author | Jeremy Allison <jra@samba.org> | 2006-02-22 21:18:23 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:10:20 -0500 |
commit | 202bc164ca11539a62a7e894330265df90319828 (patch) | |
tree | 46cf5ad64312725f20c25776f977bde38cfcc31a /source3/utils/net_rpc_join.c | |
parent | fd5ecef41ce3dd6acff1ed0fc17529fa8459a66f (diff) | |
r13641: Finish fix for #3510. Don't use client schannel when told
not to, cope with a server that doesn't offer schannel also.
Jeremy
(This used to be commit 68005f6bdb70883eace0d9067c76c3360a803023)
Diffstat (limited to 'source3/utils/net_rpc_join.c')
-rw-r--r-- | source3/utils/net_rpc_join.c | 52 |
1 files changed, 39 insertions, 13 deletions
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index 29a27d8f647..1f68da0d754 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -43,31 +43,57 @@
 **/
 static int net_rpc_join_ok(const char *domain)
 {
+ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
 struct cli_state *cli = NULL;
 struct rpc_pipe_client *pipe_hnd = NULL;
- int retval = 1;
- NTSTATUS ret;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
 /* Connect to remote machine */
 if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
- return 1;
+ return -1;
 }
- pipe_hnd = cli_rpc_pipe_open_schannel(cli, PI_NETLOGON,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain, &ret);
+ /* Setup the creds as though we're going to do schannel... */
+ netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, &ntret);
+
+ /* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing
+ to negotiate schannel, but the creds were set up ok. That'll have to do. */
+
+ if (!netlogon_pipe) {
+ if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
+ cli_shutdown(cli);
+ return 0;
+ } else {
+ DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
+ "key from server %s for domain %s. Error was %s\n",
+ cli->desthost, domain, nt_errstr(ntret) ));
+ cli_shutdown(cli);
+ return -1;
+ }
+ }
- if (!pipe_hnd) {
- DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(ret) ));
- goto done;
+ /* Only do the rest of the schannel test if the client is allowed to do this. */
+ if (!lp_client_schannel()) {
+ cli_shutdown(cli);
+ /* We're good... */
+ return 0;
 }
- retval = 0; /* Success! */
-
-done:
+ pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain, netlogon_pipe->dc, &ntret);
+
+ if (!pipe_hnd) {
+ DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
+ "on netlogon pipe to server %s for domain %s. Error was %s\n",
+ cli->desthost, domain, nt_errstr(ntret) ));
+ cli_shutdown(cli);
+ return -1;
+ }
 cli_shutdown(cli);
- return retval;
+ return 0;
 }
 /** |
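Review bot: The `NT_STATUS_INVALID_NETWORK_RESPONSE` branch returns 0 before `lp_client_schannel()` is consulted, so a server that refuses schannel is reported as a good join even when the local policy may require schannel. If `lp_client_schannel()` is the tri-state no/auto/yes setting (not visible in this hunk), the fallback should only be accepted when schannel is not mandatory, e.g. `if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE) && lp_client_schannel() != True) {`, with the mandatory case falling through to the error path. That branch is also silent, so a `DEBUG` line naming `cli->desthost` would make the downgrade visible in logs. Separately, the failure return changes from 1 to -1, so callers that compare the result against a specific non-zero value (outside this hunk) should be checked.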