authorJeremy Allison <jra@samba.org>2009-05-11 11:17:56 -0700
committerKarolin Seeger <kseeger@samba.org>2009-06-02 12:41:55 +0200
commit8d454f5783a834a8cd05a07995f4654129f14ff2 (patch)
treeaeb41200a54f8b30eb9557adec9d78c91420a421 /source
parent2dd95f1ecc98d03fd4a2f6c3a0d18f3586109ed4 (diff)
After getting confirmation from Guenther, add 3 changes we'll ultimately need to fix bug #6099 Samba returns inaccurate capabilities list. 1). Add a comment to point out that r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags. 2). Ensure we return NETLOGON_NEG_STRONG_KEYS in our flags return if the client requested it. 3). Clean up the error exits so we always return the same way. Signed off by Guenther. Jeremy.
(cherry picked from commit 59ee131464636d3363bc7ee398ba6390a6333558)
Diffstat (limited to 'source')
-rw-r--r--source/rpc_server/srv_netlog_nt.c36
1 files changed, 23 insertions, 13 deletions
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index 119dab2e397..4a78c949e1a 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -472,12 +472,15 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
{
NTSTATUS status;
uint32_t srv_flgs;
+ /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+ * so use a copy to avoid destroying the client values. */
+ uint32_t in_neg_flags = *r->in.negotiate_flags;
struct netr_Credential srv_chal_out;
/* According to Microsoft (see bugid #6099)
* Windows 7 looks at the negotiate_flags
* returned in this structure *even if the
- * call fails with access denied ! So in order
+ * call fails with access denied* ! So in order
* to allow Win7 to connect to a Samba NT style
* PDC we set the flags before we know if it's
* an error or not.
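Review bot: The snapshot `in_neg_flags` is never meant to change after it is taken, so declaring it `const uint32_t in_neg_flags = *r->in.negotiate_flags;` would let the compiler reject any later accidental write to the client's request. Because the in and out pointers alias, any read of `*r->in.negotiate_flags` that remains outside the visible hunks should also switch to this copy. The function body starts before and continues after this hunk, so that cannot be confirmed from here.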
@@ -494,6 +497,11 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
NETLOGON_NEG_REDO |
NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
+ /* Ensure we support strong (128-bit) keys. */
+ if (in_neg_flags & NETLOGON_NEG_128BIT) {
+ srv_flgs |= NETLOGON_NEG_128BIT;
+ }
+
if (lp_server_schannel() != false) {
srv_flgs |= NETLOGON_NEG_SCHANNEL;
}
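Review bot: The strong-key bit is only mirrored back when the client offers it, so a client that omits `NETLOGON_NEG_128BIT` is still accepted with the weaker key. Unlike schannel, no setting visible in these hunks lets an administrator require it. The comment "Ensure we support strong (128-bit) keys" reads as if strength were enforced. A more accurate wording would be `/* Strong (128-bit) keys are opportunistic: echo the flag only if the client asked; clients that do not offer it are still accepted. */`. The commit message calls the flag NETLOGON_NEG_STRONG_KEYS while the code uses `NETLOGON_NEG_128BIT`; presumably these are the same bit, but the comment could say so.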
@@ -504,19 +512,19 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
if (!p->dc || !p->dc->challenge_sent) {
DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n",
r->in.computer_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
if ( (lp_server_schannel() == true) &&
- ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+ ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
/* schannel must be used, but client did not offer it. */
DEBUG(0,("_netr_ServerAuthenticate2: schannel required but client failed "
"to offer it. Client was %s\n",
r->in.account_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
status = get_md4pw((char *)p->dc->mach_pw,
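Review bot: The schannel requirement is tested with `lp_server_schannel() == true`, while the capability a few lines earlier is advertised with `lp_server_schannel() != false`, and nothing documents that difference. That suggests a tri-state setting in which any value other than exactly `true` lets a client that did not offer schannel continue unprotected. A comment on the check would make the downgrade behaviour explicit for whoever audits this path, for example `/* Only a setting of exactly "true" rejects non-schannel clients; other non-false values advertise schannel but do not require it. */`. The function continues past the end of this hunk.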
@@ -527,12 +535,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
"account %s: %s\n",
r->in.account_name, nt_errstr(status) ));
/* always return NT_STATUS_ACCESS_DENIED */
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
/* From the client / server challenges and md4 password, generate sess key */
- creds_server_init(*r->in.negotiate_flags,
+ creds_server_init(in_neg_flags,
p->dc,
&p->dc->clnt_chal, /* Stored client chal. */
&p->dc->srv_chal, /* Stored server chal. */
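Review bot: `creds_server_init()` is given the raw client flags (`in_neg_flags`), while the reply advertises `srv_flgs`, so key derivation and the returned capability list are computed from two different values. If `creds_server_init()` (not visible here) keys its behaviour off a bit the server does not put in `srv_flgs`, the two sides could disagree about what was negotiated. Consider passing the intersection, `creds_server_init(in_neg_flags & srv_flgs,`, or add a comment stating why the unmasked client value is intended. The call's remaining arguments lie outside this hunk.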
@@ -545,8 +553,8 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
"request from client %s machine account %s\n",
r->in.computer_name,
r->in.account_name));
- *r->out.negotiate_flags = srv_flgs;
- return NT_STATUS_ACCESS_DENIED;
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
}
/* set up the LSA AUTH 2 response */
@@ -565,10 +573,12 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
r->in.computer_name,
p->dc);
unbecome_root();
+ status = NT_STATUS_OK;
- *r->out.negotiate_flags = srv_flgs;
+ out:
- return NT_STATUS_OK;
+ *r->out.negotiate_flags = srv_flgs;
+ return status;
}
/*************************************************************************
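Review bot: The `out:` label is now the single place where the flags are written back, but it carries no comment explaining why failures must pass through it too. The rationale sits only in the declaration comment far above, so a later early `return` could silently reintroduce bug #6099. A short comment would help, such as `/* All exits, including failures, must come through here: Win7 reads negotiate_flags even on ACCESS_DENIED. */`. Separately, `status = NT_STATUS_OK;` is assigned unconditionally after the call that ends at `p->dc);`. That call begins outside this hunk, so whether its result is checked cannot be confirmed from here and is worth verifying.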