The Samba-Bugzilla – Attachment 11318 Details for Bug 11291: NetApp joined to a Samba/ADDC cannot resolve SIDs
[patch] Patch for v4-3-test
tmp43.diff.txt (text/plain), 3.20 KB, created by Stefan Metzmacher on 2015-08-06 18:50:05 UTC
>From 1b747ab84094a1890df6fe4539c142ebf821c5db Mon Sep 17 00:00:00 2001 >From: Arvid Requate <requate@univention.de> >Date: Thu, 6 Aug 2015 15:00:25 +0200 >Subject: [PATCH] s4:rpc_server/netlogon: Fix for NetApp > >This patch fixes an issue where NetApp filers joined to a >Samba/ADDC cannot resolve SIDs. Without this patch the issue >can only be avoided by setting "allow nt4 crypto = yes" in smb.conf. > >The issue is triggered by NetApp filers in three steps: > >1. The client calls netr_ServerReqChallenge to set up challenge tokens > >2. Next it calls netr_ServerAuthenticate2 with NETLOGON_NEG_STRONG_KEYS > set to 0. Native AD and Samba respond to this with > NT_STATUS_DOWNGRADE_DETECTED. At this point Samba throws away > the challenge token negotiated in the first step. > >3. Next the client calls netr_ServerAuthenticate2 again, this time with > NETLOGON_NEG_STRONG_KEYS set to 1. > Samba returns NT_STATUS_ACCESS_DENIED as it has lost track > of the challenge and denies logon with the message > > No challenge requested by client [CLNT1/CLNT1$], cannot authenticate > >Git commit 321ebc99b5a00f82265aee741a48aa84b214d6e8 introduced >a workaround for a different but related issue. This patch makes a minor >adjustment to that commit to delay flushing the cached challenge until >it's clear that we are not in a NT_STATUS_DOWNGRADE_DETECTED >situation. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11291 > >Signed-off-by: Arvid Requate <requate@univention.de> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Thu Aug 6 20:29:04 CEST 2015 on sn-devel-104 > >(cherry picked from commit d3ac3da98611e665dc0f4e825faa5f12f6c848ef) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 22 +++++++++++----------- > 1 file changed, 11 insertions(+), 11 deletions(-) 
> >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index b47ccf4..49b5b2f 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -172,17 +172,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca > } > } > >- /* >- * At this point we can cleanup the cache entry, >- * if we fail the client needs to call netr_ServerReqChallenge >- * again. >- * >- * Note: this handles global_challenge_table == NULL >- * and also a non existing record just fine. >- */ >- memcache_delete(global_challenge_table, >- SINGLETON_CACHE, challenge_key); >- > server_flags = NETLOGON_NEG_ACCOUNT_LOCKOUT | > NETLOGON_NEG_PERSISTENT_SAMREPL | > NETLOGON_NEG_ARCFOUR | >@@ -229,6 +218,17 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca > } > > /* >+ * At this point we can cleanup the cache entry, >+ * if we fail the client needs to call netr_ServerReqChallenge >+ * again. >+ * >+ * Note: this handles global_challenge_table == NULL >+ * and also a non existing record just fine. >+ */ >+ memcache_delete(global_challenge_table, >+ SINGLETON_CACHE, challenge_key); >+ >+ /* > * According to Microsoft (see bugid #6099) > * Windows 7 looks at the negotiate_flags > * returned in this structure *even if the >-- >1.9.1 >
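Review bot: In the first hunk, removing the memcache_delete() from in front of the server_flags setup means every return between the old call site and the new one now leaves the challenge in global_challenge_table, not only the NT_STATUS_DOWNGRADE_DETECTED return the commit message names. Those returns are outside the visible context, so please state in the commit message which error paths fall in that window and confirm each is meant to keep the challenge usable for a retry. Any path that should still force a fresh netr_ServerReqChallenge needs its own delete.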
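Review bot: In the second hunk, the comment moved along with memcache_delete() still reads "if we fail the client needs to call netr_ServerReqChallenge again", which no longer holds for failures returned before this point, since the commit message says the downgrade case must keep the cached challenge. Reword the comment to say the entry is deliberately kept until the NT_STATUS_DOWNGRADE_DETECTED decision has been made, and cite bug 11291 there the same way the following comment cites bugid #6099.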
Flags: metze: review?(abartlet), jra: review+, asn: review+