1306
1309
DEBUG(3, ("could not open handle to NETLOGON pipe\n"));
1312
auth = netlogon_pipe->auth;
1313
if (netlogon_pipe->dc) {
1314
neg_flags = netlogon_pipe->dc->negotiate_flags;
1310
1317
/* It is really important to try SamLogonEx here,
1311
1318
* because in a clustered environment, we want to use
1326
1333
* wrapping SamLogon context.
1328
1335
* -- abartlet 21 April 2008
1337
* It's also important to use NetlogonValidationSamInfo4 (6),
1338
* because it relies on the rpc transport encryption
1339
* and avoids using the global netlogon schannel
1340
* session key to en/decrypt secret information
1341
* like the user_session_key for network logons.
1343
* [MS-APDS] 3.1.5.2 NTLM Network Logon
1344
* says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
1345
* NETLOGON_NEG_AUTHENTICATED_RPC set together
1346
* are the indication that the server supports
1347
* NetlogonValidationSamInfo4 (6). And must only
1348
* be used if "SealSecureChannel" is used.
1350
* -- metze 4 February 2011
1354
domain->can_do_validation6 = false;
1355
} else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1356
domain->can_do_validation6 = false;
1357
} else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1358
domain->can_do_validation6 = false;
1359
} else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1360
domain->can_do_validation6 = false;
1361
} else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1362
domain->can_do_validation6 = false;
1331
1365
logon_fn = contact_domain->can_do_samlogon_ex
1332
1366
? rpccli_netlogon_sam_network_logon_ex
1333
1367
: rpccli_netlogon_sam_network_logon;
1340
1374
name_domain, /* target domain */
1341
1375
global_myname(), /* workstation */
1377
domain->can_do_validation6 ? 6 : 3,
1348
1382
if ((NT_STATUS_V(result) == DCERPC_FAULT_OP_RNG_ERROR)
1349
1383
&& contact_domain->can_do_samlogon_ex) {
1350
1384
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1351
1385
"retrying with NetSamLogon\n"));
1352
1386
contact_domain->can_do_samlogon_ex = false;
1388
* It's likely that the server also does not support
1389
* validation level 6
1391
domain->can_do_validation6 = false;
1396
if (domain->can_do_validation6 &&
1397
(NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
1398
NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
1399
NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
1400
DEBUG(3,("Got a DC that can not do validation level 6, "
1401
"retrying with level 3\n"));
1402
domain->can_do_validation6 = false;
1408
* we increment this after the "feature negotiation"
1409
* for can_do_samlogon_ex and can_do_validation6
1357
1413
/* We have to try a second time as cm_connect_netlogon
1358
1414
might not yet have noticed that the DC has killed
1900
1958
nt_errstr(result)));
1961
auth = netlogon_pipe->auth;
1962
if (netlogon_pipe->dc) {
1963
neg_flags = netlogon_pipe->dc->negotiate_flags;
1967
domain->can_do_validation6 = false;
1968
} else if (auth->auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
1969
domain->can_do_validation6 = false;
1970
} else if (auth->auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
1971
domain->can_do_validation6 = false;
1972
} else if (!(neg_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
1973
domain->can_do_validation6 = false;
1974
} else if (!(neg_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
1975
domain->can_do_validation6 = false;
1904
1978
logon_fn = contact_domain->can_do_samlogon_ex
1905
1979
? rpccli_netlogon_sam_network_logon_ex
1914
1988
/* Bug #3248 - found by Stefan Burkei. */
1915
1989
workstation, /* We carefully set this above so use it... */
1916
1990
state->request->data.auth_crap.chal,
1991
domain->can_do_validation6 ? 6 : 3,
1923
1998
DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
1924
1999
"retrying with NetSamLogon\n"));
1925
2000
contact_domain->can_do_samlogon_ex = false;
2002
* It's likely that the server also does not support
2003
* validation level 6
2005
domain->can_do_validation6 = false;
2010
if (domain->can_do_validation6 &&
2011
(NT_STATUS_EQUAL(result, NT_STATUS_INVALID_INFO_CLASS) ||
2012
NT_STATUS_EQUAL(result, NT_STATUS_INVALID_PARAMETER) ||
2013
NT_STATUS_EQUAL(result, NT_STATUS_BUFFER_TOO_SMALL))) {
2014
DEBUG(3,("Got a DC that can not do validation level 6, "
2015
"retrying with level 3\n"));
2016
domain->can_do_validation6 = false;
2022
* we increment this after the "feature negotiation"
2023
* for can_do_samlogon_ex and can_do_validation6
1932
2027
/* We have to try a second time as cm_connect_netlogon