libcli/auth: split out netlogon_creds_CredentialState_extra_info
authorStefan Metzmacher <metze@samba.org>
Wed, 2 Oct 2024 16:54:05 +0000 (18:54 +0200)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 30 Oct 2024 23:08:36 +0000 (23:08 +0000)
As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really change, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/auth/credentials.c
libcli/auth/schannel_state_tdb.c
librpc/idl/schannel.idl

index 236cb6fc180307c321f5943b712bbc0cfec070ae..342dcd95154a117215b09b6c93d47436c18d65e7 100644 (file)
@@ -701,11 +701,15 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                return NULL;
        }
 
-       creds->sid = dom_sid_dup(creds, client_sid);
-       if (creds->sid == NULL) {
+       creds->ex = talloc_zero(creds,
+                       struct netlogon_creds_CredentialState_extra_info);
+       if (creds->ex == NULL) {
                talloc_free(creds);
                return NULL;
        }
+       creds->ex->client_sid = *client_sid;
+
+       creds->sid = &creds->ex->client_sid;
 
        if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                status = netlogon_creds_init_hmac_sha256(creds,
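Review bot: The assignment `creds->sid = &creds->ex->client_sid;` establishes an aliasing invariant that the rest of the file now has to keep (netlogon_creds_copy and the tdb fetch path both re-point it), but nothing at the assignment says so; a one-line comment would help, e.g. `/* sid is only an in-memory alias into ex; re-point it whenever ex is replaced or the struct is copied */`. `*client_sid` is still dereferenced unconditionally, as the removed dom_sid_dup() call presumably was, so a NULL client_sid fails here exactly as before; if callers may pass NULL, a check returning NULL in the same style as the talloc failure branch would be the place for it. netlogon_creds_server_init's signature and the rest of its body are outside the hunk.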
@@ -1193,12 +1197,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_copy(
                return NULL;
        }
 
-       if (creds_in->sid) {
-               creds->sid = dom_sid_dup(creds, creds_in->sid);
-               if (!creds->sid) {
+       if (creds_in->ex != NULL) {
+               creds->ex = talloc_zero(creds,
+                       struct netlogon_creds_CredentialState_extra_info);
+               if (creds->ex == NULL) {
                        talloc_free(creds);
                        return NULL;
                }
+               *creds->ex = *creds_in->ex;
+       }
+
+       if (creds->ex != NULL) {
+               creds->sid = &creds->ex->client_sid;
+       } else {
+               creds->sid = NULL;
        }
 
        memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key));
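Review bot: `*creds->ex = *creds_in->ex;` is a shallow struct copy, which is fine while extra_info holds only a dom_sid by value, but the description says client related information will be added to it; any talloc-allocated member added later would then be shared between the two credential states, so a comment marking this as a by-value copy would keep that from slipping in silently, e.g. `/* by-value copy: extra_info must stay free of pointer members */`. The second `if (creds->ex != NULL)` block re-tests what the first block just decided; folding it in — `creds->sid = &creds->ex->client_sid;` at the end of the first block and `creds->sid = NULL;` in an else branch — reads more directly. The allocation of creds is outside the hunk, so whether sid is already NULL from a talloc_zero cannot be seen here.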
index 2454a433819447795aca00423fdeee5e3ca36a88..ee7ee546baffd423c2f91f87b5ee2c3f45b1cfb3 100644 (file)
@@ -88,6 +88,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
        char *name_upper;
        NTSTATUS status;
 
+       if (creds->ex == NULL) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
+       if (creds->sid == NULL) {
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+
        if (strlen(creds->computer_name) > 15) {
                /*
                 * We may want to check for a completely
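Review bot: The two new guards return NT_STATUS_INTERNAL_ERROR without saying why a store with a NULL ex or sid is a programming error rather than bad input; since the IDL marks sid as `[skip]`, only ex is actually written to the record, so the reason each check exists is worth a line, e.g. `/* ex carries the persisted client_sid; sid is expected to alias into it */`. As both checks have the same outcome they can be one condition: `if (creds->ex == NULL || creds->sid == NULL) { return NT_STATUS_INTERNAL_ERROR; }`. If the intent is to verify the alias, comparing sid against `&creds->ex->client_sid` would be stricter than a NULL test, but whether callers are allowed to point sid elsewhere is not visible here. schannel_store_session_key_tdb continues outside the hunk.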
@@ -195,6 +203,13 @@ NTSTATUS schannel_fetch_session_key_tdb(struct db_context *db_sc,
                NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
        }
 
+       if (creds->ex == NULL) {
+               status = NT_STATUS_INTERNAL_ERROR;
+               goto done;
+       }
+
+       creds->sid = &creds->ex->client_sid;
+
        DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
                keystr));
 
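Review bot: A NULL `creds->ex` after the pull is answered with NT_STATUS_INTERNAL_ERROR, and the reason that is the right status rather than a not-found or format error lives only in the commit description: the tdb is opened CLEAR_IF_FIRST, so no record with the previous layout can be read back and a missing ex means a corrupt record. That belongs next to the check, e.g. `/* db is CLEAR_IF_FIRST, so a record without ex is corrupt, not an old layout */`. The `creds->sid = &creds->ex->client_sid;` fixup is the only place the `[skip]` sid pointer gets a value after a pull, which a short comment should also state. Whether the `done:` label frees creds on this path is outside the hunk.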
index 3bc8a92c92f6a5597b0e6ccdd5e43c8d287fb003..76b0dfd4c5532c88f9295332a393559eab39a7b0 100644 (file)
@@ -14,6 +14,17 @@ interface schannel
 {
        /* this structure is used internally in the NETLOGON server */
 
+       typedef [flag(NDR_PAHEX)] struct {
+               /*
+                * These were only used on the server part
+                * with a single dom_sid for the client_sid.
+                *
+                * On the server we use CLEAR_IF_FIRST,
+                * so db layout changes don't matter there.
+                */
+               dom_sid client_sid;
+       } netlogon_creds_CredentialState_extra_info;
+
        typedef [public,flag(NDR_PAHEX)] struct {
                netr_NegotiateFlags negotiate_flags;
                uint8 session_key[16];
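Review bot: The comment inside netlogon_creds_CredentialState_extra_info explains the history of the field and the database policy, but not the contract a reader of the IDL needs: that the struct is server-side only and that the `sid` pointer in netlogon_creds_CredentialState is an in-memory alias of `client_sid`. A further sentence in that comment, along the lines of `* netlogon_creds_CredentialState.sid is an in-memory alias of client_sid and is never marshalled.`, would tie the two definitions together; the same comment is missing on the `[skip] dom_sid *sid;` line in the next hunk.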
@@ -24,7 +35,8 @@ interface schannel
                netr_SchannelType secure_channel_type;
                [string,charset(UTF8)] uint8 computer_name[];
                [string,charset(UTF8)] uint8 account_name[];
-               dom_sid *sid;
+               [skip] dom_sid *sid;
+               netlogon_creds_CredentialState_extra_info *ex;
        } netlogon_creds_CredentialState;
 
        /* This is used in the schannel_store.tdb */
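Review bot: Replacing the marshalled `dom_sid *sid` with `netlogon_creds_CredentialState_extra_info *ex` keeps the stored record byte-identical only if NDR emits a unique pointer to a struct holding a single dom_sid exactly as it emitted the unique pointer to the dom_sid itself; the description states this, but nothing in the IDL records it, so a comment on the `ex` line would preserve the intent, e.g. `/* takes the wire slot of the former dom_sid *sid; layout unchanged */`. Since sid is now `[skip]`, it is NULL after every pull until re-pointed, which the fetch path in schannel_state_tdb.c does; an IDL comment saying so would stop a future pull site from reading it unset.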