return NULL;
}
- creds->ex = talloc_zero(creds,
- struct netlogon_creds_CredentialState_extra_info);
- if (creds->ex == NULL) {
- talloc_free(creds);
- return NULL;
- }
- creds->ex->client_requested_flags = client_requested_flags;
- creds->ex->auth_time = now;
+ creds->client_requested_flags = client_requested_flags;
+ creds->auth_time = now;
if (client_sid != NULL) {
- creds->ex->client_sid = *client_sid;
+ creds->client_sid = *client_sid;
} else {
- creds->ex->client_sid = global_sid_NULL;
+ creds->client_sid = global_sid_NULL;
}
return creds;
return;
}
- state->creds->ex->client_sid.sub_auths[0] = state->rid;
+ state->creds->client_sid.sub_auths[0] = state->rid;
status = netlogon_creds_cli_store_internal(state->context,
state->creds);
if (tevent_req_nterror(req, status)) {
return;
}
- if (state->creds->ex != NULL) {
- requested_flags = state->creds->ex->client_requested_flags;
- } else {
- requested_flags = state->context->client.proposed_flags;
- }
+ requested_flags = state->creds->client_requested_flags;
if (state->client_caps.requested_flags != requested_flags) {
status = NT_STATUS_DOWNGRADE_DETECTED;
char *name_upper;
NTSTATUS status;
- if (creds->ex == NULL) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
if (strlen(creds->computer_name) > 15) {
/*
* We may want to check for a completely
NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
}
- if (creds->ex == NULL) {
- status = NT_STATUS_INTERNAL_ERROR;
- goto done;
- }
-
DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
keystr));
typedef [flag(NDR_PAHEX)] struct {
/*
- * These were only used on the server part
- * with a single dom_sid for the client_sid.
- *
- * On the server we use CLEAR_IF_FIRST,
- * so db layout changes don't matter there,
- * but on the client side we need to handle
- * the ctdb case were CLEAR_IF_FIRST only
- * works if all cluster nodes are restarted.
- *
- * As this was a single dom_sid before,
- * we add some magic in order to let
- * old code (on other nodes to parse the new layout).
- *
- * We have basically this definition of dom_sid:
- *
- * typedef struct {
- * uint8 sid_rev_num;
- * [range(0,15)] int8 num_auths;
- * uint8 id_auth[6];
- * uint32 sub_auths[num_auths];
- * } dom_sid;
- *
- * It means it consumes at least 8 bytes while
- * and it's also 4 byte aligned (before sid_rev_num).
- * The largest sid would have 68 bytes.
- *
- * The old client side code would see a sid like
- * this: S-1-RSV-CRF-ATL-ATH-257-0-RID
- *
- * RSV => reserved (the last 4 bytes of id_auth)
- *
- * CRF => client_requested_flags (sub_auths[0]
- *
- * Note NTTIME used ndr_pull_udlong, it's not NTTIME_hyper!
- * ATL => low 4 bytes of auth_time (sub_auths[1])
- * ATH => high 4 bytes of auth_time (sub_auths[2])
- *
- * From client_sid (S-1-0-RID): sub_auth[3-5]
- *
- * 257 => 0x01 0x01 0x00 0x00 =
- * (sid_rev_num = 1, num_auths =1,
- * id_auth[0] = 0, id_auth[1] = 0)
- * 0 => id_auth[2-6]
- *
- * RID => the RID of the client
- *
- * It means the magic needs to simulate
- * num_auths = 6
+ * This can be used in order to
+ * make backward compatible changes,
+ * see commits:
+ * 518f57b93bdb84900d3b58cd94bdf1046f82a5a6
+ * dfbc5e5a19420311eac3db5ede1c665a9198395d
+ * 8b972fea0978101575f847eac33b09d2fd8d02e7
*/
- [value(0x00000601)] uint32 magic;
- [value(0)] uint32 reserved;
- netr_NegotiateFlags client_requested_flags;
- NTTIME auth_time;
- dom_sid client_sid;
+ dom_sid dummy_sid;
} netlogon_creds_CredentialState_extra_info;
typedef [public,flag(NDR_PAHEX)] struct {
- netr_NegotiateFlags negotiate_flags;
- uint8 session_key[16];
+ [value(0)] uint32 zero_flags;
+ [flag(NDR_SECRET)] uint8 session_key[16];
uint32 sequence;
netr_Credential seed;
netr_Credential client;
netr_SchannelType secure_channel_type;
[string,charset(UTF8)] uint8 computer_name[];
[string,charset(UTF8)] uint8 account_name[];
- netlogon_creds_CredentialState_extra_info *ex;
+ /*
+ * magic1 used to be a pointer to
+ * in 4.21 and older.
+ *
+ * magic2 was 'magic' or the first
+ * for 4 bytes of dom_sid (in 4.19)
+ *
+ * magic3 was the first 4 bytes of
+ * dom_sid in 4.21 and 4.20.
+ *
+ * With 4.22 we break the compat!
+ * So we have all of them as UINT32_MAX
+ * which means the parsing of a new record would
+ * fail in older releases.
+ */
+ [value(0xFFFFFFFF)] uint32 magic1;
+ [value(0xFFFFFFFF)] uint32 magic2;
+ netr_NegotiateFlags negotiate_flags;
+ netr_NegotiateFlags client_requested_flags;
+ NTTIME auth_time;
+ [value(0xFFFFFFFF)] uint32 magic3;
+ dom_sid28 client_sid;
+ [value(0)] boolean8 reserved1;
+ /* here's some padding ... */
+ [value(0)] hyper reserved2;
+ [value(NULL)] netlogon_creds_CredentialState_extra_info *ex;
} netlogon_creds_CredentialState;
/* This is used in the schannel_store.tdb */
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
struct dcesrv_netr_check_schannel_state);
if (s != NULL) {
- if (!dom_sid_equal(&s->account_sid, &creds->ex->client_sid)) {
+ if (!dom_sid_equal(&s->account_sid, &creds->client_sid)) {
goto new_state;
}
if (s->auth_type != auth_type) {
return NT_STATUS_NO_MEMORY;
}
- s->account_sid = creds->ex->client_sid;
+ s->account_sid = creds->client_sid;
s->auth_type = auth_type;
s->auth_level = auth_level;
s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
TALLOC_FREE(creds);
return status;
}
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
r->in.computer_name, creds->computer_name));
TALLOC_FREE(creds);
return status;
}
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
DBG_NOTICE("Server Password Set2 by remote "
"machine:[%s] on account [%s]\n",
break;
case 2:
r->out.capabilities->requested_flags =
- creds->ex->client_requested_flags;
+ creds->client_requested_flags;
break;
}
r->in.credential, r->out.return_authenticator,
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
if (sam_ctx == NULL) {
r->in.credential, r->out.return_authenticator,
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
if (sam_ctx == NULL) {
user_info->netlogon_trust_account.account_name
= creds->account_name;
user_info->netlogon_trust_account.sid
- = &creds->ex->client_sid;
+ = &creds->client_sid;
break;
default:
break;
case 2:
r->out.capabilities->requested_flags =
- creds->ex->client_requested_flags;
+ creds->client_requested_flags;
break;
}
talloc_free(frame);
}
NT_STATUS_NOT_OK_RETURN(status);
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
/* We want to avoid connecting as system. */
sam_ctx = dcesrv_samdb_connect_as_user(mem_ctx, dce_call);
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
switch (creds->secure_channel_type) {
case SEC_CHAN_BDC:
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
/* TODO: check r->in.server_name is our name */
r->out.return_authenticator,
&creds);
NT_STATUS_NOT_OK_RETURN(nt_status);
- client_sid = &creds->ex->client_sid;
+ client_sid = &creds->client_sid;
if (creds->secure_channel_type != SEC_CHAN_RODC) {
return NT_STATUS_ACCESS_DENIED;
projects / thirdparty / samba.git / commitdiff
