libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()
authorStefan Metzmacher <metze@samba.org>
Mon, 28 Oct 2024 11:43:44 +0000 (12:43 +0100)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 30 Oct 2024 23:08:36 +0000 (23:08 +0000)
This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/auth/credentials.c
libcli/auth/libcli_auth.h
libcli/auth/netlogon_creds_cli.c
libcli/auth/proto.h
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/rpc_server/netlogon/dcerpc_netlogon.c
source4/torture/rpc/samlogon.c

index c9c8ddb5394d0aaeb1c6414ca318d3e24b8ec3ee..0f5dd1a676ac7c70ef55ca263c6365f0bd6127c2 100644 (file)
@@ -830,6 +830,8 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                         uint16_t validation_level,
                                                         union netr_Validation *validation,
+                                                        enum dcerpc_AuthType auth_type,
+                                                        enum dcerpc_AuthLevel auth_level,
                                                         bool do_encrypt)
 {
        struct netr_SamBaseInfo *base = NULL;
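Review bot: `auth_type` and `auth_level` are added to `netlogon_creds_crypt_samlogon_validation()` here, but neither credentials.c hunk on this page reads them, so for now the values a caller passes cannot change whether the validation is encrypted or decrypted. A one-line comment above the function would keep a later reader from assuming a check already exists, e.g. `/* auth_type/auth_level: not consulted yet, reserved for netr_ServerAuthenticateKerberos */`. Builds that enable unused-parameter warnings may also flag the two names until they are used. The function body continues outside the hunk.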
@@ -945,21 +947,29 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation *validation)
+                                                   union netr_Validation *validation,
+                                                   enum dcerpc_AuthType auth_type,
+                                                   enum dcerpc_AuthLevel auth_level)
 {
        return netlogon_creds_crypt_samlogon_validation(creds,
                                                        validation_level,
                                                        validation,
+                                                       auth_type,
+                                                       auth_level,
                                                        false);
 }
 
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation *validation)
+                                                   union netr_Validation *validation,
+                                                   enum dcerpc_AuthType auth_type,
+                                                   enum dcerpc_AuthLevel auth_level)
 {
        return netlogon_creds_crypt_samlogon_validation(creds,
                                                        validation_level,
                                                        validation,
+                                                       auth_type,
+                                                       auth_level,
                                                        true);
 }
 
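Review bot: The exported `netlogon_creds_decrypt_samlogon_validation()` and `netlogon_creds_encrypt_samlogon_validation()` take the two new arguments without saying where a caller must obtain them. Suggest a comment above the pair such as `/* auth_type/auth_level must describe the DCERPC connection this validation is sent or received on */`. The callers on this page take them from `dcerpc_binding_handle_auth_info()` on the client side and `dcesrv_call_auth_info()` on the server side. If later code decides from these values whether the session-key crypto is applied (an inference from the commit message), a defaulted or stale value would undermine that decision, so the contract is worth stating now.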
index c5c7a7b0fa8944f6d5af51214f47ca0e5f29bcf9..518dc3c2ca517d1b4e9baff1b96a010a4fcc71e6 100644 (file)
@@ -17,6 +17,7 @@
 #ifndef __LIBCLI_AUTH_H__
 #define __LIBCLI_AUTH_H__
 
+#include "librpc/gen_ndr/dcerpc.h"
 #include "librpc/gen_ndr/netlogon.h"
 #include "librpc/gen_ndr/wkssvc.h"
 #include "librpc/gen_ndr/schannel.h"
index 07547a9178ce014e14adff43991e914dfebbacca..4f5a5f5d2ca99b773c586e68a99c75c45b728985 100644 (file)
@@ -2862,10 +2862,16 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
        struct netlogon_creds_cli_LogonSamLogon_state *state =
                tevent_req_data(req,
                struct netlogon_creds_cli_LogonSamLogon_state);
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
        NTSTATUS status;
        NTSTATUS result;
        bool ok;
 
+       dcerpc_binding_handle_auth_info(state->binding_handle,
+                                       &auth_type,
+                                       &auth_level);
+
        if (state->try_logon_ex) {
                status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
                                                          state->validation,
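Review bot: `auth_type` and `auth_level` are declared without initialisers and are filled only by `dcerpc_binding_handle_auth_info()`, whereas the source4 server hunk in this commit starts from `DCERPC_AUTH_TYPE_NONE` / `DCERPC_AUTH_LEVEL_NONE` before calling `dcesrv_call_auth_info()`. Whether the helper writes both outputs on every path is not visible here, so initialising them the same way removes any chance of passing indeterminate values to the decrypt calls further down: `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`. The same applies to the declarations added to `check_samlogon()` in source4/torture/rpc/samlogon.c. `netlogon_creds_cli_LogonSamLogon_done()` starts and ends outside this hunk.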
@@ -2918,7 +2924,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
 
                status = netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
                                                                    state->validation_level,
-                                                                   state->validation);
+                                                                   state->validation,
+                                                                   auth_type,
+                                                                   auth_level);
                if (tevent_req_nterror(req, status)) {
                        netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
                        return;
@@ -2992,7 +3000,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
 
        status = netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
                                                            state->validation_level,
-                                                           state->validation);
+                                                           state->validation,
+                                                           auth_type,
+                                                           auth_level);
        if (tevent_req_nterror(req, status)) {
                netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
                return;
index ae68aab192a93a3c53c252488c9a35d1769c3da8..1eec792d8041e4379d8ca09c28976562a7d58cfd 100644 (file)
@@ -78,10 +78,14 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
                                 struct netr_Authenticator *return_authenticator) ;
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation *validation);
+                                                   union netr_Validation *validation,
+                                                   enum dcerpc_AuthType auth_type,
+                                                   enum dcerpc_AuthLevel auth_level);
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
                                                    uint16_t validation_level,
-                                                   union netr_Validation *validation);
+                                                   union netr_Validation *validation,
+                                                   enum dcerpc_AuthType auth_type,
+                                                   enum dcerpc_AuthLevel auth_level);
 NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
                                               enum netr_LogonInfoClass level,
                                               union netr_LogonLevel *logon);
index f473af2dce143fb4bf4c6965ad2f94982f939a6c..b1743b8ee3476ebcf8aaaabc998fd1f69f5d30cb 100644 (file)
@@ -1948,7 +1948,9 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 
        status = netlogon_creds_encrypt_samlogon_validation(creds,
                                                            r->in.validation_level,
-                                                           r->out.validation);
+                                                           r->out.validation,
+                                                           auth_type,
+                                                           auth_level);
 
        return status;
 }
index 2223bb7cace74bcc011c37681d55fe2f06a845d3..0f4a1bd858bb7ee107e9861e6ea4f30746dddf5d 100644 (file)
@@ -1683,9 +1683,16 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
        NTSTATUS status;
 
        if (NT_STATUS_IS_OK(r->out.result)) {
+               enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+               enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+               dcesrv_call_auth_info(state->dce_call, &auth_type, &auth_level);
+
                status = netlogon_creds_encrypt_samlogon_validation(state->creds,
                                                                    r->in.validation_level,
-                                                                   r->out.validation);
+                                                                   r->out.validation,
+                                                                   auth_type,
+                                                                   auth_level);
                if (!NT_STATUS_IS_OK(status)) {
                        DBG_ERR("netlogon_creds_encrypt_samlogon_validation() "
                                "failed - %s\n",
index f16db64424117c7c8a57e5bd3bd792b9af8b516b..a9f8ff5b5b6a8a1677a9fb69b03f832b8e077303 100644 (file)
@@ -91,6 +91,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
        struct netr_NetworkInfo ninfo;
        struct netr_SamBaseInfo *base = NULL;
        uint16_t validation_level = 0;
+       enum dcerpc_AuthType auth_type;
+       enum dcerpc_AuthLevel auth_level;
+
+       dcerpc_binding_handle_auth_info(samlogon_state->p->binding_handle,
+                                       &auth_type,
+                                       &auth_level);
 
        samlogon_state->r.in.logon->network = &ninfo;
        samlogon_state->r_ex.in.logon->network = &ninfo;
@@ -178,7 +184,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
                status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
                                                                    validation_level,
-                                                                   r->out.validation);
+                                                                   r->out.validation,
+                                                                   auth_type,
+                                                                   auth_level);
                if (!NT_STATUS_IS_OK(status)) {
                        if (error_string) {
                                *error_string = strdup(nt_errstr(status));
@@ -218,7 +226,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
                status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
                                                                    validation_level,
-                                                                   r_ex->out.validation);
+                                                                   r_ex->out.validation,
+                                                                   auth_type,
+                                                                   auth_level);
                if (!NT_STATUS_IS_OK(status)) {
                        if (error_string) {
                                *error_string = strdup(nt_errstr(status));
@@ -266,7 +276,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
                status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
                                                                    validation_level,
-                                                                   r_flags->out.validation);
+                                                                   r_flags->out.validation,
+                                                                   auth_type,
+                                                                   auth_level);
                if (!NT_STATUS_IS_OK(status)) {
                        if (error_string) {
                                *error_string = strdup(nt_errstr(status));