From: Stefan Metzmacher
Date: Mon, 25 Nov 2024 17:12:22 +0000 (+0100)
Subject: s4:rpc_server/netlogon: implement dcesrv_netr_ServerPasswordGet()
X-Git-Tag: tdb-1.4.13~374
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a382636fc2ac9b0c0d16d2bb10d3eaf338f416d4;p=thirdparty%2Fsamba.git
s4:rpc_server/netlogon: implement dcesrv_netr_ServerPasswordGet()
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/selftest/knownfail b/selftest/knownfail
index dee099b79c1..51aae99d6b4 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -105,7 +105,6 @@
 ^samba4.rpc.netlogon.*.DatabaseSync2
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomains
 ^samba4.rpc.netlogon.*.NetrEnumerateTrustedDomainsEx
-^samba4.rpc.netlogon.*.GetPassword
 ^samba4.rpc.netlogon.*.DatabaseRedo
 ^samba4.rpc.netlogon.*.netlogon.lsa_over_netlogon\(ad_dc\) #Broken by split of \\pipe\lsass from \\pipe\netlogon in the IDL
 ^samba4.rpc.netlogon.*.netlogon.SetupCredentialsDowngrade\(ad_dc_ntvfs\) # Broken by allowing NT4 crypto on this environment
diff --git a/selftest/knownfail.d/samba.tests.krb5.netlogon b/selftest/knownfail.d/samba.tests.krb5.netlogon
index dcf5c049e2e..3da1d7368e5 100644
--- a/selftest/knownfail.d/samba.tests.krb5.netlogon
+++ b/selftest/knownfail.d/samba.tests.krb5.netlogon
@@ -2,7 +2,6 @@
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_00004004
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_.*_auth3_603fffff
 # These need to be checked
-^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam
 # This is not implemented yet
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_ticket_samlogon
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5c7ac435a1c..0667a120507 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -3105,13 +3105,47 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 }
 
 
+static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+ struct netr_ServerGetTrustInfo *r);
+
 /*
 netr_ServerPasswordGet
 */
 static NTSTATUS dcesrv_netr_ServerPasswordGet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 struct netr_ServerPasswordGet *r)
 {
- DCESRV_FAULT(DCERPC_FAULT_OP_RNG_ERROR);
+ struct netr_ServerGetTrustInfo r2 = {};
+ struct samr_Password old_owf_password = {};
+ struct netr_TrustInfo *_ti = NULL;
+ NTSTATUS status;
+
+ r2.in.server_name = r->in.server_name;
+ r2.in.account_name = r->in.account_name;
+ r2.in.secure_channel_type = r->in.secure_channel_type;
+ r2.in.computer_name = r->in.computer_name;
+ r2.in.credential = r->in.credential;
+
+ r2.out.return_authenticator = r->out.return_authenticator;
+ r2.out.new_owf_password = r->out.password;
+ r2.out.old_owf_password = &old_owf_password;
+ r2.out.trust_info = &_ti;
+
+ status = dcesrv_netr_ServerGetTrustInfo(dce_call, mem_ctx, &r2);
+
+ r->out.return_authenticator = r2.out.return_authenticator;
+ r->out.password = r2.out.new_owf_password;
+
+ ZERO_STRUCT(old_owf_password);
+ switch (r->in.secure_channel_type) {
+ case SEC_CHAN_BDC:
+ case SEC_CHAN_RODC:
+ break;
+ default:
+ ZERO_STRUCTP(r->out.password);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return status;
 }
 
 static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
@@ -4281,9 +4315,6 @@ static WERROR dcesrv_netr_DsrDeregisterDNSHostRecords(struct dcesrv_call_state *
 }
 
 
-static NTSTATUS dcesrv_netr_ServerGetTrustInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
- struct netr_ServerGetTrustInfo *r);
-
 /*
 netr_ServerTrustPasswordsGet
 */
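Review bot: The access decision in the `switch` of dcesrv_netr_ServerPasswordGet() is keyed on `r->in.secure_channel_type`, a field taken from the request, and it runs only after dcesrv_netr_ServerGetTrustInfo() has been handed `r->out.password` as its `new_owf_password` output. Whether that callee ties the requested channel type and account name to the authenticated netlogon session is not visible in this hunk, so the wrapper should state what it relies on. If the callee does enforce it, a comment above the switch such as `/* the authenticator and the account/type match were checked by ServerGetTrustInfo; here we only narrow the result to BDC/RODC and wipe it otherwise */` would record that, and if it does not, the switch should test the validated credentials instead of the request field. Separately, on the BDC/RODC path a failing `status` is returned with the output buffer left as the callee wrote it; adding `if (!NT_STATUS_IS_OK(status)) { ZERO_STRUCTP(r->out.password); }` before `return status;` would clear it on every non-success exit.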