libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialSta...
authorStefan Metzmacher <metze@samba.org>
Thu, 10 Oct 2024 11:39:38 +0000 (13:39 +0200)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 30 Oct 2024 23:08:36 +0000 (23:08 +0000)
Before storing the structure into a ctdb managed volatile database
we check against netlogon_creds_CredentialState_legacy (the structure
used before recent changes). This makes sure unpatched cluster nodes
would not get a parsing error.

We'll remove this again in master when we try to implement
netr_ServerAuthenticateKerberos() and the related changes
to netlogon_creds_CredentialState, which will break the compat...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/auth/netlogon_creds_cli.c
librpc/idl/schannel.idl

index 1b9d26171e1093e825c022d94cb7a81f786d8329..07547a9178ce014e14adff43991e914dfebbacca 100644 (file)
@@ -752,6 +752,7 @@ static NTSTATUS netlogon_creds_cli_store_internal(
        enum ndr_err_code ndr_err;
        DATA_BLOB blob;
        TDB_DATA data;
+       struct netlogon_creds_CredentialState_legacy lc = { .sequence = 0, };
 
        if (DEBUGLEVEL >= 10) {
                NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
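Review bot: `lc` on the added declaration line becomes a second stack copy of the schannel session key once the blob is decoded into it (`session_key[16]` is a member of the legacy struct), and nothing in the visible hunks wipes it before the function returns. The copy is only needed for the parse check, so I would clear it on every exit path after the pull, e.g. `ZERO_STRUCT(lc);`, or with the tree's explicit-wipe helper if one is usable in this file. The function body starts and ends outside the hunk, so the exit paths have to be checked there. The long-lived `creds` keeps the key regardless, so this is hygiene rather than a fix.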
@@ -765,6 +766,18 @@ static NTSTATUS netlogon_creds_cli_store_internal(
                return status;
        }
 
+       ndr_err = ndr_pull_struct_blob_all(&blob, frame, &lc,
+               (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState_legacy);
+       if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+               status = ndr_map_error2ntstatus(ndr_err);
+               TALLOC_FREE(frame);
+               return status;
+       }
+
+       if (DEBUGLEVEL >= 11) {
+               NDR_PRINT_DEBUG(netlogon_creds_CredentialState_legacy, &lc);
+       }
+
        data.dptr = blob.data;
        data.dsize = blob.length;
 
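Review bot: The added `ndr_pull_struct_blob_all()` call re-parses a blob that was pushed just above it, and there is no comment saying why, so a later cleanup could drop it and lose the cluster-compat guarantee that only the commit message describes. I would put `/* The blob must still decode as netlogon_creds_CredentialState_legacy so unpatched cluster nodes can parse what we store. */` above the call. The failure branch returns the mapped status without logging, so a store rejected by this check looks like any other NDR error; `DBG_ERR("legacy compat check failed: %s\n", nt_errstr(status));` before `TALLOC_FREE(frame)` would make it diagnosable. The level-11 `NDR_PRINT_DEBUG` of `lc` writes `session_key` to the log, as the existing level-10 dump of `creds` already does, so logs captured at these levels need to be handled as key material. The function continues outside the hunk.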
index 8905d514f557a038e7d753ea6a4f66c1be908a11..9fe4b7aed7c75c3fcef616d278efdc98652fa020 100644 (file)
@@ -85,6 +85,19 @@ interface schannel
                netlogon_creds_CredentialState_extra_info *ex;
        } netlogon_creds_CredentialState;
 
+       typedef [public,flag(NDR_PAHEX)] struct {
+               netr_NegotiateFlags negotiate_flags;
+               uint8 session_key[16];
+               uint32 sequence;
+               netr_Credential seed;
+               netr_Credential client;
+               netr_Credential server;
+               netr_SchannelType secure_channel_type;
+               [string,charset(UTF8)] uint8 computer_name[];
+               [string,charset(UTF8)] uint8 account_name[];
+               dom_sid *sid;
+       } netlogon_creds_CredentialState_legacy;
+
        /* This is used in the schannel_store.tdb */
        typedef [public] struct {
                [string,charset(UTF16)] uint16 *computer_name;
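Review bot: `netlogon_creds_CredentialState_legacy` is added without a comment, although the struct after it carries one (`/* This is used in the schannel_store.tdb */`), and nothing tells a reader that its field order is a frozen copy of the older layout. I would add `/* Pre-change layout of netlogon_creds_CredentialState; only used to verify stored blobs still parse on unpatched cluster nodes. Do not modify. */` above the typedef. Only the tail of `netlogon_creds_CredentialState` is visible here, so how its trailing `ex` member is encoded relative to the legacy layout cannot be confirmed from this hunk. It is worth checking, because the parse in `netlogon_creds_cli_store_internal` requires the whole blob to be consumed.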