libcli/auth: pass client_sid to netlogon_creds_server_init()
authorStefan Metzmacher <metze@samba.org>
Wed, 2 Oct 2024 16:46:43 +0000 (18:46 +0200)
committerDouglas Bagnall <dbagnall@samba.org>
Wed, 30 Oct 2024 23:08:36 +0000 (23:08 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
libcli/auth/credentials.c
libcli/auth/proto.h
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index d18759604480875094b2b7f86f629d3fcb2fe68f..236cb6fc180307c321f5943b712bbc0cfec070ae 100644 (file)
@@ -657,6 +657,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags)
 {
 
@@ -700,6 +701,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                return NULL;
        }
 
+       creds->sid = dom_sid_dup(creds, client_sid);
+       if (creds->sid == NULL) {
+               talloc_free(creds);
+               return NULL;
+       }
+
        if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                status = netlogon_creds_init_hmac_sha256(creds,
                                                         client_challenge,
index 9f6a8b68b8b1368e78361978578eec41c204103f..edc3284d32cd0a2467f14aefe1e66e36c6a64831 100644 (file)
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
                                 const struct netr_Authenticator *received_authenticator,
index 1c740fa4730bfb2f8a077dec5f6c0541c2d6317d..fb41cda5bbbcd7a57e474ca1e210ee294fabfe03 100644 (file)
@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                                           &mach_pwd,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          &sid,
                                           neg_flags);
        if (!creds) {
                DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
@@ -1030,12 +1031,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                goto out;
        }
 
-       creds->sid = dom_sid_dup(creds, &sid);
-       if (!creds->sid) {
-               status = NT_STATUS_NO_MEMORY;
-               goto out;
-       }
-
        /* Store off the state so we can continue after client disconnect. */
        become_root();
        status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
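Review bot: The `if (!creds)` branch after the new `&sid` argument logs "netlogon_creds_server_check failed" although the call is `netlogon_creds_server_init()`, and with this change that branch now also covers the SID duplication failure that was previously reported separately as `NT_STATUS_NO_MEMORY` at the removed L60-L64. Rename the message so the log points at the right function: `DEBUG(0,("%s: netlogon_creds_server_init failed. Rejecting auth "`. Whether the status returned on that path still distinguishes an allocation failure from an authentication failure is not visible in the hunk; the rest of `_netr_ServerAuthenticate3()` lies outside it.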
index 61c97042f176ddc6e9dcc66ebafcb1014005d42f..ad0eb9ac0760b3a8756eac36e5dd0aeafb8fec5e 100644 (file)
@@ -778,6 +778,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                return NT_STATUS_ACCESS_DENIED;
        }
 
+       *sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
+       if (*sid == NULL) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        creds = netlogon_creds_server_init(mem_ctx,
                                           r->in.account_name,
                                           r->in.computer_name,
@@ -787,6 +792,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                           curNtHash,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          *sid,
                                           negotiate_flags);
        if (creds == NULL && prevNtHash != NULL) {
                /*
@@ -804,14 +810,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                                   prevNtHash,
                                                   r->in.credentials,
                                                   r->out.return_credentials,
+                                                  *sid,
                                                   negotiate_flags);
        }
 
        if (creds == NULL) {
                return NT_STATUS_ACCESS_DENIED;
        }
-       creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
-       *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 
        nt_status = schannel_save_creds_state(mem_ctx,
                                              dce_call->conn->dce_ctx->lp_ctx,