From: Stefan Metzmacher Date: Thu, 10 Oct 2024 11:39:38 +0000 (+0200) Subject: libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialSta... X-Git-Tag: tdb-1.4.13~805 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3792fe372884aad6ea2893f2e62629dd1cddc129;p=thirdparty%2Fsamba.git libcli/auth: let netlogon_creds_cli_store_internal check netlogon_creds_CredentialState_legacy Before storing the structure into a ctdb managed volatile database we check against netlogon_creds_CredentialState_legacy (the structure used before recent changes). This makes sure unpatched cluster nodes would not get a parsing error. We'll remove this again in master when we try to implement netr_ServerAuthenticateKerberos() and the related changes to netlogon_creds_CredentialState, which will break the compat... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall
---
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 1b9d26171e1..07547a9178c 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -752,6 +752,7 @@ static NTSTATUS netlogon_creds_cli_store_internal(
 enum ndr_err_code ndr_err;
 DATA_BLOB blob;
 TDB_DATA data;
+ struct netlogon_creds_CredentialState_legacy lc = { .sequence = 0, };
 if (DEBUGLEVEL >= 10) {
 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
@@ -765,6 +766,18 @@ static NTSTATUS netlogon_creds_cli_store_internal(
 return status;
 }
+ ndr_err = ndr_pull_struct_blob_all(&blob, frame, &lc,
+ (ndr_pull_flags_fn_t)ndr_pull_netlogon_creds_CredentialState_legacy);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ if (DEBUGLEVEL >= 11) {
+ NDR_PRINT_DEBUG(netlogon_creds_CredentialState_legacy, &lc);
+ }
+
 data.dptr = blob.data;
 data.dsize = blob.length;
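Review bot: `lc` is declared with no comment saying it is only a throwaway parse target, and once the next hunk fills it the function holds a second plaintext copy of the 16-byte `session_key` on the stack. I would put `/* scratch copy: only used to check that the blob still parses as the legacy layout */` above the declaration and wipe it when the check is finished, e.g. `ZERO_STRUCT(lc);` after the level-11 debug print. The function starts and ends outside this hunk, so whether `blob` itself is cleared later cannot be seen here.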
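Review bot: The failure branch after `ndr_pull_struct_blob_all()` returns the mapped status without logging anything, so a blob that no longer parses as the legacy layout makes the store fail with no hint of the cause. A line such as `DBG_ERR("creds blob is not netlogon_creds_CredentialState_legacy compatible: %s\n", nt_errstr(status));` before `TALLOC_FREE(frame)` would name it. Separately, the `DEBUGLEVEL >= 11` dump prints `lc`, presumably including `session_key` and the client/server credentials, which is the same material the level-10 dump of `creds` in the previous hunk already writes; a comment such as `/* level 11 logs contain key material */` would warn whoever collects those logs. The function body continues outside the hunk.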
diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl
index 8905d514f55..9fe4b7aed7c 100644
--- a/librpc/idl/schannel.idl
+++ b/librpc/idl/schannel.idl
@@ -85,6 +85,19 @@ interface schannel
 netlogon_creds_CredentialState_extra_info *ex;
 } netlogon_creds_CredentialState;
+ typedef [public,flag(NDR_PAHEX)] struct {
+ netr_NegotiateFlags negotiate_flags;
+ uint8 session_key[16];
+ uint32 sequence;
+ netr_Credential seed;
+ netr_Credential client;
+ netr_Credential server;
+ netr_SchannelType secure_channel_type;
+ [string,charset(UTF8)] uint8 computer_name[];
+ [string,charset(UTF8)] uint8 account_name[];
+ dom_sid *sid;
+ } netlogon_creds_CredentialState_legacy;
+
 /* This is used in the schannel_store.tdb */
 typedef [public] struct {
 [string,charset(UTF16)] uint16 *computer_name;
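Review bot: The new `netlogon_creds_CredentialState_legacy` typedef has no comment, so nothing in the IDL says that it is a frozen copy of the old layout used only for the compatibility check in `netlogon_creds_cli_store_internal()`. I would add `/* Frozen pre-change layout of netlogon_creds_CredentialState, used only to verify stored blobs still parse on unpatched cluster nodes; do not extend. */` above the typedef. The struct carries `session_key` and is `[public]` with `NDR_PAHEX`, so its generated print function will presumably hex-dump the key wherever it is called. The `schannel_store.tdb` typedef that follows continues outside the hunk.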