From: Stefan Metzmacher Date: Fri, 14 Feb 2025 21:57:20 +0000 (+0100) Subject: libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name X-Git-Tag: tevent-0.17.0~675 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8bbea061409cd36352f10125a318955c11e48d69;p=thirdparty%2Fsamba.git libcli/auth: let NTLMv2_RESPONSE_verify_netlogon_creds() return the computer_name This will be used to implement the MS-NRPC 3.5.4.5.1.2 RODC server cachability validation. Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme
---
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 792823ed242..79ab72cb852 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -231,7 +231,9 @@ NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 const struct netlogon_creds_CredentialState *creds,
 const char *workgroup,
 size_t num_domains,
- const struct trust_forest_domain_info *domains);
+ const struct trust_forest_domain_info *domains,
+ TALLOC_CTX *mem_ctx,
+ char **_computer_name);

 /***********************************************************
 encode a password buffer with a unicode password. The buffer
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 468300af437..ed9c52e0ede 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
@@ -1149,7 +1149,9 @@ NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 const struct netlogon_creds_CredentialState *creds,
 const char *workgroup,
 size_t num_domains,
- const struct trust_forest_domain_info *domains)
+ const struct trust_forest_domain_info *domains,
+ TALLOC_CTX *mem_ctx,
+ char **_computer_name)
 {
 TALLOC_CTX *frame = NULL;
 /* RespType + HiRespType */
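Review bot: The two parameters added to `NTLMv2_RESPONSE_verify_netlogon_creds()` in libcli/auth/smbencrypt.c carry no comment describing their contract, and both updated callers pass `NULL, NULL`, so nothing on the page shows the intended use. A short comment above the definition would help: `_computer_name` is optional, is reset to NULL on entry, and receives a `talloc_strdup()` copy of the `MsvAvNbComputerName` value on `mem_ctx` only when that AV pair is present, with the caller owning the string. It should also state that `mem_ctx` must not be NULL when `_computer_name` is non-NULL, because `talloc_strdup(NULL, ...)` would create an allocation without a parent. The function body continues outside this hunk.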
@@ -1159,6 +1161,10 @@ NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 enum ndr_err_code err;
 NTSTATUS status;

+ if (_computer_name != NULL) {
+ *_computer_name = NULL;
+ }
+
 if (response.length < 48) {
 /*
 * NTLMv2_RESPONSE has at least 48 bytes.
@@ -1273,6 +1279,25 @@ NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 NDR_PRINT_DEBUG(NTLMv2_RESPONSE, &v2_resp);
 }

+ if (_computer_name != NULL) {
+ const struct AV_PAIR *av_nb_cn = NULL;
+ const char *nb_cn = NULL;
+
+ av_nb_cn = ndr_ntlmssp_find_av(&v2_resp.Challenge.AvPairs,
+ MsvAvNbComputerName);
+ if (av_nb_cn != NULL) {
+ nb_cn = av_nb_cn->Value.AvNbComputerName;
+ }
+
+ if (nb_cn != NULL) {
+ *_computer_name = talloc_strdup(mem_ctx, nb_cn);
+ if (*_computer_name == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ }
+
 switch (creds->secure_channel_type) {
 case SEC_CHAN_NULL:
 case SEC_CHAN_LOCAL:
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index aadea689501..39bf2b30841 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1881,7 +1881,9 @@ static NTSTATUS _netr_NTLMv2_RESPONSE_verify(
 creds,
 workgroup,
 num_trusts,
- trusts);
+ trusts,
+ NULL, /* mem_ctx */
+ NULL); /* _computer_name */
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f9919466ba4..f8a363734b1 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1555,7 +1555,9 @@ static NTSTATUS dcesrv_netr_NTLMv2_RESPONSE_verify(
 creds,
 workgroup,
 num_trusts,
- trusts);
+ trusts,
+ NULL, /* mem_ctx */
+ NULL); /* _computer_name */
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;
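Review bot: In the `@@ -1273,6 +1279,25 @@` hunk of libcli/auth/smbencrypt.c, `*_computer_name` is allocated before the `switch (creds->secure_channel_type)` checks that follow, so any failure return after this point would hand the caller a non-NULL string together with an error status. The value is read from `v2_resp.Challenge.AvPairs`, which is presumably parsed from the peer-supplied response blob, so a caller using it for the RODC cachability decision should only ever see it alongside `NT_STATUS_OK`. Either move the block to just before the successful return, or reset the output on the later error paths with `if (_computer_name != NULL) { TALLOC_FREE(*_computer_name); }`. The rest of the function lies outside the hunk, so whether later paths already handle this cannot be confirmed from here.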