From: Stefan Metzmacher
Date: Fri, 14 Feb 2025 19:02:30 +0000 (+0100)
Subject: libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds
X-Git-Tag: tevent-0.17.0~679
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97e256566ffe42fc1bb62623b658247b5d899bde;p=thirdparty%2Fsamba.git

libcli/auth: pass trust_forest_domain_info array to NTLMv2_RESPONSE_verify_netlogon_creds

This will be used in the next commits in order to implement MS-NRPC 3.5.4.5.1.1 Pass-through domain name validation.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme
---
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 8a9087bb647..792823ed242 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -217,11 +217,21 @@ bool SMBNTLMv2encrypt(TALLOC_CTX *mem_ctx,
 const DATA_BLOB *names_blob,
 DATA_BLOB *lm_response, DATA_BLOB *nt_response,
 DATA_BLOB *lm_session_key, DATA_BLOB *user_session_key) ;
+struct lsa_TrustDomainInfoInfoEx;
+struct lsa_ForestTrustInformation2;
+struct trust_forest_domain_info {
+ bool is_local_forest;
+ bool is_checked_trust;
+ struct lsa_TrustDomainInfoInfoEx *tdo;
+ struct lsa_ForestTrustInformation2 *fti;
+};
 NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 const char *account_domain,
 const DATA_BLOB response,
 const struct netlogon_creds_CredentialState *creds,
- const char *workgroup);
+ const char *workgroup,
+ size_t num_domains,
+ const struct trust_forest_domain_info *domains);
 /***********************************************************
 encode a password buffer with a unicode password. The buffer
diff --git a/libcli/auth/smbencrypt.c b/libcli/auth/smbencrypt.c
index 53ad3d5dc15..cd60f207148 100644
--- a/libcli/auth/smbencrypt.c
+++ b/libcli/auth/smbencrypt.c
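Review bot: The new `struct trust_forest_domain_info` in libcli/auth/proto.h carries no comment saying what `is_local_forest` and `is_checked_trust` assert or who owns `tdo` and `fti`, although per the commit message these fields are meant to feed the pass-through domain name validation. I would add a short block comment above the struct giving each flag's meaning and stating that the pointers are borrowed from the caller, and a line on the prototype such as `/* domains may be NULL only if num_domains == 0 */`. The `const` on `const struct trust_forest_domain_info *domains` is also only shallow, since `tdo` and `fti` are non-const pointers; if the later commits only read them, declaring them as `const struct lsa_TrustDomainInfoInfoEx *tdo;` and `const struct lsa_ForestTrustInformation2 *fti;` would make that read-only contract explicit.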
@@ -741,7 +741,9 @@ NTSTATUS NTLMv2_RESPONSE_verify_netlogon_creds(const char *account_name,
 const char *account_domain,
 const DATA_BLOB response,
 const struct netlogon_creds_CredentialState *creds,
- const char *workgroup)
+ const char *workgroup,
+ size_t num_domains,
+ const struct trust_forest_domain_info *domains)
 {
 TALLOC_CTX *frame = NULL;
 /* RespType + HiRespType */
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 2a5bfb40a55..ab661931b2c 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1646,13 +1646,17 @@ static NTSTATUS _netr_NTLMv2_RESPONSE_verify(
 TALLOC_CTX *frame = talloc_stackframe();
 const char *workgroup = lp_workgroup();
 NTSTATUS status;
+ size_t num_trusts = 0;
+ struct trust_forest_domain_info *trusts = NULL;
 status = NTLMv2_RESPONSE_verify_netlogon_creds(
 user_info->client.account_name,
 user_info->client.domain_name,
 user_info->password.response.nt,
 creds,
- workgroup);
+ workgroup,
+ num_trusts,
+ trusts);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 3af9ce6f225..e1d66a86cdf 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1424,13 +1424,17 @@ static NTSTATUS dcesrv_netr_NTLMv2_RESPONSE_verify(
 struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
 const char *workgroup = lpcfg_workgroup(lp_ctx);
 NTSTATUS status;
+ size_t num_trusts = 0;
+ struct trust_forest_domain_info *trusts = NULL;
 status = NTLMv2_RESPONSE_verify_netlogon_creds(
 user_info->client.account_name,
 user_info->client.domain_name,
 user_info->password.response.nt,
 creds,
- workgroup);
+ workgroup,
+ num_trusts,
+ trusts);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;
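Review bot: The new `num_domains` and `domains` parameters of `NTLMv2_RESPONSE_verify_netlogon_creds` in libcli/auth/smbencrypt.c are not used in the lines shown, and nothing yet says what an empty array means or rejects an inconsistent length/pointer pair; the body continues outside the hunk, so this is judged from the signature alone. Because the array is meant to drive a validation step, the empty case should be defined before any code depends on it, for example with a comment at the top of the body: `/* an empty domains array must not widen what is accepted */`. Once the array is indexed, a guard such as `if (num_domains > 0 && domains == NULL) { return NT_STATUS_INVALID_PARAMETER; }` ahead of the first access would keep a caller bug from becoming a NULL dereference.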
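Review bot: Both netlogon servers pass a hard-coded empty list (`num_trusts = 0`, `trusts = NULL`) with nothing marking it as a placeholder, here in `_netr_NTLMv2_RESPONSE_verify` and identically in `dcesrv_netr_NTLMv2_RESPONSE_verify` in source4/rpc_server/netlogon/dcerpc_netlogon.c. If the library-side validation lands before these callers are filled in, it would run with no trust information, and whether that skips the check or rejects every request depends on how the empty case ends up being defined. I would put a comment on the two declarations, e.g. `/* placeholder: no trust info is passed yet, so no pass-through domain name validation can happen for this caller */`, so that the gap is visible at the call site. Both functions start and end outside their hunks.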