libcli/auth: remember client_requested_flags and auth_time in netlogon_creds_server_i...
authorStefan Metzmacher <metze@samba.org>
Wed, 2 Oct 2024 17:06:59 +0000 (19:06 +0200)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:12 +0000 (10:39 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)

libcli/auth/credentials.c
libcli/auth/proto.h
librpc/idl/schannel.idl
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 07b146579f6722854fa78638a6059e94760cd34e..59db4bc28ea77300227dbb92f8ab1e861f2b2fa1 100644 (file)
@@ -657,11 +657,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 uint32_t client_requested_flags,
                                                                  const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags)
 {
 
        struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+       struct timeval tv = timeval_current();
+       NTTIME now = timeval_to_nttime(&tv);
        NTSTATUS status;
        bool ok;
 
@@ -707,6 +710,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                talloc_free(creds);
                return NULL;
        }
+       creds->ex->client_requested_flags = client_requested_flags;
+       creds->ex->auth_time = now;
        creds->ex->client_sid = *client_sid;
 
        if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
index edc3284d32cd0a2467f14aefe1e66e36c6a64831..3094292657abc53a479b753d11b79a794d2bdede 100644 (file)
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 uint32_t client_requested_flags,
                                                                  const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
index ad296f48d845da94de0bb26390049f5800e3724a..619e9e5591c6a793fbd74894c5b1f7bd68c5e947 100644 (file)
@@ -22,6 +22,8 @@ interface schannel
                 * On the server we use CLEAR_IF_FIRST,
                 * so db layout changes don't matter there.
                 */
+               netr_NegotiateFlags client_requested_flags;
+               NTTIME auth_time;
                dom_sid client_sid;
        } netlogon_creds_CredentialState_extra_info;
 
index bce18636b523805fdc7685596e6f1d32fde2b28e..384191f76e490a5e8dc7b41b4581910890ced68b 100644 (file)
@@ -1010,6 +1010,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                                           &mach_pwd,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          in_neg_flags,
                                           &sid,
                                           neg_flags);
        if (!creds) {
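Review bot: `in_neg_flags` is passed as the client-requested flags, but its assignment is outside the hunk, so it is not visible whether it still holds the raw `*r->in.negotiate_flags` at this point or has already been masked into `neg_flags`; if it were masked, the recorded requested flags would merely duplicate the negotiated ones. The source4 helper names the same value `client_flags`, matching the new parameter name; renaming here, `client_flags,`, would make the intent clear at the call site. _netr_ServerAuthenticate3 starts and ends outside the hunk.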
index 439383cafc687dc7a76db8fa930f20abf13600e4..4fb2a777404998c1a400cd3f0e55983bc3ff78bc 100644 (file)
@@ -416,6 +416,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                      "samAccountName",
                                      NULL};
        uint32_t server_flags = 0;
+       uint32_t client_flags = 0;
        uint32_t negotiate_flags = 0;
 
        ZERO_STRUCTP(r->out.return_credentials);
@@ -509,7 +510,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
         * NETLOGON_NEG_STRONG_KEYS from server_flags...
         */
 
-       negotiate_flags = *r->in.negotiate_flags & server_flags;
+       client_flags = *r->in.negotiate_flags;
+       negotiate_flags = client_flags & server_flags;
 
        switch (r->in.secure_channel_type) {
        case SEC_CHAN_WKSTA:
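Review bot: The split into `client_flags` and `negotiate_flags` has no comment saying why the unmasked value is now kept, and the surrounding comment only discusses removing NETLOGON_NEG_STRONG_KEYS from server_flags. A one-line comment above the assignment, `/* keep the raw client proposal: it is recorded in creds->ex->client_requested_flags, while negotiate_flags is what we actually use */`, would explain it. The same `client_flags` is passed in both the curNtHash and prevNtHash attempts later in the function, which is consistent; dcesrv_netr_ServerAuthenticate3_helper starts and ends outside the hunk.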
@@ -782,6 +784,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                           curNtHash,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          client_flags,
                                           *sid,
                                           negotiate_flags);
        if (creds == NULL && prevNtHash != NULL) {
@@ -800,6 +803,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                                   prevNtHash,
                                                   r->in.credentials,
                                                   r->out.return_credentials,
+                                                  client_flags,
                                                   *sid,
                                                   negotiate_flags);
        }