libcli/auth: pass client_sid to netlogon_creds_server_init()
authorStefan Metzmacher <metze@samba.org>
Wed, 2 Oct 2024 16:46:43 +0000 (18:46 +0200)
committerJule Anger <janger@samba.org>
Wed, 13 Nov 2024 10:39:11 +0000 (10:39 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)

libcli/auth/credentials.c
libcli/auth/proto.h
source3/rpc_server/netlogon/srv_netlog_nt.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index d18759604480875094b2b7f86f629d3fcb2fe68f..236cb6fc180307c321f5943b712bbc0cfec070ae 100644 (file)
@@ -657,6 +657,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags)
 {
 
@@ -700,6 +701,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                return NULL;
        }
 
+       creds->sid = dom_sid_dup(creds, client_sid);
+       if (creds->sid == NULL) {
+               talloc_free(creds);
+               return NULL;
+       }
+
        if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                status = netlogon_creds_init_hmac_sha256(creds,
                                                         client_challenge,
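Review bot: The new `client_sid` parameter at the top of the first hunk is undocumented, and the second hunk makes it mandatory without saying so: if `dom_sid_dup()` returns NULL for a NULL input (as I believe it does) the whole init now fails with the same bare `return NULL` used for a credential mismatch, so a caller passing a NULL SID sees an authentication failure with no hint why. A one-line comment above the new block would make the contract explicit: `/* client_sid is mandatory: a NULL or unduplicable SID aborts the init (fail closed) */`. The same parameter appears in the proto.h declaration, which is where a short description of its meaning belongs. The body of netlogon_creds_server_init continues outside both hunks, so I could not confirm that the earlier `return NULL;` path at the top of the second hunk frees `creds` the way the new path does; the two paths should agree.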
index 9f6a8b68b8b1368e78361978578eec41c204103f..edc3284d32cd0a2467f14aefe1e66e36c6a64831 100644 (file)
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
                                                                  const struct samr_Password *machine_password,
                                                                  const struct netr_Credential *credentials_in,
                                                                  struct netr_Credential *credentials_out,
+                                                                 const struct dom_sid *client_sid,
                                                                  uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
                                 const struct netr_Authenticator *received_authenticator,
index 53c100c7a6c55385e9bf4bfc3ec4ab999ae5db9a..467d337f55298737971c71c54cec42819fa193b1 100644 (file)
@@ -1010,6 +1010,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                                           &mach_pwd,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          &sid,
                                           neg_flags);
        if (!creds) {
                DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
@@ -1020,12 +1021,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
                goto out;
        }
 
-       creds->sid = dom_sid_dup(creds, &sid);
-       if (!creds->sid) {
-               status = NT_STATUS_NO_MEMORY;
-               goto out;
-       }
-
        /* Store off the state so we can continue after client disconnect. */
        become_root();
        status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
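Review bot: With the `dom_sid_dup()` block removed in the second hunk, an allocation failure while copying the SID is now reported through the `if (!creds)` branch of the first hunk, whose DEBUG message says "netlogon_creds_server_check failed" and whose status is set outside the hunk (presumably NT_STATUS_ACCESS_DENIED rather than the NT_STATUS_NO_MEMORY the deleted code returned). That is a reasonable fail-closed trade-off, but the log line now hides two distinct causes behind a function name that is not even the one being called. I would at least name the right function and the possible causes: `DEBUG(0,("%s: netlogon_creds_server_init failed (credential mismatch or out of memory). Rejecting auth "`. _netr_ServerAuthenticate3 starts before and ends after these hunks.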
index 1fc7c4d15882325bcc658cb9cb6c1f9f631ec4ce..4d3e2c106cd8949cc73a8a6b3bea2046c936ea11 100644 (file)
@@ -768,6 +768,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                return NT_STATUS_ACCESS_DENIED;
        }
 
+       *sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
+       if (*sid == NULL) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        creds = netlogon_creds_server_init(mem_ctx,
                                           r->in.account_name,
                                           r->in.computer_name,
@@ -777,6 +782,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                           curNtHash,
                                           r->in.credentials,
                                           r->out.return_credentials,
+                                          *sid,
                                           negotiate_flags);
        if (creds == NULL && prevNtHash != NULL) {
                /*
@@ -794,14 +800,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
                                                   prevNtHash,
                                                   r->in.credentials,
                                                   r->out.return_credentials,
+                                                  *sid,
                                                   negotiate_flags);
        }
 
        if (creds == NULL) {
                return NT_STATUS_ACCESS_DENIED;
        }
-       creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
-       *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 
        nt_status = schannel_save_creds_state(mem_ctx,
                                              dce_call->conn->dce_ctx->lp_ctx,
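Review bot: In the first hunk `*sid` is now written before authentication has succeeded, so on the NT_STATUS_ACCESS_DENIED return in the third hunk (`creds == NULL`) the caller's out-parameter holds the account's SID where the removed code left it untouched; either the helper's contract should say `*sid` is only meaningful on success, or the failure path should clear it: `*sid = NULL;` before `return NT_STATUS_ACCESS_DENIED;`. Separately, the new NULL check in the first hunk turns both "account has no objectSid" and an allocation failure into an unlogged ACCESS_DENIED; a `DBG_WARNING("no objectSid for account %s\n", r->in.account_name);` inside that branch would let an operator tell a directory problem from a rejected client. The checks otherwise fail closed, which is an improvement over the unchecked assignment the commit removes. dcesrv_netr_ServerAuthenticate3_helper starts before the first hunk and continues after the last one.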