From: Stefan Metzmacher
Date: Wed, 2 Oct 2024 16:46:43 +0000 (+0200)
Subject: libcli/auth: pass client_sid to netlogon_creds_server_init()
X-Git-Tag: ldb-2.9.2~49
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=878482663eb75b914155ed6b225778a0c2ae39a3;p=thirdparty%2Fsamba.git
libcli/auth: pass client_sid to netlogon_creds_server_init()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher
Reviewed-by: Douglas Bagnall
(cherry picked from commit c2ef866fca296c8f3eb1620fdd2bb9bf289d96fc)
---
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index d1875960448..236cb6fc180 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -657,6 +657,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ const struct dom_sid *client_sid,
 uint32_t negotiate_flags)
 {
 
@@ -700,6 +701,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 return NULL;
 }
 
+ creds->sid = dom_sid_dup(creds, client_sid);
+ if (creds->sid == NULL) {
+ talloc_free(creds);
+ return NULL;
+ }
+
 if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 status = netlogon_creds_init_hmac_sha256(creds,
 client_challenge,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 9f6a8b68b8b..edc3284d32c 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ const struct dom_sid *client_sid,
 uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
 const struct netr_Authenticator *received_authenticator,
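Review bot: The new `creds->sid = dom_sid_dup(creds, client_sid);` block makes the caller's SID mandatory, but nothing at that point says so: if dom_sid_dup() returns NULL for a NULL input, as I believe it does, a caller that passes no SID gets the same NULL return as an allocation failure, and both surface downstream as an authentication rejection rather than a programming error or out-of-memory condition. A short comment above the new block would record that intent, e.g. `/* client_sid is required: a NULL SID and a failed dup both fail the init */`. The enclosing netlogon_creds_server_init() starts and ends outside this hunk.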
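Review bot: The prototype in proto.h gains `client_sid` without any statement of its contract, and the neighbouring declarations carry none either, so a new caller has to read credentials.c to learn what to pass. A Doxygen-style comment on netlogon_creds_server_init() here should say that `client_sid` is the SID of the authenticating account, that it is duplicated onto the returned state so the caller keeps ownership of its own copy, and that the call fails (returns NULL) when it cannot be stored. The duplication is visible in the credentials.c hunk; whether a NULL `client_sid` is itself rejected depends on dom_sid_dup(), which this diff does not show, so that sentence should be confirmed before it is written down.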
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 53c100c7a6c..467d337f552 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1010,6 +1010,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 &mach_pwd,
 r->in.credentials,
 r->out.return_credentials,
+ &sid,
 neg_flags);
 if (!creds) {
 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
@@ -1020,12 +1021,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 goto out;
 }
 
- creds->sid = dom_sid_dup(creds, &sid);
- if (!creds->sid) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
 /* Store off the state so we can continue after client disconnect. */
 become_root();
 status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 1fc7c4d1588..4d3e2c106cd 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -768,6 +768,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 return NT_STATUS_ACCESS_DENIED;
 }
 
+ *sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
+ if (*sid == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 creds = netlogon_creds_server_init(mem_ctx,
 r->in.account_name,
 r->in.computer_name,
@@ -777,6 +782,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 curNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ *sid,
 negotiate_flags);
 if (creds == NULL && prevNtHash != NULL) {
 /*
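Review bot: With `&sid` now handed to netlogon_creds_server_init(), an allocation failure while duplicating the SID is no longer reported as NT_STATUS_NO_MEMORY (that path is deleted in the next hunk) but lands in the `if (!creds)` branch, which logs "netlogon_creds_server_check failed. Rejecting auth" and presumably returns an access-denied status. Folding an out-of-memory condition into an authentication rejection is probably acceptable here, but the message then gives an operator no hint that the cause may not be the client's credentials, and it still names server_check although the function called is server_init. If that line is touched, `DEBUG(0,("%s: netlogon_creds_server_init failed. Rejecting auth "` would at least point at the right function. _netr_ServerAuthenticate3 begins and ends outside this hunk.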
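Review bot: The new `if (*sid == NULL)` check returns NT_STATUS_ACCESS_DENIED without logging anything, so an account record that lacks an objectSid, or an allocation failure inside samdb_result_dom_sid(), is indistinguishable in the logs from a wrong machine password. A `DBG_ERR("no objectSid for account %s\n", r->in.account_name);` before the return would let an operator tell a directory-data problem from a genuine authentication failure. Note also that `*sid` is now populated before the credential check rather than after it, so it holds a value even when the helper later fails; the caller, which is outside this hunk, should treat it as meaningful only on a successful return. dcesrv_netr_ServerAuthenticate3_helper starts and ends outside the hunk.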
@@ -794,14 +800,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 prevNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ *sid,
 negotiate_flags);
 }
 
 if (creds == NULL) {
 return NT_STATUS_ACCESS_DENIED;
 }
- creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
- *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 
 nt_status = schannel_save_creds_state(mem_ctx,
 dce_call->conn->dce_ctx->lp_ctx,