r13402: Make Samba4 pass a nastier RPC-SCHANNEL test.
authorAndrew Bartlett <abartlet@samba.org>
Thu, 9 Feb 2006 02:30:43 +0000 (02:30 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:51:53 +0000 (13:51 -0500)
The new RPC-SCHANNEL test shows that the full credentials state must
be kept in some shared memory, for some length of time.  In
particular, clients will reconnect with SCHANNEL (after loosing all
connections) and expect that the credentials chain will remain in the
same place.

To achive this, we do the server-side crypto in a transaction,
including the fetch/store of the shared state.

Andrew Bartlett

source/auth/gensec/schannel.c
source/auth/gensec/schannel_sign.c
source/auth/gensec/schannel_state.c
source/rpc_server/netlogon/dcerpc_netlogon.c
source/torture/rpc/schannel.c

index dd0bc1eddde4b54cf5093d62070aba06e64d081c..10c8f9853a0cf0693aed7579f27f43c3a54865ff 100644 (file)
@@ -149,7 +149,7 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
                               TALLOC_CTX *mem_ctx,
                               struct creds_CredentialState **creds)
 { 
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
 
        *creds = talloc_reference(mem_ctx, state->creds);
        if (!*creds) {
@@ -167,7 +167,7 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
                                         struct auth_session_info **_session_info) 
 {
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
        return auth_anonymous_session_info(state, _session_info);
 }
 
index f143ccd4c7f724bc6f310e480ff0383b0faca5df..b4549ddefd014418d5ab041985c90da45b66d1fa 100644 (file)
@@ -105,7 +105,7 @@ NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
                                const uint8_t *whole_pdu, size_t pdu_length, 
                                const DATA_BLOB *sig)
 {
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
        
        uint8_t digest_final[16];
        uint8_t confounder[8];
@@ -156,7 +156,7 @@ NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
                               const uint8_t *whole_pdu, size_t pdu_length, 
                               const DATA_BLOB *sig)
 {
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
 
        uint8_t digest_final[16];
        uint8_t seq_num[8];
@@ -204,7 +204,7 @@ NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
                              const uint8_t *whole_pdu, size_t pdu_length, 
                              DATA_BLOB *sig)
 {
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
 
        uint8_t digest_final[16];
        uint8_t confounder[8];
@@ -252,7 +252,7 @@ NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
                              const uint8_t *whole_pdu, size_t pdu_length, 
                              DATA_BLOB *sig)
 {
-       struct schannel_state *state = gensec_security->private_data;
+       struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
 
        uint8_t digest_final[16];
        uint8_t seq_num[8];
index 7ef64ca00b33bbb1b5fa650b8770fe0d8ef3e702..a73e450ec81d99ffb21658172de90672dcda20bd 100644 (file)
@@ -29,7 +29,7 @@
 /*
   connect to the schannel ldb
 */
-static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx)
+struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx)
 {
        char *path;
        struct ldb_context *ldb;
@@ -64,44 +64,35 @@ static struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx)
   remember an established session key for a netr server authentication
   use a simple ldb structure
 */
-NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
-                                   struct creds_CredentialState *creds)
+NTSTATUS schannel_store_session_key_ldb(TALLOC_CTX *mem_ctx,
+                                       struct ldb_context *ldb,
+                                       struct creds_CredentialState *creds)
 {
-       struct ldb_context *ldb;
        struct ldb_message *msg;
-       struct ldb_val val, seed;
+       struct ldb_val val, seed, client_state, server_state;
        char *f;
        char *sct;
        int ret;
 
-       ldb = schannel_db_connect(mem_ctx);
-       if (ldb == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
        f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
 
        if (f == NULL) {
-               talloc_free(ldb);
                return NT_STATUS_NO_MEMORY;
        }
 
        sct = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->secure_channel_type);
 
        if (sct == NULL) {
-               talloc_free(ldb);
                return NT_STATUS_NO_MEMORY;
        }
 
        msg = ldb_msg_new(ldb);
        if (msg == NULL) {
-               talloc_free(ldb);
                return NT_STATUS_NO_MEMORY;
        }
 
        msg->dn = ldb_dn_build_child(msg, "computerName", creds->computer_name, NULL);
        if (msg->dn == NULL) {
-               talloc_free(ldb);
                return NT_STATUS_NO_MEMORY;
        }
 
@@ -111,9 +102,16 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
        seed.data = creds->seed.data;
        seed.length = sizeof(creds->seed.data);
 
+       client_state.data = creds->client.data;
+       client_state.length = sizeof(creds->client.data);
+       server_state.data = creds->server.data;
+       server_state.length = sizeof(creds->server.data);
+
        ldb_msg_add_string(msg, "objectClass", "schannelState");
        ldb_msg_add_value(msg, "sessionKey", &val);
        ldb_msg_add_value(msg, "seed", &seed);
+       ldb_msg_add_value(msg, "clientState", &client_state);
+       ldb_msg_add_value(msg, "serverState", &server_state);
        ldb_msg_add_string(msg, "negotiateFlags", f);
        ldb_msg_add_string(msg, "secureChannelType", sct);
        ldb_msg_add_string(msg, "accountName", creds->account_name);
@@ -121,49 +119,65 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
        ldb_msg_add_string(msg, "flatname", creds->domain);
        samdb_msg_add_dom_sid(ldb, mem_ctx, msg, "objectSid", creds->sid);
 
-       ret = ldb_transaction_start(ldb);
+       ldb_delete(ldb, msg->dn);
+
+       ret = ldb_add(ldb, msg);
+
        if (ret != 0) {
-               DEBUG(0,("Unable to start transaction to add %s to session key db - %s\n", 
+               DEBUG(0,("Unable to add %s to session key db - %s\n", 
                         ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb)));
-               talloc_free(ldb);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
-       ldb_delete(ldb, msg->dn);
+       return NT_STATUS_OK;
+}
 
-       ret = ldb_add(ldb, msg);
+NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
+                                   struct creds_CredentialState *creds)
+{
+       struct ldb_context *ldb;
+       NTSTATUS nt_status;
+       int ret;
+               
+       ldb = schannel_db_connect(mem_ctx);
+       if (!ldb) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
 
+       ret = ldb_transaction_start(ldb);
        if (ret != 0) {
-               DEBUG(0,("Unable to add %s to session key db - %s\n", 
-                        ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb)));
                talloc_free(ldb);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
-       ret = ldb_transaction_commit(ldb);
+       nt_status = schannel_store_session_key_ldb(mem_ctx, ldb, creds);
+
+       if (NT_STATUS_IS_OK(nt_status)) {
+               ret = ldb_transaction_commit(ldb);
+       } else {
+               ret = ldb_transaction_cancel(ldb);
+       }
 
        if (ret != 0) {
-               DEBUG(0,("Unable to commit adding %s to session key db - %s\n", 
-                        ldb_dn_linearize(msg, msg->dn), ldb_errstring(ldb)));
+               DEBUG(0,("Unable to commit adding credentials for %s to schannel key db - %s\n", 
+                        creds->computer_name, ldb_errstring(ldb)));
                talloc_free(ldb);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
        talloc_free(ldb);
-
-       return NT_STATUS_OK;
+       return nt_status;
 }
 
-
 /*
   read back a credentials back for a computer
 */
-NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
-                                   const char *computer_name, 
-                                   const char *domain,
-                                   struct creds_CredentialState **creds)
+NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx,
+                                       struct ldb_context *ldb,
+                                       const char *computer_name, 
+                                       const char *domain, 
+                                       struct creds_CredentialState **creds)
 {
-       struct ldb_context *ldb;
        struct ldb_result *res;
        int ret;
        const struct ldb_val *val;
@@ -174,27 +188,21 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       ldb = schannel_db_connect(mem_ctx);
-       if (ldb == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       expr = talloc_asprintf(mem_ctx, "(&(computerName=%s)(flatname=%s))", computer_name, domain);
+       expr = talloc_asprintf(mem_ctx, "(&(computerName=%s)(flatname=%s))", 
+                              computer_name, domain);
        if (expr == NULL) {
-               talloc_free(ldb);
                return NT_STATUS_NO_MEMORY;
        }
 
        ret = ldb_search(ldb, NULL, LDB_SCOPE_SUBTREE, expr, NULL, &res);
        if (ret != LDB_SUCCESS || res->count != 1) {
-               talloc_free(ldb);
+               DEBUG(3,("schannel: Failed to find a record for client: %s\n", computer_name));
                return NT_STATUS_INVALID_HANDLE;
        }
 
        val = ldb_msg_find_ldb_val(res->msgs[0], "sessionKey");
        if (val == NULL || val->length != 16) {
                DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
-               talloc_free(ldb);
                return NT_STATUS_INTERNAL_ERROR;
        }
 
@@ -203,12 +211,25 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
        val = ldb_msg_find_ldb_val(res->msgs[0], "seed");
        if (val == NULL || val->length != 8) {
                DEBUG(1,("schannel: record in schannel DB must contain a vaid seed of length 8, when searching for client: %s\n", computer_name));
-               talloc_free(ldb);
                return NT_STATUS_INTERNAL_ERROR;
        }
 
        memcpy((*creds)->seed.data, val->data, 8);
 
+       val = ldb_msg_find_ldb_val(res->msgs[0], "clientState");
+       if (val == NULL || val->length != 8) {
+               DEBUG(1,("schannel: record in schannel DB must contain a vaid clientState of length 8, when searching for client: %s\n", computer_name));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       memcpy((*creds)->client.data, val->data, 8);
+
+       val = ldb_msg_find_ldb_val(res->msgs[0], "serverState");
+       if (val == NULL || val->length != 8) {
+               DEBUG(1,("schannel: record in schannel DB must contain a vaid serverState of length 8, when searching for client: %s\n", computer_name));
+               return NT_STATUS_INTERNAL_ERROR;
+       }
+       memcpy((*creds)->server.data, val->data, 8);
+
        (*creds)->negotiate_flags = ldb_msg_find_int(res->msgs[0], "negotiateFlags", 0);
 
        (*creds)->secure_channel_type = ldb_msg_find_int(res->msgs[0], "secureChannelType", 0);
@@ -221,7 +242,25 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
 
        (*creds)->sid = samdb_result_dom_sid(*creds, res->msgs[0], "objectSid");
 
-       talloc_free(ldb);
-
        return NT_STATUS_OK;
 }
+
+NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
+                                       const char *computer_name, 
+                                       const char *domain, 
+                                       struct creds_CredentialState **creds)
+{
+       NTSTATUS nt_status;
+       struct ldb_context *ldb;
+
+       ldb = schannel_db_connect(mem_ctx);
+       if (!ldb) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       nt_status = schannel_fetch_session_key_ldb(mem_ctx, ldb,
+                                                  computer_name, domain, 
+                                                  creds);
+       talloc_free(ldb);
+       return nt_status;
+}
index f3ef74641dad6936850a8ce8e1b7a1b862ef4f35..03d325020f172557c3eaf0a97a91cc5b64cbf922 100644 (file)
@@ -128,6 +128,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
                                         struct netr_ServerAuthenticate3 *r)
 {
        struct server_pipe_state *pipe_state = dce_call->context->private;
+       struct creds_CredentialState *creds;
        void *sam_ctx;
        struct samr_Password *mach_pwd;
        uint16_t acct_flags;
@@ -203,37 +204,39 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (pipe_state->creds) {
-               talloc_free(pipe_state->creds);
-       }
-       pipe_state->creds = talloc(pipe_state, struct creds_CredentialState);
-       if (!pipe_state->creds) {
+       creds = talloc(mem_ctx, struct creds_CredentialState);
+       if (!creds) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       creds_server_init(pipe_state->creds, &pipe_state->client_challenge, 
+       creds_server_init(creds, &pipe_state->client_challenge, 
                          &pipe_state->server_challenge, mach_pwd,
                          r->out.credentials,
                          *r->in.negotiate_flags);
        
-       if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
-               talloc_free(pipe_state->creds);
-               pipe_state->creds = NULL;
+       if (!creds_server_check(creds, r->in.credentials)) {
+               talloc_free(creds);
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       pipe_state->creds->account_name = talloc_steal(pipe_state->creds, r->in.account_name);
+       creds->account_name = talloc_steal(creds, r->in.account_name);
        
-       pipe_state->creds->computer_name = talloc_steal(pipe_state->creds, r->in.computer_name);
+       creds->computer_name = talloc_steal(creds, r->in.computer_name);
+       creds->domain = talloc_strdup(creds, lp_workgroup());
 
-       pipe_state->creds->secure_channel_type = r->in.secure_channel_type;
+       creds->secure_channel_type = r->in.secure_channel_type;
 
-       pipe_state->creds->sid = samdb_result_dom_sid(pipe_state->creds, msgs[0], "objectSid");
+       creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
 
-       pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup());
 
        /* remember this session key state */
-       nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds);
+       nt_status = schannel_store_session_key(mem_ctx, creds);
+
+       if (pipe_state->creds) {
+               talloc_free(pipe_state->creds);
+       }
+       talloc_steal(pipe_state, creds);
+       pipe_state->creds = creds;
 
        return nt_status;
 }
@@ -285,29 +288,76 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL
 
 
 static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
+                                            TALLOC_CTX *mem_ctx, 
                                             struct netr_Authenticator *received_authenticator,
-                                            struct netr_Authenticator *return_authenticator) 
+                                            struct netr_Authenticator *return_authenticator,
+                                            struct creds_CredentialState **creds_out) 
 {
+       struct creds_CredentialState *creds;
+       NTSTATUS nt_status;
+       struct ldb_context *ldb;
+       int ret;
+
        if (!pipe_state) {
                DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       return creds_server_step_check(pipe_state->creds, 
-                                      received_authenticator, 
-                                      return_authenticator);
+       ldb = schannel_db_connect(mem_ctx);
+       if (!ldb) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       ret = ldb_transaction_start(ldb);
+       if (ret != 0) {
+               talloc_free(ldb);
+               return NT_STATUS_INTERNAL_DB_CORRUPTION;
+       }
+
+       /* Because this is a shared structure (even across
+        * disconnects) we must update the database every time we
+        * update the structure */ 
+       
+       nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name, 
+                                                  pipe_state->creds->domain, &creds);
+       if (NT_STATUS_IS_OK(nt_status)) {
+               nt_status = creds_server_step_check(creds, 
+                                                   received_authenticator, 
+                                                   return_authenticator);
+       }
+       if (NT_STATUS_IS_OK(nt_status)) {
+               nt_status = schannel_store_session_key_ldb(ldb, ldb, creds);
+       }
+
+       if (NT_STATUS_IS_OK(nt_status)) {
+               ldb_transaction_commit(ldb);
+               if (creds_out) {
+                       *creds_out = creds;
+                       talloc_steal(mem_ctx, creds);
+               }
+       } else {
+               ldb_transaction_cancel(ldb);
+       }
+       talloc_free(ldb);
+       return nt_status;
 }
 
+/* 
+  Change the machine account password for the currently connected
+  client.  Supplies only the NT#.
+*/
 
 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                       struct netr_ServerPasswordSet *r)
 {
        struct server_pipe_state *pipe_state = dce_call->context->private;
-
+       struct creds_CredentialState *creds;
        struct ldb_context *sam_ctx;
        NTSTATUS nt_status;
 
-       nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
+       nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+                                                &r->in.credential, &r->out.return_authenticator,
+                                                &creds);
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
        sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
@@ -315,11 +365,11 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
                return NT_STATUS_INVALID_SYSTEM_SERVICE;
        }
 
-       creds_des_decrypt(pipe_state->creds, &r->in.new_password);
+       creds_des_decrypt(creds, &r->in.new_password);
 
        /* Using the sid for the account as the key, set the password */
        nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, 
-                                          pipe_state->creds->sid,
+                                          creds->sid,
                                           NULL, /* Don't have plaintext */
                                           NULL, &r->in.new_password,
                                           False, /* This is not considered a password change */
@@ -328,6 +378,55 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
        return nt_status;
 }
 
+/* 
+  Change the machine account password for the currently connected
+  client.  Supplies new plaintext.
+*/
+static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+                                      struct netr_ServerPasswordSet2 *r)
+{
+       struct server_pipe_state *pipe_state = dce_call->context->private;
+       struct creds_CredentialState *creds;
+       struct ldb_context *sam_ctx;
+       NTSTATUS nt_status;
+       char new_pass[512];
+       uint32_t new_pass_len;
+       BOOL ret;
+
+       struct samr_CryptPassword password_buf;
+
+       nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+                                                &r->in.credential, &r->out.return_authenticator,
+                                                &creds);
+       NT_STATUS_NOT_OK_RETURN(nt_status);
+
+       sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+       if (sam_ctx == NULL) {
+               return NT_STATUS_INVALID_SYSTEM_SERVICE;
+       }
+
+       memcpy(password_buf.data, r->in.new_password.data, 512);
+       SIVAL(password_buf.data,512,r->in.new_password.length);
+       creds_arcfour_crypt(creds, password_buf.data, 516);
+
+       ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
+                              &new_pass_len, STR_UNICODE);
+       if (!ret) {
+               DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       /* Using the sid for the account as the key, set the password */
+       nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
+                                          creds->sid,
+                                          new_pass, /* we have plaintext */
+                                          NULL, NULL,
+                                          False, /* This is not considered a password change */
+                                          False, /* don't restrict this password change (match w2k3) */
+                                          NULL, NULL);
+       return nt_status;
+}
+
 
 /* 
   netr_LogonUasLogon 
@@ -358,7 +457,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
                                     struct netr_LogonSamLogonEx *r)
 {
        struct server_pipe_state *pipe_state = dce_call->context->private;
-
+       struct creds_CredentialState *creds = pipe_state->creds;
        struct auth_context *auth_context;
        struct auth_usersupplied_info *user_info;
        struct auth_serversupplied_info *server_info;
@@ -383,15 +482,15 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
        case 3:
        case 5:
                if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-                       creds_arcfour_crypt(pipe_state->creds, 
+                       creds_arcfour_crypt(creds, 
                                            r->in.logon.password->lmpassword.hash, 
                                            sizeof(r->in.logon.password->lmpassword.hash));
-                       creds_arcfour_crypt(pipe_state->creds, 
+                       creds_arcfour_crypt(creds, 
                                            r->in.logon.password->ntpassword.hash, 
                                            sizeof(r->in.logon.password->ntpassword.hash));
                } else {
-                       creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
-                       creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
+                       creds_des_decrypt(creds, &r->in.logon.password->lmpassword);
+                       creds_des_decrypt(creds, &r->in.logon.password->ntpassword);
                }
 
                /* TODO: we need to deny anonymous access here */
@@ -459,8 +558,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
                      sizeof(sam->key.key)) != 0) {
 
                /* This key is sent unencrypted without the ARCFOUR flag set */
-               if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-                       creds_arcfour_crypt(pipe_state->creds, 
+               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+                       creds_arcfour_crypt(creds, 
                                            sam->key.key, 
                                            sizeof(sam->key.key));
                }
@@ -471,12 +570,12 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
        if ((r->in.validation_level != 6) 
            && memcmp(sam->LMSessKey.key, zeros,  
                      sizeof(sam->LMSessKey.key)) != 0) {
-               if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-                       creds_arcfour_crypt(pipe_state->creds, 
+               if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+                       creds_arcfour_crypt(creds, 
                                            sam->LMSessKey.key, 
                                            sizeof(sam->LMSessKey.key));
                } else {
-                       creds_des_encrypt_LMKey(pipe_state->creds, 
+                       creds_des_encrypt_LMKey(creds, 
                                                &sam->LMSessKey);
                }
        }
@@ -535,7 +634,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call,
        return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
        NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
 
-       nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator);
+       nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+                                                r->in.credential, return_authenticator,
+                                                NULL);
        NT_STATUS_NOT_OK_RETURN(nt_status);
 
        ZERO_STRUCT(r2);
@@ -844,8 +945,10 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
 
        const char *local_domain;
 
-       status = netr_creds_server_step_check(pipe_state, 
-                                             r->in.credential, r->out.return_authenticator);
+       status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+                                             r->in.credential, 
+                                             r->out.return_authenticator,
+                                             NULL);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
@@ -918,52 +1021,6 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
 }
 
 
-/* 
-  netr_ServerPasswordSet2 
-*/
-static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                                      struct netr_ServerPasswordSet2 *r)
-{
-       struct server_pipe_state *pipe_state = dce_call->context->private;
-
-       struct ldb_context *sam_ctx;
-       NTSTATUS nt_status;
-       char new_pass[512];
-       uint32_t new_pass_len;
-       BOOL ret;
-
-       struct samr_CryptPassword password_buf;
-
-       nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
-       if (sam_ctx == NULL) {
-               return NT_STATUS_INVALID_SYSTEM_SERVICE;
-       }
-
-       memcpy(password_buf.data, r->in.new_password.data, 512);
-       SIVAL(password_buf.data,512,r->in.new_password.length);
-       creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516);
-
-       ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
-                              &new_pass_len, STR_UNICODE);
-       if (!ret) {
-               DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
-       /* Using the sid for the account as the key, set the password */
-       nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
-                                          pipe_state->creds->sid,
-                                          new_pass, /* we have plaintext */
-                                          NULL, NULL,
-                                          False, /* This is not considered a password change */
-                                          False, /* don't restrict this password change (match w2k3) */
-                                          NULL, NULL);
-       return nt_status;
-}
-
 
 /* 
   netr_NETRSERVERPASSWORDGET 
index 8e2aa4128139ab63830c96e942ef0a962a97d32e..9084fb7ac394248248455dd2d7c24cc0f190d601 100644 (file)
@@ -393,15 +393,18 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx,
                goto failed;
        }
        
-       /* We can only do the 'ex' ops, because the original SamLogon
-        * call does shared credentials stuff Samba4 doesn't pass
-        * yet */
-
+       /* Try the schannel-only SamLogonEx operation */
        if (!test_netlogon_ex_ops(p_netlogon2, test_ctx, credentials, creds)) {
                printf("Failed to process schannel secured NETLOGON EX ops\n");
                ret = False;
        }
 
+       /* And the more traditional style */
+       if (!test_netlogon_ops(p_netlogon2, test_ctx, credentials, creds)) {
+               printf("Failed to process schannel secured NETLOGON EX ops\n");
+               ret = False;
+       }
+
        torture_leave_domain(join_ctx);
        talloc_free(test_ctx);
        return ret;