diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 236cb6fc180..342dcd95154 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -701,11 +701,15 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 return NULL;
 }
- creds->sid = dom_sid_dup(creds, client_sid);
- if (creds->sid == NULL) {
+ creds->ex = talloc_zero(creds,
+ struct netlogon_creds_CredentialState_extra_info);
+ if (creds->ex == NULL) {
 talloc_free(creds);
 return NULL;
 }
+ creds->ex->client_sid = *client_sid;
+
+ creds->sid = &creds->ex->client_sid;
 if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 status = netlogon_creds_init_hmac_sha256(creds,
@@ -1193,12 +1197,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_copy(
 return NULL;
 }
- if (creds_in->sid) {
- creds->sid = dom_sid_dup(creds, creds_in->sid);
- if (!creds->sid) {
+ if (creds_in->ex != NULL) {
+ creds->ex = talloc_zero(creds,
+ struct netlogon_creds_CredentialState_extra_info);
+ if (creds->ex == NULL) {
 talloc_free(creds);
 return NULL;
 }
+ *creds->ex = *creds_in->ex;
+ }
+
+ if (creds->ex != NULL) {
+ creds->sid = &creds->ex->client_sid;
+ } else {
+ creds->sid = NULL;
 }
 memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key));
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 2454a433819..ee7ee546baf 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -88,6 +88,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
 char *name_upper;
 NTSTATUS status;
+ if (creds->ex == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (creds->sid == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
 if (strlen(creds->computer_name) > 15) {
 /*
 * We may want to check for a completely
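Review bot: In netlogon_creds_server_init (libcli/auth/credentials.c), `creds->ex->client_sid = *client_sid;` dereferences `client_sid` unconditionally, whereas the removed code passed the pointer to `dom_sid_dup()` and returned NULL whenever that call yielded NULL, presumably including for a NULL input. If any caller can reach this with a NULL `client_sid` (not visible in the hunk), a clean failure becomes a crash in the server; a guard such as `if (client_sid == NULL) { talloc_free(creds); return NULL; }` ahead of the allocation, or a documented non-NULL contract on the parameter, would keep the failure mode explicit. The function body starts and ends outside the hunk.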
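Review bot: In netlogon_creds_copy, a source state that has `sid` set but no `ex` now produces a copy with `creds->sid = NULL`, where the removed code duplicated `creds_in->sid`. If every producer is expected to populate `ex`, that invariant should be written down at this spot, e.g. `/* sid is only ever an alias of ex->client_sid; a state without ex has no sid */`, so a caller that still fills `sid` directly does not silently lose the client SID. Separately, `*creds->ex = *creds_in->ex;` is a shallow copy, which is safe only while the extra-info struct holds no pointers; a one-line comment saying so would protect later additions to that struct. The function continues outside the hunk.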
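Review bot: The two new guards in schannel_store_session_key_tdb (libcli/auth/schannel_state_tdb.c) check that `ex` and `sid` are non-NULL but not that they agree, and with `sid` marked `[skip]` in the IDL it appears that only `ex->client_sid` is written to the database. A state whose `sid` points anywhere other than `&creds->ex->client_sid` would then persist a different SID from the one in-memory code has been reading. Tightening the second check to `if (creds->sid != &creds->ex->client_sid) { return NT_STATUS_INTERNAL_ERROR; }` would enforce the aliasing that the rest of the commit sets up. The function body continues outside the hunk.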
@@ -195,6 +203,13 @@ NTSTATUS schannel_fetch_session_key_tdb(struct db_context *db_sc,
 NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
 }
+ if (creds->ex == NULL) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto done;
+ }
+
+ creds->sid = &creds->ex->client_sid;
+
 DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n", keystr));
diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl
index 3bc8a92c92f..76b0dfd4c55 100644
--- a/librpc/idl/schannel.idl
+++ b/librpc/idl/schannel.idl
@@ -14,6 +14,17 @@ interface schannel
 {
 /* this structure is used internally in the NETLOGON server */
+ typedef [flag(NDR_PAHEX)] struct {
+ /*
+ * These were only used on the server part
+ * with a single dom_sid for the client_sid.
+ *
+ * On the server we use CLEAR_IF_FIRST,
+ * so db layout changes don't matter there.
+ */
+ dom_sid client_sid;
+ } netlogon_creds_CredentialState_extra_info;
+
 typedef [public,flag(NDR_PAHEX)] struct {
 netr_NegotiateFlags negotiate_flags;
 uint8 session_key[16];
@@ -24,7 +35,8 @@ interface schannel
 netr_SchannelType secure_channel_type;
 [string,charset(UTF8)] uint8 computer_name[];
 [string,charset(UTF8)] uint8 account_name[];
- dom_sid *sid;
+ [skip] dom_sid *sid;
+ netlogon_creds_CredentialState_extra_info *ex;
 } netlogon_creds_CredentialState;
 /* This is used in the schannel_store.tdb */
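Review bot: The new `creds->ex == NULL` branch in schannel_fetch_session_key_tdb rejects the record without logging anything, while the success path directly below it logs at level 3. Because this condition means the stored record does not carry the expected extra-info block, a message naming the key would make it diagnosable, for example `DEBUG(0,("schannel_fetch_session_key_tdb: record %s has no extra info\n", keystr));` before the `goto done;`. The `done` label lies outside the hunk, so whether `creds` is released on this path cannot be confirmed from here.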
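Review bot: The comment on the new extra-info struct in librpc/idl/schannel.idl justifies the layout change by the server database being opened with CLEAR_IF_FIRST, but the state struct that embeds it is declared `[public]` in the context lines right below. It would help if the comment also stated that nothing else unmarshals netlogon_creds_CredentialState from a store that outlives a restart or is shared between builds, or named the exception if there is one. The opening words 'These were only used on the server part' also leave 'These' without a referent; 'The fields of this struct' would read more clearly.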
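Review bot: In the second schannel.idl hunk, `[skip] dom_sid *sid;` turns `sid` into a field that is presumably neither pushed nor pulled, so after unmarshalling it is only valid once some code re-points it, which the fetch hunk in schannel_state_tdb.c does by hand. That contract is not written anywhere on the field; a comment such as `/* not marshalled: alias of &ex->client_sid, must be set again after ndr_pull */` above the line would warn other consumers of this struct against dereferencing a stale or NULL `sid`. The struct definition starts outside the hunk.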