libcli/auth: split out netlogon_creds_CredentialState_extra_info

As server we are free to change the netlogon_creds_CredentialState
database record format at will as it uses CLEAR_IF_FIRST.

For now that format doesn't really changes, because we
only move dom_sid into a wrapper structure.

In order to avoid changing all callers in this commit,
we maintain creds->sid as in memory pointer.

In the following patches we'll also use it in order
to store client related information...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 518f57b93bdb84900d3b58cd94bdf1046f82a5a6)

libcli/auth/credentials.c

@@ -701,11 +701,15 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 		return NULL;
 	}
 
-	creds->sid = dom_sid_dup(creds, client_sid);
+	creds->ex = talloc_zero(creds,
-	if (creds->sid == NULL) {
+			struct netlogon_creds_CredentialState_extra_info);
+	if (creds->ex == NULL) {
 		talloc_free(creds);
 		return NULL;
 	}
+	creds->ex->client_sid = *client_sid;
+
+	creds->sid = &creds->ex->client_sid;
 
 	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 		status = netlogon_creds_init_hmac_sha256(creds,
@@ -1193,12 +1197,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_copy(
 		return NULL;
 	}
 
-	if (creds_in->sid) {
+	if (creds_in->ex != NULL) {
-		creds->sid = dom_sid_dup(creds, creds_in->sid);
+		creds->ex = talloc_zero(creds,
-		if (!creds->sid) {
+			struct netlogon_creds_CredentialState_extra_info);
+		if (creds->ex == NULL) {
 			talloc_free(creds);
 			return NULL;
 		}
+		*creds->ex = *creds_in->ex;
+	}
+
+	if (creds->ex != NULL) {
+		creds->sid = &creds->ex->client_sid;
+	} else {
+		creds->sid = NULL;
 	}
 
 	memcpy(creds->session_key, creds_in->session_key, sizeof(creds->session_key));

libcli/auth/schannel_state_tdb.c

@@ -88,6 +88,14 @@ NTSTATUS schannel_store_session_key_tdb(struct db_context *db_sc,
 	char *name_upper;
 	NTSTATUS status;
 
+	if (creds->ex == NULL) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	if (creds->sid == NULL) {
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	if (strlen(creds->computer_name) > 15) {
 		/*
 		 * We may want to check for a completely
@@ -195,6 +203,13 @@ NTSTATUS schannel_fetch_session_key_tdb(struct db_context *db_sc,
 		NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
 	}
 
+	if (creds->ex == NULL) {
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto done;
+	}
+
+	creds->sid = &creds->ex->client_sid;
+
 	DEBUG(3,("schannel_fetch_session_key_tdb: restored schannel info key %s\n",
 		keystr));
 

librpc/idl/schannel.idl

@@ -14,6 +14,17 @@ interface schannel
 {
 	/* this structure is used internally in the NETLOGON server */
 
+	typedef [flag(NDR_PAHEX)] struct {
+		/*
+		 * These were only used on the server part
+		 * with a single dom_sid for the client_sid.
+		 *
+		 * On the server we use CLEAR_IF_FIRST,
+		 * so db layout changes don't matter there.
+		 */
+		dom_sid client_sid;
+	} netlogon_creds_CredentialState_extra_info;
+
 	typedef [public,flag(NDR_PAHEX)] struct {
 		netr_NegotiateFlags negotiate_flags;
 		uint8 session_key[16];
@@ -24,7 +35,8 @@ interface schannel
 		netr_SchannelType secure_channel_type;
 		[string,charset(UTF8)] uint8 computer_name[];
 		[string,charset(UTF8)] uint8 account_name[];
-		dom_sid *sid;
+		[skip] dom_sid *sid;
+		netlogon_creds_CredentialState_extra_info *ex;
 	} netlogon_creds_CredentialState;
 
 	/* This is used in the schannel_store.tdb */