From 5c74014ae821d8de9fad54a632498a91f8003815 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 2 Oct 2024 19:06:59 +0200
Subject: [PATCH] libcli/auth: remember client_requested_flags and auth_time in
 netlogon_creds_server_init()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit dfbc5e5a19420311eac3db5ede1c665a9198395d)
---
 libcli/auth/credentials.c                     | 5 +++++
 libcli/auth/proto.h                           | 1 +
 librpc/idl/schannel.idl                       | 2 ++
 source3/rpc_server/netlogon/srv_netlog_nt.c   | 1 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +++++-
 5 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 07b146579f6..59db4bc28ea 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -657,11 +657,14 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 								  const struct samr_Password *machine_password,
 								  const struct netr_Credential *credentials_in,
 								  struct netr_Credential *credentials_out,
+								  uint32_t client_requested_flags,
 								  const struct dom_sid *client_sid,
 								  uint32_t negotiate_flags)
 {
 
 	struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
+	struct timeval tv = timeval_current();
+	NTTIME now = timeval_to_nttime(&tv);
 	NTSTATUS status;
 	bool ok;
 
@@ -707,6 +710,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 		talloc_free(creds);
 		return NULL;
 	}
+	creds->ex->client_requested_flags = client_requested_flags;
+	creds->ex->auth_time = now;
 	creds->ex->client_sid = *client_sid;
 
 	if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index edc3284d32c..3094292657a 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 								  const struct samr_Password *machine_password,
 								  const struct netr_Credential *credentials_in,
 								  struct netr_Credential *credentials_out,
+								  uint32_t client_requested_flags,
 								  const struct dom_sid *client_sid,
 								  uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
diff --git a/librpc/idl/schannel.idl b/librpc/idl/schannel.idl
index ad296f48d84..619e9e5591c 100644
--- a/librpc/idl/schannel.idl
+++ b/librpc/idl/schannel.idl
@@ -22,6 +22,8 @@ interface schannel
 		 * On the server we use CLEAR_IF_FIRST,
 		 * so db layout changes don't matter there.
 		 */
+		netr_NegotiateFlags client_requested_flags;
+		NTTIME auth_time;
 		dom_sid client_sid;
 	} netlogon_creds_CredentialState_extra_info;
 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index bce18636b52..384191f76e4 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1010,6 +1010,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 					   &mach_pwd,
 					   r->in.credentials,
 					   r->out.return_credentials,
+					   in_neg_flags,
 					   &sid,
 					   neg_flags);
 	if (!creds) {
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 439383cafc6..4fb2a777404 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -416,6 +416,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 				      "samAccountName",
 				      NULL};
 	uint32_t server_flags = 0;
+	uint32_t client_flags = 0;
 	uint32_t negotiate_flags = 0;
 
 	ZERO_STRUCTP(r->out.return_credentials);
@@ -509,7 +510,8 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 	 * NETLOGON_NEG_STRONG_KEYS from server_flags...
 	 */
 
-	negotiate_flags = *r->in.negotiate_flags & server_flags;
+	client_flags = *r->in.negotiate_flags;
+	negotiate_flags = client_flags & server_flags;
 
 	switch (r->in.secure_channel_type) {
 	case SEC_CHAN_WKSTA:
@@ -782,6 +784,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 					   curNtHash,
 					   r->in.credentials,
 					   r->out.return_credentials,
+					   client_flags,
 					   *sid,
 					   negotiate_flags);
 	if (creds == NULL && prevNtHash != NULL) {
@@ -800,6 +803,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 						   prevNtHash,
 						   r->in.credentials,
 						   r->out.return_credentials,
+						   client_flags,
 						   *sid,
 						   negotiate_flags);
 	}