libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation()

This will be needed when we implement netr_ServerAuthenticateKerberos...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit a56356e399)

libcli/auth/credentials.c

@@ -830,6 +830,8 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 							 uint16_t validation_level,
 							 union netr_Validation *validation,
+							 enum dcerpc_AuthType auth_type,
+							 enum dcerpc_AuthLevel auth_level,
 							 bool do_encrypt)
 {
 	struct netr_SamBaseInfo *base = NULL;
@@ -945,21 +947,29 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C
 
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation)
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level)
 {
 	return netlogon_creds_crypt_samlogon_validation(creds,
 							validation_level,
 							validation,
+							auth_type,
+							auth_level,
 							false);
 }
 
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation)
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level)
 {
 	return netlogon_creds_crypt_samlogon_validation(creds,
 							validation_level,
 							validation,
+							auth_type,
+							auth_level,
 							true);
 }
 

libcli/auth/libcli_auth.h

@@ -17,6 +17,7 @@
 #ifndef __LIBCLI_AUTH_H__
 #define __LIBCLI_AUTH_H__
 
+#include "librpc/gen_ndr/dcerpc.h"
 #include "librpc/gen_ndr/netlogon.h"
 #include "librpc/gen_ndr/wkssvc.h"
 #include "librpc/gen_ndr/schannel.h"

libcli/auth/netlogon_creds_cli.c

@@ -2862,10 +2862,16 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
 	struct netlogon_creds_cli_LogonSamLogon_state *state =
 		tevent_req_data(req,
 		struct netlogon_creds_cli_LogonSamLogon_state);
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
 	NTSTATUS status;
 	NTSTATUS result;
 	bool ok;
 
+	dcerpc_binding_handle_auth_info(state->binding_handle,
+					&auth_type,
+					&auth_level);
+
 	if (state->try_logon_ex) {
 		status = dcerpc_netr_LogonSamLogonEx_recv(subreq,
 							  state->validation,
@@ -2918,7 +2924,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
 
 		status = netlogon_creds_decrypt_samlogon_validation(state->ro_creds,
 								    state->validation_level,
-								    state->validation);
+								    state->validation,
+								    auth_type,
+								    auth_level);
 		if (tevent_req_nterror(req, status)) {
 			netlogon_creds_cli_LogonSamLogon_cleanup(req, status);
 			return;
@@ -2992,7 +3000,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq)
 
 	status = netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds,
 							    state->validation_level,
-							    state->validation);
+							    state->validation,
+							    auth_type,
+							    auth_level);
 	if (tevent_req_nterror(req, status)) {
 		netlogon_creds_cli_LogonSamLogon_cleanup(req, result);
 		return;

libcli/auth/proto.h

@@ -78,10 +78,14 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState
 				 struct netr_Authenticator *return_authenticator) ;
 NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation);
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level);
 NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds,
 						    uint16_t validation_level,
-						    union netr_Validation *validation);
+						    union netr_Validation *validation,
+						    enum dcerpc_AuthType auth_type,
+						    enum dcerpc_AuthLevel auth_level);
 NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds,
 					       enum netr_LogonInfoClass level,
 					       union netr_LogonLevel *logon);

source3/rpc_server/netlogon/srv_netlog_nt.c

@@ -1938,7 +1938,9 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
 
 	status = netlogon_creds_encrypt_samlogon_validation(creds,
 							    r->in.validation_level,
-							    r->out.validation);
+							    r->out.validation,
+							    auth_type,
+							    auth_level);
 
 	return status;
 }

source4/rpc_server/netlogon/dcerpc_netlogon.c

@@ -1673,9 +1673,16 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
 	NTSTATUS status;
 
 	if (NT_STATUS_IS_OK(r->out.result)) {
+		enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+		enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+		dcesrv_call_auth_info(state->dce_call, &auth_type, &auth_level);
+
 		status = netlogon_creds_encrypt_samlogon_validation(state->creds,
 								    r->in.validation_level,
-								    r->out.validation);
+								    r->out.validation,
+								    auth_type,
+								    auth_level);
 		if (!NT_STATUS_IS_OK(status)) {
 			DBG_ERR("netlogon_creds_encrypt_samlogon_validation() "
 				"failed - %s\n",

source4/torture/rpc/samlogon.c

@@ -91,6 +91,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 	struct netr_NetworkInfo ninfo;
 	struct netr_SamBaseInfo *base = NULL;
 	uint16_t validation_level = 0;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	dcerpc_binding_handle_auth_info(samlogon_state->p->binding_handle,
+					&auth_type,
+					&auth_level);
 
 	samlogon_state->r.in.logon->network = &ninfo;
 	samlogon_state->r_ex.in.logon->network = &ninfo;
@@ -178,7 +184,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
 		status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
 								    validation_level,
-								    r->out.validation);
+								    r->out.validation,
+								    auth_type,
+								    auth_level);
 		if (!NT_STATUS_IS_OK(status)) {
 			if (error_string) {
 				*error_string = strdup(nt_errstr(status));
@@ -218,7 +226,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
 		status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
 								    validation_level,
-								    r_ex->out.validation);
+								    r_ex->out.validation,
+								    auth_type,
+								    auth_level);
 		if (!NT_STATUS_IS_OK(status)) {
 			if (error_string) {
 				*error_string = strdup(nt_errstr(status));
@@ -266,7 +276,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state,
 
 		status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds,
 								    validation_level,
-								    r_flags->out.validation);
+								    r_flags->out.validation,
+								    auth_type,
+								    auth_level);
 		if (!NT_STATUS_IS_OK(status)) {
 			if (error_string) {
 				*error_string = strdup(nt_errstr(status));