From 91154188e28e63b19b9d2b9180b8e72145790ffd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 28 Oct 2024 12:43:44 +0100 Subject: [PATCH] libcli/auth: pass auth_{type,level} to netlogon_creds_{de,en}crypt_samlogon_validation() This will be needed when we implement netr_ServerAuthenticateKerberos... BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425 Signed-off-by: Stefan Metzmacher Reviewed-by: Douglas Bagnall (cherry picked from commit a56356e399339d5bce2e699431cd3e6186229170) --- libcli/auth/credentials.c | 14 ++++++++++++-- libcli/auth/libcli_auth.h | 1 + libcli/auth/netlogon_creds_cli.c | 14 ++++++++++++-- libcli/auth/proto.h | 8 ++++++-- source3/rpc_server/netlogon/srv_netlog_nt.c | 4 +++- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++- source4/torture/rpc/samlogon.c | 18 +++++++++++++++--- 7 files changed, 57 insertions(+), 11 deletions(-) diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index c9c8ddb5394..0f5dd1a676a 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c @@ -830,6 +830,8 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, union netr_Validation *validation, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, bool do_encrypt) { struct netr_SamBaseInfo *base = NULL; 
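Review bot: The new `auth_type` and `auth_level` parameters of netlogon_creds_crypt_samlogon_validation() are not referenced anywhere in this hunk, and the commit message says they only become relevant once netr_ServerAuthenticateKerberos is implemented, so a reader of the function cannot tell whether ignoring them is intentional. A one-line comment above the signature would settle that, e.g. `/* auth_type/auth_level describe the DCE/RPC connection carrying the validation; not yet used, reserved for netr_ServerAuthenticateKerberos */`. If they stay unused for the whole body, builds with -Wunused-parameter will also flag them until the follow-up lands. The function body continues past the end of the hunk.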
@@ -945,21 +947,29 @@ static NTSTATUS netlogon_creds_crypt_samlogon_validation(struct netlogon_creds_C NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation) + union netr_Validation *validation, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level) { return netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, + auth_type, + auth_level, false); } NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation) + union netr_Validation *validation, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level) { return netlogon_creds_crypt_samlogon_validation(creds, validation_level, validation, + auth_type, + auth_level, true); } diff --git a/libcli/auth/libcli_auth.h b/libcli/auth/libcli_auth.h index c5c7a7b0fa8..518dc3c2ca5 100644 --- a/libcli/auth/libcli_auth.h +++ b/libcli/auth/libcli_auth.h @@ -17,6 +17,7 @@ #ifndef __LIBCLI_AUTH_H__ #define __LIBCLI_AUTH_H__ +#include "librpc/gen_ndr/dcerpc.h" #include "librpc/gen_ndr/netlogon.h" #include "librpc/gen_ndr/wkssvc.h" #include "librpc/gen_ndr/schannel.h" diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 07547a9178c..4f5a5f5d2ca 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -2862,10 +2862,16 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq) struct netlogon_creds_cli_LogonSamLogon_state *state = tevent_req_data(req, struct netlogon_creds_cli_LogonSamLogon_state); + enum dcerpc_AuthType auth_type; + enum dcerpc_AuthLevel auth_level; NTSTATUS status; NTSTATUS result; bool ok; + dcerpc_binding_handle_auth_info(state->binding_handle, + &auth_type, + &auth_level); + if (state->try_logon_ex) { status = dcerpc_netr_LogonSamLogonEx_recv(subreq, state->validation, 
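Review bot: `auth_type` and `auth_level` are declared without initializers in netlogon_creds_cli_LogonSamLogon_done() and are only filled by dcerpc_binding_handle_auth_info(), whereas the server-side hunk in source4/rpc_server/netlogon/dcerpc_netlogon.c initializes the same pair to `DCERPC_AUTH_TYPE_NONE` / `DCERPC_AUTH_LEVEL_NONE` before the lookup. If the helper can leave its out-parameters untouched on any path (its body is not visible here), the later netlogon_creds_decrypt_samlogon_validation() calls in this function would read indeterminate values. Initializing them the same way, `enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;` and `enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;`, costs nothing and makes the call sites consistent. The same uninitialized pattern appears in check_samlogon() in source4/torture/rpc/samlogon.c. The enclosing function continues beyond this hunk.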
@@ -2918,7 +2924,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq) status = netlogon_creds_decrypt_samlogon_validation(state->ro_creds, state->validation_level, - state->validation); + state->validation, + auth_type, + auth_level); if (tevent_req_nterror(req, status)) { netlogon_creds_cli_LogonSamLogon_cleanup(req, status); return; @@ -2992,7 +3000,9 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq) status = netlogon_creds_decrypt_samlogon_validation(&state->tmp_creds, state->validation_level, - state->validation); + state->validation, + auth_type, + auth_level); if (tevent_req_nterror(req, status)) { netlogon_creds_cli_LogonSamLogon_cleanup(req, result); return; diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index ae68aab192a..1eec792d804 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h @@ -78,10 +78,14 @@ NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState struct netr_Authenticator *return_authenticator) ; NTSTATUS netlogon_creds_decrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation); + union netr_Validation *validation, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level); NTSTATUS netlogon_creds_encrypt_samlogon_validation(struct netlogon_creds_CredentialState *creds, uint16_t validation_level, - union netr_Validation *validation); + union netr_Validation *validation, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level); NTSTATUS netlogon_creds_decrypt_samlogon_logon(struct netlogon_creds_CredentialState *creds, enum netr_LogonInfoClass level, union netr_LogonLevel *logon); diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 4900742c6bf..843b2c4dfbe 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c 
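Review bot: The prototypes of netlogon_creds_decrypt_samlogon_validation() and netlogon_creds_encrypt_samlogon_validation() in libcli/auth/proto.h gain `auth_type`/`auth_level` without any documentation of what callers are expected to pass, and the callers in this patch obtain them two different ways (dcerpc_binding_handle_auth_info() on the client side, dcesrv_call_auth_info() on the source4 server side). A short Doxygen block on the declarations would remove the guesswork, e.g. `@param auth_type  DCE/RPC auth type of the connection carrying the validation` and `@param auth_level DCE/RPC auth level of that connection`, plus a sentence that, per the commit message, the values are reserved for the upcoming netr_ServerAuthenticateKerberos support.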
@@ -1938,7 +1938,9 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, status = netlogon_creds_encrypt_samlogon_validation(creds, r->in.validation_level, - r->out.validation); + r->out.validation, + auth_type, + auth_level); return status; } diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index be7c5665655..70e41699b9b 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -1673,9 +1673,16 @@ static void dcesrv_netr_LogonSamLogon_base_reply( NTSTATUS status; if (NT_STATUS_IS_OK(r->out.result)) { + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + + dcesrv_call_auth_info(state->dce_call, &auth_type, &auth_level); + status = netlogon_creds_encrypt_samlogon_validation(state->creds, r->in.validation_level, - r->out.validation); + r->out.validation, + auth_type, + auth_level); if (!NT_STATUS_IS_OK(status)) { DBG_ERR("netlogon_creds_encrypt_samlogon_validation() " "failed - %s\n", diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index f16db644241..a9f8ff5b5b6 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -91,6 +91,12 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, struct netr_NetworkInfo ninfo; struct netr_SamBaseInfo *base = NULL; uint16_t validation_level = 0; + enum dcerpc_AuthType auth_type; + enum dcerpc_AuthLevel auth_level; + + dcerpc_binding_handle_auth_info(samlogon_state->p->binding_handle, + &auth_type, + &auth_level); samlogon_state->r.in.logon->network = &ninfo; samlogon_state->r_ex.in.logon->network = &ninfo; 
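Review bot: _netr_LogonSamLogon_base() now passes `auth_type` and `auth_level` to netlogon_creds_encrypt_samlogon_validation(), but neither is declared or assigned in this hunk, so their origin is out of view; presumably they are computed earlier in the function from the pipes_struct. It is worth confirming they describe the connection on which this particular request arrived rather than a value cached from an earlier call, since the other server-side hunk (source4 dcerpc_netlogon.c) derives them per call via dcesrv_call_auth_info(). A comment at the call site naming where they come from would help the next reader. The function starts outside the hunk.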
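Review bot: In dcesrv_netr_LogonSamLogon_base_reply() the outcome of `dcesrv_call_auth_info(state->dce_call, &auth_type, &auth_level);` is not examined; if the helper reports failure through a return value (not visible here), execution would continue with the `DCERPC_AUTH_TYPE_NONE` / `DCERPC_AUTH_LEVEL_NONE` defaults and the validation would be handled as if the connection carried no authentication, indistinguishable from the genuine unauthenticated case. Either check that return value and log via `DBG_ERR` as the surrounding code does, or add a comment stating that falling back to the NONE defaults is the intended behaviour. The function continues outside the hunk.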
@@ -178,7 +184,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, validation_level, - r->out.validation); + r->out.validation, + auth_type, + auth_level); if (!NT_STATUS_IS_OK(status)) { if (error_string) { *error_string = strdup(nt_errstr(status)); @@ -218,7 +226,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, validation_level, - r_ex->out.validation); + r_ex->out.validation, + auth_type, + auth_level); if (!NT_STATUS_IS_OK(status)) { if (error_string) { *error_string = strdup(nt_errstr(status)); @@ -266,7 +276,9 @@ static NTSTATUS check_samlogon(struct samlogon_state *samlogon_state, status = netlogon_creds_decrypt_samlogon_validation(samlogon_state->creds, validation_level, - r_flags->out.validation); + r_flags->out.validation, + auth_type, + auth_level); if (!NT_STATUS_IS_OK(status)) { if (error_string) { *error_string = strdup(nt_errstr(status));