diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index d1875960448..236cb6fc180 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -657,6 +657,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ const struct dom_sid *client_sid,
 uint32_t negotiate_flags)
 {
@@ -700,6 +701,12 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 return NULL;
 }
+ creds->sid = dom_sid_dup(creds, client_sid);
+ if (creds->sid == NULL) {
+ talloc_free(creds);
+ return NULL;
+ }
+
 if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
 status = netlogon_creds_init_hmac_sha256(creds,
 client_challenge,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index 9f6a8b68b8b..edc3284d32c 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -69,6 +69,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 const struct samr_Password *machine_password,
 const struct netr_Credential *credentials_in,
 struct netr_Credential *credentials_out,
+ const struct dom_sid *client_sid,
 uint32_t negotiate_flags);
 NTSTATUS netlogon_creds_server_step_check(struct netlogon_creds_CredentialState *creds,
 const struct netr_Authenticator *received_authenticator,
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 1c740fa4730..fb41cda5bbb 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1020,6 +1020,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 &mach_pwd,
 r->in.credentials,
 r->out.return_credentials,
+ &sid,
 neg_flags);
 if (!creds) {
 DEBUG(0,("%s: netlogon_creds_server_check failed. Rejecting auth "
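Review bot: The new `creds->sid = dom_sid_dup(creds, client_sid);` check in the second hunk of credentials.c folds two different failures — a NULL `client_sid` handed in by the caller (if dom_sid_dup returns NULL for a NULL input, as I believe it does) and an allocation failure — into the same NULL return, which both callers then treat as a failed authentication. That is a safe default, but it silently replaces the source3 caller's former NT_STATUS_NO_MEMORY path, so it deserves a comment on the check: `/* client_sid is mandatory: a NULL SID or OOM fails init like a bad credential */`. The function's header comment (outside the hunk) and the matching prototype in proto.h should also state that client_sid must be non-NULL and is copied onto creds, so the caller's copy need not outlive the call. netlogon_creds_server_init's body continues outside the hunk.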
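Review bot: The failure branch right after the added `&sid,` argument in srv_netlog_nt.c still logs "netlogon_creds_server_check failed" although the callee is netlogon_creds_server_init, and after this change the branch also absorbs the dom_sid_dup failure whose dedicated NT_STATUS_NO_MEMORY handling the second hunk of this file removes. An allocation failure therefore now surfaces as whatever status this branch sets (presumably NT_STATUS_ACCESS_DENIED; the branch continues outside the hunk), which is acceptable for a netlogon challenge but makes an accurate log line more important: `DEBUG(0,("%s: netlogon_creds_server_init failed. Rejecting auth "`. _netr_ServerAuthenticate3 starts and ends outside the hunk.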
@@ -1030,12 +1031,6 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 goto out;
 }
- creds->sid = dom_sid_dup(creds, &sid);
- if (!creds->sid) {
- status = NT_STATUS_NO_MEMORY;
- goto out;
- }
-
 /* Store off the state so we can continue after client disconnect. */
 become_root();
 status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 61c97042f17..ad0eb9ac076 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -778,6 +778,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 return NT_STATUS_ACCESS_DENIED;
 }
+ *sid = samdb_result_dom_sid(mem_ctx, msgs[0], "objectSid");
+ if (*sid == NULL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 creds = netlogon_creds_server_init(mem_ctx,
 r->in.account_name,
 r->in.computer_name,
@@ -787,6 +792,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 curNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ *sid,
 negotiate_flags);
 if (creds == NULL && prevNtHash != NULL) {
 /*
@@ -804,14 +810,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
 prevNtHash,
 r->in.credentials,
 r->out.return_credentials,
+ *sid,
 negotiate_flags);
 }
 if (creds == NULL) {
 return NT_STATUS_ACCESS_DENIED;
 }
- creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
- *sid = talloc_memdup(mem_ctx, creds->sid, sizeof(struct dom_sid));
 nt_status = schannel_save_creds_state(mem_ctx,
 dce_call->conn->dce_ctx->lp_ctx,
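Review bot: In the first dcerpc_netlogon.c hunk `*sid` is now filled in before netlogon_creds_server_init runs, so on the `return NT_STATUS_ACCESS_DENIED;` paths that follow (including the one kept in the third hunk of this file) the out-parameter is left pointing at the SID of an account whose credentials did not verify, whereas the removed `*sid = talloc_memdup(...)` only set it on success. If the caller of dcesrv_netr_ServerAuthenticate3_helper (outside this diff) reads `*sid` regardless of the returned status, for example to log the attempt, that is probably intended and should be stated in the helper's contract; otherwise reset it with `*sid = NULL;` before those returns. On the positive side, the move drops the old unchecked talloc_memdup, and allocating the SID on mem_ctx while dom_sid_dup copies it onto creds keeps the two lifetimes independent. dcesrv_netr_ServerAuthenticate3_helper starts outside the hunk.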