From 1a4329be5014c890e409252c6956b528b1dac755 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Feb 2017 08:58:20 +0100 Subject: [PATCH] libcli/auth: use the correct creds value against servers without LogonSamLogonEx If we use the credential chain we need to use the value from netlogon_creds_client_authenticator() to make sure we have the current value to encrypt in logon info. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12586 Signed-off-by: Stefan Metzmacher Reviewed-by: Jeremy Allison Reviewed-by: Ralph Boehme (cherry picked from commit 0ed2a65593b5abc9ba7f40992ed0ed8f448f5836) --- libcli/auth/netlogon_creds_cli.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 38b1351..b97d60e 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -2075,11 +2075,24 @@ struct netlogon_creds_cli_LogonSamLogon_state { /* * the read only credentials before we started the operation + * used for netr_LogonSamLogonEx() if required (validation_level = 3). */ struct netlogon_creds_CredentialState *ro_creds; + /* + * The (locked) credentials used for the credential chain + * used for netr_LogonSamLogonWithFlags() or + * netr_LogonSamLogonWith(). + */ struct netlogon_creds_CredentialState *lk_creds; + /* + * While we have locked the global credentials (lk_creds above) + * we operate an a temporary copy, because a server + * may not support netr_LogonSamLogonWithFlags() and + * didn't process our netr_Authenticator, so we need to + * restart from lk_creds. + */ struct netlogon_creds_CredentialState tmp_creds; struct netr_Authenticator req_auth; struct netr_Authenticator rep_auth; @@ -2311,7 +2324,7 @@ static void netlogon_creds_cli_LogonSamLogon_start(struct tevent_req *req) return; } - netlogon_creds_encrypt_samlogon_logon(state->ro_creds, + netlogon_creds_encrypt_samlogon_logon(&state->tmp_creds, state->logon_level, state->logon); @@ -2414,8 +2427,10 @@ static void netlogon_creds_cli_LogonSamLogon_done(struct tevent_req *subreq) /* * We got a race, lets retry with on authenticator * protection. + * + * netlogon_creds_cli_LogonSamLogon_start() + * will TALLOC_FREE(state->ro_creds); */ - TALLOC_FREE(state->ro_creds); state->try_logon_ex = false; netlogon_creds_cli_LogonSamLogon_start(req); return; -- 1.9.1