added cli_net_auth_3 client code.

changed cli_nt_setup_creds() to call cli_net_auth_2 or cli_net_auth_3 based on a switch.
pass also the negociation flags all the way.
all the places calling cli_nt_setup_creds() are still using cli_net_aut2(), it's just for future use and for rpcclient.

in the future we will be able to call auth_2 or auth_3 as we want.

	J.F.
(This used to be commit 4d38caca40f98d0584fefb9d66424a3db5b5789e)

8 files changed, 119 insertions, 28 deletions

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index d48cec5b29..f7a268de1f 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -131,6 +131,7 @@ static NTSTATUS connect_to_domain_password_server(struct cli_state **cli,
 	struct in_addr dest_ip;
 	fstring remote_machine;
         NTSTATUS result;
+	uint32 neg_flags = 0x000001ff;
 
 	if (lp_security() == SEC_ADS) {
 		result = ads_resolve_dc(remote_machine, &dest_ip);
@@ -206,7 +207,7 @@ machine %s. Error was : %s.\n", remote_machine, cli_errstr(*cli)));
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd);
+	result = cli_nt_setup_creds(*cli, sec_chan, trust_passwd, &neg_flags, 2);
 
         if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("connect_to_domain_password_server: unable to setup the PDC credentials to machine \
diff --git a/source3/libsmb/trust_passwd.c b/source3/libsmb/trust_passwd.c
index d500cb3ab7..4d7acd1988 100644
--- a/source3/libsmb/trust_passwd.c
+++ b/source3/libsmb/trust_passwd.c
@@ -35,7 +35,9 @@ static NTSTATUS just_change_the_password(struct cli_state *cli, TALLOC_CTX *mem_
 					 unsigned char new_trust_passwd_hash[16])
 {
 	NTSTATUS result;
-	result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash);
+	uint32 neg_flags = 0x000001ff;
+
+	result = cli_nt_setup_creds(cli, get_sec_chan(), orig_trust_passwd_hash, &neg_flags, 2);
 	
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(1,("just_change_the_password: unable to setup creds (%s)!\n",
diff --git a/source3/nsswitch/winbindd_cm.c b/source3/nsswitch/winbindd_cm.c
index 997d5b665f..9ac392a6ba 100644
--- a/source3/nsswitch/winbindd_cm.c
+++ b/source3/nsswitch/winbindd_cm.c
@@ -864,6 +864,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 {
 	NTSTATUS result = NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND;
 	struct winbindd_cm_conn *conn;
+	uint32 neg_flags = 0x000001ff;
 
 	if (!cli) {
 		return NT_STATUS_INVALID_PARAMETER;
@@ -875,7 +876,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 		return result;
 	}
 	
-	result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd);
+	result = cli_nt_setup_creds(conn->cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
 
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0, ("error connecting to domain password server: %s\n",
@@ -888,8 +889,7 @@ NTSTATUS cm_get_netlogon_cli(char *domain, unsigned char *trust_passwd,
 			}
 			
 			/* Try again */
-			result = cli_nt_setup_creds(
-				conn->cli, get_sec_chan(),trust_passwd);
+			result = cli_nt_setup_creds( conn->cli, get_sec_chan(),trust_passwd, &neg_flags, 2);
 		}
 		
 		if (!NT_STATUS_IS_OK(result)) {
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 58ba32eb2e..eaee3c26e7 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -152,6 +152,83 @@ password ?).\n", cli->desthost ));
         return result;
 }
 
+/****************************************************************************
+LSA Authenticate 3
+
+Send the client credential, receive back a server credential.
+Ensure that the server credential returned matches the session key 
+encrypt of the server challenge originally received. JRA.
+****************************************************************************/
+
+NTSTATUS cli_net_auth3(struct cli_state *cli, 
+		       uint16 sec_chan, 
+		       uint32 *neg_flags, DOM_CHAL *srv_chal)
+{
+        prs_struct qbuf, rbuf;
+        NET_Q_AUTH_3 q;
+        NET_R_AUTH_3 r;
+        NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+	extern pstring global_myname;
+
+        prs_init(&qbuf, MAX_PDU_FRAG_LEN, cli->mem_ctx, MARSHALL);
+        prs_init(&rbuf, 0, cli->mem_ctx, UNMARSHALL);
+
+        /* create and send a MSRPC command with api NET_AUTH2 */
+
+        DEBUG(4,("cli_net_auth3: srv:%s acct:%s sc:%x mc: %s chal %s neg: %x\n",
+                 cli->srv_name_slash, cli->mach_acct, sec_chan, global_myname,
+                 credstr(cli->clnt_cred.challenge.data), *neg_flags));
+
+        /* store the parameters */
+        init_q_auth_3(&q, cli->srv_name_slash, cli->mach_acct, 
+                      sec_chan, global_myname, &cli->clnt_cred.challenge, 
+                      *neg_flags);
+
+        /* turn parameters into data stream */
+
+        if (!net_io_q_auth_3("", &q,  &qbuf, 0) ||
+            !rpc_api_pipe_req(cli, NET_AUTH3, &qbuf, &rbuf)) {
+                goto done;
+        }
+        
+        /* Unmarshall response */
+        
+        if (!net_io_r_auth_3("", &r, &rbuf, 0)) {
+                goto done;
+        }
+
+        result = r.status;
+	*neg_flags = r.srv_flgs.neg_flags;
+
+        if (NT_STATUS_IS_OK(result)) {
+                UTIME zerotime;
+                
+                /*
+                 * Check the returned value using the initial
+                 * server received challenge.
+                 */
+
+                zerotime.time = 0;
+                if (cred_assert( &r.srv_chal, cli->sess_key, srv_chal, 
+                                 zerotime) == 0) {
+
+                        /*
+                         * Server replied with bad credential. Fail.
+                         */
+                        DEBUG(0,("cli_net_auth3: server %s replied with bad credential (bad machine \
+password ?).\n", cli->desthost ));
+                        result = NT_STATUS_ACCESS_DENIED;
+                        goto done;
+                }
+        }
+
+ done:
+        prs_mem_free(&qbuf);
+        prs_mem_free(&rbuf);
+        
+        return result;
+}
+
 /* Return the secure channel type depending on the server role. */
 
 uint16 get_sec_chan(void)
@@ -174,7 +251,7 @@ uint16 get_sec_chan(void)
 
 NTSTATUS cli_nt_setup_creds(struct cli_state *cli, 
 			    uint16 sec_chan,
-			    const unsigned char mach_pwd[16])
+			    const unsigned char mach_pwd[16], uint32 *neg_flags, int level)
 {
         DOM_CHAL clnt_chal;
         DOM_CHAL srv_chal;
@@ -200,24 +277,30 @@ NTSTATUS cli_nt_setup_creds(struct cli_state *cli,
                          cli->sess_key);
         memset((char *)cli->sess_key+8, '\0', 8);
 
-        /******************* Authenticate 2 ********************/
+        /******************* Authenticate 2/3 ********************/
 
-        /* calculate auth-2 credentials */
+        /* calculate auth-2/3 credentials */
         zerotime.time = 0;
-        cred_create(cli->sess_key, &clnt_chal, zerotime, 
-                    &cli->clnt_cred.challenge);
+        cred_create(cli->sess_key, &clnt_chal, zerotime, &cli->clnt_cred.challenge);
 
         /*  
-         * Send client auth-2 challenge.
-         * Receive an auth-2 challenge response and check it.
+         * Send client auth-2/3 challenge.
+         * Receive an auth-2/3 challenge response and check it.
          */
-        
-	result = cli_net_auth2(cli, sec_chan, 0x000001ff, &srv_chal);
+        switch (level) {
+		case 2:
+			result = cli_net_auth2(cli, sec_chan, *neg_flags, &srv_chal);
+			break;
+		case 3:
+			result = cli_net_auth3(cli, sec_chan, neg_flags, &srv_chal);
+			break;
+		default:
+			DEBUG(1,("cli_nt_setup_creds: unsupported auth level: %d\n", level));
+			break;
+	}
 
-	if (!NT_STATUS_IS_OK(result)) {
-                DEBUG(1,("cli_nt_setup_creds: auth2 challenge failed %s\n",
-			 nt_errstr(result)));
-        }
+	if (!NT_STATUS_IS_OK(result))
+                DEBUG(1,("cli_nt_setup_creds: auth%d challenge failed %s\n", level, nt_errstr(result)));
 
         return result;
 }
diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index ffff1dab04..0f61eaaae8 100644
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -151,6 +151,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
         SAM_DELTA_HDR *hdr_deltas;
         SAM_DELTA_CTR *deltas;
 	DOM_CRED ret_creds;
+	uint32 neg_flags = 0x000001ff;
 
         if (argc > 2) {
                 fprintf(stderr, "Usage: %s [database_id]\n", argv[0]);
@@ -173,7 +174,7 @@ static NTSTATUS cmd_netlogon_sam_sync(struct cli_state *cli,
 		goto done;
 	}        
 
-        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
 
         if (!NT_STATUS_IS_OK(result)) {
                 fprintf(stderr, "Error initialising session creds\n");
@@ -211,6 +212,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
         SAM_DELTA_HDR *hdr_deltas;
         SAM_DELTA_CTR *deltas;
         UINT64_S seqnum;
+	uint32 neg_flags = 0x000001ff;
 
         if (argc != 3) {
                 fprintf(stderr, "Usage: %s database_id seqnum\n", argv[0]);
@@ -236,7 +238,7 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct cli_state *cli,
 		goto done;
 	}        
 
-        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
 
         if (!NT_STATUS_IS_OK(result)) {
                 fprintf(stderr, "Error initialising session creds\n");
@@ -270,6 +272,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
         int logon_type = NET_LOGON_TYPE;
         char *username, *password;
+	uint32 neg_flags = 0x000001ff;
 
         /* Check arguments */
 
@@ -292,13 +295,12 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
                 return result;
         }
 
-	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd,
-                                                  NULL)) {
+	if (!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd, NULL)) {
 		fprintf(stderr, "could not fetch trust account password\n");
 		goto done;
 	}        
 
-        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd);
+        result = cli_nt_setup_creds(cli, get_sec_chan(), trust_passwd, &neg_flags, 2);
 
         if (!NT_STATUS_IS_OK(result)) {
                 fprintf(stderr, "Error initialising session creds\n");
@@ -307,8 +309,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct cli_state *cli,
 
         /* Perform the sam logon */
 
-        result = cli_netlogon_sam_logon(cli, mem_ctx, username, password,
-                                        logon_type);
+        result = cli_netlogon_sam_logon(cli, mem_ctx, username, password, logon_type);
 
 	if (!NT_STATUS_IS_OK(result))
 		goto done;
diff --git a/source3/rpcclient/samsync.c b/source3/rpcclient/samsync.c
index 710614469e..7124f9416a 100644
--- a/source3/rpcclient/samsync.c
+++ b/source3/rpcclient/samsync.c
@@ -362,6 +362,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
         uint32 num_deltas_0, num_deltas_2;
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	struct pdb_context *in;
+	uint32 neg_flags = 0x000001ff;
 
 	DOM_CRED ret_creds;
 
@@ -384,7 +385,7 @@ static NTSTATUS sam_sync(struct cli_state *cli, unsigned char trust_passwd[16],
 
         /* Request a challenge */
 
-        if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd))) {
+        if (!NT_STATUS_IS_OK(cli_nt_setup_creds(cli, SEC_CHAN_BDC, trust_passwd, &neg_flags, 2))) {
                 DEBUG(0, ("Error initialising session creds\n"));
                 goto done;
         }
diff --git a/source3/utils/net_rpc_join.c b/source3/utils/net_rpc_join.c
index c8be93c39c..b08095f1cc 100644
--- a/source3/utils/net_rpc_join.c
+++ b/source3/utils/net_rpc_join.c
@@ -49,6 +49,7 @@ int net_rpc_join_ok(const char *domain)
 	int retval = 1;
 	uint32 channel;
 	NTSTATUS result;
+	uint32 neg_flags = 0x000001ff;
 
 	/* Connect to remote machine */
 	if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
@@ -75,7 +76,7 @@ int net_rpc_join_ok(const char *domain)
 
 	CHECK_RPC_ERR(cli_nt_setup_creds(cli, 
 					 channel,
-					 stored_md4_trust_password),
+					 stored_md4_trust_password, &neg_flags, 2),
 			  "error in domain join verification");
 	
 	retval = 0;		/* Success! */
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index a41eae40d1..4ddb931adb 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -143,6 +143,8 @@ int rpc_samdump(int argc, const char **argv)
 	struct cli_state *cli = NULL;
 	uchar trust_password[16];
 	DOM_CRED ret_creds;
+	uint32 neg_flags = 0x000001ff;
+
 
 	ZERO_STRUCT(ret_creds);
 
@@ -161,7 +163,7 @@ int rpc_samdump(int argc, const char **argv)
 		goto fail;
 	}
 	
-	result = cli_nt_setup_creds(cli, SEC_CHAN_BDC,  trust_password);
+	result = cli_nt_setup_creds(cli, SEC_CHAN_BDC,  trust_password, &neg_flags, 2);
 	if (!NT_STATUS_IS_OK(result)) {
 		d_printf("Failed to setup BDC creds\n");
 		goto fail;