author | Jeremy Allison <jra@samba.org> | 2005-10-07 01:46:19 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:04:54 -0500 |
commit | e127501d4589a5a9c92e2f400fc67bda5a8e6855 (patch) | |
tree | 69886234b25530aaa8a7027e8aeb96cc93d822d3 /source3/rpc_server | |
parent | 8cbe35f6f8fea2757fb3df49c2b9baa94cf5fe84 (diff) | |
r10792: Fix the "schannel not stored across client disconnects" problem.
Based on the Samba4 solution - stores data in
$samba/private/schannel_store.tdb.
This tdb is not left open but is opened and closed on demand.
Jeremy.
(This used to be commit a6d8a4b1ff31c5552075455dbd98cb58795958a9)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 10 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 29 |
2 files changed, 20 insertions, 19 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 1ad058b519..2dd8b821d8 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -26,8 +26,6 @@
 #include "includes.h"
-extern struct dcinfo last_dcinfo;
-extern BOOL server_auth2_negotiated;
 extern userdom_struct current_user_info;
 #undef DBGC_CLASS
@@ -438,10 +436,14 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
 	fstrcpy(p->dc->mach_acct, mach_acct);
 	fstrcpy(p->dc->remote_machine, remote_machine);
+	fstrcpy(p->dc->domain, lp_workgroup() );
-	server_auth2_negotiated = True;
 	p->dc->authenticated = True;
-	last_dcinfo = *p->dc;
+
+	/* Store off the state so we can continue after client disconnect. */
+	become_root();
+	secrets_store_schannel_session_info(p->mem_ctx, p->dc);
+	unbecome_root();
 	return r_u->status;
 }
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ba6d9704e8..1ca5210842 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -36,15 +36,6 @@ extern struct current_user current_user;
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
-/*************************************************************
- HACK Alert!
- We need to transfer the session key from one rpc bind to the
- next. This is the way the netlogon schannel works.
-**************************************************************/
-
-struct dcinfo last_dcinfo;
-BOOL server_auth2_negotiated = False;
-
 static void free_pipe_ntlmssp_auth_data(struct pipe_auth_data *auth)
 {
 	AUTH_NTLMSSP_STATE *a = auth->a_u.auth_ntlmssp_state;
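Review bot: The result of `secrets_store_schannel_session_info(p->mem_ctx, p->dc)` in the _net_auth_2 hunk is discarded, so a failed store (the schannel tdb could not be opened or written) still lets the function fall through to `return r_u->status;` and the client is told the schannel was negotiated; the next schannel bind is then refused by pipe_schannel_auth_bind with the "without successful serverauth2" message, which hides the real cause. The restore counterpart in srv_pipe.c is assigned to a BOOL, so presumably the store reports failure the same way; at minimum log it, e.g. `if (!secrets_store_schannel_session_info(p->mem_ctx, p->dc)) { DEBUG(0, ("_net_auth_2: failed to store schannel session info for %s\n", p->dc->remote_machine)); }` inside the become_root()/unbecome_root() pair, and consider whether an error status should be returned instead of success. The body of _net_auth_2 starts outside the hunk, so I cannot see which status values it already uses for failures.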
@@ -1218,15 +1209,23 @@ static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
 	RPC_HDR_AUTH auth_info;
 	RPC_AUTH_SCHANNEL_NEG neg;
 	RPC_AUTH_VERIFIER auth_verifier;
+	BOOL ret;
+	struct dcinfo stored_dcinfo;
 	uint32 flags;
-	if (!server_auth2_negotiated) {
-		DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
+	if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
+		DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
 		return False;
 	}
-	if (!smb_io_rpc_auth_schannel_neg("", &neg, rpc_in_p, 0)) {
-		DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
+	ZERO_STRUCT(stored_dcinfo);
+
+	become_root();
+	ret = secrets_restore_schannel_session_info(p->mem_ctx, neg.myname, &stored_dcinfo);
+	unbecome_root();
+
+	if (!ret) {
+		DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
 		return False;
 	}
@@ -1236,7 +1235,7 @@ static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
 	}
 	memset(p->auth.a_u.schannel_auth->sess_key, 0, sizeof(p->auth.a_u.schannel_auth->sess_key));
-	memcpy(p->auth.a_u.schannel_auth->sess_key, last_dcinfo.sess_key, sizeof(last_dcinfo.sess_key));
+	memcpy(p->auth.a_u.schannel_auth->sess_key, stored_dcinfo.sess_key, sizeof(stored_dcinfo.sess_key));
 	p->auth.a_u.schannel_auth->seq_num = 0;
@@ -1253,7 +1252,7 @@ static BOOL pipe_schannel_auth_bind(pipes_struct *p, prs_struct *rpc_in_p,
 	if (!p->dc) {
 		return False;
 	}
-	*p->dc = last_dcinfo;
+	*p->dc = stored_dcinfo;
 	init_rpc_hdr_auth(&auth_info, RPC_SCHANNEL_AUTH_TYPE, pauth_info->auth_level, RPC_HDR_AUTH_LEN, 1);
 	if(!smb_io_rpc_hdr_auth("", &auth_info, pout_auth, 0)) {
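Review bot: `stored_dcinfo` is a stack copy of the restored session key that, once it has been memcpy'd into `p->auth.a_u.schannel_auth->sess_key` and copied into `*p->dc` in the later hunks, is never cleared, so the key material lingers in the dead stack frame after pipe_schannel_auth_bind returns (the old global `last_dcinfo` had the same problem, but the new local makes the lifetime easy to bound). A `ZERO_STRUCT(stored_dcinfo);` right after the `*p->dc = stored_dcinfo;` assignment, and before any further early `return False;`, would limit that; the end of the function is outside the hunk so I cannot see every return path. Separately, the `if (!ret)` branch reuses the "without successful serverauth2" message for every restore failure, including an unavailable or unwritable schannel store, which will send an operator down the wrong path; logging the lookup key would help, e.g. `DEBUG(0, ("pipe_schannel_auth_bind: no stored schannel session for %s (no successful serverauth2, or schannel store unavailable)\n", neg.myname));`.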