Merge branch 'v3-2-test' of ssh://jra@git.samba.org/data/git/samba into v3-2-test

(This used to be commit 3957ada4b6aa1f349ac1504125c4013512829ced)

3 files changed, 87 insertions, 126 deletions

diff --git a/source3/libsmb/credentials.c b/source3/libsmb/credentials.c
index f03bf22df1..0043f4e6a9 100644
--- a/source3/libsmb/credentials.c
+++ b/source3/libsmb/credentials.c
@@ -225,6 +225,21 @@ bool creds_server_check(const struct dcinfo *dc, const DOM_CHAL *rcv_cli_chal_in
 	return True;
 }
 
+bool netlogon_creds_server_check(const struct dcinfo *dc,
+				 const struct netr_Credential *rcv_cli_chal_in)
+{
+	if (memcmp(dc->clnt_chal.data, rcv_cli_chal_in->data, 8)) {
+		DEBUG(5,("netlogon_creds_server_check: challenge : %s\n",
+			credstr(rcv_cli_chal_in->data)));
+		DEBUG(5,("calculated: %s\n", credstr(dc->clnt_chal.data)));
+		DEBUG(2,("netlogon_creds_server_check: credentials check failed.\n"));
+		return false;
+	}
+
+	DEBUG(10,("netlogon_creds_server_check: credentials check OK.\n"));
+
+	return true;
+}
 /****************************************************************************
  Replace current seed chal. Internal function - due to split server step below.
 ****************************************************************************/
@@ -273,6 +288,36 @@ bool creds_server_step(struct dcinfo *dc, const DOM_CRED *received_cred, DOM_CRE
 	return True;
 }
 
+bool netlogon_creds_server_step(struct dcinfo *dc,
+				const struct netr_Authenticator *received_cred,
+				struct netr_Authenticator *cred_out)
+{
+	bool ret;
+	struct dcinfo tmp_dc = *dc;
+
+	/* Do all operations on a temporary copy of the dc,
+	   which we throw away if the checks fail. */
+
+	tmp_dc.sequence = received_cred->timestamp;
+
+	creds_step(&tmp_dc);
+
+	/* Create the outgoing credentials */
+	cred_out->timestamp = tmp_dc.sequence + 1;
+	memcpy(&cred_out->cred, &tmp_dc.srv_chal, sizeof(cred_out->cred));
+
+	creds_reseed(&tmp_dc);
+
+	ret = netlogon_creds_server_check(&tmp_dc, &received_cred->cred);
+	if (!ret) {
+		return false;
+	}
+
+	/* creds step succeeded - replace the current creds. */
+	*dc = tmp_dc;
+	return true;
+}
+
 /****************************************************************************
  Create a client credential struct.
 ****************************************************************************/
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c
index 791752c5d0..7f67fe51f0 100644
--- a/source3/rpc_server/srv_netlog.c
+++ b/source3/rpc_server/srv_netlog.c
@@ -64,29 +64,7 @@ static bool api_net_req_chal(pipes_struct *p)
 
 static bool api_net_auth(pipes_struct *p)
 {
-	NET_Q_AUTH q_u;
-	NET_R_AUTH r_u;
-	prs_struct *data = &p->in_data.data;
-	prs_struct *rdata = &p->out_data.rdata;
-
-	ZERO_STRUCT(q_u);
-	ZERO_STRUCT(r_u);
-
-	/* grab the challenge... */
-	if(!net_io_q_auth("", &q_u, data, 0)) {
-		DEBUG(0,("api_net_auth: Failed to unmarshall NET_Q_AUTH.\n"));
-		return False;
-	}
-
-	r_u.status = _net_auth(p, &q_u, &r_u);
-
-	/* store the response in the SMB stream */
-	if(!net_io_r_auth("", &r_u, rdata, 0)) {
-		DEBUG(0,("api_net_auth: Failed to marshall NET_R_AUTH.\n"));
-		return False;
-	}
-
-	return True;
+	return proxy_netr_call(p, NDR_NETR_SERVERAUTHENTICATE);
 }
 
 /*************************************************************************
@@ -126,29 +104,7 @@ static bool api_net_auth_2(pipes_struct *p)
 
 static bool api_net_srv_pwset(pipes_struct *p)
 {
-	NET_Q_SRV_PWSET q_u;
-	NET_R_SRV_PWSET r_u;
-	prs_struct *data = &p->in_data.data;
-	prs_struct *rdata = &p->out_data.rdata;
-
-	ZERO_STRUCT(q_u);
-	ZERO_STRUCT(r_u);
-
-	/* grab the challenge and encrypted password ... */
-	if(!net_io_q_srv_pwset("", &q_u, data, 0)) {
-		DEBUG(0,("api_net_srv_pwset: Failed to unmarshall NET_Q_SRV_PWSET.\n"));
-		return False;
-	}
-
-	r_u.status = _net_srv_pwset(p, &q_u, &r_u);
-
-	/* store the response in the SMB stream */
-	if(!net_io_r_srv_pwset("", &r_u, rdata, 0)) {
-		DEBUG(0,("api_net_srv_pwset: Failed to marshall NET_R_SRV_PWSET.\n"));
-		return False;
-	}
-
-	return True;
+	return proxy_netr_call(p, NDR_NETR_SERVERPASSWORDSET);
 }
 
 /*************************************************************************
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 3cfab7843d..2b4921921f 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -255,26 +255,11 @@ WERROR _netr_NetrEnumerateTrustedDomains(pipes_struct *p,
 	return WERR_OK;
 }
 
-/***********************************************************************************
- init_net_r_srv_pwset:
- ***********************************************************************************/
-
-static void init_net_r_srv_pwset(NET_R_SRV_PWSET *r_s,
-				 DOM_CRED *srv_cred, NTSTATUS status)
-{
-	DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__));
-
-	memcpy(&r_s->srv_cred, srv_cred, sizeof(r_s->srv_cred));
-	r_s->status = status;
-
-	DEBUG(5,("init_net_r_srv_pwset: %d\n", __LINE__));
-}
-
 /******************************************************************
  gets a machine password entry.  checks access rights of the host.
  ******************************************************************/
 
-static NTSTATUS get_md4pw(char *md4pw, char *mach_acct, uint16 sec_chan_type)
+static NTSTATUS get_md4pw(char *md4pw, const char *mach_acct, uint16 sec_chan_type)
 {
 	struct samu *sampass = NULL;
 	const uint8 *pass;
@@ -413,41 +398,30 @@ NTSTATUS _netr_ServerReqChallenge(pipes_struct *p,
 }
 
 /*************************************************************************
- init_net_r_auth:
+ _netr_ServerAuthenticate
+ Create the initial credentials.
  *************************************************************************/
 
-static void init_net_r_auth(NET_R_AUTH *r_a, DOM_CHAL *resp_cred, NTSTATUS status)
-{
-	memcpy(r_a->srv_chal.data, resp_cred->data, sizeof(resp_cred->data));
-	r_a->status = status;
-}
-
-/*************************************************************************
- _net_auth. Create the initial credentials.
- *************************************************************************/
-
-NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u)
+NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
+				  struct netr_ServerAuthenticate *r)
 {
 	NTSTATUS status;
-	fstring mach_acct;
-	fstring remote_machine;
 	DOM_CHAL srv_chal_out;
 
 	if (!p->dc || !p->dc->challenge_sent) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),
-				q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
-	rpcstr_pull(remote_machine, q_u->clnt_id.uni_comp_name.buffer,sizeof(fstring),
-				q_u->clnt_id.uni_comp_name.uni_str_len*2,0);
-
-	status = get_md4pw((char *)p->dc->mach_pw, mach_acct, q_u->clnt_id.sec_chan);
+	status = get_md4pw((char *)p->dc->mach_pw,
+			   r->in.account_name,
+			   r->in.secure_channel_type);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("_net_auth: creds_server_check failed. Failed to "
+		DEBUG(0,("_netr_ServerAuthenticate: get_md4pw failed. Failed to "
 			"get password for machine account %s "
 			"from client %s: %s\n",
-			mach_acct, remote_machine, nt_errstr(status) ));
+			r->in.account_name,
+			r->in.computer_name,
+			nt_errstr(status) ));
 		/* always return NT_STATUS_ACCESS_DENIED */
 		return NT_STATUS_ACCESS_DENIED;
 	}
@@ -461,22 +435,25 @@ NTSTATUS _net_auth(pipes_struct *p, NET_Q_AUTH *q_u, NET_R_AUTH *r_u)
 			&srv_chal_out);
 
 	/* Check client credentials are valid. */
-	if (!creds_server_check(p->dc, &q_u->clnt_chal)) {
-		DEBUG(0,("_net_auth: creds_server_check failed. Rejecting auth "
+	if (!netlogon_creds_server_check(p->dc, r->in.credentials)) {
+		DEBUG(0,("_netr_ServerAuthenticate: netlogon_creds_server_check failed. Rejecting auth "
 			"request from client %s machine account %s\n",
-			remote_machine, mach_acct ));
+			r->in.computer_name,
+			r->in.account_name));
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	fstrcpy(p->dc->mach_acct, mach_acct);
-	fstrcpy(p->dc->remote_machine, remote_machine);
+	fstrcpy(p->dc->mach_acct, r->in.account_name);
+	fstrcpy(p->dc->remote_machine, r->in.computer_name);
 	p->dc->authenticated = True;
 
 	/* set up the LSA AUTH response */
 	/* Return the server credentials. */
-	init_net_r_auth(r_u, &srv_chal_out, NT_STATUS_OK);
 
-	return r_u->status;
+	memcpy(r->out.credentials->data, &srv_chal_out.data,
+	       sizeof(r->out.credentials->data));
+
+	return NT_STATUS_OK;
 }
 
 /*************************************************************************
@@ -577,31 +554,32 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
 }
 
 /*************************************************************************
- _net_srv_pwset
+ _netr_ServerPasswordSet
  *************************************************************************/
 
-NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *r_u)
+NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
+				 struct netr_ServerPasswordSet *r)
 {
+	NTSTATUS status = NT_STATUS_OK;
 	fstring remote_machine;
 	struct samu *sampass=NULL;
 	bool ret = False;
 	unsigned char pwd[16];
 	int i;
 	uint32 acct_ctrl;
-	DOM_CRED cred_out;
+	struct netr_Authenticator cred_out;
 	const uchar *old_pw;
 
-	DEBUG(5,("_net_srv_pwset: %d\n", __LINE__));
+	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
 
 	/* We need the remote machine name for the creds lookup. */
-	rpcstr_pull(remote_machine,q_u->clnt_id.login.uni_comp_name.buffer,
-		    sizeof(remote_machine),q_u->clnt_id.login.uni_comp_name.uni_str_len*2,0);
+	fstrcpy(remote_machine, r->in.computer_name);
 
 	if ( (lp_server_schannel() == True) && (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) ) {
 		/* 'server schannel = yes' should enforce use of
 		   schannel, the client did offer it in auth2, but
 		   obviously did not use it. */
-		DEBUG(0,("_net_srv_pwset: client %s not using schannel for netlogon\n",
+		DEBUG(0,("_netr_ServerPasswordSet: client %s not using schannel for netlogon\n",
 			remote_machine ));
 		return NT_STATUS_ACCESS_DENIED;
 	}
@@ -622,12 +600,12 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
 		return NT_STATUS_INVALID_HANDLE;
 	}
 
-	DEBUG(3,("_net_srv_pwset: Server Password Set by remote machine:[%s] on account [%s]\n",
+	DEBUG(3,("_netr_ServerPasswordSet: Server Password Set by remote machine:[%s] on account [%s]\n",
 			remote_machine, p->dc->mach_acct));
 
 	/* Step the creds chain forward. */
-	if (!creds_server_step(p->dc, &q_u->clnt_id.cred, &cred_out)) {
-		DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth "
+	if (!netlogon_creds_server_step(p->dc, r->in.credential, &cred_out)) {
+		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
 			"request from client %s machine account %s\n",
 			remote_machine, p->dc->mach_acct ));
 		return NT_STATUS_INVALID_PARAMETER;
@@ -668,9 +646,9 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
 	}
 
 	/* Woah - what does this to to the credential chain ? JRA */
-	cred_hash3( pwd, q_u->pwd, p->dc->sess_key, 0);
+	cred_hash3(pwd, r->in.new_password->hash, p->dc->sess_key, 0);
 
-	DEBUG(100,("Server password set : new given value was :\n"));
+	DEBUG(100,("_netr_ServerPasswordSet: new given value was :\n"));
 	for(i = 0; i < sizeof(pwd); i++)
 		DEBUG(100,("%02X ", pwd[i]));
 	DEBUG(100,("\n"));
@@ -702,15 +680,17 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
 		}
 
 		become_root();
-		r_u->status = pdb_update_sam_account(sampass);
+		status = pdb_update_sam_account(sampass);
 		unbecome_root();
 	}
 
 	/* set up the LSA Server Password Set response */
-	init_net_r_srv_pwset(r_u, &cred_out, r_u->status);
+
+	memcpy(r->out.return_authenticator, &cred_out,
+	       sizeof(r->out.return_authenticator));
 
 	TALLOC_FREE(sampass);
-	return r_u->status;
+	return status;
 }
 
 /*************************************************************************
@@ -1273,26 +1253,6 @@ NTSTATUS _netr_LogonSamLogoff(pipes_struct *p,
 /****************************************************************
 ****************************************************************/
 
-NTSTATUS _netr_ServerAuthenticate(pipes_struct *p,
-				  struct netr_ServerAuthenticate *r)
-{
-	p->rng_fault_state = true;
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS _netr_ServerPasswordSet(pipes_struct *p,
-				 struct netr_ServerPasswordSet *r)
-{
-	p->rng_fault_state = true;
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-/****************************************************************
-****************************************************************/
-
 NTSTATUS _netr_DatabaseDeltas(pipes_struct *p,
 			      struct netr_DatabaseDeltas *r)
 {