r743: Start on a NETLOGON server in Samba4.

Currently this only authentiates the machine, not real users.

As a consequence of running the Samba4 NETLOGON test against Samba4, I
found a number of issues in the SAMR server, which I have addressed.
There are more templates in the provison.ldif for this reason.

I also added some debug to our credentials code, and fixed some bugs
in the auth_sam module.

The static buffer in generate_random_string() bit me badly, so I
removed it in favor of a talloc based system.

Andrew Bartlett
(This used to be commit 94624e519b66def97758b8a48a01ffe9029176f0)

1 files changed, 43 insertions, 3 deletions

diff --git a/source4/libcli/auth/credentials.c b/source4/libcli/auth/credentials.c
index 638bff7e8b..7d56f26b11 100644
--- a/source4/libcli/auth/credentials.c
+++ b/source4/libcli/auth/credentials.c
@@ -4,6 +4,7 @@
    code to manipulate domain credentials
 
    Copyright (C) Andrew Tridgell 1997-2003
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -36,6 +37,10 @@ static void creds_init(struct creds_CredentialState *creds,
 	uint32 sum[2];
 	uint8 sum2[8];
 
+	dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
+	dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
+	dump_data_pw("Machine Pass", machine_password, 16);
+
 	sum[0] = IVAL(client_challenge->data, 0) + IVAL(server_challenge->data, 0);
 	sum[1] = IVAL(client_challenge->data, 4) + IVAL(server_challenge->data, 4);
 
@@ -44,8 +49,6 @@ static void creds_init(struct creds_CredentialState *creds,
 
 	cred_hash1(creds->session_key, sum2, machine_password);
 
-	creds->sequence = time(NULL);
-
 	SIVAL(time_cred.data, 0, IVAL(client_challenge->data, 0));
 	SIVAL(time_cred.data, 4, IVAL(client_challenge->data, 4));
 	cred_hash2(creds->client.data, time_cred.data, creds->session_key, 1);
@@ -136,6 +139,7 @@ void creds_client_init(struct creds_CredentialState *creds,
 		       struct netr_Credential *initial_credential)
 {
 	creds_init(creds, client_challenge, server_challenge, machine_password);
+	creds->sequence = time(NULL);
 
 	*initial_credential = creds->client;
 }
@@ -146,7 +150,8 @@ void creds_client_init(struct creds_CredentialState *creds,
 BOOL creds_client_check(struct creds_CredentialState *creds,
 			const struct netr_Credential *received_credentials)
 {
-	if (memcmp(received_credentials->data, creds->server.data, 8) != 0) {
+	if (!received_credentials || 
+	    memcmp(received_credentials->data, creds->server.data, 8) != 0) {
 		DEBUG(2,("credentials check failed\n"));
 		return False;
 	}
@@ -167,3 +172,38 @@ void creds_client_authenticator(struct creds_CredentialState *creds,
 }
 
 
+/*****************************************************************
+The above functions are common to the client and server interface
+next comes the server specific functions
+******************************************************************/
+
+/*
+  initialise the credentials chain and return the first server
+  credentials
+*/
+void creds_server_init(struct creds_CredentialState *creds,
+		       const struct netr_Credential *client_challenge,
+		       const struct netr_Credential *server_challenge,
+		       const uint8 machine_password[16],
+		       struct netr_Credential *initial_credential)
+{
+	creds_init(creds, client_challenge, server_challenge, machine_password);
+
+	*initial_credential = creds->server;
+}
+
+/*
+  check that a credentials reply from a server is correct
+*/
+BOOL creds_server_check(const struct creds_CredentialState *creds,
+			const struct netr_Credential *received_credentials)
+{
+	if (memcmp(received_credentials->data, creds->client.data, 8) != 0) {
+		DEBUG(2,("credentials check failed\n"));
+		dump_data_pw("client creds", creds->client.data, 8);
+		dump_data_pw("calc   creds", received_credentials->data, 8);
+		return False;
+	}
+	return True;
+}
+