s4:librpc: fix netlogon connections against servers without AES support

LogonGetCapabilities() only works on the credential chain if
the server supports AES, so we need to work on a temporary copy
until we know the server replied a valid return authenticator.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

1 files changed, 6 insertions, 2 deletions

diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 1480486c32..130ebebd90 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -385,6 +385,7 @@ struct auth_schannel_state {
 	struct loadparm_context *lp_ctx;
 	uint8_t auth_level;
 	struct netlogon_creds_CredentialState *creds_state;
+	struct netlogon_creds_CredentialState save_creds_state;
 	struct netr_Authenticator auth;
 	struct netr_Authenticator return_auth;
 	union netr_Capabilities capabilities;
@@ -449,7 +450,8 @@ static void continue_bind_auth(struct composite_context *ctx)
 		s->creds_state = cli_credentials_get_netlogon_creds(s->credentials);
 		if (composite_nomem(s->creds_state, c)) return;
 
-		netlogon_creds_client_authenticator(s->creds_state, &s->auth);
+		s->save_creds_state = *s->creds_state;
+		netlogon_creds_client_authenticator(&s->save_creds_state, &s->auth);
 
 		s->c.in.server_name = talloc_asprintf(c,
 						      "\\\\%s",
@@ -519,12 +521,14 @@ static void continue_get_capabilities(struct tevent_req *subreq)
 	}
 
 	/* verify credentials */
-	if (!netlogon_creds_client_check(s->creds_state,
+	if (!netlogon_creds_client_check(&s->save_creds_state,
 					 &s->c.out.return_authenticator->cred)) {
 		composite_error(c, NT_STATUS_UNSUCCESSFUL);
 		return;
 	}
 
+	*s->creds_state = s->save_creds_state;
+
 	if (!NT_STATUS_IS_OK(s->c.out.result)) {
 		composite_error(c, s->c.out.result);
 		return;