r13402: Make Samba4 pass a nastier RPC-SCHANNEL test.

The new RPC-SCHANNEL test shows that the full credentials state must
be kept in some shared memory, for some length of time.  In
particular, clients will reconnect with SCHANNEL (after loosing all
connections) and expect that the credentials chain will remain in the
same place.

To achive this, we do the server-side crypto in a transaction,
including the fetch/store of the shared state.

Andrew Bartlett
(This used to be commit 982a6aa871c9fce17410a9712cd9fa726025ff90)

1 files changed, 139 insertions, 82 deletions

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index f3ef74641d..03d325020f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -128,6 +128,7 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
 					 struct netr_ServerAuthenticate3 *r)
 {
 	struct server_pipe_state *pipe_state = dce_call->context->private;
+	struct creds_CredentialState *creds;
 	void *sam_ctx;
 	struct samr_Password *mach_pwd;
 	uint16_t acct_flags;
@@ -203,37 +204,39 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	if (pipe_state->creds) {
-		talloc_free(pipe_state->creds);
-	}
-	pipe_state->creds = talloc(pipe_state, struct creds_CredentialState);
-	if (!pipe_state->creds) {
+	creds = talloc(mem_ctx, struct creds_CredentialState);
+	if (!creds) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	creds_server_init(pipe_state->creds, &pipe_state->client_challenge, 
+	creds_server_init(creds, &pipe_state->client_challenge, 
 			  &pipe_state->server_challenge, mach_pwd,
 			  r->out.credentials,
 			  *r->in.negotiate_flags);
 	
-	if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
-		talloc_free(pipe_state->creds);
-		pipe_state->creds = NULL;
+	if (!creds_server_check(creds, r->in.credentials)) {
+		talloc_free(creds);
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	pipe_state->creds->account_name = talloc_steal(pipe_state->creds, r->in.account_name);
+	creds->account_name = talloc_steal(creds, r->in.account_name);
 	
-	pipe_state->creds->computer_name = talloc_steal(pipe_state->creds, r->in.computer_name);
+	creds->computer_name = talloc_steal(creds, r->in.computer_name);
+	creds->domain = talloc_strdup(creds, lp_workgroup());
 
-	pipe_state->creds->secure_channel_type = r->in.secure_channel_type;
+	creds->secure_channel_type = r->in.secure_channel_type;
 
-	pipe_state->creds->sid = samdb_result_dom_sid(pipe_state->creds, msgs[0], "objectSid");
+	creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
 
-	pipe_state->creds->domain = talloc_strdup(pipe_state->creds, lp_workgroup());
 
 	/* remember this session key state */
-	nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds);
+	nt_status = schannel_store_session_key(mem_ctx, creds);
+
+	if (pipe_state->creds) {
+		talloc_free(pipe_state->creds);
+	}
+	talloc_steal(pipe_state, creds);
+	pipe_state->creds = creds;
 
 	return nt_status;
 }
@@ -285,29 +288,76 @@ static NTSTATUS netr_ServerAuthenticate2(struct dcesrv_call_state *dce_call, TAL
 
 
 static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_state,
+					     TALLOC_CTX *mem_ctx, 
 					     struct netr_Authenticator *received_authenticator,
-					     struct netr_Authenticator *return_authenticator) 
+					     struct netr_Authenticator *return_authenticator,
+					     struct creds_CredentialState **creds_out) 
 {
+	struct creds_CredentialState *creds;
+	NTSTATUS nt_status;
+	struct ldb_context *ldb;
+	int ret;
+
 	if (!pipe_state) {
 		DEBUG(1, ("No challenge requested by client, cannot authenticate\n"));
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	return creds_server_step_check(pipe_state->creds, 
-				       received_authenticator, 
-				       return_authenticator);
+	ldb = schannel_db_connect(mem_ctx);
+	if (!ldb) {
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	ret = ldb_transaction_start(ldb);
+	if (ret != 0) {
+		talloc_free(ldb);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	/* Because this is a shared structure (even across
+	 * disconnects) we must update the database every time we
+	 * update the structure */ 
+	
+	nt_status = schannel_fetch_session_key_ldb(ldb, ldb, pipe_state->creds->computer_name, 
+						   pipe_state->creds->domain, &creds);
+	if (NT_STATUS_IS_OK(nt_status)) {
+		nt_status = creds_server_step_check(creds, 
+						    received_authenticator, 
+						    return_authenticator);
+	}
+	if (NT_STATUS_IS_OK(nt_status)) {
+		nt_status = schannel_store_session_key_ldb(ldb, ldb, creds);
+	}
+
+	if (NT_STATUS_IS_OK(nt_status)) {
+		ldb_transaction_commit(ldb);
+		if (creds_out) {
+			*creds_out = creds;
+			talloc_steal(mem_ctx, creds);
+		}
+	} else {
+		ldb_transaction_cancel(ldb);
+	}
+	talloc_free(ldb);
+	return nt_status;
 }
 
+/* 
+  Change the machine account password for the currently connected
+  client.  Supplies only the NT#.
+*/
 
 static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
 				       struct netr_ServerPasswordSet *r)
 {
 	struct server_pipe_state *pipe_state = dce_call->context->private;
-
+	struct creds_CredentialState *creds;
 	struct ldb_context *sam_ctx;
 	NTSTATUS nt_status;
 
-	nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
+	nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+						 &r->in.credential, &r->out.return_authenticator,
+						 &creds);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
 	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
@@ -315,11 +365,11 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
-	creds_des_decrypt(pipe_state->creds, &r->in.new_password);
+	creds_des_decrypt(creds, &r->in.new_password);
 
 	/* Using the sid for the account as the key, set the password */
 	nt_status = samdb_set_password_sid(sam_ctx, mem_ctx, 
-					   pipe_state->creds->sid,
+					   creds->sid,
 					   NULL, /* Don't have plaintext */
 					   NULL, &r->in.new_password,
 					   False, /* This is not considered a password change */
@@ -328,6 +378,55 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
 	return nt_status;
 }
 
+/* 
+  Change the machine account password for the currently connected
+  client.  Supplies new plaintext.
+*/
+static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
+				       struct netr_ServerPasswordSet2 *r)
+{
+	struct server_pipe_state *pipe_state = dce_call->context->private;
+	struct creds_CredentialState *creds;
+	struct ldb_context *sam_ctx;
+	NTSTATUS nt_status;
+	char new_pass[512];
+	uint32_t new_pass_len;
+	BOOL ret;
+
+	struct samr_CryptPassword password_buf;
+
+	nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+						 &r->in.credential, &r->out.return_authenticator,
+						 &creds);
+	NT_STATUS_NOT_OK_RETURN(nt_status);
+
+	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+	if (sam_ctx == NULL) {
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
+	}
+
+	memcpy(password_buf.data, r->in.new_password.data, 512);
+	SIVAL(password_buf.data,512,r->in.new_password.length);
+	creds_arcfour_crypt(creds, password_buf.data, 516);
+
+	ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
+			       &new_pass_len, STR_UNICODE);
+	if (!ret) {
+		DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	/* Using the sid for the account as the key, set the password */
+	nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
+					   creds->sid,
+					   new_pass, /* we have plaintext */
+					   NULL, NULL,
+					   False, /* This is not considered a password change */
+					   False, /* don't restrict this password change (match w2k3) */
+					   NULL, NULL);
+	return nt_status;
+}
+
 
 /* 
   netr_LogonUasLogon 
@@ -358,7 +457,7 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 				     struct netr_LogonSamLogonEx *r)
 {
 	struct server_pipe_state *pipe_state = dce_call->context->private;
-
+	struct creds_CredentialState *creds = pipe_state->creds;
 	struct auth_context *auth_context;
 	struct auth_usersupplied_info *user_info;
 	struct auth_serversupplied_info *server_info;
@@ -383,15 +482,15 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 	case 3:
 	case 5:
 		if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			creds_arcfour_crypt(pipe_state->creds, 
+			creds_arcfour_crypt(creds, 
 					    r->in.logon.password->lmpassword.hash, 
 					    sizeof(r->in.logon.password->lmpassword.hash));
-			creds_arcfour_crypt(pipe_state->creds, 
+			creds_arcfour_crypt(creds, 
 					    r->in.logon.password->ntpassword.hash, 
 					    sizeof(r->in.logon.password->ntpassword.hash));
 		} else {
-			creds_des_decrypt(pipe_state->creds, &r->in.logon.password->lmpassword);
-			creds_des_decrypt(pipe_state->creds, &r->in.logon.password->ntpassword);
+			creds_des_decrypt(creds, &r->in.logon.password->lmpassword);
+			creds_des_decrypt(creds, &r->in.logon.password->ntpassword);
 		}
 
 		/* TODO: we need to deny anonymous access here */
@@ -459,8 +558,8 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 		      sizeof(sam->key.key)) != 0) {
 
 		/* This key is sent unencrypted without the ARCFOUR flag set */
-		if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			creds_arcfour_crypt(pipe_state->creds, 
+		if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+			creds_arcfour_crypt(creds, 
 					    sam->key.key, 
 					    sizeof(sam->key.key));
 		}
@@ -471,12 +570,12 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
 	if ((r->in.validation_level != 6) 
 	    && memcmp(sam->LMSessKey.key, zeros,  
 		      sizeof(sam->LMSessKey.key)) != 0) {
-		if (pipe_state->creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
-			creds_arcfour_crypt(pipe_state->creds, 
+		if (creds->negotiate_flags & NETLOGON_NEG_ARCFOUR) {
+			creds_arcfour_crypt(creds, 
 					    sam->LMSessKey.key, 
 					    sizeof(sam->LMSessKey.key));
 		} else {
-			creds_des_encrypt_LMKey(pipe_state->creds, 
+			creds_des_encrypt_LMKey(creds, 
 						&sam->LMSessKey);
 		}
 	}
@@ -535,7 +634,9 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call,
 	return_authenticator = talloc(mem_ctx, struct netr_Authenticator);
 	NT_STATUS_HAVE_NO_MEMORY(return_authenticator);
 
-	nt_status = netr_creds_server_step_check(pipe_state, r->in.credential, return_authenticator);
+	nt_status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+						 r->in.credential, return_authenticator,
+						 NULL);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
 	ZERO_STRUCT(r2);
@@ -844,8 +945,10 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
 
 	const char *local_domain;
 
-	status = netr_creds_server_step_check(pipe_state, 
-					      r->in.credential, r->out.return_authenticator);
+	status = netr_creds_server_step_check(pipe_state, mem_ctx, 
+					      r->in.credential, 
+					      r->out.return_authenticator,
+					      NULL);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -918,52 +1021,6 @@ static NTSTATUS netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_call, TALL
 }
 
 
-/* 
-  netr_ServerPasswordSet2 
-*/
-static NTSTATUS netr_ServerPasswordSet2(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-				       struct netr_ServerPasswordSet2 *r)
-{
-	struct server_pipe_state *pipe_state = dce_call->context->private;
-
-	struct ldb_context *sam_ctx;
-	NTSTATUS nt_status;
-	char new_pass[512];
-	uint32_t new_pass_len;
-	BOOL ret;
-
-	struct samr_CryptPassword password_buf;
-
-	nt_status = netr_creds_server_step_check(pipe_state, &r->in.credential, &r->out.return_authenticator);
-	NT_STATUS_NOT_OK_RETURN(nt_status);
-
-	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
-	if (sam_ctx == NULL) {
-		return NT_STATUS_INVALID_SYSTEM_SERVICE;
-	}
-
-	memcpy(password_buf.data, r->in.new_password.data, 512);
-	SIVAL(password_buf.data,512,r->in.new_password.length);
-	creds_arcfour_crypt(pipe_state->creds, password_buf.data, 516);
-
-	ret = decode_pw_buffer(password_buf.data, new_pass, sizeof(new_pass),
-			       &new_pass_len, STR_UNICODE);
-	if (!ret) {
-		DEBUG(3,("netr_ServerPasswordSet2: failed to decode password buffer\n"));
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	/* Using the sid for the account as the key, set the password */
-	nt_status = samdb_set_password_sid(sam_ctx, mem_ctx,
-					   pipe_state->creds->sid,
-					   new_pass, /* we have plaintext */
-					   NULL, NULL,
-					   False, /* This is not considered a password change */
-					   False, /* don't restrict this password change (match w2k3) */
-					   NULL, NULL);
-	return nt_status;
-}
-
 
 /* 
   netr_NETRSERVERPASSWORDGET