diff options
author | Andreas Schneider <asn@samba.org> | 2012-07-17 10:50:48 +0200 |
---|---|---|
committer | Andreas Schneider <asn@samba.org> | 2012-07-17 13:26:37 +0200 |
commit | 18692b060f098015bf2eee0835611eb7d95fd923 (patch) | |
tree | a88d063a3c31f346a7c9a34e5d8029d1d6cab192 /source4 | |
parent | 197781a651d5be0b491a0aa51cc3756049a1e1d5 (diff) | |
download | samba-18692b060f098015bf2eee0835611eb7d95fd923.tar.gz samba-18692b060f098015bf2eee0835611eb7d95fd923.tar.bz2 samba-18692b060f098015bf2eee0835611eb7d95fd923.zip |
s4-auth: Make sure we use the correct credential state.
If we create a copy of the credential state we miss updates to the
credentials.
To establish a netlogon schannel connection we create client credentials
and authenticate with them using
dcerpc_netr_ServerAuthenticate2()
For this we call netlogon_creds_client_authenticator() which increases
the sequence number and steps the credentials. Lets assume the sequence
number is 1002.
After a successful authentication we get the server credentials and we
send bind a auth request with the received creds. This sets up gensec
and the gensec schannel module created a copy of the client creds and
stores it in the schannel auth state. So the creds stored in gensec have
the sequence number 1002.
After that we continue and need the client credentials to call
dcerpc_netr_LogonGetCapabilities()
to verify the connection. So we need to increase the sequence number of
the credentials to 1004 and step the credentials to the next state. The
server always does the same and everything is just fine here.
The connection is established and we want to do another netlogon call.
So we get the creds from gensec and want to do a netlogon call e.g.
dcerpc_netr_SamLogonWithFlags.
We get the needed creds from gensec. The sequence number is 1002 and
we talk to the server. The server is already ahead cause we are already
at sequence number 1004 and the server expects it to be 1006. So the
server gives us ACCESS_DENIED cause we use a copy in gensec.
Signed-off-by: Günther Deschner <gd@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/gensec/schannel.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 2465e53bff..e7c545fb66 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -77,7 +77,12 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ if (state->creds == NULL) { return NT_STATUS_INVALID_PARAMETER_MIX; } - state->creds = netlogon_creds_copy(state, state->creds); + /* + * We need to create a reference here or we don't get + * updates performed on the credentials if we create a + * copy. + */ + state->creds = talloc_reference(state, state->creds); if (state->creds == NULL) { return NT_STATUS_NO_MEMORY; } |