3 files changed, 29 insertions, 0 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7cdcba19ab..41544da8c9 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -6421,6 +6421,8 @@ bool secrets_restore_schannel_session_info(TALLOC_CTX *mem_ctx,
 				struct dcinfo **ppdc);
 bool secrets_store_generic(const char *owner, const char *key, const char *secret);
 char *secrets_fetch_generic(const char *owner, const char *key);
+bool secrets_store_local_schannel_key(uint8_t schannel_key[16]);
+bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16]);
 
 /* The following definitions come from passdb/util_builtin.c  */
 
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index d9f457558b..3c8e2ccf81 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -45,6 +45,8 @@
 
 #define SECRETS_LDAP_BIND_PW "SECRETS/LDAP_BIND_PW"
 
+#define SECRETS_LOCAL_SCHANNEL_KEY "SECRETS/LOCAL_SCHANNEL_KEY"
+
 /* Authenticated user info is stored in secrets.tdb under these keys */
 
 #define SECRETS_AUTH_USER      "SECRETS/AUTH_USER"
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 4527ae7127..306d4d0a35 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -259,6 +259,31 @@ bool secrets_fetch_domain_guid(const char *domain, struct GUID *guid)
 	return True;
 }
 
+bool secrets_store_local_schannel_key(uint8_t schannel_key[16])
+{
+	return secrets_store(SECRETS_LOCAL_SCHANNEL_KEY, schannel_key, 16);
+}
+
+bool secrets_fetch_local_schannel_key(uint8_t schannel_key[16])
+{
+	size_t size = 0;
+	uint8_t *key;
+
+	key = (uint8_t *)secrets_fetch(SECRETS_LOCAL_SCHANNEL_KEY, &size);
+	if (key == NULL) {
+		return false;
+	}
+
+	if (size != 16) {
+		SAFE_FREE(key);
+		return false;
+	}
+
+	memcpy(schannel_key, key, 16);
+	SAFE_FREE(key);
+	return true;
+}
+
 /**
  * Form a key for fetching the machine trust account sec channel type
  *