auth/gensec: add support for SEC_CHAN_DNS_DOMAIN to schannel_update()
authorStefan Metzmacher <metze@samba.org>
Tue, 16 Dec 2014 21:49:05 +0000 (21:49 +0000)
committerStefan Metzmacher <metze@samba.org>
Fri, 19 Dec 2014 12:15:13 +0000 (13:15 +0100)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/gensec/schannel.c

index ee23e77ace417745b2b7ba336818b6ac45f781f6..9b28c45183c3e4ac489d49854fdd5369afe07f80 100644 (file)
@@ -459,7 +459,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                struct schannel_state);
        NTSTATUS status;
        enum ndr_err_code ndr_err;
-       struct NL_AUTH_MESSAGE bind_schannel;
+       struct NL_AUTH_MESSAGE bind_schannel = {};
        struct NL_AUTH_MESSAGE bind_schannel_ack;
        struct netlogon_creds_CredentialState *creds;
        const char *workstation;
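Review bot: The empty initializer `= {}` on `bind_schannel` is a GNU extension before C23, so a strict C99/C11 compiler may reject it; `struct NL_AUTH_MESSAGE bind_schannel = { .MessageType = 0 };` zeroes the struct portably. The zeroing deserves a short comment, because the later hunk fills the UTF-8 name fields only conditionally and anything left unset would otherwise be stack residue handed to the NDR push: `/* zeroed so members not selected by Flags are never uninitialised */`. `bind_schannel_ack` on the next line is still declared without an initializer. Its use lies outside this hunk, so confirm it is always fully written by the pull before any member is read.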
@@ -486,26 +486,19 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                }
 
                bind_schannel.MessageType = NL_NEGOTIATE_REQUEST;
-#if 0
-               /* to support this we'd need to have access to the full domain name */
-               /* 0x17, 23 */
-               bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
-                                     NL_FLAG_OEM_NETBIOS_COMPUTER_NAME |
-                                     NL_FLAG_UTF8_DNS_DOMAIN_NAME |
-                                     NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
-               bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
-               bind_schannel.oem_netbios_computer.a = creds->computer_name;
-               bind_schannel.utf8_dns_domain = cli_credentials_get_realm(gensec_security->credentials);
-               /* w2k3 refuses us if we use the full DNS workstation?
-                why? perhaps because we don't fill in the dNSHostName
-                attribute in the machine account? */
-               bind_schannel.utf8_netbios_computer = creds->computer_name;
-#else
+
                bind_schannel.Flags = NL_FLAG_OEM_NETBIOS_DOMAIN_NAME |
                                      NL_FLAG_OEM_NETBIOS_COMPUTER_NAME;
                bind_schannel.oem_netbios_domain.a = cli_credentials_get_domain(gensec_security->credentials);
                bind_schannel.oem_netbios_computer.a = creds->computer_name;
-#endif
+
+               if (creds->secure_channel_type == SEC_CHAN_DNS_DOMAIN) {
+                       bind_schannel.Flags |= NL_FLAG_UTF8_DNS_DOMAIN_NAME;
+                       bind_schannel.utf8_dns_domain.u = cli_credentials_get_realm(gensec_security->credentials);
+
+                       bind_schannel.Flags |= NL_FLAG_UTF8_NETBIOS_COMPUTER_NAME;
+                       bind_schannel.utf8_netbios_computer.u = creds->computer_name;
+               }
 
                ndr_err = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
                                               (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
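Review bot: In the new `SEC_CHAN_DNS_DOMAIN` branch the result of `cli_credentials_get_realm()` is stored in `utf8_dns_domain.u` and advertised with `NL_FLAG_UTF8_DNS_DOMAIN_NAME` without a NULL check. If the credentials carry no realm, a NULL string presumably reaches `ndr_push_struct_blob()` with the flag set, and how the marshalling code reacts is not visible here. Failing early is safer, e.g. `if (bind_schannel.utf8_dns_domain.u == NULL) { return NT_STATUS_INVALID_PARAMETER; }` directly after the assignment. The deleted `#if 0` block also carried the only explanation of why `creds->computer_name` rather than the full DNS host name is sent as `utf8_netbios_computer`; a one-line comment such as `/* NetBIOS name on purpose: w2k3 was seen to refuse the full DNS workstation name */` would keep that knowledge. The body of `schannel_update()` starts and ends outside this hunk.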