summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-12-27 14:59:17 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-06 13:05:44 +0100
commitaf19532d4dbbf4cd0cf7142b9469d04bd5c722a8 (patch)
treeae26e12db2cfdf078da4d97b7e9dcae722df1f97
parent662c557b368ce5e959faf100145a0b1a4f4b1f75 (diff)
downloadsamba-af19532d4dbbf4cd0cf7142b9469d04bd5c722a8.tar.gz
samba-af19532d4dbbf4cd0cf7142b9469d04bd5c722a8.tar.bz2
samba-af19532d4dbbf4cd0cf7142b9469d04bd5c722a8.zip
s3-winbindd: convert cached credentials to use auth_generic/gensec for NTLMSSP
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/winbindd/winbindd_ccache_access.c79
1 files changed, 46 insertions, 33 deletions
diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
index 37e8eee727..411b2b4c3a 100644
--- a/source3/winbindd/winbindd_ccache_access.c
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -6,6 +6,7 @@
Copyright (C) Robert O'Callahan 2006
Copyright (C) Jeremy Allison 2006 (minor fixes to fit into Samba and
protect against integer wrap).
+ Copyright (C) Andrew Bartlett 2011
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -23,7 +24,8 @@
#include "includes.h"
#include "winbindd.h"
-#include "../auth/ntlmssp/ntlmssp.h"
+#include "auth/gensec/gensec.h"
+#include "auth_generic.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
@@ -41,24 +43,19 @@ static bool client_can_access_ccache_entry(uid_t client_uid,
return False;
}
-static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
- const char *domain,
- const unsigned char lm_hash[LM_HASH_LEN],
- const unsigned char nt_hash[NT_HASH_LEN],
- const DATA_BLOB initial_msg,
- const DATA_BLOB challenge_msg,
- DATA_BLOB *auth_msg,
- uint8_t session_key[16])
+static NTSTATUS do_ntlm_auth_with_stored_pw(const char *username,
+ const char *domain,
+ const char *password,
+ const DATA_BLOB initial_msg,
+ const DATA_BLOB challenge_msg,
+ DATA_BLOB *auth_msg,
+ uint8_t session_key[16])
{
NTSTATUS status;
- struct ntlmssp_state *ntlmssp_state = NULL;
- DATA_BLOB dummy_msg, reply;
+ struct auth_generic_state *auth_generic_state = NULL;
+ DATA_BLOB dummy_msg, reply, session_key_blob;
- status = ntlmssp_client_start(NULL,
- lp_netbios_name(),
- lp_workgroup(),
- lp_client_ntlmv2_auth(),
- &ntlmssp_state);
+ status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not start NTLMSSP client: %s\n",
@@ -66,7 +63,7 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
goto done;
}
- status = ntlmssp_set_username(ntlmssp_state, username);
+ status = auth_generic_set_username(auth_generic_state, username);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set username: %s\n",
@@ -74,7 +71,7 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
goto done;
}
- status = ntlmssp_set_domain(ntlmssp_state, domain);
+ status = auth_generic_set_domain(auth_generic_state, domain);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Could not set domain: %s\n",
@@ -82,15 +79,22 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
goto done;
}
- status = ntlmssp_set_hashes(ntlmssp_state, lm_hash, nt_hash);
+ status = auth_generic_set_password(auth_generic_state, password);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Could not set hashes: %s\n",
+ DEBUG(1, ("Could not set password: %s\n",
nt_errstr(status)));
goto done;
}
- ntlmssp_want_feature(ntlmssp_state, NTLMSSP_FEATURE_SESSION_KEY);
+ gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SESSION_KEY);
+
+ status = auth_generic_client_start(auth_generic_state, GENSEC_OID_NTLMSSP);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Could not start NTLMSSP mech: %s\n",
+ nt_errstr(status)));
+ goto done;
+ }
/* We need to get our protocol handler into the right state. So first
we ask it to generate the initial message. Actually the client has already
@@ -104,8 +108,8 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
*/
dummy_msg = data_blob_null;
reply = data_blob_null;
- status = ntlmssp_update(ntlmssp_state, dummy_msg, &reply);
- data_blob_free(&dummy_msg);
+ status = gensec_update(auth_generic_state->gensec_security,
+ talloc_tos(), NULL, dummy_msg, &reply);
data_blob_free(&reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
@@ -115,8 +119,8 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
}
/* Now we are ready to handle the server's actual response. */
- status = ntlmssp_update(ntlmssp_state, challenge_msg, &reply);
-
+ status = gensec_update(auth_generic_state->gensec_security,
+ NULL, NULL, challenge_msg, &reply);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(1, ("We didn't get a response to the challenge! [%s]\n",
nt_errstr(status)));
@@ -124,19 +128,28 @@ static NTSTATUS do_ntlm_auth_with_hashes(const char *username,
goto done;
}
- if (ntlmssp_state->session_key.length != 16) {
- DEBUG(1, ("invalid session key length %d\n",
- (int)ntlmssp_state->session_key.length));
+ status = gensec_session_key(auth_generic_state->gensec_security,
+ talloc_tos(), &session_key_blob);
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
+ DEBUG(1, ("We didn't get the session key we requested! [%s]\n",
+ nt_errstr(status)));
data_blob_free(&reply);
goto done;
}
- *auth_msg = data_blob(reply.data, reply.length);
- memcpy(session_key, ntlmssp_state->session_key.data, 16);
+ if (session_key_blob.length != 16) {
+ DEBUG(1, ("invalid session key length %d\n",
+ (int)session_key_blob.length));
+ data_blob_free(&reply);
+ goto done;
+ }
+ memcpy(session_key, session_key_blob.data, 16);
+ data_blob_free(&session_key_blob);
+ *auth_msg = reply;
status = NT_STATUS_OK;
done:
- TALLOC_FREE(ntlmssp_state);
+ TALLOC_FREE(auth_generic_state);
return status;
}
@@ -257,8 +270,8 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
state->request->extra_data.data + initial_blob_len,
state->request->data.ccache_ntlm_auth.challenge_blob_len);
- result = do_ntlm_auth_with_hashes(
- name_user, name_domain, entry->lm_hash, entry->nt_hash,
+ result = do_ntlm_auth_with_stored_pw(
+ name_user, name_domain, entry->pass,
initial, challenge, &auth,
state->response->data.ccache_ntlm_auth.session_key);