summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndreas Schneider <asn@samba.org>2011-06-15 11:15:06 +0200
committerAndrew Bartlett <abartlet@samba.org>2011-07-04 18:28:00 +1000
commit45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0 (patch)
treeced1c978daa490107838a440c1fe4a475e0c36d0
parent541f3cf639699d23b9a96e6c615027a5be4581a9 (diff)
downloadsamba-45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0.tar.gz
samba-45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0.tar.bz2
samba-45f70db01070cfb0cdfb6ae0e8ee64da2bf42fc0.zip
s3-auth: Added remote_address to ntlmssp server.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source3/auth/auth_ntlmssp.c11
-rw-r--r--source3/auth/proto.h3
-rw-r--r--source3/include/ntlmssp_wrap.h1
-rw-r--r--source3/librpc/crypto/spnego.h2
-rw-r--r--source3/rpc_server/dcesrv_ntlmssp.c3
-rw-r--r--source3/rpc_server/dcesrv_ntlmssp.h1
-rw-r--r--source3/rpc_server/dcesrv_spnego.c16
-rw-r--r--source3/rpc_server/dcesrv_spnego.h1
-rw-r--r--source3/rpc_server/srv_pipe.c2
-rw-r--r--source3/smbd/seal.c50
-rw-r--r--source3/smbd/sesssetup.c9
-rw-r--r--source3/smbd/smb2_sesssetup.c9
12 files changed, 87 insertions, 21 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index ad08981d2f..54f7e6d5fc 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -26,6 +26,7 @@
#include "ntlmssp_wrap.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "smbd/smbd.h"
+#include "../lib/tsocket/tsocket.h"
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
@@ -173,7 +174,8 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
static int auth_ntlmssp_state_destructor(void *ptr);
-NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
+NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
+ struct auth_ntlmssp_state **auth_ntlmssp_state)
{
NTSTATUS nt_status;
bool is_standalone;
@@ -205,6 +207,12 @@ NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state)
return NT_STATUS_NO_MEMORY;
}
+ ans->remote_address = tsocket_address_copy(remote_address, ans);
+ if (ans->remote_address == NULL) {
+ DEBUG(0,("auth_ntlmssp_start: talloc failed!\n"));
+ return NT_STATUS_NO_MEMORY;
+ }
+
nt_status = ntlmssp_server_start(ans,
is_standalone,
netbios_name,
@@ -240,6 +248,7 @@ static int auth_ntlmssp_state_destructor(void *ptr)
ans = talloc_get_type(ptr, struct auth_ntlmssp_state);
+ TALLOC_FREE(ans->remote_address);
TALLOC_FREE(ans->server_info);
TALLOC_FREE(ans->ntlmssp_state);
return 0;
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 46846ac907..a4330155d1 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -69,7 +69,8 @@ NTSTATUS auth_netlogond_init(void);
NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
struct auth_serversupplied_info **session_info);
-NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state **auth_ntlmssp_state);
+NTSTATUS auth_ntlmssp_start(const struct tsocket_address *remote_address,
+ struct auth_ntlmssp_state **auth_ntlmssp_state);
/* The following definitions come from auth/auth_sam.c */
diff --git a/source3/include/ntlmssp_wrap.h b/source3/include/ntlmssp_wrap.h
index ec97f58ed8..abe1e7a3b9 100644
--- a/source3/include/ntlmssp_wrap.h
+++ b/source3/include/ntlmssp_wrap.h
@@ -25,6 +25,7 @@ struct auth_ntlmssp_state {
/* used only by server implementation */
struct auth_context *auth_context;
struct auth_serversupplied_info *server_info;
+ struct tsocket_address *remote_address;
/* used by both client and server implementation */
struct ntlmssp_state *ntlmssp_state;
diff --git a/source3/librpc/crypto/spnego.h b/source3/librpc/crypto/spnego.h
index 68d9243bb0..5e1a79b2af 100644
--- a/source3/librpc/crypto/spnego.h
+++ b/source3/librpc/crypto/spnego.h
@@ -48,6 +48,8 @@ struct spnego_context {
bool do_sign;
bool do_seal;
bool is_dcerpc;
+
+ struct tsocket_address *remote_address;
};
NTSTATUS spnego_gssapi_init_client(TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_server/dcesrv_ntlmssp.c b/source3/rpc_server/dcesrv_ntlmssp.c
index e43bba732b..8c9484649a 100644
--- a/source3/rpc_server/dcesrv_ntlmssp.c
+++ b/source3/rpc_server/dcesrv_ntlmssp.c
@@ -30,12 +30,13 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
bool is_dcerpc,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
struct auth_ntlmssp_state **ctx)
{
struct auth_ntlmssp_state *a = NULL;
NTSTATUS status;
- status = auth_ntlmssp_start(&a);
+ status = auth_ntlmssp_start(remote_address, &a);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
nt_errstr(status)));
diff --git a/source3/rpc_server/dcesrv_ntlmssp.h b/source3/rpc_server/dcesrv_ntlmssp.h
index a21c512f9e..0c830f3da4 100644
--- a/source3/rpc_server/dcesrv_ntlmssp.h
+++ b/source3/rpc_server/dcesrv_ntlmssp.h
@@ -28,6 +28,7 @@ NTSTATUS ntlmssp_server_auth_start(TALLOC_CTX *mem_ctx,
bool is_dcerpc,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
+ const struct tsocket_address *remote_address,
struct auth_ntlmssp_state **ctx);
NTSTATUS ntlmssp_server_step(struct auth_ntlmssp_state *ctx,
TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index fb758e338b..515e59b7e8 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -19,6 +19,7 @@
#include "includes.h"
#include "../libcli/auth/spnego.h"
+#include "../lib/tsocket/tsocket.h"
#include "dcesrv_ntlmssp.h"
#include "dcesrv_gssapi.h"
#include "dcesrv_spnego.h"
@@ -26,6 +27,7 @@
static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
bool is_dcerpc,
+ const struct tsocket_address *remote_address,
struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx = NULL;
@@ -35,6 +37,11 @@ static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
+ sp_ctx->remote_address = tsocket_address_copy(remote_address, sp_ctx);
+ if (sp_ctx->remote_address == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
sp_ctx->do_sign = do_sign;
sp_ctx->do_seal = do_seal;
sp_ctx->is_dcerpc = is_dcerpc;
@@ -76,6 +83,7 @@ static NTSTATUS spnego_server_mech_init(struct spnego_context *sp_ctx,
sp_ctx->is_dcerpc,
token_in,
token_out,
+ sp_ctx->remote_address,
&ntlmssp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to init ntlmssp server "
@@ -210,6 +218,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
bool is_dcerpc,
DATA_BLOB *spnego_in,
DATA_BLOB *spnego_out,
+ const struct tsocket_address *remote_address,
struct spnego_context **spnego_ctx)
{
struct spnego_context *sp_ctx;
@@ -223,7 +232,12 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = spnego_init_server(mem_ctx, do_sign, do_seal, is_dcerpc, &sp_ctx);
+ status = spnego_init_server(mem_ctx,
+ do_sign,
+ do_seal,
+ is_dcerpc,
+ remote_address,
+ &sp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source3/rpc_server/dcesrv_spnego.h b/source3/rpc_server/dcesrv_spnego.h
index eeb865d805..e6187f64f4 100644
--- a/source3/rpc_server/dcesrv_spnego.h
+++ b/source3/rpc_server/dcesrv_spnego.h
@@ -28,6 +28,7 @@ NTSTATUS spnego_server_auth_start(TALLOC_CTX *mem_ctx,
bool is_dcerpc,
DATA_BLOB *spnego_in,
DATA_BLOB *spnego_out,
+ const struct tsocket_address *remote_address,
struct spnego_context **spnego_ctx);
NTSTATUS spnego_server_step(struct spnego_context *sp_ctx,
TALLOC_CTX *mem_ctx,
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index fc08d56b1e..2504ac20b3 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -442,6 +442,7 @@ static bool pipe_spnego_auth_bind(struct pipes_struct *p,
true,
&auth_info->credentials,
response,
+ p->remote_address,
&spnego_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
@@ -596,6 +597,7 @@ static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
true,
&auth_info->credentials,
response,
+ p->remote_address,
&ntlmssp_state);
if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
diff --git a/source3/smbd/seal.c b/source3/smbd/seal.c
index 26185062a6..f1c0f9cf3b 100644
--- a/source3/smbd/seal.c
+++ b/source3/smbd/seal.c
@@ -27,6 +27,7 @@
#include "../lib/util/asn1.h"
#include "auth.h"
#include "libsmb/libsmb.h"
+#include "../lib/tsocket/tsocket.h"
/******************************************************************************
Server side encryption.
@@ -82,9 +83,11 @@ bool is_encrypted_packet(const uint8_t *inbuf)
Create an auth_ntlmssp_state and ensure pointer copy is correct.
******************************************************************************/
-static NTSTATUS make_auth_ntlmssp(struct smb_srv_trans_enc_ctx *ec)
+static NTSTATUS make_auth_ntlmssp(const struct tsocket_address *remote_address,
+ struct smb_srv_trans_enc_ctx *ec)
{
- NTSTATUS status = auth_ntlmssp_start(&ec->auth_ntlmssp_state);
+ NTSTATUS status = auth_ntlmssp_start(remote_address,
+ &ec->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
return nt_status_squash(status);
}
@@ -256,7 +259,9 @@ static void srv_free_encryption_context(struct smb_srv_trans_enc_ctx **pp_ec)
Create a server encryption context.
******************************************************************************/
-static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type, struct smb_srv_trans_enc_ctx **pp_ec)
+static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
+ enum smb_trans_enc_type smb_enc_type,
+ struct smb_srv_trans_enc_ctx **pp_ec)
{
struct smb_srv_trans_enc_ctx *ec;
@@ -277,7 +282,8 @@ static NTSTATUS make_srv_encryption_context(enum smb_trans_enc_type smb_enc_type
switch (smb_enc_type) {
case SMB_TRANS_ENC_NTLM:
{
- NTSTATUS status = make_auth_ntlmssp(ec);
+ NTSTATUS status = make_auth_ntlmssp(remote_address,
+ ec);
if (!NT_STATUS_IS_OK(status)) {
srv_free_encryption_context(&ec);
return status;
@@ -368,7 +374,10 @@ NTSTATUS srv_encrypt_buffer(char *buf, char **buf_out)
******************************************************************************/
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
-static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob)
+static NTSTATUS srv_enc_spnego_gss_negotiate(const struct tsocket_address *remote_address,
+ unsigned char **ppdata,
+ size_t *p_data_size,
+ DATA_BLOB secblob)
{
OM_uint32 ret;
OM_uint32 min;
@@ -380,7 +389,9 @@ static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_d
NTSTATUS status;
if (!partial_srv_trans_enc_ctx) {
- status = make_srv_encryption_context(SMB_TRANS_ENC_GSS, &partial_srv_trans_enc_ctx);
+ status = make_srv_encryption_context(remote_address,
+ SMB_TRANS_ENC_GSS,
+ &partial_srv_trans_enc_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -450,13 +461,19 @@ static NTSTATUS srv_enc_spnego_gss_negotiate(unsigned char **ppdata, size_t *p_d
Until success we do everything on the partial enc ctx.
******************************************************************************/
-static NTSTATUS srv_enc_ntlm_negotiate(unsigned char **ppdata, size_t *p_data_size, DATA_BLOB secblob, bool spnego_wrap)
+static NTSTATUS srv_enc_ntlm_negotiate(const struct tsocket_address *remote_address,
+ unsigned char **ppdata,
+ size_t *p_data_size,
+ DATA_BLOB secblob,
+ bool spnego_wrap)
{
NTSTATUS status;
DATA_BLOB chal = data_blob_null;
DATA_BLOB response = data_blob_null;
- status = make_srv_encryption_context(SMB_TRANS_ENC_NTLM, &partial_srv_trans_enc_ctx);
+ status = make_srv_encryption_context(remote_address,
+ SMB_TRANS_ENC_NTLM,
+ &partial_srv_trans_enc_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -517,14 +534,21 @@ static NTSTATUS srv_enc_spnego_negotiate(connection_struct *conn,
TALLOC_FREE(kerb_mech);
#if defined(HAVE_GSSAPI) && defined(HAVE_KRB5)
- status = srv_enc_spnego_gss_negotiate(ppdata, p_data_size, secblob);
+ status = srv_enc_spnego_gss_negotiate(conn->sconn->remote_address,
+ ppdata,
+ p_data_size,
+ secblob);
#else
/* Currently we don't SPNEGO negotiate
* back to NTLMSSP as we do in sessionsetupX. We should... */
return NT_STATUS_LOGON_FAILURE;
#endif
} else {
- status = srv_enc_ntlm_negotiate(ppdata, p_data_size, secblob, true);
+ status = srv_enc_ntlm_negotiate(conn->sconn->remote_address,
+ ppdata,
+ p_data_size,
+ secblob,
+ true);
}
data_blob_free(&secblob);
@@ -628,7 +652,11 @@ static NTSTATUS srv_enc_raw_ntlm_auth(connection_struct *conn,
if (!partial_srv_trans_enc_ctx) {
/* This is the initial step. */
- status = srv_enc_ntlm_negotiate(ppdata, p_data_size, blob, false);
+ status = srv_enc_ntlm_negotiate(conn->sconn->remote_address,
+ ppdata,
+ p_data_size,
+ blob,
+ false);
if (!NT_STATUS_EQUAL(status,NT_STATUS_MORE_PROCESSING_REQUIRED) && !NT_STATUS_IS_OK(status)) {
srv_free_encryption_context(&partial_srv_trans_enc_ctx);
return nt_status_squash(status);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index dda4ef296e..7d111e3219 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -662,7 +662,8 @@ static void reply_spnego_negotiate(struct smb_request *req,
return;
}
- status = auth_ntlmssp_start(auth_ntlmssp_state);
+ status = auth_ntlmssp_start(sconn->remote_address,
+ auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -763,7 +764,8 @@ static void reply_spnego_auth(struct smb_request *req,
data_blob_free(&secblob);
if (!*auth_ntlmssp_state) {
- status = auth_ntlmssp_start(auth_ntlmssp_state);
+ status = auth_ntlmssp_start(sconn->remote_address,
+ auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
@@ -1175,7 +1177,8 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req)
DATA_BLOB chal;
if (!vuser->auth_ntlmssp_state) {
- status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state);
+ status = auth_ntlmssp_start(sconn->remote_address,
+ &vuser->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
/* Kill the intermediate vuid */
invalidate_vuid(sconn, vuid);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index c33d1c61be..13dfff0853 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -404,7 +404,8 @@ static NTSTATUS smbd_smb2_spnego_negotiate(struct smbd_smb2_session *session,
status = NT_STATUS_MORE_PROCESSING_REQUIRED;
} else {
/* Fall back to NTLMSSP. */
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_start(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
@@ -591,7 +592,8 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
}
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_start(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
data_blob_free(&auth);
TALLOC_FREE(session);
@@ -655,7 +657,8 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
DATA_BLOB secblob_out = data_blob_null;
if (session->auth_ntlmssp_state == NULL) {
- status = auth_ntlmssp_start(&session->auth_ntlmssp_state);
+ status = auth_ntlmssp_start(session->sconn->remote_address,
+ &session->auth_ntlmssp_state);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session);
return status;