libcli/auth: Provide a struct loadparm_context to schannel calls

This will allow us to pass this down to the tdb_wrap layer. Andrew Bartlett
author: Andrew Bartlett <abartlet@samba.org> 2011-10-12 22:55:34 +1100
committer: Andrew Bartlett <abartlet@samba.org> 2011-10-13 14:06:07 +0200
commit: 5603dab6478fbb40206a8664a308b5db5b1863e8 (patch)
tree: 865595e3efb120830d8d7c52e5da786bbf554d99
parent: 43d84aa619be5851acea82bef77164f0dc3e9f7e (diff)
download: samba-5603dab6478fbb40206a8664a308b5db5b1863e8.tar.gz
samba-5603dab6478fbb40206a8664a308b5db5b1863e8.tar.bz2
samba-5603dab6478fbb40206a8664a308b5db5b1863e8.zip
10 files changed, 83 insertions, 27 deletions
diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index e3aeb5a9bc..7ee4c1c079 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -26,7 +26,7 @@
 struct schannel_state;
 
 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
-					     const char *private_dir);
+					     struct loadparm_context *lp_ctx);
 
 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 				bool do_unseal,
diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h
index 017fdbe28d..f9d02ddb4e 100644
--- a/libcli/auth/schannel_state.h
+++ b/libcli/auth/schannel_state.h
@@ -24,16 +24,16 @@
 #define _LIBCLI_AUTH_SCHANNEL_STATE_H__
 
 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
-				  const char *db_priv_dir,
+				  struct loadparm_context *lp_ctx,
 				  const char *computer_name,
 				  struct netlogon_creds_CredentialState **creds);
 
 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
-				   const char *db_priv_dir,
+				   struct loadparm_context *lp_ctx,
 				   struct netlogon_creds_CredentialState *creds);
 
 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
-				    const char *db_priv_dir,
+				    struct loadparm_context *lp_ctx,
 				    const char *computer_name,
 				    struct netr_Authenticator *received_authenticator,
 				    struct netr_Authenticator *return_authenticator,
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 76110b89ef..8910041f99 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -25,6 +25,7 @@
 #include "system/filesys.h"
 #include "../lib/tdb_compat/tdb_compat.h"
 #include "../lib/util/util_tdb.h"
+#include "../lib/param/param.h"
 #include "../libcli/auth/schannel.h"
 #include "../librpc/gen_ndr/ndr_schannel.h"
 #include "lib/util/tdb_wrap.h"
@@ -37,10 +38,10 @@
 *******************************************************************************/
 
 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
-					     const char *private_dir)
+					     struct loadparm_context *lp_ctx)
 {
 	struct tdb_wrap *tdb_sc = NULL;
-	char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", private_dir);
+	char *fname = lpcfg_private_path(mem_ctx, lp_ctx, "schannel_store.tdb");
 
 	if (!fname) {
 		return NULL;
@@ -201,7 +202,7 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc,
 *******************************************************************************/
 
 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
-				  const char *db_priv_dir,
+				  struct loadparm_context *lp_ctx,
 				  const char *computer_name,
 				  struct netlogon_creds_CredentialState **_creds)
 {
@@ -215,7 +216,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
@@ -239,7 +240,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
 *******************************************************************************/
 
 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
-				   const char *db_priv_dir,
+				   struct loadparm_context *lp_ctx,
 				   struct netlogon_creds_CredentialState *creds)
 {
 	TALLOC_CTX *tmpctx;
@@ -251,7 +252,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
@@ -273,7 +274,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
  ********************************************************************/
 
 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
-				    const char *db_priv_dir,
+				    struct loadparm_context *lp_ctx,
 				    const char *computer_name,
 				    struct netr_Authenticator *received_authenticator,
 				    struct netr_Authenticator *return_authenticator,
@@ -290,7 +291,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		status = NT_STATUS_ACCESS_DENIED;
 		goto done;
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index acb1ce38f0..2afab44ac2 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -26,7 +26,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
 
 bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
 	source='schannel_state_tdb.c schannel_sign.c',
-	deps='tdb-wrap UTIL_TDB'
+	deps='tdb-wrap UTIL_TDB samba-hostconfig'
 	)
 
 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 5e945187fa..dc0c33d395 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -44,6 +44,7 @@
 #include "auth.h"
 #include "messages.h"
 #include "../lib/tsocket/tsocket.h"
+#include "lib/param/param.h"
 
 extern userdom_struct current_user_info;
 
@@ -882,6 +883,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 	 * so use a copy to avoid destroying the client values. */
 	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	const char *fn;
+	struct loadparm_context *lp_ctx;
 	struct dom_sid sid;
 	struct samr_Password mach_pwd;
 	struct netlogon_creds_CredentialState *creds;
@@ -993,11 +995,20 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 		goto out;
 	}
 
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(10, ("loadparm_init_s3 failed\n"));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto out;
+	}
+
 	/* Store off the state so we can continue after client disconnect. */
 	become_root();
-	status = schannel_save_creds_state(p->mem_ctx, lp_private_dir(), creds);
+	status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
 	unbecome_root();
 
+	talloc_unlink(p->mem_ctx, lp_ctx);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		goto out;
 	}
@@ -1078,6 +1089,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 {
 	NTSTATUS status;
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+	struct loadparm_context *lp_ctx;
 
 	if (schannel_global_required) {
 		status = schannel_check_required(&p->auth,
@@ -1088,10 +1100,16 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 		}
 	}
 
-	status = schannel_check_creds_state(mem_ctx, lp_private_dir(),
+	lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = schannel_check_creds_state(mem_ctx, lp_ctx,
 					    computer_name, received_authenticator,
 					    return_authenticator, creds_out);
-
+	talloc_unlink(mem_ctx, lp_ctx);
 	return status;
 }
 
@@ -1731,6 +1749,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
 {
 	NTSTATUS status;
 	struct netlogon_creds_CredentialState *creds = NULL;
+	struct loadparm_context *lp_ctx;
 
 	*r->out.authoritative = true;
 
@@ -1746,10 +1765,18 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
 		return NT_STATUS_INVALID_PARAMETER;
         }
 
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	become_root();
-	status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
+	status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
 					  r->in.computer_name, &creds);
 	unbecome_root();
+	talloc_unlink(p->mem_ctx, lp_ctx);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2267,14 +2294,22 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
 	NTSTATUS status;
 	struct netlogon_creds_CredentialState *creds;
 	struct lsa_ForestTrustInformation *info, **info_ptr;
+	struct loadparm_context *lp_ctx;
 
 	/* TODO: check server name */
 
-	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
 					    r->in.computer_name,
 					    r->in.credential,
 					    r->out.return_authenticator,
 					    &creds);
+	talloc_unlink(p->mem_ctx, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2367,14 +2402,22 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
 	struct samr_Password *new_owf_enc;
 	struct samr_Password *old_owf_enc;
 	DATA_BLOB session_key;
+	struct loadparm_context *lp_ctx;
+
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
 
 	/* TODO: check server name */
 
-	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+	status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
 					    r->in.computer_name,
 					    r->in.credential,
 					    r->out.return_authenticator,
 					    &creds);
+	talloc_unlink(p->mem_ctx, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7a616c0ee6..449bf7555b 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -43,6 +43,7 @@
 #include "ntdomain.h"
 #include "rpc_server/srv_pipe.h"
 #include "rpc_server/rpc_contexts.h"
+#include "lib/param/param.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -477,6 +478,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	enum ndr_err_code ndr_err;
 	struct schannel_state *schannel_auth;
+	struct loadparm_context *lp_ctx;
 
 	ndr_err = ndr_pull_struct_blob(
 			&auth_info->credentials, mem_ctx, &neg,
@@ -495,6 +497,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 		return false;
 	}
 
+	lp_ctx = loadparm_init_s3(p, loadparm_s3_context());
+	if (!lp_ctx) {
+		DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
+		return false;
+	}
+
 	/*
 	 * The neg.oem_netbios_computer.a key here must match the remote computer name
 	 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
@@ -502,10 +510,11 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 	 */
 
 	become_root();
-	status = schannel_get_creds_state(p, lp_private_dir(),
+	status = schannel_get_creds_state(p, lp_ctx,
 					    neg.oem_netbios_computer.a, &creds);
 	unbecome_root();
-
+	
+	talloc_unlink(p, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
 		return False;
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index e47187a697..acbab9d88c 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -40,6 +40,7 @@
 #include "messages.h"
 #include "smbprofile.h"
 #include "lib/id_cache.h"
+#include "lib/param/param.h"
 
 extern void start_epmd(struct tevent_context *ev_ctx,
 		       struct messaging_context *msg_ctx);
@@ -1150,10 +1151,12 @@ extern void build_options(bool screen);
 	}
 
 	if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
-		if (!open_schannel_session_store(NULL, lp_private_dir())) {
+		struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_context());
+		if (!open_schannel_session_store(NULL, lp_ctx)) {
 			DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 			exit(1);
 		}
+		TALLOC_FREE(lp_ctx);
 	}
 
 	if(!get_global_sam_sid()) {
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 35713ce068..f947d45596 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -154,7 +154,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		}
 
 		status = schannel_get_creds_state(out_mem_ctx,
-						  lpcfg_private_dir(gensec_security->settings->lp_ctx),
+						  gensec_security->settings->lp_ctx,
 						  workstation, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index d5a7eebb55..cbf223be47 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -270,7 +270,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
 
 	nt_status = schannel_save_creds_state(mem_ctx,
-					      lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					      dce_call->conn->dce_ctx->lp_ctx,
 					      creds);
 
 	return nt_status;
@@ -382,7 +382,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 	}
 
 	nt_status = schannel_check_creds_state(mem_ctx,
-					       lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					       dce_call->conn->dce_ctx->lp_ctx,
 					       computer_name,
 					       received_authenticator,
 					       return_authenticator,
@@ -839,7 +839,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
 	}
 
 	nt_status = schannel_get_creds_state(mem_ctx,
-					     lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					     dce_call->conn->dce_ctx->lp_ctx,
 					     r->in.computer_name, &creds);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 322e45569f..c8549e2b56 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -393,7 +393,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
 	}
 
 	if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
-		if (!open_schannel_session_store(talloc_autofree_context(), lpcfg_private_dir(cmdline_lp_ctx))) {
+		if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
 			DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 			exit(1);
 		}
author	Andrew Bartlett <abartlet@samba.org>	2011-10-12 22:55:34 +1100
committer	Andrew Bartlett <abartlet@samba.org>	2011-10-13 14:06:07 +0200
commit	5603dab6478fbb40206a8664a308b5db5b1863e8 (patch)
tree	865595e3efb120830d8d7c52e5da786bbf554d99
parent	43d84aa619be5851acea82bef77164f0dc3e9f7e (diff)
download	samba-5603dab6478fbb40206a8664a308b5db5b1863e8.tar.gz samba-5603dab6478fbb40206a8664a308b5db5b1863e8.tar.bz2 samba-5603dab6478fbb40206a8664a308b5db5b1863e8.zip