diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-01-12 09:33:49 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:50:55 -0500 |
| commit | a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f (patch) | |
| tree | 71b27ab4d11e2fc537b0ccf5d4e9c75dcc9757eb | |
| parent | 4c6b9c79ff5d35e1d03ad5eb543db4b6b906b5ce (diff) | |
| download | samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.tar.gz samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.tar.bz2 samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.zip | |
r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
| -rw-r--r-- | source4/libnet/libnet_join.c | 11 | ||||
| -rw-r--r-- | source4/libnet/libnet_rpc.c | 4 | ||||
| -rw-r--r-- | source4/libnet/libnet_samdump.c | 71 | ||||
| -rw-r--r-- | source4/libnet/libnet_samdump_keytab.c | 42 | ||||
| -rw-r--r-- | source4/libnet/libnet_samsync_ldb.c | 45 | ||||
| -rw-r--r-- | source4/libnet/libnet_vampire.c | 116 | ||||
| -rw-r--r-- | source4/libnet/libnet_vampire.h | 62 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc.h | 1 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 11 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_connect.c | 24 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 17 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 18 | ||||
| -rw-r--r-- | source4/torture/rpc/netlogon.c | 9 | ||||
| -rw-r--r-- | source4/torture/rpc/samlogon.c | 2 | ||||
| -rw-r--r-- | source4/torture/rpc/schannel.c | 2 | ||||
| -rw-r--r-- | source4/utils/net/net_vampire.c | 23 | ||||
| -rw-r--r-- | source4/winbind/wb_connect_lsa.c | 14 | ||||
| -rw-r--r-- | source4/winbind/wb_connect_sam.c | 14 | ||||
| -rw-r--r-- | source4/winbind/wb_init_domain.c | 3 |
19 files changed, 242 insertions, 247 deletions
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c index 616c80b1a4..7a897b1280 100644 --- a/source4/libnet/libnet_join.c +++ b/source4/libnet/libnet_join.c @@ -745,14 +745,11 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru */ /* Find the original binding string */ - status = dcerpc_parse_binding(tmp_ctx, lsa_pipe->conn->binding_string, &samr_binding); - if (!NT_STATUS_IS_OK(status)) { - r->out.error_string = talloc_asprintf(mem_ctx, - "Failed to parse lsa binding '%s'", - lsa_pipe->conn->binding_string); - talloc_free(tmp_ctx); - return status; + samr_binding = talloc(tmp_ctx, struct dcerpc_binding); + if (!samr_binding) { + return NT_STATUS_NO_MEMORY; } + *samr_binding = *lsa_pipe->binding; /* Make binding string for samr, not the other pipe */ status = dcerpc_epm_map_binding(tmp_ctx, samr_binding, diff --git a/source4/libnet/libnet_rpc.c b/source4/libnet/libnet_rpc.c index ffed674f1f..1f98e575d1 100644 --- a/source4/libnet/libnet_rpc.c +++ b/source4/libnet/libnet_rpc.c @@ -57,8 +57,8 @@ static NTSTATUS libnet_RpcConnectSrv(struct libnet_context *ctx, TALLOC_CTX *mem if (!NT_STATUS_IS_OK(status)) { r->out.error_string = talloc_asprintf(mem_ctx, - "dcerpc_pipe_connect to pipe %s failed with %s\n", - r->in.dcerpc_iface->name, binding); + "dcerpc_pipe_connect to pipe %s[%s] failed with %s\n", + r->in.dcerpc_iface->name, binding, nt_errstr(status)); return status; } diff --git a/source4/libnet/libnet_samdump.c b/source4/libnet/libnet_samdump.c index 52513fa1b1..e094293916 100644 --- a/source4/libnet/libnet_samdump.c +++ b/source4/libnet/libnet_samdump.c @@ -151,7 +151,7 @@ static NTSTATUS libnet_samdump_fn(TALLOC_CTX *mem_ctx, return nt_status; } -static NTSTATUS libnet_SamDump_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump *r) +NTSTATUS libnet_SamDump(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump *r) { NTSTATUS nt_status; struct libnet_SamSync r2; @@ -164,15 +164,16 @@ static NTSTATUS libnet_SamDump_netlogon(struct libnet_context *ctx, TALLOC_CTX * return NT_STATUS_NO_MEMORY; } - samdump_state->secrets = NULL; + samdump_state->secrets = NULL; samdump_state->trusted_domains = NULL; - r2.error_string = NULL; - r2.delta_fn = libnet_samdump_fn; - r2.fn_ctx = samdump_state; - r2.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */ - nt_status = libnet_SamSync_netlogon(ctx, samdump_state, &r2); - r->error_string = r2.error_string; + r2.out.error_string = NULL; + r2.in.binding_string = r->in.binding_string; + r2.in.delta_fn = libnet_samdump_fn; + r2.in.fn_ctx = samdump_state; + r2.in.machine_account = r->in.machine_account; + nt_status = libnet_SamSync_netlogon(ctx, samdump_state, &r2); + r->out.error_string = r2.out.error_string; if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(samdump_state); @@ -183,49 +184,25 @@ static NTSTATUS libnet_SamDump_netlogon(struct libnet_context *ctx, TALLOC_CTX * for (t=samdump_state->trusted_domains; t; t=t->next) { char *secret_name = talloc_asprintf(mem_ctx, "G$$%s", t->name); for (s=samdump_state->secrets; s; s=s->next) { - if (strcasecmp_m(s->name, secret_name) == 0) { - char *secret_string; - if (convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX, - s->secret.data, s->secret.length, - (void **)&secret_string) == -1) { - r->error_string = talloc_asprintf(mem_ctx, - "Could not convert secret for domain %s to a string\n", - t->name); - talloc_free(samdump_state); - return NT_STATUS_INVALID_PARAMETER; - } - printf("%s\t%s\t%s\n", - t->name, dom_sid_string(mem_ctx, t->sid), - secret_string); + char *secret_string; + if (strcasecmp_m(s->name, secret_name) != 0) { + continue; + } + if (convert_string_talloc(mem_ctx, CH_UTF16, CH_UNIX, + s->secret.data, s->secret.length, + (void **)&secret_string) == -1) { + r->out.error_string = talloc_asprintf(mem_ctx, + "Could not convert secret for domain %s to a string\n", + t->name); + talloc_free(samdump_state); + return NT_STATUS_INVALID_PARAMETER; } + printf("%s\t%s\t%s\n", + t->name, dom_sid_string(mem_ctx, t->sid), + secret_string); } } talloc_free(samdump_state); return nt_status; } - - -static NTSTATUS libnet_SamDump_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump *r) -{ - NTSTATUS nt_status; - struct libnet_SamDump r2; - r2.level = LIBNET_SAMDUMP_NETLOGON; - r2.error_string = NULL; - nt_status = libnet_SamDump(ctx, mem_ctx, &r2); - r->error_string = r2.error_string; - - return nt_status; -} - -NTSTATUS libnet_SamDump(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump *r) -{ - switch (r->level) { - case LIBNET_SAMDUMP_GENERIC: - return libnet_SamDump_generic(ctx, mem_ctx, r); - case LIBNET_SAMDUMP_NETLOGON: - return libnet_SamDump_netlogon(ctx, mem_ctx, r); - } - - return NT_STATUS_INVALID_LEVEL; -} diff --git a/source4/libnet/libnet_samdump_keytab.c b/source4/libnet/libnet_samdump_keytab.c index e267cfdc2e..f16e0ae383 100644 --- a/source4/libnet/libnet_samdump_keytab.c +++ b/source4/libnet/libnet_samdump_keytab.c @@ -94,17 +94,18 @@ static NTSTATUS libnet_samdump_keytab_fn(TALLOC_CTX *mem_ctx, return nt_status; } -static NTSTATUS libnet_SamDump_keytab_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump_keytab *r) +NTSTATUS libnet_SamDump_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump_keytab *r) { NTSTATUS nt_status; struct libnet_SamSync r2; - r2.error_string = NULL; - r2.delta_fn = libnet_samdump_keytab_fn; - r2.fn_ctx = r->keytab_name; - r2.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */ - nt_status = libnet_SamSync_netlogon(ctx, mem_ctx, &r2); - r->error_string = r2.error_string; + r2.out.error_string = NULL; + r2.in.binding_string = r->in.binding_string; + r2.in.delta_fn = libnet_samdump_keytab_fn; + r2.in.fn_ctx = discard_const(r->in.keytab_name); + r2.in.machine_account = r->in.machine_account; + nt_status = libnet_SamSync_netlogon(ctx, mem_ctx, &r2); + r->out.error_string = r2.out.error_string; if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; @@ -112,30 +113,3 @@ static NTSTATUS libnet_SamDump_keytab_netlogon(struct libnet_context *ctx, TALLO return nt_status; } - - - -static NTSTATUS libnet_SamDump_keytab_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump_keytab *r) -{ - NTSTATUS nt_status; - struct libnet_SamDump_keytab r2; - r2.level = LIBNET_SAMDUMP_NETLOGON; - r2.error_string = NULL; - r2.keytab_name = r->keytab_name; - nt_status = libnet_SamDump_keytab(ctx, mem_ctx, &r2); - r->error_string = r2.error_string; - - return nt_status; -} - -NTSTATUS libnet_SamDump_keytab(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_SamDump_keytab *r) -{ - switch (r->level) { - case LIBNET_SAMDUMP_GENERIC: - return libnet_SamDump_keytab_generic(ctx, mem_ctx, r); - case LIBNET_SAMDUMP_NETLOGON: - return libnet_SamDump_keytab_netlogon(ctx, mem_ctx, r); - } - - return NT_STATUS_INVALID_LEVEL; -} diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index 03c551d2f7..2baab53289 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -1053,7 +1053,7 @@ static NTSTATUS libnet_samsync_ldb_fn(TALLOC_CTX *mem_ctx, return nt_status; } -static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r) +NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r) { NTSTATUS nt_status; struct libnet_SamSync r2; @@ -1063,17 +1063,18 @@ static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_C return NT_STATUS_NO_MEMORY; } - state->secrets = NULL; + state->secrets = NULL; state->trusted_domains = NULL; - state->sam_ldb = samdb_connect(state, system_session(state)); + state->sam_ldb = samdb_connect(state, system_session(state)); - r2.error_string = NULL; - r2.delta_fn = libnet_samsync_ldb_fn; - r2.fn_ctx = state; - r2.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */ - nt_status = libnet_SamSync_netlogon(ctx, state, &r2); - r->error_string = r2.error_string; + r2.out.error_string = NULL; + r2.in.binding_string = r->in.binding_string; + r2.in.delta_fn = libnet_samsync_ldb_fn; + r2.in.fn_ctx = state; + r2.in.machine_account = NULL; /* TODO: Create a machine account, fill this in, and the delete it */ + nt_status = libnet_SamSync_netlogon(ctx, state, &r2); + r->out.error_string = r2.out.error_string; if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(state); @@ -1082,29 +1083,3 @@ static NTSTATUS libnet_samsync_ldb_netlogon(struct libnet_context *ctx, TALLOC_C talloc_free(state); return nt_status; } - - - -static NTSTATUS libnet_samsync_ldb_generic(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r) -{ - NTSTATUS nt_status; - struct libnet_samsync_ldb r2; - r2.level = LIBNET_SAMSYNC_LDB_NETLOGON; - r2.error_string = NULL; - nt_status = libnet_samsync_ldb(ctx, mem_ctx, &r2); - r->error_string = r2.error_string; - - return nt_status; -} - -NTSTATUS libnet_samsync_ldb(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, struct libnet_samsync_ldb *r) -{ - switch (r->level) { - case LIBNET_SAMSYNC_LDB_GENERIC: - return libnet_samsync_ldb_generic(ctx, mem_ctx, r); - case LIBNET_SAMSYNC_LDB_NETLOGON: - return libnet_samsync_ldb_netlogon(ctx, mem_ctx, r); - } - - return NT_STATUS_INVALID_LEVEL; -} diff --git a/source4/libnet/libnet_vampire.c b/source4/libnet/libnet_vampire.c index dc271ba577..26e3939205 100644 --- a/source4/libnet/libnet_vampire.c +++ b/source4/libnet/libnet_vampire.c @@ -150,24 +150,15 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx struct creds_CredentialState *creds; struct netr_DatabaseSync dbsync; struct cli_credentials *machine_account; - struct dcerpc_binding *b; struct dcerpc_pipe *p; + struct libnet_context *machine_net_ctx; + struct libnet_RpcConnect *c; const enum netr_SamDatabaseID database_ids[] = {SAM_DATABASE_DOMAIN, SAM_DATABASE_BUILTIN, SAM_DATABASE_PRIVS}; int i; - /* TODO: This is bogus */ - const char **bindings = lp_passwordserver(); - const char *binding; - - if (bindings && bindings[0]) { - binding = bindings[0]; - } else { - return NT_STATUS_INVALID_PARAMETER; - } - samsync_ctx = talloc_named(mem_ctx, 0, "SamSync top context"); - if (!r->machine_account) { + if (!r->in.machine_account) { machine_account = cli_credentials_init(samsync_ctx); if (!machine_account) { talloc_free(samsync_ctx); @@ -176,16 +167,17 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx cli_credentials_set_conf(machine_account); nt_status = cli_credentials_set_machine_account(machine_account); if (!NT_STATUS_IS_OK(nt_status)) { - r->error_string = talloc_strdup(mem_ctx, "Could not obtain machine account password - are we joined to the domain?"); + r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain machine account password - are we joined to the domain?"); talloc_free(samsync_ctx); return nt_status; } } else { - machine_account = r->machine_account; + machine_account = r->in.machine_account; } + /* We cannot do this unless we are a BDC. Check, before we get odd errors later */ if (cli_credentials_get_secure_channel_type(machine_account) != SEC_CHAN_BDC) { - r->error_string + r->out.error_string = talloc_asprintf(mem_ctx, "Our join to domain %s is not as a BDC (%d), please rejoin as a BDC", @@ -195,25 +187,67 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } - /* Connect to DC (take a binding string for now) */ + c = talloc(samsync_ctx, struct libnet_RpcConnect); + if (!c) { + r->out.error_string = NULL; + talloc_free(samsync_ctx); + return NT_STATUS_NO_MEMORY; + } + + if (r->in.binding_string) { + c->level = LIBNET_RPC_CONNECT_BINDING; + c->in.binding = r->in.binding_string; + } else { + /* prepare connect to the NETLOGON pipe of PDC */ + c->level = LIBNET_RPC_CONNECT_PDC; + c->in.name = cli_credentials_get_domain(machine_account); + } + c->in.dcerpc_iface = &dcerpc_table_netlogon; + + /* We must do this as the machine, not as any command-line + * user. So we override the credentials in the + * libnet_context */ + machine_net_ctx = talloc(samsync_ctx, struct libnet_context); + if (!machine_net_ctx) { + r->out.error_string = NULL; + talloc_free(samsync_ctx); + return NT_STATUS_NO_MEMORY; + } + *machine_net_ctx = *ctx; + machine_net_ctx->cred = machine_account; - nt_status = dcerpc_parse_binding(samsync_ctx, binding, &b); + /* connect to the NETLOGON pipe of the PDC */ + nt_status = libnet_RpcConnect(machine_net_ctx, c, c); if (!NT_STATUS_IS_OK(nt_status)) { - r->error_string = talloc_asprintf(mem_ctx, "Bad binding string %s\n", binding); + r->out.error_string = talloc_asprintf(mem_ctx, + "Connection to NETLOGON pipe of DC failed: %s", + c->out.error_string); talloc_free(samsync_ctx); - return NT_STATUS_INVALID_PARAMETER; + return nt_status; } - /* We like schannel */ - b->flags &= ~DCERPC_AUTH_OPTIONS; - b->flags |= DCERPC_SCHANNEL | DCERPC_SEAL /* | DCERPC_SCHANNEL_128 */; + /* This makes a new pipe, on which we can do schannel. We + * should do this in the RpcConnect code, but the abstaction + * layers do not suit yet */ + + nt_status = dcerpc_secondary_connection(c->out.dcerpc_pipe, &p, + c->out.dcerpc_pipe->binding); + + if (!NT_STATUS_IS_OK(nt_status)) { + r->out.error_string = talloc_asprintf(mem_ctx, + "Secondary connection to NETLOGON pipe of DC %s failed: %s", + dcerpc_server_name(p), nt_errstr(nt_status)); + talloc_free(samsync_ctx); + return nt_status; + } - /* Setup schannel */ - nt_status = dcerpc_pipe_connect_b(samsync_ctx, &p, b, - &dcerpc_table_netlogon, - machine_account, ctx->event_ctx); + nt_status = dcerpc_bind_auth_schannel(samsync_ctx, p, &dcerpc_table_netlogon, + machine_account, DCERPC_AUTH_LEVEL_PRIVACY); if (!NT_STATUS_IS_OK(nt_status)) { + r->out.error_string = talloc_asprintf(mem_ctx, + "SCHANNEL authentication to NETLOGON pipe of DC %s failed: %s", + dcerpc_server_name(p), nt_errstr(nt_status)); talloc_free(samsync_ctx); return nt_status; } @@ -222,11 +256,12 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx nt_status = dcerpc_schannel_creds(p->conn->security_state.generic_state, samsync_ctx, &creds); if (!NT_STATUS_IS_OK(nt_status)) { - r->error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer"); + r->out.error_string = talloc_strdup(mem_ctx, "Could not obtain NETLOGON credentials from DCERPC/GENSEC layer"); talloc_free(samsync_ctx); return nt_status; } + /* Setup details for the syncronisation */ dbsync.in.logon_server = talloc_asprintf(samsync_ctx, "\\\\%s", dcerpc_server_name(p)); dbsync.in.computername = cli_credentials_get_workstation(machine_account); dbsync.in.preferredmaximumlength = (uint32_t)-1; @@ -244,40 +279,47 @@ NTSTATUS libnet_SamSync_netlogon(struct libnet_context *ctx, TALLOC_CTX *mem_ctx dbsync_nt_status = dcerpc_netr_DatabaseSync(p, loop_ctx, &dbsync); if (!NT_STATUS_IS_OK(dbsync_nt_status) && !NT_STATUS_EQUAL(dbsync_nt_status, STATUS_MORE_ENTRIES)) { - r->error_string = talloc_asprintf(samsync_ctx, "DatabaseSync failed - %s", nt_errstr(nt_status)); + r->out.error_string = talloc_asprintf(samsync_ctx, "DatabaseSync failed - %s", nt_errstr(nt_status)); talloc_free(samsync_ctx); return nt_status; } if (!creds_client_check(creds, &dbsync.out.return_authenticator.cred)) { - r->error_string = talloc_strdup(samsync_ctx, "Credential chaining failed"); + r->out.error_string = talloc_strdup(samsync_ctx, "Credential chaining failed"); talloc_free(samsync_ctx); return NT_STATUS_ACCESS_DENIED; } dbsync.in.sync_context = dbsync.out.sync_context; + /* For every single remote 'delta' entry: */ for (d=0; d < dbsync.out.delta_enum_array->num_deltas; d++) { char *error_string = NULL; delta_ctx = talloc_named(loop_ctx, 0, "DatabaseSync delta context"); + /* 'Fix' elements, by decrypting and + * de-obfustiating the data */ nt_status = fix_delta(delta_ctx, creds, dbsync.in.database_id, &dbsync.out.delta_enum_array->delta_enum[d], &error_string); if (!NT_STATUS_IS_OK(nt_status)) { - r->error_string = talloc_steal(samsync_ctx, error_string); + r->out.error_string = talloc_steal(samsync_ctx, error_string); talloc_free(samsync_ctx); return nt_status; } - nt_status = r->delta_fn(delta_ctx, - r->fn_ctx, - creds, - dbsync.in.database_id, - &dbsync.out.delta_enum_array->delta_enum[d], - &error_string); + + /* Now call the callback. This will + * do something like print the data or + * write to an ldb */ + nt_status = r->in.delta_fn(delta_ctx, + r->in.fn_ctx, + creds, + dbsync.in.database_id, + &dbsync.out.delta_enum_array->delta_enum[d], + &error_string); if (!NT_STATUS_IS_OK(nt_status)) { - r->error_string = talloc_steal(samsync_ctx, error_string); + r->out.error_string = talloc_steal(samsync_ctx, error_string); talloc_free(samsync_ctx); return nt_status; } diff --git a/source4/libnet/libnet_vampire.h b/source4/libnet/libnet_vampire.h index ed1b3ea828..4bbdf2733a 100644 --- a/source4/libnet/libnet_vampire.h +++ b/source4/libnet/libnet_vampire.h @@ -22,40 +22,50 @@ /* struct and enum for doing a remote domain vampire dump */ struct libnet_SamSync { - NTSTATUS (*delta_fn)(TALLOC_CTX *mem_ctx, - void *private, - struct creds_CredentialState *creds, - enum netr_SamDatabaseID database, - struct netr_DELTA_ENUM *delta, - char **error_string); - void *fn_ctx; - const char *error_string; - struct cli_credentials *machine_account; -}; - -enum libnet_SamDump_level { - LIBNET_SAMDUMP_GENERIC, - LIBNET_SAMDUMP_NETLOGON, + struct { + const char *binding_string; + NTSTATUS (*delta_fn)(TALLOC_CTX *mem_ctx, + void *private, + struct creds_CredentialState *creds, + enum netr_SamDatabaseID database, + struct netr_DELTA_ENUM *delta, + char **error_string); + void *fn_ctx; + struct cli_credentials *machine_account; + } in; + struct { + const char *error_string; + } out; }; struct libnet_SamDump { - enum libnet_SamDump_level level; - const char *error_string; + struct { + const char *binding_string; + struct cli_credentials *machine_account; + } in; + struct { + const char *error_string; + } out; }; struct libnet_SamDump_keytab { - enum libnet_SamDump_level level; - const char *keytab_name; - const char *error_string; -}; - -enum libnet_samsync_ldb_level { - LIBNET_SAMSYNC_LDB_GENERIC, - LIBNET_SAMSYNC_LDB_NETLOGON, + struct { + const char *binding_string; + const char *keytab_name; + struct cli_credentials *machine_account; + } in; + struct { + const char *error_string; + } out; }; struct libnet_samsync_ldb { - enum libnet_samsync_ldb_level level; - const char *error_string; + struct { + const char *binding_string; + struct cli_credentials *machine_account; + } in; + struct { + const char *error_string; + } out; }; diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index cbfe8478b2..df70580db3 100644 --- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -100,6 +100,7 @@ struct dcerpc_pipe { struct dcerpc_syntax_id transfer_syntax; struct dcerpc_connection *conn; + struct dcerpc_binding *binding; /* the last fault code from a DCERPC fault */ uint32_t last_fault_code; diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index bffa994abe..f0a7dc8ffe 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -168,7 +168,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p, const struct dcerpc_interface_table *table, struct cli_credentials *credentials, - uint8_t auth_type, + uint8_t auth_type, uint8_t auth_level, const char *service) { struct composite_context *c, *creq; @@ -233,8 +233,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, } c->status = gensec_start_mech_by_authtype(sec->generic_state, - auth_type, - dcerpc_auth_level(p->conn)); + auth_type, auth_level); if (!NT_STATUS_IS_OK(c->status)) { DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n", gensec_get_name_by_authtype(auth_type), @@ -249,7 +248,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, } sec->auth_info->auth_type = auth_type; - sec->auth_info->auth_level = dcerpc_auth_level(p->conn); + sec->auth_info->auth_level = auth_level, sec->auth_info->auth_pad_length = 0; sec->auth_info->auth_reserved = 0; sec->auth_info->auth_context_id = random(); @@ -323,11 +322,11 @@ NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq) NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, const struct dcerpc_interface_table *table, struct cli_credentials *credentials, - uint8_t auth_type, + uint8_t auth_type, uint8_t auth_level, const char *service) { struct composite_context *creq; creq = dcerpc_bind_auth_send(p, p, table, credentials, - auth_type, service); + auth_type, auth_level, service); return dcerpc_bind_auth_recv(creq); } diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c index 1c9ab8c0ed..67dfda6d7a 100644 --- a/source4/librpc/rpc/dcerpc_connect.c +++ b/source4/librpc/rpc/dcerpc_connect.c @@ -131,29 +131,19 @@ struct composite_context *dcerpc_pipe_connect_ncacn_np_smb_send(TALLOC_CTX *mem_ conn->in.called_name = strupper_talloc(mem_ctx, s->io.binding->host); conn->in.service = "IPC$"; conn->in.service_type = NULL; - conn->in.fallback_to_anonymous = False; conn->in.workgroup = lp_workgroup(); /* - * provide proper credentials - user supplied or anonymous in case this is - * schannel connection + * provide proper credentials - user supplied, but allow a + * fallback to anonymous if this is an schannel connection + * (might be NT4 not allowing machine logins at session + * setup). */ + s->conn.in.credentials = s->io.creds; if (s->io.binding->flags & DCERPC_SCHANNEL) { - struct cli_credentials *anon_creds; - - anon_creds = cli_credentials_init(mem_ctx); - if (!anon_creds) { - composite_error(c, NT_STATUS_NO_MEMORY); - goto done; - } - - cli_credentials_set_anonymous(anon_creds); - cli_credentials_guess(anon_creds); - - s->conn.in.credentials = anon_creds; - + conn->in.fallback_to_anonymous = True; } else { - s->conn.in.credentials = s->io.creds; + conn->in.fallback_to_anonymous = False; } /* send smb connect request */ diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 108b678188..64cf6748e8 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -55,16 +55,15 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx, step 1 - establish a netlogon connection, with no authentication */ - /* Find the original binding string */ - status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string)); - return status; + b = talloc(tmp_ctx, struct dcerpc_binding); + if (!b) { + return NT_STATUS_NO_MEMORY; } + *b = *p->binding; /* Make binding string for netlogon, not the other pipe */ status = dcerpc_epm_map_binding(tmp_ctx, b, - &dcerpc_table_netlogon, + &dcerpc_table_netlogon, p->conn->event_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n", @@ -141,7 +140,8 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx, NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, struct dcerpc_pipe *p, const struct dcerpc_interface_table *table, - struct cli_credentials *credentials) + struct cli_credentials *credentials, + uint8_t auth_level) { NTSTATUS status; @@ -156,7 +156,8 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, return status; } - return dcerpc_bind_auth(p, table, credentials, DCERPC_AUTH_TYPE_SCHANNEL, + return dcerpc_bind_auth(p, table, credentials, + DCERPC_AUTH_TYPE_SCHANNEL, auth_level, NULL); } diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 15a45ed3f0..6ef91b87b0 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -889,9 +889,10 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, /* If we don't already have netlogon credentials for * the schannel bind, then we have to get these * first */ - status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials); + status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials, + dcerpc_auth_level(p->conn)); } else if (!cli_credentials_is_anonymous(credentials) && - !(binding->transport == NCACN_NP && + !(p->conn->transport.transport == NCACN_NP && !(binding->flags & DCERPC_SIGN) && !(binding->flags & DCERPC_SEAL))) { @@ -925,7 +926,9 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, } status = dcerpc_bind_auth(p, table, - credentials, auth_type, table->authservices->names[0]); + credentials, auth_type, + dcerpc_auth_level(p->conn), + table->authservices->names[0]); } else { status = dcerpc_bind_auth_none(p, table); } @@ -1099,6 +1102,11 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx, return status; } + p->binding = binding; + if (!talloc_reference(p, binding)) { + return NT_STATUS_NO_MEMORY; + } + status = dcerpc_pipe_auth(p, binding, table, credentials); if (!NT_STATUS_IS_OK(status)) { talloc_free(p); @@ -1195,6 +1203,10 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe * } (*p2)->conn->flags = p->conn->flags; + (*p2)->binding = b; + if (!talloc_reference(*p2, b)) { + return NT_STATUS_NO_MEMORY; + } return NT_STATUS_OK; } diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index ab12362759..6dc3158a9f 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -1404,7 +1404,6 @@ static BOOL test_GetDomainInfo_async(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) static BOOL test_ManyGetDCName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) { NTSTATUS status; - struct dcerpc_binding *b; struct dcerpc_pipe *p2; struct lsa_ObjectAttribute attr; struct lsa_QosInfo qos; @@ -1425,13 +1424,7 @@ static BOOL test_ManyGetDCName(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx) printf("Torturing GetDCName\n"); - status = dcerpc_parse_binding(mem_ctx, p->conn->binding_string, &b); - if (!NT_STATUS_IS_OK(status)) { - printf("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string); - return False; - } - - status = dcerpc_secondary_connection(p, &p2, b); + status = dcerpc_secondary_connection(p, &p2, p->binding); if (!NT_STATUS_IS_OK(status)) { printf("Failed to create secondary connection\n"); return False; diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c index 996d78d25f..af29d44347 100644 --- a/source4/torture/rpc/samlogon.c +++ b/source4/torture/rpc/samlogon.c @@ -1742,6 +1742,8 @@ BOOL torture_rpc_samlogon(void) * session key encryption) */ for (i=0; i < ARRAY_SIZE(credential_flags); i++) { + /* TODO: Somehow we lost setting up the different credential flags here! */ + if (!test_InteractiveLogon(p, mem_ctx, creds, usercreds[0].comment, TEST_MACHINE_NAME, diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c index bab0ffc4e8..eba9affce0 100644 --- a/source4/torture/rpc/schannel.c +++ b/source4/torture/rpc/schannel.c @@ -210,6 +210,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, status = dcerpc_bind_auth(p_netlogon, &dcerpc_table_netlogon, credentials, DCERPC_AUTH_TYPE_SCHANNEL, + dcerpc_auth_level(p->conn), NULL); if (!NT_STATUS_IS_OK(status)) { @@ -242,6 +243,7 @@ static BOOL test_schannel(TALLOC_CTX *mem_ctx, status = dcerpc_bind_auth(p_lsa, &dcerpc_table_lsarpc, credentials, DCERPC_AUTH_TYPE_SCHANNEL, + dcerpc_auth_level(p->conn), NULL); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/utils/net/net_vampire.c b/source4/utils/net/net_vampire.c index 75ad175c66..f89739225d 100644 --- a/source4/utils/net/net_vampire.c +++ b/source4/utils/net/net_vampire.c @@ -48,7 +48,7 @@ static int net_samdump_keytab(struct net_context *ctx, int argc, const char **ar return net_samdump_keytab_usage(ctx, argc, argv); break; case 1: - r.keytab_name = argv[0]; + r.in.keytab_name = argv[0]; break; } @@ -58,14 +58,15 @@ static int net_samdump_keytab(struct net_context *ctx, int argc, const char **ar } libnetctx->cred = ctx->credentials; - r.level = LIBNET_SAMDUMP_GENERIC; - r.error_string = NULL; + r.out.error_string = NULL; + r.in.machine_account = NULL; + r.in.binding_string = NULL; status = libnet_SamDump_keytab(libnetctx, ctx->mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("libnet_SamDump returned %s: %s\n", nt_errstr(status), - r.error_string)); + r.out.error_string)); return -1; } @@ -103,14 +104,15 @@ int net_samdump(struct net_context *ctx, int argc, const char **argv) } libnetctx->cred = ctx->credentials; - r.level = LIBNET_SAMDUMP_GENERIC; - r.error_string = NULL; + r.out.error_string = NULL; + r.in.machine_account = NULL; + r.in.binding_string = NULL; status = libnet_SamDump(libnetctx, ctx->mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("libnet_SamDump returned %s: %s\n", nt_errstr(status), - r.error_string)); + r.out.error_string)); return -1; } @@ -144,14 +146,15 @@ int net_samsync_ldb(struct net_context *ctx, int argc, const char **argv) } libnetctx->cred = ctx->credentials; - r.level = LIBNET_SAMSYNC_LDB_GENERIC; - r.error_string = NULL; + r.out.error_string = NULL; + r.in.machine_account = NULL; + r.in.binding_string = NULL; status = libnet_samsync_ldb(libnetctx, ctx->mem_ctx, &r); if (!NT_STATUS_IS_OK(status)) { DEBUG(0,("libnet_samsync_ldb returned %s: %s\n", nt_errstr(status), - r.error_string)); + r.out.error_string)); return -1; } diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c index 76f75eb0a4..1c9cb5f39a 100644 --- a/source4/winbind/wb_connect_lsa.c +++ b/source4/winbind/wb_connect_lsa.c @@ -95,24 +95,32 @@ static void init_lsa_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->lsa_pipe, - &dcerpc_table_lsarpc); + &dcerpc_table_lsarpc); composite_continue(state->ctx, ctx, init_lsa_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: + { + uint8_t auth_type; + if (lp_winbind_sealed_pipes()) { + auth_type = DCERPC_AUTH_LEVEL_PRIVACY; + } else { + auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; + } if (state->creds == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; } - state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->lsa_pipe, - &dcerpc_table_lsarpc, + &dcerpc_table_lsarpc, state->creds, state->auth_type, + auth_type, NULL); composite_continue(state->ctx, ctx, init_lsa_recv_auth_bind, state); break; + } default: composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e3b9c82310..1817785508 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -102,24 +102,32 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - &dcerpc_table_samr); + &dcerpc_table_samr); composite_continue(state->ctx, ctx, connect_samr_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: + { + uint8_t auth_type; + if (lp_winbind_sealed_pipes()) { + auth_type = DCERPC_AUTH_LEVEL_PRIVACY; + } else { + auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; + } if (state->creds == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; } - state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - &dcerpc_table_samr, + &dcerpc_table_samr, state->creds, state->auth_type, + auth_type, NULL); composite_continue(state->ctx, ctx, connect_samr_recv_auth_bind, state); break; + } default: composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index c9d99ff0b9..b10b5458ba 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -205,9 +205,10 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx) state->domain->netlogon_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->domain->netlogon_pipe, - &dcerpc_table_netlogon, + &dcerpc_table_netlogon, state->domain->schannel_creds, DCERPC_AUTH_TYPE_SCHANNEL, + DCERPC_AUTH_LEVEL_PRIVACY, NULL); composite_continue(state->ctx, ctx, init_domain_recv_schannel, state); } |