summaryrefslogtreecommitdiff
path: root/source3/rpc_client
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-01-02 13:06:29 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-18 16:23:22 +0100
commite012ad9d8b7cea3a86841fe92b80627a6d07d459 (patch)
tree7ccd7a5650d5f6d3a21cc7e9846402002419cb12 /source3/rpc_client
parent1b6356298ceeb21ebcb125e239316fb29ff623fc (diff)
downloadsamba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.tar.gz
samba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.tar.bz2
samba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.zip
s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped when required for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/rpc_client')
-rw-r--r--source3/rpc_client/cli_pipe.c142
1 files changed, 3 insertions, 139 deletions
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index ca8655cab1..ce8ab819c5 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -30,7 +30,6 @@
#include "auth_generic.h"
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "librpc/rpc/dcerpc.h"
-#include "librpc/crypto/gse.h"
#include "librpc/crypto/spnego.h"
#include "rpc_dce.h"
#include "cli_pipe.h"
@@ -1006,35 +1005,6 @@ static NTSTATUS create_spnego_auth_bind_req(TALLOC_CTX *mem_ctx,
}
/*******************************************************************
- Creates krb5 auth bind.
- ********************************************************************/
-
-static NTSTATUS create_gssapi_auth_bind_req(TALLOC_CTX *mem_ctx,
- struct pipe_auth_data *auth,
- DATA_BLOB *auth_token)
-{
- struct gse_context *gse_ctx;
- DATA_BLOB in_token = data_blob_null;
- NTSTATUS status;
-
- gse_ctx = talloc_get_type_abort(auth->auth_ctx,
- struct gse_context);
-
- /* Negotiate the initial auth token */
- status = gse_get_client_auth_token(mem_ctx, gse_ctx,
- &in_token,
- auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- DEBUG(5, ("Created GSS Authentication Token:\n"));
- dump_data(5, auth_token->data, auth_token->length);
-
- return NT_STATUS_OK;
-}
-
-/*******************************************************************
Creates NTLMSSP auth bind.
********************************************************************/
@@ -1171,6 +1141,7 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
ret = create_generic_auth_rpc_bind_req(cli, mem_ctx, &auth_token);
if (!NT_STATUS_IS_OK(ret)) {
return ret;
@@ -1184,13 +1155,6 @@ static NTSTATUS create_rpc_bind_req(TALLOC_CTX *mem_ctx,
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- ret = create_gssapi_auth_bind_req(mem_ctx, auth, &auth_token);
- if (!NT_STATUS_IS_OK(ret)) {
- return ret;
- }
- break;
-
case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
auth_token = data_blob_talloc(mem_ctx,
"NCALRPC_AUTH_TOKEN",
@@ -1691,7 +1655,6 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
struct pipe_auth_data *pauth = state->cli->auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
struct ncacn_packet *pkt = NULL;
struct dcerpc_auth auth;
DATA_BLOB auth_token = data_blob_null;
@@ -1770,6 +1733,7 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
return;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(pauth->auth_ctx,
struct gensec_security);
status = gensec_update(gensec_security, state, NULL,
@@ -1808,24 +1772,6 @@ static void rpc_pipe_bind_step_one_done(struct tevent_req *subreq)
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(pauth->auth_ctx,
- struct gse_context);
- status = gse_get_client_auth_token(state,
- gse_ctx,
- &auth.credentials,
- &auth_token);
- if (!NT_STATUS_IS_OK(status)) {
- break;
- }
-
- if (gse_require_more_processing(gse_ctx)) {
- status = rpc_bind_next_send(req, state, &auth_token);
- } else {
- status = rpc_bind_finish_send(req, state, &auth_token);
- }
- break;
-
default:
goto err_out;
}
@@ -2980,82 +2926,6 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
return NT_STATUS_OK;
}
-/****************************************************************************
- Open a named pipe to an SMB server and bind using krb5 (bind type 16).
- The idea is this can be called with service_princ, username and password all
- NULL so long as the caller has a TGT.
- ****************************************************************************/
-
-NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli,
- const struct ndr_syntax_id *interface,
- enum dcerpc_transport_t transport,
- enum dcerpc_AuthLevel auth_level,
- const char *server,
- const char *username,
- const char *password,
- struct rpc_pipe_client **presult)
-{
- struct rpc_pipe_client *result;
- struct pipe_auth_data *auth;
- struct gse_context *gse_ctx;
- NTSTATUS status;
-
- status = cli_rpc_pipe_open(cli, transport, interface, &result);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- auth = talloc(result, struct pipe_auth_data);
- if (auth == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
- auth->auth_type = DCERPC_AUTH_TYPE_KRB5;
- auth->auth_level = auth_level;
-
- if (!username) {
- username = "";
- }
- auth->user_name = talloc_strdup(auth, username);
- if (!auth->user_name) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- /* Fixme, should we fetch/set the Realm ? */
- auth->domain = talloc_strdup(auth, "");
- if (!auth->domain) {
- status = NT_STATUS_NO_MEMORY;
- goto err_out;
- }
-
- status = gse_init_client(auth,
- (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_level == DCERPC_AUTH_LEVEL_PRIVACY),
- NULL, server, "cifs", username, password,
- GSS_C_DCE_STYLE, &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("gse_init_client returned %s\n",
- nt_errstr(status)));
- goto err_out;
- }
- auth->auth_ctx = gse_ctx;
-
- status = rpc_pipe_bind(result, auth);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n",
- nt_errstr(status)));
- goto err_out;
- }
-
- *presult = result;
- return NT_STATUS_OK;
-
-err_out:
- TALLOC_FREE(result);
- return status;
-}
-
NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli,
const struct ndr_syntax_id *interface,
enum dcerpc_transport_t transport,
@@ -3218,7 +3088,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
struct schannel_state *schannel_auth;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
DATA_BLOB sk = data_blob_null;
bool make_dup = false;
@@ -3246,6 +3115,7 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
make_dup = false;
break;
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(a->auth_ctx,
struct gensec_security);
status = gensec_session_key(gensec_security, mem_ctx, &sk);
@@ -3254,12 +3124,6 @@ NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx,
}
make_dup = false;
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(a->auth_ctx,
- struct gse_context);
- sk = gse_get_session_key(mem_ctx, gse_ctx);
- make_dup = false;
- break;
case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
case DCERPC_AUTH_TYPE_NONE:
sk = data_blob_const(a->user_session_key.data,