summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-01-02 13:06:29 +1100
committerStefan Metzmacher <metze@samba.org>2012-01-18 16:23:22 +0100
commite012ad9d8b7cea3a86841fe92b80627a6d07d459 (patch)
tree7ccd7a5650d5f6d3a21cc7e9846402002419cb12 /source3/rpc_server
parent1b6356298ceeb21ebcb125e239316fb29ff623fc (diff)
downloadsamba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.tar.gz
samba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.tar.bz2
samba-e012ad9d8b7cea3a86841fe92b80627a6d07d459.zip
s3-librpc Call GSSAPI via the auth_generic layer and gensec
This simplifies a lot of code, as we know we are always dealing with a struct gensec_security, and allows the gensec module being used to implement GSSAPI to be swapped when required for AD-server operation. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_pipe.c76
1 files changed, 4 insertions, 72 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 61e306c199..605ed5420c 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -676,48 +676,6 @@ static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
return true;
}
-/*******************************************************************
- Handle a GSSAPI bind auth.
-*******************************************************************/
-
-static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
- TALLOC_CTX *mem_ctx,
- struct dcerpc_auth *auth_info,
- DATA_BLOB *response)
-{
- NTSTATUS status;
- struct gse_context *gse_ctx = NULL;
-
- status = gssapi_server_auth_start(p,
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_INTEGRITY),
- (auth_info->auth_level ==
- DCERPC_AUTH_LEVEL_PRIVACY),
- true,
- &auth_info->credentials,
- response,
- &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
- nt_errstr(status)));
- goto err;
- }
-
- /* Make sure data is bound to the memctx, to be freed the caller */
- talloc_steal(mem_ctx, response->data);
-
- p->auth.auth_ctx = gse_ctx;
- p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
-
- DEBUG(10, ("KRB5 auth started\n"));
-
- return true;
-
-err:
- TALLOC_FREE(gse_ctx);
- return false;
-}
-
static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
struct gse_context *gse_ctx,
const struct tsocket_address *remote_address,
@@ -769,6 +727,7 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
switch (p->auth.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
if (!pipe_auth_generic_verify_final(p, gensec_security,
@@ -777,18 +736,6 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
return NT_STATUS_ACCESS_DENIED;
}
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = pipe_gssapi_verify_final(p, gse_ctx,
- p->remote_address,
- &p->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("gssapi bind failed with: %s",
- nt_errstr(status)));
- return status;
- }
- break;
case DCERPC_AUTH_TYPE_SPNEGO:
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
@@ -1010,8 +957,8 @@ static bool api_pipe_bind_req(struct pipes_struct *p,
break;
case DCERPC_AUTH_TYPE_KRB5:
- if (!pipe_gssapi_auth_bind(p, pkt,
- &auth_info, &auth_resp)) {
+ if (!pipe_auth_generic_bind(p, pkt,
+ &auth_info, &auth_resp)) {
goto err_exit;
}
break;
@@ -1154,7 +1101,6 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
DATA_BLOB response = data_blob_null;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
NTSTATUS status;
DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
@@ -1200,19 +1146,13 @@ bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
switch (auth_info.auth_type) {
case DCERPC_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_KRB5:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);
status = auth_generic_server_step(gensec_security,
pkt, &auth_info.credentials,
&response);
break;
- case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = gssapi_server_step(gse_ctx,
- pkt, &auth_info.credentials,
- &response);
- break;
case DCERPC_AUTH_TYPE_SPNEGO:
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
@@ -1273,7 +1213,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
int pad_len = 0;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
@@ -1360,13 +1299,6 @@ static bool api_pipe_alter_context(struct pipes_struct *p,
break;
case DCERPC_AUTH_TYPE_KRB5:
- gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
- struct gse_context);
- status = gssapi_server_step(gse_ctx,
- pkt,
- &auth_info.credentials,
- &auth_resp);
- break;
case DCERPC_AUTH_TYPE_NTLMSSP:
gensec_security = talloc_get_type_abort(p->auth.auth_ctx,
struct gensec_security);