diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2005-01-10 10:48:19 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:08:37 -0500 |
| commit | 7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b (patch) | |
| tree | 380cf934d5d65d5ef2af720d381252efc6056c26 /source4/librpc/rpc/dcerpc_auth.c | |
| parent | 047d41cc490c05dd07eeab29913b3f2882887678 (diff) | |
| download | samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.gz samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.tar.bz2 samba-7db9de3ea9d0b3693aea08b3050f378a4ca9cf0b.zip | |
r4635: Fix NTLMSSP to return NT_STATUS_OK when it has constructed the auth
token in the client (the final token in the negotiation).
Consequential fixes in the SPNEGO code, which now uses the out.length
as the indicator of 'I need to send something to the other side'.
Merge the NTLM and SPNEGO DCE-RPC authentication routines in the client.
Fix the RPC-MULTIBIND test consequent to this merge.
Andrew Bartlett
(This used to be commit 43e3516fc03008e97ebb4ad1a0cde464303f43c6)
Diffstat (limited to 'source4/librpc/rpc/dcerpc_auth.c')
| -rw-r--r-- | source4/librpc/rpc/dcerpc_auth.c | 105 |
1 files changed, 91 insertions, 14 deletions
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index 228a99d5c5..1c73bde6e4 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -5,7 +5,7 @@ Copyright (C) Andrew Tridgell 2003 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004 - + Copyright (C) Stefan Metzmacher 2004 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -86,27 +86,33 @@ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, uint8_t auth_type, uint8_t auth goto done; } - status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, - p->conn->security_state.auth_info->credentials, - &credentials); - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - goto done; - } + while (1) { + status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, + p->conn->security_state.auth_info->credentials, + &credentials); + if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { + break; + } - do { - p->conn->security_state.auth_info->credentials = credentials; + if (!credentials.length) { + break; + } + p->conn->security_state.auth_info->credentials = credentials; + if (auth_type == DCERPC_AUTH_TYPE_SPNEGO) { status = dcerpc_alter_context(p, tmp_ctx, &p->syntax, &p->transfer_syntax); - if (NT_STATUS_IS_OK(status)) { - status = gensec_update(p->conn->security_state.generic_state, tmp_ctx, - p->conn->security_state.auth_info->credentials, - &credentials); + if (!NT_STATUS_IS_OK(status)) { + break; } } else { status = dcerpc_auth3(p->conn, tmp_ctx); + credentials = data_blob(NULL, 0); + if (!NT_STATUS_IS_OK(status)) { + break; + } } - } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)); + }; done: talloc_free(tmp_ctx); @@ -122,3 +128,74 @@ done: return status; } +/* + setup GENSEC on a DCE-RPC pipe +*/ +NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, + const char *uuid, uint_t version, + const char *domain, + const char *username, + const char *password, + uint8_t auth_type) +{ + NTSTATUS status; + + if (!(p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL))) { + p->conn->flags |= DCERPC_CONNECT; + } + + status = gensec_client_start(p, &p->conn->security_state.generic_state); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); + return status; + } + + status = gensec_set_domain(p->conn->security_state.generic_state, domain); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n", + domain, nt_errstr(status))); + return status; + } + + status = gensec_set_username(p->conn->security_state.generic_state, username); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n", + username, nt_errstr(status))); + return status; + } + + status = gensec_set_password(p->conn->security_state.generic_state, password); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client password: %s\n", + nt_errstr(status))); + return status; + } + + status = gensec_set_target_hostname(p->conn->security_state.generic_state, + p->conn->transport.peer_name(p->conn)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n", + nt_errstr(status))); + return status; + } + + status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, + auth_type, + dcerpc_auth_level(p->conn)); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC client mechanism %s: %s\n", + gensec_get_name_by_authtype(auth_type), nt_errstr(status))); + return status; + } + + status = dcerpc_bind_auth(p, auth_type, + dcerpc_auth_level(p->conn), + uuid, version); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(2, ("Failed to bind to pipe with %s: %s\n", + gensec_get_name_by_authtype(auth_type), nt_errstr(status))); + return status; + } + + return status; +} |