- modified the dcerpc client security code to be generic, so ntlmssp

  and schannel are both instances of possible security modules

- added schannel sign and sign/seal support to the dcerpc client
  code. You select it with binding options of "schannel,sign" or
  "schannel,seal".
(This used to be commit 05db0b9d942cad8f1dd574dc35b759e5e79d4195)

1 files changed, 14 insertions, 1 deletions

diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 96f0b959e7..ba61f28c95 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -275,6 +275,7 @@ static const struct {
 } ncacn_options[] = {
 	{"sign", DCERPC_SIGN},
 	{"seal", DCERPC_SEAL},
+	{"schannel", DCERPC_SCHANNEL},
 	{"validate", DCERPC_DEBUG_VALIDATE_BOTH},
 	{"print", DCERPC_DEBUG_PRINT_BOTH},
 	{"bigendian", DCERPC_PUSH_BIGENDIAN}
@@ -481,11 +482,23 @@ static NTSTATUS dcerpc_pipe_connect_ncacn_np(struct dcerpc_pipe **p,
 	
 	(*p)->flags = binding->flags;
 
-	if (binding->flags & (DCERPC_SIGN | DCERPC_SEAL)) {
+	if (binding->flags & DCERPC_SCHANNEL) {
+		const char *trust_password = secrets_fetch_machine_password();
+		if (!trust_password) {
+			DEBUG(0,("Unable to fetch machine password\n"));
+			goto done;
+		}
+		status = dcerpc_bind_auth_schannel(*p, pipe_uuid, pipe_version, 
+						   lp_workgroup(), 
+						   lp_netbios_name(), 
+						   trust_password);
+	} else if (binding->flags & (DCERPC_SIGN | DCERPC_SEAL)) {
 		status = dcerpc_bind_auth_ntlm(*p, pipe_uuid, pipe_version, domain, username, password);
 	} else {    
 		status = dcerpc_bind_auth_none(*p, pipe_uuid, pipe_version);
 	}
+
+done:
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Failed to bind to uuid %s - %s\n", pipe_uuid, nt_errstr(status)));
 		dcerpc_pipe_close(*p);