diff options
author | Andrew Bartlett <abartlet@samba.org> | 2006-05-04 10:03:41 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 14:05:36 -0500 |
commit | 5f4d86f955d939e96ec9b81c8a9d080aab4354b6 (patch) | |
tree | b785a6c2aa092fea9bd64391cc45915788b31692 /source4/librpc/rpc | |
parent | 086c9cc5f4a9145ee93060db2eebb3badc325e44 (diff) | |
download | samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.gz samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.tar.bz2 samba-5f4d86f955d939e96ec9b81c8a9d080aab4354b6.zip |
r15426: Implement SPNEGO as the default RPC authentication mechanism. Where
this isn't supported, fallback to NTLM.
Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS. (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).
Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.
Andrew Bartlett
(This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)
Diffstat (limited to 'source4/librpc/rpc')
-rw-r--r-- | source4/librpc/rpc/dcerpc.h | 9 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_connect.c | 51 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 156 |
3 files changed, 178 insertions, 38 deletions
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index 4c8a615ce5..39de9fcaa8 100644 --- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -144,16 +144,19 @@ struct dcerpc_pipe { /* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */ #define DCERPC_NDR_REF_ALLOC (1<<14) -#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5) +#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5|DCERPC_AUTH_NTLM) -/* enable spnego auth */ +/* select spnego auth */ #define DCERPC_AUTH_SPNEGO (1<<15) -/* enable krb5 auth */ +/* select krb5 auth */ #define DCERPC_AUTH_KRB5 (1<<16) #define DCERPC_SMB2 (1<<17) +/* select NTLM auth */ +#define DCERPC_AUTH_NTLM (1<<18) + /* this is used to find pointers to calls */ diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c index 2b40935be6..64bb78ec60 100644 --- a/source4/librpc/rpc/dcerpc_connect.c +++ b/source4/librpc/rpc/dcerpc_connect.c @@ -28,6 +28,7 @@ #include "smb.h" #include "libcli/composite/composite.h" #include "libcli/smb_composite/smb_composite.h" +#include "lib/events/events.h" #include "libcli/smb2/smb2.h" #include "libcli/smb2/smb2_calls.h" #include "auth/credentials/credentials.h" @@ -762,8 +763,9 @@ static void continue_pipe_auth(struct composite_context *ctx) { struct composite_context *c = talloc_get_type(ctx->async.private_data, struct composite_context); + struct pipe_connect_state *s = talloc_get_type(c->private_data, struct pipe_connect_state); - c->status = dcerpc_pipe_auth_recv(ctx); + c->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe); if (!composite_is_ok(c)) return; composite_done(c); @@ -775,7 +777,6 @@ static void continue_pipe_auth(struct composite_context *ctx) specified binding structure to determine the endpoint and options */ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx, - struct dcerpc_pipe **pp, struct dcerpc_binding *binding, const struct dcerpc_interface_table *table, struct cli_credentials *credentials, @@ -796,16 +797,19 @@ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx, c->state = COMPOSITE_STATE_IN_PROGRESS; c->private_data = s; - (*pp) = NULL; + if (ev == NULL) { + ev = event_context_init(c); + if (ev == NULL) { + talloc_free(c); + return NULL; + } + } + c->event_ctx = ev; /* initialise dcerpc pipe structure */ s->pipe = dcerpc_pipe_init(c, ev); if (composite_nomem(s->pipe, c)) return c; - /* get event context from initialised dcerpc pipe */ - c->event_ctx = s->pipe->conn->event_ctx; - (*pp) = s->pipe; - /* store parameters in state structure */ s->binding = binding; s->table = table; @@ -842,12 +846,10 @@ NTSTATUS dcerpc_pipe_connect_b_recv(struct composite_context *c, TALLOC_CTX *mem status = composite_wait(c); - if (NT_STATUS_IS_OK(status) && p) { - s = talloc_get_type(c->private_data, struct pipe_connect_state); - talloc_steal(mem_ctx, s->pipe); - *p = s->pipe; - } - + s = talloc_get_type(c->private_data, struct pipe_connect_state); + talloc_steal(mem_ctx, s->pipe); + *p = s->pipe; + talloc_free(c); return status; } @@ -866,7 +868,7 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx, { struct composite_context *c; - c = dcerpc_pipe_connect_b_send(parent_ctx, pp, binding, table, + c = dcerpc_pipe_connect_b_send(parent_ctx, binding, table, credentials, ev); return dcerpc_pipe_connect_b_recv(c, parent_ctx, pp); } @@ -908,6 +910,15 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx, c->state = COMPOSITE_STATE_IN_PROGRESS; c->private_data = s; + if (ev == NULL) { + ev = event_context_init(c); + if (ev == NULL) { + talloc_free(c); + return NULL; + } + } + c->event_ctx = ev; + /* parse binding string to the structure */ status = dcerpc_parse_binding(c, binding, &b); if (!NT_STATUS_IS_OK(status)) { @@ -922,12 +933,9 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx, start connecting to a rpc pipe after binding structure is established */ - pipe_conn_req = dcerpc_pipe_connect_b_send(c, &s->pipe, b, table, + pipe_conn_req = dcerpc_pipe_connect_b_send(c, b, table, credentials, ev); - /* event context for created dcerpc_pipe would be useful... */ - c->event_ctx = s->pipe->conn->event_ctx; - if (composite_nomem(pipe_conn_req, c)) return c; composite_continue(c, pipe_conn_req, continue_pipe_connect_b, c); @@ -947,6 +955,7 @@ static void continue_pipe_connect_b(struct composite_context *ctx) struct pipe_conn_state); c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe); + talloc_steal(s, s->pipe); if (!composite_is_ok(c)) return; composite_done(c); @@ -965,10 +974,8 @@ NTSTATUS dcerpc_pipe_connect_recv(struct composite_context *c, struct pipe_conn_state *s; status = composite_wait(c); - if (NT_STATUS_IS_OK(status) && pp) { - s = talloc_get_type(c->private_data, struct pipe_conn_state); - *pp = talloc_steal(mem_ctx, s->pipe); - } + s = talloc_get_type(c->private_data, struct pipe_conn_state); + *pp = talloc_steal(mem_ctx, s->pipe); talloc_free(c); return status; diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index dc2eded967..6c8ed7ecd8 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -141,6 +141,7 @@ static const struct { {"seal", DCERPC_SEAL}, {"connect", DCERPC_CONNECT}, {"spnego", DCERPC_AUTH_SPNEGO}, + {"ntlm", DCERPC_AUTH_NTLM}, {"krb5", DCERPC_AUTH_KRB5}, {"validate", DCERPC_DEBUG_VALIDATE_BOTH}, {"print", DCERPC_DEBUG_PRINT_BOTH}, @@ -936,7 +937,7 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx, epmapper_binding->endpoint = NULL; /* initiate rpc pipe connection */ - pipe_connect_req = dcerpc_pipe_connect_b_send(c, &s->pipe, epmapper_binding, &dcerpc_table_epmapper, + pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding, &dcerpc_table_epmapper, anon_creds, c->event_ctx); if (composite_nomem(pipe_connect_req, c)) return c; @@ -981,6 +982,8 @@ struct pipe_auth_state { static void continue_auth_schannel(struct composite_context *ctx); static void continue_auth(struct composite_context *ctx); static void continue_auth_none(struct composite_context *ctx); +static void continue_ntlmssp_connection(struct composite_context *ctx); +static void continue_spnego_after_wrong_pass(struct composite_context *ctx); /* @@ -1011,6 +1014,111 @@ static void continue_auth(struct composite_context *ctx) composite_done(c); } +/* + Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks: + SPNEGO -> NTLMSSP +*/ +static void continue_auth_auto(struct composite_context *ctx) +{ + struct composite_context *c = talloc_get_type(ctx->async.private_data, + struct composite_context); + + c->status = dcerpc_bind_auth_recv(ctx); + if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) { + struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state); + struct composite_context *sec_conn_req; + + /* send a request for secondary rpc connection */ + sec_conn_req = dcerpc_secondary_connection_send(s->pipe, + s->binding); + if (composite_nomem(sec_conn_req, c)) return; + + composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c); + + return; + } else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) { + struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state); + struct composite_context *sec_conn_req; + if (cli_credentials_wrong_password(s->credentials)) { + /* send a request for secondary rpc connection */ + sec_conn_req = dcerpc_secondary_connection_send(s->pipe, + s->binding); + if (composite_nomem(sec_conn_req, c)) return; + + composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c); + } + } + + if (!composite_is_ok(c)) return; + + composite_done(c); +} + +/* + Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary + rpc connection (the first one can't be used any more, due to the + bind nak) and perform authenticated bind request +*/ +static void continue_ntlmssp_connection(struct composite_context *ctx) +{ + struct composite_context *c; + struct pipe_auth_state *s; + struct composite_context *auth_req; + struct dcerpc_pipe *p2; + + c = talloc_get_type(ctx->async.private_data, struct composite_context); + s = talloc_get_type(c->private_data, struct pipe_auth_state); + + /* receive secondary rpc connection */ + c->status = dcerpc_secondary_connection_recv(ctx, &p2); + talloc_steal(s, p2); + talloc_steal(p2, s->pipe); + s->pipe = p2; + + if (!composite_is_ok(c)) return; + + /* initiate a authenticated bind */ + auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, + s->credentials, DCERPC_AUTH_TYPE_NTLMSSP, + dcerpc_auth_level(s->pipe->conn), + s->table->authservices->names[0]); + if (composite_nomem(auth_req, c)) return; + + composite_continue(c, auth_req, continue_auth, c); +} + +/* + Stage 3 of pipe_auth (retry on wrong password): Receive secondary + rpc connection (the first one can't be used any more, due to the + bind nak) and perform authenticated bind request +*/ +static void continue_spnego_after_wrong_pass(struct composite_context *ctx) +{ + struct composite_context *c; + struct pipe_auth_state *s; + struct composite_context *auth_req; + struct dcerpc_pipe *p2; + + c = talloc_get_type(ctx->async.private_data, struct composite_context); + s = talloc_get_type(c->private_data, struct pipe_auth_state); + + /* receive secondary rpc connection */ + c->status = dcerpc_secondary_connection_recv(ctx, &p2); + talloc_steal(s, p2); + talloc_steal(p2, s->pipe); + s->pipe = p2; + + if (!composite_is_ok(c)) return; + + /* initiate a authenticated bind */ + auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, + s->credentials, DCERPC_AUTH_TYPE_SPNEGO, + dcerpc_auth_level(s->pipe->conn), + s->table->authservices->names[0]); + if (composite_nomem(auth_req, c)) return; + + composite_continue(c, auth_req, continue_auth, c); +} /* @@ -1042,6 +1150,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, struct composite_context *auth_schannel_req; struct composite_context *auth_req; struct composite_context *auth_none_req; + struct dcerpc_connection *conn; /* composite context allocation and setup */ c = talloc_zero(NULL, struct composite_context); @@ -1060,10 +1169,11 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, s->credentials = credentials; s->pipe = p; - s->pipe->conn->flags = binding->flags; + conn = s->pipe->conn; + conn->flags = binding->flags; /* remember the binding string for possible secondary connections */ - s->pipe->conn->binding_string = dcerpc_binding_string(p, binding); + conn->binding_string = dcerpc_binding_string(p, binding); if (!cli_credentials_is_anonymous(s->credentials) && (binding->flags & DCERPC_SCHANNEL) && @@ -1074,13 +1184,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, * first */ auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table, s->credentials, - dcerpc_auth_level(s->pipe->conn)); + dcerpc_auth_level(conn)); if (composite_nomem(auth_schannel_req, c)) return c; composite_continue(c, auth_schannel_req, continue_auth_schannel, c); } else if (!cli_credentials_is_anonymous(s->credentials) && - !(s->pipe->conn->transport.transport == NCACN_NP && + !(conn->transport.transport == NCACN_NP && !(s->binding->flags & DCERPC_SIGN) && !(s->binding->flags & DCERPC_SEAL))) { @@ -1092,7 +1202,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, uint8_t auth_type; - if ((s->pipe->conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) { + if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) { /* we are doing an authenticated connection, but not using sign or seal. We must force @@ -1100,7 +1210,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, type doesn't allow authentication information to be passed. */ - s->pipe->conn->flags |= DCERPC_CONNECT; + conn->flags |= DCERPC_CONNECT; } if (s->binding->flags & DCERPC_AUTH_SPNEGO) { @@ -1112,13 +1222,22 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, } else if (s->binding->flags & DCERPC_SCHANNEL) { auth_type = DCERPC_AUTH_TYPE_SCHANNEL; - } else { + } else if (s->binding->flags & DCERPC_AUTH_NTLM) { auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + } else { + auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, + s->credentials, DCERPC_AUTH_TYPE_SPNEGO, + dcerpc_auth_level(conn), + s->table->authservices->names[0]); + if (composite_nomem(auth_req, c)) return c; + + composite_continue(c, auth_req, continue_auth_auto, c); + return c; } auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, auth_type, - dcerpc_auth_level(s->pipe->conn), + dcerpc_auth_level(conn), s->table->authservices->names[0]); if (composite_nomem(auth_req, c)) return c; @@ -1137,8 +1256,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, /* Receive result of authenticated bind request on dcerpc pipe + + This returns *p, which may be different to the one originally + supllied, as it rebinds to a new pipe due to authentication fallback + */ -NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c) +NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **p) { NTSTATUS status; @@ -1149,6 +1273,9 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c) char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid); DEBUG(0, ("Failed to bind to uuid %s - %s\n", uuid_str, nt_errstr(status))); talloc_free(uuid_str); + } else { + talloc_steal(mem_ctx, s->pipe); + *p = s->pipe; } talloc_free(c); @@ -1158,16 +1285,19 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c) /* Perform an authenticated bind if needed - sync version + + This may change *p, as it rebinds to a new pipe due to authentication fallback */ -NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, +NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **p, struct dcerpc_binding *binding, const struct dcerpc_interface_table *table, struct cli_credentials *credentials) { struct composite_context *c; - c = dcerpc_pipe_auth_send(p, binding, table, credentials); - return dcerpc_pipe_auth_recv(c); + c = dcerpc_pipe_auth_send(*p, binding, table, credentials); + return dcerpc_pipe_auth_recv(c, mem_ctx, p); } |