r12865: Upgrade the librpc and libnet code.

In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous.  This should better
function with servers that set restrict anonymous.

There are too many parts of Samba that get, parse and modify the
binding parameters.  Avoid the extra work, and add a binding element
to the struct dcerpc_pipe

The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern.  Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.

To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.

Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)

5 files changed, 37 insertions, 34 deletions

diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index cbfe8478b2..df70580db3 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -100,6 +100,7 @@ struct dcerpc_pipe {
 	struct dcerpc_syntax_id transfer_syntax;
 
 	struct dcerpc_connection *conn;
+	struct dcerpc_binding *binding;
 
 	/* the last fault code from a DCERPC fault */
 	uint32_t last_fault_code;
diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c
index bffa994abe..f0a7dc8ffe 100644
--- a/source4/librpc/rpc/dcerpc_auth.c
+++ b/source4/librpc/rpc/dcerpc_auth.c
@@ -168,7 +168,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 						struct dcerpc_pipe *p,
 						const struct dcerpc_interface_table *table,
 						struct cli_credentials *credentials,
-						uint8_t auth_type,
+						uint8_t auth_type, uint8_t auth_level,
 						const char *service)
 {
 	struct composite_context *c, *creq;
@@ -233,8 +233,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 	}
 
 	c->status = gensec_start_mech_by_authtype(sec->generic_state,
-						  auth_type,
-						  dcerpc_auth_level(p->conn));
+						  auth_type, auth_level);
 	if (!NT_STATUS_IS_OK(c->status)) {
 		DEBUG(1, ("Failed to start GENSEC client mechanism %s: %s\n",
 			  gensec_get_name_by_authtype(auth_type),
@@ -249,7 +248,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx,
 	}
 
 	sec->auth_info->auth_type = auth_type;
-	sec->auth_info->auth_level = dcerpc_auth_level(p->conn);
+	sec->auth_info->auth_level = auth_level,
 	sec->auth_info->auth_pad_length = 0;
 	sec->auth_info->auth_reserved = 0;
 	sec->auth_info->auth_context_id = random();
@@ -323,11 +322,11 @@ NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq)
 NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p,
 			  const struct dcerpc_interface_table *table,
 			  struct cli_credentials *credentials,
-			  uint8_t auth_type,
+			  uint8_t auth_type, uint8_t auth_level,
 			  const char *service)
 {
 	struct composite_context *creq;
 	creq = dcerpc_bind_auth_send(p, p, table, credentials,
-				     auth_type, service);
+				     auth_type, auth_level, service);
 	return dcerpc_bind_auth_recv(creq);
 }
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 1c9ab8c0ed..67dfda6d7a 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -131,29 +131,19 @@ struct composite_context *dcerpc_pipe_connect_ncacn_np_smb_send(TALLOC_CTX *mem_
 	conn->in.called_name            = strupper_talloc(mem_ctx, s->io.binding->host);
 	conn->in.service                = "IPC$";
 	conn->in.service_type           = NULL;
-	conn->in.fallback_to_anonymous  = False;
 	conn->in.workgroup              = lp_workgroup();
 
 	/*
-	 * provide proper credentials - user supplied or anonymous in case this is
-	 * schannel connection
+	 * provide proper credentials - user supplied, but allow a
+	 * fallback to anonymous if this is an schannel connection
+	 * (might be NT4 not allowing machine logins at session
+	 * setup).
 	 */
+	s->conn.in.credentials = s->io.creds;
 	if (s->io.binding->flags & DCERPC_SCHANNEL) {
-		struct cli_credentials *anon_creds;
-
-		anon_creds = cli_credentials_init(mem_ctx);
-		if (!anon_creds) {
-			composite_error(c, NT_STATUS_NO_MEMORY);
-			goto done;
-		}
-
-		cli_credentials_set_anonymous(anon_creds);
-		cli_credentials_guess(anon_creds);
-
-		s->conn.in.credentials = anon_creds;
-
+		conn->in.fallback_to_anonymous  = True;
 	} else {
-		s->conn.in.credentials = s->io.creds;
+		conn->in.fallback_to_anonymous  = False;
 	}
 
 	/* send smb connect request */
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 108b678188..64cf6748e8 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -55,16 +55,15 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
 	  step 1 - establish a netlogon connection, with no authentication
 	*/
 
-	/* Find the original binding string */
-	status = dcerpc_parse_binding(tmp_ctx, p->conn->binding_string, &b);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0,("Failed to parse dcerpc binding '%s'\n", p->conn->binding_string));
-		return status;
+	b = talloc(tmp_ctx, struct dcerpc_binding);
+	if (!b) {
+		return NT_STATUS_NO_MEMORY;
 	}
+	*b = *p->binding;
 
 	/* Make binding string for netlogon, not the other pipe */
 	status = dcerpc_epm_map_binding(tmp_ctx, b, 
-									&dcerpc_table_netlogon,
+					&dcerpc_table_netlogon,
 					p->conn->event_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("Failed to map DCERPC/TCP NCACN_NP pipe for '%s' - %s\n", 
@@ -141,7 +140,8 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
 NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, 
 				   struct dcerpc_pipe *p,
 				   const struct dcerpc_interface_table *table,
-				   struct cli_credentials *credentials)
+				   struct cli_credentials *credentials,
+				   uint8_t auth_level)
 {
 	NTSTATUS status;
 
@@ -156,7 +156,8 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
 		return status;
 	}
 
-	return dcerpc_bind_auth(p, table, credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+	return dcerpc_bind_auth(p, table, credentials, 
+				DCERPC_AUTH_TYPE_SCHANNEL, auth_level,
 				NULL);
 }
 
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 15a45ed3f0..6ef91b87b0 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -889,9 +889,10 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
 		/* If we don't already have netlogon credentials for
 		 * the schannel bind, then we have to get these
 		 * first */
-		status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials);
+		status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials,
+						   dcerpc_auth_level(p->conn));
 	} else if (!cli_credentials_is_anonymous(credentials) &&
-		!(binding->transport == NCACN_NP &&
+		!(p->conn->transport.transport == NCACN_NP &&
 		  !(binding->flags & DCERPC_SIGN) &&
 		  !(binding->flags & DCERPC_SEAL))) { 	
 	
@@ -925,7 +926,9 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
 		}
 
 		status = dcerpc_bind_auth(p, table,
-					  credentials, auth_type, table->authservices->names[0]);
+					  credentials, auth_type, 
+					  dcerpc_auth_level(p->conn),
+					  table->authservices->names[0]);
 	} else {
 		status = dcerpc_bind_auth_none(p, table);
 	}
@@ -1099,6 +1102,11 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
 		return status;
 	}
 
+	p->binding = binding;
+	if (!talloc_reference(p, binding)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
 	status = dcerpc_pipe_auth(p, binding, table, credentials);
 	if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(p);
@@ -1195,6 +1203,10 @@ NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe *
 	}
 
 	(*p2)->conn->flags = p->conn->flags;
+	(*p2)->binding = b;
+	if (!talloc_reference(*p2, b)) {
+		return NT_STATUS_NO_MEMORY;
+	}
 
 	return NT_STATUS_OK;
 }