r15426: Implement SPNEGO as the default RPC authentication mechanism. Where

this isn't supported, fallback to NTLM.

Also, where we get a failure as 'logon failure', try and do a '3
tries' for the password, like we already do for CIFS.  (Incomplete:
needs a mapping between RPC errors and the logon failure NTSTATUS).

Because we don't yet support Kerberos sign/seal to win2k3 SP1 for
DCE/RPC, disable this (causing SPNEGO to negotiate NTLM) when kerberos
isn't demanded.

Andrew Bartlett
(This used to be commit b3212d1fb91b26c1d326a289560106dffe1d2e80)

3 files changed, 178 insertions, 38 deletions

diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 4c8a615ce5..39de9fcaa8 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -144,16 +144,19 @@ struct dcerpc_pipe {
 /* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */
 #define DCERPC_NDR_REF_ALLOC           (1<<14)
 
-#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5)
+#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5|DCERPC_AUTH_NTLM)
 
-/* enable spnego auth */
+/* select spnego auth */
 #define DCERPC_AUTH_SPNEGO             (1<<15)
 
-/* enable krb5 auth */
+/* select krb5 auth */
 #define DCERPC_AUTH_KRB5               (1<<16)
 
 #define DCERPC_SMB2                    (1<<17)
 
+/* select NTLM auth */
+#define DCERPC_AUTH_NTLM               (1<<18)
+
 /*
   this is used to find pointers to calls
 */
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 2b40935be6..64bb78ec60 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -28,6 +28,7 @@
 #include "smb.h"
 #include "libcli/composite/composite.h"
 #include "libcli/smb_composite/smb_composite.h"
+#include "lib/events/events.h"
 #include "libcli/smb2/smb2.h"
 #include "libcli/smb2/smb2_calls.h"
 #include "auth/credentials/credentials.h"
@@ -762,8 +763,9 @@ static void continue_pipe_auth(struct composite_context *ctx)
 {
 	struct composite_context *c = talloc_get_type(ctx->async.private_data,
 						      struct composite_context);
+	struct pipe_connect_state *s = talloc_get_type(c->private_data, struct pipe_connect_state);
 
-	c->status = dcerpc_pipe_auth_recv(ctx);
+	c->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe);
 	if (!composite_is_ok(c)) return;
 
 	composite_done(c);
@@ -775,7 +777,6 @@ static void continue_pipe_auth(struct composite_context *ctx)
   specified binding structure to determine the endpoint and options
 */
 struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
-						     struct dcerpc_pipe **pp,
 						     struct dcerpc_binding *binding,
 						     const struct dcerpc_interface_table *table,
 						     struct cli_credentials *credentials,
@@ -796,16 +797,19 @@ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent_ctx,
 	c->state = COMPOSITE_STATE_IN_PROGRESS;
 	c->private_data = s;
 
-	(*pp) = NULL;
+	if (ev == NULL) {
+		ev = event_context_init(c);
+		if (ev == NULL) {
+			talloc_free(c);
+			return NULL;
+		}
+	}
+	c->event_ctx = ev;
 
 	/* initialise dcerpc pipe structure */
 	s->pipe = dcerpc_pipe_init(c, ev);
 	if (composite_nomem(s->pipe, c)) return c;
 
-	/* get event context from initialised dcerpc pipe */
-	c->event_ctx = s->pipe->conn->event_ctx;
-	(*pp) = s->pipe;
-
 	/* store parameters in state structure */
 	s->binding      = binding;
 	s->table        = table;
@@ -842,12 +846,10 @@ NTSTATUS dcerpc_pipe_connect_b_recv(struct composite_context *c, TALLOC_CTX *mem
 	
 	status = composite_wait(c);
 	
-	if (NT_STATUS_IS_OK(status) && p) {
-		s = talloc_get_type(c->private_data, struct pipe_connect_state);
-		talloc_steal(mem_ctx, s->pipe);
-		*p = s->pipe;
-	}
-	
+	s = talloc_get_type(c->private_data, struct pipe_connect_state);
+	talloc_steal(mem_ctx, s->pipe);
+	*p = s->pipe;
+
 	talloc_free(c);
 	return status;
 }
@@ -866,7 +868,7 @@ NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
 {
 	struct composite_context *c;
 	
-	c = dcerpc_pipe_connect_b_send(parent_ctx, pp, binding, table,
+	c = dcerpc_pipe_connect_b_send(parent_ctx, binding, table,
 				       credentials, ev);
 	return dcerpc_pipe_connect_b_recv(c, parent_ctx, pp);
 }
@@ -908,6 +910,15 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
 	c->state = COMPOSITE_STATE_IN_PROGRESS;
 	c->private_data = s;
 
+	if (ev == NULL) {
+		ev = event_context_init(c);
+		if (ev == NULL) {
+			talloc_free(c);
+			return NULL;
+		}
+	}
+	c->event_ctx = ev;
+
 	/* parse binding string to the structure */
 	status = dcerpc_parse_binding(c, binding, &b);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -922,12 +933,9 @@ struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx,
 	   start connecting to a rpc pipe after binding structure
 	   is established
 	 */
-	pipe_conn_req = dcerpc_pipe_connect_b_send(c, &s->pipe, b, table,
+	pipe_conn_req = dcerpc_pipe_connect_b_send(c, b, table,
 						   credentials, ev);
 
-	/* event context for created dcerpc_pipe would be useful... */
-	c->event_ctx = s->pipe->conn->event_ctx;
-
 	if (composite_nomem(pipe_conn_req, c)) return c;
 
 	composite_continue(c, pipe_conn_req, continue_pipe_connect_b, c);
@@ -947,6 +955,7 @@ static void continue_pipe_connect_b(struct composite_context *ctx)
 						    struct pipe_conn_state);
 
 	c->status = dcerpc_pipe_connect_b_recv(ctx, c, &s->pipe);
+	talloc_steal(s, s->pipe);
 	if (!composite_is_ok(c)) return;
 
 	composite_done(c);
@@ -965,10 +974,8 @@ NTSTATUS dcerpc_pipe_connect_recv(struct composite_context *c,
 	struct pipe_conn_state *s;
 
 	status = composite_wait(c);
-	if (NT_STATUS_IS_OK(status) && pp) {
-		s = talloc_get_type(c->private_data, struct pipe_conn_state);
-		*pp = talloc_steal(mem_ctx, s->pipe);
-	}
+	s = talloc_get_type(c->private_data, struct pipe_conn_state);
+	*pp = talloc_steal(mem_ctx, s->pipe);
 
 	talloc_free(c);
 	return status;
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index dc2eded967..6c8ed7ecd8 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -141,6 +141,7 @@ static const struct {
 	{"seal", DCERPC_SEAL},
 	{"connect", DCERPC_CONNECT},
 	{"spnego", DCERPC_AUTH_SPNEGO},
+	{"ntlm", DCERPC_AUTH_NTLM},
 	{"krb5", DCERPC_AUTH_KRB5},
 	{"validate", DCERPC_DEBUG_VALIDATE_BOTH},
 	{"print", DCERPC_DEBUG_PRINT_BOTH},
@@ -936,7 +937,7 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
 	epmapper_binding->endpoint   = NULL;
 
 	/* initiate rpc pipe connection */
-	pipe_connect_req = dcerpc_pipe_connect_b_send(c, &s->pipe, epmapper_binding, &dcerpc_table_epmapper,
+	pipe_connect_req = dcerpc_pipe_connect_b_send(c, epmapper_binding, &dcerpc_table_epmapper,
 						      anon_creds, c->event_ctx);
 	if (composite_nomem(pipe_connect_req, c)) return c;
 	
@@ -981,6 +982,8 @@ struct pipe_auth_state {
 static void continue_auth_schannel(struct composite_context *ctx);
 static void continue_auth(struct composite_context *ctx);
 static void continue_auth_none(struct composite_context *ctx);
+static void continue_ntlmssp_connection(struct composite_context *ctx);
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx);
 
 
 /*
@@ -1011,6 +1014,111 @@ static void continue_auth(struct composite_context *ctx)
 	
 	composite_done(c);
 }
+/*
+  Stage 2 of pipe_auth: Receive result of authenticated bind request, but handle fallbacks:
+  SPNEGO -> NTLMSSP
+*/
+static void continue_auth_auto(struct composite_context *ctx)
+{
+	struct composite_context *c = talloc_get_type(ctx->async.private_data,
+						      struct composite_context);
+
+	c->status = dcerpc_bind_auth_recv(ctx);
+	if (NT_STATUS_EQUAL(c->status, NT_STATUS_INVALID_PARAMETER)) {
+		struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+		struct composite_context *sec_conn_req;
+
+		/* send a request for secondary rpc connection */
+		sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+								s->binding);
+		if (composite_nomem(sec_conn_req, c)) return;
+		
+		composite_continue(c, sec_conn_req, continue_ntlmssp_connection, c);
+		
+		return;
+	} else if (NT_STATUS_EQUAL(c->status, NT_STATUS_LOGON_FAILURE)) {
+		struct pipe_auth_state *s = talloc_get_type(c->private_data, struct pipe_auth_state);
+		struct composite_context *sec_conn_req;
+		if (cli_credentials_wrong_password(s->credentials)) {
+			/* send a request for secondary rpc connection */
+			sec_conn_req = dcerpc_secondary_connection_send(s->pipe,
+									s->binding);
+			if (composite_nomem(sec_conn_req, c)) return;
+			
+			composite_continue(c, sec_conn_req, continue_spnego_after_wrong_pass, c);
+		}
+	}
+
+	if (!composite_is_ok(c)) return;
+	
+	composite_done(c);
+}
+
+/*
+  Stage 3 of pipe_auth (fallback to NTLMSSP case): Receive secondary
+  rpc connection (the first one can't be used any more, due to the
+  bind nak) and perform authenticated bind request
+*/
+static void continue_ntlmssp_connection(struct composite_context *ctx)
+{
+	struct composite_context *c;
+	struct pipe_auth_state *s;
+	struct composite_context *auth_req;
+	struct dcerpc_pipe *p2;
+
+	c = talloc_get_type(ctx->async.private_data, struct composite_context);
+	s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+	/* receive secondary rpc connection */
+	c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+	talloc_steal(s, p2);
+	talloc_steal(p2, s->pipe);
+	s->pipe = p2;
+
+	if (!composite_is_ok(c)) return;
+
+	/* initiate a authenticated bind */
+	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+					 s->credentials, DCERPC_AUTH_TYPE_NTLMSSP,
+					 dcerpc_auth_level(s->pipe->conn),
+					 s->table->authservices->names[0]);
+	if (composite_nomem(auth_req, c)) return;
+		
+	composite_continue(c, auth_req, continue_auth, c);
+}
+
+/*
+  Stage 3 of pipe_auth (retry on wrong password): Receive secondary
+  rpc connection (the first one can't be used any more, due to the
+  bind nak) and perform authenticated bind request
+*/
+static void continue_spnego_after_wrong_pass(struct composite_context *ctx)
+{
+	struct composite_context *c;
+	struct pipe_auth_state *s;
+	struct composite_context *auth_req;
+	struct dcerpc_pipe *p2;
+
+	c = talloc_get_type(ctx->async.private_data, struct composite_context);
+	s = talloc_get_type(c->private_data, struct pipe_auth_state);
+
+	/* receive secondary rpc connection */
+	c->status = dcerpc_secondary_connection_recv(ctx, &p2);
+	talloc_steal(s, p2);
+	talloc_steal(p2, s->pipe);
+	s->pipe = p2;
+
+	if (!composite_is_ok(c)) return;
+
+	/* initiate a authenticated bind */
+	auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+					 s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+					 dcerpc_auth_level(s->pipe->conn),
+					 s->table->authservices->names[0]);
+	if (composite_nomem(auth_req, c)) return;
+		
+	composite_continue(c, auth_req, continue_auth, c);
+}
 
 
 /*
@@ -1042,6 +1150,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 	struct composite_context *auth_schannel_req;
 	struct composite_context *auth_req;
 	struct composite_context *auth_none_req;
+	struct dcerpc_connection *conn;
 
 	/* composite context allocation and setup */
 	c = talloc_zero(NULL, struct composite_context);
@@ -1060,10 +1169,11 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 	s->credentials  = credentials;
 	s->pipe         = p;
 
-	s->pipe->conn->flags = binding->flags;
+	conn = s->pipe->conn;
+	conn->flags = binding->flags;
 	
 	/* remember the binding string for possible secondary connections */
-	s->pipe->conn->binding_string = dcerpc_binding_string(p, binding);
+	conn->binding_string = dcerpc_binding_string(p, binding);
 
 	if (!cli_credentials_is_anonymous(s->credentials) &&
 	    (binding->flags & DCERPC_SCHANNEL) &&
@@ -1074,13 +1184,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		 * first */
 		auth_schannel_req = dcerpc_bind_auth_schannel_send(c, s->pipe, s->table,
 								   s->credentials,
-								   dcerpc_auth_level(s->pipe->conn));
+								   dcerpc_auth_level(conn));
 		if (composite_nomem(auth_schannel_req, c)) return c;
 
 		composite_continue(c, auth_schannel_req, continue_auth_schannel, c);
 
 	} else if (!cli_credentials_is_anonymous(s->credentials) &&
-		   !(s->pipe->conn->transport.transport == NCACN_NP &&
+		   !(conn->transport.transport == NCACN_NP &&
 		     !(s->binding->flags & DCERPC_SIGN) &&
 		     !(s->binding->flags & DCERPC_SEAL))) {
 
@@ -1092,7 +1202,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		
 		uint8_t auth_type;
 
-		if ((s->pipe->conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
+		if ((conn->flags & (DCERPC_SIGN|DCERPC_SEAL)) == 0) {
 			/*
 			  we are doing an authenticated connection,
 			  but not using sign or seal. We must force
@@ -1100,7 +1210,7 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 			  type doesn't allow authentication
 			  information to be passed.
 			*/
-			s->pipe->conn->flags |= DCERPC_CONNECT;
+			conn->flags |= DCERPC_CONNECT;
 		}
 
 		if (s->binding->flags & DCERPC_AUTH_SPNEGO) {
@@ -1112,13 +1222,22 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 		} else if (s->binding->flags & DCERPC_SCHANNEL) {
 			auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 
-		} else {
+		} else if (s->binding->flags & DCERPC_AUTH_NTLM) {
 			auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+		} else {
+			auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
+							 s->credentials, DCERPC_AUTH_TYPE_SPNEGO,
+							 dcerpc_auth_level(conn),
+							 s->table->authservices->names[0]);
+			if (composite_nomem(auth_req, c)) return c;
+			
+			composite_continue(c, auth_req, continue_auth_auto, c);
+			return c;
 		}
 		
 		auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table,
 						 s->credentials, auth_type,
-						 dcerpc_auth_level(s->pipe->conn),
+						 dcerpc_auth_level(conn),
 						 s->table->authservices->names[0]);
 		if (composite_nomem(auth_req, c)) return c;
 		
@@ -1137,8 +1256,13 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p,
 
 /*
   Receive result of authenticated bind request on dcerpc pipe
+
+  This returns *p, which may be different to the one originally
+  supllied, as it rebinds to a new pipe due to authentication fallback
+
 */
-NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
+NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, 
+			       struct dcerpc_pipe **p)
 {
 	NTSTATUS status;
 
@@ -1149,6 +1273,9 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
 		char *uuid_str = GUID_string(s->pipe, &s->table->syntax_id.uuid);
 		DEBUG(0, ("Failed to bind to uuid %s - %s\n", uuid_str, nt_errstr(status)));
 		talloc_free(uuid_str);
+	} else {
+		talloc_steal(mem_ctx, s->pipe);
+		*p = s->pipe;
 	}
 
 	talloc_free(c);
@@ -1158,16 +1285,19 @@ NTSTATUS dcerpc_pipe_auth_recv(struct composite_context *c)
 
 /* 
    Perform an authenticated bind if needed - sync version
+
+   This may change *p, as it rebinds to a new pipe due to authentication fallback
 */
-NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, 
+NTSTATUS dcerpc_pipe_auth(TALLOC_CTX *mem_ctx,
+			  struct dcerpc_pipe **p, 
 			  struct dcerpc_binding *binding,
 			  const struct dcerpc_interface_table *table,
 			  struct cli_credentials *credentials)
 {
 	struct composite_context *c;
 
-	c = dcerpc_pipe_auth_send(p, binding, table, credentials);
-	return dcerpc_pipe_auth_recv(c);
+	c = dcerpc_pipe_auth_send(*p, binding, table, credentials);
+	return dcerpc_pipe_auth_recv(c, mem_ctx, p);
 }