diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2009-02-13 10:24:16 +1100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2009-02-13 10:24:16 +1100 |
| commit | 71632a16977a93968b0d520a491a52f635e611a1 (patch) | |
| tree | 75604f676004c10bdd9c4ee1cfdf917a90ddfc0b /source4 | |
| parent | 147a2e3440056ec30d8b386901754a58ea3947d1 (diff) | |
| download | samba-71632a16977a93968b0d520a491a52f635e611a1.tar.gz samba-71632a16977a93968b0d520a491a52f635e611a1.tar.bz2 samba-71632a16977a93968b0d520a491a52f635e611a1.zip | |
Remove auth/ntlm as a dependency of GENSEC by means of function pointers.
When starting GENSEC on the server, the auth subsystem context must be
passed in, which now includes function pointers to the key elements.
This should (when the other dependencies are fixed up) allow GENSEC to
exist as a client or server library without bundling in too much of
our server code.
Andrew Bartlett
Diffstat (limited to 'source4')
| -rw-r--r-- | source4/auth/auth.h | 24 | ||||
| -rw-r--r-- | source4/auth/config.mk | 5 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec.c | 22 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec.h | 9 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 2 | ||||
| -rw-r--r-- | source4/auth/ntlm/auth.c | 7 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/config.mk | 2 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp.c | 2 | ||||
| -rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 21 | ||||
| -rw-r--r-- | source4/auth/samba_server_gensec.c | 73 | ||||
| -rw-r--r-- | source4/kdc/kpasswdd.c | 19 | ||||
| -rw-r--r-- | source4/ldap_server/ldap_bind.c | 16 | ||||
| -rw-r--r-- | source4/rpc_server/config.mk | 2 | ||||
| -rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 16 | ||||
| -rw-r--r-- | source4/smb_server/smb/config.mk | 2 | ||||
| -rw-r--r-- | source4/smb_server/smb/negprot.c | 36 | ||||
| -rw-r--r-- | source4/smb_server/smb/sesssetup.c | 16 | ||||
| -rw-r--r-- | source4/smb_server/smb2/config.mk | 2 | ||||
| -rw-r--r-- | source4/smb_server/smb2/negprot.c | 25 | ||||
| -rw-r--r-- | source4/smb_server/smb2/sesssetup.c | 16 | ||||
| -rw-r--r-- | source4/torture/rpc/remote_pac.c | 2 | ||||
| -rw-r--r-- | source4/utils/ntlm_auth.c | 21 |
22 files changed, 230 insertions, 110 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index e184776140..0ef1e24cd3 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -175,6 +175,20 @@ struct auth_context { /* loadparm context */ struct loadparm_context *lp_ctx; + + NTSTATUS (*check_password)(struct auth_context *auth_ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **server_info); + + NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, const uint8_t **_chal); + + bool (*challenge_may_be_modified)(struct auth_context *auth_ctx); + + NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); + + + }; /* this structure is used by backends to determine the size of some critical types */ @@ -197,6 +211,8 @@ struct auth_critical_sizes { struct ldb_message; struct ldb_context; +struct gensec_security; + NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal); NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, @@ -254,4 +270,12 @@ void auth_check_password_send(struct auth_context *auth_ctx, void *private_data); NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); +NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, + struct tevent_context *event_ctx, + struct messaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *server_credentials, + const char *target_service, + struct gensec_security **gensec_context); + #endif /* _SMBAUTH_H_ */ diff --git a/source4/auth/config.mk b/source4/auth/config.mk index baf4346b4a..7d5050919e 100644 --- a/source4/auth/config.mk +++ b/source4/auth/config.mk @@ -15,6 +15,11 @@ auth_session_OBJ_FILES = $(addprefix $(authsrcdir)/, session.o) $(eval $(call proto_header_template,$(authsrcdir)/session_proto.h,$(auth_session_OBJ_FILES:.o=.c))) +[SUBSYSTEM::samba_server_gensec] +PUBLIC_DEPENDENCIES = CREDENTIALS GENSEC auth + +samba_server_gensec_OBJ_FILES = $(addprefix $(authsrcdir)/, samba_server_gensec.o) + [SUBSYSTEM::auth_system_session] PUBLIC_DEPENDENCIES = CREDENTIALS PRIVATE_DEPENDENCIES = auth_session LIBSAMBA-UTIL LIBSECURITY diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 7169b074e3..2feb545f53 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -508,7 +508,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, - struct messaging_context *msg, + struct auth_context *auth_context, struct gensec_security **gensec_security) { if (ev == NULL) { @@ -530,9 +530,9 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security)->want_features = 0; (*gensec_security)->event_ctx = ev; - (*gensec_security)->msg_ctx = msg; SMB_ASSERT(settings->lp_ctx != NULL); (*gensec_security)->settings = talloc_reference(*gensec_security, settings); + (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context); return NT_STATUS_OK; } @@ -559,8 +559,9 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, (*gensec_security)->subcontext = true; (*gensec_security)->want_features = parent->want_features; (*gensec_security)->event_ctx = parent->event_ctx; - (*gensec_security)->msg_ctx = parent->msg_ctx; + (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings); + (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context); return NT_STATUS_OK; } @@ -599,10 +600,10 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, @note The mem_ctx is only a parent and may be NULL. */ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct gensec_settings *settings, - struct messaging_context *msg, - struct gensec_security **gensec_security) + struct tevent_context *ev, + struct gensec_settings *settings, + struct auth_context *auth_context, + struct gensec_security **gensec_security) { NTSTATUS status; @@ -611,17 +612,12 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - if (!msg) { - DEBUG(0,("gensec_server_start: no messaging context given!\n")); - return NT_STATUS_INTERNAL_ERROR; - } - if (!settings) { DEBUG(0,("gensec_server_start: no settings given!\n")); return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, settings, msg, gensec_security); + status = gensec_start(mem_ctx, ev, settings, auth_context, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index c627bda024..c4e93ee97b 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -169,9 +169,13 @@ struct gensec_security { bool subcontext; uint32_t want_features; struct tevent_context *event_ctx; - struct messaging_context *msg_ctx; /* only valid as server */ struct socket_address *my_addr, *peer_addr; struct gensec_settings *settings; + + /* When we are a server, this may be filled in to provide an + * NTLM authentication backend, and user lookup (such as if no + * PAC is found) */ + struct auth_context *auth_context; }; /* this structure is used by backends to determine the size of some critical types */ @@ -185,6 +189,7 @@ struct gensec_critical_sizes { struct gensec_security; struct socket_context; +struct auth_context; NTSTATUS gensec_socket_init(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, @@ -274,7 +279,7 @@ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct gensec_settings *settings, - struct messaging_context *msg, + struct auth_context *auth_context, struct gensec_security **gensec_security); NTSTATUS gensec_session_info(struct gensec_security *gensec_security, struct auth_session_info **session_info); diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 6c6b928917..6e715d0090 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -793,8 +793,6 @@ _PUBLIC_ NTSTATUS gensec_krb5_init(void) { NTSTATUS ret; - auth_init(); - ret = gensec_register(&gensec_krb5_security_ops); if (!NT_STATUS_IS_OK(ret)) { DEBUG(0,("Failed to register '%s' gensec backend!\n", diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 20967a6bda..2aae4a075e 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -359,6 +359,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** int i; struct auth_context *ctx; + auth_init(); + if (!methods) { DEBUG(0,("auth_context_create: No auth method list!?\n")); return NT_STATUS_INTERNAL_ERROR; @@ -405,6 +407,11 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** return NT_STATUS_INTERNAL_ERROR; } + ctx->check_password = auth_check_password; + ctx->get_challenge = auth_get_challenge; + ctx->set_challenge = auth_context_set_challenge; + ctx->challenge_may_be_modified = auth_challenge_may_be_modified; + *auth_ctx = ctx; return NT_STATUS_OK; diff --git a/source4/auth/ntlmssp/config.mk b/source4/auth/ntlmssp/config.mk index 129f58de83..c0446bcac1 100644 --- a/source4/auth/ntlmssp/config.mk +++ b/source4/auth/ntlmssp/config.mk @@ -9,7 +9,7 @@ $(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/msrpc_parse.h,$(MSRPC_ [MODULE::gensec_ntlmssp] SUBSYSTEM = gensec INIT_FUNCTION = gensec_ntlmssp_init -PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS auth +PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS OUTPUT_TYPE = MERGED_OBJ # End MODULE gensec_ntlmssp ################################################ diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 1b14e461c3..c4b3a31365 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -434,8 +434,6 @@ _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void) { NTSTATUS ret; - auth_init(); - ret = gensec_register(&gensec_ntlmssp_security_ops); if (!NT_STATUS_IS_OK(ret)) { DEBUG(0,("Failed to register '%s' gensec backend!\n", diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 30bf159df1..9215ccac8c 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -608,7 +608,7 @@ static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_sta NTSTATUS status; const uint8_t *chal; - status = auth_get_challenge(gensec_ntlmssp_state->auth_context, &chal); + status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, &chal); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n", nt_errstr(status))); @@ -625,7 +625,7 @@ static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_sta */ static bool auth_ntlmssp_may_set_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state) { - return auth_challenge_may_be_modified(gensec_ntlmssp_state->auth_context); + return gensec_ntlmssp_state->auth_context->challenge_may_be_modified(gensec_ntlmssp_state->auth_context); } /** @@ -644,7 +644,9 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct gensec_ntlmssp_state *gensec_n chal = challenge->data; - nt_status = auth_context_set_challenge(auth_context, chal, "NTLMSSP callback (NTLM2)"); + nt_status = gensec_ntlmssp_state->auth_context->set_challenge(auth_context, + chal, + "NTLMSSP callback (NTLM2)"); return nt_status; } @@ -679,8 +681,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_ user_info->password.response.nt = gensec_ntlmssp_state->nt_resp; user_info->password.response.nt.data = talloc_steal(user_info, gensec_ntlmssp_state->nt_resp.data); - nt_status = auth_check_password(gensec_ntlmssp_state->auth_context, mem_ctx, - user_info, &gensec_ntlmssp_state->server_info); + nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context, + mem_ctx, + user_info, + &gensec_ntlmssp_state->server_info); talloc_free(user_info); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -795,12 +799,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL; } - nt_status = auth_context_create(gensec_ntlmssp_state, - gensec_security->event_ctx, - gensec_security->msg_ctx, - gensec_security->settings->lp_ctx, - &gensec_ntlmssp_state->auth_context); - NT_STATUS_NOT_OK_RETURN(nt_status); + gensec_ntlmssp_state->auth_context = gensec_security->auth_context; gensec_ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge; gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; diff --git a/source4/auth/samba_server_gensec.c b/source4/auth/samba_server_gensec.c new file mode 100644 index 0000000000..0576b15eb3 --- /dev/null +++ b/source4/auth/samba_server_gensec.c @@ -0,0 +1,73 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface for Samba Servers + + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +/* This code sets up GENSEC in the way that all Samba servers want + * (becaue they have presumed access to the sam.ldb etc */ + +#include "includes.h" +#include "auth/auth.h" +#include "auth/gensec/gensec.h" +#include "param/param.h" + +NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, + struct tevent_context *event_ctx, + struct messaging_context *msg_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *server_credentials, + const char *target_service, + struct gensec_security **gensec_context) +{ + NTSTATUS nt_status; + struct gensec_security *gensec_ctx; + struct auth_context *auth_context; + + nt_status = auth_context_create(mem_ctx, + event_ctx, + msg_ctx, + lp_ctx, + &auth_context); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(nt_status))); + return nt_status; + } + + nt_status = gensec_server_start(mem_ctx, + event_ctx, + lp_gensec_settings(mem_ctx, lp_ctx), + auth_context, + &gensec_ctx); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(auth_context); + DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(nt_status))); + return nt_status; + } + + talloc_steal(gensec_ctx, auth_context); + + gensec_set_credentials(gensec_ctx, server_credentials); + + if (target_service) { + gensec_set_target_service(gensec_ctx, target_service); + } + *gensec_context = gensec_ctx; + return nt_status; +} diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 27968620e0..39817d922b 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -483,14 +483,6 @@ bool kpasswdd_process(struct kdc_server *kdc, ap_req = data_blob_const(&input->data[header_len], ap_req_len); krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len); - nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, - lp_gensec_settings(tmp_ctx, kdc->task->lp_ctx), kdc->task->msg_ctx, - &gensec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return false; - } - server_credentials = cli_credentials_init(tmp_ctx); if (!server_credentials) { DEBUG(1, ("Failed to init server credentials\n")); @@ -517,7 +509,16 @@ bool kpasswdd_process(struct kdc_server *kdc, return ret; } - nt_status = gensec_set_credentials(gensec_security, server_credentials); + /* We don't strictly need to call this wrapper, and could call + * gensec_server_start directly, as we have no need for NTLM + * and we have a PAC, but this ensures that the wrapper can be + * safely extended for other helpful things in future */ + nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx, + kdc->task->msg_ctx, + kdc->task->lp_ctx, + server_credentials, + "kpasswd", + &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index f3f843b920..9abc6115e6 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -140,11 +140,13 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) if (!conn->gensec) { conn->session_info = NULL; - status = gensec_server_start(conn, - conn->connection->event.ctx, - lp_gensec_settings(conn, conn->lp_ctx), - conn->connection->msg_ctx, - &conn->gensec); + status = samba_server_gensec_start(conn, + conn->connection->event.ctx, + conn->connection->msg_ctx, + conn->lp_ctx, + conn->server_credentials, + "ldap", + &conn->gensec); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); result = LDAP_OPERATIONS_ERROR; @@ -152,10 +154,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) nt_errstr(status)); } else { - gensec_set_target_service(conn->gensec, "ldap"); - - gensec_set_credentials(conn->gensec, conn->server_credentials); - gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN); gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL); gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES); diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk index a7d03ca22d..d05b0a0c0d 100644 --- a/source4/rpc_server/config.mk +++ b/source4/rpc_server/config.mk @@ -203,7 +203,7 @@ dcerpc_browser_OBJ_FILES = $(rpc_serversrcdir)/browser/dcesrv_browser.o PRIVATE_DEPENDENCIES = \ LIBCLI_AUTH \ LIBNDR \ - dcerpc + dcerpc samba_server_gensec dcerpc_server_OBJ_FILES = $(addprefix $(rpc_serversrcdir)/, \ dcerpc_server.o \ diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 5169031d16..e2e3b77948 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -27,6 +27,7 @@ #include "librpc/gen_ndr/ndr_dcerpc.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" +#include "auth/auth.h" #include "param/param.h" /* @@ -61,14 +62,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - status = gensec_server_start(dce_conn, call->event_ctx, - lp_gensec_settings(dce_conn, call->conn->dce_ctx->lp_ctx), - call->msg_ctx, &auth->gensec_security); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); - return false; - } - server_credentials = cli_credentials_init(call); if (!server_credentials) { @@ -84,7 +77,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) server_credentials = NULL; } - gensec_set_credentials(auth->gensec_security, server_credentials); + status = samba_server_gensec_start(dce_conn, call->event_ctx, + call->msg_ctx, + call->conn->dce_ctx->lp_ctx, + server_credentials, + NULL, + &auth->gensec_security); status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type, auth->auth_info->auth_level); diff --git a/source4/smb_server/smb/config.mk b/source4/smb_server/smb/config.mk index 9adf334850..eadc122831 100644 --- a/source4/smb_server/smb/config.mk +++ b/source4/smb_server/smb/config.mk @@ -2,7 +2,7 @@ # Start SUBSYSTEM SMB_PROTOCOL [SUBSYSTEM::SMB_PROTOCOL] PUBLIC_DEPENDENCIES = \ - ntvfs LIBPACKET CREDENTIALS + ntvfs LIBPACKET CREDENTIALS samba_server_gensec # End SUBSYSTEM SMB_PROTOCOL ####################### diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c index 71ee82d162..c3399fdd48 100644 --- a/source4/smb_server/smb/negprot.c +++ b/source4/smb_server/smb/negprot.c @@ -350,23 +350,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice) DATA_BLOB blob; const char *oid; NTSTATUS nt_status; - - nt_status = gensec_server_start(req->smb_conn, - req->smb_conn->connection->event.ctx, - lp_gensec_settings(req->smb_conn, req->smb_conn->lp_ctx), - req->smb_conn->connection->msg_ctx, - &gensec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); - smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); - return; - } - - if (req->smb_conn->negotiate.auth_context) { - smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n"); - return; - } - + server_credentials = cli_credentials_init(req); if (!server_credentials) { @@ -382,6 +366,24 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice) server_credentials = NULL; } + nt_status = samba_server_gensec_start(req, + req->smb_conn->connection->event.ctx, + req->smb_conn->connection->msg_ctx, + req->smb_conn->lp_ctx, + server_credentials, + "cifs", + &gensec_security); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); + smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); + return; + } + + if (req->smb_conn->negotiate.auth_context) { + smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n"); + return; + } req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials); gensec_set_target_service(gensec_security, "cifs"); diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 0767a187e5..e38447703b 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -363,20 +363,18 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se if (!smb_sess) { struct gensec_security *gensec_ctx; - status = gensec_server_start(req, - req->smb_conn->connection->event.ctx, - lp_gensec_settings(req, req->smb_conn->lp_ctx), - req->smb_conn->connection->msg_ctx, - &gensec_ctx); + status = samba_server_gensec_start(req, + req->smb_conn->connection->event.ctx, + req->smb_conn->connection->msg_ctx, + req->smb_conn->lp_ctx, + req->smb_conn->negotiate.server_credentials, + "cifs", + &gensec_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); goto failed; } - gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials); - - gensec_set_target_service(gensec_ctx, "cifs"); - gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY); status = gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid); diff --git a/source4/smb_server/smb2/config.mk b/source4/smb_server/smb2/config.mk index 68ee6e58f6..f0c3739926 100644 --- a/source4/smb_server/smb2/config.mk +++ b/source4/smb_server/smb2/config.mk @@ -2,7 +2,7 @@ # Start SUBSYSTEM SMB2_PROTOCOL [SUBSYSTEM::SMB2_PROTOCOL] PUBLIC_DEPENDENCIES = \ - ntvfs LIBPACKET LIBCLI_SMB2 + ntvfs LIBPACKET LIBCLI_SMB2 samba_server_gensec # End SUBSYSTEM SMB2_PROTOCOL ####################### diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 03e5c9356d..0b65a19634 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -20,6 +20,7 @@ #include "includes.h" #include "auth/credentials/credentials.h" +#include "auth/auth.h" #include "auth/gensec/gensec.h" #include "libcli/raw/libcliraw.h" #include "libcli/raw/raw_proto.h" @@ -40,17 +41,6 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB * NTSTATUS nt_status; struct cli_credentials *server_credentials; - nt_status = gensec_server_start(req, - req->smb_conn->connection->event.ctx, - lp_gensec_settings(req, req->smb_conn->lp_ctx), - req->smb_conn->connection->msg_ctx, - &gensec_security); - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); - smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); - return nt_status; - } - server_credentials = cli_credentials_init(req); if (!server_credentials) { smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n"); @@ -67,6 +57,19 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB * req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials); + nt_status = samba_server_gensec_start(req, + req->smb_conn->connection->event.ctx, + req->smb_conn->connection->msg_ctx, + req->smb_conn->lp_ctx, + server_credentials, + "cifs", + &gensec_security); + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status))); + smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n"); + return nt_status; + } + gensec_set_target_service(gensec_security, "cifs"); gensec_set_credentials(gensec_security, server_credentials); diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index 176be0b3ea..9a8c1bfaa9 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -124,20 +124,18 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses if (vuid == 0) { struct gensec_security *gensec_ctx; - status = gensec_server_start(req, - req->smb_conn->connection->event.ctx, - lp_gensec_settings(req, req->smb_conn->lp_ctx), - req->smb_conn->connection->msg_ctx, - &gensec_ctx); + status = samba_server_gensec_start(req, + req->smb_conn->connection->event.ctx, + req->smb_conn->connection->msg_ctx, + req->smb_conn->lp_ctx, + req->smb_conn->negotiate.server_credentials, + "cifs", + &gensec_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status))); goto failed; } - gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials); - - gensec_set_target_service(gensec_ctx, "cifs"); - gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY); status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO); diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 0d18228563..5603152ddb 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -106,7 +106,7 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_server_start(tctx, tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx), - msg_server_ctx, &gensec_server_context); + NULL, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index bd262683d5..2c6f353252 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -482,16 +482,33 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, break; case GSS_SPNEGO_SERVER: case SQUID_2_5_NTLMSSP: + { + const char *winbind_method[] = { "winbind", NULL }; + struct auth_context *auth_context; + msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx), lp_iconv_convenience(lp_ctx), ev); if (!msg) { exit(1); } - if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_gensec_settings(state, lp_ctx), - msg, &state->gensec_state))) { + nt_status = auth_context_create_methods(mem_ctx, + winbind_method, + ev, + msg, + lp_ctx, + &auth_context); + + if (!NT_STATUS_IS_OK(nt_status)) { + exit(1); + } + + if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, + lp_gensec_settings(state, lp_ctx), + auth_context, &state->gensec_state))) { exit(1); } break; + } default: abort(); } |