summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--libcli/auth/schannel_proto.h2
-rw-r--r--libcli/auth/schannel_state.h6
-rw-r--r--libcli/auth/schannel_state_tdb.c17
-rw-r--r--libcli/auth/wscript_build2
-rw-r--r--source3/rpc_server/netlogon/srv_netlog_nt.c55
-rw-r--r--source3/rpc_server/srv_pipe.c13
-rw-r--r--source3/smbd/server.c5
-rw-r--r--source4/auth/gensec/schannel.c2
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c6
-rw-r--r--source4/smbd/server.c2
10 files changed, 83 insertions, 27 deletions
diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h
index e3aeb5a9bc..7ee4c1c079 100644
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@@ -26,7 +26,7 @@
struct schannel_state;
struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
- const char *private_dir);
+ struct loadparm_context *lp_ctx);
NTSTATUS netsec_incoming_packet(struct schannel_state *state,
bool do_unseal,
diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h
index 017fdbe28d..f9d02ddb4e 100644
--- a/libcli/auth/schannel_state.h
+++ b/libcli/auth/schannel_state.h
@@ -24,16 +24,16 @@
#define _LIBCLI_AUTH_SCHANNEL_STATE_H__
NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
const char *computer_name,
struct netlogon_creds_CredentialState **creds);
NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
struct netlogon_creds_CredentialState *creds);
NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
const char *computer_name,
struct netr_Authenticator *received_authenticator,
struct netr_Authenticator *return_authenticator,
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 76110b89ef..8910041f99 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -25,6 +25,7 @@
#include "system/filesys.h"
#include "../lib/tdb_compat/tdb_compat.h"
#include "../lib/util/util_tdb.h"
+#include "../lib/param/param.h"
#include "../libcli/auth/schannel.h"
#include "../librpc/gen_ndr/ndr_schannel.h"
#include "lib/util/tdb_wrap.h"
@@ -37,10 +38,10 @@
*******************************************************************************/
struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
- const char *private_dir)
+ struct loadparm_context *lp_ctx)
{
struct tdb_wrap *tdb_sc = NULL;
- char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", private_dir);
+ char *fname = lpcfg_private_path(mem_ctx, lp_ctx, "schannel_store.tdb");
if (!fname) {
return NULL;
@@ -201,7 +202,7 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc,
*******************************************************************************/
NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
const char *computer_name,
struct netlogon_creds_CredentialState **_creds)
{
@@ -215,7 +216,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+ tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
if (!tdb_sc) {
return NT_STATUS_ACCESS_DENIED;
}
@@ -239,7 +240,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
*******************************************************************************/
NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
struct netlogon_creds_CredentialState *creds)
{
TALLOC_CTX *tmpctx;
@@ -251,7 +252,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+ tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
if (!tdb_sc) {
return NT_STATUS_ACCESS_DENIED;
}
@@ -273,7 +274,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
********************************************************************/
NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
- const char *db_priv_dir,
+ struct loadparm_context *lp_ctx,
const char *computer_name,
struct netr_Authenticator *received_authenticator,
struct netr_Authenticator *return_authenticator,
@@ -290,7 +291,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+ tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
if (!tdb_sc) {
status = NT_STATUS_ACCESS_DENIED;
goto done;
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index acb1ce38f0..2afab44ac2 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -26,7 +26,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
source='schannel_state_tdb.c schannel_sign.c',
- deps='tdb-wrap UTIL_TDB'
+ deps='tdb-wrap UTIL_TDB samba-hostconfig'
)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 5e945187fa..dc0c33d395 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -44,6 +44,7 @@
#include "auth.h"
#include "messages.h"
#include "../lib/tsocket/tsocket.h"
+#include "lib/param/param.h"
extern userdom_struct current_user_info;
@@ -882,6 +883,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
* so use a copy to avoid destroying the client values. */
uint32_t in_neg_flags = *r->in.negotiate_flags;
const char *fn;
+ struct loadparm_context *lp_ctx;
struct dom_sid sid;
struct samr_Password mach_pwd;
struct netlogon_creds_CredentialState *creds;
@@ -993,11 +995,20 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
goto out;
}
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ if (lp_ctx == NULL) {
+ DEBUG(10, ("loadparm_init_s3 failed\n"));
+ status = NT_STATUS_INTERNAL_ERROR;
+ goto out;
+ }
+
/* Store off the state so we can continue after client disconnect. */
become_root();
- status = schannel_save_creds_state(p->mem_ctx, lp_private_dir(), creds);
+ status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
unbecome_root();
+ talloc_unlink(p->mem_ctx, lp_ctx);
+
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
@@ -1078,6 +1089,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
{
NTSTATUS status;
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ struct loadparm_context *lp_ctx;
if (schannel_global_required) {
status = schannel_check_required(&p->auth,
@@ -1088,10 +1100,16 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
}
}
- status = schannel_check_creds_state(mem_ctx, lp_private_dir(),
+ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_context());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = schannel_check_creds_state(mem_ctx, lp_ctx,
computer_name, received_authenticator,
return_authenticator, creds_out);
-
+ talloc_unlink(mem_ctx, lp_ctx);
return status;
}
@@ -1731,6 +1749,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
{
NTSTATUS status;
struct netlogon_creds_CredentialState *creds = NULL;
+ struct loadparm_context *lp_ctx;
*r->out.authoritative = true;
@@ -1746,10 +1765,18 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
return NT_STATUS_INVALID_PARAMETER;
}
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
become_root();
- status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
+ status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
r->in.computer_name, &creds);
unbecome_root();
+ talloc_unlink(p->mem_ctx, lp_ctx);
+
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2267,14 +2294,22 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
NTSTATUS status;
struct netlogon_creds_CredentialState *creds;
struct lsa_ForestTrustInformation *info, **info_ptr;
+ struct loadparm_context *lp_ctx;
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
r->in.computer_name,
r->in.credential,
r->out.return_authenticator,
&creds);
+ talloc_unlink(p->mem_ctx, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2367,14 +2402,22 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
struct samr_Password *new_owf_enc;
struct samr_Password *old_owf_enc;
DATA_BLOB session_key;
+ struct loadparm_context *lp_ctx;
+
+ lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+ if (lp_ctx == NULL) {
+ DEBUG(0, ("loadparm_init_s3 failed\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
/* TODO: check server name */
- status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+ status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
r->in.computer_name,
r->in.credential,
r->out.return_authenticator,
&creds);
+ talloc_unlink(p->mem_ctx, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 7a616c0ee6..449bf7555b 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -43,6 +43,7 @@
#include "ntdomain.h"
#include "rpc_server/srv_pipe.h"
#include "rpc_server/rpc_contexts.h"
+#include "lib/param/param.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -477,6 +478,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
struct netlogon_creds_CredentialState *creds;
enum ndr_err_code ndr_err;
struct schannel_state *schannel_auth;
+ struct loadparm_context *lp_ctx;
ndr_err = ndr_pull_struct_blob(
&auth_info->credentials, mem_ctx, &neg,
@@ -495,6 +497,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
return false;
}
+ lp_ctx = loadparm_init_s3(p, loadparm_s3_context());
+ if (!lp_ctx) {
+ DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
+ return false;
+ }
+
/*
* The neg.oem_netbios_computer.a key here must match the remote computer name
* given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
@@ -502,10 +510,11 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
*/
become_root();
- status = schannel_get_creds_state(p, lp_private_dir(),
+ status = schannel_get_creds_state(p, lp_ctx,
neg.oem_netbios_computer.a, &creds);
unbecome_root();
-
+
+ talloc_unlink(p, lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
return False;
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index e47187a697..acbab9d88c 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -40,6 +40,7 @@
#include "messages.h"
#include "smbprofile.h"
#include "lib/id_cache.h"
+#include "lib/param/param.h"
extern void start_epmd(struct tevent_context *ev_ctx,
struct messaging_context *msg_ctx);
@@ -1150,10 +1151,12 @@ extern void build_options(bool screen);
}
if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
- if (!open_schannel_session_store(NULL, lp_private_dir())) {
+ struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_context());
+ if (!open_schannel_session_store(NULL, lp_ctx)) {
DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
exit(1);
}
+ TALLOC_FREE(lp_ctx);
}
if(!get_global_sam_sid()) {
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index 35713ce068..f947d45596 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -154,7 +154,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
}
status = schannel_get_creds_state(out_mem_ctx,
- lpcfg_private_dir(gensec_security->settings->lp_ctx),
+ gensec_security->settings->lp_ctx,
workstation, &creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index d5a7eebb55..cbf223be47 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -270,7 +270,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
nt_status = schannel_save_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
creds);
return nt_status;
@@ -382,7 +382,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
}
nt_status = schannel_check_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
computer_name,
received_authenticator,
return_authenticator,
@@ -839,7 +839,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
}
nt_status = schannel_get_creds_state(mem_ctx,
- lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+ dce_call->conn->dce_ctx->lp_ctx,
r->in.computer_name, &creds);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index 322e45569f..c8549e2b56 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -393,7 +393,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
}
if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
- if (!open_schannel_session_store(talloc_autofree_context(), lpcfg_private_dir(cmdline_lp_ctx))) {
+ if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
exit(1);
}