summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/client.h1
-rw-r--r--source3/rpc_client/cli_pipe.c230
2 files changed, 62 insertions, 169 deletions
diff --git a/source3/include/client.h b/source3/include/client.h
index 3459ae20d0..5ab457a2ab 100644
--- a/source3/include/client.h
+++ b/source3/include/client.h
@@ -58,7 +58,6 @@ struct cli_pipe_auth_data {
NTLMSSP_STATE *ntlmssp_state;
struct kerberos_auth_struct *kerberos_auth;
} a_u;
- void (*cli_auth_data_free_func)(struct cli_pipe_auth_data *);
};
struct rpc_pipe_client {
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 991029d203..1897cff18e 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -1994,8 +1994,7 @@ static NTSTATUS rpc_finish_spnego_ntlmssp_bind(struct rpc_pipe_client *cli,
****************************************************************************/
static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
- enum pipe_auth_type auth_type,
- enum pipe_auth_level auth_level)
+ struct cli_pipe_auth_data *auth)
{
RPC_HDR hdr;
RPC_HDR_BA hdr_ba;
@@ -2007,8 +2006,10 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
DEBUG(5,("Bind RPC Pipe[%x]: %s auth_type %u, auth_level %u\n",
(unsigned int)cli->fnum,
cli->pipe_name,
- (unsigned int)auth_type,
- (unsigned int)auth_level ));
+ (unsigned int)auth->auth_type,
+ (unsigned int)auth->auth_level ));
+
+ cli->auth = talloc_move(cli, &auth);
prs_init_empty(&rpc_out, talloc_tos(), MARSHALL);
@@ -2018,8 +2019,8 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
cli->abstract_syntax,
cli->transfer_syntax,
- auth_type,
- auth_level);
+ cli->auth->auth_type,
+ cli->auth->auth_level);
if (!NT_STATUS_IS_OK(status)) {
prs_mem_free(&rpc_out);
@@ -2067,7 +2068,7 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
cli->max_recv_frag = hdr_ba.bba.max_rsize;
/* For authenticated binds we may need to do 3 or 4 leg binds. */
- switch(auth_type) {
+ switch(cli->auth->auth_type) {
case PIPE_AUTH_TYPE_NONE:
case PIPE_AUTH_TYPE_SCHANNEL:
@@ -2076,8 +2077,10 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
case PIPE_AUTH_TYPE_NTLMSSP:
/* Need to send AUTH3 packet - no reply. */
- status = rpc_finish_auth3_bind(cli, &hdr, &rbuf, rpc_call_id,
- auth_type, auth_level);
+ status = rpc_finish_auth3_bind(
+ cli, &hdr, &rbuf, rpc_call_id,
+ cli->auth->auth_type,
+ cli->auth->auth_level);
if (!NT_STATUS_IS_OK(status)) {
prs_mem_free(&rbuf);
return status;
@@ -2086,10 +2089,10 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
/* Need to send alter context request and reply. */
- status = rpc_finish_spnego_ntlmssp_bind(cli, &hdr, &rbuf, rpc_call_id,
- cli->abstract_syntax,
- cli->transfer_syntax,
- auth_type, auth_level);
+ status = rpc_finish_spnego_ntlmssp_bind(
+ cli, &hdr, &rbuf, rpc_call_id,
+ cli->abstract_syntax, cli->transfer_syntax,
+ cli->auth->auth_type, cli->auth->auth_level);
if (!NT_STATUS_IS_OK(status)) {
prs_mem_free(&rbuf);
return status;
@@ -2100,22 +2103,23 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
/* */
default:
- DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
- (unsigned int)auth_type ));
+ DEBUG(0,("cli_finish_bind_auth: unknown auth type "
+ "%u\n", (unsigned int)cli->auth->auth_type));
prs_mem_free(&rbuf);
return NT_STATUS_INVALID_INFO_CLASS;
}
/* For NTLMSSP ensure the server gave us the auth_level we wanted. */
- if (auth_type == PIPE_AUTH_TYPE_NTLMSSP || auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
- if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ if (cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP
+ || cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ if (cli->auth->auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
if (!(cli->auth->a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN)) {
DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP signing and server refused.\n"));
prs_mem_free(&rbuf);
return NT_STATUS_INVALID_PARAMETER;
}
}
- if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
+ if (cli->auth->auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
if (!(cli->auth->a_u.ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL)) {
DEBUG(0,("cli_finish_bind_auth: requested NTLMSSSP sealing and server refused.\n"));
prs_mem_free(&rbuf);
@@ -2124,11 +2128,6 @@ static NTSTATUS rpc_pipe_bind(struct rpc_pipe_client *cli,
}
}
- /* Pipe is bound - set up auth_type and auth_level data. */
-
- cli->auth->auth_type = auth_type;
- cli->auth->auth_level = auth_level;
-
prs_mem_free(&rbuf);
return NT_STATUS_OK;
}
@@ -2173,10 +2172,6 @@ static int rpc_pipe_destructor(struct rpc_pipe_client *p)
p->desthost, cli_errstr(p->cli)));
}
- if (p->auth->cli_auth_data_free_func) {
- (*p->auth->cli_auth_data_free_func)(p->auth);
- }
-
DEBUG(10, ("rpc_pipe_destructor: closed pipe %s to machine %s\n",
p->pipe_name, p->desthost ));
@@ -2328,12 +2323,12 @@ static int cli_auth_kerberos_data_destructor(struct kerberos_auth_struct *auth)
return 0;
}
-NTSTATUS rpccli_krb5_bind_data(TALLOC_CTX *mem_ctx,
- enum pipe_auth_level auth_level,
- const char *service_princ,
- const char *username,
- const char *password,
- struct cli_pipe_auth_data **presult)
+NTSTATUS rpccli_kerberos_bind_data(TALLOC_CTX *mem_ctx,
+ enum pipe_auth_level auth_level,
+ const char *service_princ,
+ const char *username,
+ const char *password,
+ struct cli_pipe_auth_data **presult)
{
struct cli_pipe_auth_data *result;
@@ -2419,31 +2414,16 @@ static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli, int pipe
return NULL;
}
- result->auth = TALLOC_ZERO_P(result, struct cli_pipe_auth_data);
- if (result->auth == NULL) {
- *perr = NT_STATUS_NO_MEMORY;
- TALLOC_FREE(result);
- return NULL;
- }
-
result->pipe_name = cli_get_pipe_name(pipe_idx);
result->cli = cli;
result->abstract_syntax = pipe_names[pipe_idx].abstr_syntax;
result->transfer_syntax = pipe_names[pipe_idx].trans_syntax;
- result->auth->auth_type = PIPE_AUTH_TYPE_NONE;
- result->auth->auth_level = PIPE_AUTH_LEVEL_NONE;
-
- result->auth->domain = talloc_strdup(result, cli->domain);
- result->auth->user_name = talloc_strdup(result, cli->user_name);
result->desthost = talloc_strdup(result, cli->desthost);
result->srv_name_slash = talloc_asprintf_strupper_m(
result, "\\\\%s", result->desthost);
- if ((result->auth->domain == NULL)
- || (result->auth->user_name == NULL)
- || (result->desthost == NULL)
- || (result->srv_name_slash == NULL)) {
+ if ((result->desthost == NULL) || (result->srv_name_slash == NULL)) {
*perr = NT_STATUS_NO_MEMORY;
TALLOC_FREE(result);
return NULL;
@@ -2487,13 +2467,22 @@ static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli, int pipe
struct rpc_pipe_client *cli_rpc_pipe_open_noauth(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
{
struct rpc_pipe_client *result;
+ struct cli_pipe_auth_data *auth;
result = cli_rpc_pipe_open(cli, pipe_idx, perr);
if (result == NULL) {
return NULL;
}
- *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_NONE, PIPE_AUTH_LEVEL_NONE);
+ *perr = rpccli_anon_bind_data(result, &auth);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("rpccli_anon_bind_data returned %s\n",
+ nt_errstr(*perr)));
+ TALLOC_FREE(result);
+ return NULL;
+ }
+
+ *perr = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(*perr)) {
int lvl = 0;
if (rpccli_is_pipe_idx(result, PI_DSSETUP)) {
@@ -2514,18 +2503,6 @@ struct rpc_pipe_client *cli_rpc_pipe_open_noauth(struct cli_state *cli, int pipe
}
/****************************************************************************
- Free function for NTLMSSP auth.
- ****************************************************************************/
-
-static void cli_ntlmssp_auth_free(struct cli_pipe_auth_data *auth)
-{
- if (auth->a_u.ntlmssp_state) {
- ntlmssp_end(&auth->a_u.ntlmssp_state);
- auth->a_u.ntlmssp_state = NULL;
- }
-}
-
-/****************************************************************************
Open a named pipe to an SMB server and bind using NTLMSSP or SPNEGO NTLMSSP
****************************************************************************/
@@ -2539,66 +2516,24 @@ static struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_internal(struct cli_sta
NTSTATUS *perr)
{
struct rpc_pipe_client *result;
- NTLMSSP_STATE *ntlmssp_state = NULL;
+ struct cli_pipe_auth_data *auth;
result = cli_rpc_pipe_open(cli, pipe_idx, perr);
if (result == NULL) {
return NULL;
}
- result->auth->cli_auth_data_free_func = cli_ntlmssp_auth_free;
-
- TALLOC_FREE(result->auth->domain);
- TALLOC_FREE(result->auth->user_name);
-
- result->auth->domain = talloc_strdup(result, domain);
- result->auth->user_name = talloc_strdup(result, username);
-
- if ((result->auth->domain == NULL)
- || (result->auth->user_name == NULL)) {
- *perr = NT_STATUS_NO_MEMORY;
- goto err;
- }
-
- *perr = ntlmssp_client_start(&ntlmssp_state);
+ *perr = rpccli_ntlmssp_bind_data(
+ result, auth_type, auth_level, domain, username,
+ cli->pwd.null_pwd ? NULL : password, &auth);
if (!NT_STATUS_IS_OK(*perr)) {
- goto err;
- }
-
- result->auth->a_u.ntlmssp_state = ntlmssp_state;
-
- *perr = ntlmssp_set_username(ntlmssp_state, username);
- if (!NT_STATUS_IS_OK(*perr)) {
- goto err;
- }
-
- *perr = ntlmssp_set_domain(ntlmssp_state, domain);
- if (!NT_STATUS_IS_OK(*perr)) {
- goto err;
- }
-
- if (cli->pwd.null_pwd) {
- *perr = ntlmssp_set_password(ntlmssp_state, NULL);
- if (!NT_STATUS_IS_OK(*perr)) {
- goto err;
- }
- } else {
- *perr = ntlmssp_set_password(ntlmssp_state, password);
- if (!NT_STATUS_IS_OK(*perr)) {
- goto err;
- }
- }
-
- /* Turn off sign+seal to allow selected auth level to turn it back on. */
- ntlmssp_state->neg_flags &= ~(NTLMSSP_NEGOTIATE_SIGN|NTLMSSP_NEGOTIATE_SEAL);
-
- if (auth_level == PIPE_AUTH_LEVEL_INTEGRITY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SIGN;
- } else if (auth_level == PIPE_AUTH_LEVEL_PRIVACY) {
- ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_SIGN;
+ DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
+ nt_errstr(*perr)));
+ TALLOC_FREE(result);
+ return NULL;
}
- *perr = rpc_pipe_bind(result, auth_type, auth_level);
+ *perr = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(0, ("cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error %s\n",
nt_errstr(*perr) ));
@@ -2756,31 +2691,23 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel_with_key(struct cli_state *cl
NTSTATUS *perr)
{
struct rpc_pipe_client *result;
+ struct cli_pipe_auth_data *auth;
result = cli_rpc_pipe_open(cli, pipe_idx, perr);
if (result == NULL) {
return NULL;
}
- result->auth->a_u.schannel_auth = TALLOC_ZERO_P(
- result, struct schannel_auth_struct);
- if (!result->auth->a_u.schannel_auth) {
+ *perr = rpccli_schannel_bind_data(result, domain, auth_level,
+ pdc, &auth);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("rpccli_schannel_bind_data returned %s\n",
+ nt_errstr(*perr)));
TALLOC_FREE(result);
- *perr = NT_STATUS_NO_MEMORY;
return NULL;
}
- TALLOC_FREE(result->auth->domain);
- result->auth->domain = talloc_strdup(result, domain);
- if (result->auth->domain == NULL) {
- TALLOC_FREE(result);
- *perr = NT_STATUS_NO_MEMORY;
- return NULL;
- }
-
- memcpy(result->auth->a_u.schannel_auth->sess_key, pdc->sess_key, 16);
-
- *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_SCHANNEL, auth_level);
+ *perr = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
nt_errstr(*perr) ));
@@ -2901,19 +2828,6 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
return result;
}
-#ifdef HAVE_KRB5
-
-/****************************************************************************
- Free function for the kerberos spcific data.
- ****************************************************************************/
-
-static void kerberos_auth_struct_free(struct cli_pipe_auth_data *a)
-{
- data_blob_free(&a->a_u.kerberos_auth->session_key);
-}
-
-#endif
-
/****************************************************************************
Open a named pipe to an SMB server and bind using krb5 (bind type 16).
The idea is this can be called with service_princ, username and password all
@@ -2930,43 +2844,23 @@ struct rpc_pipe_client *cli_rpc_pipe_open_krb5(struct cli_state *cli,
{
#ifdef HAVE_KRB5
struct rpc_pipe_client *result;
+ struct cli_pipe_auth_data *auth;
result = cli_rpc_pipe_open(cli, pipe_idx, perr);
if (result == NULL) {
return NULL;
}
- /* Default service principal is "desthost$@realm" */
- if (!service_princ) {
- service_princ = talloc_asprintf(result, "%s$@%s",
- cli->desthost, lp_realm() );
- if (!service_princ) {
- TALLOC_FREE(result);
- return NULL;
- }
- }
-
- /* Only get a new TGT if username/password are given. */
- if (username && password) {
- int ret = kerberos_kinit_password(username, password, 0, NULL);
- if (ret) {
- TALLOC_FREE(result);
- return NULL;
- }
- }
-
- result->auth->a_u.kerberos_auth = TALLOC_ZERO_P(
- result, struct kerberos_auth_struct);
- if (!result->auth->a_u.kerberos_auth) {
+ *perr = rpccli_kerberos_bind_data(result, auth_level, service_princ,
+ username, password, &auth);
+ if (!NT_STATUS_IS_OK(*perr)) {
+ DEBUG(0, ("rpccli_kerberos_bind_data returned %s\n",
+ nt_errstr(*perr)));
TALLOC_FREE(result);
- *perr = NT_STATUS_NO_MEMORY;
return NULL;
}
- result->auth->a_u.kerberos_auth->service_principal = service_princ;
- result->auth->cli_auth_data_free_func = kerberos_auth_struct_free;
-
- *perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_KRB5, auth_level);
+ *perr = rpc_pipe_bind(result, auth);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
nt_errstr(*perr) ));