diff options
| -rw-r--r-- | source4/librpc/config.mk | 3 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_connect.c | 185 | ||||
| -rw-r--r-- | source4/librpc/rpc/dcerpc_secondary.c | 317 | ||||
| -rwxr-xr-x | source4/selftest/test_member.sh | 1 | ||||
| -rw-r--r-- | source4/winbind/wb_connect_sam.c | 10 | ||||
| -rw-r--r-- | source4/winbind/wb_dom_info.c | 14 | ||||
| -rw-r--r-- | source4/winbind/wb_init_domain.c | 22 | ||||
| -rw-r--r-- | source4/winbind/wb_pam_auth.c | 176 |
8 files changed, 397 insertions, 331 deletions
diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk index f31ccf57f0..5cec7e1f67 100644 --- a/source4/librpc/config.mk +++ b/source4/librpc/config.mk @@ -476,7 +476,8 @@ OBJ_FILES = \ rpc/dcerpc_smb.o \ rpc/dcerpc_smb2.o \ rpc/dcerpc_sock.o \ - rpc/dcerpc_connect.o + rpc/dcerpc_connect.o \ + rpc/dcerpc_secondary.o PRIVATE_DEPENDENCIES = \ samba-socket LIBCLI_RESOLVE LIBCLI_SMB LIBCLI_SMB2 \ LIBNDR NDR_DCERPC RPC_NDR_EPMAPPER \ diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c index 443b8b458a..3e49e6972b 100644 --- a/source4/librpc/rpc/dcerpc_connect.c +++ b/source4/librpc/rpc/dcerpc_connect.c @@ -5,7 +5,7 @@ Copyright (C) Andrew Tridgell 2003 Copyright (C) Jelmer Vernooij 2004 - Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007 Copyright (C) Rafal Szczesniak 2005 This program is free software; you can redistribute it and/or modify @@ -915,186 +915,3 @@ NTSTATUS dcerpc_pipe_connect(TALLOC_CTX *parent_ctx, return dcerpc_pipe_connect_recv(c, parent_ctx, pp); } - -struct sec_conn_state { - struct dcerpc_pipe *pipe; - struct dcerpc_pipe *pipe2; - struct dcerpc_binding *binding; - struct smbcli_tree *tree; -}; - - -static void continue_open_smb(struct composite_context *ctx); -static void continue_open_tcp(struct composite_context *ctx); -static void continue_open_pipe(struct composite_context *ctx); -static void continue_pipe_open(struct composite_context *c); - - -/* - Send request to create a secondary dcerpc connection from a primary - connection -*/ -struct composite_context* dcerpc_secondary_connection_send(struct dcerpc_pipe *p, - struct dcerpc_binding *b) -{ - struct composite_context *c; - struct sec_conn_state *s; - struct composite_context *pipe_smb_req; - struct composite_context *pipe_tcp_req; - struct composite_context *pipe_ncalrpc_req; - - /* composite context allocation and setup */ - c = composite_create(p, p->conn->event_ctx); - if (c == NULL) return NULL; - - s = talloc_zero(c, struct sec_conn_state); - if (composite_nomem(s, c)) return c; - c->private_data = s; - - s->pipe = p; - s->binding = b; - - /* initialise second dcerpc pipe based on primary pipe's event context */ - s->pipe2 = dcerpc_pipe_init(c, s->pipe->conn->event_ctx); - if (composite_nomem(s->pipe2, c)) return c; - - /* open second dcerpc pipe using the same transport as for primary pipe */ - switch (s->pipe->conn->transport.transport) { - case NCACN_NP: - /* get smb tree of primary dcerpc pipe opened on smb */ - s->tree = dcerpc_smb_tree(s->pipe->conn); - if (!s->tree) { - composite_error(c, NT_STATUS_INVALID_PARAMETER); - return c; - } - - pipe_smb_req = dcerpc_pipe_open_smb_send(s->pipe2, s->tree, - s->binding->endpoint); - composite_continue(c, pipe_smb_req, continue_open_smb, c); - return c; - - case NCACN_IP_TCP: - pipe_tcp_req = dcerpc_pipe_open_tcp_send(s->pipe2->conn, - s->binding->host, - s->binding->target_hostname, - atoi(s->binding->endpoint)); - composite_continue(c, pipe_tcp_req, continue_open_tcp, c); - return c; - - case NCALRPC: - pipe_ncalrpc_req = dcerpc_pipe_open_pipe_send(s->pipe2->conn, - s->binding->endpoint); - composite_continue(c, pipe_ncalrpc_req, continue_open_pipe, c); - return c; - - default: - /* looks like a transport we don't support */ - composite_error(c, NT_STATUS_NOT_SUPPORTED); - } - - return c; -} - - -/* - Stage 2 of secondary_connection: Receive result of pipe open request on smb -*/ -static void continue_open_smb(struct composite_context *ctx) -{ - struct composite_context *c = talloc_get_type(ctx->async.private_data, - struct composite_context); - - c->status = dcerpc_pipe_open_smb_recv(ctx); - if (!composite_is_ok(c)) return; - - continue_pipe_open(c); -} - - -/* - Stage 2 of secondary_connection: Receive result of pipe open request on tcp/ip -*/ -static void continue_open_tcp(struct composite_context *ctx) -{ - struct composite_context *c = talloc_get_type(ctx->async.private_data, - struct composite_context); - - c->status = dcerpc_pipe_open_tcp_recv(ctx); - if (!composite_is_ok(c)) return; - - continue_pipe_open(c); -} - - -/* - Stage 2 of secondary_connection: Receive result of pipe open request on ncalrpc -*/ -static void continue_open_pipe(struct composite_context *ctx) -{ - struct composite_context *c = talloc_get_type(ctx->async.private_data, - struct composite_context); - - c->status = dcerpc_pipe_open_pipe_recv(ctx); - if (!composite_is_ok(c)) return; - - continue_pipe_open(c); -} - - -/* - Stage 3 of secondary_connection: Get binding data and flags from primary pipe - and say if we're done ok. -*/ -static void continue_pipe_open(struct composite_context *c) -{ - struct sec_conn_state *s; - - s = talloc_get_type(c->private_data, struct sec_conn_state); - - s->pipe2->conn->flags = s->pipe->conn->flags; - s->pipe2->binding = s->binding; - if (!talloc_reference(s->pipe2, s->binding)) { - composite_error(c, NT_STATUS_NO_MEMORY); - return; - } - - composite_done(c); -} - - -/* - Receive result of secondary rpc connection request and return - second dcerpc pipe. -*/ -NTSTATUS dcerpc_secondary_connection_recv(struct composite_context *c, - struct dcerpc_pipe **p2) -{ - NTSTATUS status = composite_wait(c); - struct sec_conn_state *s; - - s = talloc_get_type(c->private_data, struct sec_conn_state); - - if (NT_STATUS_IS_OK(status)) { - *p2 = talloc_steal(s->pipe, s->pipe2); - } - - talloc_free(c); - return status; -} - -/* - Create a secondary dcerpc connection from a primary connection - - sync version - - If the primary is a SMB connection then the secondary connection - will be on the same SMB connection, but using a new fnum -*/ -NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, - struct dcerpc_pipe **p2, - struct dcerpc_binding *b) -{ - struct composite_context *c; - - c = dcerpc_secondary_connection_send(p, b); - return dcerpc_secondary_connection_recv(c, p2); -} diff --git a/source4/librpc/rpc/dcerpc_secondary.c b/source4/librpc/rpc/dcerpc_secondary.c new file mode 100644 index 0000000000..685055d957 --- /dev/null +++ b/source4/librpc/rpc/dcerpc_secondary.c @@ -0,0 +1,317 @@ +/* + Unix SMB/CIFS implementation. + + dcerpc connect functions + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Jelmer Vernooij 2004 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007 + Copyright (C) Rafal Szczesniak 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + + +#include "includes.h" +#include "libcli/composite/composite.h" +#include "lib/events/events.h" +#include "librpc/rpc/dcerpc.h" +#include "auth/credentials/credentials.h" + + +struct sec_conn_state { + struct dcerpc_pipe *pipe; + struct dcerpc_pipe *pipe2; + struct dcerpc_binding *binding; + struct smbcli_tree *tree; +}; + + +static void continue_open_smb(struct composite_context *ctx); +static void continue_open_tcp(struct composite_context *ctx); +static void continue_open_pipe(struct composite_context *ctx); +static void continue_pipe_open(struct composite_context *c); + + +/* + Send request to create a secondary dcerpc connection from a primary + connection +*/ +struct composite_context* dcerpc_secondary_connection_send(struct dcerpc_pipe *p, + struct dcerpc_binding *b) +{ + struct composite_context *c; + struct sec_conn_state *s; + struct composite_context *pipe_smb_req; + struct composite_context *pipe_tcp_req; + struct composite_context *pipe_ncalrpc_req; + + /* composite context allocation and setup */ + c = composite_create(p, p->conn->event_ctx); + if (c == NULL) return NULL; + + s = talloc_zero(c, struct sec_conn_state); + if (composite_nomem(s, c)) return c; + c->private_data = s; + + s->pipe = p; + s->binding = b; + + /* initialise second dcerpc pipe based on primary pipe's event context */ + s->pipe2 = dcerpc_pipe_init(c, s->pipe->conn->event_ctx); + if (composite_nomem(s->pipe2, c)) return c; + + /* open second dcerpc pipe using the same transport as for primary pipe */ + switch (s->pipe->conn->transport.transport) { + case NCACN_NP: + /* get smb tree of primary dcerpc pipe opened on smb */ + s->tree = dcerpc_smb_tree(s->pipe->conn); + if (!s->tree) { + composite_error(c, NT_STATUS_INVALID_PARAMETER); + return c; + } + + pipe_smb_req = dcerpc_pipe_open_smb_send(s->pipe2, s->tree, + s->binding->endpoint); + composite_continue(c, pipe_smb_req, continue_open_smb, c); + return c; + + case NCACN_IP_TCP: + pipe_tcp_req = dcerpc_pipe_open_tcp_send(s->pipe2->conn, + s->binding->host, + s->binding->target_hostname, + atoi(s->binding->endpoint)); + composite_continue(c, pipe_tcp_req, continue_open_tcp, c); + return c; + + case NCALRPC: + pipe_ncalrpc_req = dcerpc_pipe_open_pipe_send(s->pipe2->conn, + s->binding->endpoint); + composite_continue(c, pipe_ncalrpc_req, continue_open_pipe, c); + return c; + + default: + /* looks like a transport we don't support */ + composite_error(c, NT_STATUS_NOT_SUPPORTED); + } + + return c; +} + + +/* + Stage 2 of secondary_connection: Receive result of pipe open request on smb +*/ +static void continue_open_smb(struct composite_context *ctx) +{ + struct composite_context *c = talloc_get_type(ctx->async.private_data, + struct composite_context); + + c->status = dcerpc_pipe_open_smb_recv(ctx); + if (!composite_is_ok(c)) return; + + continue_pipe_open(c); +} + + +/* + Stage 2 of secondary_connection: Receive result of pipe open request on tcp/ip +*/ +static void continue_open_tcp(struct composite_context *ctx) +{ + struct composite_context *c = talloc_get_type(ctx->async.private_data, + struct composite_context); + + c->status = dcerpc_pipe_open_tcp_recv(ctx); + if (!composite_is_ok(c)) return; + + continue_pipe_open(c); +} + + +/* + Stage 2 of secondary_connection: Receive result of pipe open request on ncalrpc +*/ +static void continue_open_pipe(struct composite_context *ctx) +{ + struct composite_context *c = talloc_get_type(ctx->async.private_data, + struct composite_context); + + c->status = dcerpc_pipe_open_pipe_recv(ctx); + if (!composite_is_ok(c)) return; + + continue_pipe_open(c); +} + + +/* + Stage 3 of secondary_connection: Get binding data and flags from primary pipe + and say if we're done ok. +*/ +static void continue_pipe_open(struct composite_context *c) +{ + struct sec_conn_state *s; + + s = talloc_get_type(c->private_data, struct sec_conn_state); + + s->pipe2->conn->flags = s->pipe->conn->flags; + s->pipe2->binding = s->binding; + if (!talloc_reference(s->pipe2, s->binding)) { + composite_error(c, NT_STATUS_NO_MEMORY); + return; + } + + composite_done(c); +} + + +/* + Receive result of secondary rpc connection request and return + second dcerpc pipe. +*/ +NTSTATUS dcerpc_secondary_connection_recv(struct composite_context *c, + struct dcerpc_pipe **p2) +{ + NTSTATUS status = composite_wait(c); + struct sec_conn_state *s; + + s = talloc_get_type(c->private_data, struct sec_conn_state); + + if (NT_STATUS_IS_OK(status)) { + *p2 = talloc_steal(s->pipe, s->pipe2); + } + + talloc_free(c); + return status; +} + +/* + Create a secondary dcerpc connection from a primary connection + - sync version + + If the primary is a SMB connection then the secondary connection + will be on the same SMB connection, but using a new fnum +*/ +NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, + struct dcerpc_pipe **p2, + struct dcerpc_binding *b) +{ + struct composite_context *c; + + c = dcerpc_secondary_connection_send(p, b); + return dcerpc_secondary_connection_recv(c, p2); +} + +/* + Create a secondary DCERPC connection, then bind (and possibly + authenticate) using the supplied credentials. + + This creates a second connection, to the same host (and on ncacn_np on the same connection) as the first +*/ +struct sec_auth_conn_state { + struct dcerpc_pipe *pipe2; + struct dcerpc_binding *binding; + const struct dcerpc_interface_table *table; + struct cli_credentials *credentials; + struct composite_context *ctx; +}; + +static void dcerpc_secondary_auth_connection_bind(struct composite_context *ctx); +static void dcerpc_secondary_auth_connection_continue(struct composite_context *ctx); + +struct composite_context* dcerpc_secondary_auth_connection_send(struct dcerpc_pipe *p, + struct dcerpc_binding *binding, + const struct dcerpc_interface_table *table, + struct cli_credentials *credentials) +{ + + struct composite_context *c, *secondary_conn_ctx; + struct sec_auth_conn_state *s; + + /* composite context allocation and setup */ + c = composite_create(p, p->conn->event_ctx); + if (c == NULL) return NULL; + + s = talloc_zero(c, struct sec_auth_conn_state); + if (composite_nomem(s, c)) return c; + c->private_data = s; + s->ctx = c; + + s->binding = binding; + s->table = table; + s->credentials = credentials; + + secondary_conn_ctx = dcerpc_secondary_connection_send(p, binding); + + if (composite_nomem(secondary_conn_ctx, s->ctx)) { + talloc_free(c); + return NULL; + } + + composite_continue(s->ctx, secondary_conn_ctx, dcerpc_secondary_auth_connection_bind, + s); + return c; +} + +/* + Stage 2 of secondary_auth_connection: + Having made the secondary connection, we will need to do an (authenticated) bind +*/ +static void dcerpc_secondary_auth_connection_bind(struct composite_context *ctx) +{ + struct composite_context *secondary_auth_ctx; + struct sec_auth_conn_state *s = talloc_get_type(ctx->async.private_data, + struct sec_auth_conn_state); + + s->ctx->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2); + if (!composite_is_ok(s->ctx)) return; + + secondary_auth_ctx = dcerpc_pipe_auth_send(s->pipe2, s->binding, s->table, s->credentials); + composite_continue(s->ctx, secondary_auth_ctx, dcerpc_secondary_auth_connection_continue, s); + +} + +/* + Stage 3 of secondary_auth_connection: Receive result of authenticated bind request +*/ +static void dcerpc_secondary_auth_connection_continue(struct composite_context *ctx) +{ + struct sec_auth_conn_state *s = talloc_get_type(ctx->async.private_data, + struct sec_auth_conn_state); + + s->ctx->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe2); + if (!composite_is_ok(s->ctx)) return; + + composite_done(s->ctx); +} + +/* + Receive an authenticated pipe, created as a secondary connection +*/ +NTSTATUS dcerpc_secondary_auth_connection_recv(struct composite_context *c, + TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **p) +{ + NTSTATUS status = composite_wait(c); + struct sec_auth_conn_state *s; + + s = talloc_get_type(c->private_data, struct sec_auth_conn_state); + + if (NT_STATUS_IS_OK(status)) { + *p = talloc_steal(mem_ctx, s->pipe2); + } + + talloc_free(c); + return status; +} diff --git a/source4/selftest/test_member.sh b/source4/selftest/test_member.sh index a76c10be91..29e3730342 100755 --- a/source4/selftest/test_member.sh +++ b/source4/selftest/test_member.sh @@ -5,3 +5,4 @@ incdir=`dirname $0` plantest "RPC-ECHO against member server with local creds" member $VALGRIND bin/smbtorture $TORTURE_OPTIONS ncacn_np:"\$NETBIOSNAME" -U"\$NETBIOSNAME\\\\\$USERNAME"%"\$PASSWORD" RPC-ECHO "$*" plantest "RPC-ECHO against member server with domain creds" member $VALGRIND bin/smbtorture $TORTURE_OPTIONS ncacn_np:"\$NETBIOSNAME" -U"\$DOMAIN\\\\\$DC_USERNAME"%"\$DC_PASSWORD" RPC-ECHO "$*" +plantest "wbinfo -a against member server with domain creds" member $VALGRIND bin/wbinfo -a "\$DOMAIN\\\\\$DC_USERNAME"%"\$DC_PASSWORD"
\ No newline at end of file diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 3ca4734ae9..935ba266d3 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -67,8 +67,10 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, /* this will make the secondary connection on the same IPC$ share, secured with SPNEGO, NTLMSSP or SCHANNEL */ - ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe, - domain->samr_binding); + ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe, + domain->samr_binding, + &dcerpc_table_samr, + domain->schannel_creds); composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; @@ -84,8 +86,8 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct connect_samr_state); - state->ctx->status = dcerpc_secondary_connection_recv(ctx, - &state->samr_pipe); + state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state, + &state->samr_pipe); if (!composite_is_ok(state->ctx)) return; state->connect_handle = talloc(state, struct policy_handle); diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c index 571ecb39b2..5ec8f1a159 100644 --- a/source4/winbind/wb_dom_info.c +++ b/source4/winbind/wb_dom_info.c @@ -45,7 +45,7 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx, { struct composite_context *result, *ctx; struct get_dom_info_state *state; - struct dom_sid *dup_sid; + struct dom_sid *dom_sid; result = composite_create(mem_ctx, service->task->event_ctx); if (result == NULL) goto failed; @@ -57,11 +57,17 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx, state->info = talloc_zero(state, struct wb_dom_info); if (state->info == NULL) goto failed; - dup_sid = dom_sid_dup(state, sid); - if (dup_sid == NULL) goto failed; + state->info->name = talloc_strdup(state->info, domain_name); + if (state->info->name == NULL) goto failed; + + state->info->sid = dom_sid_dup(state->info, sid); + if (state->info->sid == NULL) goto failed; + + dom_sid = dom_sid_dup(mem_ctx, sid); + if (dom_sid == NULL) goto failed; ctx = finddcs_send(mem_ctx, domain_name, NBT_NAME_LOGON, - dup_sid, lp_name_resolve_order(), service->task->event_ctx, + dom_sid, lp_name_resolve_order(), service->task->event_ctx, service->task->msg_ctx); if (ctx == NULL) goto failed; diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index 69ea9c7533..cdc1491f2b 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -202,7 +202,7 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct init_domain_state); - state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state, + state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state->domain, &state->domain->netlogon_pipe); if (!composite_is_ok(state->ctx)) { @@ -224,13 +224,17 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx) /* this will make the secondary connection on the same IPC$ share, secured with SPNEGO or NTLMSSP */ - ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe, - state->domain->lsa_binding); + ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe, + state->domain->lsa_binding, + &dcerpc_table_lsarpc, + state->domain->schannel_creds + ); composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state); } static bool retry_with_schannel(struct init_domain_state *state, struct dcerpc_binding *binding, + const struct dcerpc_interface_table *table, void (*continuation)(struct composite_context *)) { struct composite_context *ctx; @@ -246,8 +250,10 @@ static bool retry_with_schannel(struct init_domain_state *state, /* Try again, likewise on the same IPC$ share, secured with SCHANNEL */ - ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe, - binding); + ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe, + binding, + table, + state->domain->schannel_creds); composite_continue(state->ctx, ctx, continuation, state); return true; } else { @@ -264,10 +270,11 @@ static void init_domain_recv_lsa_pipe(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct init_domain_state); - state->ctx->status = dcerpc_secondary_connection_recv(ctx, - &state->domain->lsa_pipe); + state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state->domain, + &state->domain->lsa_pipe); if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_LOGON_FAILURE)) { if (retry_with_schannel(state, state->domain->lsa_binding, + &dcerpc_table_lsarpc, init_domain_recv_lsa_pipe)) { return; } @@ -307,6 +314,7 @@ static void init_domain_recv_lsa_policy(struct rpc_request *req) if ((!NT_STATUS_IS_OK(state->ctx->status) || !NT_STATUS_IS_OK(state->lsa_openpolicy.out.result))) { if (retry_with_schannel(state, state->domain->lsa_binding, + &dcerpc_table_lsarpc, init_domain_recv_lsa_pipe)) { return; } diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c index fffb7c408c..4874254eff 100644 --- a/source4/winbind/wb_pam_auth.c +++ b/source4/winbind/wb_pam_auth.c @@ -28,23 +28,22 @@ #include "libcli/auth/libcli_auth.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/winbind.h" /* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */ struct pam_auth_crap_state { struct composite_context *ctx; struct event_context *event_ctx; - uint32_t logon_parameters; - const char *domain_name; - const char *user_name; + + struct winbind_SamLogon *req; char *unix_username; - const char *workstation; - DATA_BLOB chal, nt_resp, lm_resp; - struct creds_CredentialState *creds_state; - struct netr_Authenticator auth, auth2; struct netr_NetworkInfo ninfo; struct netr_LogonSamLogon r; + const char *user_name; + const char *domain_name; + struct netr_UserSessionKey user_session_key; struct netr_LMSessionKey lm_key; DATA_BLOB info3; @@ -54,8 +53,7 @@ struct pam_auth_crap_state { * NTLM authentication. */ -static void pam_auth_crap_recv_domain(struct composite_context *ctx); -static void pam_auth_crap_recv_samlogon(struct rpc_request *req); +static void pam_auth_crap_recv_logon(struct composite_context *ctx); struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, struct wbsrv_service *service, @@ -69,6 +67,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, { struct composite_context *result, *ctx; struct pam_auth_crap_state *state; + struct netr_NetworkInfo *ninfo; + DATA_BLOB tmp_nt_resp, tmp_lm_resp; result = composite_create(mem_ctx, service->task->event_ctx); if (result == NULL) goto failed; @@ -78,35 +78,43 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, state->ctx = result; result->private_data = state; - state->logon_parameters = logon_parameters; + state->req = talloc(state, struct winbind_SamLogon); + + state->req->in.logon_level = 2; + state->req->in.validation_level = 3; + ninfo = state->req->in.logon.network = talloc(state, struct netr_NetworkInfo); + if (ninfo == NULL) goto failed; + + ninfo->identity_info.account_name.string = talloc_strdup(state, user); + ninfo->identity_info.domain_name.string = talloc_strdup(state, domain); + ninfo->identity_info.parameter_control = logon_parameters; + ninfo->identity_info.logon_id_low = 0; + ninfo->identity_info.logon_id_high = 0; + ninfo->identity_info.workstation.string = talloc_strdup(state, workstation); + + SMB_ASSERT(chal.length == sizeof(ninfo->challenge)); + memcpy(ninfo->challenge, chal.data, + sizeof(ninfo->challenge)); + + tmp_nt_resp = data_blob_talloc(ninfo, nt_resp.data, nt_resp.length); + if ((nt_resp.data != NULL) && + (tmp_nt_resp.data == NULL)) goto failed; - state->domain_name = talloc_strdup(state, domain); - if (state->domain_name == NULL) goto failed; + tmp_lm_resp = data_blob_talloc(ninfo, lm_resp.data, lm_resp.length); + if ((lm_resp.data != NULL) && + (tmp_lm_resp.data == NULL)) goto failed; - state->user_name = talloc_strdup(state, user); - if (state->user_name == NULL) goto failed; + ninfo->nt.length = tmp_nt_resp.length; + ninfo->nt.data = tmp_nt_resp.data; + ninfo->lm.length = tmp_lm_resp.length; + ninfo->lm.data = tmp_lm_resp.data; state->unix_username = NULL; - state->workstation = talloc_strdup(state, workstation); - if (state->workstation == NULL) goto failed; - - state->chal = data_blob_talloc(state, chal.data, chal.length); - if ((chal.data != NULL) && (state->chal.data == NULL)) goto failed; - - state->nt_resp = data_blob_talloc(state, nt_resp.data, nt_resp.length); - if ((nt_resp.data != NULL) && - (state->nt_resp.data == NULL)) goto failed; - - state->lm_resp = data_blob_talloc(state, lm_resp.data, lm_resp.length); - if ((lm_resp.data != NULL) && - (state->lm_resp.data == NULL)) goto failed; - - ctx = wb_sid2domain_send(state, service, service->primary_sid); + ctx = wb_sam_logon_send(mem_ctx, service, state->req); if (ctx == NULL) goto failed; - ctx->async.fn = pam_auth_crap_recv_domain; - ctx->async.private_data = state; + composite_continue(result, ctx, pam_auth_crap_recv_logon, state); return result; failed: @@ -119,95 +127,19 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx, Send of a SamLogon request to authenticate a user. */ -static void pam_auth_crap_recv_domain(struct composite_context *ctx) +static void pam_auth_crap_recv_logon(struct composite_context *ctx) { + DATA_BLOB tmp_blob; + struct netr_SamBaseInfo *base; struct pam_auth_crap_state *state = talloc_get_type(ctx->async.private_data, struct pam_auth_crap_state); - struct rpc_request *req; - struct wbsrv_domain *domain; - - state->ctx->status = wb_sid2domain_recv(ctx, &domain); - if (!composite_is_ok(state->ctx)) return; - state->creds_state = - cli_credentials_get_netlogon_creds(domain->schannel_creds); - - creds_client_authenticator(state->creds_state, &state->auth); - - state->ninfo.identity_info.account_name.string = state->user_name; - state->ninfo.identity_info.domain_name.string = state->domain_name; - state->ninfo.identity_info.parameter_control = state->logon_parameters; - state->ninfo.identity_info.logon_id_low = 0; - state->ninfo.identity_info.logon_id_high = 0; - state->ninfo.identity_info.workstation.string = state->workstation; - - SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge)); - memcpy(state->ninfo.challenge, state->chal.data, - sizeof(state->ninfo.challenge)); - - state->ninfo.nt.length = state->nt_resp.length; - state->ninfo.nt.data = state->nt_resp.data; - state->ninfo.lm.length = state->lm_resp.length; - state->ninfo.lm.data = state->lm_resp.data; - - state->r.in.server_name = talloc_asprintf( - state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe)); - if (composite_nomem(state->r.in.server_name, state->ctx)) return; - - ZERO_STRUCT(state->auth2); - - state->r.in.computer_name = - cli_credentials_get_workstation(domain->schannel_creds); - state->r.in.credential = &state->auth; - state->r.in.return_authenticator = &state->auth2; - state->r.in.logon_level = 2; - state->r.in.validation_level = 3; - state->r.in.logon.network = &state->ninfo; - state->r.out.return_authenticator = NULL; - - req = dcerpc_netr_LogonSamLogon_send(domain->netlogon_pipe, state, - &state->r); - composite_continue_rpc(state->ctx, req, pam_auth_crap_recv_samlogon, - state); -} - -/* - NTLM Authentication - - Check the SamLogon reply, decrypt and parse out the session keys and the - info3 structure. -*/ -static void pam_auth_crap_recv_samlogon(struct rpc_request *req) -{ - struct pam_auth_crap_state *state = - talloc_get_type(req->async.private_data, - struct pam_auth_crap_state); - struct netr_SamBaseInfo *base; - DATA_BLOB tmp_blob; - state->ctx->status = dcerpc_ndr_request_recv(req); + state->ctx->status = wb_sam_logon_recv(ctx, state, state->req); if (!composite_is_ok(state->ctx)) return; - if ((state->r.out.return_authenticator == NULL) || - (!creds_client_check(state->creds_state, - &state->r.out.return_authenticator->cred))) { - DEBUG(0, ("Credentials check failed!\n")); - composite_error(state->ctx, NT_STATUS_ACCESS_DENIED); - return; - } - - state->ctx->status = state->r.out.result; - if (!composite_is_ok(state->ctx)) return; - - /* Decrypt the session keys before we reform the info3, so the - * person on the other end of winbindd pipe doesn't have to. - * They won't have the encryption key anyway */ - creds_decrypt_samlogon(state->creds_state, - state->r.in.validation_level, - &state->r.out.validation); - state->ctx->status = ndr_push_struct_blob( - &tmp_blob, state, state->r.out.validation.sam3, + &tmp_blob, state, state->req->out.validation.sam3, (ndr_push_flags_fn_t)ndr_push_netr_SamInfo3); if (!composite_is_ok(state->ctx)) return; @@ -220,25 +152,7 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req) SIVAL(state->info3.data, 0, 1); memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length); - /* We actually only ask for level 3, and assume it above, but - * anyway... */ - - base = NULL; - switch(state->r.in.validation_level) { - case 2: - base = &state->r.out.validation.sam2->base; - break; - case 3: - base = &state->r.out.validation.sam3->base; - break; - case 6: - base = &state->r.out.validation.sam6->base; - break; - } - if (base == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - return; - } + base = &state->req->out.validation.sam3->base; state->user_session_key = base->key; state->lm_key = base->LMSessKey; |