summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/librpc/config.mk3
-rw-r--r--source4/librpc/rpc/dcerpc_connect.c185
-rw-r--r--source4/librpc/rpc/dcerpc_secondary.c317
-rwxr-xr-xsource4/selftest/test_member.sh1
-rw-r--r--source4/winbind/wb_connect_sam.c10
-rw-r--r--source4/winbind/wb_dom_info.c14
-rw-r--r--source4/winbind/wb_init_domain.c22
-rw-r--r--source4/winbind/wb_pam_auth.c176
8 files changed, 397 insertions, 331 deletions
diff --git a/source4/librpc/config.mk b/source4/librpc/config.mk
index f31ccf57f0..5cec7e1f67 100644
--- a/source4/librpc/config.mk
+++ b/source4/librpc/config.mk
@@ -476,7 +476,8 @@ OBJ_FILES = \
rpc/dcerpc_smb.o \
rpc/dcerpc_smb2.o \
rpc/dcerpc_sock.o \
- rpc/dcerpc_connect.o
+ rpc/dcerpc_connect.o \
+ rpc/dcerpc_secondary.o
PRIVATE_DEPENDENCIES = \
samba-socket LIBCLI_RESOLVE LIBCLI_SMB LIBCLI_SMB2 \
LIBNDR NDR_DCERPC RPC_NDR_EPMAPPER \
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index 443b8b458a..3e49e6972b 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -5,7 +5,7 @@
Copyright (C) Andrew Tridgell 2003
Copyright (C) Jelmer Vernooij 2004
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
Copyright (C) Rafal Szczesniak 2005
This program is free software; you can redistribute it and/or modify
@@ -915,186 +915,3 @@ NTSTATUS dcerpc_pipe_connect(TALLOC_CTX *parent_ctx,
return dcerpc_pipe_connect_recv(c, parent_ctx, pp);
}
-
-struct sec_conn_state {
- struct dcerpc_pipe *pipe;
- struct dcerpc_pipe *pipe2;
- struct dcerpc_binding *binding;
- struct smbcli_tree *tree;
-};
-
-
-static void continue_open_smb(struct composite_context *ctx);
-static void continue_open_tcp(struct composite_context *ctx);
-static void continue_open_pipe(struct composite_context *ctx);
-static void continue_pipe_open(struct composite_context *c);
-
-
-/*
- Send request to create a secondary dcerpc connection from a primary
- connection
-*/
-struct composite_context* dcerpc_secondary_connection_send(struct dcerpc_pipe *p,
- struct dcerpc_binding *b)
-{
- struct composite_context *c;
- struct sec_conn_state *s;
- struct composite_context *pipe_smb_req;
- struct composite_context *pipe_tcp_req;
- struct composite_context *pipe_ncalrpc_req;
-
- /* composite context allocation and setup */
- c = composite_create(p, p->conn->event_ctx);
- if (c == NULL) return NULL;
-
- s = talloc_zero(c, struct sec_conn_state);
- if (composite_nomem(s, c)) return c;
- c->private_data = s;
-
- s->pipe = p;
- s->binding = b;
-
- /* initialise second dcerpc pipe based on primary pipe's event context */
- s->pipe2 = dcerpc_pipe_init(c, s->pipe->conn->event_ctx);
- if (composite_nomem(s->pipe2, c)) return c;
-
- /* open second dcerpc pipe using the same transport as for primary pipe */
- switch (s->pipe->conn->transport.transport) {
- case NCACN_NP:
- /* get smb tree of primary dcerpc pipe opened on smb */
- s->tree = dcerpc_smb_tree(s->pipe->conn);
- if (!s->tree) {
- composite_error(c, NT_STATUS_INVALID_PARAMETER);
- return c;
- }
-
- pipe_smb_req = dcerpc_pipe_open_smb_send(s->pipe2, s->tree,
- s->binding->endpoint);
- composite_continue(c, pipe_smb_req, continue_open_smb, c);
- return c;
-
- case NCACN_IP_TCP:
- pipe_tcp_req = dcerpc_pipe_open_tcp_send(s->pipe2->conn,
- s->binding->host,
- s->binding->target_hostname,
- atoi(s->binding->endpoint));
- composite_continue(c, pipe_tcp_req, continue_open_tcp, c);
- return c;
-
- case NCALRPC:
- pipe_ncalrpc_req = dcerpc_pipe_open_pipe_send(s->pipe2->conn,
- s->binding->endpoint);
- composite_continue(c, pipe_ncalrpc_req, continue_open_pipe, c);
- return c;
-
- default:
- /* looks like a transport we don't support */
- composite_error(c, NT_STATUS_NOT_SUPPORTED);
- }
-
- return c;
-}
-
-
-/*
- Stage 2 of secondary_connection: Receive result of pipe open request on smb
-*/
-static void continue_open_smb(struct composite_context *ctx)
-{
- struct composite_context *c = talloc_get_type(ctx->async.private_data,
- struct composite_context);
-
- c->status = dcerpc_pipe_open_smb_recv(ctx);
- if (!composite_is_ok(c)) return;
-
- continue_pipe_open(c);
-}
-
-
-/*
- Stage 2 of secondary_connection: Receive result of pipe open request on tcp/ip
-*/
-static void continue_open_tcp(struct composite_context *ctx)
-{
- struct composite_context *c = talloc_get_type(ctx->async.private_data,
- struct composite_context);
-
- c->status = dcerpc_pipe_open_tcp_recv(ctx);
- if (!composite_is_ok(c)) return;
-
- continue_pipe_open(c);
-}
-
-
-/*
- Stage 2 of secondary_connection: Receive result of pipe open request on ncalrpc
-*/
-static void continue_open_pipe(struct composite_context *ctx)
-{
- struct composite_context *c = talloc_get_type(ctx->async.private_data,
- struct composite_context);
-
- c->status = dcerpc_pipe_open_pipe_recv(ctx);
- if (!composite_is_ok(c)) return;
-
- continue_pipe_open(c);
-}
-
-
-/*
- Stage 3 of secondary_connection: Get binding data and flags from primary pipe
- and say if we're done ok.
-*/
-static void continue_pipe_open(struct composite_context *c)
-{
- struct sec_conn_state *s;
-
- s = talloc_get_type(c->private_data, struct sec_conn_state);
-
- s->pipe2->conn->flags = s->pipe->conn->flags;
- s->pipe2->binding = s->binding;
- if (!talloc_reference(s->pipe2, s->binding)) {
- composite_error(c, NT_STATUS_NO_MEMORY);
- return;
- }
-
- composite_done(c);
-}
-
-
-/*
- Receive result of secondary rpc connection request and return
- second dcerpc pipe.
-*/
-NTSTATUS dcerpc_secondary_connection_recv(struct composite_context *c,
- struct dcerpc_pipe **p2)
-{
- NTSTATUS status = composite_wait(c);
- struct sec_conn_state *s;
-
- s = talloc_get_type(c->private_data, struct sec_conn_state);
-
- if (NT_STATUS_IS_OK(status)) {
- *p2 = talloc_steal(s->pipe, s->pipe2);
- }
-
- talloc_free(c);
- return status;
-}
-
-/*
- Create a secondary dcerpc connection from a primary connection
- - sync version
-
- If the primary is a SMB connection then the secondary connection
- will be on the same SMB connection, but using a new fnum
-*/
-NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p,
- struct dcerpc_pipe **p2,
- struct dcerpc_binding *b)
-{
- struct composite_context *c;
-
- c = dcerpc_secondary_connection_send(p, b);
- return dcerpc_secondary_connection_recv(c, p2);
-}
diff --git a/source4/librpc/rpc/dcerpc_secondary.c b/source4/librpc/rpc/dcerpc_secondary.c
new file mode 100644
index 0000000000..685055d957
--- /dev/null
+++ b/source4/librpc/rpc/dcerpc_secondary.c
@@ -0,0 +1,317 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ dcerpc connect functions
+
+ Copyright (C) Andrew Tridgell 2003
+ Copyright (C) Jelmer Vernooij 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2007
+ Copyright (C) Rafal Szczesniak 2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+
+#include "includes.h"
+#include "libcli/composite/composite.h"
+#include "lib/events/events.h"
+#include "librpc/rpc/dcerpc.h"
+#include "auth/credentials/credentials.h"
+
+
+struct sec_conn_state {
+ struct dcerpc_pipe *pipe;
+ struct dcerpc_pipe *pipe2;
+ struct dcerpc_binding *binding;
+ struct smbcli_tree *tree;
+};
+
+
+static void continue_open_smb(struct composite_context *ctx);
+static void continue_open_tcp(struct composite_context *ctx);
+static void continue_open_pipe(struct composite_context *ctx);
+static void continue_pipe_open(struct composite_context *c);
+
+
+/*
+ Send request to create a secondary dcerpc connection from a primary
+ connection
+*/
+struct composite_context* dcerpc_secondary_connection_send(struct dcerpc_pipe *p,
+ struct dcerpc_binding *b)
+{
+ struct composite_context *c;
+ struct sec_conn_state *s;
+ struct composite_context *pipe_smb_req;
+ struct composite_context *pipe_tcp_req;
+ struct composite_context *pipe_ncalrpc_req;
+
+ /* composite context allocation and setup */
+ c = composite_create(p, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ s = talloc_zero(c, struct sec_conn_state);
+ if (composite_nomem(s, c)) return c;
+ c->private_data = s;
+
+ s->pipe = p;
+ s->binding = b;
+
+ /* initialise second dcerpc pipe based on primary pipe's event context */
+ s->pipe2 = dcerpc_pipe_init(c, s->pipe->conn->event_ctx);
+ if (composite_nomem(s->pipe2, c)) return c;
+
+ /* open second dcerpc pipe using the same transport as for primary pipe */
+ switch (s->pipe->conn->transport.transport) {
+ case NCACN_NP:
+ /* get smb tree of primary dcerpc pipe opened on smb */
+ s->tree = dcerpc_smb_tree(s->pipe->conn);
+ if (!s->tree) {
+ composite_error(c, NT_STATUS_INVALID_PARAMETER);
+ return c;
+ }
+
+ pipe_smb_req = dcerpc_pipe_open_smb_send(s->pipe2, s->tree,
+ s->binding->endpoint);
+ composite_continue(c, pipe_smb_req, continue_open_smb, c);
+ return c;
+
+ case NCACN_IP_TCP:
+ pipe_tcp_req = dcerpc_pipe_open_tcp_send(s->pipe2->conn,
+ s->binding->host,
+ s->binding->target_hostname,
+ atoi(s->binding->endpoint));
+ composite_continue(c, pipe_tcp_req, continue_open_tcp, c);
+ return c;
+
+ case NCALRPC:
+ pipe_ncalrpc_req = dcerpc_pipe_open_pipe_send(s->pipe2->conn,
+ s->binding->endpoint);
+ composite_continue(c, pipe_ncalrpc_req, continue_open_pipe, c);
+ return c;
+
+ default:
+ /* looks like a transport we don't support */
+ composite_error(c, NT_STATUS_NOT_SUPPORTED);
+ }
+
+ return c;
+}
+
+
+/*
+ Stage 2 of secondary_connection: Receive result of pipe open request on smb
+*/
+static void continue_open_smb(struct composite_context *ctx)
+{
+ struct composite_context *c = talloc_get_type(ctx->async.private_data,
+ struct composite_context);
+
+ c->status = dcerpc_pipe_open_smb_recv(ctx);
+ if (!composite_is_ok(c)) return;
+
+ continue_pipe_open(c);
+}
+
+
+/*
+ Stage 2 of secondary_connection: Receive result of pipe open request on tcp/ip
+*/
+static void continue_open_tcp(struct composite_context *ctx)
+{
+ struct composite_context *c = talloc_get_type(ctx->async.private_data,
+ struct composite_context);
+
+ c->status = dcerpc_pipe_open_tcp_recv(ctx);
+ if (!composite_is_ok(c)) return;
+
+ continue_pipe_open(c);
+}
+
+
+/*
+ Stage 2 of secondary_connection: Receive result of pipe open request on ncalrpc
+*/
+static void continue_open_pipe(struct composite_context *ctx)
+{
+ struct composite_context *c = talloc_get_type(ctx->async.private_data,
+ struct composite_context);
+
+ c->status = dcerpc_pipe_open_pipe_recv(ctx);
+ if (!composite_is_ok(c)) return;
+
+ continue_pipe_open(c);
+}
+
+
+/*
+ Stage 3 of secondary_connection: Get binding data and flags from primary pipe
+ and say if we're done ok.
+*/
+static void continue_pipe_open(struct composite_context *c)
+{
+ struct sec_conn_state *s;
+
+ s = talloc_get_type(c->private_data, struct sec_conn_state);
+
+ s->pipe2->conn->flags = s->pipe->conn->flags;
+ s->pipe2->binding = s->binding;
+ if (!talloc_reference(s->pipe2, s->binding)) {
+ composite_error(c, NT_STATUS_NO_MEMORY);
+ return;
+ }
+
+ composite_done(c);
+}
+
+
+/*
+ Receive result of secondary rpc connection request and return
+ second dcerpc pipe.
+*/
+NTSTATUS dcerpc_secondary_connection_recv(struct composite_context *c,
+ struct dcerpc_pipe **p2)
+{
+ NTSTATUS status = composite_wait(c);
+ struct sec_conn_state *s;
+
+ s = talloc_get_type(c->private_data, struct sec_conn_state);
+
+ if (NT_STATUS_IS_OK(status)) {
+ *p2 = talloc_steal(s->pipe, s->pipe2);
+ }
+
+ talloc_free(c);
+ return status;
+}
+
+/*
+ Create a secondary dcerpc connection from a primary connection
+ - sync version
+
+ If the primary is a SMB connection then the secondary connection
+ will be on the same SMB connection, but using a new fnum
+*/
+NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p,
+ struct dcerpc_pipe **p2,
+ struct dcerpc_binding *b)
+{
+ struct composite_context *c;
+
+ c = dcerpc_secondary_connection_send(p, b);
+ return dcerpc_secondary_connection_recv(c, p2);
+}
+
+/*
+ Create a secondary DCERPC connection, then bind (and possibly
+ authenticate) using the supplied credentials.
+
+ This creates a second connection, to the same host (and on ncacn_np on the same connection) as the first
+*/
+struct sec_auth_conn_state {
+ struct dcerpc_pipe *pipe2;
+ struct dcerpc_binding *binding;
+ const struct dcerpc_interface_table *table;
+ struct cli_credentials *credentials;
+ struct composite_context *ctx;
+};
+
+static void dcerpc_secondary_auth_connection_bind(struct composite_context *ctx);
+static void dcerpc_secondary_auth_connection_continue(struct composite_context *ctx);
+
+struct composite_context* dcerpc_secondary_auth_connection_send(struct dcerpc_pipe *p,
+ struct dcerpc_binding *binding,
+ const struct dcerpc_interface_table *table,
+ struct cli_credentials *credentials)
+{
+
+ struct composite_context *c, *secondary_conn_ctx;
+ struct sec_auth_conn_state *s;
+
+ /* composite context allocation and setup */
+ c = composite_create(p, p->conn->event_ctx);
+ if (c == NULL) return NULL;
+
+ s = talloc_zero(c, struct sec_auth_conn_state);
+ if (composite_nomem(s, c)) return c;
+ c->private_data = s;
+ s->ctx = c;
+
+ s->binding = binding;
+ s->table = table;
+ s->credentials = credentials;
+
+ secondary_conn_ctx = dcerpc_secondary_connection_send(p, binding);
+
+ if (composite_nomem(secondary_conn_ctx, s->ctx)) {
+ talloc_free(c);
+ return NULL;
+ }
+
+ composite_continue(s->ctx, secondary_conn_ctx, dcerpc_secondary_auth_connection_bind,
+ s);
+ return c;
+}
+
+/*
+ Stage 2 of secondary_auth_connection:
+ Having made the secondary connection, we will need to do an (authenticated) bind
+*/
+static void dcerpc_secondary_auth_connection_bind(struct composite_context *ctx)
+{
+ struct composite_context *secondary_auth_ctx;
+ struct sec_auth_conn_state *s = talloc_get_type(ctx->async.private_data,
+ struct sec_auth_conn_state);
+
+ s->ctx->status = dcerpc_secondary_connection_recv(ctx, &s->pipe2);
+ if (!composite_is_ok(s->ctx)) return;
+
+ secondary_auth_ctx = dcerpc_pipe_auth_send(s->pipe2, s->binding, s->table, s->credentials);
+ composite_continue(s->ctx, secondary_auth_ctx, dcerpc_secondary_auth_connection_continue, s);
+
+}
+
+/*
+ Stage 3 of secondary_auth_connection: Receive result of authenticated bind request
+*/
+static void dcerpc_secondary_auth_connection_continue(struct composite_context *ctx)
+{
+ struct sec_auth_conn_state *s = talloc_get_type(ctx->async.private_data,
+ struct sec_auth_conn_state);
+
+ s->ctx->status = dcerpc_pipe_auth_recv(ctx, s, &s->pipe2);
+ if (!composite_is_ok(s->ctx)) return;
+
+ composite_done(s->ctx);
+}
+
+/*
+ Receive an authenticated pipe, created as a secondary connection
+*/
+NTSTATUS dcerpc_secondary_auth_connection_recv(struct composite_context *c,
+ TALLOC_CTX *mem_ctx,
+ struct dcerpc_pipe **p)
+{
+ NTSTATUS status = composite_wait(c);
+ struct sec_auth_conn_state *s;
+
+ s = talloc_get_type(c->private_data, struct sec_auth_conn_state);
+
+ if (NT_STATUS_IS_OK(status)) {
+ *p = talloc_steal(mem_ctx, s->pipe2);
+ }
+
+ talloc_free(c);
+ return status;
+}
diff --git a/source4/selftest/test_member.sh b/source4/selftest/test_member.sh
index a76c10be91..29e3730342 100755
--- a/source4/selftest/test_member.sh
+++ b/source4/selftest/test_member.sh
@@ -5,3 +5,4 @@ incdir=`dirname $0`
plantest "RPC-ECHO against member server with local creds" member $VALGRIND bin/smbtorture $TORTURE_OPTIONS ncacn_np:"\$NETBIOSNAME" -U"\$NETBIOSNAME\\\\\$USERNAME"%"\$PASSWORD" RPC-ECHO "$*"
plantest "RPC-ECHO against member server with domain creds" member $VALGRIND bin/smbtorture $TORTURE_OPTIONS ncacn_np:"\$NETBIOSNAME" -U"\$DOMAIN\\\\\$DC_USERNAME"%"\$DC_PASSWORD" RPC-ECHO "$*"
+plantest "wbinfo -a against member server with domain creds" member $VALGRIND bin/wbinfo -a "\$DOMAIN\\\\\$DC_USERNAME"%"\$DC_PASSWORD" \ No newline at end of file
diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c
index 3ca4734ae9..935ba266d3 100644
--- a/source4/winbind/wb_connect_sam.c
+++ b/source4/winbind/wb_connect_sam.c
@@ -67,8 +67,10 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx,
/* this will make the secondary connection on the same IPC$ share,
secured with SPNEGO, NTLMSSP or SCHANNEL */
- ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe,
- domain->samr_binding);
+ ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe,
+ domain->samr_binding,
+ &dcerpc_table_samr,
+ domain->schannel_creds);
composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state);
return result;
@@ -84,8 +86,8 @@ static void connect_samr_recv_pipe(struct composite_context *ctx)
talloc_get_type(ctx->async.private_data,
struct connect_samr_state);
- state->ctx->status = dcerpc_secondary_connection_recv(ctx,
- &state->samr_pipe);
+ state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state,
+ &state->samr_pipe);
if (!composite_is_ok(state->ctx)) return;
state->connect_handle = talloc(state, struct policy_handle);
diff --git a/source4/winbind/wb_dom_info.c b/source4/winbind/wb_dom_info.c
index 571ecb39b2..5ec8f1a159 100644
--- a/source4/winbind/wb_dom_info.c
+++ b/source4/winbind/wb_dom_info.c
@@ -45,7 +45,7 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
{
struct composite_context *result, *ctx;
struct get_dom_info_state *state;
- struct dom_sid *dup_sid;
+ struct dom_sid *dom_sid;
result = composite_create(mem_ctx, service->task->event_ctx);
if (result == NULL) goto failed;
@@ -57,11 +57,17 @@ struct composite_context *wb_get_dom_info_send(TALLOC_CTX *mem_ctx,
state->info = talloc_zero(state, struct wb_dom_info);
if (state->info == NULL) goto failed;
- dup_sid = dom_sid_dup(state, sid);
- if (dup_sid == NULL) goto failed;
+ state->info->name = talloc_strdup(state->info, domain_name);
+ if (state->info->name == NULL) goto failed;
+
+ state->info->sid = dom_sid_dup(state->info, sid);
+ if (state->info->sid == NULL) goto failed;
+
+ dom_sid = dom_sid_dup(mem_ctx, sid);
+ if (dom_sid == NULL) goto failed;
ctx = finddcs_send(mem_ctx, domain_name, NBT_NAME_LOGON,
- dup_sid, lp_name_resolve_order(), service->task->event_ctx,
+ dom_sid, lp_name_resolve_order(), service->task->event_ctx,
service->task->msg_ctx);
if (ctx == NULL) goto failed;
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 69ea9c7533..cdc1491f2b 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
@@ -202,7 +202,7 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
- state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state,
+ state->ctx->status = dcerpc_pipe_connect_b_recv(ctx, state->domain,
&state->domain->netlogon_pipe);
if (!composite_is_ok(state->ctx)) {
@@ -224,13 +224,17 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx)
/* this will make the secondary connection on the same IPC$ share,
secured with SPNEGO or NTLMSSP */
- ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe,
- state->domain->lsa_binding);
+ ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
+ state->domain->lsa_binding,
+ &dcerpc_table_lsarpc,
+ state->domain->schannel_creds
+ );
composite_continue(state->ctx, ctx, init_domain_recv_lsa_pipe, state);
}
static bool retry_with_schannel(struct init_domain_state *state,
struct dcerpc_binding *binding,
+ const struct dcerpc_interface_table *table,
void (*continuation)(struct composite_context *))
{
struct composite_context *ctx;
@@ -246,8 +250,10 @@ static bool retry_with_schannel(struct init_domain_state *state,
/* Try again, likewise on the same IPC$ share,
secured with SCHANNEL */
- ctx = dcerpc_secondary_connection_send(state->domain->netlogon_pipe,
- binding);
+ ctx = dcerpc_secondary_auth_connection_send(state->domain->netlogon_pipe,
+ binding,
+ table,
+ state->domain->schannel_creds);
composite_continue(state->ctx, ctx, continuation, state);
return true;
} else {
@@ -264,10 +270,11 @@ static void init_domain_recv_lsa_pipe(struct composite_context *ctx)
talloc_get_type(ctx->async.private_data,
struct init_domain_state);
- state->ctx->status = dcerpc_secondary_connection_recv(ctx,
- &state->domain->lsa_pipe);
+ state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state->domain,
+ &state->domain->lsa_pipe);
if (NT_STATUS_EQUAL(state->ctx->status, NT_STATUS_LOGON_FAILURE)) {
if (retry_with_schannel(state, state->domain->lsa_binding,
+ &dcerpc_table_lsarpc,
init_domain_recv_lsa_pipe)) {
return;
}
@@ -307,6 +314,7 @@ static void init_domain_recv_lsa_policy(struct rpc_request *req)
if ((!NT_STATUS_IS_OK(state->ctx->status)
|| !NT_STATUS_IS_OK(state->lsa_openpolicy.out.result))) {
if (retry_with_schannel(state, state->domain->lsa_binding,
+ &dcerpc_table_lsarpc,
init_domain_recv_lsa_pipe)) {
return;
}
diff --git a/source4/winbind/wb_pam_auth.c b/source4/winbind/wb_pam_auth.c
index fffb7c408c..4874254eff 100644
--- a/source4/winbind/wb_pam_auth.c
+++ b/source4/winbind/wb_pam_auth.c
@@ -28,23 +28,22 @@
#include "libcli/auth/libcli_auth.h"
#include "librpc/gen_ndr/ndr_netlogon.h"
#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/winbind.h"
/* Oh, there is so much to keep an eye on when authenticating a user. Oh my! */
struct pam_auth_crap_state {
struct composite_context *ctx;
struct event_context *event_ctx;
- uint32_t logon_parameters;
- const char *domain_name;
- const char *user_name;
+
+ struct winbind_SamLogon *req;
char *unix_username;
- const char *workstation;
- DATA_BLOB chal, nt_resp, lm_resp;
- struct creds_CredentialState *creds_state;
- struct netr_Authenticator auth, auth2;
struct netr_NetworkInfo ninfo;
struct netr_LogonSamLogon r;
+ const char *user_name;
+ const char *domain_name;
+
struct netr_UserSessionKey user_session_key;
struct netr_LMSessionKey lm_key;
DATA_BLOB info3;
@@ -54,8 +53,7 @@ struct pam_auth_crap_state {
* NTLM authentication.
*/
-static void pam_auth_crap_recv_domain(struct composite_context *ctx);
-static void pam_auth_crap_recv_samlogon(struct rpc_request *req);
+static void pam_auth_crap_recv_logon(struct composite_context *ctx);
struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx,
struct wbsrv_service *service,
@@ -69,6 +67,8 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx,
{
struct composite_context *result, *ctx;
struct pam_auth_crap_state *state;
+ struct netr_NetworkInfo *ninfo;
+ DATA_BLOB tmp_nt_resp, tmp_lm_resp;
result = composite_create(mem_ctx, service->task->event_ctx);
if (result == NULL) goto failed;
@@ -78,35 +78,43 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx,
state->ctx = result;
result->private_data = state;
- state->logon_parameters = logon_parameters;
+ state->req = talloc(state, struct winbind_SamLogon);
+
+ state->req->in.logon_level = 2;
+ state->req->in.validation_level = 3;
+ ninfo = state->req->in.logon.network = talloc(state, struct netr_NetworkInfo);
+ if (ninfo == NULL) goto failed;
+
+ ninfo->identity_info.account_name.string = talloc_strdup(state, user);
+ ninfo->identity_info.domain_name.string = talloc_strdup(state, domain);
+ ninfo->identity_info.parameter_control = logon_parameters;
+ ninfo->identity_info.logon_id_low = 0;
+ ninfo->identity_info.logon_id_high = 0;
+ ninfo->identity_info.workstation.string = talloc_strdup(state, workstation);
+
+ SMB_ASSERT(chal.length == sizeof(ninfo->challenge));
+ memcpy(ninfo->challenge, chal.data,
+ sizeof(ninfo->challenge));
+
+ tmp_nt_resp = data_blob_talloc(ninfo, nt_resp.data, nt_resp.length);
+ if ((nt_resp.data != NULL) &&
+ (tmp_nt_resp.data == NULL)) goto failed;
- state->domain_name = talloc_strdup(state, domain);
- if (state->domain_name == NULL) goto failed;
+ tmp_lm_resp = data_blob_talloc(ninfo, lm_resp.data, lm_resp.length);
+ if ((lm_resp.data != NULL) &&
+ (tmp_lm_resp.data == NULL)) goto failed;
- state->user_name = talloc_strdup(state, user);
- if (state->user_name == NULL) goto failed;
+ ninfo->nt.length = tmp_nt_resp.length;
+ ninfo->nt.data = tmp_nt_resp.data;
+ ninfo->lm.length = tmp_lm_resp.length;
+ ninfo->lm.data = tmp_lm_resp.data;
state->unix_username = NULL;
- state->workstation = talloc_strdup(state, workstation);
- if (state->workstation == NULL) goto failed;
-
- state->chal = data_blob_talloc(state, chal.data, chal.length);
- if ((chal.data != NULL) && (state->chal.data == NULL)) goto failed;
-
- state->nt_resp = data_blob_talloc(state, nt_resp.data, nt_resp.length);
- if ((nt_resp.data != NULL) &&
- (state->nt_resp.data == NULL)) goto failed;
-
- state->lm_resp = data_blob_talloc(state, lm_resp.data, lm_resp.length);
- if ((lm_resp.data != NULL) &&
- (state->lm_resp.data == NULL)) goto failed;
-
- ctx = wb_sid2domain_send(state, service, service->primary_sid);
+ ctx = wb_sam_logon_send(mem_ctx, service, state->req);
if (ctx == NULL) goto failed;
- ctx->async.fn = pam_auth_crap_recv_domain;
- ctx->async.private_data = state;
+ composite_continue(result, ctx, pam_auth_crap_recv_logon, state);
return result;
failed:
@@ -119,95 +127,19 @@ struct composite_context *wb_cmd_pam_auth_crap_send(TALLOC_CTX *mem_ctx,
Send of a SamLogon request to authenticate a user.
*/
-static void pam_auth_crap_recv_domain(struct composite_context *ctx)
+static void pam_auth_crap_recv_logon(struct composite_context *ctx)
{
+ DATA_BLOB tmp_blob;
+ struct netr_SamBaseInfo *base;
struct pam_auth_crap_state *state =
talloc_get_type(ctx->async.private_data,
struct pam_auth_crap_state);
- struct rpc_request *req;
- struct wbsrv_domain *domain;
-
- state->ctx->status = wb_sid2domain_recv(ctx, &domain);
- if (!composite_is_ok(state->ctx)) return;
- state->creds_state =
- cli_credentials_get_netlogon_creds(domain->schannel_creds);
-
- creds_client_authenticator(state->creds_state, &state->auth);
-
- state->ninfo.identity_info.account_name.string = state->user_name;
- state->ninfo.identity_info.domain_name.string = state->domain_name;
- state->ninfo.identity_info.parameter_control = state->logon_parameters;
- state->ninfo.identity_info.logon_id_low = 0;
- state->ninfo.identity_info.logon_id_high = 0;
- state->ninfo.identity_info.workstation.string = state->workstation;
-
- SMB_ASSERT(state->chal.length == sizeof(state->ninfo.challenge));
- memcpy(state->ninfo.challenge, state->chal.data,
- sizeof(state->ninfo.challenge));
-
- state->ninfo.nt.length = state->nt_resp.length;
- state->ninfo.nt.data = state->nt_resp.data;
- state->ninfo.lm.length = state->lm_resp.length;
- state->ninfo.lm.data = state->lm_resp.data;
-
- state->r.in.server_name = talloc_asprintf(
- state, "\\\\%s", dcerpc_server_name(domain->netlogon_pipe));
- if (composite_nomem(state->r.in.server_name, state->ctx)) return;
-
- ZERO_STRUCT(state->auth2);
-
- state->r.in.computer_name =
- cli_credentials_get_workstation(domain->schannel_creds);
- state->r.in.credential = &state->auth;
- state->r.in.return_authenticator = &state->auth2;
- state->r.in.logon_level = 2;
- state->r.in.validation_level = 3;
- state->r.in.logon.network = &state->ninfo;
- state->r.out.return_authenticator = NULL;
-
- req = dcerpc_netr_LogonSamLogon_send(domain->netlogon_pipe, state,
- &state->r);
- composite_continue_rpc(state->ctx, req, pam_auth_crap_recv_samlogon,
- state);
-}
-
-/*
- NTLM Authentication
-
- Check the SamLogon reply, decrypt and parse out the session keys and the
- info3 structure.
-*/
-static void pam_auth_crap_recv_samlogon(struct rpc_request *req)
-{
- struct pam_auth_crap_state *state =
- talloc_get_type(req->async.private_data,
- struct pam_auth_crap_state);
- struct netr_SamBaseInfo *base;
- DATA_BLOB tmp_blob;
- state->ctx->status = dcerpc_ndr_request_recv(req);
+ state->ctx->status = wb_sam_logon_recv(ctx, state, state->req);
if (!composite_is_ok(state->ctx)) return;
- if ((state->r.out.return_authenticator == NULL) ||
- (!creds_client_check(state->creds_state,
- &state->r.out.return_authenticator->cred))) {
- DEBUG(0, ("Credentials check failed!\n"));
- composite_error(state->ctx, NT_STATUS_ACCESS_DENIED);
- return;
- }
-
- state->ctx->status = state->r.out.result;
- if (!composite_is_ok(state->ctx)) return;
-
- /* Decrypt the session keys before we reform the info3, so the
- * person on the other end of winbindd pipe doesn't have to.
- * They won't have the encryption key anyway */
- creds_decrypt_samlogon(state->creds_state,
- state->r.in.validation_level,
- &state->r.out.validation);
-
state->ctx->status = ndr_push_struct_blob(
- &tmp_blob, state, state->r.out.validation.sam3,
+ &tmp_blob, state, state->req->out.validation.sam3,
(ndr_push_flags_fn_t)ndr_push_netr_SamInfo3);
if (!composite_is_ok(state->ctx)) return;
@@ -220,25 +152,7 @@ static void pam_auth_crap_recv_samlogon(struct rpc_request *req)
SIVAL(state->info3.data, 0, 1);
memcpy(state->info3.data+4, tmp_blob.data, tmp_blob.length);
- /* We actually only ask for level 3, and assume it above, but
- * anyway... */
-
- base = NULL;
- switch(state->r.in.validation_level) {
- case 2:
- base = &state->r.out.validation.sam2->base;
- break;
- case 3:
- base = &state->r.out.validation.sam3->base;
- break;
- case 6:
- base = &state->r.out.validation.sam6->base;
- break;
- }
- if (base == NULL) {
- composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
- return;
- }
+ base = &state->req->out.validation.sam3->base;
state->user_session_key = base->key;
state->lm_key = base->LMSessKey;