summaryrefslogtreecommitdiff
path: root/source3/rpc_server
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/dcesrv_spnego.c58
-rw-r--r--source3/rpc_server/srv_pipe.c71
2 files changed, 25 insertions, 104 deletions
diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c
index e89563a9fb..1bea2321ef 100644
--- a/source3/rpc_server/dcesrv_spnego.c
+++ b/source3/rpc_server/dcesrv_spnego.c
@@ -23,6 +23,7 @@
#include "dcesrv_auth_generic.h"
#include "dcesrv_gssapi.h"
#include "dcesrv_spnego.h"
+#include "auth/gensec/gensec.h"
static NTSTATUS spnego_init_server(TALLOC_CTX *mem_ctx,
bool do_sign, bool do_seal,
@@ -55,51 +56,38 @@ static NTSTATUS spnego_server_mech_init(struct spnego_context *sp_ctx,
DATA_BLOB *token_out)
{
struct gensec_security *gensec_security;
- struct gse_context *gse_ctx;
NTSTATUS status;
+ const char *oid;
switch (sp_ctx->mech) {
case SPNEGO_KRB5:
- status = gssapi_server_auth_start(sp_ctx,
- sp_ctx->do_sign,
- sp_ctx->do_seal,
- sp_ctx->is_dcerpc,
- token_in,
- token_out,
- &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init gssapi server "
- "(%s)\n", nt_errstr(status)));
- return status;
- }
-
- sp_ctx->mech_ctx.gssapi_state = gse_ctx;
+ oid = GENSEC_OID_KERBEROS5;
break;
-
case SPNEGO_NTLMSSP:
- status = auth_generic_server_start(sp_ctx,
- OID_NTLMSSP,
- sp_ctx->do_sign,
- sp_ctx->do_seal,
- sp_ctx->is_dcerpc,
- token_in,
- token_out,
- sp_ctx->remote_address,
- &gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init ntlmssp server "
- "(%s)\n", nt_errstr(status)));
- return status;
- }
-
- sp_ctx->mech_ctx.gensec_security = gensec_security;
+ oid = GENSEC_OID_NTLMSSP;
break;
-
default:
DEBUG(3, ("No known mechanisms available\n"));
return NT_STATUS_INVALID_PARAMETER;
}
+ status = auth_generic_server_start(sp_ctx,
+ oid,
+ sp_ctx->do_sign,
+ sp_ctx->do_seal,
+ sp_ctx->is_dcerpc,
+ token_in,
+ token_out,
+ sp_ctx->remote_address,
+ &gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to init ntlmssp server "
+ "(%s)\n", nt_errstr(status)));
+ return status;
+ }
+
+ sp_ctx->mech_ctx.gensec_security = gensec_security;
+
return NT_STATUS_OK;
}
@@ -150,10 +138,6 @@ NTSTATUS spnego_server_step(struct spnego_context *sp_ctx,
switch(sp_ctx->mech) {
case SPNEGO_KRB5:
- status = gssapi_server_step(
- sp_ctx->mech_ctx.gssapi_state,
- mem_ctx, &token_in, &token_out);
- break;
case SPNEGO_NTLMSSP:
status = auth_generic_server_step(
sp_ctx->mech_ctx.gensec_security,
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 605ed5420c..18389b42e0 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -676,52 +676,11 @@ static bool pipe_auth_generic_verify_final(TALLOC_CTX *mem_ctx,
return true;
}
-static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
- struct gse_context *gse_ctx,
- const struct tsocket_address *remote_address,
- struct auth_session_info **session_info)
-{
- NTSTATUS status;
- bool bret;
-
- /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
- ensure the underlying flags are also set. If not we should
- refuse the bind. */
-
- status = gssapi_server_check_flags(gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Requested Security Layers not honored!\n"));
- return status;
- }
-
- status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
- remote_address, session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, (__location__ ": failed to obtain the server info "
- "for authenticated user: %s\n", nt_errstr(status)));
- return status;
- }
-
- /*
- * We're an authenticated bind over smb, so the session key needs to
- * be set to "SystemLibraryDTC". Weird, but this is what Windows
- * does. See the RPC-SAMBA3SESSIONKEY.
- */
-
- bret = session_info_set_session_key((*session_info), generic_session_key());
- if (!bret) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
{
enum spnego_mech auth_type;
struct gensec_security *gensec_security;
struct spnego_context *spnego_ctx;
- struct gse_context *gse_ctx;
void *mech_ctx;
NTSTATUS status;
@@ -740,37 +699,15 @@ static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
struct spnego_context);
status = spnego_get_negotiated_mech(spnego_ctx,
- &auth_type, &mech_ctx);
+ &auth_type, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Bad SPNEGO state (%s)\n",
nt_errstr(status)));
return status;
}
- switch(auth_type) {
- case SPNEGO_KRB5:
- gse_ctx = talloc_get_type_abort(mech_ctx,
- struct gse_context);
- status = pipe_gssapi_verify_final(p, gse_ctx,
- p->remote_address,
- &p->session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("gssapi bind failed with: %s",
- nt_errstr(status)));
- return status;
- }
- break;
- case SPNEGO_NTLMSSP:
- gensec_security = talloc_get_type_abort(mech_ctx,
- struct gensec_security);
- if (!pipe_auth_generic_verify_final(p, gensec_security,
- p->auth.auth_level,
- &p->session_info)) {
- return NT_STATUS_ACCESS_DENIED;
- }
- break;
- default:
- DEBUG(0, (__location__ ": incorrect spnego type "
- "(%d).\n", auth_type));
+ if (!pipe_auth_generic_verify_final(p, gensec_security,
+ p->auth.auth_level,
+ &p->session_info)) {
return NT_STATUS_ACCESS_DENIED;
}
break;