Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/gensec/gensec.c | 90 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.h | 20 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 42 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 16 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.c | 10 | ||||
-rw-r--r-- | source4/auth/gensec/spnego.c | 9 | ||||
-rw-r--r-- | source4/auth/kerberos/krb5_init_context.c | 8 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 5 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_server.c | 3 | ||||
-rw-r--r-- | source4/auth/ntlm/ntlm_check.c | 24 | ||||
-rw-r--r-- | source4/auth/ntlm/ntlm_check.h | 5 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.c | 1 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_client.c | 32 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_parse.c | 3 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp_server.c | 29 | ||||
-rw-r--r-- | source4/auth/sam.c | 6 | ||||
-rw-r--r-- | source4/auth/system_session.c | 1 |
17 files changed, 182 insertions, 122 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 5d57383d2a..7a8da71a7d 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -40,6 +40,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_all(void) return generic_security_ops; } +bool gensec_security_ops_enabled(struct gensec_security_ops *ops, + struct loadparm_context *lp_ctx) +{ + return lp_parm_bool(lp_ctx, NULL, "gensec", ops->name, ops->enabled); +} + /* Sometimes we want to force only kerberos, sometimes we want to * force it's avoidance. The old list could be either * gensec_security_all(), or from cli_credentials_gensec_list() (ie, @@ -76,6 +82,7 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ j = 0; for (i=0; old_gensec_list && old_gensec_list[i]; i++) { int oid_idx; + for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) { if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) { new_gensec_list[j] = old_gensec_list[i]; @@ -140,6 +147,9 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (!gensec_security_ops_enabled(backends[i], + gensec_security->settings->lp_ctx)) + continue; if (backends[i]->auth_type == auth_type) { backend = backends[i]; talloc_free(mem_ctx); @@ -163,6 +173,10 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], + gensec_security->settings->lp_ctx)) + continue; if (backends[i]->oid) { for (j=0; backends[i]->oid[j]; j++) { if (backends[i]->oid[j] && 
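Review bot: `gensec_security_ops_enabled()` in the first hunk only reads `ops->name` and `ops->enabled`, so its first parameter should be `const struct gensec_security_ops *ops`; the lookup helpers on this line already return `const` pointers to these ops, and a const parameter makes the helper callable from any of them without a cast. It also arrives with no header comment although it becomes the single place that decides whether a mechanism may be used; I would add `/* A backend is usable when the "gensec:<name>" option is set, defaulting to ops->enabled; lp_ctx must not be NULL. */` above the definition. The prototype added to gensec.h later in this commit would carry the same `const`.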
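Review bot: In the `gensec_security_by_authtype` hunk the new enabled-check dereferences `gensec_security->settings->lp_ctx` unconditionally, while the `gensec_security_by_oid` hunk right after it guards the identical call with `gensec_security != NULL &&`. Before this commit `gensec_get_name_by_authtype()` called this function with a NULL context, and the new version merely forwards whatever its own caller passes, so a NULL reaching here is still plausible and would now crash in the filter instead of failing the lookup. I would write it the same way as the OID lookup: `if (gensec_security != NULL && !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) continue;`. `gensec_security_by_sasl_name` in the hunk at -191 has the same unguarded dereference.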
@@ -191,6 +205,8 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (!gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (backends[i]->sasl_name && (strcmp(backends[i]->sasl_name, sasl_name) == 0)) { backend = backends[i]; @@ -215,6 +231,9 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s } backends = gensec_security_mechs(gensec_security, mem_ctx); for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (backends[i]->name && (strcmp(backends[i]->name, name) == 0)) { backend = backends[i]; @@ -258,6 +277,9 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) { if (!backends[i]->sasl_name || !(strcmp(backends[i]->sasl_name, @@ -326,6 +348,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen /* Find backends in our preferred order, by walking our list, * then looking in the supplied list */ for (i=0; backends && backends[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx)) + continue; if (!backends[i]->oid) { continue; } 
@@ -374,7 +399,8 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen * Return OIDS from the security subsystems listed */ -const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, +const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security, + TALLOC_CTX *mem_ctx, struct gensec_security_ops **ops, const char *skip) { @@ -391,6 +417,10 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx, } for (i=0; ops && ops[i]; i++) { + if (gensec_security != NULL && + !gensec_security_ops_enabled(ops[i], gensec_security->settings->lp_ctx)) { + continue; + } if (!ops[i]->oid) { continue; } @@ -464,7 +494,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, { struct gensec_security_ops **ops = gensec_security_mechs(gensec_security, mem_ctx); - return gensec_security_oids_from_ops(mem_ctx, ops, skip); + return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip); } @@ -477,7 +507,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, */ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { @@ -501,7 +531,8 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security)->event_ctx = ev; (*gensec_security)->msg_ctx = msg; - (*gensec_security)->lp_ctx = lp_ctx; + SMB_ASSERT(settings->lp_ctx != NULL); + (*gensec_security)->settings = talloc_reference(*gensec_security, settings); return NT_STATUS_OK; } 
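Review bot: In the `gensec_start` hunk the result of `talloc_reference()` assigned to `(*gensec_security)->settings` is never checked, so an allocation failure leaves `settings` NULL and every later `gensec_security->settings->lp_ctx` access in the backends dereferences it; the preceding `SMB_ASSERT` only covers `settings->lp_ctx`, not this assignment. I would add `if ((*gensec_security)->settings == NULL) { talloc_free(*gensec_security); return NT_STATUS_NO_MEMORY; }` right after the reference is taken (the allocation of `*gensec_security` happens earlier in `gensec_start`, outside the hunk, so confirm it is safe to free there). `gensec_subcontext_start` in the hunk at -529 takes the same unchecked reference.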
@@ -529,7 +560,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, (*gensec_security)->want_features = parent->want_features; (*gensec_security)->event_ctx = parent->event_ctx; (*gensec_security)->msg_ctx = parent->msg_ctx; - (*gensec_security)->lp_ctx = parent->lp_ctx; + (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings); return NT_STATUS_OK; } @@ -543,11 +574,16 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct event_context *ev, - struct loadparm_context *lp_ctx) + struct gensec_settings *settings) { NTSTATUS status; - status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security); + if (settings == NULL) { + DEBUG(0,("gensec_client_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -564,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, */ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { @@ -580,7 +616,12 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security); + if (!settings) { + DEBUG(0,("gensec_server_start: no settings given!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = gensec_start(mem_ctx, ev, settings, msg, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -653,10 +694,10 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s return gensec_start_mech(gensec_security); } -_PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype) +_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype) { const struct gensec_security_ops *ops; - ops = gensec_security_by_authtype(NULL, authtype); + ops = gensec_security_by_authtype(gensec_security, authtype); if (ops) { return ops->name; } @@ -664,10 +705,11 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype) } -_PUBLIC_ const char *gensec_get_name_by_oid(const char *oid_string) +_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, + const char *oid_string) { const struct gensec_security_ops *ops; - ops = gensec_security_by_oid(NULL, oid_string); + ops = gensec_security_by_oid(gensec_security, oid_string); if (ops) { return ops->name; } @@ -697,6 +739,8 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security, _PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, const char *mech_oid) { + SMB_ASSERT(gensec_security != NULL); + gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid); if (!gensec_security->ops) { DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid)); @@ -1107,9 +1151,8 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) { /* We allow the target hostname to be overriden for testing purposes */ - const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname"); - if (target_hostname) { - return target_hostname; + if (gensec_security->settings->target_hostname) { + return gensec_security->settings->target_hostname; } if (gensec_security->target.hostname) { 
@@ -1205,11 +1248,6 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security) */ NTSTATUS gensec_register(const struct gensec_security_ops *ops) { - if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) { - DEBUG(2,("gensec subsystem %s is disabled\n", ops->name)); - return NT_STATUS_OK; - } - if (gensec_security_by_name(NULL, ops->name) != NULL) { /* its already registered! */ DEBUG(0,("GENSEC backend '%s' already registered\n", @@ -1255,6 +1293,16 @@ static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ return (*gs2)->priority - (*gs1)->priority; } +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value) +{ + return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value); +} + +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value) +{ + return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value); +} + /* initialise the GENSEC subsystem */ diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index 0b31882ddd..cb7f3aec99 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -64,6 +64,7 @@ enum gensec_role struct auth_session_info; struct cli_credentials; +struct gensec_settings; struct gensec_update_request { struct gensec_security *gensec_security; @@ -77,6 +78,12 @@ struct gensec_update_request { } callback; }; +struct gensec_settings { + struct loadparm_context *lp_ctx; + struct smb_iconv_convenience *iconv_convenience; + const char *target_hostname; +}; + struct gensec_security_ops { const char *name; const char *sasl_name; @@ -151,7 +158,6 @@ struct gensec_security_ops_wrapper { struct gensec_security { const struct gensec_security_ops *ops; - struct loadparm_context *lp_ctx; void *private_data; struct cli_credentials *credentials; struct gensec_target target; 
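Review bot: Removing the `lp_parm_bool` check from `gensec_register()` moves enforcement of the "gensec:<name>" option from registration time to each lookup, but it also drops the only `DEBUG(2, "gensec subsystem %s is disabled")` trace, so an operator who disabled a mechanism no longer gets any log line confirming it. Because a disabled mechanism now stays in the list returned by `gensec_security_all()`, every caller that walks that list must apply `gensec_security_ops_enabled()` itself; the SPNEGO fallback hunk in this commit does, and any other direct iterator would presumably see disabled backends. I would record the new contract in a comment above the remaining registration code, `/* Disabled backends are still registered; gensec_security_ops_enabled() filters them at lookup time, so reach the list through the gensec_security_by_* helpers. */`, and log the disabled case from `gensec_security_ops_enabled()` at a debug level high enough not to flood per-lookup calls.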
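Review bot: `struct gensec_settings` in the gensec.h hunk is introduced without saying who owns it or how long it must live, yet `gensec_start()` and `gensec_subcontext_start()` keep it via `talloc_reference()`, which only works if the struct itself is a talloc allocation; a caller passing a stack or embedded struct would fail there rather than at the API boundary. I would document this on the declaration: the struct must be talloc-allocated and outlive no gensec context (they hold references), `lp_ctx` must be non-NULL (gensec_start asserts it), `target_hostname` is an optional override of the negotiated target consulted by `gensec_get_target_hostname()`, and `iconv_convenience` is handed unchanged to the NDR push/pull and PAC decoding helpers. A short `/* ... */` block with one line per field above the struct would cover it.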
@@ -161,6 +167,7 @@ struct gensec_security { struct event_context *event_ctx; struct messaging_context *msg_ctx; /* only valid as server */ struct socket_address *my_addr, *peer_addr; + struct gensec_settings *settings; }; /* this structure is used by backends to determine the size of some critical types */ @@ -210,7 +217,7 @@ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct event_context *ev, - struct loadparm_context *lp_ctx); + struct gensec_settings *settings); NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, const char **sasl_names); NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, @@ -232,7 +239,7 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security, DATA_BLOB *session_key); NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security, const char *mech_oid); -const char *gensec_get_name_by_oid(const char *oid_string); +const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string); struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security); struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security); NTSTATUS gensec_init(struct loadparm_context *lp_ctx); 
@@ -259,10 +266,10 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security, DATA_BLOB *sig); NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, uint8_t auth_type, uint8_t auth_level); -const char *gensec_get_name_by_authtype(uint8_t authtype); +const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype); NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security); NTSTATUS gensec_session_info(struct gensec_security *gensec_security, @@ -288,6 +295,7 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security, DATA_BLOB *out); struct gensec_security_ops **gensec_security_all(void); +bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct loadparm_context *lp_ctx); struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, struct gensec_security_ops **old_gensec_list, struct cli_credentials *creds); @@ -295,5 +303,7 @@ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, const char *sasl_name); +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value); +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value); #endif /* __GENSEC_H__ */ diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e307dbb5cb..dcfffef3df 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c 
@@ -154,7 +154,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->gss_exchange_count = 0; gensec_gssapi_state->max_wrap_buf_size - = lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536); + = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536); gensec_gssapi_state->sasl = false; gensec_gssapi_state->sasl_state = STAGE_GSS_NEG; @@ -170,16 +170,16 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; gensec_gssapi_state->want_flags = 0; - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) { gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG; } 
@@ -214,10 +214,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } - if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) { - char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx)); + if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) { + char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx)); if (!upper_realm) { - DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx))); + DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx))); talloc_free(gensec_gssapi_state); return NT_STATUS_NO_MEMORY; } @@ -231,7 +231,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) } /* don't do DNS lookups of any kind, it might/will fail for a netbios name */ - ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false)); + ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false)); if (ret) { DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n")); talloc_free(gensec_gssapi_state); @@ -240,7 +240,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) ret = smb_krb5_init_context(gensec_gssapi_state, gensec_security->event_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, &gensec_gssapi_state->smb_krb5_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", 
@@ -274,7 +274,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } else { ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->event_ctx, - gensec_security->lp_ctx, &gcc); + gensec_security->settings->lp_ctx, &gcc); if (ret) { DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", error_message(ret))); @@ -336,7 +336,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi gensec_gssapi_state->gss_oid = gss_mech_krb5; principal = gensec_get_target_principal(gensec_security); - if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) { + if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) { name_type = GSS_C_NULL_OID; } else { principal = talloc_asprintf(gensec_gssapi_state, "%s@%s", @@ -362,7 +362,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi ret = cli_credentials_get_client_gss_creds(creds, gensec_security->event_ctx, - gensec_security->lp_ctx, &gcc); + gensec_security->settings->lp_ctx, &gcc); switch (ret) { case 0: break; @@ -1142,10 +1142,10 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, return false; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) { return true; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) { return false; } 
@@ -1256,7 +1256,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi */ if (pac_blob.length) { nt_status = kerberos_pac_blob_to_server_info(mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, pac_blob, gensec_gssapi_state->smb_krb5_context->krb5_context, &server_info); @@ -1290,11 +1290,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, principal_string, + gensec_security->settings->lp_ctx, principal_string, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { @@ -1311,7 +1311,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi /* references the server_info into the session_info */ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, server_info, &session_info); + gensec_security->settings->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; 
@@ -1334,13 +1334,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx); + cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx); /* Just so we don't segfault trying to get at a username */ cli_credentials_set_anonymous(session_info->credentials); ret = cli_credentials_set_client_gss_creds(session_info->credentials, gensec_security->event_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, gensec_gssapi_state->delegated_cred_handle, CRED_SPECIFIED); if (ret) { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 1f54043038..16867366a4 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -120,7 +120,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) if (cli_credentials_get_krb5_context(creds, gensec_security->event_ctx, - gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { + gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } @@ -252,7 +252,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->event_ctx, - gensec_security->lp_ctx, &ccache_container); + gensec_security->settings->lp_ctx, &ccache_container); switch (ret) { case 0: break; @@ -267,7 +267,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } in_data.length = 0; - if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) { + if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, &target_principal); 
@@ -452,7 +452,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, /* Grab the keytab, however generated */ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->event_ctx, - gensec_security->lp_ctx, &keytab); + gensec_security->settings->lp_ctx, &keytab); if (ret) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -594,7 +594,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret && lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) { + if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", principal_string, smb_get_krb5_error_message(context, @@ -607,7 +607,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string, + nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string, &server_info); krb5_free_principal(context, client_principal); free(principal_string); @@ -630,7 +630,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* decode and verify the pac */ nt_status = kerberos_pac_logon_info(gensec_krb5_state, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, &logon_info, pac, gensec_krb5_state->smb_krb5_context->krb5_context, NULL, gensec_krb5_state->keyblock, 
@@ -655,7 +655,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info); + nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index f21202b86f..e6d38c14a3 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -85,7 +85,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ #endif ndr_err = ndr_push_struct_blob(out, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel, + gensec_security->settings->iconv_convenience, &bind_schannel, (ndr_push_flags_fn_t)ndr_push_schannel_bind); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); @@ -106,7 +106,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ /* parse the schannel startup blob */ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, &bind_schannel, (ndr_pull_flags_fn_t)ndr_pull_schannel_bind); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { @@ -126,7 +126,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ /* pull the session key for this client */ status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, workstation, + gensec_security->settings->lp_ctx, workstation, domain, &creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", 
@@ -144,7 +144,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ bind_schannel_ack.unknown3 = 0x6c0000; ndr_err = ndr_push_struct_blob(out, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel_ack, + gensec_security->settings->iconv_convenience, &bind_schannel_ack, (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); @@ -190,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, struct auth_session_info **_session_info) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); - return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info); + return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info); } static NTSTATUS schannel_start(struct gensec_security *gensec_security) diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c index bf991616bd..e51b215807 100644 --- a/source4/auth/gensec/spnego.c +++ b/source4/auth/gensec/spnego.c @@ -336,6 +336,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec for (i=0; all_ops[i]; i++) { bool is_spnego; NTSTATUS nt_status; + + if (gensec_security != NULL && + !gensec_security_ops_enabled(all_ops[i], gensec_security->settings->lp_ctx)) + continue; + if (!all_ops[i]->oid) { continue; } 
@@ -969,8 +974,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA spnego.negTokenTarg.supportedMech && strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) { DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n", - gensec_get_name_by_oid(spnego.negTokenTarg.supportedMech), - gensec_get_name_by_oid(spnego_state->neg_oid))); + gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech), + gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid))); talloc_free(spnego_state->sub_sec_security); nt_status = gensec_subcontext_start(spnego_state, diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c index 90b542c4c4..06db904130 100644 --- a/source4/auth/kerberos/krb5_init_context.c +++ b/source4/auth/kerberos/krb5_init_context.c @@ -250,14 +250,10 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context, status = NT_STATUS_INVALID_PARAMETER; switch (hi->proto) { case KRB5_KRBHST_UDP: - if (lp_parm_bool(global_loadparm, NULL, "krb5", "udp", true)) { - status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0); - } + status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0); break; case KRB5_KRBHST_TCP: - if (lp_parm_bool(global_loadparm, NULL, "krb5", "tcp", true)) { - status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0); - } + status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0); break; case KRB5_KRBHST_HTTP: talloc_free(smb_krb5); diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 78429106f6..d1be5b6e30 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
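Review bot: In the krb5_init_context.c hunk, dropping the `krb5:udp` and `krb5:tcp` parametric checks silently discards a configuration knob: a site that set one of them to `no` to force a single KDC transport now has the corresponding `socket_create()` run unconditionally, with no warning that the option is ignored. If removing `global_loadparm` from this path is the goal, the behaviour change should at least be visible in the code, e.g. `/* Both UDP and TCP KDC transports are always attempted; the former krb5:udp / krb5:tcp options are no longer honoured. */`, and ideally the two flags would be carried in `smb_krb5` from the caller's `lp_ctx` rather than removed. The enclosing `smb_krb5_send_and_recv_func` starts and ends outside the hunk.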
@@ -185,7 +185,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, *lm_sess_key = data_blob(NULL, 0); *user_sess_key = data_blob(NULL, 0); status = hash_password_check(mem_ctx, - auth_context->lp_ctx, + lp_lanman_auth(auth_context->lp_ctx), user_info->password.hash.lanman, user_info->password.hash.nt, user_info->mapped.account_name, @@ -195,7 +195,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context, case AUTH_PASSWORD_RESPONSE: status = ntlm_password_check(mem_ctx, - auth_context->lp_ctx, + lp_lanman_auth(auth_context->lp_ctx), + lp_ntlm_auth(auth_context->lp_ctx), user_info->logon_parameters, &auth_context->challenge.data, &user_info->password.response.lanman, diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c index 0b1e091eea..fd0ef0fe4a 100644 --- a/source4/auth/ntlm/auth_server.c +++ b/source4/auth/ntlm/auth_server.c @@ -66,6 +66,8 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX return NT_STATUS_INTERNAL_ERROR; } io.in.dest_ports = lp_smb_ports(ctx->auth_ctx->lp_ctx); + io.in.socket_options = lp_socket_options(ctx->auth_ctx->lp_ctx); + io.in.gensec_settings = lp_gensec_settings(mem_ctx, ctx->auth_ctx->lp_ctx); io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host); @@ -145,6 +147,7 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx, session_setup.in.credentials = creds; session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */ + session_setup.in.gensec_settings = lp_gensec_settings(session, ctx->auth_ctx->lp_ctx); /* Check password with remove server - this should be async some day */ nt_status = smb_composite_sesssetup(session, &session_setup); diff --git a/source4/auth/ntlm/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c index b43190c5ba..a3ac7f3347 100644 --- a/source4/auth/ntlm/ntlm_check.c +++ b/source4/auth/ntlm/ntlm_check.c 
@@ -23,7 +23,6 @@ #include "../lib/crypto/crypto.h" #include "librpc/gen_ndr/netlogon.h" #include "libcli/auth/libcli_auth.h" -#include "param/param.h" #include "auth/ntlm/ntlm_check.h" /**************************************************************************** @@ -220,7 +219,7 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx, */ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, + bool lanman_auth, const struct samr_Password *client_lanman, const struct samr_Password *client_nt, const char *username, @@ -242,7 +241,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, } } else if (client_lanman && stored_lanman) { - if (!lp_lanman_auth(lp_ctx)) { + if (!lanman_auth) { DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n", username)); return NT_STATUS_WRONG_PASSWORD; @@ -283,7 +282,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, */ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, + bool lanman_auth, + bool ntlm_auth, uint32_t logon_parameters, const DATA_BLOB *challenge, const DATA_BLOB *lm_response, @@ -321,7 +321,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, mdfour(client_nt.hash, nt_response->data, nt_response->length); if (lm_response->length && - (convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(lp_ctx), CH_DOS, CH_UNIX, + (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX, lm_response->data, lm_response->length, (void **)&unix_pw) != -1)) { if (E_deshash(unix_pw, client_lm.hash)) { @@ -333,7 +333,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, lm_ok = false; } return hash_password_check(mem_ctx, - lp_ctx, + lanman_auth, lm_ok ? &client_lm : NULL, nt_response->length ? &client_nt : NULL, username, 
@@ -396,7 +396,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n")); } } else if (nt_response->length == 24 && stored_nt) { - if (lp_ntlm_auth(lp_ctx)) { + if (ntlm_auth) { /* We have the NT MD4 hash challenge available - see if we can use it (ie. does it exist in the smbpasswd file). */ @@ -408,7 +408,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, /* The LM session key for this response is not very secure, so use it only if we otherwise allow LM authentication */ - if (lp_lanman_auth(lp_ctx) && stored_lanman) { + if (lanman_auth && stored_lanman) { *lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8); } return NT_STATUS_OK; @@ -436,7 +436,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, return NT_STATUS_WRONG_PASSWORD; } - if (!lp_lanman_auth(lp_ctx)) { + if (!lanman_auth) { DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n", username)); } else if (!stored_lanman) { @@ -455,7 +455,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, It not very secure, so use it only if we otherwise allow LM authentication */ - if (lp_lanman_auth(lp_ctx) && stored_lanman) { + if (lanman_auth && stored_lanman) { uint8_t first_8_lm_hash[16]; memcpy(first_8_lm_hash, stored_lanman->hash, 8); memset(first_8_lm_hash + 8, '\0', 8); @@ -571,7 +571,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - I think this is related to Win9X pass-though authentication */ DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n")); - if (lp_ntlm_auth(lp_ctx)) { + if (ntlm_auth) { if (smb_pwd_check_ntlmv1(mem_ctx, lm_response, stored_nt->hash, challenge, 
@@ -580,7 +580,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, It not very secure, so use it only if we otherwise allow LM authentication */ - if (lp_lanman_auth(lp_ctx) && stored_lanman) { + if (lanman_auth && stored_lanman) { uint8_t first_8_lm_hash[16]; memcpy(first_8_lm_hash, stored_lanman->hash, 8); memset(first_8_lm_hash + 8, '\0', 8); diff --git a/source4/auth/ntlm/ntlm_check.h b/source4/auth/ntlm/ntlm_check.h index eb115b74d6..df11f7d7a2 100644 --- a/source4/auth/ntlm/ntlm_check.h +++ b/source4/auth/ntlm/ntlm_check.h @@ -36,7 +36,7 @@ */ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, + bool lanman_auth, const struct samr_Password *client_lanman, const struct samr_Password *client_nt, const char *username, @@ -61,7 +61,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, */ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, + bool lanman_auth, + bool ntlm_auth, uint32_t logon_parameters, const DATA_BLOB *challenge, const DATA_BLOB *lm_response, diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index cea18c45a7..1b14e461c3 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -159,7 +159,6 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_ntlmssp_state *gensec_n } } else { if (!msrpc_parse(gensec_ntlmssp_state, - lp_iconv_convenience(gensec_security->lp_ctx), &input, "Cd", "NTLMSSP", &ntlmssp_command)) { diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 0ef40200fe..e28d8462d4 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -122,7 +122,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if (!msrpc_parse(mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &in, "CdBd", "NTLMSSP", &ntlmssp_command, 
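Review bot: The ntlm_check.h prototypes of hash_password_check and ntlm_password_check gain `bool lanman_auth` and `bool ntlm_auth` in place of `lp_ctx`, but the documentation blocks that close with `*/` just above each prototype are untouched, so the header no longer explains what these policy flags admit. Document them on both prototypes, for example `@param lanman_auth  allow LM hashes/responses to be checked (the "lanman auth" policy); when false an LM-only interactive logon is rejected with NT_STATUS_WRONG_PASSWORD` and, for ntlm_password_check, `@param ntlm_auth  allow a 24-byte NTLMv1 NT response to be verified (the "ntlm auth" policy)`; the ntlm_check.c hunks earlier on this page show both behaviours. Keep the wording about NTLMv2 hedged unless the unchanged part of ntlm_password_check is checked, since only the NTLMv1 branch is visibly gated here. The documentation blocks themselves start outside the hunks.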
@@ -160,7 +159,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if (!msrpc_parse(mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &in, chal_parse_string, "NTLMSSP", &ntlmssp_command, @@ -194,7 +192,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (gensec_ntlmssp_state->use_nt_response) { flags |= CLI_CRED_NTLM_AUTH; } - if (lp_client_lanman_auth(gensec_security->lp_ctx)) { + if (lp_client_lanman_auth(gensec_security->settings->lp_ctx)) { flags |= CLI_CRED_LANMAN_AUTH; } @@ -219,7 +217,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) - && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) { + && lp_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) { DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, 
@@ -310,17 +308,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx); + gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx); - gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true); + gensec_ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true); + gensec_ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true); - gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx) - && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false) - || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false))); + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->settings->lp_ctx) + && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false) + || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false))); - gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->settings->lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; 
@@ -328,27 +326,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ diff --git a/source4/auth/ntlmssp/ntlmssp_parse.c b/source4/auth/ntlmssp/ntlmssp_parse.c index 24f3ad27af..d606b8d563 100644 --- a/source4/auth/ntlmssp/ntlmssp_parse.c +++ b/source4/auth/ntlmssp/ntlmssp_parse.c 
@@ -186,7 +186,7 @@ if ((head_ofs + amount) > blob->length) { \ return false; \ } -/* +/** this is a tiny msrpc packet parser. This the the partner of msrpc_gen format specifiers are: @@ -200,7 +200,6 @@ if ((head_ofs + amount) > blob->length) { \ */ bool msrpc_parse(TALLOC_CTX *mem_ctx, - struct smb_iconv_convenience *iconv_convenience, const DATA_BLOB *blob, const char *format, ...) { diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 38973f623d..37cc5f318f 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -136,7 +136,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, if (in.length) { if ((in.length < 16) || !msrpc_parse(out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &in, "Cdd", "NTLMSSP", &ntlmssp_command, @@ -187,7 +186,7 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, /* Find out the DNS domain name */ dnsdomname[0] = '\0'; - safe_strcpy(dnsdomname, lp_realm(gensec_security->lp_ctx), sizeof(dnsdomname) - 1); + safe_strcpy(dnsdomname, lp_realm(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1); strlower_m(dnsdomname); /* Find out the DNS host name */ @@ -282,7 +281,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms /* now the NTLMSSP encoded auth hashes */ if (!msrpc_parse(gensec_ntlmssp_state, - lp_iconv_convenience(gensec_ntlmssp_state->gensec_security->lp_ctx), &request, parse_string, "NTLMSSP", &ntlmssp_command, @@ -309,7 +307,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms /* now the NTLMSSP encoded auth hashes */ if (!msrpc_parse(gensec_ntlmssp_state, - lp_iconv_convenience(gensec_ntlmssp_state->gensec_security->lp_ctx), &request, parse_string, "NTLMSSP", &ntlmssp_command, 
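Review bot: The comment above msrpc_parse is promoted from `/*` to a Doxygen `/**` block, which makes it API documentation, yet it still reads `This the the partner of msrpc_gen` and says nothing about the failure contract. Fix the sentence to `This is the partner of msrpc_gen` and add `@return false if the blob is truncated or a field does not fit; the caller must treat the output arguments as unset`, which the bounds-check macro visible at the top of the hunk (`if ((head_ofs + amount) > blob->length) { return false; }`) supports. Also note in the block that the function now converts strings with the process-default charset conversion instead of a caller-supplied iconv handle, since that is a behaviour change callers of the dropped parameter may care about. The function body continues past the hunk.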
@@ -725,7 +722,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, NTSTATUS nt_status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; - nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info); + nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_ntlmssp_state->server_info, session_info); NT_STATUS_NOT_OK_RETURN(nt_status); (*session_info)->session_key = data_blob_talloc(*session_info, @@ -752,14 +749,14 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_SERVER; gensec_ntlmssp_state->workstation = NULL; - gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->lp_ctx); + gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->settings->lp_ctx); - gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx); + gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE; - gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->lp_ctx) - && lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "allow_lm_key", false)); + gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->settings->lp_ctx) + && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false)); gensec_ntlmssp_state->server_multiple_authentications = false; 
@@ -770,23 +767,23 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->nt_resp = data_blob(NULL, 0); gensec_ntlmssp_state->encrypted_session_key = data_blob(NULL, 0); - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "128bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "56bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "keyexchange", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "alwayssign", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "ntlm2", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } @@ -800,7 +797,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) nt_status = auth_context_create(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->msg_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, &gensec_ntlmssp_state->auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); 
@@ -808,7 +805,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; gensec_ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; gensec_ntlmssp_state->check_password = auth_ntlmssp_check_password; - gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->lp_ctx); + gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->settings->lp_ctx); return NT_STATUS_OK; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 4255a6432a..f6a998ae0f 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -447,7 +447,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx)); + sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, + system_session(tmp_ctx, lp_ctx)); if (sam_ctx == NULL) { talloc_free(tmp_ctx); return NT_STATUS_INVALID_SYSTEM_SERVICE; @@ -459,7 +460,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, return nt_status; } - nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(lp_ctx), + nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, + lp_netbios_name(lp_ctx), msgs[0], msgs_domain_ref[0], user_sess_key, lm_sess_key, server_info); diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 1d227fe468..07b0060643 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -234,6 +234,7 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_serversupplied_info **_server_info) { struct auth_serversupplied_info *server_info; + server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); |