summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/gensec/gensec.c90
-rw-r--r--source4/auth/gensec/gensec.h20
-rw-r--r--source4/auth/gensec/gensec_gssapi.c42
-rw-r--r--source4/auth/gensec/gensec_krb5.c16
-rw-r--r--source4/auth/gensec/schannel.c10
-rw-r--r--source4/auth/gensec/spnego.c9
-rw-r--r--source4/auth/kerberos/krb5_init_context.c8
-rw-r--r--source4/auth/ntlm/auth_sam.c5
-rw-r--r--source4/auth/ntlm/auth_server.c3
-rw-r--r--source4/auth/ntlm/ntlm_check.c24
-rw-r--r--source4/auth/ntlm/ntlm_check.h5
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c1
-rw-r--r--source4/auth/ntlmssp/ntlmssp_client.c32
-rw-r--r--source4/auth/ntlmssp/ntlmssp_parse.c3
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c29
-rw-r--r--source4/auth/sam.c6
-rw-r--r--source4/auth/system_session.c1
17 files changed, 182 insertions, 122 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 5d57383d2a..7a8da71a7d 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -40,6 +40,12 @@ _PUBLIC_ struct gensec_security_ops **gensec_security_all(void)
return generic_security_ops;
}
+bool gensec_security_ops_enabled(struct gensec_security_ops *ops,
+ struct loadparm_context *lp_ctx)
+{
+ return lp_parm_bool(lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+}
+
/* Sometimes we want to force only kerberos, sometimes we want to
* force it's avoidance. The old list could be either
* gensec_security_all(), or from cli_credentials_gensec_list() (ie,
@@ -76,6 +82,7 @@ _PUBLIC_ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_
j = 0;
for (i=0; old_gensec_list && old_gensec_list[i]; i++) {
int oid_idx;
+
for (oid_idx = 0; old_gensec_list[i]->oid && old_gensec_list[i]->oid[oid_idx]; oid_idx++) {
if (strcmp(old_gensec_list[i]->oid[oid_idx], GENSEC_OID_SPNEGO) == 0) {
new_gensec_list[j] = old_gensec_list[i];
@@ -140,6 +147,9 @@ static const struct gensec_security_ops *gensec_security_by_authtype(struct gens
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i],
+ gensec_security->settings->lp_ctx))
+ continue;
if (backends[i]->auth_type == auth_type) {
backend = backends[i];
talloc_free(mem_ctx);
@@ -163,6 +173,10 @@ const struct gensec_security_ops *gensec_security_by_oid(struct gensec_security
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i],
+ gensec_security->settings->lp_ctx))
+ continue;
if (backends[i]->oid) {
for (j=0; backends[i]->oid[j]; j++) {
if (backends[i]->oid[j] &&
@@ -191,6 +205,8 @@ const struct gensec_security_ops *gensec_security_by_sasl_name(struct gensec_sec
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (!gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx))
+ continue;
if (backends[i]->sasl_name
&& (strcmp(backends[i]->sasl_name, sasl_name) == 0)) {
backend = backends[i];
@@ -215,6 +231,9 @@ static const struct gensec_security_ops *gensec_security_by_name(struct gensec_s
}
backends = gensec_security_mechs(gensec_security, mem_ctx);
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx))
+ continue;
if (backends[i]->name
&& (strcmp(backends[i]->name, name) == 0)) {
backend = backends[i];
@@ -258,6 +277,9 @@ const struct gensec_security_ops **gensec_security_by_sasl_list(struct gensec_se
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx))
+ continue;
for (sasl_idx = 0; sasl_names[sasl_idx]; sasl_idx++) {
if (!backends[i]->sasl_name ||
!(strcmp(backends[i]->sasl_name,
@@ -326,6 +348,9 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
/* Find backends in our preferred order, by walking our list,
* then looking in the supplied list */
for (i=0; backends && backends[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(backends[i], gensec_security->settings->lp_ctx))
+ continue;
if (!backends[i]->oid) {
continue;
}
@@ -374,7 +399,8 @@ const struct gensec_security_ops_wrapper *gensec_security_by_oid_list(struct gen
* Return OIDS from the security subsystems listed
*/
-const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
+const char **gensec_security_oids_from_ops(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
struct gensec_security_ops **ops,
const char *skip)
{
@@ -391,6 +417,10 @@ const char **gensec_security_oids_from_ops(TALLOC_CTX *mem_ctx,
}
for (i=0; ops && ops[i]; i++) {
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(ops[i], gensec_security->settings->lp_ctx)) {
+ continue;
+ }
if (!ops[i]->oid) {
continue;
}
@@ -464,7 +494,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
{
struct gensec_security_ops **ops
= gensec_security_mechs(gensec_security, mem_ctx);
- return gensec_security_oids_from_ops(mem_ctx, ops, skip);
+ return gensec_security_oids_from_ops(gensec_security, mem_ctx, ops, skip);
}
@@ -477,7 +507,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security)
{
@@ -501,7 +531,8 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->event_ctx = ev;
(*gensec_security)->msg_ctx = msg;
- (*gensec_security)->lp_ctx = lp_ctx;
+ SMB_ASSERT(settings->lp_ctx != NULL);
+ (*gensec_security)->settings = talloc_reference(*gensec_security, settings);
return NT_STATUS_OK;
}
@@ -529,7 +560,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
(*gensec_security)->msg_ctx = parent->msg_ctx;
- (*gensec_security)->lp_ctx = parent->lp_ctx;
+ (*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
return NT_STATUS_OK;
}
@@ -543,11 +574,16 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
_PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
struct event_context *ev,
- struct loadparm_context *lp_ctx)
+ struct gensec_settings *settings)
{
NTSTATUS status;
- status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security);
+ if (settings == NULL) {
+ DEBUG(0,("gensec_client_start: no settings given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -564,7 +600,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
*/
_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security)
{
@@ -580,7 +616,12 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security);
+ if (!settings) {
+ DEBUG(0,("gensec_server_start: no settings given!\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = gensec_start(mem_ctx, ev, settings, msg, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -653,10 +694,10 @@ _PUBLIC_ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_s
return gensec_start_mech(gensec_security);
}
-_PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype)
+_PUBLIC_ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_authtype(NULL, authtype);
+ ops = gensec_security_by_authtype(gensec_security, authtype);
if (ops) {
return ops->name;
}
@@ -664,10 +705,11 @@ _PUBLIC_ const char *gensec_get_name_by_authtype(uint8_t authtype)
}
-_PUBLIC_ const char *gensec_get_name_by_oid(const char *oid_string)
+_PUBLIC_ const char *gensec_get_name_by_oid(struct gensec_security *gensec_security,
+ const char *oid_string)
{
const struct gensec_security_ops *ops;
- ops = gensec_security_by_oid(NULL, oid_string);
+ ops = gensec_security_by_oid(gensec_security, oid_string);
if (ops) {
return ops->name;
}
@@ -697,6 +739,8 @@ NTSTATUS gensec_start_mech_by_ops(struct gensec_security *gensec_security,
_PUBLIC_ NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid)
{
+ SMB_ASSERT(gensec_security != NULL);
+
gensec_security->ops = gensec_security_by_oid(gensec_security, mech_oid);
if (!gensec_security->ops) {
DEBUG(3, ("Could not find GENSEC backend for oid=%s\n", mech_oid));
@@ -1107,9 +1151,8 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu
_PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security)
{
/* We allow the target hostname to be overriden for testing purposes */
- const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname");
- if (target_hostname) {
- return target_hostname;
+ if (gensec_security->settings->target_hostname) {
+ return gensec_security->settings->target_hostname;
}
if (gensec_security->target.hostname) {
@@ -1205,11 +1248,6 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
*/
NTSTATUS gensec_register(const struct gensec_security_ops *ops)
{
- if (!lp_parm_bool(global_loadparm, NULL, "gensec", ops->name, ops->enabled)) {
- DEBUG(2,("gensec subsystem %s is disabled\n", ops->name));
- return NT_STATUS_OK;
- }
-
if (gensec_security_by_name(NULL, ops->name) != NULL) {
/* its already registered! */
DEBUG(0,("GENSEC backend '%s' already registered\n",
@@ -1255,6 +1293,16 @@ static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_
return (*gs2)->priority - (*gs1)->priority;
}
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
+{
+ return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
+{
+ return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+}
+
/*
initialise the GENSEC subsystem
*/
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 0b31882ddd..cb7f3aec99 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -64,6 +64,7 @@ enum gensec_role
struct auth_session_info;
struct cli_credentials;
+struct gensec_settings;
struct gensec_update_request {
struct gensec_security *gensec_security;
@@ -77,6 +78,12 @@ struct gensec_update_request {
} callback;
};
+struct gensec_settings {
+ struct loadparm_context *lp_ctx;
+ struct smb_iconv_convenience *iconv_convenience;
+ const char *target_hostname;
+};
+
struct gensec_security_ops {
const char *name;
const char *sasl_name;
@@ -151,7 +158,6 @@ struct gensec_security_ops_wrapper {
struct gensec_security {
const struct gensec_security_ops *ops;
- struct loadparm_context *lp_ctx;
void *private_data;
struct cli_credentials *credentials;
struct gensec_target target;
@@ -161,6 +167,7 @@ struct gensec_security {
struct event_context *event_ctx;
struct messaging_context *msg_ctx; /* only valid as server */
struct socket_address *my_addr, *peer_addr;
+ struct gensec_settings *settings;
};
/* this structure is used by backends to determine the size of some critical types */
@@ -210,7 +217,7 @@ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
struct gensec_security **gensec_security,
struct event_context *ev,
- struct loadparm_context *lp_ctx);
+ struct gensec_settings *settings);
NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security,
const char **sasl_names);
NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
@@ -232,7 +239,7 @@ NTSTATUS gensec_session_key(struct gensec_security *gensec_security,
DATA_BLOB *session_key);
NTSTATUS gensec_start_mech_by_oid(struct gensec_security *gensec_security,
const char *mech_oid);
-const char *gensec_get_name_by_oid(const char *oid_string);
+const char *gensec_get_name_by_oid(struct gensec_security *gensec_security, const char *oid_string);
struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security);
struct socket_address *gensec_get_peer_addr(struct gensec_security *gensec_security);
NTSTATUS gensec_init(struct loadparm_context *lp_ctx);
@@ -259,10 +266,10 @@ NTSTATUS gensec_sign_packet(struct gensec_security *gensec_security,
DATA_BLOB *sig);
NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security,
uint8_t auth_type, uint8_t auth_level);
-const char *gensec_get_name_by_authtype(uint8_t authtype);
+const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security, uint8_t authtype);
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct event_context *ev,
- struct loadparm_context *lp_ctx,
+ struct gensec_settings *settings,
struct messaging_context *msg,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
@@ -288,6 +295,7 @@ NTSTATUS gensec_wrap(struct gensec_security *gensec_security,
DATA_BLOB *out);
struct gensec_security_ops **gensec_security_all(void);
+bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct loadparm_context *lp_ctx);
struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
struct gensec_security_ops **old_gensec_list,
struct cli_credentials *creds);
@@ -295,5 +303,7 @@ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx,
NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security,
const char *sasl_name);
+int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value);
+bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value);
#endif /* __GENSEC_H__ */
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e307dbb5cb..dcfffef3df 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -154,7 +154,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->gss_exchange_count = 0;
gensec_gssapi_state->max_wrap_buf_size
- = lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536);
+ = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536);
gensec_gssapi_state->sasl = false;
gensec_gssapi_state->sasl_state = STAGE_GSS_NEG;
@@ -170,16 +170,16 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS;
gensec_gssapi_state->want_flags = 0;
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG;
}
@@ -214,10 +214,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
talloc_free(gensec_gssapi_state);
return NT_STATUS_INTERNAL_ERROR;
}
- if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) {
- char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx));
+ if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) {
+ char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx));
if (!upper_realm) {
- DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx)));
+ DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx)));
talloc_free(gensec_gssapi_state);
return NT_STATUS_NO_MEMORY;
}
@@ -231,7 +231,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
}
/* don't do DNS lookups of any kind, it might/will fail for a netbios name */
- ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false));
+ ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false));
if (ret) {
DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n"));
talloc_free(gensec_gssapi_state);
@@ -240,7 +240,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
ret = smb_krb5_init_context(gensec_gssapi_state,
gensec_security->event_ctx,
- gensec_security->lp_ctx,
+ gensec_security->settings->lp_ctx,
&gensec_gssapi_state->smb_krb5_context);
if (ret) {
DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n",
@@ -274,7 +274,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi
} else {
ret = cli_credentials_get_server_gss_creds(machine_account,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gcc);
+ gensec_security->settings->lp_ctx, &gcc);
if (ret) {
DEBUG(1, ("Aquiring acceptor credentials failed: %s\n",
error_message(ret)));
@@ -336,7 +336,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
gensec_gssapi_state->gss_oid = gss_mech_krb5;
principal = gensec_get_target_principal(gensec_security);
- if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
+ if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
name_type = GSS_C_NULL_OID;
} else {
principal = talloc_asprintf(gensec_gssapi_state, "%s@%s",
@@ -362,7 +362,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi
ret = cli_credentials_get_client_gss_creds(creds,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gcc);
+ gensec_security->settings->lp_ctx, &gcc);
switch (ret) {
case 0:
break;
@@ -1142,10 +1142,10 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security,
return false;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) {
return true;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) {
return false;
}
@@ -1256,7 +1256,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
*/
if (pac_blob.length) {
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
pac_blob,
gensec_gssapi_state->smb_krb5_context->krb5_context,
&server_info);
@@ -1290,11 +1290,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
- if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
+ if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, principal_string,
+ gensec_security->settings->lp_ctx, principal_string,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
@@ -1311,7 +1311,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
/* references the server_info into the session_info */
nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, server_info, &session_info);
+ gensec_security->settings->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -1334,13 +1334,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return NT_STATUS_NO_MEMORY;
}
- cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx);
+ cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(session_info->credentials);
ret = cli_credentials_set_client_gss_creds(session_info->credentials,
gensec_security->event_ctx,
- gensec_security->lp_ctx,
+ gensec_security->settings->lp_ctx,
gensec_gssapi_state->delegated_cred_handle,
CRED_SPECIFIED);
if (ret) {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 1f54043038..16867366a4 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -120,7 +120,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security)
if (cli_credentials_get_krb5_context(creds,
gensec_security->event_ctx,
- gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
+ gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) {
talloc_free(gensec_krb5_state);
return NT_STATUS_INTERNAL_ERROR;
}
@@ -252,7 +252,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
- gensec_security->lp_ctx, &ccache_container);
+ gensec_security->settings->lp_ctx, &ccache_container);
switch (ret) {
case 0:
break;
@@ -267,7 +267,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security
}
in_data.length = 0;
- if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) {
+ if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) {
krb5_principal target_principal;
ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal,
&target_principal);
@@ -452,7 +452,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security,
/* Grab the keytab, however generated */
ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security),
gensec_security->event_ctx,
- gensec_security->lp_ctx, &keytab);
+ gensec_security->settings->lp_ctx, &keytab);
if (ret) {
return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
}
@@ -594,7 +594,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
- if (ret && lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) {
+ if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
principal_string,
smb_get_krb5_error_message(context,
@@ -607,7 +607,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string,
+ nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string,
&server_info);
krb5_free_principal(context, client_principal);
free(principal_string);
@@ -630,7 +630,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
/* decode and verify the pac */
nt_status = kerberos_pac_logon_info(gensec_krb5_state,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
&logon_info, pac,
gensec_krb5_state->smb_krb5_context->krb5_context,
NULL, gensec_krb5_state->keyblock,
@@ -655,7 +655,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info);
+ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index f21202b86f..e6d38c14a3 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -85,7 +85,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
#endif
ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel,
+ gensec_security->settings->iconv_convenience, &bind_schannel,
(ndr_push_flags_fn_t)ndr_push_schannel_bind);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -106,7 +106,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
/* parse the schannel startup blob */
ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
+ gensec_security->settings->iconv_convenience,
&bind_schannel,
(ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
@@ -126,7 +126,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
/* pull the session key for this client */
status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx,
- gensec_security->lp_ctx, workstation,
+ gensec_security->settings->lp_ctx, workstation,
domain, &creds);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
@@ -144,7 +144,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
bind_schannel_ack.unknown3 = 0x6c0000;
ndr_err = ndr_push_struct_blob(out, out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel_ack,
+ gensec_security->settings->iconv_convenience, &bind_schannel_ack,
(ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
status = ndr_map_error2ntstatus(ndr_err);
@@ -190,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
struct auth_session_info **_session_info)
{
struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state);
- return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info);
+ return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info);
}
static NTSTATUS schannel_start(struct gensec_security *gensec_security)
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index bf991616bd..e51b215807 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -336,6 +336,11 @@ static NTSTATUS gensec_spnego_server_try_fallback(struct gensec_security *gensec
for (i=0; all_ops[i]; i++) {
bool is_spnego;
NTSTATUS nt_status;
+
+ if (gensec_security != NULL &&
+ !gensec_security_ops_enabled(all_ops[i], gensec_security->settings->lp_ctx))
+ continue;
+
if (!all_ops[i]->oid) {
continue;
}
@@ -969,8 +974,8 @@ static NTSTATUS gensec_spnego_update(struct gensec_security *gensec_security, TA
spnego.negTokenTarg.supportedMech &&
strcmp(spnego.negTokenTarg.supportedMech, spnego_state->neg_oid) != 0) {
DEBUG(3,("GENSEC SPNEGO: client preferred mech (%s) not accepted, server wants: %s\n",
- gensec_get_name_by_oid(spnego.negTokenTarg.supportedMech),
- gensec_get_name_by_oid(spnego_state->neg_oid)));
+ gensec_get_name_by_oid(gensec_security, spnego.negTokenTarg.supportedMech),
+ gensec_get_name_by_oid(gensec_security, spnego_state->neg_oid)));
talloc_free(spnego_state->sub_sec_security);
nt_status = gensec_subcontext_start(spnego_state,
diff --git a/source4/auth/kerberos/krb5_init_context.c b/source4/auth/kerberos/krb5_init_context.c
index 90b542c4c4..06db904130 100644
--- a/source4/auth/kerberos/krb5_init_context.c
+++ b/source4/auth/kerberos/krb5_init_context.c
@@ -250,14 +250,10 @@ krb5_error_code smb_krb5_send_and_recv_func(krb5_context context,
status = NT_STATUS_INVALID_PARAMETER;
switch (hi->proto) {
case KRB5_KRBHST_UDP:
- if (lp_parm_bool(global_loadparm, NULL, "krb5", "udp", true)) {
- status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0);
- }
+ status = socket_create(name, SOCKET_TYPE_DGRAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_TCP:
- if (lp_parm_bool(global_loadparm, NULL, "krb5", "tcp", true)) {
- status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
- }
+ status = socket_create(name, SOCKET_TYPE_STREAM, &smb_krb5->sock, 0);
break;
case KRB5_KRBHST_HTTP:
talloc_free(smb_krb5);
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 78429106f6..d1be5b6e30 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -185,7 +185,7 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
*lm_sess_key = data_blob(NULL, 0);
*user_sess_key = data_blob(NULL, 0);
status = hash_password_check(mem_ctx,
- auth_context->lp_ctx,
+ lp_lanman_auth(auth_context->lp_ctx),
user_info->password.hash.lanman,
user_info->password.hash.nt,
user_info->mapped.account_name,
@@ -195,7 +195,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
case AUTH_PASSWORD_RESPONSE:
status = ntlm_password_check(mem_ctx,
- auth_context->lp_ctx,
+ lp_lanman_auth(auth_context->lp_ctx),
+ lp_ntlm_auth(auth_context->lp_ctx),
user_info->logon_parameters,
&auth_context->challenge.data,
&user_info->password.response.lanman,
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index 0b1e091eea..fd0ef0fe4a 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -66,6 +66,8 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
return NT_STATUS_INTERNAL_ERROR;
}
io.in.dest_ports = lp_smb_ports(ctx->auth_ctx->lp_ctx);
+ io.in.socket_options = lp_socket_options(ctx->auth_ctx->lp_ctx);
+ io.in.gensec_settings = lp_gensec_settings(mem_ctx, ctx->auth_ctx->lp_ctx);
io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host);
@@ -145,6 +147,7 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx,
session_setup.in.credentials = creds;
session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */
+ session_setup.in.gensec_settings = lp_gensec_settings(session, ctx->auth_ctx->lp_ctx);
/* Check password with remove server - this should be async some day */
nt_status = smb_composite_sesssetup(session, &session_setup);
diff --git a/source4/auth/ntlm/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c
index b43190c5ba..a3ac7f3347 100644
--- a/source4/auth/ntlm/ntlm_check.c
+++ b/source4/auth/ntlm/ntlm_check.c
@@ -23,7 +23,6 @@
#include "../lib/crypto/crypto.h"
#include "librpc/gen_ndr/netlogon.h"
#include "libcli/auth/libcli_auth.h"
-#include "param/param.h"
#include "auth/ntlm/ntlm_check.h"
/****************************************************************************
@@ -220,7 +219,7 @@ static bool smb_sess_key_ntlmv2(TALLOC_CTX *mem_ctx,
*/
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
@@ -242,7 +241,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
}
} else if (client_lanman && stored_lanman) {
- if (!lp_lanman_auth(lp_ctx)) {
+ if (!lanman_auth) {
DEBUG(3,("ntlm_password_check: Interactive logon: only LANMAN password supplied for user %s, and LM passwords are disabled!\n",
username));
return NT_STATUS_WRONG_PASSWORD;
@@ -283,7 +282,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
+ bool ntlm_auth,
uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
@@ -321,7 +321,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
mdfour(client_nt.hash, nt_response->data, nt_response->length);
if (lm_response->length &&
- (convert_string_talloc_convenience(mem_ctx, lp_iconv_convenience(lp_ctx), CH_DOS, CH_UNIX,
+ (convert_string_talloc(mem_ctx, CH_DOS, CH_UNIX,
lm_response->data, lm_response->length,
(void **)&unix_pw) != -1)) {
if (E_deshash(unix_pw, client_lm.hash)) {
@@ -333,7 +333,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
lm_ok = false;
}
return hash_password_check(mem_ctx,
- lp_ctx,
+ lanman_auth,
lm_ok ? &client_lm : NULL,
nt_response->length ? &client_nt : NULL,
username,
@@ -396,7 +396,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
DEBUG(3,("ntlm_password_check: NTLMv2 password check failed\n"));
}
} else if (nt_response->length == 24 && stored_nt) {
- if (lp_ntlm_auth(lp_ctx)) {
+ if (ntlm_auth) {
/* We have the NT MD4 hash challenge available - see if we can
use it (ie. does it exist in the smbpasswd file).
*/
@@ -408,7 +408,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
/* The LM session key for this response is not very secure,
so use it only if we otherwise allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
*lm_sess_key = data_blob_talloc(mem_ctx, stored_lanman->hash, 8);
}
return NT_STATUS_OK;
@@ -436,7 +436,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
return NT_STATUS_WRONG_PASSWORD;
}
- if (!lp_lanman_auth(lp_ctx)) {
+ if (!lanman_auth) {
DEBUG(3,("ntlm_password_check: Lanman passwords NOT PERMITTED for user %s\n",
username));
} else if (!stored_lanman) {
@@ -455,7 +455,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
It not very secure, so use it only if we otherwise
allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, stored_lanman->hash, 8);
memset(first_8_lm_hash + 8, '\0', 8);
@@ -571,7 +571,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- I think this is related to Win9X pass-though authentication
*/
DEBUG(4,("ntlm_password_check: Checking NT MD4 password in LM field\n"));
- if (lp_ntlm_auth(lp_ctx)) {
+ if (ntlm_auth) {
if (smb_pwd_check_ntlmv1(mem_ctx,
lm_response,
stored_nt->hash, challenge,
@@ -580,7 +580,7 @@ NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
It not very secure, so use it only if we otherwise
allow LM authentication */
- if (lp_lanman_auth(lp_ctx) && stored_lanman) {
+ if (lanman_auth && stored_lanman) {
uint8_t first_8_lm_hash[16];
memcpy(first_8_lm_hash, stored_lanman->hash, 8);
memset(first_8_lm_hash + 8, '\0', 8);
diff --git a/source4/auth/ntlm/ntlm_check.h b/source4/auth/ntlm/ntlm_check.h
index eb115b74d6..df11f7d7a2 100644
--- a/source4/auth/ntlm/ntlm_check.h
+++ b/source4/auth/ntlm/ntlm_check.h
@@ -36,7 +36,7 @@
*/
NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
const struct samr_Password *client_lanman,
const struct samr_Password *client_nt,
const char *username,
@@ -61,7 +61,8 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
*/
NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx,
- struct loadparm_context *lp_ctx,
+ bool lanman_auth,
+ bool ntlm_auth,
uint32_t logon_parameters,
const DATA_BLOB *challenge,
const DATA_BLOB *lm_response,
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index cea18c45a7..1b14e461c3 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -159,7 +159,6 @@ static NTSTATUS gensec_ntlmssp_update_find(struct gensec_ntlmssp_state *gensec_n
}
} else {
if (!msrpc_parse(gensec_ntlmssp_state,
- lp_iconv_convenience(gensec_security->lp_ctx),
&input, "Cd",
"NTLMSSP",
&ntlmssp_command)) {
diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c
index 0ef40200fe..e28d8462d4 100644
--- a/source4/auth/ntlmssp/ntlmssp_client.c
+++ b/source4/auth/ntlmssp/ntlmssp_client.c
@@ -122,7 +122,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
if (!msrpc_parse(mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
&in, "CdBd",
"NTLMSSP",
&ntlmssp_command,
@@ -160,7 +159,6 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
if (!msrpc_parse(mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
&in, chal_parse_string,
"NTLMSSP",
&ntlmssp_command,
@@ -194,7 +192,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
if (gensec_ntlmssp_state->use_nt_response) {
flags |= CLI_CRED_NTLM_AUTH;
}
- if (lp_client_lanman_auth(gensec_security->lp_ctx)) {
+ if (lp_client_lanman_auth(gensec_security->settings->lp_ctx)) {
flags |= CLI_CRED_LANMAN_AUTH;
}
@@ -219,7 +217,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security,
}
if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY)
- && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) {
+ && lp_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) {
DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16);
if (lm_response.length == 24) {
SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data,
@@ -310,17 +308,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->role = NTLMSSP_CLIENT;
- gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx);
+ gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx);
- gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true);
+ gensec_ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true);
- gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true);
+ gensec_ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true);
- gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx)
- && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false)
- || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)));
+ gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->settings->lp_ctx)
+ && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false)
+ || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)));
- gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx);
+ gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->settings->lp_ctx);
gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL;
@@ -328,27 +326,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
NTLMSSP_NEGOTIATE_NTLM |
NTLMSSP_REQUEST_TARGET;
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
} else {
/* apparently we can't do ntlmv2 if we don't do ntlm2 */
diff --git a/source4/auth/ntlmssp/ntlmssp_parse.c b/source4/auth/ntlmssp/ntlmssp_parse.c
index 24f3ad27af..d606b8d563 100644
--- a/source4/auth/ntlmssp/ntlmssp_parse.c
+++ b/source4/auth/ntlmssp/ntlmssp_parse.c
@@ -186,7 +186,7 @@ if ((head_ofs + amount) > blob->length) { \
return false; \
}
-/*
+/**
this is a tiny msrpc packet parser. This the the partner of msrpc_gen
format specifiers are:
@@ -200,7 +200,6 @@ if ((head_ofs + amount) > blob->length) { \
*/
bool msrpc_parse(TALLOC_CTX *mem_ctx,
- struct smb_iconv_convenience *iconv_convenience,
const DATA_BLOB *blob,
const char *format, ...)
{
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 38973f623d..37cc5f318f 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -136,7 +136,6 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
if (in.length) {
if ((in.length < 16) || !msrpc_parse(out_mem_ctx,
- lp_iconv_convenience(gensec_security->lp_ctx),
&in, "Cdd",
"NTLMSSP",
&ntlmssp_command,
@@ -187,7 +186,7 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security,
/* Find out the DNS domain name */
dnsdomname[0] = '\0';
- safe_strcpy(dnsdomname, lp_realm(gensec_security->lp_ctx), sizeof(dnsdomname) - 1);
+ safe_strcpy(dnsdomname, lp_realm(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1);
strlower_m(dnsdomname);
/* Find out the DNS host name */
@@ -282,7 +281,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
/* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(gensec_ntlmssp_state,
- lp_iconv_convenience(gensec_ntlmssp_state->gensec_security->lp_ctx),
&request, parse_string,
"NTLMSSP",
&ntlmssp_command,
@@ -309,7 +307,6 @@ static NTSTATUS ntlmssp_server_preauth(struct gensec_ntlmssp_state *gensec_ntlms
/* now the NTLMSSP encoded auth hashes */
if (!msrpc_parse(gensec_ntlmssp_state,
- lp_iconv_convenience(gensec_ntlmssp_state->gensec_security->lp_ctx),
&request, parse_string,
"NTLMSSP",
&ntlmssp_command,
@@ -725,7 +722,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
NTSTATUS nt_status;
struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data;
- nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info);
+ nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_ntlmssp_state->server_info, session_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
(*session_info)->session_key = data_blob_talloc(*session_info,
@@ -752,14 +749,14 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->role = NTLMSSP_SERVER;
gensec_ntlmssp_state->workstation = NULL;
- gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->lp_ctx);
+ gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->settings->lp_ctx);
- gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx);
+ gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx);
gensec_ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
- gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->lp_ctx)
- && lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "allow_lm_key", false));
+ gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->settings->lp_ctx)
+ && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false));
gensec_ntlmssp_state->server_multiple_authentications = false;
@@ -770,23 +767,23 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->nt_resp = data_blob(NULL, 0);
gensec_ntlmssp_state->encrypted_session_key = data_blob(NULL, 0);
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "128bit", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "56bit", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "keyexchange", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "alwayssign", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN;
}
- if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "ntlm2", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) {
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2;
}
@@ -800,7 +797,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
nt_status = auth_context_create(gensec_ntlmssp_state,
gensec_security->event_ctx,
gensec_security->msg_ctx,
- gensec_security->lp_ctx,
+ gensec_security->settings->lp_ctx,
&gensec_ntlmssp_state->auth_context);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -808,7 +805,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
gensec_ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge;
gensec_ntlmssp_state->check_password = auth_ntlmssp_check_password;
- gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->lp_ctx);
+ gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->settings->lp_ctx);
return NT_STATUS_OK;
}
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 4255a6432a..f6a998ae0f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -447,7 +447,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx));
+ sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx,
+ system_session(tmp_ctx, lp_ctx));
if (sam_ctx == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SYSTEM_SERVICE;
@@ -459,7 +460,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx,
return nt_status;
}
- nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(lp_ctx),
+ nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
+ lp_netbios_name(lp_ctx),
msgs[0], msgs_domain_ref[0],
user_sess_key, lm_sess_key,
server_info);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 1d227fe468..07b0060643 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -234,6 +234,7 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
+
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
generated by cgit (git 2.34.1) at 2024-10-10 04:38:48 +0000