Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/credentials/credentials.c | 4 | ||||
-rw-r--r-- | source4/auth/credentials/credentials.h | 6 | ||||
-rw-r--r-- | source4/auth/gensec/gensec.h | 4 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.c | 29 | ||||
-rw-r--r-- | source4/auth/gensec/schannel.h | 6 | ||||
-rw-r--r-- | source4/auth/ntlmssp/ntlmssp.h | 5 |
6 files changed, 31 insertions, 23 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index 5fb180d7b1..83901db6a5 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -668,7 +668,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred,
 */
 _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
- struct creds_CredentialState *netlogon_creds)
+ struct netlogon_creds_CredentialState *netlogon_creds)
 {
 cred->netlogon_creds = talloc_reference(cred, netlogon_creds);
 }
@@ -677,7 +677,7 @@ _PUBLIC_ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
 * Return attached NETLOGON credentials
 */
-struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
+struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred)
 {
 return cred->netlogon_creds;
 }
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index 3c2fb8f2e6..311cdc2450 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -102,7 +102,7 @@ struct cli_credentials {
 /* Private handle for the callback routines to use */
 void *priv_data;
- struct creds_CredentialState *netlogon_creds;
+ struct netlogon_creds_CredentialState *netlogon_creds;
 enum netr_SchannelType secure_channel_type;
 int kvno;
@@ -167,7 +167,7 @@ int cli_credentials_get_keytab(struct cli_credentials *cred,
 struct loadparm_context *lp_ctx,
 struct keytab_container **_ktc);
 const char *cli_credentials_get_domain(struct cli_credentials *cred);
-struct creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
+struct netlogon_creds_CredentialState *cli_credentials_get_netlogon_creds(struct cli_credentials *cred);
 void cli_credentials_set_machine_account_pending(struct cli_credentials *cred,
 struct loadparm_context *lp_ctx);
 void cli_credentials_set_conf(struct cli_credentials *cred,
@@ -210,7 +210,7 @@ bool cli_credentials_set_realm(struct cli_credentials *cred,
 void cli_credentials_set_secure_channel_type(struct cli_credentials *cred,
 enum netr_SchannelType secure_channel_type);
 void cli_credentials_set_netlogon_creds(struct cli_credentials *cred,
- struct creds_CredentialState *netlogon_creds);
+ struct netlogon_creds_CredentialState *netlogon_creds);
 NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred,
 struct smb_krb5_context *smb_krb5_context);
 NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred,
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index c4e93ee97b..3b27e0f733 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -284,10 +284,10 @@ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, NTSTATUS gensec_session_info(struct gensec_security *gensec_security, struct auth_session_info **session_info); NTSTATUS auth_nt_status_squash(NTSTATUS nt_status); -struct creds_CredentialState; +struct netlogon_creds_CredentialState; NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, - struct creds_CredentialState **creds); + struct netlogon_creds_CredentialState **creds); NTSTATUS gensec_set_peer_addr(struct gensec_security *gensec_security, struct socket_address *peer_addr); NTSTATUS gensec_set_my_addr(struct gensec_security *gensec_security, struct socket_address *my_addr); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index e6d38c14a3..b71748943b 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -27,8 +27,6 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" #include "auth/gensec/schannel.h" -#include "auth/gensec/schannel_state.h" -#include "auth/gensec/schannel_proto.h" #include "librpc/rpc/dcerpc.h" #include "param/param.h" #include "auth/session_proto.h" @@ -52,8 +50,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ enum ndr_err_code ndr_err; struct schannel_bind bind_schannel; struct schannel_bind_ack bind_schannel_ack; - struct creds_CredentialState *creds; - + struct netlogon_creds_CredentialState *creds; + struct ldb_context *schannel_ldb; const char *workstation; const char *domain; *out = data_blob(NULL, 0); 
@@ -124,10 +122,22 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ domain = bind_schannel.u.info3.domain; } + if (strcasecmp_m(domain, lp_workgroup(gensec_security->settings->lp_ctx)) != 0) { + DEBUG(3, ("Request for schannel to incorrect domain: %s != our domain %s\n", + domain, lp_workgroup(gensec_security->settings->lp_ctx))); + + return NT_STATUS_LOGON_FAILURE; + } + + schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx, + gensec_security->settings->lp_ctx); + if (!schannel_ldb) { + return NT_STATUS_ACCESS_DENIED; + } /* pull the session key for this client */ - status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx, - gensec_security->settings->lp_ctx, workstation, - domain, &creds); + status = schannel_fetch_session_key(schannel_ldb, + out_mem_ctx, workstation, &creds); + talloc_free(schannel_ldb); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", workstation, nt_errstr(status))); @@ -167,9 +177,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ */ /* TODO: make this non-public */ + _PUBLIC_ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security, - TALLOC_CTX *mem_ctx, - struct creds_CredentialState **creds) + TALLOC_CTX *mem_ctx, + struct netlogon_creds_CredentialState **creds) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); diff --git a/source4/auth/gensec/schannel.h b/source4/auth/gensec/schannel.h index 2ddea29006..ee841ef639 100644 --- a/source4/auth/gensec/schannel.h +++ b/source4/auth/gensec/schannel.h @@ -20,7 +20,9 @@ along with this program. If not, see <http://www.gnu.org/licenses/>. */ -#include "libcli/auth/credentials.h" +#include "auth/gensec/schannel_proto.h" +#include "auth/gensec/schannel_state.h" +#include "libcli/auth/schannel_state.h" enum schannel_position { SCHANNEL_STATE_START = 0, 
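Review bot: The schannel_db_connect() failure branch added to schannel_update returns NT_STATUS_ACCESS_DENIED with no diagnostic, so a missing or unreadable schannel database on the server looks, both to the client and in the logs, exactly like a rejected peer; add `DEBUG(1, ("schannel_update: could not open the schannel database\n"));` before that return and consider an internal-error status rather than ACCESS_DENIED. Separately, the new schannel_fetch_session_key() call is keyed on `workstation` alone — the `domain` argument the old call took is gone — so the strcasecmp_m() check against lp_workgroup() just above it is now the only thing that scopes the session-key lookup to our own domain, which deserves a comment such as `/* the session-key lookup is per-workstation only, so the domain must be ours */` so the check is not relaxed later. The `domain` string that is compared and logged there comes from the client's bind blob (bind_schannel.u.info3.domain in the visible branch), which is presumably guaranteed non-NULL by the NDR pull — worth confirming, since strcasecmp_m() on a NULL pointer would crash the server on a malformed bind. schannel_update begins before this hunk.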
@@ -31,6 +33,6 @@ struct schannel_state {
 enum schannel_position state;
 uint32_t seq_num;
 bool initiator;
- struct creds_CredentialState *creds;
+ struct netlogon_creds_CredentialState *creds;
 };
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index df950e4756..ff7225bb3c 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -66,11 +66,6 @@ enum ntlmssp_message_type
 #define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000
 #define NTLMSSP_NEGOTIATE_56 0x80000000
-#define NTLMSSP_NAME_TYPE_SERVER 0x01
-#define NTLMSSP_NAME_TYPE_DOMAIN 0x02
-#define NTLMSSP_NAME_TYPE_SERVER_DNS 0x03
-#define NTLMSSP_NAME_TYPE_DOMAIN_DNS 0x04
-
 #define NTLMSSP_SIGN_VERSION 1
 #define NTLMSSP_SIG_SIZE 16
|