summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.h24
-rw-r--r--source4/auth/config.mk5
-rw-r--r--source4/auth/gensec/gensec.c22
-rw-r--r--source4/auth/gensec/gensec.h9
-rw-r--r--source4/auth/gensec/gensec_krb5.c2
-rw-r--r--source4/auth/ntlm/auth.c7
-rw-r--r--source4/auth/ntlmssp/config.mk2
-rw-r--r--source4/auth/ntlmssp/ntlmssp.c2
-rw-r--r--source4/auth/ntlmssp/ntlmssp_server.c21
-rw-r--r--source4/auth/samba_server_gensec.c73
-rw-r--r--source4/kdc/kpasswdd.c19
-rw-r--r--source4/ldap_server/ldap_bind.c16
-rw-r--r--source4/rpc_server/config.mk2
-rw-r--r--source4/rpc_server/dcesrv_auth.c16
-rw-r--r--source4/smb_server/smb/config.mk2
-rw-r--r--source4/smb_server/smb/negprot.c36
-rw-r--r--source4/smb_server/smb/sesssetup.c16
-rw-r--r--source4/smb_server/smb2/config.mk2
-rw-r--r--source4/smb_server/smb2/negprot.c25
-rw-r--r--source4/smb_server/smb2/sesssetup.c16
-rw-r--r--source4/torture/rpc/remote_pac.c2
-rw-r--r--source4/utils/ntlm_auth.c21
22 files changed, 230 insertions, 110 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index e184776140..0ef1e24cd3 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -175,6 +175,20 @@ struct auth_context {
/* loadparm context */
struct loadparm_context *lp_ctx;
+
+ NTSTATUS (*check_password)(struct auth_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info);
+
+ NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, const uint8_t **_chal);
+
+ bool (*challenge_may_be_modified)(struct auth_context *auth_ctx);
+
+ NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
+
+
+
};
/* this structure is used by backends to determine the size of some critical types */
@@ -197,6 +211,8 @@ struct auth_critical_sizes {
struct ldb_message;
struct ldb_context;
+struct gensec_security;
+
NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal);
NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
@@ -254,4 +270,12 @@ void auth_check_password_send(struct auth_context *auth_ctx,
void *private_data);
NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
+NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct messaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context);
+
#endif /* _SMBAUTH_H_ */
diff --git a/source4/auth/config.mk b/source4/auth/config.mk
index baf4346b4a..7d5050919e 100644
--- a/source4/auth/config.mk
+++ b/source4/auth/config.mk
@@ -15,6 +15,11 @@ auth_session_OBJ_FILES = $(addprefix $(authsrcdir)/, session.o)
$(eval $(call proto_header_template,$(authsrcdir)/session_proto.h,$(auth_session_OBJ_FILES:.o=.c)))
+[SUBSYSTEM::samba_server_gensec]
+PUBLIC_DEPENDENCIES = CREDENTIALS GENSEC auth
+
+samba_server_gensec_OBJ_FILES = $(addprefix $(authsrcdir)/, samba_server_gensec.o)
+
[SUBSYSTEM::auth_system_session]
PUBLIC_DEPENDENCIES = CREDENTIALS
PRIVATE_DEPENDENCIES = auth_session LIBSAMBA-UTIL LIBSECURITY
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 7169b074e3..2feb545f53 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -508,7 +508,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security,
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_settings *settings,
- struct messaging_context *msg,
+ struct auth_context *auth_context,
struct gensec_security **gensec_security)
{
if (ev == NULL) {
@@ -530,9 +530,9 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->want_features = 0;
(*gensec_security)->event_ctx = ev;
- (*gensec_security)->msg_ctx = msg;
SMB_ASSERT(settings->lp_ctx != NULL);
(*gensec_security)->settings = talloc_reference(*gensec_security, settings);
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
return NT_STATUS_OK;
}
@@ -559,8 +559,9 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx,
(*gensec_security)->subcontext = true;
(*gensec_security)->want_features = parent->want_features;
(*gensec_security)->event_ctx = parent->event_ctx;
- (*gensec_security)->msg_ctx = parent->msg_ctx;
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
(*gensec_security)->settings = talloc_reference(*gensec_security, parent->settings);
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, parent->auth_context);
return NT_STATUS_OK;
}
@@ -599,10 +600,10 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx,
@note The mem_ctx is only a parent and may be NULL.
*/
_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct gensec_settings *settings,
- struct messaging_context *msg,
- struct gensec_security **gensec_security)
+ struct tevent_context *ev,
+ struct gensec_settings *settings,
+ struct auth_context *auth_context,
+ struct gensec_security **gensec_security)
{
NTSTATUS status;
@@ -611,17 +612,12 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
return NT_STATUS_INTERNAL_ERROR;
}
- if (!msg) {
- DEBUG(0,("gensec_server_start: no messaging context given!\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
if (!settings) {
DEBUG(0,("gensec_server_start: no settings given!\n"));
return NT_STATUS_INTERNAL_ERROR;
}
- status = gensec_start(mem_ctx, ev, settings, msg, gensec_security);
+ status = gensec_start(mem_ctx, ev, settings, auth_context, gensec_security);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index c627bda024..c4e93ee97b 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -169,9 +169,13 @@ struct gensec_security {
bool subcontext;
uint32_t want_features;
struct tevent_context *event_ctx;
- struct messaging_context *msg_ctx; /* only valid as server */
struct socket_address *my_addr, *peer_addr;
struct gensec_settings *settings;
+
+ /* When we are a server, this may be filled in to provide an
+ * NTLM authentication backend, and user lookup (such as if no
+ * PAC is found) */
+ struct auth_context *auth_context;
};
/* this structure is used by backends to determine the size of some critical types */
@@ -185,6 +189,7 @@ struct gensec_critical_sizes {
struct gensec_security;
struct socket_context;
+struct auth_context;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
@@ -274,7 +279,7 @@ const char *gensec_get_name_by_authtype(struct gensec_security *gensec_security,
NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_settings *settings,
- struct messaging_context *msg,
+ struct auth_context *auth_context,
struct gensec_security **gensec_security);
NTSTATUS gensec_session_info(struct gensec_security *gensec_security,
struct auth_session_info **session_info);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 6c6b928917..6e715d0090 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -793,8 +793,6 @@ _PUBLIC_ NTSTATUS gensec_krb5_init(void)
{
NTSTATUS ret;
- auth_init();
-
ret = gensec_register(&gensec_krb5_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 20967a6bda..2aae4a075e 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -359,6 +359,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
int i;
struct auth_context *ctx;
+ auth_init();
+
if (!methods) {
DEBUG(0,("auth_context_create: No auth method list!?\n"));
return NT_STATUS_INTERNAL_ERROR;
@@ -405,6 +407,11 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
return NT_STATUS_INTERNAL_ERROR;
}
+ ctx->check_password = auth_check_password;
+ ctx->get_challenge = auth_get_challenge;
+ ctx->set_challenge = auth_context_set_challenge;
+ ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
+
*auth_ctx = ctx;
return NT_STATUS_OK;
diff --git a/source4/auth/ntlmssp/config.mk b/source4/auth/ntlmssp/config.mk
index 129f58de83..c0446bcac1 100644
--- a/source4/auth/ntlmssp/config.mk
+++ b/source4/auth/ntlmssp/config.mk
@@ -9,7 +9,7 @@ $(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/msrpc_parse.h,$(MSRPC_
[MODULE::gensec_ntlmssp]
SUBSYSTEM = gensec
INIT_FUNCTION = gensec_ntlmssp_init
-PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS auth
+PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS
OUTPUT_TYPE = MERGED_OBJ
# End MODULE gensec_ntlmssp
################################################
diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c
index 1b14e461c3..c4b3a31365 100644
--- a/source4/auth/ntlmssp/ntlmssp.c
+++ b/source4/auth/ntlmssp/ntlmssp.c
@@ -434,8 +434,6 @@ _PUBLIC_ NTSTATUS gensec_ntlmssp_init(void)
{
NTSTATUS ret;
- auth_init();
-
ret = gensec_register(&gensec_ntlmssp_security_ops);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(0,("Failed to register '%s' gensec backend!\n",
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index 30bf159df1..9215ccac8c 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -608,7 +608,7 @@ static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_sta
NTSTATUS status;
const uint8_t *chal;
- status = auth_get_challenge(gensec_ntlmssp_state->auth_context, &chal);
+ status = gensec_ntlmssp_state->auth_context->get_challenge(gensec_ntlmssp_state->auth_context, &chal);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("auth_ntlmssp_get_challenge: failed to get challenge: %s\n",
nt_errstr(status)));
@@ -625,7 +625,7 @@ static const uint8_t *auth_ntlmssp_get_challenge(const struct gensec_ntlmssp_sta
*/
static bool auth_ntlmssp_may_set_challenge(const struct gensec_ntlmssp_state *gensec_ntlmssp_state)
{
- return auth_challenge_may_be_modified(gensec_ntlmssp_state->auth_context);
+ return gensec_ntlmssp_state->auth_context->challenge_may_be_modified(gensec_ntlmssp_state->auth_context);
}
/**
@@ -644,7 +644,9 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct gensec_ntlmssp_state *gensec_n
chal = challenge->data;
- nt_status = auth_context_set_challenge(auth_context, chal, "NTLMSSP callback (NTLM2)");
+ nt_status = gensec_ntlmssp_state->auth_context->set_challenge(auth_context,
+ chal,
+ "NTLMSSP callback (NTLM2)");
return nt_status;
}
@@ -679,8 +681,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct gensec_ntlmssp_state *gensec_
user_info->password.response.nt = gensec_ntlmssp_state->nt_resp;
user_info->password.response.nt.data = talloc_steal(user_info, gensec_ntlmssp_state->nt_resp.data);
- nt_status = auth_check_password(gensec_ntlmssp_state->auth_context, mem_ctx,
- user_info, &gensec_ntlmssp_state->server_info);
+ nt_status = gensec_ntlmssp_state->auth_context->check_password(gensec_ntlmssp_state->auth_context,
+ mem_ctx,
+ user_info,
+ &gensec_ntlmssp_state->server_info);
talloc_free(user_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -795,12 +799,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security)
gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_SEAL;
}
- nt_status = auth_context_create(gensec_ntlmssp_state,
- gensec_security->event_ctx,
- gensec_security->msg_ctx,
- gensec_security->settings->lp_ctx,
- &gensec_ntlmssp_state->auth_context);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ gensec_ntlmssp_state->auth_context = gensec_security->auth_context;
gensec_ntlmssp_state->get_challenge = auth_ntlmssp_get_challenge;
gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge;
diff --git a/source4/auth/samba_server_gensec.c b/source4/auth/samba_server_gensec.c
new file mode 100644
index 0000000000..0576b15eb3
--- /dev/null
+++ b/source4/auth/samba_server_gensec.c
@@ -0,0 +1,73 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Generic Authentication Interface for Samba Servers
+
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* This code sets up GENSEC in the way that all Samba servers want
+ * (becaue they have presumed access to the sam.ldb etc */
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "auth/gensec/gensec.h"
+#include "param/param.h"
+
+NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_ctx,
+ struct messaging_context *msg_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *server_credentials,
+ const char *target_service,
+ struct gensec_security **gensec_context)
+{
+ NTSTATUS nt_status;
+ struct gensec_security *gensec_ctx;
+ struct auth_context *auth_context;
+
+ nt_status = auth_context_create(mem_ctx,
+ event_ctx,
+ msg_ctx,
+ lp_ctx,
+ &auth_context);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(nt_status)));
+ return nt_status;
+ }
+
+ nt_status = gensec_server_start(mem_ctx,
+ event_ctx,
+ lp_gensec_settings(mem_ctx, lp_ctx),
+ auth_context,
+ &gensec_ctx);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(auth_context);
+ DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(nt_status)));
+ return nt_status;
+ }
+
+ talloc_steal(gensec_ctx, auth_context);
+
+ gensec_set_credentials(gensec_ctx, server_credentials);
+
+ if (target_service) {
+ gensec_set_target_service(gensec_ctx, target_service);
+ }
+ *gensec_context = gensec_ctx;
+ return nt_status;
+}
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 27968620e0..39817d922b 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -483,14 +483,6 @@ bool kpasswdd_process(struct kdc_server *kdc,
ap_req = data_blob_const(&input->data[header_len], ap_req_len);
krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len);
- nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx,
- lp_gensec_settings(tmp_ctx, kdc->task->lp_ctx), kdc->task->msg_ctx,
- &gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
- return false;
- }
-
server_credentials = cli_credentials_init(tmp_ctx);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
@@ -517,7 +509,16 @@ bool kpasswdd_process(struct kdc_server *kdc,
return ret;
}
- nt_status = gensec_set_credentials(gensec_security, server_credentials);
+ /* We don't strictly need to call this wrapper, and could call
+ * gensec_server_start directly, as we have no need for NTLM
+ * and we have a PAC, but this ensures that the wrapper can be
+ * safely extended for other helpful things in future */
+ nt_status = samba_server_gensec_start(tmp_ctx, kdc->task->event_ctx,
+ kdc->task->msg_ctx,
+ kdc->task->lp_ctx,
+ server_credentials,
+ "kpasswd",
+ &gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return false;
diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c
index f3f843b920..9abc6115e6 100644
--- a/source4/ldap_server/ldap_bind.c
+++ b/source4/ldap_server/ldap_bind.c
@@ -140,11 +140,13 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
if (!conn->gensec) {
conn->session_info = NULL;
- status = gensec_server_start(conn,
- conn->connection->event.ctx,
- lp_gensec_settings(conn, conn->lp_ctx),
- conn->connection->msg_ctx,
- &conn->gensec);
+ status = samba_server_gensec_start(conn,
+ conn->connection->event.ctx,
+ conn->connection->msg_ctx,
+ conn->lp_ctx,
+ conn->server_credentials,
+ "ldap",
+ &conn->gensec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
result = LDAP_OPERATIONS_ERROR;
@@ -152,10 +154,6 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call)
nt_errstr(status));
} else {
- gensec_set_target_service(conn->gensec, "ldap");
-
- gensec_set_credentials(conn->gensec, conn->server_credentials);
-
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SEAL);
gensec_want_feature(conn->gensec, GENSEC_FEATURE_ASYNC_REPLIES);
diff --git a/source4/rpc_server/config.mk b/source4/rpc_server/config.mk
index a7d03ca22d..d05b0a0c0d 100644
--- a/source4/rpc_server/config.mk
+++ b/source4/rpc_server/config.mk
@@ -203,7 +203,7 @@ dcerpc_browser_OBJ_FILES = $(rpc_serversrcdir)/browser/dcesrv_browser.o
PRIVATE_DEPENDENCIES = \
LIBCLI_AUTH \
LIBNDR \
- dcerpc
+ dcerpc samba_server_gensec
dcerpc_server_OBJ_FILES = $(addprefix $(rpc_serversrcdir)/, \
dcerpc_server.o \
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 5169031d16..e2e3b77948 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -27,6 +27,7 @@
#include "librpc/gen_ndr/ndr_dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
+#include "auth/auth.h"
#include "param/param.h"
/*
@@ -61,14 +62,6 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
return false;
}
- status = gensec_server_start(dce_conn, call->event_ctx,
- lp_gensec_settings(dce_conn, call->conn->dce_ctx->lp_ctx),
- call->msg_ctx, &auth->gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status)));
- return false;
- }
-
server_credentials
= cli_credentials_init(call);
if (!server_credentials) {
@@ -84,7 +77,12 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call)
server_credentials = NULL;
}
- gensec_set_credentials(auth->gensec_security, server_credentials);
+ status = samba_server_gensec_start(dce_conn, call->event_ctx,
+ call->msg_ctx,
+ call->conn->dce_ctx->lp_ctx,
+ server_credentials,
+ NULL,
+ &auth->gensec_security);
status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
auth->auth_info->auth_level);
diff --git a/source4/smb_server/smb/config.mk b/source4/smb_server/smb/config.mk
index 9adf334850..eadc122831 100644
--- a/source4/smb_server/smb/config.mk
+++ b/source4/smb_server/smb/config.mk
@@ -2,7 +2,7 @@
# Start SUBSYSTEM SMB_PROTOCOL
[SUBSYSTEM::SMB_PROTOCOL]
PUBLIC_DEPENDENCIES = \
- ntvfs LIBPACKET CREDENTIALS
+ ntvfs LIBPACKET CREDENTIALS samba_server_gensec
# End SUBSYSTEM SMB_PROTOCOL
#######################
diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c
index 71ee82d162..c3399fdd48 100644
--- a/source4/smb_server/smb/negprot.c
+++ b/source4/smb_server/smb/negprot.c
@@ -350,23 +350,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
DATA_BLOB blob;
const char *oid;
NTSTATUS nt_status;
-
- nt_status = gensec_server_start(req->smb_conn,
- req->smb_conn->connection->event.ctx,
- lp_gensec_settings(req->smb_conn, req->smb_conn->lp_ctx),
- req->smb_conn->connection->msg_ctx,
- &gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
- smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
- return;
- }
-
- if (req->smb_conn->negotiate.auth_context) {
- smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n");
- return;
- }
-
+
server_credentials
= cli_credentials_init(req);
if (!server_credentials) {
@@ -382,6 +366,24 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice)
server_credentials = NULL;
}
+ nt_status = samba_server_gensec_start(req,
+ req->smb_conn->connection->event.ctx,
+ req->smb_conn->connection->msg_ctx,
+ req->smb_conn->lp_ctx,
+ server_credentials,
+ "cifs",
+ &gensec_security);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
+ smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
+ return;
+ }
+
+ if (req->smb_conn->negotiate.auth_context) {
+ smbsrv_terminate_connection(req->smb_conn, "reply_nt1: is this a secondary negprot? auth_context is non-NULL!\n");
+ return;
+ }
req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
gensec_set_target_service(gensec_security, "cifs");
diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 0767a187e5..e38447703b 100644
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -363,20 +363,18 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se
if (!smb_sess) {
struct gensec_security *gensec_ctx;
- status = gensec_server_start(req,
- req->smb_conn->connection->event.ctx,
- lp_gensec_settings(req, req->smb_conn->lp_ctx),
- req->smb_conn->connection->msg_ctx,
- &gensec_ctx);
+ status = samba_server_gensec_start(req,
+ req->smb_conn->connection->event.ctx,
+ req->smb_conn->connection->msg_ctx,
+ req->smb_conn->lp_ctx,
+ req->smb_conn->negotiate.server_credentials,
+ "cifs",
+ &gensec_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
goto failed;
}
- gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials);
-
- gensec_set_target_service(gensec_ctx, "cifs");
-
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
status = gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid);
diff --git a/source4/smb_server/smb2/config.mk b/source4/smb_server/smb2/config.mk
index 68ee6e58f6..f0c3739926 100644
--- a/source4/smb_server/smb2/config.mk
+++ b/source4/smb_server/smb2/config.mk
@@ -2,7 +2,7 @@
# Start SUBSYSTEM SMB2_PROTOCOL
[SUBSYSTEM::SMB2_PROTOCOL]
PUBLIC_DEPENDENCIES = \
- ntvfs LIBPACKET LIBCLI_SMB2
+ ntvfs LIBPACKET LIBCLI_SMB2 samba_server_gensec
# End SUBSYSTEM SMB2_PROTOCOL
#######################
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 03e5c9356d..0b65a19634 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -20,6 +20,7 @@
#include "includes.h"
#include "auth/credentials/credentials.h"
+#include "auth/auth.h"
#include "auth/gensec/gensec.h"
#include "libcli/raw/libcliraw.h"
#include "libcli/raw/raw_proto.h"
@@ -40,17 +41,6 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *
NTSTATUS nt_status;
struct cli_credentials *server_credentials;
- nt_status = gensec_server_start(req,
- req->smb_conn->connection->event.ctx,
- lp_gensec_settings(req, req->smb_conn->lp_ctx),
- req->smb_conn->connection->msg_ctx,
- &gensec_security);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
- smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
- return nt_status;
- }
-
server_credentials = cli_credentials_init(req);
if (!server_credentials) {
smbsrv_terminate_connection(req->smb_conn, "Failed to init server credentials\n");
@@ -67,6 +57,19 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB *
req->smb_conn->negotiate.server_credentials = talloc_steal(req->smb_conn, server_credentials);
+ nt_status = samba_server_gensec_start(req,
+ req->smb_conn->connection->event.ctx,
+ req->smb_conn->connection->msg_ctx,
+ req->smb_conn->lp_ctx,
+ server_credentials,
+ "cifs",
+ &gensec_security);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(0, ("Failed to start GENSEC: %s\n", nt_errstr(nt_status)));
+ smbsrv_terminate_connection(req->smb_conn, "Failed to start GENSEC\n");
+ return nt_status;
+ }
+
gensec_set_target_service(gensec_security, "cifs");
gensec_set_credentials(gensec_security, server_credentials);
diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c
index 176be0b3ea..9a8c1bfaa9 100644
--- a/source4/smb_server/smb2/sesssetup.c
+++ b/source4/smb_server/smb2/sesssetup.c
@@ -124,20 +124,18 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses
if (vuid == 0) {
struct gensec_security *gensec_ctx;
- status = gensec_server_start(req,
- req->smb_conn->connection->event.ctx,
- lp_gensec_settings(req, req->smb_conn->lp_ctx),
- req->smb_conn->connection->msg_ctx,
- &gensec_ctx);
+ status = samba_server_gensec_start(req,
+ req->smb_conn->connection->event.ctx,
+ req->smb_conn->connection->msg_ctx,
+ req->smb_conn->lp_ctx,
+ req->smb_conn->negotiate.server_credentials,
+ "cifs",
+ &gensec_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC server code: %s\n", nt_errstr(status)));
goto failed;
}
- gensec_set_credentials(gensec_ctx, req->smb_conn->negotiate.server_credentials);
-
- gensec_set_target_service(gensec_ctx, "cifs");
-
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 0d18228563..5603152ddb 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -106,7 +106,7 @@ static bool test_PACVerify(struct torture_context *tctx,
status = gensec_server_start(tctx, tctx->ev,
lp_gensec_settings(tctx, tctx->lp_ctx),
- msg_server_ctx, &gensec_server_context);
+ NULL, &gensec_server_context);
torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed");
status = gensec_set_credentials(gensec_server_context, credentials);
diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c
index bd262683d5..2c6f353252 100644
--- a/source4/utils/ntlm_auth.c
+++ b/source4/utils/ntlm_auth.c
@@ -482,16 +482,33 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
break;
case GSS_SPNEGO_SERVER:
case SQUID_2_5_NTLMSSP:
+ {
+ const char *winbind_method[] = { "winbind", NULL };
+ struct auth_context *auth_context;
+
msg = messaging_client_init(state, lp_messaging_path(state, lp_ctx),
lp_iconv_convenience(lp_ctx), ev);
if (!msg) {
exit(1);
}
- if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_gensec_settings(state, lp_ctx),
- msg, &state->gensec_state))) {
+ nt_status = auth_context_create_methods(mem_ctx,
+ winbind_method,
+ ev,
+ msg,
+ lp_ctx,
+ &auth_context);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ exit(1);
+ }
+
+ if (!NT_STATUS_IS_OK(gensec_server_start(state, ev,
+ lp_gensec_settings(state, lp_ctx),
+ auth_context, &state->gensec_state))) {
exit(1);
}
break;
+ }
default:
abort();
}