From 5603dab6478fbb40206a8664a308b5db5b1863e8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 12 Oct 2011 22:55:34 +1100 Subject: libcli/auth: Provide a struct loadparm_context to schannel calls This will allow us to pass this down to the tdb_wrap layer. Andrew Bartlett --- libcli/auth/schannel_proto.h | 2 +- libcli/auth/schannel_state.h | 6 +-- libcli/auth/schannel_state_tdb.c | 17 +++++---- libcli/auth/wscript_build | 2 +- source3/rpc_server/netlogon/srv_netlog_nt.c | 55 ++++++++++++++++++++++++--- source3/rpc_server/srv_pipe.c | 13 ++++++- source3/smbd/server.c | 5 ++- source4/auth/gensec/schannel.c | 2 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 6 +-- source4/smbd/server.c | 2 +- 10 files changed, 83 insertions(+), 27 deletions(-) diff --git a/libcli/auth/schannel_proto.h b/libcli/auth/schannel_proto.h index e3aeb5a9bc..7ee4c1c079 100644 --- a/libcli/auth/schannel_proto.h +++ b/libcli/auth/schannel_proto.h @@ -26,7 +26,7 @@ struct schannel_state; struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx, - const char *private_dir); + struct loadparm_context *lp_ctx); NTSTATUS netsec_incoming_packet(struct schannel_state *state, bool do_unseal, diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h index 017fdbe28d..f9d02ddb4e 100644 --- a/libcli/auth/schannel_state.h +++ b/libcli/auth/schannel_state.h 
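Review bot: The new prototype for open_schannel_session_store names `struct loadparm_context` with no forward declaration visible in schannel_proto.h; a struct tag that first appears inside a parameter list has prototype scope only, so compilers warn and the parameter type will not be the same type as in the definition unless an earlier include already declares the tag. Adding `struct loadparm_context;` beside the existing `struct schannel_state;` at the top of the hunk resolves this without pulling param.h into the header. The three prototypes in the schannel_state.h hunk have the same gap, and that hunk starts immediately after the include guard, so nothing earlier in that header can be declaring it.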
@@ -24,16 +24,16 @@ #define _LIBCLI_AUTH_SCHANNEL_STATE_H__ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, const char *computer_name, struct netlogon_creds_CredentialState **creds); NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, struct netlogon_creds_CredentialState *creds); NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, const char *computer_name, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 76110b89ef..8910041f99 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -25,6 +25,7 @@ #include "system/filesys.h" #include "../lib/tdb_compat/tdb_compat.h" #include "../lib/util/util_tdb.h" +#include "../lib/param/param.h" #include "../libcli/auth/schannel.h" #include "../librpc/gen_ndr/ndr_schannel.h" #include "lib/util/tdb_wrap.h" @@ -37,10 +38,10 @@ *******************************************************************************/ struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx, - const char *private_dir) + struct loadparm_context *lp_ctx) { struct tdb_wrap *tdb_sc = NULL; - char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", private_dir); + char *fname = lpcfg_private_path(mem_ctx, lp_ctx, "schannel_store.tdb"); if (!fname) { return NULL; @@ -201,7 +202,7 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc, *******************************************************************************/ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, const char *computer_name, struct netlogon_creds_CredentialState **_creds) { 
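Review bot: open_schannel_session_store now hands lp_ctx straight to lpcfg_private_path and nothing in the hunk rejects a NULL context; whether lpcfg_private_path tolerates NULL is not visible here, and at least one caller in this commit (the source3/smbd/server.c hunk) passes an unchecked loadparm_init_s3 result. Because this path selects the store holding the NETLOGON session credentials, an explicit `if (lp_ctx == NULL) { return NULL; }` ahead of the fname computation keeps a missing configuration from degrading into a store opened at a path not derived from the configured private dir. The comment block above the function should also say that lp_ctx is used only to resolve the private directory for schannel_store.tdb; the same one-line addition belongs in the comment blocks of schannel_get_creds_state, schannel_save_creds_state and schannel_check_creds_state, whose signature hunks follow.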
@@ -215,7 +216,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); + tdb_sc = open_schannel_session_store(tmpctx, lp_ctx); if (!tdb_sc) { return NT_STATUS_ACCESS_DENIED; } @@ -239,7 +240,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx, *******************************************************************************/ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, struct netlogon_creds_CredentialState *creds) { TALLOC_CTX *tmpctx; @@ -251,7 +252,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); + tdb_sc = open_schannel_session_store(tmpctx, lp_ctx); if (!tdb_sc) { return NT_STATUS_ACCESS_DENIED; } @@ -273,7 +274,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx, ********************************************************************/ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, - const char *db_priv_dir, + struct loadparm_context *lp_ctx, const char *computer_name, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, @@ -290,7 +291,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir); + tdb_sc = open_schannel_session_store(tmpctx, lp_ctx); if (!tdb_sc) { status = NT_STATUS_ACCESS_DENIED; goto done; diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index acb1ce38f0..2afab44ac2 100644 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -26,7 +26,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL', source='schannel_state_tdb.c schannel_sign.c', - deps='tdb-wrap UTIL_TDB' + deps='tdb-wrap UTIL_TDB samba-hostconfig' ) 
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 5e945187fa..dc0c33d395 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -44,6 +44,7 @@ #include "auth.h" #include "messages.h" #include "../lib/tsocket/tsocket.h" +#include "lib/param/param.h" extern userdom_struct current_user_info; @@ -882,6 +883,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, * so use a copy to avoid destroying the client values. */ uint32_t in_neg_flags = *r->in.negotiate_flags; const char *fn; + struct loadparm_context *lp_ctx; struct dom_sid sid; struct samr_Password mach_pwd; struct netlogon_creds_CredentialState *creds; @@ -993,11 +995,20 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p, goto out; } + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context()); + if (lp_ctx == NULL) { + DEBUG(10, ("loadparm_init_s3 failed\n")); + status = NT_STATUS_INTERNAL_ERROR; + goto out; + } + /* Store off the state so we can continue after client disconnect. */ become_root(); - status = schannel_save_creds_state(p->mem_ctx, lp_private_dir(), creds); + status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds); unbecome_root(); + talloc_unlink(p->mem_ctx, lp_ctx); + if (!NT_STATUS_IS_OK(status)) { goto out; } @@ -1078,6 +1089,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, { NTSTATUS status; bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + struct loadparm_context *lp_ctx; if (schannel_global_required) { status = schannel_check_required(&p->auth, 
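Review bot: The lp_ctx failure in _netr_ServerAuthenticate3 is logged at `DEBUG(10, ("loadparm_init_s3 failed\n"));` while the identical failure in netr_creds_server_step_check, _netr_LogonSamLogonEx, _netr_GetForestTrustInformation and _netr_ServerGetTrustInfo is logged at level 0; an internal error that makes NETLOGON authentication fail with NT_STATUS_INTERNAL_ERROR should be visible at the default log level, so `DEBUG(0, ("loadparm_init_s3 failed\n"));` here as well. The same init/check/unlink triplet is now repeated in five functions of this file and once more in srv_pipe.c, and netr_creds_server_step_check runs it on every authenticated NETLOGON request; a small static helper wrapping loadparm_init_s3 with the check and message, or a context kept on pipes_struct for the life of the connection, would remove both the duplication and the per-call allocation. The enclosing function bodies continue outside these hunks.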
@@ -1088,10 +1100,16 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, } } - status = schannel_check_creds_state(mem_ctx, lp_private_dir(), + lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_context()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = schannel_check_creds_state(mem_ctx, lp_ctx, computer_name, received_authenticator, return_authenticator, creds_out); - + talloc_unlink(mem_ctx, lp_ctx); return status; } @@ -1731,6 +1749,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, { NTSTATUS status; struct netlogon_creds_CredentialState *creds = NULL; + struct loadparm_context *lp_ctx; *r->out.authoritative = true; @@ -1746,10 +1765,18 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, return NT_STATUS_INVALID_PARAMETER; } + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } + become_root(); - status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(), + status = schannel_get_creds_state(p->mem_ctx, lp_ctx, r->in.computer_name, &creds); unbecome_root(); + talloc_unlink(p->mem_ctx, lp_ctx); + if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -2267,14 +2294,22 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p, NTSTATUS status; struct netlogon_creds_CredentialState *creds; struct lsa_ForestTrustInformation *info, **info_ptr; + struct loadparm_context *lp_ctx; /* TODO: check server name */ - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(), + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } + + status = schannel_check_creds_state(p->mem_ctx, lp_ctx, r->in.computer_name, r->in.credential, r->out.return_authenticator, &creds); + talloc_unlink(p->mem_ctx, lp_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2367,14 +2402,22 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p, struct samr_Password *new_owf_enc; struct samr_Password *old_owf_enc; DATA_BLOB session_key; + struct loadparm_context *lp_ctx; + + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); + return NT_STATUS_INTERNAL_ERROR; + } /* TODO: check server name */ - status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(), + status = schannel_check_creds_state(p->mem_ctx, lp_ctx, r->in.computer_name, r->in.credential, r->out.return_authenticator, &creds); + talloc_unlink(p->mem_ctx, lp_ctx); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 7a616c0ee6..449bf7555b 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -43,6 +43,7 @@ #include "ntdomain.h" #include "rpc_server/srv_pipe.h" #include "rpc_server/rpc_contexts.h" +#include "lib/param/param.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV 
@@ -477,6 +478,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p, struct netlogon_creds_CredentialState *creds; enum ndr_err_code ndr_err; struct schannel_state *schannel_auth; + struct loadparm_context *lp_ctx; ndr_err = ndr_pull_struct_blob( &auth_info->credentials, mem_ctx, &neg, @@ -495,6 +497,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p, return false; } + lp_ctx = loadparm_init_s3(p, loadparm_s3_context()); + if (!lp_ctx) { + DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n")); + return false; + } + /* * The neg.oem_netbios_computer.a key here must match the remote computer name * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe @@ -502,10 +510,11 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p, */ become_root(); - status = schannel_get_creds_state(p, lp_private_dir(), + status = schannel_get_creds_state(p, lp_ctx, neg.oem_netbios_computer.a, &creds); unbecome_root(); - + + talloc_unlink(p, lp_ctx); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n")); return False; diff --git a/source3/smbd/server.c b/source3/smbd/server.c index e47187a697..acbab9d88c 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -40,6 +40,7 @@ #include "messages.h" #include "smbprofile.h" #include "lib/id_cache.h" +#include "lib/param/param.h" extern void start_epmd(struct tevent_context *ev_ctx, struct messaging_context *msg_ctx); 
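Review bot: pipe_schannel_auth_bind mixes `return false;` in the new lp_ctx check with the `return False;` that the existing error path a few lines below still uses, and tests the pointer as `if (!lp_ctx)` where the other source3 call sites in this commit write `if (lp_ctx == NULL)`; settling on one form within the function keeps the new lines from reading as a different author's. The function's body continues outside the hunk.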
@@ -1150,10 +1151,12 @@ extern void build_options(bool screen); } if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) { - if (!open_schannel_session_store(NULL, lp_private_dir())) { + struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_context()); + if (!open_schannel_session_store(NULL, lp_ctx)) { DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n")); exit(1); } + TALLOC_FREE(lp_ctx); } if(!get_global_sam_sid()) { diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index 35713ce068..f947d45596 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -154,7 +154,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ } status = schannel_get_creds_state(out_mem_ctx, - lpcfg_private_dir(gensec_security->settings->lp_ctx), + gensec_security->settings->lp_ctx, workstation, &creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index d5a7eebb55..cbf223be47 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -270,7 +270,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid"); nt_status = schannel_save_creds_state(mem_ctx, - lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx), + dce_call->conn->dce_ctx->lp_ctx, creds); return nt_status; @@ -382,7 +382,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc } nt_status = schannel_check_creds_state(mem_ctx, - lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx), + dce_call->conn->dce_ctx->lp_ctx, computer_name, received_authenticator, return_authenticator, 
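Review bot: In the source3/smbd/server.c hunk the result of loadparm_init_s3 is passed to open_schannel_session_store without the NULL check that every other source3 call site in this commit performs, so an allocation failure would be reported as "cannot open schannel store" and, depending on how lpcfg_private_path handles a NULL context, could attempt the open at a path not derived from the configured private dir. A separate check with its own message before the store is opened keeps the diagnosis accurate; the enclosing function continues outside the hunk.
```c
		struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_context());
		if (lp_ctx == NULL) {
			DEBUG(0,("ERROR: loadparm_init_s3() failed, cannot locate schannel store.\n"));
			exit(1);
		}
		/* … unchanged: open_schannel_session_store check and TALLOC_FREE(lp_ctx) … */
```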
@@ -839,7 +839,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, } nt_status = schannel_get_creds_state(mem_ctx, - lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx), + dce_call->conn->dce_ctx->lp_ctx, r->in.computer_name, &creds); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; diff --git a/source4/smbd/server.c b/source4/smbd/server.c index 322e45569f..c8549e2b56 100644 --- a/source4/smbd/server.c +++ b/source4/smbd/server.c @@ -393,7 +393,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[ } if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) { - if (!open_schannel_session_store(talloc_autofree_context(), lpcfg_private_dir(cmdline_lp_ctx))) { + if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) { DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n")); exit(1); } -- cgit