From b034c519f53cffbac21c3db79ee24cdd8f1ce4a2 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Sun, 2 Nov 2008 02:05:48 +0100 Subject: Add gensec_settings structure. This wraps loadparm_context for now, but should in the future only contain some settings required for gensec. --- source4/auth/gensec/gensec.c | 29 ++++++++++++------- source4/auth/gensec/gensec.h | 15 ++++++++-- source4/auth/gensec/gensec_gssapi.c | 42 ++++++++++++++-------------- source4/auth/gensec/gensec_krb5.c | 16 +++++------ source4/auth/gensec/schannel.c | 10 +++---- source4/auth/ntlm/auth_server.c | 1 + source4/auth/ntlmssp/ntlmssp_client.c | 30 ++++++++++---------- source4/auth/ntlmssp/ntlmssp_server.c | 26 ++++++++--------- source4/auth/sam.c | 6 ++-- source4/kdc/kpasswdd.c | 4 ++- source4/ldap_server/ldap_bind.c | 2 +- source4/libcli/cliconnect.c | 6 +++- source4/libcli/ldap/ldap_bind.c | 3 +- source4/libcli/libcli.h | 1 + source4/libcli/smb2/connect.c | 3 +- source4/libcli/smb2/session.c | 5 ++-- source4/libcli/smb2/smb2_calls.h | 1 + source4/libcli/smb_composite/connect.c | 1 + source4/libcli/smb_composite/sesssetup.c | 2 +- source4/libcli/smb_composite/smb_composite.h | 1 + source4/librpc/rpc/dcerpc.h | 3 +- source4/librpc/rpc/dcerpc_auth.c | 8 +++--- source4/librpc/rpc/dcerpc_schannel.c | 3 +- source4/librpc/rpc/dcerpc_util.c | 15 +++++++--- source4/param/loadparm.c | 12 ++++++++ source4/param/param.h | 3 +- source4/rpc_server/dcesrv_auth.c | 4 ++- source4/smb_server/smb/negprot.c | 2 +- source4/smb_server/smb/sesssetup.c | 2 +- source4/smb_server/smb2/negprot.c | 2 +- source4/smb_server/smb2/sesssetup.c | 2 +- source4/torture/auth/ntlmssp.c | 5 ++-- source4/torture/basic/secleak.c | 3 +- source4/torture/raw/context.c | 9 ++++-- source4/torture/raw/lock.c | 1 + source4/torture/rpc/remote_pac.c | 7 +++-- source4/torture/rpc/samba3rpc.c | 8 ++++-- source4/utils/ntlm_auth.c | 6 ++-- 38 files changed, 185 insertions(+), 114 deletions(-) 
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 5d57383d2a..3416ee10bc 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -477,7 +477,7 @@ const char **gensec_security_oids(struct gensec_security *gensec_security, */ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { @@ -501,7 +501,7 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security)->event_ctx = ev; (*gensec_security)->msg_ctx = msg; - (*gensec_security)->lp_ctx = lp_ctx; + (*gensec_security)->settings = settings; return NT_STATUS_OK; } @@ -529,7 +529,7 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, (*gensec_security)->want_features = parent->want_features; (*gensec_security)->event_ctx = parent->event_ctx; (*gensec_security)->msg_ctx = parent->msg_ctx; - (*gensec_security)->lp_ctx = parent->lp_ctx; + (*gensec_security)->settings = parent->settings; return NT_STATUS_OK; } @@ -543,11 +543,11 @@ _PUBLIC_ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct event_context *ev, - struct loadparm_context *lp_ctx) + struct gensec_settings *settings) { NTSTATUS status; - status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security); + status = gensec_start(mem_ctx, ev, settings, NULL, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -564,7 +564,7 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, */ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security) { 
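Review bot: gensec_start stores `settings` without validating it, and the new code later in this file dereferences it unconditionally (`gensec_security->settings->target_hostname` in gensec_get_target_hostname, `settings->lp_ctx` in gensec_setting_int/bool), so a caller that passes NULL — for instance any struct smb_composite_sesssetup initialiser elsewhere in the tree that this commit does not update to set in.gensec_settings — now faults inside gensec instead of failing cleanly. A guard at the top of gensec_start, `if (settings == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, would turn that into a reportable error, and since gensec_client_start and gensec_server_start both route through gensec_start one check covers both entry points. gensec_start's body continues outside the first hunk.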
@@ -580,7 +580,7 @@ _PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = gensec_start(mem_ctx, ev, lp_ctx, msg, gensec_security); + status = gensec_start(mem_ctx, ev, settings, msg, gensec_security); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -1107,9 +1107,8 @@ _PUBLIC_ NTSTATUS gensec_set_target_hostname(struct gensec_security *gensec_secu _PUBLIC_ const char *gensec_get_target_hostname(struct gensec_security *gensec_security) { /* We allow the target hostname to be overriden for testing purposes */ - const char *target_hostname = lp_parm_string(gensec_security->lp_ctx, NULL, "gensec", "target_hostname"); - if (target_hostname) { - return target_hostname; + if (gensec_security->settings->target_hostname) { + return gensec_security->settings->target_hostname; } if (gensec_security->target.hostname) { @@ -1255,6 +1254,16 @@ static int sort_gensec(struct gensec_security_ops **gs1, struct gensec_security_ return (*gs2)->priority - (*gs1)->priority; } +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value) +{ + return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value); +} + +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value) +{ + return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value); +} + /* initialise the GENSEC subsystem */ diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index 0b31882ddd..2a483171f7 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -64,6 +64,7 @@ enum gensec_role struct auth_session_info; struct cli_credentials; +struct gensec_settings; struct gensec_update_request { struct gensec_security *gensec_security; 
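Review bot: gensec_get_target_hostname now returns `settings->target_hostname` ahead of the per-connection target, so whoever fills the gensec_settings struct decides the hostname the Kerberos backends presumably turn into the target principal (the `talloc_asprintf(gensec_gssapi_state, "%s@%s", ...` fallback in gensec_gssapi_client_start is cut off in this diff, so that is inferred). Previously the override was only reachable through the smb.conf parameter `gensec:target_hostname`; now anything that builds a struct gensec_settings can set it. It would be worth keeping lp_gensec_settings (defined in loadparm.c, outside this chunk) the only place that populates the field and extending the existing comment in this function to say so, e.g. `/* settings->target_hostname overrides the target for testing only; production settings must leave it NULL */`.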
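Review bot: gensec_setting_int and gensec_setting_bool are exported from gensec.h with no documentation, and their `mechanism` argument is really the loadparm parametric "type" string, which the name does not convey. A header comment on each, such as `/* Read a per-mechanism override (e.g. "gensec_gssapi", "ntlmssp_client") from the underlying loadparm context; default_value is returned when the parameter is unset. Currently a thin wrapper over lp_parm_int/lp_parm_bool. */`, would make the intended scope clear. Both dereference `settings->lp_ctx` unchecked, which is acceptable only as long as every gensec_settings instance is produced by lp_gensec_settings.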
@@ -77,6 +78,12 @@ struct gensec_update_request { } callback; }; +struct gensec_settings { + struct loadparm_context *lp_ctx; + struct smb_iconv_convenience *iconv_convenience; + const char *target_hostname; +}; + struct gensec_security_ops { const char *name; const char *sasl_name; @@ -151,7 +158,6 @@ struct gensec_security_ops_wrapper { struct gensec_security { const struct gensec_security_ops *ops; - struct loadparm_context *lp_ctx; void *private_data; struct cli_credentials *credentials; struct gensec_target target; @@ -161,6 +167,7 @@ struct gensec_security { struct event_context *event_ctx; struct messaging_context *msg_ctx; /* only valid as server */ struct socket_address *my_addr, *peer_addr; + struct gensec_settings *settings; }; /* this structure is used by backends to determine the size of some critical types */ @@ -210,7 +217,7 @@ NTSTATUS gensec_subcontext_start(TALLOC_CTX *mem_ctx, NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct gensec_security **gensec_security, struct event_context *ev, - struct loadparm_context *lp_ctx); + struct gensec_settings *settings); NTSTATUS gensec_start_mech_by_sasl_list(struct gensec_security *gensec_security, const char **sasl_names); NTSTATUS gensec_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, @@ -262,7 +269,7 @@ NTSTATUS gensec_start_mech_by_authtype(struct gensec_security *gensec_security, const char *gensec_get_name_by_authtype(uint8_t authtype); NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx, struct event_context *ev, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, struct messaging_context *msg, struct gensec_security **gensec_security); NTSTATUS gensec_session_info(struct gensec_security *gensec_security, 
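Review bot: struct gensec_settings is introduced without comments even though the commit message says it is meant to shrink to "only some settings required for gensec", so the fields deserve notes on their meaning and lifetime: `lp_ctx` is still read directly by every backend in this diff (lp_realm, lp_workgroup, lp_client_lanman_auth, ...), `iconv_convenience` replaces `lp_iconv_convenience(lp_ctx)` for the NDR and PAC parsing calls, and `target_hostname` is a test-only override. Something like `/* transitional: backends still read loadparm through this */` on lp_ctx and `/* test-only: overrides the negotiated target hostname, NULL in production */` on target_hostname would record that. The `settings` field added to struct gensec_security is a borrowed pointer (gensec_subcontext_start copies `parent->settings` rather than duplicating it), so the header should also state that the settings object must outlive every context and subcontext created from it.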
@@ -295,5 +302,7 @@ struct gensec_security_ops **gensec_use_kerberos_mechs(TALLOC_CTX *mem_ctx, NTSTATUS gensec_start_mech_by_sasl_name(struct gensec_security *gensec_security, const char *sasl_name); +int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value); +bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value); #endif /* __GENSEC_H__ */ diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e307dbb5cb..dcfffef3df 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -154,7 +154,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->gss_exchange_count = 0; gensec_gssapi_state->max_wrap_buf_size - = lp_parm_int(gensec_security->lp_ctx, NULL, "gensec_gssapi", "max wrap buf size", 65536); + = gensec_setting_int(gensec_security->settings, "gensec_gssapi", "max wrap buf size", 65536); gensec_gssapi_state->sasl = false; gensec_gssapi_state->sasl_state = STAGE_GSS_NEG; 
@@ -170,16 +170,16 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) gensec_gssapi_state->input_chan_bindings = GSS_C_NO_CHANNEL_BINDINGS; gensec_gssapi_state->want_flags = 0; - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "mutual", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "delegation", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "replay", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { gensec_gssapi_state->want_flags |= GSS_C_REPLAY_FLAG; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "sequence", true)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) { gensec_gssapi_state->want_flags |= GSS_C_SEQUENCE_FLAG; } @@ -214,10 +214,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) talloc_free(gensec_gssapi_state); return NT_STATUS_INTERNAL_ERROR; } - if (lp_realm(gensec_security->lp_ctx) && *lp_realm(gensec_security->lp_ctx)) { - char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->lp_ctx)); + if (lp_realm(gensec_security->settings->lp_ctx) && *lp_realm(gensec_security->settings->lp_ctx)) { + char *upper_realm = strupper_talloc(gensec_gssapi_state, lp_realm(gensec_security->settings->lp_ctx)); if (!upper_realm) { - DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->lp_ctx))); + DEBUG(1,("gensec_krb5_start: could not uppercase realm: %s\n", lp_realm(gensec_security->settings->lp_ctx))); talloc_free(gensec_gssapi_state); return NT_STATUS_NO_MEMORY; } 
@@ -231,7 +231,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) } /* don't do DNS lookups of any kind, it might/will fail for a netbios name */ - ret = gsskrb5_set_dns_canonicalize(lp_parm_bool(gensec_security->lp_ctx, NULL, "krb5", "set_dns_canonicalize", false)); + ret = gsskrb5_set_dns_canonicalize(gensec_setting_bool(gensec_security->settings, "krb5", "set_dns_canonicalize", false)); if (ret) { DEBUG(1,("gensec_krb5_start: gsskrb5_set_dns_canonicalize failed\n")); talloc_free(gensec_gssapi_state); @@ -240,7 +240,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) ret = smb_krb5_init_context(gensec_gssapi_state, gensec_security->event_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, &gensec_gssapi_state->smb_krb5_context); if (ret) { DEBUG(1,("gensec_krb5_start: krb5_init_context failed (%s)\n", @@ -274,7 +274,7 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi } else { ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->event_ctx, - gensec_security->lp_ctx, &gcc); + gensec_security->settings->lp_ctx, &gcc); if (ret) { DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", error_message(ret))); @@ -336,7 +336,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi gensec_gssapi_state->gss_oid = gss_mech_krb5; principal = gensec_get_target_principal(gensec_security); - if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) { + if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) { name_type = GSS_C_NULL_OID; } else { principal = talloc_asprintf(gensec_gssapi_state, "%s@%s", 
@@ -362,7 +362,7 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi ret = cli_credentials_get_client_gss_creds(creds, gensec_security->event_ctx, - gensec_security->lp_ctx, &gcc); + gensec_security->settings->lp_ctx, &gcc); switch (ret) { case 0: break; @@ -1142,10 +1142,10 @@ static bool gensec_gssapi_have_feature(struct gensec_security *gensec_security, return false; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "force_new_spnego", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "force_new_spnego", false)) { return true; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec_gssapi", "disable_new_spnego", false)) { + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "disable_new_spnego", false)) { return false; } @@ -1256,7 +1256,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi */ if (pac_blob.length) { nt_status = kerberos_pac_blob_to_server_info(mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, pac_blob, gensec_gssapi_state->smb_krb5_context->krb5_context, &server_info); @@ -1290,11 +1290,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, principal_string, + gensec_security->settings->lp_ctx, principal_string, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { 
@@ -1311,7 +1311,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi /* references the server_info into the session_info */ nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, server_info, &session_info); + gensec_security->settings->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1334,13 +1334,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx); + cli_credentials_set_conf(session_info->credentials, gensec_security->settings->lp_ctx); /* Just so we don't segfault trying to get at a username */ cli_credentials_set_anonymous(session_info->credentials); ret = cli_credentials_set_client_gss_creds(session_info->credentials, gensec_security->event_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, gensec_gssapi_state->delegated_cred_handle, CRED_SPECIFIED); if (ret) { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 1f54043038..16867366a4 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -120,7 +120,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) if (cli_credentials_get_krb5_context(creds, gensec_security->event_ctx, - gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { + gensec_security->settings->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } 
@@ -252,7 +252,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->event_ctx, - gensec_security->lp_ctx, &ccache_container); + gensec_security->settings->lp_ctx, &ccache_container); switch (ret) { case 0: break; @@ -267,7 +267,7 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security } in_data.length = 0; - if (principal && lp_client_use_spnego_principal(gensec_security->lp_ctx)) { + if (principal && lp_client_use_spnego_principal(gensec_security->settings->lp_ctx)) { krb5_principal target_principal; ret = krb5_parse_name(gensec_krb5_state->smb_krb5_context->krb5_context, principal, &target_principal); @@ -452,7 +452,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, /* Grab the keytab, however generated */ ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->event_ctx, - gensec_security->lp_ctx, &keytab); + gensec_security->settings->lp_ctx, &keytab); if (ret) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -594,7 +594,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret && lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) { + if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", principal_string, smb_get_krb5_error_message(context, 
@@ -607,7 +607,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string, + nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string, &server_info); krb5_free_principal(context, client_principal); free(principal_string); @@ -630,7 +630,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* decode and verify the pac */ nt_status = kerberos_pac_logon_info(gensec_krb5_state, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, &logon_info, pac, gensec_krb5_state->smb_krb5_context->krb5_context, NULL, gensec_krb5_state->keyblock, @@ -655,7 +655,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info); + nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index f21202b86f..e6d38c14a3 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c 
@@ -85,7 +85,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ #endif ndr_err = ndr_push_struct_blob(out, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel, + gensec_security->settings->iconv_convenience, &bind_schannel, (ndr_push_flags_fn_t)ndr_push_schannel_bind); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); @@ -106,7 +106,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ /* parse the schannel startup blob */ ndr_err = ndr_pull_struct_blob(&in, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), + gensec_security->settings->iconv_convenience, &bind_schannel, (ndr_pull_flags_fn_t)ndr_pull_schannel_bind); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { @@ -126,7 +126,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ /* pull the session key for this client */ status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx, - gensec_security->lp_ctx, workstation, + gensec_security->settings->lp_ctx, workstation, domain, &creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", @@ -144,7 +144,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ bind_schannel_ack.unknown3 = 0x6c0000; ndr_err = ndr_push_struct_blob(out, out_mem_ctx, - lp_iconv_convenience(gensec_security->lp_ctx), &bind_schannel_ack, + gensec_security->settings->iconv_convenience, &bind_schannel_ack, (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { status = ndr_map_error2ntstatus(ndr_err); 
@@ -190,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, struct auth_session_info **_session_info) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); - return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info); + return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, _session_info); } static NTSTATUS schannel_start(struct gensec_security *gensec_security) diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c index eeecfbce15..2af0cc8a00 100644 --- a/source4/auth/ntlm/auth_server.c +++ b/source4/auth/ntlm/auth_server.c @@ -146,6 +146,7 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx, session_setup.in.credentials = creds; session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */ + session_setup.in.gensec_settings = lp_gensec_settings(session, ctx->auth_ctx->lp_ctx); /* Check password with remove server - this should be async some day */ nt_status = smb_composite_sesssetup(session, &session_setup); diff --git a/source4/auth/ntlmssp/ntlmssp_client.c b/source4/auth/ntlmssp/ntlmssp_client.c index 31da9fc927..e28d8462d4 100644 --- a/source4/auth/ntlmssp/ntlmssp_client.c +++ b/source4/auth/ntlmssp/ntlmssp_client.c @@ -192,7 +192,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, if (gensec_ntlmssp_state->use_nt_response) { flags |= CLI_CRED_NTLM_AUTH; } - if (lp_client_lanman_auth(gensec_security->lp_ctx)) { + if (lp_client_lanman_auth(gensec_security->settings->lp_ctx)) { flags |= CLI_CRED_LANMAN_AUTH; } 
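Review bot: The result of `lp_gensec_settings(session, ctx->auth_ctx->lp_ctx)` is assigned to `session_setup.in.gensec_settings` without a NULL check, and the same pattern appears in kpasswdd_process, ldapsrv_BindSASL, ldap_bind_sasl and continue_negprot later in this diff. lp_gensec_settings is defined in loadparm.c outside this chunk, but the talloc parent argument suggests it allocates and can therefore return NULL, which gensec would then dereference in gensec_get_target_hostname or gensec_setting_bool. Either document on lp_gensec_settings that it never returns NULL, or check at each site, e.g. `if (session_setup.in.gensec_settings == NULL) { return NT_STATUS_NO_MEMORY; }`. The enclosing server_check_password body continues outside the hunk.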
@@ -217,7 +217,7 @@ NTSTATUS ntlmssp_client_challenge(struct gensec_security *gensec_security, } if ((gensec_ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_LM_KEY) - && lp_client_lanman_auth(gensec_security->lp_ctx) && lm_session_key.length == 16) { + && lp_client_lanman_auth(gensec_security->settings->lp_ctx) && lm_session_key.length == 16) { DATA_BLOB new_session_key = data_blob_talloc(mem_ctx, NULL, 16); if (lm_response.length == 24) { SMBsesskeygen_lm_sess_key(lm_session_key.data, lm_response.data, 
@@ -308,17 +308,17 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_CLIENT; - gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx); + gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx); - gensec_ntlmssp_state->unicode = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "unicode", true); + gensec_ntlmssp_state->unicode = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "unicode", true); - gensec_ntlmssp_state->use_nt_response = lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "send_nt_reponse", true); + gensec_ntlmssp_state->use_nt_response = gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "send_nt_reponse", true); - gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->lp_ctx) - && (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "allow_lm_key", false) - || lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false))); + gensec_ntlmssp_state->allow_lm_key = (lp_client_lanman_auth(gensec_security->settings->lp_ctx) + && (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "allow_lm_key", false) + || gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false))); - gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->lp_ctx); + gensec_ntlmssp_state->use_ntlmv2 = lp_client_ntlmv2_auth(gensec_security->settings->lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_INITIAL; 
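Review bot: The parameter key `"send_nt_reponse"` on the changed `use_nt_response` line carries a pre-existing misspelling, and since the lookup is being rerouted through gensec_setting_bool this is the point where it is either corrected or frozen. Renaming it would silently change behaviour for any smb.conf that already sets `ntlmssp_client:send_nt_reponse`, so if it stays, a short note would stop the next reader from "fixing" it: `/* "reponse" (sic): the misspelt parameter name is what existing configs use */`.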
@@ -326,27 +326,27 @@ NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security) NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_REQUEST_TARGET; - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "128bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "56bit", false)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "56bit", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "lm_key", false)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "lm_key", false)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_LM_KEY; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "keyexchange", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "alwayssign", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_client", "ntlm2", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_client", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } else { /* apparently we can't do ntlmv2 if we don't do ntlm2 */ diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index cb336d5b46..37cc5f318f 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c 
@@ -186,7 +186,7 @@ NTSTATUS ntlmssp_server_negotiate(struct gensec_security *gensec_security, /* Find out the DNS domain name */ dnsdomname[0] = '\0'; - safe_strcpy(dnsdomname, lp_realm(gensec_security->lp_ctx), sizeof(dnsdomname) - 1); + safe_strcpy(dnsdomname, lp_realm(gensec_security->settings->lp_ctx), sizeof(dnsdomname) - 1); strlower_m(dnsdomname); /* Find out the DNS host name */ @@ -722,7 +722,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, NTSTATUS nt_status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; - nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info); + nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->settings->lp_ctx, gensec_ntlmssp_state->server_info, session_info); NT_STATUS_NOT_OK_RETURN(nt_status); (*session_info)->session_key = data_blob_talloc(*session_info, 
@@ -749,14 +749,14 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->role = NTLMSSP_SERVER; gensec_ntlmssp_state->workstation = NULL; - gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->lp_ctx); + gensec_ntlmssp_state->server_name = lp_netbios_name(gensec_security->settings->lp_ctx); - gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->lp_ctx); + gensec_ntlmssp_state->domain = lp_workgroup(gensec_security->settings->lp_ctx); gensec_ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE; - gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->lp_ctx) - && lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "allow_lm_key", false)); + gensec_ntlmssp_state->allow_lm_key = (lp_lanman_auth(gensec_security->settings->lp_ctx) + && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false)); gensec_ntlmssp_state->server_multiple_authentications = false; 
@@ -767,23 +767,23 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->nt_resp = data_blob(NULL, 0); gensec_ntlmssp_state->encrypted_session_key = data_blob(NULL, 0); - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "128bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "128bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_128; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "56bit", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "56bit", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_56; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "keyexchange", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "keyexchange", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_KEY_EXCH; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "alwayssign", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "alwayssign", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } - if (lp_parm_bool(gensec_security->lp_ctx, NULL, "ntlmssp_server", "ntlm2", true)) { + if (gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "ntlm2", true)) { gensec_ntlmssp_state->neg_flags |= NTLMSSP_NEGOTIATE_NTLM2; } @@ -797,7 +797,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) nt_status = auth_context_create(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->msg_ctx, - gensec_security->lp_ctx, + gensec_security->settings->lp_ctx, &gensec_ntlmssp_state->auth_context); NT_STATUS_NOT_OK_RETURN(nt_status); 
@@ -805,7 +805,7 @@ NTSTATUS gensec_ntlmssp_server_start(struct gensec_security *gensec_security) gensec_ntlmssp_state->may_set_challenge = auth_ntlmssp_may_set_challenge; gensec_ntlmssp_state->set_challenge = auth_ntlmssp_set_challenge; gensec_ntlmssp_state->check_password = auth_ntlmssp_check_password; - gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->lp_ctx); + gensec_ntlmssp_state->server_role = lp_server_role(gensec_security->settings->lp_ctx); return NT_STATUS_OK; } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 4255a6432a..f6a998ae0f 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -447,7 +447,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx)); + sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, + system_session(tmp_ctx, lp_ctx)); if (sam_ctx == NULL) { talloc_free(tmp_ctx); return NT_STATUS_INVALID_SYSTEM_SERVICE; @@ -459,7 +460,8 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, return nt_status; } - nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, lp_netbios_name(lp_ctx), + nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, + lp_netbios_name(lp_ctx), msgs[0], msgs_domain_ref[0], user_sess_key, lm_sess_key, server_info); diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index f5d92cd3c5..2fa07d0531 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c 
@@ -483,7 +483,9 @@ bool kpasswdd_process(struct kdc_server *kdc, ap_req = data_blob_const(&input->data[header_len], ap_req_len); krb_priv_req = data_blob_const(&input->data[header_len + ap_req_len], krb_priv_len); - nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, kdc->task->msg_ctx, &gensec_security); + nt_status = gensec_server_start(tmp_ctx, kdc->task->event_ctx, + lp_gensec_settings(tmp_ctx, kdc->task->lp_ctx), kdc->task->msg_ctx, + &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return false; diff --git a/source4/ldap_server/ldap_bind.c b/source4/ldap_server/ldap_bind.c index 20777e5261..0fe6fcce90 100644 --- a/source4/ldap_server/ldap_bind.c +++ b/source4/ldap_server/ldap_bind.c @@ -142,7 +142,7 @@ static NTSTATUS ldapsrv_BindSASL(struct ldapsrv_call *call) status = gensec_server_start(conn, conn->connection->event.ctx, - conn->lp_ctx, + lp_gensec_settings(conn, conn->lp_ctx), conn->connection->msg_ctx, &conn->gensec); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/libcli/cliconnect.c b/source4/libcli/cliconnect.c index 6f58cfa8a7..402387f5b5 100644 --- a/source4/libcli/cliconnect.c +++ b/source4/libcli/cliconnect.c @@ -73,7 +73,8 @@ NTSTATUS smbcli_negprot(struct smbcli_state *cli, bool unicode, int maxprotocol) NTSTATUS smbcli_session_setup(struct smbcli_state *cli, struct cli_credentials *credentials, const char *workgroup, - struct smbcli_session_options options) + struct smbcli_session_options options, + struct gensec_settings *gensec_settings) { struct smb_composite_sesssetup setup; NTSTATUS status; @@ -86,6 +87,7 @@ NTSTATUS smbcli_session_setup(struct smbcli_state *cli, setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.credentials = credentials; setup.in.workgroup = workgroup; + setup.in.gensec_settings = gensec_settings; status = smb_composite_sesssetup(cli->session, &setup); 
@@ -146,6 +148,7 @@ NTSTATUS smbcli_full_connection(TALLOC_CTX *parent_ctx, const char **ports, const char *sharename, const char *devtype, + const char *socket_options, struct cli_credentials *credentials, struct resolve_context *resolve_ctx, struct event_context *ev, @@ -161,6 +164,7 @@ NTSTATUS smbcli_full_connection(TALLOC_CTX *parent_ctx, status = smbcli_tree_full_connection(parent_ctx, &tree, host, ports, sharename, devtype, + socket_options, credentials, resolve_ctx, ev, options, session_options, diff --git a/source4/libcli/ldap/ldap_bind.c b/source4/libcli/ldap/ldap_bind.c index b66232c02e..a12f7652a5 100644 --- a/source4/libcli/ldap/ldap_bind.c +++ b/source4/libcli/ldap/ldap_bind.c @@ -224,7 +224,8 @@ _PUBLIC_ NTSTATUS ldap_bind_sasl(struct ldap_connection *conn, gensec_init(lp_ctx); status = gensec_client_start(conn, &conn->gensec, - conn->event.event_ctx, lp_ctx); + conn->event.event_ctx, + lp_gensec_settings(conn, lp_ctx)); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to start GENSEC engine (%s)\n", nt_errstr(status))); goto failed; diff --git a/source4/libcli/libcli.h b/source4/libcli/libcli.h index 163852d90a..a4bd727f4c 100644 --- a/source4/libcli/libcli.h +++ b/source4/libcli/libcli.h @@ -64,6 +64,7 @@ enum brl_type { #include "libcli/raw/libcliraw.h" +struct gensec_settings; #include "libcli/libcli_proto.h" #endif /* __LIBCLI_H__ */ diff --git a/source4/libcli/smb2/connect.c b/source4/libcli/smb2/connect.c index 61ee994484..27c78fbce0 100644 --- a/source4/libcli/smb2/connect.c +++ b/source4/libcli/smb2/connect.c @@ -140,7 +140,7 @@ static void continue_negprot(struct smb2_request *req) break; } - state->session = smb2_session_init(transport, global_loadparm, state, true); + state->session = smb2_session_init(transport, lp_gensec_settings(transport, global_loadparm), state, true); if (composite_nomem(state->session, c)) return; creq = smb2_session_setup_spnego_send(state->session, state->credentials); 
@@ -239,6 +239,7 @@ struct composite_context *smb2_connect_send(TALLOC_CTX *mem_ctx, const char *socket_options) { struct composite_context *c; + const char *default_ports[] = { "445", NULL }; struct smb2_connect_state *state; struct nbt_name name; struct composite_context *creq; diff --git a/source4/libcli/smb2/session.c b/source4/libcli/smb2/session.c index 31b3e942e9..127bb9bcae 100644 --- a/source4/libcli/smb2/session.c +++ b/source4/libcli/smb2/session.c @@ -25,13 +25,12 @@ #include "libcli/smb2/smb2_calls.h" #include "libcli/composite/composite.h" #include "auth/gensec/gensec.h" -#include "param/param.h" /** initialise a smb2_session structure */ struct smb2_session *smb2_session_init(struct smb2_transport *transport, - struct loadparm_context *lp_ctx, + struct gensec_settings *settings, TALLOC_CTX *parent_ctx, bool primary) { struct smb2_session *session; @@ -50,7 +49,7 @@ struct smb2_session *smb2_session_init(struct smb2_transport *transport, /* prepare a gensec context for later use */ status = gensec_client_start(session, &session->gensec, session->transport->socket->event.ctx, - lp_ctx); + settings); if (!NT_STATUS_IS_OK(status)) { talloc_free(session); return NULL; diff --git a/source4/libcli/smb2/smb2_calls.h b/source4/libcli/smb2/smb2_calls.h index f66236af30..ec246b209d 100644 --- a/source4/libcli/smb2/smb2_calls.h +++ b/source4/libcli/smb2/smb2_calls.h @@ -107,4 +107,5 @@ struct smb2_setinfo { struct cli_credentials; struct event_context; struct resolve_context; +struct gensec_settings; #include "libcli/smb2/smb2_proto.h" diff --git a/source4/libcli/smb_composite/connect.c b/source4/libcli/smb_composite/connect.c index 7508035f48..70df0a19ff 100644 --- a/source4/libcli/smb_composite/connect.c +++ b/source4/libcli/smb_composite/connect.c 
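Review bot: `default_ports` is declared in smb2_connect_send but not referenced anywhere in this hunk, so unless a later part of the function outside this view uses it, it is an unused local that -Wunused-variable will flag. It is also unrelated to the gensec_settings change this commit describes; either drop it or move it to the commit that wires it into the connect path. smb2_connect_send's body continues outside the hunk.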
@@ -257,6 +257,7 @@ static NTSTATUS connect_negprot(struct composite_context *c, state->io_setup->in.capabilities = state->transport->negotiate.capabilities; state->io_setup->in.credentials = io->in.credentials; state->io_setup->in.workgroup = io->in.workgroup; + state->io_setup->in.gensec_settings = lp_gensec_settings(state->io_setup, global_loadparm); state->creq = smb_composite_sesssetup_send(state->session, state->io_setup); NT_STATUS_HAVE_NO_MEMORY(state->creq); diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 2ca12a5898..10f84a5dba 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -408,7 +408,7 @@ static NTSTATUS session_setup_spnego(struct composite_context *c, smbcli_temp_set_signing(session->transport); status = gensec_client_start(session, &session->gensec, c->event_ctx, - global_loadparm); + io->in.gensec_settings); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(status))); return status; diff --git a/source4/libcli/smb_composite/smb_composite.h b/source4/libcli/smb_composite/smb_composite.h index 2b1e368daa..431733d600 100644 --- a/source4/libcli/smb_composite/smb_composite.h +++ b/source4/libcli/smb_composite/smb_composite.h @@ -122,6 +122,7 @@ struct smb_composite_sesssetup { uint32_t capabilities; struct cli_credentials *credentials; const char *workgroup; + struct gensec_settings *gensec_settings; } in; struct { uint16_t vuid; diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index 2f0a34d88d..dfbe6ee7a6 100644 --- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -40,6 +40,7 @@ enum dcerpc_transport_t { this defines a generic security context for signed/sealed dcerpc pipes. */ struct dcerpc_connection; +struct gensec_settings; struct dcerpc_security { struct dcerpc_auth *auth_info; struct gensec_security *generic_state; 
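Review bot: The new `gensec_settings` field in struct smb_composite_sesssetup carries no ownership note, yet session_setup_spnego hands it to `gensec_client_start(session, ...)`, whose state lives on `session`, while connect_negprot allocates it on `state->io_setup`, which does not obviously outlive the session. If any gensec backend reads `gensec_security->settings` after session setup has completed (the ntlmssp server hunk shows backends do read it at start), that pointer dangles; allocating it on the session in connect_negprot, `lp_gensec_settings(state->session, global_loadparm)`, ties the two lifetimes together. Whichever way it is resolved, the field in smb_composite.h should say so, e.g. `/* must stay valid for the lifetime of the session's gensec context; not freed by the composite */`. connect_negprot and session_setup_spnego both start outside their hunks.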
@@ -322,7 +323,7 @@ NTSTATUS dcerpc_alter_context(struct dcerpc_pipe *p, NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, const struct ndr_interface_table *table, struct cli_credentials *credentials, - struct loadparm_context *lp_ctx, + struct gensec_settings *gensec_settings, uint8_t auth_type, uint8_t auth_level, const char *service); struct composite_context* dcerpc_pipe_connect_send(TALLOC_CTX *parent_ctx, diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index 2eced55967..7c9d04eeb4 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -222,7 +222,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, struct dcerpc_pipe *p, const struct ndr_interface_table *table, struct cli_credentials *credentials, - struct loadparm_context *lp_ctx, + struct gensec_settings *gensec_settings, uint8_t auth_type, uint8_t auth_level, const char *service) { @@ -251,7 +251,7 @@ struct composite_context *dcerpc_bind_auth_send(TALLOC_CTX *mem_ctx, c->status = gensec_client_start(p, &sec->generic_state, p->conn->event_ctx, - lp_ctx); + gensec_settings); if (!NT_STATUS_IS_OK(c->status)) { DEBUG(1, ("Failed to start GENSEC client mode: %s\n", nt_errstr(c->status))); @@ -387,12 +387,12 @@ NTSTATUS dcerpc_bind_auth_recv(struct composite_context *creq) _PUBLIC_ NTSTATUS dcerpc_bind_auth(struct dcerpc_pipe *p, const struct ndr_interface_table *table, struct cli_credentials *credentials, - struct loadparm_context *lp_ctx, + struct gensec_settings *gensec_settings, uint8_t auth_type, uint8_t auth_level, const char *service) { struct composite_context *creq; - creq = dcerpc_bind_auth_send(p, p, table, credentials, lp_ctx, + creq = dcerpc_bind_auth_send(p, p, table, credentials, gensec_settings, auth_type, auth_level, service); return dcerpc_bind_auth_recv(creq); } diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 13bbc3d51f..e3add82bf2 100644 
--- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -29,6 +29,7 @@ #include "librpc/gen_ndr/ndr_netlogon_c.h" #include "auth/credentials/credentials.h" #include "librpc/rpc/dcerpc_proto.h" +#include "param/param.h" struct schannel_key_state { struct dcerpc_pipe *pipe; @@ -319,7 +320,7 @@ static void continue_schannel_key(struct composite_context *ctx) /* send bind auth request with received creds */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, s->credentials, - s->lp_ctx, + lp_gensec_settings(c, s->lp_ctx), DCERPC_AUTH_TYPE_SCHANNEL, s->auth_level, NULL); if (composite_nomem(auth_req, c)) return; diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index ca6a785834..1847b20ee7 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -421,7 +421,8 @@ static void continue_ntlmssp_connection(struct composite_context *ctx) /* initiate a authenticated bind */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->lp_ctx, + s->credentials, + lp_gensec_settings(c, s->lp_ctx), DCERPC_AUTH_TYPE_NTLMSSP, dcerpc_auth_level(s->pipe->conn), s->table->authservices->names[0]); @@ -453,7 +454,9 @@ static void continue_spnego_after_wrong_pass(struct composite_context *ctx) /* initiate a authenticated bind */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->lp_ctx, DCERPC_AUTH_TYPE_SPNEGO, + s->credentials, + lp_gensec_settings(c, s->lp_ctx), + DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(s->pipe->conn), s->table->authservices->names[0]); composite_continue(c, auth_req, continue_auth, c); 
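Review bot: In continue_schannel_key the settings struct is allocated on the composite `c` but handed to dcerpc_bind_auth_send, which per the dcerpc_auth.c hunk passes it to `gensec_client_start(p, &sec->generic_state, ...)`, so the gensec state lives on the pipe while its `settings` pointer lives on a composite that is normally freed when the operation completes. The same pattern appears at all four dcerpc_util.c call sites (continue_ntlmssp_connection, continue_spnego_after_wrong_pass and both branches in dcerpc_pipe_auth_send). If any backend reads `settings` after the bind, that is a use-after-free; `lp_gensec_settings(s->pipe, s->lp_ctx)` keeps the settings alive as long as the pipe that owns the gensec state. continue_schannel_key starts outside the hunk.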
@@ -572,7 +575,9 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, } else { /* try SPNEGO with fallback to NTLMSSP */ auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->lp_ctx, DCERPC_AUTH_TYPE_SPNEGO, + s->credentials, + lp_gensec_settings(c, s->lp_ctx), + DCERPC_AUTH_TYPE_SPNEGO, dcerpc_auth_level(conn), s->table->authservices->names[0]); composite_continue(c, auth_req, continue_auth_auto, c); @@ -580,7 +585,9 @@ struct composite_context *dcerpc_pipe_auth_send(struct dcerpc_pipe *p, } auth_req = dcerpc_bind_auth_send(c, s->pipe, s->table, - s->credentials, s->lp_ctx, auth_type, + s->credentials, + lp_gensec_settings(c, s->lp_ctx), + auth_type, dcerpc_auth_level(conn), s->table->authservices->names[0]); composite_continue(c, auth_req, continue_auth, c); diff --git a/source4/param/loadparm.c b/source4/param/loadparm.c index 6494199fa4..0c831b23d8 100644 --- a/source4/param/loadparm.c +++ b/source4/param/loadparm.c @@ -66,6 +66,7 @@ #include "libcli/raw/libcliraw.h" #include "rpc_server/common/common.h" #include "lib/socket/socket.h" +#include "auth/gensec/gensec.h" #define standard_sub_basic talloc_strdup @@ -2674,3 +2675,14 @@ _PUBLIC_ struct dcerpc_server_info *lp_dcerpc_server_info(TALLOC_CTX *mem_ctx, s return ret; } + +struct gensec_settings *lp_gensec_settings(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) +{ + struct gensec_settings *settings = talloc(mem_ctx, struct gensec_settings); + if (settings == NULL) + return NULL; + settings->lp_ctx = talloc_reference(settings, lp_ctx); + settings->iconv_convenience = lp_iconv_convenience(lp_ctx); + settings->target_hostname = lp_parm_string(lp_ctx, NULL, "gensec", "target_hostname"); + return settings; +} diff --git a/source4/param/param.h b/source4/param/param.h index 8a653be0a8..80bb5ff128 100644 --- a/source4/param/param.h +++ b/source4/param/param.h 
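Review bot: `talloc_reference()` in lp_gensec_settings can return NULL on allocation failure and its result is stored unchecked, leaving a settings struct whose `lp_ctx` is NULL and is later dereferenced by callers such as the ntlmssp server hunk. Check it: `settings->lp_ctx = talloc_reference(settings, lp_ctx);` followed by `if (settings->lp_ctx == NULL) { talloc_free(settings); return NULL; }`. The function is also a new public entry point with no header comment; a short one stating that the result is owned by `mem_ctx`, that it holds a talloc reference to `lp_ctx` for its own lifetime, and that `target_hostname` comes from the parametric `gensec` / `target_hostname` configuration option would make the ownership model clear to the many new callers.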
@@ -67,6 +67,7 @@ struct loadparm_context; struct loadparm_service; struct smbcli_options; struct smbcli_session_options; +struct gensec_settings; void reload_charcnv(struct loadparm_context *lp_ctx); @@ -166,7 +167,6 @@ int lp_cli_minprotocol(struct loadparm_context *); int lp_security(struct loadparm_context *); bool lp_paranoid_server_security(struct loadparm_context *); int lp_announce_as(struct loadparm_context *); -const char **lp_js_include(struct loadparm_context *); const char *lp_servicename(const struct loadparm_service *service); const char *lp_pathname(struct loadparm_service *, struct loadparm_service *); @@ -329,6 +329,7 @@ void lp_smbcli_options(struct loadparm_context *lp_ctx, void lp_smbcli_session_options(struct loadparm_context *lp_ctx, struct smbcli_session_options *options); struct dcerpc_server_info *lp_dcerpc_server_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); +struct gensec_settings *lp_gensec_settings(TALLOC_CTX *, struct loadparm_context *); /* The following definitions come from param/generic.c */ diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index bef7e4be78..5169031d16 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -61,7 +61,9 @@ bool dcesrv_auth_bind(struct dcesrv_call_state *call) return false; } - status = gensec_server_start(dce_conn, call->event_ctx, call->conn->dce_ctx->lp_ctx, call->msg_ctx, &auth->gensec_security); + status = gensec_server_start(dce_conn, call->event_ctx, + lp_gensec_settings(dce_conn, call->conn->dce_ctx->lp_ctx), + call->msg_ctx, &auth->gensec_security); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to start GENSEC for DCERPC server: %s\n", nt_errstr(status))); return false; diff --git a/source4/smb_server/smb/negprot.c b/source4/smb_server/smb/negprot.c index 00ff3862f5..71ee82d162 100644 --- a/source4/smb_server/smb/negprot.c +++ b/source4/smb_server/smb/negprot.c 
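Review bot: The new prototype `struct gensec_settings *lp_gensec_settings(TALLOC_CTX *, struct loadparm_context *);` drops the parameter names, unlike the adjacent `lp_dcerpc_server_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)` declaration; names in prototypes are the only place a header reader learns which context owns the result. Suggest `struct gensec_settings *lp_gensec_settings(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);`. The removal of `lp_js_include` in the same file is unrelated to the gensec_settings change and would be easier to trace in its own commit.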
@@ -353,7 +353,7 @@ static void reply_nt1(struct smbsrv_request *req, uint16_t choice) nt_status = gensec_server_start(req->smb_conn, req->smb_conn->connection->event.ctx, - req->smb_conn->lp_ctx, + lp_gensec_settings(req->smb_conn, req->smb_conn->lp_ctx), req->smb_conn->connection->msg_ctx, &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index a12bbd5cec..f34124b1a0 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -365,7 +365,7 @@ static void sesssetup_spnego(struct smbsrv_request *req, union smb_sesssetup *se status = gensec_server_start(req, req->smb_conn->connection->event.ctx, - req->smb_conn->lp_ctx, + lp_gensec_settings(req, req->smb_conn->lp_ctx), req->smb_conn->connection->msg_ctx, &gensec_ctx); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c index 49a2d12ef4..03e5c9356d 100644 --- a/source4/smb_server/smb2/negprot.c +++ b/source4/smb_server/smb2/negprot.c @@ -42,7 +42,7 @@ static NTSTATUS smb2srv_negprot_secblob(struct smb2srv_request *req, DATA_BLOB * nt_status = gensec_server_start(req, req->smb_conn->connection->event.ctx, - req->smb_conn->lp_ctx, + lp_gensec_settings(req, req->smb_conn->lp_ctx), req->smb_conn->connection->msg_ctx, &gensec_security); if (!NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/smb_server/smb2/sesssetup.c b/source4/smb_server/smb2/sesssetup.c index 9f8765d6e9..176be0b3ea 100644 --- a/source4/smb_server/smb2/sesssetup.c +++ b/source4/smb_server/smb2/sesssetup.c @@ -126,7 +126,7 @@ static void smb2srv_sesssetup_backend(struct smb2srv_request *req, union smb_ses status = gensec_server_start(req, req->smb_conn->connection->event.ctx, - req->smb_conn->lp_ctx, + lp_gensec_settings(req, req->smb_conn->lp_ctx), req->smb_conn->connection->msg_ctx, &gensec_ctx); if (!NT_STATUS_IS_OK(status)) { 
diff --git a/source4/torture/auth/ntlmssp.c b/source4/torture/auth/ntlmssp.c index 1e8b339997..e62b150a4b 100644 --- a/source4/torture/auth/ntlmssp.c +++ b/source4/torture/auth/ntlmssp.c @@ -23,6 +23,7 @@ #include "auth/ntlmssp/ntlmssp.h" #include "lib/cmdline/popt_common.h" #include "torture/torture.h" +#include "param/param.h" static bool torture_ntlmssp_self_check(struct torture_context *tctx) { @@ -34,7 +35,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) torture_assert_ntstatus_ok(tctx, gensec_client_start(mem_ctx, &gensec_security, - tctx->ev, tctx->lp_ctx), + tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx)), "gensec client start"); gensec_set_credentials(gensec_security, cmdline_credentials); @@ -89,7 +90,7 @@ static bool torture_ntlmssp_self_check(struct torture_context *tctx) torture_assert_ntstatus_ok(tctx, gensec_client_start(mem_ctx, &gensec_security, - tctx->ev, tctx->lp_ctx), + tctx->ev, lp_gensec_settings(tctx, tctx->lp_ctx)), "Failed to start GENSEC for NTLMSSP"); gensec_set_credentials(gensec_security, cmdline_credentials); diff --git a/source4/torture/basic/secleak.c b/source4/torture/basic/secleak.c index ca1fd444d9..3fdd9a9bbd 100644 --- a/source4/torture/basic/secleak.c +++ b/source4/torture/basic/secleak.c @@ -44,8 +44,9 @@ static bool try_failed_login(struct torture_context *tctx, struct smbcli_state * setup.in.sesskey = cli->transport->negotiate.sesskey; setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = lp_workgroup(tctx->lp_ctx); - setup.in.credentials = cli_credentials_init(session); + setup.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); + cli_credentials_set_conf(setup.in.credentials, tctx->lp_ctx); cli_credentials_set_domain(setup.in.credentials, "INVALID-DOMAIN", CRED_SPECIFIED); cli_credentials_set_username(setup.in.credentials, "INVALID-USERNAME", CRED_SPECIFIED); 
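Review bot: In try_failed_login the removed line `setup.in.credentials = cli_credentials_init(session);` was the only visible initialisation of `setup.in.credentials`, yet the added `cli_credentials_set_conf(setup.in.credentials, tctx->lp_ctx);` and the following set_domain/set_username calls now operate on it. Unless credentials is assigned earlier in the function outside this hunk, this passes an uninitialised pointer and the test will crash instead of exercising the failed-login path; keeping `setup.in.credentials = cli_credentials_init(session);` before the set_conf call fixes it. try_failed_login starts outside the hunk.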
diff --git a/source4/torture/raw/context.c b/source4/torture/raw/context.c index 450ad0f260..a9d36b7788 100644 --- a/source4/torture/raw/context.c +++ b/source4/torture/raw/context.c @@ -74,6 +74,7 @@ static bool test_session(struct smbcli_state *cli, struct torture_context *tctx) struct smbcli_tree *tree; struct smb_composite_sesssetup setup; struct smb_composite_sesssetup setups[15]; + struct gensec_settings *gensec_settings; union smb_open io; union smb_write wr; union smb_close cl; @@ -92,6 +93,7 @@ static bool test_session(struct smbcli_state *cli, struct torture_context *tctx) printf("create a second security context on the same transport\n"); lp_smbcli_session_options(tctx->lp_ctx, &options); + gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); session = smbcli_session_init(cli->transport, tctx, false, options); @@ -100,6 +102,7 @@ static bool test_session(struct smbcli_state *cli, struct torture_context *tctx) setup.in.workgroup = lp_workgroup(tctx->lp_ctx); setup.in.credentials = cmdline_credentials; + setup.in.gensec_settings = gensec_settings; status = smb_composite_sesssetup(session, &setup); CHECK_STATUS(status, NT_STATUS_OK); @@ -142,7 +145,6 @@ static bool test_session(struct smbcli_state *cli, struct torture_context *tctx) setup.in.workgroup = lp_workgroup(tctx->lp_ctx); setup.in.credentials = cmdline_credentials; - status = smb_composite_sesssetup(session3, &setup); CHECK_STATUS(status, NT_STATUS_LOGON_FAILURE); @@ -233,6 +235,7 @@ static bool test_session(struct smbcli_state *cli, struct torture_context *tctx) setups[i].in.workgroup = lp_workgroup(tctx->lp_ctx); setups[i].in.credentials = cmdline_credentials; + setups[i].in.gensec_settings = gensec_settings; sessions[i] = smbcli_session_init(cli->transport, tctx, false, options); composite_contexts[i] = smb_composite_sesssetup_send(sessions[i], &setups[i]); 
@@ -402,6 +405,7 @@ static bool test_tree_ulogoff(struct smbcli_state *cli, struct torture_context * setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = lp_workgroup(tctx->lp_ctx); setup.in.credentials = cmdline_credentials; + setup.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); status = smb_composite_sesssetup(session1, &setup); CHECK_STATUS(status, NT_STATUS_OK); session1->vuid = setup.out.vuid; @@ -458,6 +462,7 @@ static bool test_tree_ulogoff(struct smbcli_state *cli, struct torture_context * setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = lp_workgroup(tctx->lp_ctx); setup.in.credentials = cmdline_credentials; + setup.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); status = smb_composite_sesssetup(session2, &setup); CHECK_STATUS(status, NT_STATUS_OK); session2->vuid = setup.out.vuid; @@ -657,8 +662,8 @@ static bool test_pid_2sess(struct smbcli_state *cli, struct torture_context *tct setup.in.sesskey = cli->transport->negotiate.sesskey; setup.in.capabilities = cli->transport->negotiate.capabilities; /* ignored in secondary session setup, except by our libs, which care about the extended security bit */ setup.in.workgroup = lp_workgroup(tctx->lp_ctx); - setup.in.credentials = cmdline_credentials; + setup.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); status = smb_composite_sesssetup(session, &setup); CHECK_STATUS(status, NT_STATUS_OK); diff --git a/source4/torture/raw/lock.c b/source4/torture/raw/lock.c index dbe071c9ad..2d1eae3a69 100644 --- a/source4/torture/raw/lock.c +++ b/source4/torture/raw/lock.c 
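Review bot: In test_pid_2sess the hunk at @@ -657 replaces `setup.in.credentials = cmdline_credentials;` with the gensec_settings assignment instead of adding alongside it, so `setup.in.credentials` is no longer set in that function, whereas the two test_tree_ulogoff hunks on this line keep both lines. Unless `setup` is zero-initialised and a NULL credential is intended there, the session setup is sent with an indeterminate credentials pointer; restore `setup.in.credentials = cmdline_credentials;` next to the new line. test_pid_2sess starts outside the hunk.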
@@ -598,6 +598,7 @@ static bool test_async(struct torture_context *tctx, setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = lp_workgroup(tctx->lp_ctx); setup.in.credentials = cmdline_credentials; + setup.in.gensec_settings = lp_gensec_settings(tctx, tctx->lp_ctx); status = smb_composite_sesssetup(session, &setup); CHECK_STATUS(status, NT_STATUS_OK); session->vuid = setup.out.vuid; diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 1f03ad6396..0d18228563 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -92,7 +92,8 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, msg_server_ctx != NULL, "Failed to init messaging context"); - status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, tctx->lp_ctx); + status = gensec_client_start(tctx, &gensec_client_context, tctx->ev, + lp_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); status = gensec_set_target_hostname(gensec_client_context, TEST_MACHINE_NAME); @@ -103,7 +104,9 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_start_mech_by_sasl_name(gensec_client_context, "GSSAPI"); torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); - status = gensec_server_start(tctx, tctx->ev, tctx->lp_ctx, msg_server_ctx, &gensec_server_context); + status = gensec_server_start(tctx, tctx->ev, + lp_gensec_settings(tctx, tctx->lp_ctx), + msg_server_ctx, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c index 93bcb3a1ea..f466244a40 100644 --- a/source4/torture/rpc/samba3rpc.c +++ b/source4/torture/rpc/samba3rpc.c 
@@ -160,6 +160,7 @@ bool torture_bind_authcontext(struct torture_context *torture) setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = ""; setup.in.credentials = anon_creds; + setup.in.gensec_settings = lp_gensec_settings(torture, torture->lp_ctx); status = smb_composite_sesssetup(session2, &setup); if (!NT_STATUS_IS_OK(status)) { @@ -233,7 +234,7 @@ static bool bindtest(struct smbcli_state *cli, } status = dcerpc_bind_auth(lsa_pipe, &ndr_table_lsarpc, - credentials, lp_ctx, auth_type, auth_level, + credentials, lp_gensec_settings(lp_ctx, lp_ctx), auth_type, auth_level, NULL); if (!NT_STATUS_IS_OK(status)) { d_printf("dcerpc_bind_auth failed: %s\n", nt_errstr(status)); @@ -384,7 +385,7 @@ static NTSTATUS get_usr_handle(struct smbcli_state *cli, if (admin_creds != NULL) { status = dcerpc_bind_auth(samr_pipe, &ndr_table_samr, - admin_creds, lp_ctx, auth_type, auth_level, + admin_creds, lp_gensec_settings(lp_ctx, lp_ctx), auth_type, auth_level, NULL); if (!NT_STATUS_IS_OK(status)) { d_printf("dcerpc_bind_auth failed: %s\n", @@ -1013,7 +1014,7 @@ static bool schan(struct smbcli_state *cli, #if 1 net_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); status = dcerpc_bind_auth(net_pipe, &ndr_table_netlogon, - wks_creds, lp_ctx, DCERPC_AUTH_TYPE_SCHANNEL, + wks_creds, lp_gensec_settings(lp_ctx, lp_ctx), DCERPC_AUTH_TYPE_SCHANNEL, DCERPC_AUTH_LEVEL_PRIVACY, NULL); #else @@ -1812,6 +1813,7 @@ bool torture_samba3_rpc_getusername(struct torture_context *torture) setup.in.capabilities = cli->transport->negotiate.capabilities; setup.in.workgroup = ""; setup.in.credentials = user_creds; + setup.in.gensec_settings = lp_gensec_settings(torture, torture->lp_ctx); status = smb_composite_sesssetup(session2, &setup); if (!NT_STATUS_IS_OK(status)) { diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 99fb3e8081..4964694790 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c 
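Review bot: `lp_gensec_settings(lp_ctx, lp_ctx)` in bindtest allocates the settings struct as a child of lp_ctx and, per the loadparm.c hunk, that child then takes a talloc_reference to lp_ctx, so the object references its own parent and cannot be released before lp_ctx itself; each call of bindtest, get_usr_handle and schan adds another one for the life of the test context. Allocate it on the pipe that will own the gensec state instead, `lp_gensec_settings(lsa_pipe, lp_ctx)` here and `samr_pipe` / `net_pipe` in the two later hunks. bindtest's body starts outside the hunk.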
@@ -473,7 +473,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, case NTLMSSP_CLIENT_1: /* setup the client side */ - nt_status = gensec_client_start(NULL, &state->gensec_state, ev, lp_ctx); + nt_status = gensec_client_start(NULL, &state->gensec_state, ev, + lp_gensec_settings(NULL, lp_ctx)); if (!NT_STATUS_IS_OK(nt_status)) { exit(1); } @@ -486,7 +487,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, if (!msg) { exit(1); } - if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_ctx, msg, &state->gensec_state))) { + if (!NT_STATUS_IS_OK(gensec_server_start(state, ev, lp_gensec_settings(state, lp_ctx), + msg, &state->gensec_state))) { exit(1); } break; -- cgit
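Review bot: The client branch of manage_gensec_request allocates with `lp_gensec_settings(NULL, lp_ctx)`, so the settings struct has no parent and is leaked on every NTLMSSP_CLIENT_1 request, while the server branch in the next hunk parents it on `state`. Use the same owner in both places, `lp_gensec_settings(state, lp_ctx)`, so the settings go away with the helper state. manage_gensec_request starts outside the hunk.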