From c62af4f6526d5b4a47b70ecfc4c1c03b1b64cf18 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Jan 2012 21:03:02 +1100 Subject: s3-librpc Make cli_rpc_pipe_open_spnego_ntlmssp() generic This also avoids passing NULL as the server to gensec_set_target_hostname() in spnego_generic_init_client(). Andrew Bartlett Signed-off-by: Stefan Metzmacher --- source3/rpc_client/cli_pipe.c | 97 ++++------------------------------ source3/rpc_client/cli_pipe.h | 27 ++++------ source3/rpc_client/cli_pipe_schannel.c | 5 +- source3/rpcclient/rpcclient.c | 34 ++++++------ source3/winbindd/winbindd_cm.c | 23 ++++---- 5 files changed, 56 insertions(+), 130 deletions(-) (limited to 'source3') diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 9091d879b8..2ddf7bceb1 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c 
@@ -2926,96 +2926,21 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, return NT_STATUS_OK; } -NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli, - const struct ndr_syntax_id *interface, - enum dcerpc_transport_t transport, - enum dcerpc_AuthLevel auth_level, - const char *server, - const char *username, - const char *password, - struct rpc_pipe_client **presult) -{ - struct rpc_pipe_client *result; - struct pipe_auth_data *auth; - struct spnego_context *spnego_ctx; - NTSTATUS status; - const char *target_service = "cifs"; /* TODO: Determine target service from the bindings or interface table */ - - status = cli_rpc_pipe_open(cli, transport, interface, &result); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - auth = talloc(result, struct pipe_auth_data); - if (auth == NULL) { - status = NT_STATUS_NO_MEMORY; - goto err_out; - } - auth->auth_type = DCERPC_AUTH_TYPE_SPNEGO; - auth->auth_level = auth_level; - - if (!username) { - username = ""; - } - auth->user_name = talloc_strdup(auth, username); - if (!auth->user_name) { - status = NT_STATUS_NO_MEMORY; - goto err_out; - } - - /* Fixme, should we fetch/set the Realm ? 
*/ - auth->domain = talloc_strdup(auth, ""); - if (!auth->domain) { - status = NT_STATUS_NO_MEMORY; - goto err_out; - } - - status = spnego_generic_init_client(auth, - GENSEC_OID_KERBEROS5, - (auth->auth_level == - DCERPC_AUTH_LEVEL_INTEGRITY), - (auth->auth_level == - DCERPC_AUTH_LEVEL_PRIVACY), - true, - server, target_service, - auth->domain, auth->user_name, password, - &spnego_ctx); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("spnego_init_client returned %s\n", - nt_errstr(status))); - goto err_out; - } - auth->auth_ctx = spnego_ctx; - - status = rpc_pipe_bind(result, auth); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("cli_rpc_pipe_bind failed with error %s\n", - nt_errstr(status))); - goto err_out; - } - - *presult = result; - return NT_STATUS_OK; - -err_out: - TALLOC_FREE(result); - return status; -} - -NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, - const struct ndr_syntax_id *interface, - enum dcerpc_transport_t transport, - enum dcerpc_AuthLevel auth_level, - const char *domain, - const char *username, - const char *password, - struct rpc_pipe_client **presult) +NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli, + const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, + const char *oid, + enum dcerpc_AuthLevel auth_level, + const char *server, + const char *domain, + const char *username, + const char *password, + struct rpc_pipe_client **presult) { struct rpc_pipe_client *result; struct pipe_auth_data *auth; struct spnego_context *spnego_ctx; NTSTATUS status; - const char *server = NULL; const char *target_service = "cifs"; /* TODO: Determine target service from the bindings or interface table */ status = cli_rpc_pipe_open(cli, transport, interface, &result); @@ -3050,7 +2975,7 @@ NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, } status = spnego_generic_init_client(auth, - GENSEC_OID_NTLMSSP, + oid, (auth->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY), (auth->auth_level == 
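Review bot: The new cli_rpc_pipe_open_spnego() still accepts a NULL `server` and an arbitrary string as `oid` without checking either; the commit message says the change avoids passing NULL to gensec_set_target_hostname(), but that now rests entirely on every caller passing cli_state_remote_name(), and a bad oid is only detected by spnego_generic_init_client() in the second hunk, after cli_rpc_pipe_open() has already opened the pipe. A guard right after the local declarations, `if (oid == NULL || server == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, fails before any traffic is sent and makes the contract explicit. The deleted Kerberos variant tolerated `username == NULL` (`if (!username) username = "";`) and forced `auth->domain` to ""; the part of the retained body that copies domain and username sits between the two hunks and is not visible here, so its handling of NULL for the Kerberos case should be confirmed. The hard-coded `target_service = "cifs"` with its TODO now also covers the Kerberos mechanism, where it presumably selects the service principal, so that TODO is worth resolving sooner. The function body continues past the end of the second hunk.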
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index a9d5784643..25c9fca825 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -95,14 +95,16 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli, const char *password, struct rpc_pipe_client **presult); -NTSTATUS cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli, - const struct ndr_syntax_id *interface, - enum dcerpc_transport_t transport, - enum dcerpc_AuthLevel auth_level, - const char *domain, - const char *username, - const char *password, - struct rpc_pipe_client **presult); +NTSTATUS cli_rpc_pipe_open_spnego(struct cli_state *cli, + const struct ndr_syntax_id *interface, + enum dcerpc_transport_t transport, + const char *oid, + enum dcerpc_AuthLevel auth_level, + const char *server, + const char *domain, + const char *username, + const char *password, + struct rpc_pipe_client **presult); NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli, const struct ndr_syntax_id *interface, @@ -137,15 +139,6 @@ NTSTATUS cli_rpc_pipe_open_krb5(struct cli_state *cli, const char *password, struct rpc_pipe_client **presult); -NTSTATUS cli_rpc_pipe_open_spnego_krb5(struct cli_state *cli, - const struct ndr_syntax_id *interface, - enum dcerpc_transport_t transport, - enum dcerpc_AuthLevel auth_level, - const char *server, - const char *username, - const char *password, - struct rpc_pipe_client **presult); - NTSTATUS cli_get_session_key(TALLOC_CTX *mem_ctx, struct rpc_pipe_client *cli, DATA_BLOB *session_key); diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c index 2c937df0f0..4a11f08a12 100644 --- a/source3/rpc_client/cli_pipe_schannel.c +++ b/source3/rpc_client/cli_pipe_schannel.c @@ -27,6 +27,7 @@ #include "librpc/rpc/dcerpc.h" #include "passdb.h" #include "libsmb/libsmb.h" +#include "auth/gensec/gensec.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_CLI 
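Review bot: The new cli_rpc_pipe_open_spnego() prototype carries no comment, and with more parameters than either of the two functions it replaces a caller cannot tell which `oid` values are accepted or whether `server` may be NULL. Add a Doxygen block above the declaration stating that `oid` selects the GENSEC mechanism negotiated inside SPNEGO (callers in this commit pass GENSEC_OID_NTLMSSP or GENSEC_OID_KERBEROS5), that `server` is the target hostname handed to GENSEC and must not be NULL (per the commit message), and that `*presult` is only set on NT_STATUS_OK. Whether `domain`, `username` and `password` may be NULL for the Kerberos mechanism is not visible here and should be stated once confirmed against the body in cli_pipe.c.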
@@ -98,9 +99,11 @@ static NTSTATUS get_schannel_session_key_auth_ntlmssp(struct cli_state *cli, struct rpc_pipe_client *netlogon_pipe = NULL; NTSTATUS status; - status = cli_rpc_pipe_open_spnego_ntlmssp( + status = cli_rpc_pipe_open_spnego( cli, &ndr_table_netlogon.syntax_id, NCACN_NP, + GENSEC_OID_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, + cli_state_remote_name(cli), domain, username, password, &netlogon_pipe); if (!NT_STATUS_IS_OK(status)) { return status; diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index 27deff56ff..39b54bf052 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -31,6 +31,7 @@ #include "../libcli/security/security.h" #include "passdb.h" #include "libsmb/libsmb.h" +#include "auth/gensec/gensec.h" enum pipe_auth_type_spnego { PIPE_AUTH_TYPE_SPNEGO_NONE = 0, 
@@ -690,30 +691,29 @@ static NTSTATUS do_cmd(struct cli_state *cli, &cmd_entry->rpc_pipe); break; case DCERPC_AUTH_TYPE_SPNEGO: + { + /* won't happen, but if it does it will fail in cli_rpc_pipe_open_spnego() eventually */ + const char *oid = "INVALID"; switch (pipe_default_auth_spnego_type) { case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP: - ntresult = cli_rpc_pipe_open_spnego_ntlmssp( - cli, cmd_entry->interface, - default_transport, - pipe_default_auth_level, - get_cmdline_auth_info_domain(auth_info), - get_cmdline_auth_info_username(auth_info), - get_cmdline_auth_info_password(auth_info), - &cmd_entry->rpc_pipe); + oid = GENSEC_OID_NTLMSSP; break; case PIPE_AUTH_TYPE_SPNEGO_KRB5: - ntresult = cli_rpc_pipe_open_spnego_krb5( - cli, cmd_entry->interface, - default_transport, - pipe_default_auth_level, - cli_state_remote_name(cli), - NULL, NULL, - &cmd_entry->rpc_pipe); + oid = GENSEC_OID_KERBEROS5; break; - default: - ntresult = NT_STATUS_INTERNAL_ERROR; } + ntresult = cli_rpc_pipe_open_spnego( + cli, cmd_entry->interface, + default_transport, + oid, + pipe_default_auth_level, + cli_state_remote_name(cli), + get_cmdline_auth_info_domain(auth_info), + get_cmdline_auth_info_username(auth_info), + get_cmdline_auth_info_password(auth_info), + &cmd_entry->rpc_pipe); break; + } case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_KRB5: ntresult = cli_rpc_pipe_open_generic_auth( diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index 8563050273..5d8826127b 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -76,6 +76,7 @@ #include "../libcli/security/security.h" #include "passdb.h" #include "messages.h" +#include "auth/gensec/gensec.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND 
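Review bot: The removed `default: ntresult = NT_STATUS_INTERNAL_ERROR;` is replaced by the sentinel `oid = "INVALID"`, so an unexpected pipe_default_auth_spnego_type (the enum also has PIPE_AUTH_TYPE_SPNEGO_NONE) now opens the pipe and attempts a bind before failing somewhere inside cli_rpc_pipe_open_spnego(), and the inner switch without a `default:` label will draw a -Wswitch warning. Initialise `oid` to NULL, keep a `default:`, and reject the unset case before the call so the error stays local and no connection is attempted for a misconfigured mechanism. The Kerberos case also now passes the command-line domain, username and password where it previously passed NULL, NULL; that is presumably intended by the generic call, but it is a behaviour change worth a line in the commit message. do_cmd() starts and ends outside the hunk.
```c
	case DCERPC_AUTH_TYPE_SPNEGO:
	{
		const char *oid = NULL;
		switch (pipe_default_auth_spnego_type) {
		case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
			oid = GENSEC_OID_NTLMSSP;
			break;
		case PIPE_AUTH_TYPE_SPNEGO_KRB5:
			oid = GENSEC_OID_KERBEROS5;
			break;
		default:
			break;
		}
		if (oid == NULL) {
			ntresult = NT_STATUS_INTERNAL_ERROR;
			break;
		}
		/* … unchanged: cli_rpc_pipe_open_spnego() call and break … */
```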
@@ -2189,14 +2190,16 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, /* We have an authenticated connection. Use a NTLMSSP SPNEGO authenticated SAMR pipe with sign & seal. */ - status = cli_rpc_pipe_open_spnego_ntlmssp(conn->cli, - &ndr_table_samr.syntax_id, - NCACN_NP, - DCERPC_AUTH_LEVEL_PRIVACY, - domain_name, - machine_account, - machine_password, - &conn->samr_pipe); + status = cli_rpc_pipe_open_spnego(conn->cli, + &ndr_table_samr.syntax_id, + NCACN_NP, + GENSEC_OID_NTLMSSP, + DCERPC_AUTH_LEVEL_PRIVACY, + cli_state_remote_name(conn->cli), + domain_name, + machine_account, + machine_password, + &conn->samr_pipe); if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("cm_connect_sam: failed to connect to SAMR " @@ -2427,9 +2430,11 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, /* We have an authenticated connection. Use a NTLMSSP SPNEGO * authenticated LSA pipe with sign & seal. */ - result = cli_rpc_pipe_open_spnego_ntlmssp + result = cli_rpc_pipe_open_spnego (conn->cli, &ndr_table_lsarpc.syntax_id, NCACN_NP, + GENSEC_OID_NTLMSSP, DCERPC_AUTH_LEVEL_PRIVACY, + cli_state_remote_name(conn->cli), conn->cli->domain, conn->cli->user_name, conn->cli->password, &conn->lsa_pipe); -- cgit