From 85e9412c4786ede6f94d879185d493756d37eebe Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sun, 1 May 2005 19:29:00 +0000 Subject: r6565: Cludge, cludge, cludge... We need to pass the 'secure channel type' to the NETLOGON layer, which must match the account type. (Yes, jelmer objects to this inclusion of the kitchen sink ;-) Andrew Bartlett (This used to be commit 8ee208a926d2b15fdc42753b1f9ee586564c6248) --- source4/librpc/idl/misc.idl | 9 +++++++++ source4/librpc/idl/netlogon.idl | 11 +---------- source4/librpc/rpc/dcerpc.h | 9 ++------- source4/librpc/rpc/dcerpc_schannel.c | 18 ++++-------------- source4/librpc/rpc/dcerpc_util.c | 6 +++--- 5 files changed, 19 insertions(+), 34 deletions(-) (limited to 'source4/librpc') diff --git a/source4/librpc/idl/misc.idl b/source4/librpc/idl/misc.idl index 935032f305..45f4e25602 100644 --- a/source4/librpc/idl/misc.idl +++ b/source4/librpc/idl/misc.idl @@ -22,4 +22,13 @@ interface misc uint32 handle_type; GUID uuid; } policy_handle; + + /* secure channel types */ + /* Only SEC_CHAN_WKSTA can forward requests to other domains. */ + + typedef [public] enum { + SEC_CHAN_WKSTA = 2, + SEC_CHAN_DOMAIN = 4, + SEC_CHAN_BDC = 6 + } netr_SchannelType; } diff --git a/source4/librpc/idl/netlogon.idl b/source4/librpc/idl/netlogon.idl index 0e601b372a..e32b1ee86d 100644 --- a/source4/librpc/idl/netlogon.idl +++ b/source4/librpc/idl/netlogon.idl @@ -248,7 +248,7 @@ interface netlogon [in] uint16 logon_level, [in] [switch_is(logon_level)] netr_LogonLevel logon ); - + /*****************/ @@ -264,15 +264,6 @@ interface netlogon /*****************/ /* Function 0x05 */ - /* secure channel types */ - /* Only SEC_CHAN_WKSTA can forward requests to other domains. */ - - typedef enum { - SEC_CHAN_WKSTA = 2, - SEC_CHAN_DOMAIN = 4, - SEC_CHAN_BDC = 6 - } netr_SchannelType; - NTSTATUS netr_ServerAuthenticate( [in] unistr *server_name, [in] unistr account_name, diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index db7b76a779..89a969a118 100644 --- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -113,12 +113,7 @@ struct dcerpc_pipe { #define DCERPC_PUSH_BIGENDIAN (1<<7) #define DCERPC_PULL_BIGENDIAN (1<<8) -#define DCERPC_SCHANNEL_BDC (1<<9) -#define DCERPC_SCHANNEL_WORKSTATION (1<<10) -#define DCERPC_SCHANNEL_DOMAIN (1<<11) -#define DCERPC_SCHANNEL_ANY (DCERPC_SCHANNEL_BDC| \ - DCERPC_SCHANNEL_DOMAIN| \ - DCERPC_SCHANNEL_WORKSTATION) +#define DCERPC_SCHANNEL (1<<9) /* use a 128 bit session key */ #define DCERPC_SCHANNEL_128 (1<<12) @@ -129,7 +124,7 @@ struct dcerpc_pipe { /* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */ #define DCERPC_NDR_REF_ALLOC (1<<14) -#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL_ANY|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5) +#define DCERPC_AUTH_OPTIONS (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5) /* enable spnego auth */ #define DCERPC_AUTH_SPNEGO (1<<15) diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c index 3ae2624ff9..cc6cbe7b46 100644 --- a/source4/librpc/rpc/dcerpc_schannel.c +++ b/source4/librpc/rpc/dcerpc_schannel.c @@ -30,8 +30,7 @@ */ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx, struct dcerpc_pipe *p, - struct cli_credentials *credentials, - int chan_type) + struct cli_credentials *credentials) { NTSTATUS status; struct dcerpc_binding *b; @@ -109,7 +108,8 @@ static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx, a.in.server_name = r.in.server_name; a.in.account_name = cli_credentials_get_username(credentials); - a.in.secure_channel_type = chan_type; + a.in.secure_channel_type = + cli_credentials_get_secure_channel_type(credentials); a.in.computer_name = cli_credentials_get_workstation(credentials); a.in.negotiate_flags = &negotiate_flags; a.out.negotiate_flags = &negotiate_flags; @@ -143,20 +143,10 @@ NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx, struct cli_credentials *credentials) { NTSTATUS status; - int chan_type = 0; - - if (p->conn->flags & DCERPC_SCHANNEL_BDC) { - chan_type = SEC_CHAN_BDC; - } else if (p->conn->flags & DCERPC_SCHANNEL_WORKSTATION) { - chan_type = SEC_CHAN_WKSTA; - } else if (p->conn->flags & DCERPC_SCHANNEL_DOMAIN) { - chan_type = SEC_CHAN_DOMAIN; - } /* Fills in NETLOGON credentials */ status = dcerpc_schannel_key(tmp_ctx, - p, credentials, - chan_type); + p, credentials); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to setup credentials for account %s: %s\n", diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index d1d9977b39..763ec55e50 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -927,7 +927,7 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, p->conn->binding_string = dcerpc_binding_string(p, binding); if (!cli_credentials_is_anonymous(credentials) && - (binding->flags & DCERPC_SCHANNEL_ANY) && + (binding->flags & DCERPC_SCHANNEL) && !cli_credentials_get_netlogon_creds(credentials)) { /* If we don't already have netlogon credentials for @@ -952,7 +952,7 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, auth_type = DCERPC_AUTH_TYPE_SPNEGO; } else if (binding->flags & DCERPC_AUTH_KRB5) { auth_type = DCERPC_AUTH_TYPE_KRB5; - } else if (binding->flags & DCERPC_SCHANNEL_ANY) { + } else if (binding->flags & DCERPC_SCHANNEL) { auth_type = DCERPC_AUTH_TYPE_SCHANNEL; } else { auth_type = DCERPC_AUTH_TYPE_NTLMSSP; @@ -986,7 +986,7 @@ static NTSTATUS dcerpc_pipe_connect_ncacn_np(TALLOC_CTX *tmp_ctx, struct smbcli_state *cli; const char *pipe_name = NULL; - if (binding->flags & DCERPC_SCHANNEL_ANY) { + if (binding->flags & DCERPC_SCHANNEL) { struct cli_credentials *anon_creds = cli_credentials_init(tmp_ctx); cli_credentials_set_anonymous(anon_creds); -- cgit