From 64df4c7c5726ec266628fff40071e06d268b410e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 25 May 2007 08:04:39 +0000 Subject: r23133: I felt pity on Kai, as he starts work on winbind in Samba4, so I decided to clean it up a little. We now use SPNEGO for authentication if possible, and common routines shared with the rest of the librpc codebase. Rather than make a connection to IPC$, then connect the pipes to it, we instead have the lsa and samr pipes as 'secondary connections'. Andrew Bartlett (This used to be commit 86654056b22245a57396544d572de6401069b9e5) --- source4/winbind/wb_connect_sam.c | 121 ++++++--------------------------------- 1 file changed, 16 insertions(+), 105 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 4423e3e91d..ab34e96635 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -1,10 +1,10 @@ /* Unix SMB/CIFS implementation. - Connect to the SAMR pipe, given an smbcli_tree and possibly some - credentials. Try ntlmssp, schannel and anon in that order. + Connect to the SAMR pipe, and return connection and domain handles. Copyright (C) Volker Lendecke 2005 + Copyright (C) Andrew Bartlett 2007 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -27,6 +27,7 @@ #include "libcli/raw/libcliraw.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_samr_c.h" +#include "winbind/wb_server.h" /* Helper to initialize SAMR with a specific auth methods. Verify by opening @@ -34,8 +35,6 @@ struct connect_samr_state { struct composite_context *ctx; - uint8_t auth_type; - struct cli_credentials *creds; struct dom_sid *sid; struct dcerpc_pipe *samr_pipe; @@ -47,21 +46,16 @@ struct connect_samr_state { }; static void connect_samr_recv_pipe(struct composite_context *ctx); -static void connect_samr_recv_anon_bind(struct composite_context *ctx); -static void connect_samr_recv_auth_bind(struct composite_context *ctx); static void connect_samr_recv_conn(struct rpc_request *req); static void connect_samr_recv_open(struct rpc_request *req); -struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, - struct smbcli_tree *tree, - uint8_t auth_type, - struct cli_credentials *creds, - const struct dom_sid *domain_sid) +struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, + struct wbsrv_domain *domain) { struct composite_context *result, *ctx; struct connect_samr_state *state; - result = composite_create(mem_ctx, tree->session->transport->socket->event.ctx); + result = composite_create(mem_ctx, domain->netlogon_pipe->conn->event_ctx); if (result == NULL) goto failed; state = talloc(result, struct connect_samr_state); @@ -69,18 +63,14 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, state->ctx = result; result->private_data = state; - state->auth_type = auth_type; - state->creds = creds; - state->sid = dom_sid_dup(state, domain_sid); + state->sid = dom_sid_dup(state, domain->info->sid); if (state->sid == NULL) goto failed; - state->samr_pipe = dcerpc_pipe_init(state, result->event_ctx); - if (state->samr_pipe == NULL) goto failed; - - ctx = dcerpc_pipe_open_smb_send(state->samr_pipe, tree, - "\\samr"); - ctx->async.fn = connect_samr_recv_pipe; - ctx->async.private_data = state; + /* this will make the secondary connection on the same IPC$ share, + secured with SPNEGO, NTLMSSP or SCHANNEL */ + ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe, + domain->samr_binding); + composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; failed: @@ -90,78 +80,13 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, static void connect_samr_recv_pipe(struct composite_context *ctx) { - struct connect_samr_state *state = - talloc_get_type(ctx->async.private_data, - struct connect_samr_state); - - state->ctx->status = dcerpc_pipe_open_smb_recv(ctx); - if (!composite_is_ok(state->ctx)) return; - - switch (state->auth_type) { - case DCERPC_AUTH_TYPE_NONE: - ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - &dcerpc_table_samr); - composite_continue(state->ctx, ctx, - connect_samr_recv_anon_bind, state); - break; - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_SCHANNEL: - { - uint8_t auth_type; - if (lp_winbind_sealed_pipes()) { - auth_type = DCERPC_AUTH_LEVEL_PRIVACY; - } else { - auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; - } - if (state->creds == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - return; - } - ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - &dcerpc_table_samr, - state->creds, state->auth_type, - auth_type, - NULL); - composite_continue(state->ctx, ctx, - connect_samr_recv_auth_bind, state); - break; - } - default: - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - } -} - -static void connect_samr_recv_anon_bind(struct composite_context *ctx) -{ - struct connect_samr_state *state = - talloc_get_type(ctx->async.private_data, - struct connect_samr_state); struct rpc_request *req; - - state->ctx->status = dcerpc_bind_auth_none_recv(ctx); - if (!composite_is_ok(state->ctx)) return; - - state->connect_handle = talloc(state, struct policy_handle); - if (composite_nomem(state->connect_handle, state->ctx)) return; - - state->c.in.system_name = - talloc_asprintf(state, "\\\\%s", - dcerpc_server_name(state->samr_pipe)); - state->c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - state->c.out.connect_handle = state->connect_handle; - - req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); - composite_continue_rpc(state->ctx, req, connect_samr_recv_conn, state); -} - -static void connect_samr_recv_auth_bind(struct composite_context *ctx) -{ struct connect_samr_state *state = talloc_get_type(ctx->async.private_data, struct connect_samr_state); - struct rpc_request *req; - state->ctx->status = dcerpc_bind_auth_recv(ctx); + state->ctx->status = dcerpc_secondary_connection_recv(ctx, + &state->samr_pipe); if (!composite_is_ok(state->ctx)) return; state->connect_handle = talloc(state, struct policy_handle); @@ -175,6 +100,7 @@ static void connect_samr_recv_auth_bind(struct composite_context *ctx) req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); composite_continue_rpc(state->ctx, req, connect_samr_recv_conn, state); + return; } static void connect_samr_recv_conn(struct rpc_request *req) @@ -215,7 +141,7 @@ static void connect_samr_recv_open(struct rpc_request *req) composite_done(state->ctx); } -NTSTATUS wb_connect_sam_recv(struct composite_context *c, +NTSTATUS wb_connect_samr_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, struct dcerpc_pipe **samr_pipe, struct policy_handle **connect_handle, @@ -234,18 +160,3 @@ NTSTATUS wb_connect_sam_recv(struct composite_context *c, return status; } -NTSTATUS wb_connect_sam(TALLOC_CTX *mem_ctx, - struct smbcli_tree *tree, - uint8_t auth_type, - struct cli_credentials *creds, - const struct dom_sid *domain_sid, - struct dcerpc_pipe **samr_pipe, - struct policy_handle **connect_handle, - struct policy_handle **domain_handle) -{ - struct composite_context *c = - wb_connect_sam_send(mem_ctx, tree, auth_type, creds, - domain_sid); - return wb_connect_sam_recv(c, mem_ctx, samr_pipe, connect_handle, - domain_handle); -} -- cgit