From 17355fbbd4c4a904bb75c1d8ba98948edaf0fe68 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 15 Oct 2005 22:01:15 +0000 Subject: r11094: Connect to SAM, implement getdcname (This used to be commit a14398715eceecf204caf815a8769ba8214d0576) --- source4/winbind/wb_connect_sam.c | 210 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 210 insertions(+) create mode 100644 source4/winbind/wb_connect_sam.c (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c new file mode 100644 index 0000000000..8693356c7a --- /dev/null +++ b/source4/winbind/wb_connect_sam.c 
@@ -0,0 +1,210 @@ +/* + Unix SMB/CIFS implementation. + + Connect to the SAMR pipe, given an smbcli_tree and possibly some + credentials. Try ntlmssp, schannel and anon in that order. + + Copyright (C) Volker Lendecke 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "libcli/composite/composite.h" + +#include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_samr.h" + + +/* Helper to initialize SAMR with a specific auth methods. 
Verify by opening + * the SAM handle */ + +struct connect_samr_state { + struct composite_context *ctx; + uint8_t auth_type; + struct cli_credentials *creds; + struct dom_sid *sid; + + struct dcerpc_pipe *samr_pipe; + struct policy_handle *connect_handle; + struct policy_handle *domain_handle; + + struct samr_Connect2 c; + struct samr_OpenDomain o; +}; + +static void connect_samr_recv_pipe(struct composite_context *ctx); +static void connect_samr_recv_conn(struct rpc_request *req); +static void connect_samr_recv_open(struct rpc_request *req); + +struct composite_context *wb_connect_sam_send(struct smbcli_tree *tree, + uint8_t auth_type, + struct cli_credentials *creds, + const struct dom_sid *domain_sid) +{ + struct composite_context *result, *ctx; + struct connect_samr_state *state; + + result = talloc(NULL, struct composite_context); + if (result == NULL) goto failed; + result->state = COMPOSITE_STATE_IN_PROGRESS; + result->async.fn = NULL; + result->event_ctx = tree->session->transport->socket->event.ctx; + + state = talloc(result, struct connect_samr_state); + if (state == NULL) goto failed; + state->ctx = result; + result->private_data = state; + + state->auth_type = auth_type; + state->creds = creds; + state->sid = dom_sid_dup(state, domain_sid); + if (state->sid == NULL) goto failed; + + state->samr_pipe = dcerpc_pipe_init(state, result->event_ctx); + if (state->samr_pipe == NULL) goto failed; + + ctx = dcerpc_pipe_open_smb_send(state->samr_pipe->conn, tree, + "\\samr"); + ctx->async.fn = connect_samr_recv_pipe; + ctx->async.private_data = state; + return result; + + failed: + talloc_free(result); + return NULL; +} + +static void connect_samr_recv_pipe(struct composite_context *ctx) +{ + struct connect_samr_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_samr_state); + struct rpc_request *req; + + state->ctx->status = dcerpc_pipe_open_smb_recv(ctx); + if (!composite_is_ok(state->ctx)) return; + + switch (state->auth_type) { + case 
DCERPC_AUTH_TYPE_NONE: + state->ctx->status = + dcerpc_bind_auth_none(state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION); + break; + case DCERPC_AUTH_TYPE_NTLMSSP: + case DCERPC_AUTH_TYPE_SCHANNEL: + if (state->creds == NULL) { + composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); + return; + } + state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); + state->ctx->status = + dcerpc_bind_auth_password(state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION, + state->creds, + state->auth_type, + NULL); + break; + default: + state->ctx->status = NT_STATUS_INTERNAL_ERROR; + + } + + state->connect_handle = talloc(state, struct policy_handle); + if (composite_nomem(state->connect_handle, state->ctx)) return; + + state->c.in.system_name = + talloc_asprintf(state, "\\\\%s", + dcerpc_server_name(state->samr_pipe)); + state->c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + state->c.out.connect_handle = state->connect_handle; + + req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); + composite_continue_rpc(state->ctx, req, connect_samr_recv_conn, state); +} + +static void connect_samr_recv_conn(struct rpc_request *req) +{ + struct connect_samr_state *state = + talloc_get_type(req->async.private, + struct connect_samr_state); + + state->ctx->status = dcerpc_ndr_request_recv(req); + if (!composite_is_ok(state->ctx)) return; + state->ctx->status = state->c.out.result; + if (!composite_is_ok(state->ctx)) return; + + state->domain_handle = talloc(state, struct policy_handle); + if (composite_nomem(state->domain_handle, state->ctx)) return; + + state->o.in.connect_handle = state->connect_handle; + state->o.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + state->o.in.sid = state->sid; + state->o.out.domain_handle = state->domain_handle; + + req = dcerpc_samr_OpenDomain_send(state->samr_pipe, state, &state->o); + composite_continue_rpc(state->ctx, req, + connect_samr_recv_open, state); +} + +static void connect_samr_recv_open(struct rpc_request *req) 
+{ + struct connect_samr_state *state = + talloc_get_type(req->async.private, + struct connect_samr_state); + + state->ctx->status = dcerpc_ndr_request_recv(req); + if (!composite_is_ok(state->ctx)) return; + state->ctx->status = state->o.out.result; + if (!composite_is_ok(state->ctx)) return; + + composite_done(state->ctx); +} + +NTSTATUS wb_connect_sam_recv(struct composite_context *c, + TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **samr_pipe, + struct policy_handle **connect_handle, + struct policy_handle **domain_handle) +{ + NTSTATUS status = composite_wait(c); + if (NT_STATUS_IS_OK(status)) { + struct connect_samr_state *state = + talloc_get_type(c->private_data, + struct connect_samr_state); + *samr_pipe = talloc_steal(mem_ctx, state->samr_pipe); + *connect_handle = talloc_steal(mem_ctx, state->connect_handle); + *domain_handle = talloc_steal(mem_ctx, state->domain_handle); + } + talloc_free(c); + return status; +} + +NTSTATUS wb_connect_sam(struct smbcli_tree *tree, + uint8_t auth_type, + struct cli_credentials *creds, + const struct dom_sid *domain_sid, + TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **samr_pipe, + struct policy_handle **connect_handle, + struct policy_handle **domain_handle) +{ + struct composite_context *c = + wb_connect_sam_send(tree, auth_type, creds, domain_sid); + return wb_connect_sam_recv(c, mem_ctx, samr_pipe, connect_handle, + domain_handle); +} -- cgit From 6b6a739eca1e16c0c101289b1984a639fce10223 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 5 Nov 2005 09:34:07 +0000 Subject: r11517: Cleanup time, this looks larger than it is. This mainly gets rid of wb_domain_request, now that we have queued rpc requests. Volker (This used to be commit 848522d1b64c1c283ac1ea7ce7f1a7a1b014a2aa) --- source4/winbind/wb_connect_sam.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') 
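Review bot: In connect_samr_recv_pipe() the status returned by dcerpc_bind_auth_none() / dcerpc_bind_auth_password() is never tested, so a failed or rejected bind, and the `default:` branch that sets NT_STATUS_INTERNAL_ERROR, still fall through to dcerpc_samr_Connect2_send() on the pipe. Add `if (!composite_is_ok(state->ctx)) return;` directly after the switch, so that an authentication failure ends the request instead of being replaced by the status that connect_samr_recv_conn() assigns later. Separately, wb_connect_sam_send() writes to `ctx->async.fn` without checking the return of dcerpc_pipe_open_smb_send(); if that helper can return NULL on allocation failure this is a NULL dereference, and `if (ctx == NULL) goto failed;` would cover it (the same unchecked use is still visible in the later `@@ -80,7 +80,7 @@` hunk). The talloc_asprintf() result stored in `state->c.in.system_name` is likewise unchecked, although composite_nomem() is used for the allocation just above it.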
diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 8693356c7a..2ce189a5c7 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -49,7 +49,8 @@ static void connect_samr_recv_pipe(struct composite_context *ctx); static void connect_samr_recv_conn(struct rpc_request *req); static void connect_samr_recv_open(struct rpc_request *req); -struct composite_context *wb_connect_sam_send(struct smbcli_tree *tree, +struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, + struct smbcli_tree *tree, uint8_t auth_type, struct cli_credentials *creds, const struct dom_sid *domain_sid) @@ -57,7 +58,7 @@ struct composite_context *wb_connect_sam_send(struct smbcli_tree *tree, struct composite_context *result, *ctx; struct connect_samr_state *state; - result = talloc(NULL, struct composite_context); + result = talloc(mem_ctx, struct composite_context); if (result == NULL) goto failed; result->state = COMPOSITE_STATE_IN_PROGRESS; result->async.fn = NULL; @@ -194,17 +195,18 @@ NTSTATUS wb_connect_sam_recv(struct composite_context *c, return status; } -NTSTATUS wb_connect_sam(struct smbcli_tree *tree, +NTSTATUS wb_connect_sam(TALLOC_CTX *mem_ctx, + struct smbcli_tree *tree, uint8_t auth_type, struct cli_credentials *creds, const struct dom_sid *domain_sid, - TALLOC_CTX *mem_ctx, struct dcerpc_pipe **samr_pipe, struct policy_handle **connect_handle, struct policy_handle **domain_handle) { struct composite_context *c = - wb_connect_sam_send(tree, auth_type, creds, domain_sid); + wb_connect_sam_send(mem_ctx, tree, auth_type, creds, + domain_sid); return wb_connect_sam_recv(c, mem_ctx, samr_pipe, connect_handle, domain_handle); } -- cgit From f2dedc629ca0d15a59de38812abb0b290fed0a37 Mon Sep 17 00:00:00 2001 
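Review bot: The new `mem_ctx` parameter changes who owns the request, and neither wb_connect_sam_send() nor wb_connect_sam() documents that. With `talloc(mem_ctx, struct composite_context)` the composite context and the state hung off it become children of the caller's context, while wb_connect_sam_recv() still calls `talloc_free(c)` unconditionally. A caller that frees `mem_ctx` before calling the recv function would therefore hand it a dangling pointer. I would add a comment above wb_connect_sam_send() such as `/* result is a talloc child of mem_ctx; keep mem_ctx alive until wb_connect_sam_recv() has run, which frees the request */`. Both functions continue outside the hunks shown.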
From: Volker Lendecke Date: Sun, 20 Nov 2005 16:28:39 +0000 Subject: r11809: Make dcerpc_bind_auth async. This also removes dcerpc_bind_auth_password, the only user of dcerpc_bind_auth. And this was not only passwords anyway. Andrew Bartlett, as usual: Please take a close look. Thanks, Volker (This used to be commit 2ff2dae3d035af6cb0c131573cfd983fc9a58eee) --- source4/winbind/wb_connect_sam.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 2ce189a5c7..c806a6688b 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -113,12 +113,11 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) } state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); state->ctx->status = - dcerpc_bind_auth_password(state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION, - state->creds, - state->auth_type, - NULL); + dcerpc_bind_auth(state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION, + state->creds, state->auth_type, + NULL); break; default: state->ctx->status = NT_STATUS_INTERNAL_ERROR; -- cgit From a6852523d677f6c39a92e0e2b5d970211b29558b Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sun, 20 Nov 2005 17:34:56 +0000 Subject: r11812: Convert winbind to the async bind routines. Also remove tridge's hack for the winbind "bug" :-) Volker (This used to be commit fb9a3c7ef376f289288c71bc47d67f548ddb7194) --- source4/winbind/wb_connect_sam.c | 62 +++++++++++++++++++++++++++++++--------- 1 file changed, 49 insertions(+), 13 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index c806a6688b..b5511a1a12 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c 
@@ -46,6 +46,8 @@ struct connect_samr_state { }; static void connect_samr_recv_pipe(struct composite_context *ctx); +static void connect_samr_recv_anon_bind(struct composite_context *ctx); +static void connect_samr_recv_auth_bind(struct composite_context *ctx); static void connect_samr_recv_conn(struct rpc_request *req); static void connect_samr_recv_open(struct rpc_request *req); @@ -93,17 +95,17 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) struct connect_samr_state *state = talloc_get_type(ctx->async.private_data, struct connect_samr_state); - struct rpc_request *req; state->ctx->status = dcerpc_pipe_open_smb_recv(ctx); if (!composite_is_ok(state->ctx)) return; switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: - state->ctx->status = - dcerpc_bind_auth_none(state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION); + ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION); + composite_continue(state->ctx, ctx, + connect_samr_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: 
@@ -112,17 +114,51 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) return; } state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); - state->ctx->status = - dcerpc_bind_auth(state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION, - state->creds, state->auth_type, - NULL); + ctx = dcerpc_bind_auth_send(state, state->samr_pipe, + DCERPC_SAMR_UUID, + DCERPC_SAMR_VERSION, + state->creds, state->auth_type, + NULL); + composite_continue(state->ctx, ctx, + connect_samr_recv_auth_bind, state); break; default: - state->ctx->status = NT_STATUS_INTERNAL_ERROR; - + composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } +} + +static void connect_samr_recv_anon_bind(struct composite_context *ctx) +{ + struct connect_samr_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_samr_state); + struct rpc_request *req; + + state->ctx->status = dcerpc_bind_auth_none_recv(ctx); + if (!composite_is_ok(state->ctx)) return; + + state->connect_handle = talloc(state, struct policy_handle); + if (composite_nomem(state->connect_handle, state->ctx)) return; + + state->c.in.system_name = + talloc_asprintf(state, "\\\\%s", + dcerpc_server_name(state->samr_pipe)); + state->c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + state->c.out.connect_handle = state->connect_handle; + + req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); + composite_continue_rpc(state->ctx, req, connect_samr_recv_conn, state); +} + +static void connect_samr_recv_auth_bind(struct composite_context *ctx) +{ + struct connect_samr_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_samr_state); + struct rpc_request *req; + + state->ctx->status = dcerpc_bind_auth_recv(ctx); + if (!composite_is_ok(state->ctx)) return; state->connect_handle = talloc(state, struct policy_handle); if (composite_nomem(state->connect_handle, state->ctx)) return; -- cgit From acd6a086b341096fcbea1775ce748587fcc8020a Mon Sep 17 00:00:00 2001 
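Review bot: connect_samr_recv_anon_bind() and connect_samr_recv_auth_bind() repeat the same Connect2 setup and differ only in the recv call (`dcerpc_bind_auth_none_recv` versus `dcerpc_bind_auth_recv`), and in both the talloc_asprintf() result assigned to `state->c.in.system_name` is used unchecked. Moving the shared tail (handle allocation, system_name, access mask, Connect2 send) into one static helper taking `struct connect_samr_state *` would leave each callback with just its recv call and the status test, and would keep the anonymous and authenticated paths from drifting apart. In that helper, add `if (composite_nomem(state->c.in.system_name, state->ctx)) return;` right after the talloc_asprintf() call. The body of connect_samr_recv_auth_bind() continues past the end of this hunk.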
From: Jelmer Vernooij Date: Tue, 27 Dec 2005 14:28:01 +0000 Subject: r12510: Change the DCE/RPC interfaces to take a pointer to a dcerpc_interface_table struct rather then a tuple of interface name, UUID and version. This removes the requirement for having a global list of DCE/RPC interfaces, except for these parts of the code that use that list explicitly (ndrdump and the scanner torture test). This should also allow us to remove the hack that put the authservice parameter in the dcerpc_binding struct as it can now be read directly from dcerpc_interface_table. I will now modify some of these functions to take a dcerpc_syntax_id structure rather then a full dcerpc_interface_table. (This used to be commit 8aae0f168e54c01d0866ad6e0da141dbd828574f) --- source4/winbind/wb_connect_sam.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index b5511a1a12..e3b9c82310 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -102,8 +102,7 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION); + &dcerpc_table_samr); composite_continue(state->ctx, ctx, connect_samr_recv_anon_bind, state); break; @@ -115,8 +114,7 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) } state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - DCERPC_SAMR_UUID, - DCERPC_SAMR_VERSION, + &dcerpc_table_samr, state->creds, state->auth_type, NULL); composite_continue(state->ctx, ctx, -- cgit From a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Thu, 12 Jan 2006 09:33:49 +0000 Subject: r12865: Upgrade the librpc and libnet code. In librpc, always try SMB level authentication, even if trying schannel, but allow fallback to anonymous. This should better function with servers that set restrict anonymous. There are too many parts of Samba that get, parse and modify the binding parameters. Avoid the extra work, and add a binding element to the struct dcerpc_pipe The libnet vampire code has been refactored, to reduce extra layers and to better conform with the standard argument pattern. Also, take advantage of the new libnet_Lookup code, so we don't require the silly 'password server' smb.conf parameter. To better support forcing traffic to be sealed for the vampire operation, the dcerpc_bind_auth() function now takes an auth level parameter. Andrew Bartlett (This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa) --- source4/winbind/wb_connect_sam.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e3b9c82310..1817785508 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c 
@@ -102,24 +102,32 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - &dcerpc_table_samr); + &dcerpc_table_samr); composite_continue(state->ctx, ctx, connect_samr_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: + { + uint8_t auth_type; + if (lp_winbind_sealed_pipes()) { + auth_type = DCERPC_AUTH_LEVEL_PRIVACY; + } else { + auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; + } if (state->creds == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; } - state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - &dcerpc_table_samr, + &dcerpc_table_samr, state->creds, state->auth_type, + auth_type, NULL); composite_continue(state->ctx, ctx, connect_samr_recv_auth_bind, state); break; + } default: composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } -- cgit From 4ac2be99588b48b0652a524bf12fb1aa9c3f5fbb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Tue, 7 Mar 2006 11:07:23 +0000 Subject: r13924: Split more prototypes out of include/proto.h + initial work on header file dependencies (This used to be commit 122835876748a3eaf5e8d31ad1abddab9acb8781) --- source4/winbind/wb_connect_sam.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 1817785508..2c26ffe29a 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -25,6 +25,7 @@ #include "libcli/composite/composite.h" #include "libcli/raw/libcliraw.h" +#include "libcli/security/proto.h" #include "librpc/gen_ndr/ndr_samr.h" -- cgit From 1060f6b3f621cb70b075a879f129e57f10fdbf8a Mon Sep 17 00:00:00 2001 
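Review bot: The new local `uint8_t auth_type` in the NTLMSSP/SCHANNEL case holds an authentication level (DCERPC_AUTH_LEVEL_PRIVACY or DCERPC_AUTH_LEVEL_INTEGRITY), not a type. It is passed right next to `state->auth_type`, also a uint8_t, in the dcerpc_bind_auth_send() call, so swapping the two arguments would compile silently; rename it, e.g. `uint8_t auth_level;`. The hunk also drops the unconditional `DCERPC_SIGN | DCERPC_SEAL` flags, so the SAMR pipe is now sealed only when lp_winbind_sealed_pipes() returns true and otherwise runs at integrity level. A comment on the `else` branch such as `/* signed but not encrypted: SAMR payloads are readable on the wire */` would make that reduction in protection an explicit, reviewable choice. The enclosing connect_samr_recv_pipe() starts and ends outside the hunk.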
From: Jelmer Vernooij Date: Tue, 14 Mar 2006 23:35:30 +0000 Subject: r14402: Generate seperate headers for RPC client functions. (This used to be commit 7054ebf0249930843a2baf4d023ae8f62cedb109) --- source4/winbind/wb_connect_sam.c | 1 + 1 file changed, 1 insertion(+) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 2c26ffe29a..e1f4d6a317 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -27,6 +27,7 @@ #include "libcli/raw/libcliraw.h" #include "libcli/security/proto.h" #include "librpc/gen_ndr/ndr_samr.h" +#include "librpc/gen_ndr/ndr_samr_c.h" /* Helper to initialize SAMR with a specific auth methods. Verify by opening -- cgit From 4f1c8daa36a7a0372c5fd9eab51f3c16ee81c49d Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 16 Mar 2006 12:43:28 +0000 Subject: r14470: Remove some unnecessary headers. (This used to be commit f7312dab3b9aba2b2b82e8a6e0c483a32a03a63a) --- source4/winbind/wb_connect_sam.c | 1 - 1 file changed, 1 deletion(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e1f4d6a317..e496cc3c58 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -26,7 +26,6 @@ #include "libcli/raw/libcliraw.h" #include "libcli/security/proto.h" -#include "librpc/gen_ndr/ndr_samr.h" #include "librpc/gen_ndr/ndr_samr_c.h" -- cgit From 1af925f394b1084779f5b1b5a10c2ec512d7e5be Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 2 Apr 2006 12:02:01 +0000 Subject: r14860: create libcli/security/security.h metze (This used to be commit 9ec706238c173992dc938d537bdf1103bf519dbf) --- source4/winbind/wb_connect_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_connect_sam.c') 
diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e496cc3c58..5e5a33d2c1 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -25,7 +25,7 @@ #include "libcli/composite/composite.h" #include "libcli/raw/libcliraw.h" -#include "libcli/security/proto.h" +#include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_samr_c.h" -- cgit From 60fd088c480e474c3db8870f1288462a8452cea3 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Mon, 26 Feb 2007 05:37:19 +0000 Subject: r21535: - fixed a crash in the RAW-ACLS test. When a dcerpc_pipe is created using the pattern in the clilsa code, it didn't fill in the p->binding structure. This affects nearly all users of dcerpc_pipe_open_smb(), so the simplest fix is to ensure that dcerpc_pipe_open_smb() initialises the binding if its not already there. - re-enable the RAW-ACLS test (This used to be commit d8875c286d2be49c01703d8fd58bbc1842054bd9) --- source4/winbind/wb_connect_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 5e5a33d2c1..393c5f8437 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -80,7 +80,7 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, state->samr_pipe = dcerpc_pipe_init(state, result->event_ctx); if (state->samr_pipe == NULL) goto failed; - ctx = dcerpc_pipe_open_smb_send(state->samr_pipe->conn, tree, + ctx = dcerpc_pipe_open_smb_send(state->samr_pipe, tree, "\\samr"); ctx->async.fn = connect_samr_recv_pipe; ctx->async.private_data = state; -- cgit From fcdb99f7ce049494063c88a495dabd8849cf251c Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Sun, 29 Apr 2007 21:40:48 +0000 Subject: r22582: Cleanups towards making winbind work again. We still have a long way to go, as this has bitrotted over the past months. This change in particular catches winbind up with the next composite_create() function. We also needed to remove an unused flags field, and fill in the lm response. Andrew Bartlett (This used to be commit bd26e4ffaf1c060fdc3aae28fd4393e83c5a83ea) --- source4/winbind/wb_connect_sam.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 393c5f8437..a14b7bd83b 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -61,11 +61,8 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, struct composite_context *result, *ctx; struct connect_samr_state *state; - result = talloc(mem_ctx, struct composite_context); + result = composite_create(mem_ctx, tree->session->transport->socket->event.ctx); if (result == NULL) goto failed; - result->state = COMPOSITE_STATE_IN_PROGRESS; - result->async.fn = NULL; - result->event_ctx = tree->session->transport->socket->event.ctx; state = talloc(result, struct connect_samr_state); if (state == NULL) goto failed; -- cgit From 40cd2d778093d7799b27b6beb37166d8a53f965c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 May 2007 14:52:54 +0000 Subject: r22944: fix bug #4618: rename private -> private_data metze (This used to be commit 58551f2f28fce8f1fcd04736c47ecd7458f32ea2) --- source4/winbind/wb_connect_sam.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index a14b7bd83b..4423e3e91d 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c 
@@ -180,7 +180,7 @@ static void connect_samr_recv_auth_bind(struct composite_context *ctx) static void connect_samr_recv_conn(struct rpc_request *req) { struct connect_samr_state *state = - talloc_get_type(req->async.private, + talloc_get_type(req->async.private_data, struct connect_samr_state); state->ctx->status = dcerpc_ndr_request_recv(req); @@ -204,7 +204,7 @@ static void connect_samr_recv_conn(struct rpc_request *req) static void connect_samr_recv_open(struct rpc_request *req) { struct connect_samr_state *state = - talloc_get_type(req->async.private, + talloc_get_type(req->async.private_data, struct connect_samr_state); state->ctx->status = dcerpc_ndr_request_recv(req); -- cgit From 64df4c7c5726ec266628fff40071e06d268b410e Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 25 May 2007 08:04:39 +0000 Subject: r23133: I felt pity on Kai, as he starts work on winbind in Samba4, so I decided to clean it up a little. We now use SPNEGO for authentication if possible, and common routines shared with the rest of the librpc codebase. Rather than make a connection to IPC$, then connect the pipes to it, we instead have the lsa and samr pipes as 'secondary connections'. Andrew Bartlett (This used to be commit 86654056b22245a57396544d572de6401069b9e5) --- source4/winbind/wb_connect_sam.c | 121 ++++++--------------------------------- 1 file changed, 16 insertions(+), 105 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 4423e3e91d..ab34e96635 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c 
@@ -1,10 +1,10 @@ /* Unix SMB/CIFS implementation. - Connect to the SAMR pipe, given an smbcli_tree and possibly some - credentials. Try ntlmssp, schannel and anon in that order. + Connect to the SAMR pipe, and return connection and domain handles. Copyright (C) Volker Lendecke 2005 + Copyright (C) Andrew Bartlett 2007 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -27,6 +27,7 @@ #include "libcli/raw/libcliraw.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_samr_c.h" +#include "winbind/wb_server.h" /* Helper to initialize SAMR with a specific auth methods. Verify by opening @@ -34,8 +35,6 @@ struct connect_samr_state { struct composite_context *ctx; - uint8_t auth_type; - struct cli_credentials *creds; struct dom_sid *sid; struct dcerpc_pipe *samr_pipe; @@ -47,21 +46,16 @@ struct connect_samr_state { }; static void connect_samr_recv_pipe(struct composite_context *ctx); -static void connect_samr_recv_anon_bind(struct composite_context *ctx); -static void connect_samr_recv_auth_bind(struct composite_context *ctx); static void connect_samr_recv_conn(struct rpc_request *req); static void connect_samr_recv_open(struct rpc_request *req); -struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, - struct smbcli_tree *tree, - uint8_t auth_type, - struct cli_credentials *creds, - const struct dom_sid *domain_sid) +struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, + struct wbsrv_domain *domain) { struct composite_context *result, *ctx; struct connect_samr_state *state; - result = composite_create(mem_ctx, tree->session->transport->socket->event.ctx); + result = composite_create(mem_ctx, domain->netlogon_pipe->conn->event_ctx); if (result == NULL) goto failed; state = talloc(result, struct connect_samr_state); 
@@ -69,18 +63,14 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, state->ctx = result; result->private_data = state; - state->auth_type = auth_type; - state->creds = creds; - state->sid = dom_sid_dup(state, domain_sid); + state->sid = dom_sid_dup(state, domain->info->sid); if (state->sid == NULL) goto failed; - state->samr_pipe = dcerpc_pipe_init(state, result->event_ctx); - if (state->samr_pipe == NULL) goto failed; - - ctx = dcerpc_pipe_open_smb_send(state->samr_pipe, tree, - "\\samr"); - ctx->async.fn = connect_samr_recv_pipe; - ctx->async.private_data = state; + /* this will make the secondary connection on the same IPC$ share, + secured with SPNEGO, NTLMSSP or SCHANNEL */ + ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe, + domain->samr_binding); + composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; failed: 
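Review bot: The comment added before dcerpc_secondary_connection_send() says the connection is "secured with SPNEGO, NTLMSSP or SCHANNEL", but after this commit nothing visible in the file binds the SAMR interface or selects an auth level. The removed code called dcerpc_bind_auth_send() with a level chosen from lp_winbind_sealed_pipes(), whereas connect_samr_recv_pipe() (the `@@ -90,78 +80,13 @@` hunk) now goes from dcerpc_secondary_connection_recv() straight to dcerpc_samr_Connect2_send(). Unless the secondary-connection helper performs the authenticated bind itself, which cannot be confirmed from this page, SAMR requests would go out without the signing or sealing the comment promises. Either bind explicitly in connect_samr_recv_pipe() before Connect2, or reword the comment to say where the protection comes from, e.g. `/* auth type and sign/seal come from domain->samr_binding; bind is done in <function that performs the bind> */`. wb_connect_samr_send() also dereferences `domain->netlogon_pipe->conn` without a check, so its contract should state that the netlogon pipe must already be established.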
@@ -90,78 +80,13 @@ struct composite_context *wb_connect_sam_send(TALLOC_CTX *mem_ctx, static void connect_samr_recv_pipe(struct composite_context *ctx) { - struct connect_samr_state *state = - talloc_get_type(ctx->async.private_data, - struct connect_samr_state); - - state->ctx->status = dcerpc_pipe_open_smb_recv(ctx); - if (!composite_is_ok(state->ctx)) return; - - switch (state->auth_type) { - case DCERPC_AUTH_TYPE_NONE: - ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - &dcerpc_table_samr); - composite_continue(state->ctx, ctx, - connect_samr_recv_anon_bind, state); - break; - case DCERPC_AUTH_TYPE_NTLMSSP: - case DCERPC_AUTH_TYPE_SCHANNEL: - { - uint8_t auth_type; - if (lp_winbind_sealed_pipes()) { - auth_type = DCERPC_AUTH_LEVEL_PRIVACY; - } else { - auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; - } - if (state->creds == NULL) { - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - return; - } - ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - &dcerpc_table_samr, - state->creds, state->auth_type, - auth_type, - NULL); - composite_continue(state->ctx, ctx, - connect_samr_recv_auth_bind, state); - break; - } - default: - composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); - } -} - -static void connect_samr_recv_anon_bind(struct composite_context *ctx) -{ - struct connect_samr_state *state = - talloc_get_type(ctx->async.private_data, - struct connect_samr_state); struct rpc_request *req; - - state->ctx->status = dcerpc_bind_auth_none_recv(ctx); - if (!composite_is_ok(state->ctx)) return; - - state->connect_handle = talloc(state, struct policy_handle); - if (composite_nomem(state->connect_handle, state->ctx)) return; - - state->c.in.system_name = - talloc_asprintf(state, "\\\\%s", - dcerpc_server_name(state->samr_pipe)); - state->c.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; - state->c.out.connect_handle = state->connect_handle; - - req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); - composite_continue_rpc(state->ctx, req, 
connect_samr_recv_conn, state); -} - -static void connect_samr_recv_auth_bind(struct composite_context *ctx) -{ struct connect_samr_state *state = talloc_get_type(ctx->async.private_data, struct connect_samr_state); - struct rpc_request *req; - state->ctx->status = dcerpc_bind_auth_recv(ctx); + state->ctx->status = dcerpc_secondary_connection_recv(ctx, + &state->samr_pipe); if (!composite_is_ok(state->ctx)) return; state->connect_handle = talloc(state, struct policy_handle); @@ -175,6 +100,7 @@ static void connect_samr_recv_auth_bind(struct composite_context *ctx) req = dcerpc_samr_Connect2_send(state->samr_pipe, state, &state->c); composite_continue_rpc(state->ctx, req, connect_samr_recv_conn, state); + return; } static void connect_samr_recv_conn(struct rpc_request *req) @@ -215,7 +141,7 @@ static void connect_samr_recv_open(struct rpc_request *req) composite_done(state->ctx); } -NTSTATUS wb_connect_sam_recv(struct composite_context *c, +NTSTATUS wb_connect_samr_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, struct dcerpc_pipe **samr_pipe, struct policy_handle **connect_handle, @@ -234,18 +160,3 @@ NTSTATUS wb_connect_sam_recv(struct composite_context *c, return status; } -NTSTATUS wb_connect_sam(TALLOC_CTX *mem_ctx, - struct smbcli_tree *tree, - uint8_t auth_type, - struct cli_credentials *creds, - const struct dom_sid *domain_sid, - struct dcerpc_pipe **samr_pipe, - struct policy_handle **connect_handle, - struct policy_handle **domain_handle) -{ - struct composite_context *c = - wb_connect_sam_send(mem_ctx, tree, auth_type, creds, - domain_sid); - return wb_connect_sam_recv(c, mem_ctx, samr_pipe, connect_handle, - domain_handle); -} -- cgit From 0479a2f1cbae51fcd8dbdc3c148c808421fb4d25 Mon Sep 17 00:00:00 2001 
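Review bot: The rewritten connect_samr_recv_pipe no longer consults `lp_winbind_sealed_pipes()`, which the removed branch used to choose DCERPC_AUTH_LEVEL_PRIVACY over DCERPC_AUTH_LEVEL_INTEGRITY, and it no longer fails with NT_STATUS_INTERNAL_ERROR when credentials are missing. It now goes from dcerpc_secondary_connection_recv() straight to samr_Connect2. If signing and sealing are meant to come from the flags in `domain->samr_binding`, say so where the pipe is received, for example `/* sign/seal level is taken from domain->samr_binding, which must honour "winbind sealed pipes" */`, and check the code that builds that binding. Otherwise a site that enabled sealed pipes could end up with a SAMR connection at a weaker level and no error. The tail of the function lies outside this hunk.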
From: Andrew Tridgell Date: Tue, 10 Jul 2007 02:07:03 +0000 Subject: r23792: convert Samba4 to GPLv3 There are still a few tidyups of old FSF addresses to come (in both s3 and s4). More commits soon. (This used to be commit fcf38a38ac691abd0fa51b89dc951a08e89fdafa) --- source4/winbind/wb_connect_sam.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index ab34e96635..3ca4734ae9 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -8,7 +8,7 @@ This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 2 of the License, or + the Free Software Foundation; either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, @@ -17,8 +17,7 @@ GNU General Public License for more details. You should have received a copy of the GNU General Public License - along with this program; if not, write to the Free Software - Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + along with this program. If not, see . */ #include "includes.h" -- cgit From c86e98aa8070137834f0587b613e215db8802f27 Mon Sep 17 00:00:00 2001 
From: Andrew Bartlett Date: Mon, 16 Jul 2007 11:27:29 +0000 Subject: r23890: Allow wbinfo -a to work against Samba4's winbind. Add a test for wbinfo -a to test_member.sh Reimplement the server-side 'pam_auth' and 'pam_auth_crap' calls to use the same SamLogon code as auth_winbind uses. In my previous code, we did not bind to the LSA and SAMR pipes, before attempting operations. We now do this (how we passed any tests before is beyond me). This required some rework, particularly to make it easier to setup secondary connections. The new rpc_secondary_auth_connection() function also performs the bind. The dcerpc_connect.c file was getting to big, so things have been merged into dcerpc_secondary.c. Andrew Bartlett (This used to be commit 365778a993b7d76af6d53ba2a598b7e271741dc5) --- source4/winbind/wb_connect_sam.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 3ca4734ae9..935ba266d3 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -67,8 +67,10 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, /* this will make the secondary connection on the same IPC$ share, secured with SPNEGO, NTLMSSP or SCHANNEL */ - ctx = dcerpc_secondary_connection_send(domain->netlogon_pipe, - domain->samr_binding); + ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe, + domain->samr_binding, + &dcerpc_table_samr, + domain->schannel_creds); composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; 
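Review bot: `domain->schannel_creds` is handed to dcerpc_secondary_auth_connection_send() without a NULL check, whereas the bind code removed earlier in this file's history refused to proceed when `state->creds == NULL`. How the callee treats a NULL credentials pointer is not visible here; if it falls back to an unauthenticated bind, SAMR would be opened with weaker protection than the comment above the call promises. A guard such as `if (domain->schannel_creds == NULL) goto failed;` before the call (the function and its `failed:` label start outside this hunk) keeps the failure explicit. The same applies to the later hunks that switch the argument to `domain->libnet_ctx->cred` and add `domain->libnet_ctx->lp_ctx`, which also dereference `domain->libnet_ctx` unchecked.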
@@ -84,8 +86,8 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct connect_samr_state); - state->ctx->status = dcerpc_secondary_connection_recv(ctx, - &state->samr_pipe); + state->ctx->status = dcerpc_secondary_auth_connection_recv(ctx, state, + &state->samr_pipe); if (!composite_is_ok(state->ctx)) return; state->connect_handle = talloc(state, struct policy_handle); -- cgit From dc25ec5ce736b21cdcccddff12e6c9d9c0706df8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 23 Jul 2007 02:56:51 +0000 Subject: r23995: Work to allow mimir's libnet code to be called from winbind. We now setup a libnet_ctx for each domain. We should then be able to replace/merge some more of the winbind code with libnet calls, referencing domain->libnet_ctx. Andrew Bartlett (This used to be commit bad2dc14d704be59300f619c84694c11620559e0) --- source4/winbind/wb_connect_sam.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 935ba266d3..e9adce9c19 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -70,7 +70,7 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe, domain->samr_binding, &dcerpc_table_samr, - domain->schannel_creds); + domain->libnet_ctx->cred); composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; @@ -145,8 +145,8 @@ static void connect_samr_recv_open(struct rpc_request *req) NTSTATUS wb_connect_samr_recv(struct composite_context *c, TALLOC_CTX *mem_ctx, struct dcerpc_pipe **samr_pipe, - struct policy_handle **connect_handle, - struct policy_handle **domain_handle) + struct policy_handle *connect_handle, + struct policy_handle *domain_handle) { NTSTATUS status = composite_wait(c); if (NT_STATUS_IS_OK(status)) { 
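Review bot: wb_connect_samr_recv now takes `struct policy_handle *connect_handle` and `struct policy_handle *domain_handle` where it previously took pointers to pointers, under the same function name. A caller that still passes the address of a `struct policy_handle *` variable is reported by many C compilers only as an incompatible-pointer warning, and `*connect_handle = *state->connect_handle;` in the following hunk would then write a whole policy_handle over a pointer-sized object. The call sites are not part of this diff, so confirm each one was converted and that the build treats that warning as an error. Because the copies sit inside the `NT_STATUS_IS_OK(status)` branch, the outputs are untouched on failure; a contract comment above the function would make that explicit, e.g. `/* on success fills *connect_handle and *domain_handle by value; on error they are not written */`.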
@@ -154,8 +154,8 @@ NTSTATUS wb_connect_samr_recv(struct composite_context *c, talloc_get_type(c->private_data, struct connect_samr_state); *samr_pipe = talloc_steal(mem_ctx, state->samr_pipe); - *connect_handle = talloc_steal(mem_ctx, state->connect_handle); - *domain_handle = talloc_steal(mem_ctx, state->domain_handle); + *connect_handle = *state->connect_handle; + *domain_handle = *state->domain_handle; } talloc_free(c); return status; -- cgit From f14bd1a90ab47a418c0ec2492990a417a0bb3bf6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sun, 19 Aug 2007 21:23:03 +0000 Subject: r24557: rename 'dcerpc_table_' -> 'ndr_table_' metze (This used to be commit 84651aee81aaabbebf52ffc3fbcbabb2eec6eed5) --- source4/winbind/wb_connect_sam.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e9adce9c19..49861b3c33 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -69,7 +69,7 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, secured with SPNEGO, NTLMSSP or SCHANNEL */ ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe, domain->samr_binding, - &dcerpc_table_samr, + &ndr_table_samr, domain->libnet_ctx->cred); composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; -- cgit From 4c4323009fa83f00ed319de59a3aad48fcd65994 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Fri, 7 Dec 2007 02:37:04 +0100 Subject: r26327: Explicit loadparm_context for RPC client functions. (This used to be commit eeb2251d22b3d6e0379444a73af69d1014692b07) --- source4/winbind/wb_connect_sam.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'source4/winbind/wb_connect_sam.c') diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index 49861b3c33..efd715b164 100644 --- a/source4/winbind/wb_connect_sam.c 
+++ b/source4/winbind/wb_connect_sam.c @@ -70,7 +70,8 @@ struct composite_context *wb_connect_samr_send(TALLOC_CTX *mem_ctx, ctx = dcerpc_secondary_auth_connection_send(domain->netlogon_pipe, domain->samr_binding, &ndr_table_samr, - domain->libnet_ctx->cred); + domain->libnet_ctx->cred, + domain->libnet_ctx->lp_ctx); composite_continue(state->ctx, ctx, connect_samr_recv_pipe, state); return result; -- cgit