binding = bindings[0];
}
+ if (!user_info->account_name) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ if (!user_info->workstation_name) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
credentials = cli_credentials_init(mem_ctx);
+ cli_credentials_set_conf(credentials);
status = cli_credentials_set_machine_account(credentials);
if (!NT_STATUS_IS_OK(status)) {
ninfo.lm.data = user_info->lm_resp.data;
r.in.server_name = talloc_asprintf(mem_ctx, "\\\\%s", dcerpc_server_name(p));
- r.in.workstation = creds->computer_name;
+ r.in.workstation = cli_credentials_get_workstation(credentials);
r.in.credential = &auth;
r.in.return_authenticator = &auth2;
r.in.logon_level = 2;
smbcli_parse_unc(share, NULL, &server, &share);
}
- status = smbcli_full_connection(NULL, &c, lp_netbios_name(), server,
+ status = smbcli_full_connection(NULL, &c, server,
share, NULL, cred);
if (!NT_STATUS_IS_OK(status)) {
d_printf("Connection to \\\\%s\\%s failed - %s\n",
DATA_BLOB secblob;
const char *os;
const char *lanman;
- const char *domain;
+ const char *workgroup;
} in;
struct {
uint16_t action;
DATA_BLOB secblob;
char *os;
char *lanman;
- char *domain;
+ char *workgroup;
uint16_t vuid;
} out;
} spnego;
#################################
# Start SUBSYSTEM GENSEC
[SUBSYSTEM::LIBCLI_AUTH]
-ADD_OBJ_FILES = libcli/auth/schannel_sign.o \
- libcli/auth/credentials.o \
+ADD_OBJ_FILES = libcli/auth/credentials.o \
libcli/auth/session.o \
libcli/auth/smbencrypt.o
REQUIRED_SUBSYSTEMS = \
void creds_client_init(struct creds_CredentialState *creds,
const struct netr_Credential *client_challenge,
const struct netr_Credential *server_challenge,
- const char *computer_name,
- const char *domain,
- const char *account_name,
const struct samr_Password *machine_password,
struct netr_Credential *initial_credential,
uint32_t negotiate_flags)
{
creds->sequence = time(NULL);
creds->negotiate_flags = negotiate_flags;
- creds->computer_name = talloc_strdup(creds, computer_name);
- creds->domain = talloc_strdup(creds, domain);
- creds->account_name = talloc_strdup(creds, account_name);
dump_data_pw("Client chall", client_challenge->data, sizeof(client_challenge->data));
dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data));
Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
(*gensec_security)->ops = NULL;
- ZERO_STRUCT((*gensec_security)->user);
ZERO_STRUCT((*gensec_security)->target);
- ZERO_STRUCT((*gensec_security)->default_user);
-
- (*gensec_security)->default_user.name = "";
- (*gensec_security)->default_user.domain = talloc_strdup(*gensec_security, lp_workgroup());
- (*gensec_security)->default_user.realm = talloc_strdup(*gensec_security, lp_realm());
(*gensec_security)->subcontext = False;
(*gensec_security)->want_features = 0;
(*gensec_security)->gensec_role = GENSEC_CLIENT;
(*gensec_security)->password_callback = NULL;
- ZERO_STRUCT((*gensec_security)->user);
-
return status;
}
}
/**
- * Set a username on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-NTSTATUS gensec_set_username(struct gensec_security *gensec_security, const char *user)
-{
- gensec_security->user.name = talloc_strdup(gensec_security, user);
- if (user && !gensec_security->user.name) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-/**
- * Set a username on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-const char *gensec_get_username(struct gensec_security *gensec_security)
-{
- if (gensec_security->user.name) {
- return gensec_security->user.name;
- }
- return gensec_security->default_user.name;
-}
-
-/**
- * Set a domain on a GENSEC context - ensures it is talloc()ed
+ * Associate a credentails structure with a GENSEC context - talloc_reference()s it to the context
*
*/
-NTSTATUS gensec_set_domain(struct gensec_security *gensec_security, const char *domain)
+NTSTATUS gensec_set_credentials(struct gensec_security *gensec_security, struct cli_credentials *credentials)
{
- gensec_security->user.domain = talloc_strdup(gensec_security, domain);
- if (domain && !gensec_security->user.domain) {
- return NT_STATUS_NO_MEMORY;
- }
+ gensec_security->credentials = talloc_reference(gensec_security, credentials);
return NT_STATUS_OK;
}
/**
- * Return the NT domain for this GENSEC context
+ * Return the credentails structure associated with a GENSEC context
*
*/
-const char *gensec_get_domain(struct gensec_security *gensec_security)
+struct cli_credentials *gensec_get_credentials(struct gensec_security *gensec_security)
{
- if (gensec_security->user.domain) {
- return gensec_security->user.domain;
- } else if (gensec_security->user.realm) {
- return gensec_security->user.realm;
- }
- return gensec_security->default_user.domain;
-}
-
-/**
- * Set the client workstation on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-NTSTATUS gensec_set_workstation(struct gensec_security *gensec_security, const char *workstation)
-{
- gensec_security->user.workstation = talloc_strdup(gensec_security, workstation);
- if (workstation && !gensec_security->user.workstation) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-/**
- * Return the client workstation on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-const char *gensec_get_workstation(struct gensec_security *gensec_security)
-{
- if (gensec_security->user.workstation) {
- return gensec_security->user.workstation;
- } else {
- return lp_netbios_name();
- }
-}
-
-/**
- * Set a kerberos realm on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-NTSTATUS gensec_set_realm(struct gensec_security *gensec_security, const char *realm)
-{
- gensec_security->user.realm = talloc_strdup(gensec_security, realm);
- if (realm && !gensec_security->user.realm) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-/**
- * Return the Krb5 realm for this context
- *
- */
-
-const char *gensec_get_realm(struct gensec_security *gensec_security)
-{
- if (gensec_security->user.realm) {
- return gensec_security->user.realm;
- } else if (gensec_security->user.domain) {
- return gensec_security->user.domain;
- }
- return gensec_security->default_user.realm;
-}
-
-/**
- * Return a kerberos principal for this context, if one has been set
- *
- */
-
-char *gensec_get_client_principal(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx)
-{
- const char *realm = gensec_get_realm(gensec_security);
- if (realm) {
- return talloc_asprintf(mem_ctx, "%s@%s",
- gensec_get_username(gensec_security),
- gensec_get_realm(gensec_security));
- } else {
- return talloc_strdup(mem_ctx, gensec_get_username(gensec_security));
- }
-}
-
-/**
- * Set the password outright on GENSEC context - ensures it is talloc()ed, and that we will
- * not do a callback
- *
- */
-
-NTSTATUS gensec_set_password(struct gensec_security *gensec_security,
- const char *password)
-{
- gensec_security->user.password = talloc_strdup(gensec_security, password);
- if (password && !gensec_security->user.password) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-/**
- * Set the target principal name (if already known) on a GENSEC context - ensures it is talloc()ed
- *
- */
-
-NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
-{
- gensec_security->target.principal = talloc_strdup(gensec_security, principal);
- if (!gensec_security->target.principal) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
+ return gensec_security->credentials;
}
/**
return "host";
}
-const char *gensec_get_target_principal(struct gensec_security *gensec_security)
-{
- const char *mechListMIC;
-
- if (gensec_security->target.principal) {
- return gensec_security->target.principal;
- }
-
- mechListMIC = talloc_asprintf(gensec_security,"%s$@%s",
- lp_netbios_name(),
- lp_realm());
- return mechListMIC;
-}
-
-/**
- * Set a password callback, if the gensec module we use demands a password
- */
-
-void gensec_set_password_callback(struct gensec_security *gensec_security,
- gensec_password_callback callback, void *callback_private_data)
-{
- gensec_security->password_callback = callback;
- gensec_security->password_callback_private = callback_private_data;
-}
-
-/**
- * Get (or call back for) a password.
- */
-
-NTSTATUS gensec_get_password(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- char **password)
-{
- if (gensec_security->user.password) {
- *password = talloc_strdup(mem_ctx, gensec_security->user.password);
- if (!*password) {
- return NT_STATUS_NO_MEMORY;
- } else {
- return NT_STATUS_OK;
- }
- }
- if (!gensec_security->password_callback) {
- *password = NULL;
- return NT_STATUS_OK;
- }
- return gensec_security->password_callback(gensec_security, mem_ctx, password);
-}
-
/*
register a GENSEC backend.
*/
NTSTATUS gensec_init(void)
{
- gensec_dcerpc_schannel_init();
return NT_STATUS_OK;
}
Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#define GENSEC_OID_KERBEROS5_USER2USER "1 2 840 113554 1 2 2 3"
struct gensec_security;
-struct gensec_user {
- const char *workstation;
- const char *domain;
- const char *realm;
- const char *name;
- const char *password;
-};
struct gensec_target {
const char *principal;
const char *hostname;
void *password_callback_private;
const struct gensec_security_ops *ops;
void *private_data;
- struct gensec_user user;
- struct gensec_user default_user;
+ struct cli_credentials *credentials;
struct gensec_target target;
enum gensec_role gensec_role;
BOOL subcontext;
# End MODULE gensec_ntlmssp
################################################
+################################################
+# Start MODULE gensec_schannel
+[MODULE::gensec_schannel]
+SUBSYSTEM = GENSEC
+INIT_FUNCTION = gensec_schannel_init
+INIT_OBJ_FILES = libcli/auth/schannel.o
+ADD_OBJ_FILES = \
+ libcli/auth/schannel_sign.o
+REQUIRED_SUBSYSTEMS = AUTH SCHANNELDB
+# End MODULE gensec_ntlmssp
+################################################
+
################################################
# Start SUBSYSTEM SCHANNELDB
[SUBSYSTEM::SCHANNELDB]
struct gensec_krb5_state *gensec_krb5_state;
krb5_error_code ret;
NTSTATUS nt_status;
-
+ const char *hostname = gensec_get_target_hostname(gensec_security);
+ if (!hostname) {
+ DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
nt_status = gensec_krb5_start(gensec_security);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
while (1) {
- if (gensec_security->target.principal) {
- DEBUG(5, ("Finding ticket for target [%s]\n", gensec_security->target.principal));
- ret = ads_krb5_mk_req(gensec_krb5_state->context,
- &gensec_krb5_state->auth_context,
- AP_OPTS_USE_SUBKEY | AP_OPTS_MUTUAL_REQUIRED,
- gensec_security->target.principal,
- gensec_krb5_state->ccache,
- &gensec_krb5_state->ticket);
- } else {
+ {
krb5_data in_data;
- const char *hostname = gensec_get_target_hostname(gensec_security);
- if (!hostname) {
- DEBUG(1, ("Could not determine hostname for target computer, cannot use kerberos\n"));
- return NT_STATUS_ACCESS_DENIED;
- }
-
in_data.length = 0;
ret = krb5_mk_req(gensec_krb5_state->context,
case 0:
return NT_STATUS_OK;
case KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN:
- DEBUG(3, ("Server is not registered with our KDC: %s\n",
- error_message(ret)));
+ DEBUG(3, ("Server [%s] is not registered with our KDC: %s\n",
+ hostname, error_message(ret)));
return NT_STATUS_ACCESS_DENIED;
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5KRB_AP_ERR_TKT_EXPIRED:
case KRB5_CC_END:
+ /* Too much clock skew - we will need to kinit to re-skew the clock */
+ case KRB5KRB_AP_ERR_SKEW:
+ case KRB5_KDCREP_SKEW:
{
DEBUG(3, ("kerberos (mk_req) failed: %s\n",
error_message(ret)));
/* fall down to remaining code */
}
+
+
/* just don't print a message for these really ordinary messages */
case KRB5_FCC_NOFILE:
case KRB5_CC_NOTFOUND:
case ENOENT:
+
{
- char *password;
+ const char *password;
char *ccache_string;
time_t kdc_time = 0;
- nt_status = gensec_get_password(gensec_security,
- gensec_security,
- &password);
+ password = cli_credentials_get_password(gensec_security->credentials);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
/* this string should be unique */
ccache_string = talloc_asprintf(gensec_krb5_state, "MEMORY:%s:%s:%s",
- gensec_get_client_principal(gensec_security, gensec_krb5_state),
- gensec_get_target_principal(gensec_security),
+ cli_credentials_get_principal(gensec_security->credentials, gensec_krb5_state),
+ gensec_get_target_hostname(gensec_security),
generate_random_str(gensec_krb5_state, 16));
ret = krb5_cc_resolve(gensec_krb5_state->context, ccache_string, &gensec_krb5_state->ccache);
}
ret = kerberos_kinit_password_cc(gensec_krb5_state->context, gensec_krb5_state->ccache,
- gensec_get_client_principal(gensec_security, gensec_krb5_state),
- password, NULL, &kdc_time);
+ cli_credentials_get_principal(gensec_security->credentials, gensec_krb5_state),
+ password, NULL, &kdc_time);
/* cope with ticket being in the future due to clock skew */
if ((unsigned)kdc_time > time(NULL)) {
int time_offset =(unsigned)kdc_time-t;
DEBUG(4,("Advancing clock by %d seconds to cope with clock skew\n", time_offset));
krb5_set_real_time(gensec_krb5_state->context, t + time_offset + 1, 0);
+ break;
}
+ if (ret == KRB5KRB_AP_ERR_SKEW || ret == KRB5_KDCREP_SKEW) {
+ DEBUG(1,("kinit for %s failed (%s)\n",
+ cli_credentials_get_principal(gensec_security->credentials, gensec_krb5_state),
+ error_message(ret)));
+ return NT_STATUS_TIME_DIFFERENCE_AT_DC;
+ }
if (ret) {
- DEBUG(1,("kinit failed (%s)\n",
+ DEBUG(1,("kinit for %s failed (%s)\n",
+ cli_credentials_get_principal(gensec_security->credentials, gensec_krb5_state),
error_message(ret)));
return NT_STATUS_WRONG_PASSWORD;
}
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = auth_check_password(gensec_ntlmssp_state->auth_context, gensec_ntlmssp_state,
- user_info, &gensec_ntlmssp_state->server_info);
+ user_info, &gensec_ntlmssp_state->server_info);
talloc_free(user_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
static NTSTATUS gensec_ntlmssp_client_start(struct gensec_security *gensec_security)
{
struct gensec_ntlmssp_state *gensec_ntlmssp_state;
- char *password = NULL;
+ const char *password = NULL;
NTSTATUS nt_status;
nt_status = gensec_ntlmssp_start(gensec_security);
}
nt_status = ntlmssp_set_domain(gensec_ntlmssp_state->ntlmssp_state,
- gensec_security->user.domain);
+ cli_credentials_get_domain(gensec_security->credentials));
NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = ntlmssp_set_username(gensec_ntlmssp_state->ntlmssp_state,
- gensec_security->user.name);
+ cli_credentials_get_username(gensec_security->credentials));
NT_STATUS_NOT_OK_RETURN(nt_status);
- if (gensec_security->user.name) {
- nt_status = gensec_get_password(gensec_security, gensec_ntlmssp_state, &password);
- NT_STATUS_NOT_OK_RETURN(nt_status);
- }
+ password = cli_credentials_get_password(gensec_security->credentials);
- if (password) {
- nt_status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, password);
- NT_STATUS_NOT_OK_RETURN(nt_status);
- }
+ nt_status = ntlmssp_set_password(gensec_ntlmssp_state->ntlmssp_state, password);
+ NT_STATUS_NOT_OK_RETURN(nt_status);
nt_status = ntlmssp_set_workstation(gensec_ntlmssp_state->ntlmssp_state,
- gensec_get_workstation(gensec_security));
+ cli_credentials_get_workstation(gensec_security->credentials));
gensec_security->private_data = gensec_ntlmssp_state;
void kerberos_set_creds_enctype(krb5_creds *pcreds, int enctype);
BOOL kerberos_compatible_enctypes(krb5_context context, krb5_enctype enctype1, krb5_enctype enctype2);
void kerberos_free_data_contents(krb5_context context, krb5_data *pdata);
+krb5_error_code smb_krb5_kt_free_entry(krb5_context context, krb5_keytab_entry *kt_entry);
#endif /* HAVE_KRB5 */
* Version 3.0
* NTLMSSP Signing routines
* Copyright (C) Luke Kenneth Casson Leighton 1996-2001
- * Copyright (C) Andrew Bartlett 2003
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2003-2004
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
--- /dev/null
+/*
+ Unix SMB/CIFS implementation.
+
+ dcerpc schannel operations
+
+ Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+#include "librpc/gen_ndr/ndr_schannel.h"
+#include "auth/auth.h"
+#include "libcli/auth/schannel.h"
+
+static size_t schannel_sig_size(struct gensec_security *gensec_security)
+{
+ return 32;
+}
+
+static NTSTATUS schannel_session_key(struct gensec_security *gensec_security,
+ DATA_BLOB *session_key)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
+static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB in, DATA_BLOB *out)
+{
+ struct schannel_state *state = gensec_security->private_data;
+ NTSTATUS status;
+ struct schannel_bind bind_schannel;
+ struct schannel_bind_ack bind_schannel_ack;
+ struct creds_CredentialState *creds;
+
+ const char *workstation;
+ const char *domain;
+ *out = data_blob(NULL, 0);
+
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+ if (state->state != SCHANNEL_STATE_START) {
+ /* we could parse the bind ack, but we don't know what it is yet */
+ return NT_STATUS_OK;
+ }
+
+ state->creds = talloc_reference(state, cli_credentials_get_netlogon_creds(gensec_security->credentials));
+
+ bind_schannel.unknown1 = 0;
+#if 0
+ /* to support this we'd need to have access to the full domain name */
+ bind_schannel.bind_type = 23;
+ bind_schannel.u.info23.domain = cli_credentials_get_domain(gensec_security->credentials);
+ bind_schannel.u.info23.account_name = cli_credentials_get_username(gensec_security->credentials);
+ bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(out_mem_ctx, fulldomainname);
+ bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, cli_credentials_get_workstation(gensec_security->credentials));
+#else
+ bind_schannel.bind_type = 3;
+ bind_schannel.u.info3.domain = cli_credentials_get_domain(gensec_security->credentials);
+ bind_schannel.u.info3.workstation = cli_credentials_get_workstation(gensec_security->credentials);
+#endif
+
+ status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
+ (ndr_push_flags_fn_t)ndr_push_schannel_bind);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not create schannel bind: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ state->state = SCHANNEL_STATE_UPDATE_1;
+
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+ case GENSEC_SERVER:
+
+ if (state->state != SCHANNEL_STATE_START) {
+ /* no third leg on this protocol */
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* parse the schannel startup blob */
+ status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
+ (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (bind_schannel.bind_type == 23) {
+ workstation = bind_schannel.u.info23.workstation;
+ domain = bind_schannel.u.info23.domain;
+ } else {
+ workstation = bind_schannel.u.info3.workstation;
+ domain = bind_schannel.u.info3.domain;
+ }
+
+ /* pull the session key for this client */
+ status = schannel_fetch_session_key(out_mem_ctx, workstation,
+ domain, &creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
+ workstation, nt_errstr(status)));
+ return status;
+ }
+
+ state->creds = talloc_reference(state, creds);
+
+ bind_schannel_ack.unknown1 = 1;
+ bind_schannel_ack.unknown2 = 0;
+ bind_schannel_ack.unknown3 = 0x6c0000;
+
+ status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
+ (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
+ workstation, nt_errstr(status)));
+ return status;
+ }
+
+ state->state = SCHANNEL_STATE_UPDATE_1;
+
+ return NT_STATUS_OK;
+ }
+ return NT_STATUS_INVALID_PARAMETER;
+}
+
+/**
+ * Return the struct creds_CredentialState.
+ *
+ * Make sure not to call this unless gensec is using schannel...
+ */
+
+NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+ struct creds_CredentialState **creds)
+{
+ struct schannel_state *state = gensec_security->private_data;
+
+ *creds = talloc_reference(mem_ctx, state->creds);
+ if (!*creds) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+}
+
+
+/**
+ * Return the credentials of a logged on user, including session keys
+ * etc.
+ *
+ * Only valid after a successful authentication
+ *
+ * May only be called once per authentication.
+ *
+ */
+
+static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
+ struct auth_session_info **session_info)
+{
+ (*session_info) = talloc(gensec_security, struct auth_session_info);
+ NT_STATUS_HAVE_NO_MEMORY(*session_info);
+
+ ZERO_STRUCTP(*session_info);
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS schannel_start(struct gensec_security *gensec_security)
+{
+ struct schannel_state *state;
+
+ state = talloc(gensec_security, struct schannel_state);
+ if (!state) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->state = SCHANNEL_STATE_START;
+ state->seq_num = 0;
+ gensec_security->private_data = state;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
+{
+ NTSTATUS status;
+ struct schannel_state *state;
+
+ status = schannel_start(gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ state = gensec_security->private_data;
+ state->initiator = False;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
+{
+ NTSTATUS status;
+ struct schannel_state *state;
+
+ status = schannel_start(gensec_security);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ state = gensec_security->private_data;
+ state->initiator = True;
+
+ return NT_STATUS_OK;
+}
+
+
+static BOOL schannel_have_feature(struct gensec_security *gensec_security,
+ uint32_t feature)
+{
+ if (feature & (GENSEC_FEATURE_SIGN |
+ GENSEC_FEATURE_SEAL)) {
+ return True;
+ }
+ return False;
+}
+
+
+static const struct gensec_security_ops gensec_schannel_security_ops = {
+ .name = "schannel",
+ .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
+ .client_start = schannel_client_start,
+ .server_start = schannel_server_start,
+ .update = schannel_update,
+ .seal_packet = schannel_seal_packet,
+ .sign_packet = schannel_sign_packet,
+ .check_packet = schannel_check_packet,
+ .unseal_packet = schannel_unseal_packet,
+ .session_key = schannel_session_key,
+ .session_info = schannel_session_info,
+ .sig_size = schannel_sig_size,
+ .have_feature = schannel_have_feature,
+ .enabled = True
+};
+
+NTSTATUS gensec_schannel_init(void)
+{
+ NTSTATUS ret;
+ ret = gensec_register(&gensec_schannel_security_ops);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(0,("Failed to register '%s' gensec backend!\n",
+ gensec_schannel_security_ops.name));
+ return ret;
+ }
+
+ return ret;
+}
schannel library code
Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
#include "includes.h"
#include "lib/crypto/crypto.h"
-
-struct schannel_state {
- uint8_t session_key[16];
- uint32_t seq_num;
- BOOL initiator;
-};
+#include "libcli/auth/schannel.h"
+#include "libcli/auth/gensec.h"
+#include "libcli/auth/credentials.h"
#define NETSEC_SIGN_SIGNATURE { 0x77, 0x00, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00 }
#define NETSEC_SEAL_SIGNATURE { 0x77, 0x00, 0x7a, 0x00, 0xff, 0xff, 0x00, 0x00 }
uint8_t sequence_key[16];
uint8_t digest1[16];
- hmac_md5(state->session_key, zeros, sizeof(zeros), digest1);
+ hmac_md5(state->creds->session_key, zeros, sizeof(zeros), digest1);
hmac_md5(digest1, packet_digest, 8, sequence_key);
arcfour_crypt(seq_num, sequence_key, 8);
/*
unseal a packet
*/
-NTSTATUS schannel_unseal_packet(struct schannel_state *state,
+NTSTATUS schannel_unseal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
uint8_t *data, size_t length,
+ const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ struct schannel_state *state = gensec_security->private_data;
+
uint8_t digest_final[16];
uint8_t confounder[8];
uint8_t seq_num[8];
RSIVAL(seq_num, 0, state->seq_num);
SIVAL(seq_num, 4, state->initiator?0:0x80);
- netsec_get_sealing_key(state->session_key, seq_num, sealing_key);
+ netsec_get_sealing_key(state->creds->session_key, seq_num, sealing_key);
arcfour_crypt(confounder, sealing_key, 8);
arcfour_crypt(data, sealing_key, length);
- schannel_digest(state->session_key,
+ schannel_digest(state->creds->session_key,
netsec_sig, confounder,
data, length, digest_final);
/*
check the signature on a packet
*/
-NTSTATUS schannel_check_packet(struct schannel_state *state,
+NTSTATUS schannel_check_packet(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
const uint8_t *data, size_t length,
+ const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig)
{
+ struct schannel_state *state = gensec_security->private_data;
+
uint8_t digest_final[16];
uint8_t seq_num[8];
static const uint8_t netsec_sig[8] = NETSEC_SIGN_SIGNATURE;
SIVAL(seq_num, 4, state->initiator?0:0x80);
dump_data_pw("seq_num:\n", seq_num, 8);
- dump_data_pw("sess_key:\n", state->session_key, 16);
+ dump_data_pw("sess_key:\n", state->creds->session_key, 16);
- schannel_digest(state->session_key,
+ schannel_digest(state->creds->session_key,
netsec_sig, NULL,
data, length, digest_final);
/*
seal a packet
*/
-NTSTATUS schannel_seal_packet(struct schannel_state *state,
+NTSTATUS schannel_seal_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
uint8_t *data, size_t length,
+ const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ struct schannel_state *state = gensec_security->private_data;
+
uint8_t digest_final[16];
uint8_t confounder[8];
uint8_t seq_num[8];
RSIVAL(seq_num, 0, state->seq_num);
SIVAL(seq_num, 4, state->initiator?0x80:0);
- schannel_digest(state->session_key,
+ schannel_digest(state->creds->session_key,
netsec_sig, confounder,
data, length, digest_final);
- netsec_get_sealing_key(state->session_key, seq_num, sealing_key);
+ netsec_get_sealing_key(state->creds->session_key, seq_num, sealing_key);
arcfour_crypt(confounder, sealing_key, 8);
arcfour_crypt(data, sealing_key, length);
/*
sign a packet
*/
-NTSTATUS schannel_sign_packet(struct schannel_state *state,
+NTSTATUS schannel_sign_packet(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
const uint8_t *data, size_t length,
+ const uint8_t *whole_pdu, size_t pdu_length,
DATA_BLOB *sig)
{
+ struct schannel_state *state = gensec_security->private_data;
+
uint8_t digest_final[16];
uint8_t seq_num[8];
static const uint8_t netsec_sig[8] = NETSEC_SIGN_SIGNATURE;
RSIVAL(seq_num, 0, state->seq_num);
SIVAL(seq_num, 4, state->initiator?0x80:0);
- schannel_digest(state->session_key,
+ schannel_digest(state->creds->session_key,
netsec_sig, NULL,
data, length, digest_final);
return NT_STATUS_OK;
}
-
-/*
- create an schannel context state
-*/
-NTSTATUS schannel_start(TALLOC_CTX *mem_ctx,
- struct schannel_state **state,
- const uint8_t session_key[16],
- BOOL initiator)
-{
- (*state) = talloc(mem_ctx, struct schannel_state);
- if (!(*state)) {
- return NT_STATUS_NO_MEMORY;
- }
-
- memcpy((*state)->session_key, session_key, 16);
- (*state)->initiator = initiator;
- (*state)->seq_num = 0;
-
- return NT_STATUS_OK;
-}
spnego_out.negTokenInit.mechTypes = mechlist;
spnego_out.negTokenInit.reqFlags = 0;
spnego_out.negTokenInit.mechListMIC
- = data_blob_string_const(gensec_get_target_principal(gensec_security));
+ = data_blob_string_const(talloc_asprintf(out_mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()));
spnego_out.negTokenInit.mechToken = unwrapped_out;
if (spnego_write_data(out_mem_ctx, out, &spnego_out) == -1) {
}
if (spnego.negTokenInit.targetPrincipal) {
- DEBUG(5, ("Server claims it's principal name is %s\n", spnego.negTokenInit.targetPrincipal));
- nt_status = gensec_set_target_principal(gensec_security,
- spnego.negTokenInit.targetPrincipal);
- if (!NT_STATUS_IS_OK(nt_status)) {
- spnego_free_data(&spnego);
- return nt_status;
- }
+ DEBUG(5, ("Server claims it's principal name is %s (ignored)\n", spnego.negTokenInit.targetPrincipal));
}
nt_status = gensec_spnego_client_parse_negTokenInit(gensec_security,
/* wrapper around smb_raw_session_setup() */
NTSTATUS smbcli_session_setup(struct smbcli_state *cli,
- struct cli_credentials *credentials)
+ struct cli_credentials *credentials)
{
struct smb_composite_sesssetup setup;
NTSTATUS status;
setup.in.sesskey = cli->transport->negotiate.sesskey;
setup.in.capabilities = cli->transport->negotiate.capabilities;
- if (cli_credentials_is_anonymous(credentials)) {
- if (cli->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_USER_LEVEL) {
- setup.in.password = cli_credentials_get_password(credentials);
- } else {
- setup.in.password = NULL;
- }
- setup.in.user = cli_credentials_get_username(credentials);
- setup.in.domain = cli_credentials_get_domain(credentials);
- }
+ setup.in.credentials = credentials;
+ setup.in.workgroup = lp_workgroup();
status = smb_composite_sesssetup(cli->session, &setup);
*/
NTSTATUS smbcli_full_connection(TALLOC_CTX *parent_ctx,
struct smbcli_state **ret_cli,
- const char *myname,
const char *host,
const char *sharename,
const char *devtype,
*ret_cli = NULL;
status = smbcli_tree_full_connection(parent_ctx,
- &tree, myname, host, 0, sharename, devtype,
+ &tree, host, 0, sharename, devtype,
credentials);
if (!NT_STATUS_IS_OK(status)) {
goto done;
const char *dest_host;
int port;
const char *called_name;
- const char *calling_name;
const char *service;
const char *service_type;
- const char *user;
- const char *domain;
- const char *password;
+ struct cli_credentials *credentials;
+ const char *workgroup;
const char *filename;
} in;
struct {
const char *dest_host;
int port;
const char *called_name;
- const char *calling_name;
const char *service;
const char *service_type;
- const char *user;
- const char *domain;
- const char *password;
+ struct cli_credentials *credentials;
+ const char *workgroup;
} in;
struct {
struct smbcli_tree *tree;
struct {
uint32_t sesskey;
uint32_t capabilities;
- const char *password;
- const char *user;
- const char *domain;
+ struct cli_credentials *credentials;
+ const char *workgroup;
} in;
struct {
uint16_t vuid;
/* prepare a session setup to establish a security context */
state->io_setup->in.sesskey = state->transport->negotiate.sesskey;
state->io_setup->in.capabilities = state->transport->negotiate.capabilities;
- state->io_setup->in.domain = io->in.domain;
- state->io_setup->in.user = io->in.user;
- state->io_setup->in.password = io->in.password;
+ state->io_setup->in.credentials = io->in.credentials;
+ state->io_setup->in.workgroup = io->in.workgroup;
state->creq = smb_composite_sesssetup_send(state->session, state->io_setup);
NT_STATUS_HAVE_NO_MEMORY(state->creq);
state->transport = smbcli_transport_init(state->sock, state, True);
NT_STATUS_HAVE_NO_MEMORY(state->transport);
- calling.name = io->in.calling_name;
+ calling.name = cli_credentials_get_workstation(io->in.credentials);
calling.type = NBT_NAME_CLIENT;
calling.scope = NULL;
status = resolve_name_recv(state->creq, state, &address);
NT_STATUS_NOT_OK_RETURN(status);
- state->creq = smbcli_sock_connect_send(state->sock, address, state->io->in.port);
+ state->creq = smbcli_sock_connect_send(state->sock, address, state->io->in.port, io->in.dest_host);
NT_STATUS_HAVE_NO_MEMORY(state->creq);
state->stage = CONNECT_SOCKET;
state->connect->in.dest_host = io->in.dest_host;
state->connect->in.port = io->in.port;
state->connect->in.called_name = io->in.called_name;
- state->connect->in.calling_name = io->in.calling_name;
state->connect->in.service = io->in.service;
state->connect->in.service_type = io->in.service_type;
- state->connect->in.user = io->in.user;
- state->connect->in.domain = io->in.domain;
- state->connect->in.password = io->in.password;
+ state->connect->in.credentials = io->in.credentials;
+ state->connect->in.workgroup = io->in.workgroup;
state->req = smb_composite_connect_send(state->connect, event_ctx);
if (state->req == NULL) goto failed;
}
/* enforce the local signing required flag */
- if (NT_STATUS_IS_OK(c->status) && state->io->in.user && state->io->in.user[0]) {
+ if (NT_STATUS_IS_OK(c->status) && !cli_credentials_is_anonymous(state->io->in.credentials)) {
if (!session->transport->negotiate.sign_info.doing_signing
&& session->transport->negotiate.sign_info.mandatory_signing) {
DEBUG(0, ("SMB signing required, but server does not support it\n"));
struct smb_composite_sesssetup *io)
{
struct sesssetup_state *state = talloc_get_type(c->private, struct sesssetup_state);
+ const char *password = cli_credentials_get_password(io->in.credentials);
state->setup.nt1.level = RAW_SESSSETUP_NT1;
state->setup.nt1.in.bufsize = session->transport->options.max_xmit;
state->setup.nt1.in.vc_num = 1;
state->setup.nt1.in.sesskey = io->in.sesskey;
state->setup.nt1.in.capabilities = io->in.capabilities;
- state->setup.nt1.in.domain = io->in.domain;
- state->setup.nt1.in.user = io->in.user;
state->setup.nt1.in.os = "Unix";
state->setup.nt1.in.lanman = "Samba";
- if (!io->in.password) {
+ state->setup.old.in.domain = cli_credentials_get_domain(io->in.credentials);
+ state->setup.old.in.user = cli_credentials_get_username(io->in.credentials);
+ if (!password) {
state->setup.nt1.in.password1 = data_blob(NULL, 0);
state->setup.nt1.in.password2 = data_blob(NULL, 0);
} else if (session->transport->negotiate.sec_mode &
NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
- state->setup.nt1.in.password1 = lanman_blob(state, io->in.password,
+ state->setup.nt1.in.password1 = lanman_blob(state, password,
session->transport->negotiate.secblob);
- state->setup.nt1.in.password2 = nt_blob(state, io->in.password,
+ state->setup.nt1.in.password2 = nt_blob(state, password,
session->transport->negotiate.secblob);
- use_nt1_session_keys(session, io->in.password, &state->setup.nt1.in.password2);
+ use_nt1_session_keys(session, password, &state->setup.nt1.in.password2);
} else {
- state->setup.nt1.in.password1 = data_blob_talloc(state, io->in.password, strlen(io->in.password));
+ state->setup.nt1.in.password1 = data_blob_talloc(state, password, strlen(password));
state->setup.nt1.in.password2 = data_blob(NULL, 0);
}
struct smb_composite_sesssetup *io)
{
struct sesssetup_state *state = talloc_get_type(c->private, struct sesssetup_state);
+ const char *password = cli_credentials_get_password(io->in.credentials);
state->setup.old.level = RAW_SESSSETUP_OLD;
state->setup.old.in.bufsize = session->transport->options.max_xmit;
state->setup.old.in.mpx_max = session->transport->options.max_mux;
state->setup.old.in.vc_num = 1;
state->setup.old.in.sesskey = io->in.sesskey;
- state->setup.old.in.domain = io->in.domain;
- state->setup.old.in.user = io->in.user;
+ state->setup.old.in.domain = cli_credentials_get_domain(io->in.credentials);
+ state->setup.old.in.user = cli_credentials_get_username(io->in.credentials);
state->setup.old.in.os = "Unix";
state->setup.old.in.lanman = "Samba";
- if (!io->in.password) {
+ if (!password) {
state->setup.old.in.password = data_blob(NULL, 0);
} else if (session->transport->negotiate.sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) {
- state->setup.old.in.password = lanman_blob(state, io->in.password,
+ state->setup.old.in.password = lanman_blob(state, password,
session->transport->negotiate.secblob);
} else {
state->setup.old.in.password = data_blob_talloc(state,
- io->in.password,
- strlen(io->in.password));
+ password,
+ strlen(password));
}
return smb_raw_session_setup_send(session, &state->setup);
state->setup.spnego.in.vc_num = 1;
state->setup.spnego.in.sesskey = io->in.sesskey;
state->setup.spnego.in.capabilities = io->in.capabilities;
- state->setup.spnego.in.domain = io->in.domain;
state->setup.spnego.in.os = "Unix";
state->setup.spnego.in.lanman = "Samba";
+ state->setup.spnego.in.workgroup = io->in.workgroup;
+
state->setup.spnego.out.vuid = session->vuid;
smbcli_temp_set_signing(session->transport);
gensec_want_feature(session->gensec, GENSEC_FEATURE_SESSION_KEY);
- status = gensec_set_domain(session->gensec, io->in.domain);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
- io->in.domain, nt_errstr(status)));
- return NULL;
- }
-
- status = gensec_set_username(session->gensec, io->in.user);
+ status = gensec_set_credentials(session->gensec, io->in.credentials);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
- io->in.user, nt_errstr(status)));
+ DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
+ nt_errstr(status)));
return NULL;
}
- status = gensec_set_password(session->gensec, io->in.password);
+ status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
+ DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
nt_errstr(status)));
return NULL;
}
- status = gensec_set_target_hostname(session->gensec, session->transport->socket->hostname);
+ status = gensec_set_target_service(session->gensec, "cifs");
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC target hostname: %s\n",
+ DEBUG(1, ("Failed to start set GENSEC target service: %s\n",
nt_errstr(status)));
return NULL;
}
struct ldap_message *ldap_transaction(struct ldap_connection *conn,
struct ldap_message *request);
int ldap_bind_simple(struct ldap_connection *conn, const char *userdn, const char *password);
-int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password);
+int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds);
struct ldap_connection *ldap_setup_connection(TALLOC_CTX *mem_ctx, const char *url,
const char *userdn, const char *password);
struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, const char *url,
- const char *username, const char *domain, const char *password);
+ struct cli_credentials *creds);
BOOL ldap_abandon_message(struct ldap_connection *conn, int msgid,
const struct timeval *endtime);
BOOL ldap_setsearchent(struct ldap_connection *conn, struct ldap_message *msg,
return result;
}
-int ldap_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password)
+int ldap_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
{
NTSTATUS status;
TALLOC_CTX *mem_ctx = NULL;
gensec_want_feature(conn->gensec, GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL);
- status = gensec_set_domain(conn->gensec, domain);
+ status = gensec_set_credentials(conn->gensec, creds);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
- domain, nt_errstr(status)));
- goto done;
- }
-
- status = gensec_set_username(conn->gensec, username);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
- username, nt_errstr(status)));
- goto done;
- }
-
- status = gensec_set_password(conn->gensec, password);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
+ DEBUG(1, ("Failed to start set GENSEC creds: %s\n",
nt_errstr(status)));
goto done;
}
return conn;
}
-struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx, const char *url,
- const char *username, const char *domain, const char *password)
+struct ldap_connection *ldap_setup_connection_with_sasl(TALLOC_CTX *mem_ctx,
+ const char *url,
+ struct cli_credentials *creds)
{
struct ldap_connection *conn;
int result;
return NULL;
}
- result = ldap_bind_sasl(conn, username, domain, password);
+ result = ldap_bind_sasl(conn, creds);
if (result != LDAP_SUCCESS) {
talloc_free(conn);
return NULL;
smbcli_req_append_blob(req, &parms->spnego.in.secblob);
smbcli_req_append_string(req, parms->spnego.in.os, STR_TERMINATE);
smbcli_req_append_string(req, parms->spnego.in.lanman, STR_TERMINATE);
- smbcli_req_append_string(req, parms->spnego.in.domain, STR_TERMINATE);
+ smbcli_req_append_string(req, parms->spnego.in.workgroup, STR_TERMINATE);
break;
}
p += parms->spnego.out.secblob.length;
p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.os, p, -1, STR_TERMINATE);
p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.lanman, p, -1, STR_TERMINATE);
- p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.domain, p, -1, STR_TERMINATE);
+ p += smbcli_req_pull_string(req, mem_ctx, &parms->spnego.out.workgroup, p, -1, STR_TERMINATE);
break;
}
int port_num;
int *iports;
struct smbcli_socket *sock;
- const char *dest_host;
+ const char *dest_host_addr;
+ const char *dest_hostname;
};
c->status = socket_connect_complete(conn->sock->sock, 0);
if (NT_STATUS_IS_OK(c->status)) {
socket_set_option(conn->sock->sock, lp_socket_options(), NULL);
- conn->sock->hostname = talloc_strdup(conn->sock, conn->dest_host);
+ conn->sock->hostname = talloc_strdup(conn->sock, conn->dest_hostname);
c->state = SMBCLI_REQUEST_DONE;
if (c->async.fn) {
c->async.fn(c);
for (i=conn->port_num+1;conn->iports[i];i++) {
conn->port_num = i;
c->status = smbcli_sock_connect_one(conn->sock,
- conn->dest_host,
+ conn->dest_host_addr,
conn->iports[i], c);
if (NT_STATUS_IS_OK(c->status) ||
NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
this is the async send side of the interface
*/
struct composite_context *smbcli_sock_connect_send(struct smbcli_socket *sock,
- const char *host_addr, int port)
+ const char *host_addr, int port,
+ const char *host_name)
{
struct composite_context *c;
struct clisocket_connect *conn;
conn->iports[1] = 0;
}
- conn->dest_host = talloc_strdup(c, host_addr);
- if (conn->dest_host == NULL) goto failed;
+ conn->dest_host_addr = talloc_strdup(c, host_addr);
+ if (conn->dest_host_addr == NULL) goto failed;
+
+ conn->dest_hostname = talloc_strdup(c, host_name);
+ if (conn->dest_hostname == NULL) goto failed;
c->private = conn;
c->state = SMBCLI_REQUEST_SEND;
conn->port_num = i;
conn->sock->port = conn->iports[i];
c->status = smbcli_sock_connect_one(sock,
- conn->dest_host,
+ conn->dest_host_addr,
conn->iports[i], c);
if (NT_STATUS_IS_OK(c->status) ||
NT_STATUS_EQUAL(c->status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
sync version of the function
*/
-NTSTATUS smbcli_sock_connect(struct smbcli_socket *sock, const char *host_addr, int port)
+NTSTATUS smbcli_sock_connect(struct smbcli_socket *sock, const char *host_addr, int port,
+ const char *host_name)
{
struct composite_context *c;
- c = smbcli_sock_connect_send(sock, host_addr, port);
+ c = smbcli_sock_connect_send(sock, host_addr, port, host_name);
if (c == NULL) {
return NT_STATUS_NO_MEMORY;
}
return False;
}
- sock->hostname = name;
-
- status = smbcli_sock_connect(sock, address, port);
+ status = smbcli_sock_connect(sock, address, port, name);
return NT_STATUS_IS_OK(status);
}
*/
NTSTATUS smbcli_tree_full_connection(TALLOC_CTX *parent_ctx,
struct smbcli_tree **ret_tree,
- const char *my_name,
const char *dest_host, int port,
const char *service, const char *service_type,
struct cli_credentials *credentials)
io.in.dest_host = dest_host;
io.in.port = port;
io.in.called_name = strupper_talloc(parent_ctx, dest_host);
- io.in.calling_name = strupper_talloc(parent_ctx, my_name);
io.in.service = service;
io.in.service_type = service_type;
- io.in.domain = cli_credentials_get_domain(credentials);
- io.in.user = cli_credentials_get_username(credentials);
- io.in.password = cli_credentials_get_password(credentials);
+ io.in.credentials = credentials;
+ io.in.workgroup = lp_workgroup();
status = smb_composite_connect(&io, parent_ctx);
if (NT_STATUS_IS_OK(status)) {
librpc/rpc/dcerpc.o
ADD_OBJ_FILES = \
librpc/rpc/dcerpc_auth.o \
+ librpc/rpc/dcerpc_schannel.o \
librpc/rpc/dcerpc_util.o \
librpc/rpc/dcerpc_error.o \
- librpc/rpc/dcerpc_schannel.o \
librpc/rpc/dcerpc_smb.o \
librpc/rpc/dcerpc_sock.o
REQUIRED_SUBSYSTEMS = SOCKET
Generic Authentication Interface
Copyright (C) Andrew Tridgell 2003
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
Copyright (C) Stefan Metzmacher 2004
This program is free software; you can redistribute it and/or modify
return status;
}
- status = gensec_set_workstation(p->conn->security_state.generic_state,
- cli_credentials_get_workstation(credentials));
+ status = gensec_set_credentials(p->conn->security_state.generic_state,
+ credentials);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client workstation name to %s: %s\n",
- cli_credentials_get_workstation(credentials), nt_errstr(status)));
- return status;
- }
-
- status = gensec_set_domain(p->conn->security_state.generic_state,
- cli_credentials_get_domain(credentials));
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client domain to %s: %s\n",
- cli_credentials_get_domain(credentials), nt_errstr(status)));
- return status;
- }
-
- status = gensec_set_username(p->conn->security_state.generic_state,
- cli_credentials_get_username(credentials));
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client username to %s: %s\n",
- cli_credentials_get_username(credentials), nt_errstr(status)));
- return status;
- }
-
- status = gensec_set_password(p->conn->security_state.generic_state,
- cli_credentials_get_password(credentials));
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start set GENSEC client password: %s\n",
+ DEBUG(1, ("Failed to start set GENSEC client credentails: %s\n",
nt_errstr(status)));
return status;
}
dcerpc schannel operations
Copyright (C) Andrew Tridgell 2004
-
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2005
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
#include "librpc/gen_ndr/ndr_schannel.h"
#include "auth/auth.h"
-enum schannel_position {
- DCERPC_SCHANNEL_STATE_START = 0,
- DCERPC_SCHANNEL_STATE_UPDATE_1
-};
-
-struct dcerpc_schannel_state {
- enum schannel_position state;
- struct schannel_state *schannel_state;
- struct creds_CredentialState *creds;
-};
-
-/*
- wrappers for the schannel_*() functions
-
- These will become static again, when we get dynamic registration, and
- decrpc_schannel_security_ops come back here.
-*/
-static NTSTATUS dcerpc_schannel_unseal_packet(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- uint8_t *data, size_t length,
- const uint8_t *whole_pdu, size_t pdu_length,
- DATA_BLOB *sig)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
- return schannel_unseal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
-}
-
-static NTSTATUS dcerpc_schannel_check_packet(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- const uint8_t *data, size_t length,
- const uint8_t *whole_pdu, size_t pdu_length,
- const DATA_BLOB *sig)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
- return schannel_check_packet(dce_schan_state->schannel_state, data, length, sig);
-}
-
-static NTSTATUS dcerpc_schannel_seal_packet(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- uint8_t *data, size_t length,
- const uint8_t *whole_pdu, size_t pdu_length,
- DATA_BLOB *sig)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
- return schannel_seal_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
-}
-
-static NTSTATUS dcerpc_schannel_sign_packet(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- const uint8_t *data, size_t length,
- const uint8_t *whole_pdu, size_t pdu_length,
- DATA_BLOB *sig)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
- return schannel_sign_packet(dce_schan_state->schannel_state, mem_ctx, data, length, sig);
-}
-
-static size_t dcerpc_schannel_sig_size(struct gensec_security *gensec_security)
-{
- return 32;
-}
-
-static NTSTATUS dcerpc_schannel_session_key(struct gensec_security *gensec_security,
- DATA_BLOB *session_key)
-{
- return NT_STATUS_NOT_IMPLEMENTED;
-}
-
-static NTSTATUS dcerpc_schannel_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx,
- const DATA_BLOB in, DATA_BLOB *out)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
- NTSTATUS status;
- struct schannel_bind bind_schannel;
- struct schannel_bind_ack bind_schannel_ack;
- const char *workstation;
- const char *domain;
- *out = data_blob(NULL, 0);
-
- switch (gensec_security->gensec_role) {
- case GENSEC_CLIENT:
- if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
- /* we could parse the bind ack, but we don't know what it is yet */
- return NT_STATUS_OK;
- }
-
- status = schannel_start(dce_schan_state,
- &dce_schan_state->schannel_state,
- dce_schan_state->creds->session_key,
- True);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start schannel client\n"));
- return status;
- }
- talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
-
- bind_schannel.unknown1 = 0;
-#if 0
- /* to support this we'd need to have access to the full domain name */
- bind_schannel.bind_type = 23;
- bind_schannel.u.info23.domain = gensec_security->user.domain;
- bind_schannel.u.info23.account_name = gensec_security->user.name;
- bind_schannel.u.info23.dnsdomain = str_format_nbt_domain(out_mem_ctx, fulldomainname);
- bind_schannel.u.info23.workstation = str_format_nbt_domain(out_mem_ctx, gensec_get_workstation(gensec_security));
-#else
- bind_schannel.bind_type = 3;
- bind_schannel.u.info3.domain = gensec_security->user.domain;
- bind_schannel.u.info3.workstation = gensec_get_workstation(gensec_security);
-#endif
-
- status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel,
- (ndr_push_flags_fn_t)ndr_push_schannel_bind);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("Could not create schannel bind: %s\n",
- nt_errstr(status)));
- return status;
- }
-
- dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
-
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- case GENSEC_SERVER:
-
- if (dce_schan_state->state != DCERPC_SCHANNEL_STATE_START) {
- /* no third leg on this protocol */
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- /* parse the schannel startup blob */
- status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
- (ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (bind_schannel.bind_type == 23) {
- workstation = bind_schannel.u.info23.workstation;
- domain = bind_schannel.u.info23.domain;
- } else {
- workstation = bind_schannel.u.info3.workstation;
- domain = bind_schannel.u.info3.domain;
- }
-
- /* pull the session key for this client */
- status = schannel_fetch_session_key(out_mem_ctx, workstation,
- domain, &dce_schan_state->creds);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
- workstation, nt_errstr(status)));
- return status;
- }
-
- /* start up the schannel server code */
- status = schannel_start(dce_schan_state,
- &dce_schan_state->schannel_state,
- dce_schan_state->creds->session_key, False);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("Could not initialise schannel state from client %s: %s\n",
- workstation, nt_errstr(status)));
- return status;
- }
- talloc_steal(dce_schan_state, dce_schan_state->schannel_state);
-
- bind_schannel_ack.unknown1 = 1;
- bind_schannel_ack.unknown2 = 0;
- bind_schannel_ack.unknown3 = 0x6c0000;
-
- status = ndr_push_struct_blob(out, out_mem_ctx, &bind_schannel_ack,
- (ndr_push_flags_fn_t)ndr_push_schannel_bind_ack);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(3, ("Could not return schannel bind ack for client %s: %s\n",
- workstation, nt_errstr(status)));
- return status;
- }
-
- dce_schan_state->state = DCERPC_SCHANNEL_STATE_UPDATE_1;
-
- return NT_STATUS_OK;
- }
- return NT_STATUS_INVALID_PARAMETER;
-}
-
-/**
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
- *
- */
-
-NTSTATUS dcerpc_schannel_session_info(struct gensec_security *gensec_security,
- struct auth_session_info **session_info)
-{
- (*session_info) = talloc(gensec_security, struct auth_session_info);
- NT_STATUS_HAVE_NO_MEMORY(*session_info);
-
- ZERO_STRUCTP(*session_info);
-
- return NT_STATUS_OK;
-}
-
-/**
- * Return the struct creds_CredentialState.
- *
- * Make sure not to call this unless gensec is using schannel...
- */
-
-NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- struct creds_CredentialState **creds)
-{
- struct dcerpc_schannel_state *dce_schan_state = gensec_security->private_data;
-
- *creds = talloc_reference(mem_ctx, dce_schan_state->creds);
- if (!*creds) {
- return NT_STATUS_NO_MEMORY;
- }
- return NT_STATUS_OK;
-}
-
-
-static NTSTATUS dcerpc_schannel_start(struct gensec_security *gensec_security)
-{
- struct dcerpc_schannel_state *dce_schan_state;
-
- dce_schan_state = talloc(gensec_security, struct dcerpc_schannel_state);
- if (!dce_schan_state) {
- return NT_STATUS_NO_MEMORY;
- }
-
- dce_schan_state->state = DCERPC_SCHANNEL_STATE_START;
- gensec_security->private_data = dce_schan_state;
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS dcerpc_schannel_server_start(struct gensec_security *gensec_security)
-{
- NTSTATUS status;
-
- status = dcerpc_schannel_start(gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- return NT_STATUS_OK;
-}
-
-static NTSTATUS dcerpc_schannel_client_start(struct gensec_security *gensec_security)
-{
- NTSTATUS status;
-
- status = dcerpc_schannel_start(gensec_security);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- return NT_STATUS_OK;
-}
-
-
/*
get a schannel key using a netlogon challenge on a secondary pipe
*/
static NTSTATUS dcerpc_schannel_key(TALLOC_CTX *tmp_ctx,
struct dcerpc_pipe *p,
struct cli_credentials *credentials,
- int chan_type,
- struct creds_CredentialState *creds)
+ int chan_type)
{
NTSTATUS status;
struct dcerpc_binding *b;
struct netr_ServerAuthenticate2 a;
struct netr_Credential credentials1, credentials2, credentials3;
struct samr_Password mach_pwd;
- const char *workgroup;
uint32_t negotiate_flags;
+ struct creds_CredentialState *creds;
+ creds = talloc(tmp_ctx, struct creds_CredentialState);
+ if (!creds) {
+ return NT_STATUS_NO_MEMORY;
+ }
if (p->conn->flags & DCERPC_SCHANNEL_128) {
negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
negotiate_flags = NETLOGON_NEG_AUTH2_FLAGS;
}
- workgroup = cli_credentials_get_domain(credentials);
-
/*
step 1 - establish a netlogon connection, with no authentication
*/
*/
E_md4hash(cli_credentials_get_password(credentials), mach_pwd.hash);
creds_client_init(creds, &credentials1, &credentials2,
- cli_credentials_get_workstation(credentials),
- cli_credentials_get_domain(credentials),
- cli_credentials_get_username(credentials),
&mach_pwd, &credentials3,
negotiate_flags);
return NT_STATUS_UNSUCCESSFUL;
}
+ cli_credentials_set_netlogon_creds(credentials, creds);
+
/*
the schannel session key is now in creds.session_key
return NT_STATUS_OK;
}
-/*
- do a schannel style bind on a dcerpc pipe. The username is usually
- of the form HOSTNAME$ and the password is the domain trust password
-*/
-NTSTATUS dcerpc_bind_auth_schannel_withkey(struct dcerpc_pipe *p,
- const char *uuid, uint_t version,
- struct creds_CredentialState *creds)
-{
- NTSTATUS status;
- struct dcerpc_schannel_state *dce_schan_state;
-
- status = gensec_client_start(p, &p->conn->security_state.generic_state);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- status = gensec_set_workstation(p->conn->security_state.generic_state, creds->computer_name);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to set schannel workstation to %s: %s\n",
- creds->computer_name, nt_errstr(status)));
- talloc_free(p->conn->security_state.generic_state);
- p->conn->security_state.generic_state = NULL;
- return status;
- }
-
- status = gensec_set_username(p->conn->security_state.generic_state, creds->account_name);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to set schannel username to %s: %s\n",
- creds->account_name, nt_errstr(status)));
- talloc_free(p->conn->security_state.generic_state);
- p->conn->security_state.generic_state = NULL;
- return status;
- }
-
- status = gensec_set_domain(p->conn->security_state.generic_state, creds->domain);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to set schannel domain to %s: %s\n",
- creds->domain, nt_errstr(status)));
- talloc_free(p->conn->security_state.generic_state);
- p->conn->security_state.generic_state = NULL;
- return status;
- }
-
- status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state,
- DCERPC_AUTH_TYPE_SCHANNEL,
- dcerpc_auth_level(p->conn));
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to start SCHANNEL GENSEC backend: %s\n", nt_errstr(status)));
- talloc_free(p->conn->security_state.generic_state);
- p->conn->security_state.generic_state = NULL;
- return status;
- }
-
- dce_schan_state = p->conn->security_state.generic_state->private_data;
- dce_schan_state->creds = talloc_reference(dce_schan_state, creds);
-
- status = dcerpc_bind_auth(p, DCERPC_AUTH_TYPE_SCHANNEL, dcerpc_auth_level(p->conn),
- uuid, version);
-
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to bind to pipe with SCHANNEL: %s\n", nt_errstr(status)));
- talloc_free(p->conn->security_state.generic_state);
- p->conn->security_state.generic_state = NULL;
- return status;
- }
-
- return NT_STATUS_OK;
-}
-
NTSTATUS dcerpc_bind_auth_schannel(TALLOC_CTX *tmp_ctx,
struct dcerpc_pipe *p,
const char *uuid, uint_t version,
{
NTSTATUS status;
int chan_type = 0;
- struct creds_CredentialState *creds;
- creds = talloc(tmp_ctx, struct creds_CredentialState);
- if (!creds) {
- return NT_STATUS_NO_MEMORY;
- }
if (p->conn->flags & DCERPC_SCHANNEL_BDC) {
chan_type = SEC_CHAN_BDC;
chan_type = SEC_CHAN_DOMAIN;
}
+ /* Fills in NETLOGON credentials */
status = dcerpc_schannel_key(tmp_ctx,
p, credentials,
- chan_type,
- creds);
+ chan_type);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to fetch schannel session key: %s\n",
+ DEBUG(1, ("Failed to setup credentials for account %s: %s\n",
+ cli_credentials_get_username(credentials),
nt_errstr(status)));
return status;
}
- return dcerpc_bind_auth_schannel_withkey(p, uuid, version, creds);
+ return dcerpc_bind_auth_password(p, uuid, version,
+ credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+ NULL);
}
-static BOOL dcerpc_schannel_have_feature(struct gensec_security *gensec_security,
- uint32_t feature)
-{
- if (feature & (GENSEC_FEATURE_SESSION_KEY |
- GENSEC_FEATURE_SIGN |
- GENSEC_FEATURE_SEAL)) {
- return True;
- }
- return False;
-}
-
-
-static const struct gensec_security_ops gensec_dcerpc_schannel_security_ops = {
- .name = "dcerpc_schannel",
- .auth_type = DCERPC_AUTH_TYPE_SCHANNEL,
- .client_start = dcerpc_schannel_client_start,
- .server_start = dcerpc_schannel_server_start,
- .update = dcerpc_schannel_update,
- .seal_packet = dcerpc_schannel_seal_packet,
- .sign_packet = dcerpc_schannel_sign_packet,
- .check_packet = dcerpc_schannel_check_packet,
- .unseal_packet = dcerpc_schannel_unseal_packet,
- .session_key = dcerpc_schannel_session_key,
- .session_info = dcerpc_schannel_session_info,
- .sig_size = dcerpc_schannel_sig_size,
- .have_feature = dcerpc_schannel_have_feature,
- .enabled = True
-};
-
-NTSTATUS gensec_dcerpc_schannel_init(void)
-{
- NTSTATUS ret;
- ret = gensec_register(&gensec_dcerpc_schannel_security_ops);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(0,("Failed to register '%s' gensec backend!\n",
- gensec_dcerpc_schannel_security_ops.name));
- return ret;
- }
-
- return ret;
-}
Copyright (C) Andrew Tridgell 2003
Copyright (C) Jelmer Vernooij 2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
p->conn->binding_string = dcerpc_binding_string(p, binding);
if (!cli_credentials_is_anonymous(credentials) &&
- (binding->flags & DCERPC_SCHANNEL_ANY)) {
+ (binding->flags & DCERPC_SCHANNEL_ANY) &&
+ !cli_credentials_get_netlogon_creds(credentials)) {
+
+ /* If we don't already have netlogon credentials for
+ * the schannel bind, then we have to get these
+ * first */
status = dcerpc_bind_auth_schannel(tmp_ctx,
p, pipe_uuid, pipe_version,
credentials);
auth_type = DCERPC_AUTH_TYPE_SPNEGO;
} else if (binding->flags & DCERPC_AUTH_KRB5) {
auth_type = DCERPC_AUTH_TYPE_KRB5;
+ } else if (binding->flags & DCERPC_SCHANNEL_ANY) {
+ auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else {
auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
cli_credentials_set_anonymous(anon_creds);
cli_credentials_guess(anon_creds);
status = smbcli_full_connection(p->conn, &cli,
- cli_credentials_get_workstation(credentials),
binding->host,
"IPC$", NULL,
anon_creds);
} else {
status = smbcli_full_connection(p->conn, &cli,
- cli_credentials_get_workstation(credentials),
binding->host,
"IPC$", NULL,
credentials);
struct composite_context *creq;
struct fd_event *fde;
+ struct cli_credentials *credentials;
+
/* Here we need to determine which server to connect to.
* For now we use parametric options, type cifs.
* Later we will use security=server and auth_server.c.
ntvfs->private_data = private;
+ credentials = cli_credentials_init(private);
+ cli_credentials_set_username(credentials, user, CRED_SPECIFIED);
+ cli_credentials_set_domain(credentials, domain, CRED_SPECIFIED);
+ cli_credentials_set_password(credentials, pass, CRED_SPECIFIED);
+ cli_credentials_set_workstation(credentials, "vfs_cifs", CRED_SPECIFIED);
+
/* connect to the server, using the smbd event context */
io.in.dest_host = host;
io.in.port = 0;
io.in.called_name = host;
- io.in.calling_name = "vfs_cifs";
+ io.in.credentials = credentials;
+ io.in.workgroup = lp_workgroup();
io.in.service = remote_share;
io.in.service_type = "?????";
- io.in.domain = domain;
- io.in.user = user;
- io.in.password = pass;
creq = smb_composite_connect_send(&io, tcon->smb_conn->connection->event.ctx);
status = smb_composite_connect_recv(creq, private);
}
p += blob_len;
- p += req_pull_string(req, &sess.spnego.in.os, p, -1, STR_TERMINATE);
- p += req_pull_string(req, &sess.spnego.in.lanman, p, -1, STR_TERMINATE);
- p += req_pull_string(req, &sess.spnego.in.domain, p, -1, STR_TERMINATE);
+ p += req_pull_string(req, &sess.spnego.in.os, p, -1, STR_TERMINATE);
+ p += req_pull_string(req, &sess.spnego.in.lanman, p, -1, STR_TERMINATE);
+ p += req_pull_string(req, &sess.spnego.in.workgroup, p, -1, STR_TERMINATE);
/* call the generic handler */
status = sesssetup_backend(req, &sess);
SSVAL(req->out.hdr, HDR_UID, sess.spnego.out.vuid);
memcpy(req->out.data, sess.spnego.out.secblob.data, sess.spnego.out.secblob.length);
- req_push_str(req, NULL, sess.spnego.out.os, -1, STR_TERMINATE);
- req_push_str(req, NULL, sess.spnego.out.lanman, -1, STR_TERMINATE);
- req_push_str(req, NULL, sess.spnego.out.domain, -1, STR_TERMINATE);
+ req_push_str(req, NULL, sess.spnego.out.os, -1, STR_TERMINATE);
+ req_push_str(req, NULL, sess.spnego.out.lanman, -1, STR_TERMINATE);
+ req_push_str(req, NULL, sess.spnego.out.workgroup, -1, STR_TERMINATE);
chain_reply(req);
}
sesssetup_common_strings(req,
&sess->spnego.out.os,
&sess->spnego.out.lanman,
- &sess->spnego.out.domain);
+ &sess->spnego.out.workgroup);
return status;
}
session = smbcli_session_init(cli->transport, cli, False);
setup.in.sesskey = cli->transport->negotiate.sesskey;
setup.in.capabilities = cli->transport->negotiate.capabilities;
- setup.in.password = "INVALID-PASSWORD";
- setup.in.user = "INVALID-USERNAME";
- setup.in.domain = "INVALID-DOMAIN";
+ setup.in.workgroup = lp_workgroup();
+
+ setup.in.credentials = cli_credentials_init(NULL);
+ cli_credentials_set_conf(setup.in.credentials);
+ cli_credentials_set_domain(setup.in.credentials, "INVALID-DOMAIN", CRED_SPECIFIED);
+ cli_credentials_set_username(setup.in.credentials, "INVALID-USERNAME", CRED_SPECIFIED);
+ cli_credentials_set_password(setup.in.credentials, "INVALID-PASSWORD", CRED_SPECIFIED);
status = smb_composite_sesssetup(session, &setup);
talloc_free(session);
servers[i].server_name, servers[i].share_name,
servers[i].credentials->username, j);
+ cli_credentials_set_workstation(servers[i].credentials,
+ "gentest", CRED_SPECIFIED);
+
status = smbcli_full_connection(NULL, &servers[i].cli[j],
- "gentest",
servers[i].server_name,
servers[i].share_name, NULL,
servers[i].credentials);
return ret;
}
-BOOL test_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password)
+BOOL test_bind_sasl(struct ldap_connection *conn, struct cli_credentials *creds)
{
NTSTATUS status;
BOOL ret = True;
printf("Testing sasl bind as user\n");
- status = torture_ldap_bind_sasl(conn, username, domain, password);
+ status = torture_ldap_bind_sasl(conn, creds);
if (!NT_STATUS_IS_OK(status)) {
ret = False;
}
TALLOC_CTX *mem_ctx;
BOOL ret = True;
const char *host = lp_parm_string(-1, "torture", "host");
- const char *username = cli_credentials_get_username(cmdline_credentials);
- const char *domain = cli_credentials_get_domain(cmdline_credentials);
- const char *password = cli_credentials_get_password(cmdline_credentials);
const char *userdn = lp_parm_string(-1, "torture", "ldap_userdn");
/*const char *basedn = lp_parm_string(-1, "torture", "ldap_basedn");*/
const char *secret = lp_parm_string(-1, "torture", "ldap_secret");
ret = False;
}
- if (!test_bind_sasl(conn, username, domain, password)) {
+ if (!test_bind_sasl(conn, cmdline_credentials)) {
ret = False;
}
return NT_STATUS_OK;
}
-NTSTATUS torture_ldap_bind_sasl(struct ldap_connection *conn, const char *username, const char *domain, const char *password)
+NTSTATUS torture_ldap_bind_sasl(struct ldap_connection *conn,
+ struct cli_credentials *creds)
{
NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
int result;
return status;
}
- result = ldap_bind_sasl(conn, username, domain, password);
+ result = ldap_bind_sasl(conn, creds);
if (result != LDAP_SUCCESS) {
printf("Failed to bind with provided credentials and SASL mechanism\n");
/* FIXME: what abut actually implementing an ldap_connection_free() function ?
share++;
slprintf(myname,sizeof(myname), "lock-%u-%u", getpid(), snum);
+ cli_credentials_set_workstation(servers[snum], myname, CRED_SPECIFIED);
do {
- status = smbcli_full_connection(NULL, &c, myname,
+ status = smbcli_full_connection(NULL, &c,
server,
share, NULL,
servers[snum]);
*share = 0;
share++;
- status = smbcli_full_connection(NULL, &c, "masktest",
+ cli_credentials_set_workstation(credentials, "masktest", CRED_SPECIFIED);
+
+ status = smbcli_full_connection(NULL, &c,
server,
share, NULL,
credentials);
io2.in.dest_host = lp_parm_string(-1, "torture", "host");
io2.in.port = 0;
io2.in.called_name = lp_parm_string(-1, "torture", "host");
- io2.in.calling_name = lp_netbios_name();
io2.in.service = lp_parm_string(-1, "torture", "share");
io2.in.service_type = "A:";
- io2.in.user = cli_credentials_get_username(cmdline_credentials);
- io2.in.domain = cli_credentials_get_domain(cmdline_credentials);
- io2.in.password = cli_credentials_get_password(cmdline_credentials);
+ io2.in.credentials = cmdline_credentials;
+ io2.in.workgroup = lp_workgroup();
io2.in.filename = fname;
printf("testing parallel fetchfile with %d ops\n", torture_numops);
setup.in.sesskey = cli->transport->negotiate.sesskey;
setup.in.capabilities = cli->transport->negotiate.capabilities; /* ignored in secondary session setup, except by our libs, which care about the extended security bit */
- setup.in.password = cli_credentials_get_password(cmdline_credentials);
- setup.in.user = cli_credentials_get_username(cmdline_credentials);
- setup.in.domain = cli_credentials_get_domain(cmdline_credentials);
+ setup.in.workgroup = lp_workgroup();
+
+ setup.in.credentials = cmdline_credentials;
status = smb_composite_sesssetup(session, &setup);
CHECK_STATUS(status, NT_STATUS_OK);
session2->vuid = session->vuid;
setup.in.sesskey = cli->transport->negotiate.sesskey;
setup.in.capabilities = cli->transport->negotiate.capabilities; /* ignored in secondary session setup, except by our libs, which care about the extended security bit */
+ setup.in.workgroup = lp_workgroup();
- setup.in.password = cli_credentials_get_password(cmdline_credentials);
- setup.in.user = cli_credentials_get_username(cmdline_credentials);
- setup.in.domain = cli_credentials_get_domain(cmdline_credentials);
+ setup.in.credentials = cmdline_credentials;
status = smb_composite_sesssetup(session2, &setup);
CHECK_STATUS(status, NT_STATUS_OK);
session3->vuid = session->vuid;
setup.in.sesskey = cli->transport->negotiate.sesskey;
setup.in.capabilities = 0; /* force a non extended security login (should fail) */
-
-
- setup.in.password = cli_credentials_get_password(cmdline_credentials);
- setup.in.user = cli_credentials_get_username(cmdline_credentials);
- setup.in.domain = cli_credentials_get_domain(cmdline_credentials);
+ setup.in.workgroup = lp_workgroup();
+
+ setup.in.credentials = cmdline_credentials;
+
status = smb_composite_sesssetup(session3, &setup);
CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
a.out.credentials = &credentials3;
creds_client_init(creds, &credentials1, &credentials2,
- machine_name,
- lp_workgroup(),
- a.in.account_name,
&mach_password, &credentials3,
0);
a.out.credentials = &credentials3;
creds_client_init(creds, &credentials1, &credentials2,
- machine_name,
- lp_workgroup(),
- a.in.account_name,
&mach_password, &credentials3,
negotiate_flags);
a.out.rid = &rid;
creds_client_init(creds, &credentials1, &credentials2,
- machine_name,
- lp_workgroup(),
- a.in.account_name,
&mach_password, &credentials3,
negotiate_flags);
goto failed;
}
- status = dcerpc_bind_auth_schannel_withkey(p_netlogon,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- creds);
+ status = dcerpc_bind_auth_password(p_netlogon,
+ DCERPC_NETLOGON_UUID,
+ DCERPC_NETLOGON_VERSION,
+ credentials, DCERPC_AUTH_TYPE_SCHANNEL,
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
goto failed;
/* prepare a session setup to establish a security context */
setup.in.sesskey = transport->negotiate.sesskey;
setup.in.capabilities = transport->negotiate.capabilities;
- setup.in.password = NULL;
- setup.in.user = "";
- setup.in.domain = "";
setup.in.capabilities &= ~CAP_EXTENDED_SECURITY;
+ setup.in.credentials = cli_credentials_init(mem_ctx);
+ cli_credentials_set_anonymous(setup.in.credentials);
+
status = smb_composite_sesssetup(session, &setup);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(session);
a.out.credentials = &credentials3;
creds_client_init(creds, &credentials1, &credentials2,
- machine_name,
- domain,
- a.in.account_name,
&mach_password, &credentials3,
negotiate_flags);
return status;
}
+#if 0
static BOOL xp_login(const char *dcname, const char *wksname,
const char *domain, const char *wkspwd,
const char *user1name, const char *user1pw,
netlogon_schannel_pipe->conn->flags |= DCERPC_SEAL;
- status = dcerpc_bind_auth_schannel_withkey(netlogon_schannel_pipe,
- DCERPC_NETLOGON_UUID,
- DCERPC_NETLOGON_VERSION,
- netlogon_creds);
+ status = dcerpc_bind_auth_password(netlogon_schannel_pipe,
+ DCERPC_NETLOGON_UUID,
+ DCERPC_NETLOGON_VERSION,
+ creds, NULL);
if (!NT_STATUS_IS_OK(status))
return False;
return True;
}
+#endif
+
struct user_pw {
const char *username;
const char *password;
users[useridx1].username,
users[useridx2].username);
+#if 0
return xp_login(pdcname, machines[machidx].username,
domainname, machines[machidx].password,
users[useridx1].username,
users[useridx1].password,
users[useridx2].username,
users[useridx2].password);
+#endif
+ return False;
}
NTSTATUS status;
status = smbcli_full_connection(NULL,
- c, lp_netbios_name(),
- hostname,
+ c, hostname,
sharename, NULL,
cmdline_credentials);
if (!NT_STATUS_IS_OK(status)) {
const char *share = lp_parm_string(-1, "torture", "share");
status = smbcli_full_connection(NULL,
- &cli1, lp_netbios_name(),
- host,
+ &cli1, host,
share, NULL,
cmdline_credentials);
typedef void (*stdio_helper_function)(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id);
+ unsigned int mux_id, void **private2);
static void manage_squid_basic_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id);
+ unsigned int mux_id, void **private2);
static void manage_gensec_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id);
+ unsigned int mux_id, void **private2);
static void manage_ntlm_server_1_request (enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id);
+ unsigned int mux_id, void **private2);
static void manage_squid_request(enum stdio_helper_mode helper_mode,
- stdio_helper_function fn);
+ stdio_helper_function fn, void **private2);
static const struct {
enum stdio_helper_mode mode;
static void manage_squid_basic_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id)
+ unsigned int mux_id, void **private2)
{
char *user, *pass;
user=buf;
static void manage_gensec_get_pw_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id)
+ unsigned int mux_id, void **password)
{
DATA_BLOB in;
- struct gensec_security **gensec_state = (struct gensec_security **)private;
if (strlen(buf) < 2) {
DEBUG(1, ("query [%s] invalid", buf));
mux_printf(mux_id, "BH\n");
if (strncmp(buf, "PW ", 3) == 0) {
- (*gensec_state)->password_callback_private = talloc_strndup((*gensec_state),
- (const char *)in.data, in.length);
+ *password = talloc_strndup(*private /* hopefully the right gensec context, useful to use for talloc */,
+ (const char *)in.data, in.length);
- if ((*gensec_state)->password_callback_private == NULL) {
+ if (*password == NULL) {
DEBUG(1, ("Out of memory\n"));
mux_printf(mux_id, "BH\n");
data_blob_free(&in);
data_blob_free(&in);
}
-/*
- * Callback for gensec, to ask the calling application for a password. Uses the above function
- * for the stdio part of this.
+/**
+ * Callback for password credentails. This is not async, and when
+ * GENSEC and the credentails code is made async, it will look rather
+ * different.
*/
-static NTSTATUS get_password(struct gensec_security *gensec_security,
- TALLOC_CTX *mem_ctx,
- char **password)
+static const char *get_password(struct cli_credentials *credentials)
{
- *password = NULL;
+ char *password = NULL;
/* Ask for a password */
- mux_printf((unsigned int)gensec_security->password_callback_private, "PW\n");
- gensec_security->password_callback_private = NULL;
+ mux_printf((unsigned int)credentials->priv_data, "PW\n");
+ credentials->priv_data = NULL;
- manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request);
- *password = (char *)gensec_security->password_callback_private;
- if (*password) {
- return NT_STATUS_OK;
- } else {
- return NT_STATUS_INVALID_PARAMETER;
- }
+ manage_squid_request(NUM_HELPER_MODES /* bogus */, manage_gensec_get_pw_request, (void **)&password);
+ return password;
}
static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id)
+ unsigned int mux_id, void **private2)
{
DATA_BLOB in;
DATA_BLOB out = data_blob(NULL, 0);
NTSTATUS nt_status;
BOOL first = False;
const char *reply_code;
+ struct cli_credentials *creds;
if (strlen(buf) < 2) {
DEBUG(1, ("query [%s] invalid", buf));
if (!NT_STATUS_IS_OK(gensec_client_start(NULL, gensec_state))) {
exit(1);
}
- gensec_set_username(*gensec_state, opt_username);
- gensec_set_domain(*gensec_state, opt_domain);
+
+ creds = cli_credentials_init(*gensec_state);
+ cli_credentials_set_conf(creds);
+ if (opt_username) {
+ cli_credentials_set_username(creds, opt_username, CRED_SPECIFIED);
+ }
+ if (opt_domain) {
+ cli_credentials_set_domain(creds, opt_domain, CRED_SPECIFIED);
+ }
if (opt_password) {
- if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state, opt_password))) {
- DEBUG(1, ("Out of memory\n"));
- mux_printf(mux_id, "BH\n");
- data_blob_free(&in);
- return;
- }
+ cli_credentials_set_password(creds, opt_password, CRED_SPECIFIED);
} else {
- gensec_set_password_callback(*gensec_state, get_password, (void*)mux_id);
+ creds->password_obtained = CRED_CALLBACK;
+ creds->password_cb = get_password;
+ creds->priv_data = (void*)mux_id;
}
-
+
+ gensec_set_credentials(*gensec_state, creds);
+
break;
case GSS_SPNEGO_SERVER:
case SQUID_2_5_NTLMSSP:
}
if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(1, ("SPNEGO login failed to initialise: %s\n", nt_errstr(nt_status)));
+ DEBUG(1, ("GENSEC mech failed to start: %s\n", nt_errstr(nt_status)));
mux_printf(mux_id, "BH\n");
return;
}
if (strncmp(buf, "PW ", 3) == 0) {
- if (!NT_STATUS_IS_OK(gensec_set_password(*gensec_state,
- talloc_strndup((*gensec_state),
- (const char *)in.data,
- in.length)))) {
- DEBUG(1, ("gensec_set_password failed: %s\n", nt_errstr(nt_status)));
- mux_printf(mux_id, "BH %s\n", nt_errstr(nt_status));
- data_blob_free(&in);
- return;
- }
-
+ cli_credentials_set_password((*gensec_state)->credentials,
+ talloc_strndup((*gensec_state),
+ (const char *)in.data,
+ in.length),
+ CRED_SPECIFIED);
mux_printf(mux_id, "OK\n");
data_blob_free(&in);
return;
static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mode,
char *buf, int length, void **private,
- unsigned int mux_id)
+ unsigned int mux_id, void **private2)
{
char *request, *parameter;
static DATA_BLOB challenge;
}
static void manage_squid_request(enum stdio_helper_mode helper_mode,
- stdio_helper_function fn)
+ stdio_helper_function fn, void **private2)
{
char buf[SQUID_BUFFER_SIZE+1];
unsigned int mux_id;
mux_private->private_pointers = NULL;
}
- c=memchr(buf,' ',sizeof(buf)-1);
+ c=strchr(buf,' ');
+ if (!c) {
+ DEBUG(0, ("Invalid Request - no data after multiplex id\n"));
+ x_fprintf(x_stdout, "ERR\n");
+ return;
+ }
c++;
if (mux_id >= mux_private->max_mux) {
unsigned int prev_max = mux_private->max_mux;
private = &normal_private;
}
- fn(helper_mode, c, length, private, mux_id);
+ fn(helper_mode, c, length, private, mux_id, private2);
}
static void squid_stream(enum stdio_helper_mode stdio_mode,
x_setbuf(x_stdout, NULL);
x_setbuf(x_stderr, NULL);
while(1) {
- manage_squid_request(stdio_mode, fn);
+ manage_squid_request(stdio_mode, fn, NULL);
}
}
git.samba.org / samba.git / commitdiff