diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2006-01-12 09:33:49 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:50:55 -0500 |
| commit | a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f (patch) | |
| tree | 71b27ab4d11e2fc537b0ccf5d4e9c75dcc9757eb /source4/winbind | |
| parent | 4c6b9c79ff5d35e1d03ad5eb543db4b6b906b5ce (diff) | |
| download | samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.tar.gz samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.tar.xz samba-a5a79e8b8cbdf24d5c2db45ece4110ed5d85e58f.zip | |
r12865: Upgrade the librpc and libnet code.
In librpc, always try SMB level authentication, even if trying
schannel, but allow fallback to anonymous. This should better
function with servers that set restrict anonymous.
There are too many parts of Samba that get, parse and modify the
binding parameters. Avoid the extra work, and add a binding element
to the struct dcerpc_pipe
The libnet vampire code has been refactored, to reduce extra layers
and to better conform with the standard argument pattern. Also, take
advantage of the new libnet_Lookup code, so we don't require the silly
'password server' smb.conf parameter.
To better support forcing traffic to be sealed for the vampire
operation, the dcerpc_bind_auth() function now takes an auth level
parameter.
Andrew Bartlett
(This used to be commit d65b354959842326fdd4bd7eb7fbeea0390f4afa)
Diffstat (limited to 'source4/winbind')
| -rw-r--r-- | source4/winbind/wb_connect_lsa.c | 14 | ||||
| -rw-r--r-- | source4/winbind/wb_connect_sam.c | 14 | ||||
| -rw-r--r-- | source4/winbind/wb_init_domain.c | 3 |
3 files changed, 24 insertions, 7 deletions
diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c index 76f75eb0a4..1c9cb5f39a 100644 --- a/source4/winbind/wb_connect_lsa.c +++ b/source4/winbind/wb_connect_lsa.c @@ -95,24 +95,32 @@ static void init_lsa_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->lsa_pipe, - &dcerpc_table_lsarpc); + &dcerpc_table_lsarpc); composite_continue(state->ctx, ctx, init_lsa_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: + { + uint8_t auth_type; + if (lp_winbind_sealed_pipes()) { + auth_type = DCERPC_AUTH_LEVEL_PRIVACY; + } else { + auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; + } if (state->creds == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; } - state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->lsa_pipe, - &dcerpc_table_lsarpc, + &dcerpc_table_lsarpc, state->creds, state->auth_type, + auth_type, NULL); composite_continue(state->ctx, ctx, init_lsa_recv_auth_bind, state); break; + } default: composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } diff --git a/source4/winbind/wb_connect_sam.c b/source4/winbind/wb_connect_sam.c index e3b9c82310..1817785508 100644 --- a/source4/winbind/wb_connect_sam.c +++ b/source4/winbind/wb_connect_sam.c @@ -102,24 +102,32 @@ static void connect_samr_recv_pipe(struct composite_context *ctx) switch (state->auth_type) { case DCERPC_AUTH_TYPE_NONE: ctx = dcerpc_bind_auth_none_send(state, state->samr_pipe, - &dcerpc_table_samr); + &dcerpc_table_samr); composite_continue(state->ctx, ctx, connect_samr_recv_anon_bind, state); break; case DCERPC_AUTH_TYPE_NTLMSSP: case DCERPC_AUTH_TYPE_SCHANNEL: + { + uint8_t auth_type; + if (lp_winbind_sealed_pipes()) { + auth_type = DCERPC_AUTH_LEVEL_PRIVACY; + } else { + auth_type = DCERPC_AUTH_LEVEL_INTEGRITY; + } if (state->creds == NULL) { composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); return; } - state->samr_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->samr_pipe, - &dcerpc_table_samr, + &dcerpc_table_samr, state->creds, state->auth_type, + auth_type, NULL); composite_continue(state->ctx, ctx, connect_samr_recv_auth_bind, state); break; + } default: composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); } diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c index c9d99ff0b9..b10b5458ba 100644 --- a/source4/winbind/wb_init_domain.c +++ b/source4/winbind/wb_init_domain.c @@ -205,9 +205,10 @@ static void init_domain_recv_netlogonpipe(struct composite_context *ctx) state->domain->netlogon_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); ctx = dcerpc_bind_auth_send(state, state->domain->netlogon_pipe, - &dcerpc_table_netlogon, + &dcerpc_table_netlogon, state->domain->schannel_creds, DCERPC_AUTH_TYPE_SCHANNEL, + DCERPC_AUTH_LEVEL_PRIVACY, NULL); composite_continue(state->ctx, ctx, init_domain_recv_schannel, state); } |