author | Stefan Metzmacher <metze@samba.org> | 2014-09-21 09:20:26 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2014-09-23 01:34:05 +0200 |
commit | f65c1f0e2f6a8c23a94003f61b0b98d963b2424b (patch) | |
tree | f2cecce7bcc0f1318bf20176321a0adb6c960fbe /source4 | |
parent | 3b18dea1310cfe9e9b4ec0f2b3b5b14ac4771c83 (diff) | |
s4:librpc: use authenticated epmapping for ncacn_http
We need to authenticate against the RpcProxy.
In future we could have a way to specify alternative credentials
for the RpcProxy and HttpProxy.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Sep 23 01:34:05 CEST 2014 on sn-devel-104
Diffstat (limited to 'source4')
-rw-r--r-- | source4/libnet/libnet_rpc.c | 10 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_connect.c | 12 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_schannel.c | 7 | ||||
-rw-r--r-- | source4/librpc/rpc/dcerpc_util.c | 20 |
4 files changed, 38 insertions, 11 deletions
diff --git a/source4/libnet/libnet_rpc.c b/source4/libnet/libnet_rpc.c
index 19838d4fe3..ec1931795b 100644
--- a/source4/libnet/libnet_rpc.c
+++ b/source4/libnet/libnet_rpc.c
@@ -25,7 +25,7 @@
#include "librpc/rpc/dcerpc_proto.h"
#include "librpc/gen_ndr/ndr_lsa_c.h"
#include "librpc/gen_ndr/ndr_samr.h"
-
+#include "auth/credentials/credentials.h"
struct rpc_connect_srv_state {
struct libnet_context *ctx;
@@ -783,13 +783,19 @@ static void continue_epm_map_binding_send(struct composite_context *c)
{
struct rpc_connect_dci_state *s;
struct composite_context *epm_map_req;
+ struct cli_credentials *epm_creds = NULL;
+
s = talloc_get_type(c->private_data, struct rpc_connect_dci_state);
/* prepare to get endpoint mapping for the requested interface */
s->final_binding = dcerpc_binding_dup(s, s->lsa_pipe->binding);
if (composite_nomem(s->final_binding, c)) return;
-
+
+ epm_creds = cli_credentials_init_anon(s);
+ if (composite_nomem(epm_creds, c)) return;
+
epm_map_req = dcerpc_epm_map_binding_send(c, s->final_binding, s->r.in.dcerpc_iface,
+ epm_creds,
s->ctx->event_ctx, s->ctx->lp_ctx);
if (composite_nomem(epm_map_req, c)) return;
diff --git a/source4/librpc/rpc/dcerpc_connect.c b/source4/librpc/rpc/dcerpc_connect.c
index fe3a0c8a62..9c5dbebcc1 100644
--- a/source4/librpc/rpc/dcerpc_connect.c
+++ b/source4/librpc/rpc/dcerpc_connect.c
@@ -1005,6 +1005,7 @@ _PUBLIC_ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent
struct pipe_connect_state *s;
enum dcerpc_transport_t transport;
const char *endpoint = NULL;
+ struct cli_credentials *epm_creds = NULL;
/* composite context allocation and setup */
c = composite_create(parent_ctx, ev);
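Review bot: In continue_epm_map_binding_send the new `epm_creds` is always `cli_credentials_init_anon(s)`, whatever transport `s->final_binding` uses, so this caller would still query the endpoint mapper anonymously on an ncacn_http binding, which the commit message says must authenticate against the RpcProxy. The same hard-coded anonymous choice appears in dcerpc_schannel_key_send (dcerpc_schannel.c) and in the synchronous dcerpc_epm_map_binding wrapper (dcerpc_util.c). Whether those paths can be reached with ncacn_http is not visible in these hunks; if they cannot, a comment beside the allocation such as `/* endpoint mapping on this path never uses ncacn_http, so anonymous credentials are sufficient */` would record the assumption.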
@@ -1042,9 +1043,17 @@ _PUBLIC_ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent
switch (transport) {
case NCACN_NP:
case NCACN_IP_TCP:
- case NCACN_HTTP:
case NCALRPC:
endpoint = dcerpc_binding_get_string_option(s->binding, "endpoint");
+
+ /* anonymous credentials for rpc connection used to get endpoint mapping */
+ epm_creds = cli_credentials_init_anon(s);
+ if (composite_nomem(epm_creds, c)) return c;
+
+ break;
+ case NCACN_HTTP:
+ endpoint = dcerpc_binding_get_string_option(s->binding, "endpoint");
+ epm_creds = credentials;
break;
default:
break;
@@ -1054,6 +1063,7 @@ _PUBLIC_ struct composite_context* dcerpc_pipe_connect_b_send(TALLOC_CTX *parent
struct composite_context *binding_req;
binding_req = dcerpc_epm_map_binding_send(c, s->binding, s->table,
+ epm_creds,
s->pipe->conn->event_ctx, s->lp_ctx);
composite_continue(c, binding_req, continue_map_binding, c);
diff --git a/source4/librpc/rpc/dcerpc_schannel.c b/source4/librpc/rpc/dcerpc_schannel.c
index 9ce36774da..9ff39ebd2d 100644
--- a/source4/librpc/rpc/dcerpc_schannel.c
+++ b/source4/librpc/rpc/dcerpc_schannel.c
@@ -312,7 +312,8 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
struct schannel_key_state *s;
struct composite_context *epm_map_req;
enum netr_SchannelType schannel_type = cli_credentials_get_secure_channel_type(credentials);
-
+ struct cli_credentials *epm_creds = NULL;
+
/* composite context allocation and setup */
c = composite_create(mem_ctx, p->conn->event_ctx);
if (c == NULL) return NULL;
@@ -345,6 +346,9 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
s->local_negotiate_flags |= NETLOGON_NEG_RODC_PASSTHROUGH;
}
+ epm_creds = cli_credentials_init_anon(s);
+ if (composite_nomem(epm_creds, c)) return c;
+
/* allocate binding structure */
s->binding = dcerpc_binding_dup(s, s->pipe->binding);
if (composite_nomem(s->binding, c)) return c;
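Review bot: The new `case NCACN_HTTP:` branch sets `epm_creds = credentials;` without a comment, although it is the one place where the caller's real credentials, rather than anonymous ones, are handed to the endpoint-mapper connection. They are forwarded to the nested dcerpc_pipe_connect_b_send call for the epmapper pipe (dcerpc_util.c), so presumably they are used for that whole connection and not only for the RpcProxy; a comment such as `/* the RpcProxy requires authentication; epm_creds is borrowed from the caller, not owned by s */` would make the exception and the lifetime explicit. The `default:` case also leaves `epm_creds` NULL where the callee used to create anonymous credentials itself; the condition guarding the mapping call lies outside the hunk, so it is worth confirming that NULL cannot reach dcerpc_epm_map_binding_send.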
@@ -352,6 +356,7 @@ static struct composite_context *dcerpc_schannel_key_send(TALLOC_CTX *mem_ctx,
/* request the netlogon endpoint mapping */
epm_map_req = dcerpc_epm_map_binding_send(c, s->binding, &ndr_table_netlogon,
+ epm_creds,
s->pipe->conn->event_ctx, lp_ctx);
if (composite_nomem(epm_map_req, c)) return c;
diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index a9eaccb70b..de960b246b 100644
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -222,13 +222,13 @@ static void continue_epm_map(struct tevent_req *subreq)
struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx, struct dcerpc_binding *binding, const struct ndr_interface_table *table,
+ struct cli_credentials *creds,
struct tevent_context *ev, struct loadparm_context *lp_ctx)
{
struct composite_context *c;
struct epm_map_binding_state *s;
struct composite_context *pipe_connect_req;
- struct cli_credentials *anon_creds;
NTSTATUS status;
struct dcerpc_binding *epmapper_binding;
int i;
@@ -308,10 +308,6 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
return c;
}
- /* anonymous credentials for rpc connection used to get endpoint mapping */
- anon_creds = cli_credentials_init_anon(s);
- if (composite_nomem(anon_creds, c)) return c;
-
epmapper_binding = dcerpc_binding_dup(s, binding);
if (composite_nomem(epmapper_binding, c)) return c;
@@ -337,7 +333,7 @@ struct composite_context *dcerpc_epm_map_binding_send(TALLOC_CTX *mem_ctx,
/* initiate rpc pipe connection */
pipe_connect_req = dcerpc_pipe_connect_b_send(s, epmapper_binding, &ndr_table_epmapper,
- anon_creds, c->event_ctx,
+ creds, c->event_ctx,
lp_ctx);
if (composite_nomem(pipe_connect_req, c)) return c;
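Review bot: dcerpc_epm_map_binding_send gains a `creds` parameter but nothing states its contract. The function no longer allocates credentials on `s`, so the caller's object has to outlive the composite request, and a NULL is passed straight on to dcerpc_pipe_connect_b_send. A header comment would cover it, for example `/* creds: credentials for the epmapper connection; borrowed, must stay valid until the request completes, must not be NULL */`. If NULL is meant to be tolerated, falling back to `cli_credentials_init_anon(s)` when `creds == NULL` would keep the previous behaviour for callers that have none. The function body extends beyond these hunks.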
@@ -366,8 +362,18 @@ _PUBLIC_ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_bind
struct loadparm_context *lp_ctx)
{
struct composite_context *c;
+ struct cli_credentials *epm_creds;
- c = dcerpc_epm_map_binding_send(mem_ctx, binding, table, ev, lp_ctx);
+ epm_creds = cli_credentials_init_anon(mem_ctx);
+ if (epm_creds == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ c = dcerpc_epm_map_binding_send(mem_ctx, binding, table, epm_creds, ev, lp_ctx);
+ if (c == NULL) {
+ talloc_free(epm_creds);
+ return NT_STATUS_NO_MEMORY;
+ }
+ talloc_steal(c, epm_creds);
return dcerpc_epm_map_binding_recv(c);
} |