diff options
author | Volker Lendecke <vlendec@samba.org> | 2005-10-10 19:57:55 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:39:39 -0500 |
commit | d617556ef50863d6a03c81a04f0f6b05848a250e (patch) | |
tree | c5963dd3778e2cb2f6e3b4942649f1d9e3195677 /source4/winbind/wb_connect_lsa.c | |
parent | 3dfe8c22b835c34453b23b654cd5649d698da3cb (diff) | |
download | samba-d617556ef50863d6a03c81a04f0f6b05848a250e.tar.gz samba-d617556ef50863d6a03c81a04f0f6b05848a250e.tar.xz samba-d617556ef50863d6a03c81a04f0f6b05848a250e.zip |
r10878: Reply to some comments by tridge and metze:
* rename the composite helper functions from comp_* to composite_*
* Move the lsa initialization to wb_connect_lsa.c
* Equip smb_composite_connect with a fallback_to_anonymous
The latter two simplify wb_init_domain.c quite a bit.
Volker
(This used to be commit deb127e04ea01ae93394da5ebffb39d81caeb6d9)
Diffstat (limited to 'source4/winbind/wb_connect_lsa.c')
-rw-r--r-- | source4/winbind/wb_connect_lsa.c | 323 |
1 files changed, 323 insertions, 0 deletions
diff --git a/source4/winbind/wb_connect_lsa.c b/source4/winbind/wb_connect_lsa.c new file mode 100644 index 00000000000..ef7b525c2ab --- /dev/null +++ b/source4/winbind/wb_connect_lsa.c @@ -0,0 +1,323 @@ +/* + Unix SMB/CIFS implementation. + + Connect to the LSA pipe, given an smbcli_tree and possibly some + credentials. Try ntlmssp, schannel and anon in that order. + + Copyright (C) Volker Lendecke 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" +#include "libcli/composite/composite.h" +#include "libcli/smb_composite/smb_composite.h" +#include "winbind/wb_async_helpers.h" +#include "winbind/wb_server.h" +#include "smbd/service_stream.h" + +#include "librpc/gen_ndr/nbt.h" +#include "librpc/gen_ndr/samr.h" +#include "lib/messaging/irpc.h" +#include "librpc/gen_ndr/irpc.h" +#include "librpc/gen_ndr/ndr_irpc.h" +#include "libcli/raw/libcliraw.h" +#include "librpc/gen_ndr/ndr_netlogon.h" +#include "librpc/gen_ndr/ndr_lsa.h" +#include "libcli/auth/credentials.h" + + +/* Helper to initialize LSA with a specific auth methods. Verify by opening + * the LSA policy. */ + +struct init_lsa_state { + struct composite_context *ctx; + struct dcerpc_pipe *lsa_pipe; + + uint8_t auth_type; + struct cli_credentials *creds; + + struct lsa_ObjectAttribute objectattr; + struct lsa_OpenPolicy2 openpolicy; + struct policy_handle *handle; +}; + +static void init_lsa_recv_pipe(struct composite_context *ctx); +static void init_lsa_recv_openpol(struct rpc_request *req); + +static struct composite_context *wb_init_lsa_send(struct smbcli_tree *tree, + uint8_t auth_type, + struct cli_credentials *creds) +{ + struct composite_context *result, *ctx; + struct init_lsa_state *state; + + result = talloc(NULL, struct composite_context); + if (result == NULL) goto failed; + result->state = COMPOSITE_STATE_IN_PROGRESS; + result->event_ctx = tree->session->transport->socket->event.ctx; + + state = talloc(result, struct init_lsa_state); + if (state == NULL) goto failed; + state->ctx = result; + result->private_data = state; + + state->auth_type = auth_type; + state->creds = creds; + + state->lsa_pipe = dcerpc_pipe_init(state, result->event_ctx); + if (state->lsa_pipe == NULL) goto failed; + + ctx = dcerpc_pipe_open_smb_send(state->lsa_pipe->conn, tree, + "\\lsarpc"); + ctx->async.fn = init_lsa_recv_pipe; + ctx->async.private_data = state; + return result; + + failed: + talloc_free(result); + return NULL; +} + +static void init_lsa_recv_pipe(struct composite_context *ctx) +{ + struct init_lsa_state *state = + talloc_get_type(ctx->async.private_data, + struct init_lsa_state); + struct rpc_request *req; + + state->ctx->status = dcerpc_pipe_open_smb_recv(ctx); + if (!composite_is_ok(state->ctx)) return; + + switch (state->auth_type) { + case DCERPC_AUTH_TYPE_NONE: + state->ctx->status = + dcerpc_bind_auth_none(state->lsa_pipe, + DCERPC_LSARPC_UUID, + DCERPC_LSARPC_VERSION); + break; + case DCERPC_AUTH_TYPE_NTLMSSP: + case DCERPC_AUTH_TYPE_SCHANNEL: + if (state->creds == NULL) { + composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR); + return; + } + state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL); + state->ctx->status = + dcerpc_bind_auth_password(state->lsa_pipe, + DCERPC_LSARPC_UUID, + DCERPC_LSARPC_VERSION, + state->creds, + state->auth_type, + NULL); + break; + default: + state->ctx->status = NT_STATUS_INTERNAL_ERROR; + + } + + state->handle = talloc(state, struct policy_handle); + if (composite_nomem(state->handle, state->ctx)) return; + + state->openpolicy.in.system_name = + talloc_asprintf(state, "\\\\%s", + dcerpc_server_name(state->lsa_pipe)); + ZERO_STRUCT(state->objectattr); + state->openpolicy.in.attr = &state->objectattr; + state->openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + state->openpolicy.out.handle = state->handle; + + req = dcerpc_lsa_OpenPolicy2_send(state->lsa_pipe, state, + &state->openpolicy); + composite_continue_rpc(state->ctx, req, init_lsa_recv_openpol, state); +} + +static void init_lsa_recv_openpol(struct rpc_request *req) +{ + struct init_lsa_state *state = + talloc_get_type(req->async.private, + struct init_lsa_state); + + state->ctx->status = dcerpc_ndr_request_recv(req); + if (!composite_is_ok(state->ctx)) return; + state->ctx->status = state->openpolicy.out.result; + if (!composite_is_ok(state->ctx)) return; + + composite_done(state->ctx); +} + +static NTSTATUS wb_init_lsa_recv(struct composite_context *c, + TALLOC_CTX *mem_ctx, + struct dcerpc_pipe **lsa_pipe, + struct policy_handle **lsa_policy) +{ + NTSTATUS status = composite_wait(c); + if (NT_STATUS_IS_OK(status)) { + struct init_lsa_state *state = + talloc_get_type(c->private_data, + struct init_lsa_state); + *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe); + *lsa_policy = talloc_steal(mem_ctx, state->handle); + } + talloc_free(c); + return status; +} + + +/* + * Connect to LSA using the credentials, try NTLMSSP and SCHANNEL using the + * given credentials. If both fail or no credentials are available, fall back + * to an anonymous bind. + */ + +struct connect_lsa_state { + struct composite_context *ctx; + struct smbcli_tree *tree; + struct cli_credentials *credentials; + + uint8_t auth_type; + struct dcerpc_pipe *lsa_pipe; + struct policy_handle *lsa_policy; +}; + +static void connect_lsa_recv_ntlmssp(struct composite_context *ctx); +static void connect_lsa_recv_schannel(struct composite_context *ctx); +static void connect_lsa_recv_anon(struct composite_context *ctx); + +struct composite_context *wb_connect_lsa_send(struct smbcli_tree *tree, + struct cli_credentials *credentials) +{ + struct composite_context *result, *ctx; + struct connect_lsa_state *state; + + result = talloc(NULL, struct composite_context); + if (result == NULL) goto failed; + result->state = COMPOSITE_STATE_IN_PROGRESS; + result->event_ctx = tree->session->transport->socket->event.ctx; + + state = talloc(result, struct connect_lsa_state); + if (state == NULL) goto failed; + state->ctx = result; + result->private_data = state; + + state->tree = tree; + state->credentials = credentials; + + if (credentials == NULL) { + ctx = wb_init_lsa_send(tree, DCERPC_AUTH_TYPE_NONE, NULL); + if (ctx == NULL) goto failed; + ctx->async.fn = connect_lsa_recv_anon; + ctx->async.private_data = state; + return result; + } + + ctx = wb_init_lsa_send(tree, DCERPC_AUTH_TYPE_NTLMSSP, credentials); + if (ctx == NULL) goto failed; + ctx->async.fn = connect_lsa_recv_ntlmssp; + ctx->async.private_data = state; + return result; + + failed: + talloc_free(result); + return NULL; +} + +static void connect_lsa_recv_ntlmssp(struct composite_context *ctx) +{ + struct connect_lsa_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_lsa_state); + + state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe, + &state->lsa_policy); + + if (NT_STATUS_IS_OK(state->ctx->status)) { + state->auth_type = DCERPC_AUTH_TYPE_NTLMSSP; + composite_done(state->ctx); + return; + } + + ctx = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_SCHANNEL, + state->credentials); + composite_continue(state->ctx, ctx, + connect_lsa_recv_schannel, state); +} + +static void connect_lsa_recv_schannel(struct composite_context *ctx) +{ + struct connect_lsa_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_lsa_state); + + state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe, + &state->lsa_policy); + + if (NT_STATUS_IS_OK(state->ctx->status)) { + state->auth_type = DCERPC_AUTH_TYPE_SCHANNEL; + composite_done(state->ctx); + return; + } + + ctx = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_NONE, + state->credentials); + composite_continue(state->ctx, ctx, + connect_lsa_recv_anon, state); +} + +static void connect_lsa_recv_anon(struct composite_context *ctx) +{ + struct connect_lsa_state *state = + talloc_get_type(ctx->async.private_data, + struct connect_lsa_state); + + state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe, + &state->lsa_policy); + if (!composite_is_ok(state->ctx)) return; + + state->auth_type = DCERPC_AUTH_TYPE_NONE; + composite_done(state->ctx); +} + +NTSTATUS wb_connect_lsa_recv(struct composite_context *c, + TALLOC_CTX *mem_ctx, + uint8_t *auth_type, + struct dcerpc_pipe **lsa_pipe, + struct policy_handle **lsa_policy) +{ + NTSTATUS status = composite_wait(c); + if (NT_STATUS_IS_OK(status)) { + struct connect_lsa_state *state = + talloc_get_type(c->private_data, + struct connect_lsa_state); + *auth_type = state->auth_type; + *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe); + *lsa_policy = talloc_steal(mem_ctx, state->lsa_policy); + } + talloc_free(c); + return status; +} + +NTSTATUS wb_connect_lsa(struct smbcli_tree *tree, + struct cli_credentials *credentials, + TALLOC_CTX *mem_ctx, + uint8_t *auth_type, + struct dcerpc_pipe **lsa_pipe, + struct policy_handle **lsa_policy) +{ + struct composite_context *c; + c = wb_connect_lsa_send(tree, credentials); + return wb_connect_lsa_recv(c, mem_ctx, auth_type, lsa_pipe, + lsa_policy); +} |