2003-11-26 04:16:41 +03:00
/*
Unix SMB / CIFS implementation .
2004-06-20 04:58:09 +04:00
Generic Authentication Interface
2003-11-26 04:16:41 +03:00
Copyright ( C ) Andrew Tridgell 2003
r6028: A MAJOR update to intergrate the new credentails system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has it's own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentails code right though Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentails structure is now merged with the rest of the
credentails, as many of the values (username, workstation, domain)
where already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I havn't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
2005-03-24 07:14:06 +03:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2004 - 2005
2005-01-10 13:48:19 +03:00
Copyright ( C ) Stefan Metzmacher 2004
2003-11-26 04:16:41 +03:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2003-11-26 04:16:41 +03:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2003-11-26 04:16:41 +03:00
*/
# include "includes.h"
2012-03-13 17:52:40 +04:00
# include <tevent.h>
2005-11-20 01:31:26 +03:00
# include "libcli/composite/composite.h"
2005-12-28 18:38:36 +03:00
# include "auth/gensec/gensec.h"
2006-03-18 18:42:57 +03:00
# include "librpc/rpc/dcerpc.h"
2008-04-02 06:53:27 +04:00
# include "librpc/rpc/dcerpc_proto.h"
2007-12-03 19:41:50 +03:00
# include "param/param.h"
2003-11-26 04:16:41 +03:00
2006-10-24 12:08:03 +04:00
/*
return the rpc syntax and transfer syntax given the pipe uuid and version
*/
2007-08-20 00:46:45 +04:00
static NTSTATUS dcerpc_init_syntaxes ( const struct ndr_interface_table * table ,
2009-09-17 20:09:48 +04:00
uint32_t pipe_flags ,
struct ndr_syntax_id * syntax ,
struct ndr_syntax_id * transfer_syntax )
2006-10-24 12:08:03 +04:00
{
syntax - > uuid = table - > syntax_id . uuid ;
syntax - > if_version = table - > syntax_id . if_version ;
2009-09-17 20:09:48 +04:00
if ( pipe_flags & DCERPC_NDR64 ) {
2012-03-18 19:46:57 +04:00
* transfer_syntax = ndr_transfer_syntax_ndr64 ;
2009-09-17 20:09:48 +04:00
} else {
2012-03-18 19:46:57 +04:00
* transfer_syntax = ndr_transfer_syntax_ndr ;
2009-09-17 20:09:48 +04:00
}
2006-10-24 12:08:03 +04:00
return NT_STATUS_OK ;
}
2006-04-11 02:03:26 +04:00
2003-11-26 04:16:41 +03:00
/*
2006-04-11 02:03:26 +04:00
Send request to do a non - authenticated dcerpc bind
2003-11-26 04:16:41 +03:00
*/
2012-03-13 17:52:40 +04:00
static void dcerpc_bind_auth_none_done ( struct tevent_req * subreq ) ;
2005-11-20 01:31:26 +03:00
struct composite_context * dcerpc_bind_auth_none_send ( TALLOC_CTX * mem_ctx ,
struct dcerpc_pipe * p ,
2007-08-20 00:46:45 +04:00
const struct ndr_interface_table * table )
2003-11-26 04:16:41 +03:00
{
2007-08-18 10:57:49 +04:00
struct ndr_syntax_id syntax ;
struct ndr_syntax_id transfer_syntax ;
2005-11-20 01:31:26 +03:00
struct composite_context * c ;
2012-03-13 17:52:40 +04:00
struct tevent_req * subreq ;
2003-11-26 04:16:41 +03:00
2006-07-30 21:55:09 +04:00
c = composite_create ( mem_ctx , p - > conn - > event_ctx ) ;
2005-11-20 01:31:26 +03:00
if ( c = = NULL ) return NULL ;
2003-11-26 04:16:41 +03:00
2009-09-17 20:09:48 +04:00
c - > status = dcerpc_init_syntaxes ( table , p - > conn - > flags ,
2005-11-20 19:28:39 +03:00
& syntax , & transfer_syntax ) ;
2005-11-20 01:31:26 +03:00
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 2 , ( " Invalid uuid string in "
" dcerpc_bind_auth_none_send \n " ) ) ;
2005-12-08 04:13:45 +03:00
composite_error ( c , c - > status ) ;
2005-11-20 01:36:19 +03:00
return c ;
2005-11-20 01:31:26 +03:00
}
2012-03-13 17:52:40 +04:00
subreq = dcerpc_bind_send ( mem_ctx , p - > conn - > event_ctx , p ,
& syntax , & transfer_syntax ) ;
if ( composite_nomem ( subreq , c ) ) return c ;
tevent_req_set_callback ( subreq , dcerpc_bind_auth_none_done , c ) ;
2005-11-20 01:31:26 +03:00
2012-03-13 17:52:40 +04:00
return c ;
2005-11-20 01:31:26 +03:00
}
2012-03-13 17:52:40 +04:00
static void dcerpc_bind_auth_none_done ( struct tevent_req * subreq )
{
struct composite_context * ctx =
tevent_req_callback_data ( subreq ,
struct composite_context ) ;
ctx - > status = dcerpc_bind_recv ( subreq ) ;
TALLOC_FREE ( subreq ) ;
if ( ! composite_is_ok ( ctx ) ) return ;
composite_done ( ctx ) ;
}
2006-04-11 02:03:26 +04:00
/*
Receive result of a non - authenticated dcerpc bind
*/
2005-11-20 01:31:26 +03:00
NTSTATUS dcerpc_bind_auth_none_recv ( struct composite_context * ctx )
{
2012-03-13 17:52:40 +04:00
NTSTATUS result = composite_wait ( ctx ) ;
TALLOC_FREE ( ctx ) ;
return result ;
2005-11-20 01:31:26 +03:00
}
2006-04-11 02:03:26 +04:00
/*
Perform sync non - authenticated dcerpc bind
*/
2008-04-02 06:53:27 +04:00
_PUBLIC_ NTSTATUS dcerpc_bind_auth_none ( struct dcerpc_pipe * p ,
2007-08-20 00:46:45 +04:00
const struct ndr_interface_table * table )
2005-11-20 01:31:26 +03:00
{
struct composite_context * ctx ;
2006-04-11 02:03:26 +04:00
2005-12-27 17:28:01 +03:00
ctx = dcerpc_bind_auth_none_send ( p , p , table ) ;
2005-11-20 01:31:26 +03:00
return dcerpc_bind_auth_none_recv ( ctx ) ;
2003-11-26 04:16:41 +03:00
}
2004-06-07 16:30:22 +04:00
2006-04-11 02:03:26 +04:00
2005-11-20 19:28:39 +03:00
struct bind_auth_state {
struct dcerpc_pipe * pipe ;
2004-06-07 16:30:22 +04:00
DATA_BLOB credentials ;
2007-09-25 20:05:08 +04:00
bool more_processing ; /* Is there anything more to do after the
2005-11-21 22:43:06 +03:00
* first bind itself received ? */
2005-11-20 19:28:39 +03:00
} ;
2004-06-07 16:30:22 +04:00
2012-03-13 18:37:49 +04:00
static void bind_auth_recv_alter ( struct tevent_req * subreq ) ;
2005-08-23 09:29:37 +04:00
2005-11-20 19:28:39 +03:00
static void bind_auth_next_step ( struct composite_context * c )
{
2006-04-11 02:03:26 +04:00
struct bind_auth_state * state ;
2011-03-13 15:49:41 +03:00
struct dcecli_security * sec ;
2012-03-13 18:37:49 +04:00
struct tevent_req * subreq ;
2007-09-25 20:05:08 +04:00
bool more_processing = false ;
2005-11-20 19:28:39 +03:00
2006-04-11 02:03:26 +04:00
state = talloc_get_type ( c - > private_data , struct bind_auth_state ) ;
sec = & state - > pipe - > conn - > security_state ;
2005-11-21 22:43:06 +03:00
/* The status value here, from GENSEC is vital to the security
* of the system . Even if the other end accepts , if GENSEC
* claims ' MORE_PROCESSING_REQUIRED ' then you must keep
* feeding it blobs , or else the remote host / attacker might
* avoid mutal authentication requirements .
*
* Likewise , you must not feed GENSEC too much ( after the OK ) ,
* it doesn ' t like that either
*/
2012-07-09 08:37:28 +04:00
state - > pipe - > inhibit_timeout_processing = true ;
state - > pipe - > timed_out = false ;
2005-11-20 19:28:39 +03:00
c - > status = gensec_update ( sec - > generic_state , state ,
2011-10-17 11:22:33 +04:00
state - > pipe - > conn - > event_ctx ,
2005-11-20 19:28:39 +03:00
sec - > auth_info - > credentials ,
& state - > credentials ) ;
2012-07-09 08:37:28 +04:00
if ( state - > pipe - > timed_out ) {
composite_error ( c , NT_STATUS_IO_TIMEOUT ) ;
return ;
}
state - > pipe - > inhibit_timeout_processing = false ;
2008-09-13 20:49:03 +04:00
data_blob_free ( & sec - > auth_info - > credentials ) ;
2005-11-20 19:28:39 +03:00
if ( NT_STATUS_EQUAL ( c - > status , NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
2007-09-25 20:05:08 +04:00
more_processing = true ;
2005-11-20 19:28:39 +03:00
c - > status = NT_STATUS_OK ;
}
if ( ! composite_is_ok ( c ) ) return ;
2004-06-20 04:58:09 +04:00
2005-11-20 19:28:39 +03:00
if ( state - > credentials . length = = 0 ) {
composite_done ( c ) ;
return ;
2004-06-07 16:30:22 +04:00
}
2005-11-20 19:28:39 +03:00
sec - > auth_info - > credentials = state - > credentials ;
if ( ! more_processing ) {
/* NO reply expected, so just send it */
2008-08-06 23:34:00 +04:00
c - > status = dcerpc_auth3 ( state - > pipe , state ) ;
2008-09-13 20:49:03 +04:00
data_blob_free ( & state - > credentials ) ;
sec - > auth_info - > credentials = data_blob ( NULL , 0 ) ;
2005-11-20 19:28:39 +03:00
if ( ! composite_is_ok ( c ) ) return ;
2006-04-11 02:03:26 +04:00
2005-11-20 19:28:39 +03:00
composite_done ( c ) ;
return ;
2004-06-07 16:30:22 +04:00
}
2005-11-21 22:43:06 +03:00
/* We are demanding a reply, so use a request that will get us one */
2012-03-13 18:37:49 +04:00
subreq = dcerpc_alter_context_send ( state , state - > pipe - > conn - > event_ctx ,
state - > pipe ,
& state - > pipe - > syntax ,
& state - > pipe - > transfer_syntax ) ;
2008-09-13 20:49:03 +04:00
data_blob_free ( & state - > credentials ) ;
sec - > auth_info - > credentials = data_blob ( NULL , 0 ) ;
2012-03-13 18:37:49 +04:00
if ( composite_nomem ( subreq , c ) ) return ;
tevent_req_set_callback ( subreq , bind_auth_recv_alter , c ) ;
2005-11-20 19:28:39 +03:00
}
2004-06-07 16:30:22 +04:00
2006-04-11 02:03:26 +04:00
2012-03-13 18:37:49 +04:00
static void bind_auth_recv_alter ( struct tevent_req * subreq )
2005-11-20 19:28:39 +03:00
{
2012-03-13 18:37:49 +04:00
struct composite_context * c =
tevent_req_callback_data ( subreq ,
struct composite_context ) ;
2005-01-10 10:14:12 +03:00
2012-03-13 18:37:49 +04:00
c - > status = dcerpc_alter_context_recv ( subreq ) ;
TALLOC_FREE ( subreq ) ;
2005-11-20 19:28:39 +03:00
if ( ! composite_is_ok ( c ) ) return ;
2005-01-10 10:14:12 +03:00
2005-11-20 19:28:39 +03:00
bind_auth_next_step ( c ) ;
}
2004-06-07 16:30:22 +04:00
2006-04-11 02:03:26 +04:00
2012-03-13 17:52:40 +04:00
static void bind_auth_recv_bindreply ( struct tevent_req * subreq )
2005-11-20 19:28:39 +03:00
{
2012-03-13 17:52:40 +04:00
struct composite_context * c =
tevent_req_callback_data ( subreq ,
struct composite_context ) ;
2006-04-11 02:03:26 +04:00
struct bind_auth_state * state = talloc_get_type ( c - > private_data ,
struct bind_auth_state ) ;
2005-11-20 19:28:39 +03:00
2012-03-13 17:52:40 +04:00
c - > status = dcerpc_bind_recv ( subreq ) ;
TALLOC_FREE ( subreq ) ;
2005-11-20 19:28:39 +03:00
if ( ! composite_is_ok ( c ) ) return ;
2014-01-03 11:35:27 +04:00
if ( state - > pipe - > conn - > flags & DCERPC_HEADER_SIGNING ) {
struct dcecli_security * sec = & state - > pipe - > conn - > security_state ;
gensec_want_feature ( sec - > generic_state , GENSEC_FEATURE_SIGN_PKT_HEADER ) ;
}
2005-11-20 19:28:39 +03:00
if ( ! state - > more_processing ) {
2005-11-21 22:43:06 +03:00
/* The first gensec_update has not requested a second run, so
* we ' re done here . */
2005-11-20 19:28:39 +03:00
composite_done ( c ) ;
return ;
2004-06-07 16:30:22 +04:00
}
2005-11-20 19:28:39 +03:00
bind_auth_next_step ( c ) ;
2004-06-07 16:30:22 +04:00
}
2005-01-10 10:14:12 +03:00
2006-04-11 02:03:26 +04:00
2006-02-04 10:56:30 +03:00
/**
2006-04-11 02:03:26 +04:00
Bind to a DCE / RPC pipe , send async request
2006-02-04 10:56:30 +03:00
@ param mem_ctx TALLOC_CTX for the allocation of the composite_context
@ param p The dcerpc_pipe to bind ( must already be connected )
@ param table The interface table to use ( the DCE / RPC bind both selects and interface and authenticates )
@ param credentials The credentials of the account to connect with
@ param auth_type Select the authentication scheme to use
@ param auth_level Chooses between unprotected ( connect ) , signed or sealed
@ param service The service ( used by Kerberos to select the service principal to contact )
@ retval A composite context describing the partial state of the bind
*/
2005-11-20 20:34:56 +03:00
struct composite_context * dcerpc_bind_auth_send ( TALLOC_CTX * mem_ctx ,
struct dcerpc_pipe * p ,
2007-08-20 00:46:45 +04:00
const struct ndr_interface_table * table ,
2005-11-20 20:34:56 +03:00
struct cli_credentials * credentials ,
2008-11-02 04:05:48 +03:00
struct gensec_settings * gensec_settings ,
2006-01-12 12:33:49 +03:00
uint8_t auth_type , uint8_t auth_level ,
2005-11-20 20:34:56 +03:00
const char * service )
2005-01-10 13:48:19 +03:00
{
2012-03-13 17:52:40 +04:00
struct composite_context * c ;
2005-11-20 19:28:39 +03:00
struct bind_auth_state * state ;
2011-03-13 15:49:41 +03:00
struct dcecli_security * sec ;
2012-03-13 17:52:40 +04:00
struct tevent_req * subreq ;
2005-11-20 19:28:39 +03:00
2007-08-18 10:57:49 +04:00
struct ndr_syntax_id syntax , transfer_syntax ;
2005-11-20 19:28:39 +03:00
2006-04-11 02:03:26 +04:00
/* composite context allocation and setup */
2006-07-30 21:55:09 +04:00
c = composite_create ( mem_ctx , p - > conn - > event_ctx ) ;
2005-11-20 19:28:39 +03:00
if ( c = = NULL ) return NULL ;
2005-01-10 13:48:19 +03:00
2005-11-20 19:28:39 +03:00
state = talloc ( c , struct bind_auth_state ) ;
2006-04-11 02:03:26 +04:00
if ( composite_nomem ( state , c ) ) return c ;
2005-11-20 19:28:39 +03:00
c - > private_data = state ;
state - > pipe = p ;
2009-09-17 20:09:48 +04:00
c - > status = dcerpc_init_syntaxes ( table , p - > conn - > flags ,
2005-11-20 19:28:39 +03:00
& syntax ,
& transfer_syntax ) ;
2006-07-30 21:55:09 +04:00
if ( ! composite_is_ok ( c ) ) return c ;
2005-11-20 19:28:39 +03:00
sec = & p - > conn - > security_state ;
c - > status = gensec_client_start ( p , & sec - > generic_state ,
2008-11-02 04:05:48 +03:00
gensec_settings ) ;
2005-11-20 19:28:39 +03:00
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 1 , ( " Failed to start GENSEC client mode: %s \n " ,
nt_errstr ( c - > status ) ) ) ;
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-01-10 13:48:19 +03:00
}
2005-11-20 19:28:39 +03:00
c - > status = gensec_set_credentials ( sec - > generic_state , credentials ) ;
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
2007-12-02 21:31:14 +03:00
DEBUG ( 1 , ( " Failed to set GENSEC client credentials: %s \n " ,
2005-11-20 19:28:39 +03:00
nt_errstr ( c - > status ) ) ) ;
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-01-10 13:48:19 +03:00
}
2006-07-30 21:55:09 +04:00
c - > status = gensec_set_target_hostname ( sec - > generic_state ,
2013-09-23 15:54:38 +04:00
dcerpc_server_name ( p ) ) ;
2005-11-20 19:28:39 +03:00
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 1 , ( " Failed to set GENSEC target hostname: %s \n " ,
nt_errstr ( c - > status ) ) ) ;
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-01-10 13:48:19 +03:00
}
2005-11-20 19:28:39 +03:00
if ( service ! = NULL ) {
c - > status = gensec_set_target_service ( sec - > generic_state ,
service ) ;
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 1 , ( " Failed to set GENSEC target service: %s \n " ,
nt_errstr ( c - > status ) ) ) ;
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-03-01 19:08:36 +03:00
}
}
2010-10-02 06:05:30 +04:00
if ( p - > binding & & p - > binding - > target_principal ) {
c - > status = gensec_set_target_principal ( sec - > generic_state ,
p - > binding - > target_principal ) ;
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 1 , ( " Failed to set GENSEC target principal to %s: %s \n " ,
p - > binding - > target_principal , nt_errstr ( c - > status ) ) ) ;
composite_error ( c , c - > status ) ;
return c ;
}
}
2005-11-20 19:28:39 +03:00
c - > status = gensec_start_mech_by_authtype ( sec - > generic_state ,
2006-01-12 12:33:49 +03:00
auth_type , auth_level ) ;
2005-11-20 19:28:39 +03:00
if ( ! NT_STATUS_IS_OK ( c - > status ) ) {
DEBUG ( 1 , ( " Failed to start GENSEC client mechanism %s: %s \n " ,
2008-11-03 01:58:49 +03:00
gensec_get_name_by_authtype ( sec - > generic_state , auth_type ) ,
2005-11-20 19:28:39 +03:00
nt_errstr ( c - > status ) ) ) ;
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-11-20 19:28:39 +03:00
}
sec - > auth_info = talloc ( p , struct dcerpc_auth ) ;
2006-04-11 02:03:26 +04:00
if ( composite_nomem ( sec - > auth_info , c ) ) return c ;
2005-11-20 19:28:39 +03:00
sec - > auth_info - > auth_type = auth_type ;
2006-01-12 12:33:49 +03:00
sec - > auth_info - > auth_level = auth_level ,
2005-11-20 19:28:39 +03:00
sec - > auth_info - > auth_pad_length = 0 ;
sec - > auth_info - > auth_reserved = 0 ;
sec - > auth_info - > auth_context_id = random ( ) ;
sec - > auth_info - > credentials = data_blob ( NULL , 0 ) ;
2005-11-21 22:43:06 +03:00
/* The status value here, from GENSEC is vital to the security
* of the system . Even if the other end accepts , if GENSEC
* claims ' MORE_PROCESSING_REQUIRED ' then you must keep
* feeding it blobs , or else the remote host / attacker might
* avoid mutal authentication requirements .
*
* Likewise , you must not feed GENSEC too much ( after the OK ) ,
* it doesn ' t like that either
*/
2012-07-09 08:37:28 +04:00
state - > pipe - > inhibit_timeout_processing = true ;
state - > pipe - > timed_out = false ;
2005-11-20 19:28:39 +03:00
c - > status = gensec_update ( sec - > generic_state , state ,
2011-10-17 11:22:33 +04:00
p - > conn - > event_ctx ,
2005-11-20 19:28:39 +03:00
sec - > auth_info - > credentials ,
& state - > credentials ) ;
2012-07-09 08:37:28 +04:00
if ( state - > pipe - > timed_out ) {
composite_error ( c , NT_STATUS_IO_TIMEOUT ) ;
return c ;
}
state - > pipe - > inhibit_timeout_processing = false ;
2005-11-20 19:28:39 +03:00
if ( ! NT_STATUS_IS_OK ( c - > status ) & &
! NT_STATUS_EQUAL ( c - > status , NT_STATUS_MORE_PROCESSING_REQUIRED ) ) {
2006-07-30 21:55:09 +04:00
composite_error ( c , c - > status ) ;
return c ;
2005-11-20 19:28:39 +03:00
}
2006-07-30 21:55:09 +04:00
state - > more_processing = NT_STATUS_EQUAL ( c - > status ,
NT_STATUS_MORE_PROCESSING_REQUIRED ) ;
2005-11-20 19:28:39 +03:00
if ( state - > credentials . length = = 0 ) {
2005-12-08 04:13:45 +03:00
composite_done ( c ) ;
2005-11-20 19:28:39 +03:00
return c ;
2005-01-10 13:48:19 +03:00
}
2005-11-20 19:28:39 +03:00
sec - > auth_info - > credentials = state - > credentials ;
2014-01-03 11:35:27 +04:00
if ( gensec_have_feature ( sec - > generic_state , GENSEC_FEATURE_SIGN_PKT_HEADER ) ) {
state - > pipe - > conn - > flags | = DCERPC_PROPOSE_HEADER_SIGNING ;
}
2005-11-21 22:43:06 +03:00
/* The first request always is a dcerpc_bind. The subsequent ones
* depend on gensec results */
2012-03-13 17:52:40 +04:00
subreq = dcerpc_bind_send ( state , p - > conn - > event_ctx , p ,
& syntax , & transfer_syntax ) ;
2008-09-13 20:49:03 +04:00
data_blob_free ( & state - > credentials ) ;
sec - > auth_info - > credentials = data_blob ( NULL , 0 ) ;
2012-03-13 17:52:40 +04:00
if ( composite_nomem ( subreq , c ) ) return c ;
tevent_req_set_callback ( subreq , bind_auth_recv_bindreply , c ) ;
2005-01-10 13:48:19 +03:00
2005-11-20 19:28:39 +03:00
return c ;
}
2006-04-11 02:03:26 +04:00
/**
Bind to a DCE / RPC pipe , receive result
@ param creq A composite context describing state of async call
@ retval NTSTATUS code
*/
2005-11-20 20:34:56 +03:00
NTSTATUS dcerpc_bind_auth_recv ( struct composite_context * creq )
2005-11-20 19:28:39 +03:00
{
NTSTATUS result = composite_wait ( creq ) ;
2006-04-11 02:03:26 +04:00
struct bind_auth_state * state = talloc_get_type ( creq - > private_data ,
struct bind_auth_state ) ;
2005-11-21 07:09:36 +03:00
if ( NT_STATUS_IS_OK ( result ) ) {
/*
after a successful authenticated bind the session
key reverts to the generic session key
*/
state - > pipe - > conn - > security_state . session_key = dcerpc_generic_session_key ;
}
2005-11-20 19:28:39 +03:00
talloc_free ( creq ) ;
return result ;
}
2006-04-11 02:03:26 +04:00
2006-02-04 10:56:30 +03:00
/**
Perform a GENSEC authenticated bind to a DCE / RPC pipe , sync
@ param p The dcerpc_pipe to bind ( must already be connected )
@ param table The interface table to use ( the DCE / RPC bind both selects and interface and authenticates )
@ param credentials The credentials of the account to connect with
@ param auth_type Select the authentication scheme to use
@ param auth_level Chooses between unprotected ( connect ) , signed or sealed
@ param service The service ( used by Kerberos to select the service principal to contact )
@ retval NTSTATUS status code
2005-11-20 19:28:39 +03:00
*/
2006-04-11 02:03:26 +04:00
2008-04-02 06:53:27 +04:00
_PUBLIC_ NTSTATUS dcerpc_bind_auth ( struct dcerpc_pipe * p ,
2007-08-20 00:46:45 +04:00
const struct ndr_interface_table * table ,
2005-11-20 19:28:39 +03:00
struct cli_credentials * credentials ,
2008-11-02 04:05:48 +03:00
struct gensec_settings * gensec_settings ,
2006-01-12 12:33:49 +03:00
uint8_t auth_type , uint8_t auth_level ,
2005-11-20 19:28:39 +03:00
const char * service )
{
struct composite_context * creq ;
2008-11-02 04:05:48 +03:00
creq = dcerpc_bind_auth_send ( p , p , table , credentials , gensec_settings ,
2006-01-12 12:33:49 +03:00
auth_type , auth_level , service ) ;
2005-11-20 19:28:39 +03:00
return dcerpc_bind_auth_recv ( creq ) ;
2005-01-10 13:48:19 +03:00
}
