/*
Unix SMB / CIFS implementation .
dcerpc utility functions
Copyright ( C ) Andrew Tridgell 2003
Copyright ( C ) Jelmer Vernooij 2004
r6028: A MAJOR update to integrate the new credentials system fully with
GENSEC, and to pull SCHANNEL into GENSEC, by making it less 'special'.
GENSEC now no longer has its own handling of 'set username' etc,
instead it uses cli_credentials calls.
In order to link the credentials code right through Samba, a lot of
interfaces have changed to remove 'username, domain, password'
arguments, and these have been replaced with a single 'struct
cli_credentials'.
In the session setup code, a new parameter 'workgroup' contains the
client/server current workgroup, which seems unrelated to the
authentication exchange (it was being filled in from the auth info).
This allows in particular kerberos to only call back for passwords
when it actually needs to perform the kinit.
The kerberos code has been modified not to use the SPNEGO provided
'principal name' (in the mechListMIC), but to instead use the name the
host was connected to as. This better matches Microsoft behaviour,
is more secure and allows better use of standard kerberos functions.
To achieve this, I made changes to our socket code so that the
hostname (before name resolution) is now recorded on the socket.
In schannel, most of the code from librpc/rpc/dcerpc_schannel.c is now
in libcli/auth/schannel.c, and it looks much more like a standard
GENSEC module. The actual sign/seal code moved to
libcli/auth/schannel_sign.c in a previous commit.
The schannel credentials structure is now merged with the rest of the
credentials, as many of the values (username, workstation, domain)
were already present there. This makes handling this in a generic
manner much easier, as there is no longer a custom entry-point.
The auth_domain module continues to be developed, but is now just as
functional as auth_winbind. The changes here are consequential to the
schannel changes.
The only removed function at this point is the RPC-LOGIN test
(simulating the load of a WinXP login), which needs much more work to
clean it up (it contains copies of too much code from all over the
torture suite, and I haven't been able to penetrate its 'structure').
Andrew Bartlett
(This used to be commit 2301a4b38a21aa60917973451687063d83d18d66)
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 2 of the License , or
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
# include "includes.h"
# include "system/network.h"
# include "librpc/gen_ndr/ndr_epmapper.h"
# include "librpc/gen_ndr/ndr_dcerpc.h"
# include "librpc/gen_ndr/ndr_misc.h"
# include "libcli/raw/libcliraw.h"
# include "libcli/composite/composite.h"
# include "libcli/smb_composite/smb_composite.h"
/*
  Find the pipe name for a local IDL interface.

  Walks the list returned by librpc_dcerpc_pipes() and returns the table
  name of the first entry whose uuid compares equal ignoring case and
  whose if_version is equal.  When nothing matches, the literal string
  "UNKNOWN" is returned, so the result is never NULL.

  uuid is handed straight to strcasecmp() and therefore must not be NULL.
*/
const char *idl_pipe_name(const char *uuid, uint32_t if_version)
{
	const struct dcerpc_interface_list *entry = librpc_dcerpc_pipes();

	while (entry != NULL) {
		const int same_uuid = (strcasecmp(entry->table->uuid, uuid) == 0);

		if (same_uuid && entry->table->if_version == if_version) {
			return entry->table->name;
		}
		entry = entry->next;
	}

	return "UNKNOWN";
}
/*
  Find the number of calls defined by local IDL for an interface.

  The interface is selected by a case-insensitive uuid match plus an
  exact if_version match against the list from librpc_dcerpc_pipes().
  Returns the table's num_calls for the first match, or -1 when the
  interface is not known locally.

  uuid is handed straight to strcasecmp() and therefore must not be NULL.
*/
int idl_num_calls(const char *uuid, uint32_t if_version)
{
	const struct dcerpc_interface_list *entry = librpc_dcerpc_pipes();

	while (entry != NULL) {
		const int same_uuid = (strcasecmp(entry->table->uuid, uuid) == 0);

		if (same_uuid && entry->table->if_version == if_version) {
			return entry->table->num_calls;
		}
		entry = entry->next;
	}

	return -1;
}
/*
  Find a dcerpc interface by name.

  Compares name, ignoring case, against the table name of every entry in
  the list from librpc_dcerpc_pipes().  Returns the first matching table,
  or NULL when no interface carries that name.

  name is handed straight to strcasecmp() and therefore must not be NULL.
*/
const struct dcerpc_interface_table *idl_iface_by_name(const char *name)
{
	const struct dcerpc_interface_list *entry = librpc_dcerpc_pipes();

	while (entry != NULL) {
		if (strcasecmp(entry->table->name, name) == 0) {
			return entry->table;
		}
		entry = entry->next;
	}

	return NULL;
}
/*
  Find a dcerpc interface by uuid.

  Compares uuid, ignoring case, against the table uuid of every entry in
  the list from librpc_dcerpc_pipes().  The interface version is not part
  of the match.  Returns the first matching table, or NULL when the uuid
  is not known locally.

  uuid is handed straight to strcasecmp() and therefore must not be NULL.
*/
const struct dcerpc_interface_table *idl_iface_by_uuid(const char *uuid)
{
	const struct dcerpc_interface_list *entry = librpc_dcerpc_pipes();

	while (entry != NULL) {
		if (strcasecmp(entry->table->uuid, uuid) == 0) {
			return entry->table;
		}
		entry = entry->next;
	}

	return NULL;
}
/*
  Find a dcerpc call on an interface by name.

  Scans iface->calls[0 .. num_calls-1] and returns a pointer to the first
  entry whose name is an exact (case-sensitive) match, or NULL when the
  interface has no call of that name.

  Neither iface nor name is checked for NULL.
*/
const struct dcerpc_interface_call *dcerpc_iface_find_call(const struct dcerpc_interface_table *iface,
							   const char *name)
{
	int idx = 0;

	while (idx < iface->num_calls) {
		const struct dcerpc_interface_call *call = &iface->calls[idx];

		if (strcmp(call->name, name) == 0) {
			return call;
		}
		idx++;
	}

	return NULL;
}
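/*
  Push a ncacn_packet into a blob, potentially with auth info.

  blob      - receives the marshalled packet on success
  mem_ctx   - talloc context the push buffer is created on
  pkt       - packet to marshall; its auth_length field is overwritten
  auth_info - optional auth trailer, NULL for an unauthenticated packet

  Returns NT_STATUS_OK on success, NT_STATUS_NO_MEMORY when the push
  context cannot be created, or the status of whichever push failed.
  *blob is only written on success.
*/
NTSTATUS ncacn_push_auth(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
			 struct ncacn_packet *pkt,
			 struct dcerpc_auth *auth_info)
{
	NTSTATUS status;
	struct ndr_push *ndr;

	ndr = ndr_push_init_ctx(mem_ctx);
	if (!ndr) {
		return NT_STATUS_NO_MEMORY;
	}

	/* the packet's own data representation decides the byte order */
	if (!(pkt->drep[0] & DCERPC_DREP_LE)) {
		ndr->flags |= LIBNDR_FLAG_BIGENDIAN;
	}

	if (pkt->pfc_flags & DCERPC_PFC_FLAG_ORPC) {
		ndr->flags |= LIBNDR_FLAG_OBJECT_PRESENT;
	}

	/* auth_length has to be settled before the header is pushed, as the
	   header carries it.
	   NOTE(review): the width of pkt->auth_length is not visible here;
	   confirm credentials.length can never exceed it, otherwise the
	   header would advertise a shorter trailer than is actually sent */
	if (auth_info) {
		pkt->auth_length = auth_info->credentials.length;
	} else {
		pkt->auth_length = 0;
	}

	status = ndr_push_ncacn_packet(ndr, NDR_SCALARS|NDR_BUFFERS, pkt);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	if (auth_info) {
		status = ndr_push_dcerpc_auth(ndr, NDR_SCALARS|NDR_BUFFERS, auth_info);
		/* a failed trailer push must not be reported as success: the
		   blob would hold a header announcing auth data that is
		   missing or incomplete */
		if (!NT_STATUS_IS_OK(status)) {
			return status;
		}
	}

	*blob = ndr_push_blob(ndr);

	/* fill in the frag length */
	dcerpc_set_frag_length(blob, blob->length);

	return NT_STATUS_OK;
}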
#define MAX_PROTSEQ 10

/*
  Known transports: the protocol-sequence name used in binding strings,
  the matching dcerpc_transport_t value, and the list of endpoint-mapper
  protocol identifiers associated with it.  num_protocols says how many
  leading protseq[] slots are in use; it must never exceed MAX_PROTSEQ.
*/
static const struct {
	const char *name;
	enum dcerpc_transport_t transport;
	int num_protocols;
	enum epm_protocol protseq[MAX_PROTSEQ];
} transports[] = {
	{
		.name = "ncacn_np",
		.transport = NCACN_NP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_SMB, EPM_PROTOCOL_NETBIOS },
	},
	{
		.name = "ncacn_ip_tcp",
		.transport = NCACN_IP_TCP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_TCP, EPM_PROTOCOL_IP },
	},
	{
		.name = "ncacn_http",
		.transport = NCACN_HTTP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_HTTP, EPM_PROTOCOL_IP },
	},
	{
		.name = "ncadg_ip_udp",
		.transport = NCACN_IP_UDP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCADG, EPM_PROTOCOL_UDP, EPM_PROTOCOL_IP },
	},
	{
		.name = "ncalrpc",
		.transport = NCALRPC,
		.num_protocols = 2,
		.protseq = { EPM_PROTOCOL_NCALRPC, EPM_PROTOCOL_PIPE },
	},
	{
		.name = "ncacn_unix_stream",
		.transport = NCACN_UNIX_STREAM,
		.num_protocols = 2,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_UNIX_DS },
	},
	{
		.name = "ncadg_unix_dgram",
		.transport = NCADG_UNIX_DGRAM,
		.num_protocols = 2,
		.protseq = { EPM_PROTOCOL_NCADG, EPM_PROTOCOL_UNIX_DS },
	},
	{
		.name = "ncacn_at_dsp",
		.transport = NCACN_AT_DSP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_APPLETALK, EPM_PROTOCOL_DSP },
	},
	{
		.name = "ncadg_at_ddp",
		.transport = NCADG_AT_DDP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCADG, EPM_PROTOCOL_APPLETALK, EPM_PROTOCOL_DDP },
	},
	{
		/* NOTE(review): the string ends in "ssp" while the enum is
		 * NCACN_VNS_SPP; this looks like a transposition.  Changing it
		 * alters which binding strings are accepted, so confirm first. */
		.name = "ncacn_vns_ssp",
		.transport = NCACN_VNS_SPP,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_STREETTALK, EPM_PROTOCOL_VINES_SPP },
	},
	{
		.name = "ncacn_vns_ipc",
		.transport = NCACN_VNS_IPC,
		.num_protocols = 3,
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_STREETTALK, EPM_PROTOCOL_VINES_IPC },
	},
	{
		.name = "ncadg_ipx",
		.transport = NCADG_IPX,
		.num_protocols = 2,
		.protseq = { EPM_PROTOCOL_NCADG, EPM_PROTOCOL_IPX },
	},
	{
		.name = "ncacn_spx",
		.transport = NCACN_SPX,
		.num_protocols = 3,
		/* I guess some MS programmer confused the identifier for
		 * EPM_PROTOCOL_UUID (0x0D or 13) with the one for
		 * EPM_PROTOCOL_SPX (0x13) here. -- jelmer */
		.protseq = { EPM_PROTOCOL_NCACN, EPM_PROTOCOL_NCALRPC, EPM_PROTOCOL_UUID },
	},
};
/*
  Option keywords that may appear inside the [...] part of a binding
  string, each paired with the DCERPC_* flag bit it sets.  A keyword that
  is absent simply leaves its bit clear.

  NOTE(review): going by the names, several of these select signing,
  sealing and the authentication mechanism.  If that is right, whoever
  supplies the binding string decides the protection level of the
  connection; callers taking binding strings from untrusted input should
  enforce their own minimum -- confirm against the users of b->flags.
*/
static const struct {
	const char *name;
	uint32_t flag;
} ncacn_options[] = {
	{ .name = "sign",      .flag = DCERPC_SIGN },
	{ .name = "seal",      .flag = DCERPC_SEAL },
	{ .name = "connect",   .flag = DCERPC_CONNECT },
	{ .name = "spnego",    .flag = DCERPC_AUTH_SPNEGO },
	{ .name = "krb5",      .flag = DCERPC_AUTH_KRB5 },
	{ .name = "validate",  .flag = DCERPC_DEBUG_VALIDATE_BOTH },
	{ .name = "print",     .flag = DCERPC_DEBUG_PRINT_BOTH },
	{ .name = "padcheck",  .flag = DCERPC_DEBUG_PAD_CHECK },
	{ .name = "bigendian", .flag = DCERPC_PUSH_BIGENDIAN },
	{ .name = "smb2",      .flag = DCERPC_SMB2 }
};
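/*
  Render one endpoint-mapper tower floor as a short human-readable string.

  mem_ctx   - talloc context for any string that has to be formatted
  epm_floor - floor to describe; selected on epm_floor->lhs.protocol

  Returns either a string literal (fixed protocol names) or a string
  allocated on mem_ctx, so the caller must not free the result directly.
  Returns NULL when an allocation fails.

  NOTE(review): the rhs strings (ipaddr, pipe path, unc, unix path,
  netbios name) are formatted verbatim with %s.  If floors can originate
  from a remote endpoint mapper reply, treat the result as untrusted text
  when logging or displaying it, and confirm those pointers cannot be
  NULL at this point.
*/
const char *epm_floor_string(TALLOC_CTX *mem_ctx, struct epm_floor *epm_floor)
{
	struct GUID uuid;
	uint16_t if_version;
	NTSTATUS status;

	switch (epm_floor->lhs.protocol) {
	case EPM_PROTOCOL_UUID: {
		char *uuidstr;

		status = dcerpc_floor_get_lhs_data(epm_floor, &uuid, &if_version);
		if (!NT_STATUS_IS_OK(status)) {
			/* IPX */
			return talloc_asprintf(mem_ctx, "IPX:%s",
					       data_blob_hex_string(mem_ctx, &epm_floor->rhs.uuid.unknown));
		}

		/* lhs is used: UUID */
		uuidstr = GUID_string(mem_ctx, &uuid);
		if (uuidstr == NULL) {
			/* allocation failed; do not pass NULL to strcasecmp() */
			return NULL;
		}
		if (strcasecmp(uuidstr, NDR_GUID) == 0) {
			return "NDR";
		}
		return talloc_asprintf(mem_ctx, "uuid %s/0x%02x", uuidstr, if_version);
	}

	case EPM_PROTOCOL_NCACN:
		return "RPC-C";

	case EPM_PROTOCOL_NCADG:
		return "RPC";

	case EPM_PROTOCOL_NCALRPC:
		return "NCALRPC";

	case EPM_PROTOCOL_DNET_NSP:
		return "DNET/NSP";

	case EPM_PROTOCOL_IP:
		return talloc_asprintf(mem_ctx, "IP:%s", epm_floor->rhs.ip.ipaddr);

	case EPM_PROTOCOL_PIPE:
		return talloc_asprintf(mem_ctx, "PIPE:%s", epm_floor->rhs.pipe.path);

	case EPM_PROTOCOL_SMB:
		return talloc_asprintf(mem_ctx, "SMB:%s", epm_floor->rhs.smb.unc);

	case EPM_PROTOCOL_UNIX_DS:
		return talloc_asprintf(mem_ctx, "Unix:%s", epm_floor->rhs.unix_ds.path);

	case EPM_PROTOCOL_NETBIOS:
		return talloc_asprintf(mem_ctx, "NetBIOS:%s", epm_floor->rhs.netbios.name);

	case EPM_PROTOCOL_NETBEUI:
		return "NETBeui";

	case EPM_PROTOCOL_SPX:
		return "SPX";

	case EPM_PROTOCOL_NB_IPX:
		return "NB_IPX";

	case EPM_PROTOCOL_HTTP:
		return talloc_asprintf(mem_ctx, "HTTP:%d", epm_floor->rhs.http.port);

	case EPM_PROTOCOL_TCP:
		return talloc_asprintf(mem_ctx, "TCP:%d", epm_floor->rhs.tcp.port);

	case EPM_PROTOCOL_UDP:
		return talloc_asprintf(mem_ctx, "UDP:%d", epm_floor->rhs.udp.port);

	default:
		return talloc_asprintf(mem_ctx, "UNK(%02x):", epm_floor->lhs.protocol);
	}
}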
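/*
  Form a binding string from a binding structure.

  The result has the shape
      [object-guid@]transport:[host][ '[' [endpoint]{,option}{,flag} ']' ]
  where the bracketed part is omitted when the binding has no endpoint,
  no options and no flags.

  mem_ctx - talloc context the result is (indirectly) allocated under
  b       - binding to render

  Returns NULL when b->transport is not in the transports table or when
  any allocation fails.  Every intermediate allocation is checked, so a
  failure can never yield a string with a leading part silently missing.

  host, endpoint and options are copied verbatim with no escaping; a value
  containing ',', '[' or ']' produces a string that will presumably not
  parse back into the same fields.
*/
const char *dcerpc_binding_string(TALLOC_CTX *mem_ctx, const struct dcerpc_binding *b)
{
	char *s;
	int i;
	const char *t_name = NULL;

	for (i = 0; i < ARRAY_SIZE(transports); i++) {
		if (transports[i].transport == b->transport) {
			t_name = transports[i].name;
		}
	}
	if (!t_name) {
		return NULL;
	}

	s = talloc_strdup(mem_ctx, "");
	if (!s) return NULL;

	if (!GUID_all_zero(&b->object)) {
		const char *object = GUID_string(mem_ctx, &b->object);
		if (!object) return NULL;

		s = talloc_asprintf(s, "%s@", object);
		if (!s) return NULL;
	}

	s = talloc_asprintf_append(s, "%s:", t_name);
	if (!s) return NULL;

	if (b->host) {
		s = talloc_asprintf_append(s, "%s", b->host);
		if (!s) return NULL;
	}

	if (!b->endpoint && !b->options && !b->flags) {
		return s;
	}

	s = talloc_asprintf_append(s, "[");
	if (!s) return NULL;

	if (b->endpoint) {
		s = talloc_asprintf_append(s, "%s", b->endpoint);
		if (!s) return NULL;
	}

	/* this is a *really* inefficient way of dealing with strings,
	   but this is rarely called and the strings are always short,
	   so I don't care */
	for (i = 0; b->options && b->options[i]; i++) {
		s = talloc_asprintf_append(s, ",%s", b->options[i]);
		if (!s) return NULL;
	}

	for (i = 0; i < ARRAY_SIZE(ncacn_options); i++) {
		if (b->flags & ncacn_options[i].flag) {
			s = talloc_asprintf_append(s, ",%s", ncacn_options[i].name);
			if (!s) return NULL;
		}
	}

	s = talloc_asprintf_append(s, "]");
	if (!s) return NULL;

	return s;
}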
/*
parse a binding string into a dcerpc_binding structure
*/
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
NTSTATUS dcerpc_parse_binding ( TALLOC_CTX * mem_ctx , const char * s , struct dcerpc_binding * * b_out )
2003-12-15 03:29:55 +00:00
{
struct dcerpc_binding * b ;
2004-10-18 11:43:26 +00:00
char * options , * type ;
2003-12-15 03:29:55 +00:00
char * p ;
int i , j , comma_count ;
b = talloc ( mem_ctx , struct dcerpc_binding ) ;
if ( ! b ) {
return NT_STATUS_NO_MEMORY ;
}
2005-03-22 00:26:27 +00:00
b - > authservice = NULL ;
2004-10-18 11:43:26 +00:00
p = strchr ( s , ' @ ' ) ;
if ( p & & PTR_DIFF ( p , s ) = = 36 ) { /* 36 is the length of a UUID */
NTSTATUS status ;
2004-10-21 21:57:30 +00:00
status = GUID_from_string ( s , & b - > object ) ;
2004-10-18 11:43:26 +00:00
if ( NT_STATUS_IS_ERR ( status ) ) {
DEBUG ( 0 , ( " Failed parsing UUID \n " ) ) ;
return status ;
}
s = p + 1 ;
} else {
2004-10-21 21:57:30 +00:00
ZERO_STRUCT ( b - > object ) ;
2003-12-15 03:29:55 +00:00
}
2004-10-22 10:52:57 +00:00
b - > object_version = 0 ;
2003-12-15 03:29:55 +00:00
p = strchr ( s , ' : ' ) ;
if ( ! p ) {
2004-10-18 11:43:26 +00:00
return NT_STATUS_INVALID_PARAMETER ;
2003-12-15 03:29:55 +00:00
}
2004-10-18 11:43:26 +00:00
type = talloc_strndup ( mem_ctx , s , PTR_DIFF ( p , s ) ) ;
if ( ! type ) {
2003-12-15 03:29:55 +00:00
return NT_STATUS_NO_MEMORY ;
}
2004-10-21 12:47:02 +00:00
for ( i = 0 ; i < ARRAY_SIZE ( transports ) ; i + + ) {
if ( strcasecmp ( type , transports [ i ] . name ) = = 0 ) {
b - > transport = transports [ i ] . transport ;
2003-12-15 03:29:55 +00:00
break ;
}
}
2004-10-21 12:47:02 +00:00
if ( i = = ARRAY_SIZE ( transports ) ) {
2004-10-18 11:43:26 +00:00
DEBUG ( 0 , ( " Unknown dcerpc transport '%s' \n " , type ) ) ;
2003-12-15 03:29:55 +00:00
return NT_STATUS_INVALID_PARAMETER ;
}
2004-10-18 11:43:26 +00:00
s = p + 1 ;
p = strchr ( s , ' [ ' ) ;
if ( p ) {
b - > host = talloc_strndup ( b , s , PTR_DIFF ( p , s ) ) ;
2004-10-18 11:43:26 +00:00
options = talloc_strdup ( mem_ctx , p + 1 ) ;
if ( options [ strlen ( options ) - 1 ] ! = ' ] ' ) {
return NT_STATUS_INVALID_PARAMETER ;
}
options [ strlen ( options ) - 1 ] = 0 ;
} else {
b - > host = talloc_strdup ( b , s ) ;
2004-10-18 11:43:26 +00:00
options = NULL ;
}
if ( ! b - > host ) {
return NT_STATUS_NO_MEMORY ;
}
2003-12-15 03:29:55 +00:00
b - > options = NULL ;
b - > flags = 0 ;
2004-10-24 22:46:47 +00:00
b - > endpoint = NULL ;
2003-12-15 03:29:55 +00:00
2004-10-18 11:43:26 +00:00
if ( ! options ) {
* b_out = b ;
2003-12-15 03:29:55 +00:00
return NT_STATUS_OK ;
}
2004-10-18 11:43:26 +00:00
comma_count = count_chars ( options , ' , ' ) ;
2004-10-24 22:46:47 +00:00
b - > options = talloc_array ( b , const char * , comma_count + 2 ) ;
2003-12-15 03:29:55 +00:00
if ( ! b - > options ) {
return NT_STATUS_NO_MEMORY ;
}
2004-10-18 11:43:26 +00:00
for ( i = 0 ; ( p = strchr ( options , ' , ' ) ) ; i + + ) {
b - > options [ i ] = talloc_strndup ( b , options , PTR_DIFF ( p , options ) ) ;
2003-12-15 03:29:55 +00:00
if ( ! b - > options [ i ] ) {
return NT_STATUS_NO_MEMORY ;
}
2004-10-18 11:43:26 +00:00
options = p + 1 ;
2003-12-15 03:29:55 +00:00
}
2004-10-18 11:43:26 +00:00
b - > options [ i ] = options ;
2003-12-15 03:29:55 +00:00
b - > options [ i + 1 ] = NULL ;
/* some options are pre-parsed for convenience */
for ( i = 0 ; b - > options [ i ] ; i + + ) {
2003-12-16 10:57:17 +00:00
for ( j = 0 ; j < ARRAY_SIZE ( ncacn_options ) ; j + + ) {
if ( strcasecmp ( ncacn_options [ j ] . name , b - > options [ i ] ) = = 0 ) {
2003-12-16 10:15:21 +00:00
int k ;
2003-12-16 10:57:17 +00:00
b - > flags | = ncacn_options [ j ] . flag ;
2003-12-16 10:15:21 +00:00
for ( k = i ; b - > options [ k ] ; k + + ) {
b - > options [ k ] = b - > options [ k + 1 ] ;
}
2003-12-19 04:26:26 +00:00
i - - ;
2003-12-15 03:29:55 +00:00
break ;
}
}
}
2004-10-24 22:46:47 +00:00
2004-10-25 10:21:41 +00:00
if ( b - > options [ 0 ] ) {
/* Endpoint is first option */
b - > endpoint = b - > options [ 0 ] ;
if ( strlen ( b - > endpoint ) = = 0 ) b - > endpoint = NULL ;
for ( i = 0 ; b - > options [ i ] ; i + + ) {
b - > options [ i ] = b - > options [ i + 1 ] ;
}
}
2004-10-24 22:46:47 +00:00
if ( b - > options [ 0 ] = = NULL )
b - > options = NULL ;
2003-12-15 03:29:55 +00:00
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
* b_out = b ;
2003-12-15 03:29:55 +00:00
return NT_STATUS_OK ;
}
2005-11-04 03:30:47 +00:00
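/**
 * Decode the left-hand side of a tower floor into a GUID and a 16-bit
 * version number.
 *
 * The floor's lhs_data blob is pulled with alignment disabled: first a GUID
 * into *uuid, then a uint16 into *if_version.  All scratch memory lives in a
 * private talloc context that is released before returning.
 *
 * @param epm_floor   floor whose lhs.lhs_data blob is decoded
 * @param uuid        receives the GUID
 * @param if_version  receives the version
 * @return the status of the last pull, or NT_STATUS_NO_MEMORY if the scratch
 *         context or the pull state cannot be allocated
 *
 * NOTE(review): the blob may originate from a peer's tower; the length checks
 * are left entirely to the ndr_pull_* helpers, which is not visible here.
 */
NTSTATUS dcerpc_floor_get_lhs_data(struct epm_floor *epm_floor, struct GUID *uuid, uint16_t *if_version)
{
	TALLOC_CTX *mem_ctx;
	struct ndr_pull *ndr;
	NTSTATUS status;

	mem_ctx = talloc_init("floor_get_lhs_data");
	NT_STATUS_HAVE_NO_MEMORY(mem_ctx);

	ndr = ndr_pull_init_blob(&epm_floor->lhs.lhs_data, mem_ctx);
	if (ndr == NULL) {
		/* the flags update below would otherwise dereference NULL */
		talloc_free(mem_ctx);
		return NT_STATUS_NO_MEMORY;
	}

	ndr->flags |= LIBNDR_FLAG_NOALIGN;

	status = ndr_pull_GUID(ndr, NDR_SCALARS | NDR_BUFFERS, uuid);
	if (NT_STATUS_IS_ERR(status)) {
		talloc_free(mem_ctx);
		return status;
	}

	status = ndr_pull_uint16(ndr, NDR_SCALARS, if_version);

	talloc_free(mem_ctx);

	return status;
}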
2005-05-15 20:16:26 +00:00
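/**
 * Encode a GUID followed by a 16-bit version as the left-hand side of a
 * tower floor.
 *
 * @param mem_ctx     talloc context the push state is allocated on
 * @param uuid        GUID to encode
 * @param if_version  version; only 16 bits are written, because the value is
 *                    pushed with ndr_push_uint16()
 * @return the encoded blob, or an empty blob if the push state cannot be
 *         allocated
 *
 * NOTE(review): the results of the two ndr_push_* calls are not checked, so a
 * failed push is only visible to the caller as a short or empty blob.
 */
static DATA_BLOB dcerpc_floor_pack_lhs_data(TALLOC_CTX *mem_ctx, struct GUID *uuid, uint32_t if_version)
{
	struct ndr_push *ndr = ndr_push_init_ctx(mem_ctx);

	if (ndr == NULL) {
		/* out of memory: return an empty blob instead of dereferencing NULL */
		return data_blob_talloc(mem_ctx, NULL, 0);
	}

	ndr->flags |= LIBNDR_FLAG_NOALIGN;

	ndr_push_GUID(ndr, NDR_SCALARS | NDR_BUFFERS, uuid);
	ndr_push_uint16(ndr, NDR_SCALARS, if_version);

	return ndr_push_blob(ndr);
}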
2005-11-04 03:30:47 +00:00
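/*
 * Duplicate a string-valued floor field onto mem_ctx.
 * A missing (NULL) or empty string yields NULL, so strlen() is never called
 * on a NULL pointer.
 */
static const char *floor_rhs_string(TALLOC_CTX *mem_ctx, const char *value)
{
	if (value == NULL || strlen(value) == 0) {
		return NULL;
	}
	return talloc_strdup(mem_ctx, value);
}

/**
 * Render the right-hand side of a tower floor as a string.
 *
 * @param mem_ctx    talloc context the result is allocated on
 * @param epm_floor  floor to read; lhs.protocol selects the rhs member
 * @return a talloc'ed string, or NULL when the floor carries no usable value:
 *         a zero TCP/UDP/HTTP port, an empty or missing SMB, pipe, NetBIOS or
 *         unix_ds string, a protocol with no textual rhs (NCACN, NCADG,
 *         NCALRPC, NULL), or an unsupported protocol
 *
 * NULL is also what the talloc calls return on allocation failure, so callers
 * cannot tell "no value" from "out of memory".
 *
 * NOTE(review): the strings are copied verbatim from the floor.  If the tower
 * was received from a remote endpoint mapper these are peer-chosen values and
 * should be validated before they are used as a host or endpoint - confirm
 * against the callers.
 */
const char *dcerpc_floor_get_rhs_data(TALLOC_CTX *mem_ctx, struct epm_floor *epm_floor)
{
	switch (epm_floor->lhs.protocol) {
	case EPM_PROTOCOL_TCP:
		if (epm_floor->rhs.tcp.port == 0) return NULL;
		return talloc_asprintf(mem_ctx, "%d", epm_floor->rhs.tcp.port);

	case EPM_PROTOCOL_UDP:
		if (epm_floor->rhs.udp.port == 0) return NULL;
		return talloc_asprintf(mem_ctx, "%d", epm_floor->rhs.udp.port);

	case EPM_PROTOCOL_HTTP:
		if (epm_floor->rhs.http.port == 0) return NULL;
		return talloc_asprintf(mem_ctx, "%d", epm_floor->rhs.http.port);

	case EPM_PROTOCOL_IP:
		return talloc_strdup(mem_ctx, epm_floor->rhs.ip.ipaddr);

	case EPM_PROTOCOL_NCACN:
		return NULL;

	case EPM_PROTOCOL_NCADG:
		return NULL;

	case EPM_PROTOCOL_SMB:
		return floor_rhs_string(mem_ctx, epm_floor->rhs.smb.unc);

	case EPM_PROTOCOL_PIPE:
		return floor_rhs_string(mem_ctx, epm_floor->rhs.pipe.path);

	case EPM_PROTOCOL_NETBIOS:
		return floor_rhs_string(mem_ctx, epm_floor->rhs.netbios.name);

	case EPM_PROTOCOL_NCALRPC:
		return NULL;

	case EPM_PROTOCOL_VINES_SPP:
		/* unlike TCP/UDP/HTTP, a zero port is still rendered here */
		return talloc_asprintf(mem_ctx, "%d", epm_floor->rhs.vines_spp.port);

	case EPM_PROTOCOL_VINES_IPC:
		return talloc_asprintf(mem_ctx, "%d", epm_floor->rhs.vines_ipc.port);

	case EPM_PROTOCOL_STREETTALK:
		return talloc_strdup(mem_ctx, epm_floor->rhs.streettalk.streettalk);

	case EPM_PROTOCOL_UNIX_DS:
		return floor_rhs_string(mem_ctx, epm_floor->rhs.unix_ds.path);

	case EPM_PROTOCOL_NULL:
		return NULL;

	default:
		DEBUG(0,("Unsupported lhs protocol %d\n", epm_floor->lhs.protocol));
		break;
	}

	return NULL;
}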
2005-11-04 03:30:47 +00:00
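/*
 * Parse a decimal port number for a tower floor.
 *
 * Returns 0 for a NULL, empty or non-numeric string (the value atoi() gave
 * for the latter two) and for anything outside 0..65535.  The range check
 * stops an oversized or negative number from silently wrapping into a
 * different, valid-looking 16-bit port.
 */
static uint16_t floor_port_from_string(const char *data)
{
	char *end = NULL;
	long port;

	if (data == NULL) {
		return 0;
	}

	port = strtol(data, &end, 10);
	if (end == data) {
		/* no digits at all, e.g. the "" used to initialise a floor */
		return 0;
	}

	/* strtol() saturates on overflow, so this also covers that case */
	if (port < 0 || port > 65535) {
		DEBUG(1,("Ignoring out-of-range port '%s' in tower floor\n", data));
		return 0;
	}

	return (uint16_t)port;
}

/**
 * Fill in the right-hand side of a tower floor from its string form.
 *
 * @param mem_ctx    talloc context for string-valued members
 * @param epm_floor  floor to update; lhs.protocol selects the rhs member
 * @param data       port number, address, path or name, depending on the
 *                   protocol; ignored for NCACN, NCADG, NCALRPC and NULL
 * @return NT_STATUS_OK on success, NT_STATUS_NO_MEMORY if a string copy
 *         fails (which includes a NULL data pointer for the string-valued
 *         protocols), NT_STATUS_NOT_SUPPORTED for an unknown protocol
 *
 * Port strings that do not parse, or fall outside 0..65535, are stored as 0.
 * String values are copied without further validation.
 */
static NTSTATUS dcerpc_floor_set_rhs_data(TALLOC_CTX *mem_ctx, struct epm_floor *epm_floor, const char *data)
{
	switch (epm_floor->lhs.protocol) {
	case EPM_PROTOCOL_TCP:
		epm_floor->rhs.tcp.port = floor_port_from_string(data);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_UDP:
		epm_floor->rhs.udp.port = floor_port_from_string(data);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_HTTP:
		epm_floor->rhs.http.port = floor_port_from_string(data);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_IP:
		epm_floor->rhs.ip.ipaddr = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.ip.ipaddr);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_NCACN:
		epm_floor->rhs.ncacn.minor_version = 0;
		return NT_STATUS_OK;

	case EPM_PROTOCOL_NCADG:
		epm_floor->rhs.ncadg.minor_version = 0;
		return NT_STATUS_OK;

	case EPM_PROTOCOL_SMB:
		epm_floor->rhs.smb.unc = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.smb.unc);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_PIPE:
		epm_floor->rhs.pipe.path = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.pipe.path);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_NETBIOS:
		epm_floor->rhs.netbios.name = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.netbios.name);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_NCALRPC:
		return NT_STATUS_OK;

	case EPM_PROTOCOL_VINES_SPP:
		epm_floor->rhs.vines_spp.port = floor_port_from_string(data);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_VINES_IPC:
		epm_floor->rhs.vines_ipc.port = floor_port_from_string(data);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_STREETTALK:
		epm_floor->rhs.streettalk.streettalk = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.streettalk.streettalk);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_UNIX_DS:
		epm_floor->rhs.unix_ds.path = talloc_strdup(mem_ctx, data);
		NT_STATUS_HAVE_NO_MEMORY(epm_floor->rhs.unix_ds.path);
		return NT_STATUS_OK;

	case EPM_PROTOCOL_NULL:
		return NT_STATUS_OK;

	default:
		DEBUG(0,("Unsupported lhs protocol %d\n", epm_floor->lhs.protocol));
		break;
	}

	return NT_STATUS_NOT_SUPPORTED;
}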
2004-11-07 19:28:18 +00:00
/**
 * Look up the transport whose second protocol-sequence entry is 'prot'.
 *
 * protseq[1] is what ends up in the 4th tower floor (index 3), because the
 * first two floors of a tower are taken by the UUID floors.
 *
 * @param prot  protocol identifier to look for
 * @return the matching transport, or -1 when no entry of the transports
 *         table has at least two protocols with 'prot' in second place
 */
enum dcerpc_transport_t dcerpc_transport_by_endpoint_protocol(int prot)
{
	int idx = 0;

	while (idx < ARRAY_SIZE(transports)) {
		/* skip entries that are too short or carry a different protocol */
		if (transports[idx].num_protocols < 2 ||
		    transports[idx].protseq[1] != prot) {
			idx++;
			continue;
		}
		return transports[idx].transport;
	}

	/* Unknown transport */
	return -1;
}
2004-10-24 13:00:51 +00:00
/**
 * Identify the transport described by a tower.
 *
 * A transport matches when its protocol sequence has exactly num_floors - 2
 * entries and each entry equals the lhs protocol of the corresponding floor,
 * starting at floor index 2.
 *
 * @param tower  tower to classify
 * @return the matching transport, or -1 if no entry of the transports table
 *         fits
 *
 * NOTE(review): the highest floor read is index num_floors - 1, so this
 * relies on tower->floors really holding num_floors entries - presumably
 * guaranteed by whatever decoded the tower; confirm.
 */
enum dcerpc_transport_t dcerpc_transport_by_tower(struct epm_tower *tower)
{
	int t;

	for (t = 0; t < ARRAY_SIZE(transports); t++) {
		int f = 0;

		/* only sequences of the right length are compared floor by floor */
		if (transports[t].num_protocols == tower->num_floors - 2) {
			while (f < transports[t].num_protocols &&
			       transports[t].protseq[f] == tower->floors[f + 2].lhs.protocol) {
				f++;
			}

			/* every protocol of the sequence matched */
			if (f == transports[t].num_protocols) {
				return transports[t].transport;
			}
		}
	}

	/* Unknown transport */
	return -1;
}
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
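/**
 * Build a dcerpc_binding from an endpoint-mapper tower.
 *
 * @param mem_ctx  talloc context the binding and its strings are allocated on
 * @param tower    tower to convert
 * @param b_out    receives the new binding on success
 * @return NT_STATUS_OK on success, NT_STATUS_NO_MEMORY if the binding cannot
 *         be allocated, NT_STATUS_NOT_SUPPORTED if the tower matches no known
 *         transport, or the error from decoding floor 0
 *
 * The binding is zero-initialised, so members this function does not set
 * (authservice, for instance) are NULL/0 rather than indeterminate, and it
 * is released again on every error path.
 *
 * NOTE(review): endpoint and host are copied out of the tower as-is.  If the
 * tower came from a remote endpoint mapper they are peer-supplied and the
 * caller decides whether to trust them - confirm against the callers.  A NULL
 * endpoint or host can also mean the string copy ran out of memory.
 */
NTSTATUS dcerpc_binding_from_tower(TALLOC_CTX *mem_ctx, struct epm_tower *tower, struct dcerpc_binding **b_out)
{
	NTSTATUS status;
	struct dcerpc_binding *binding;

	/* zeroed: object, options, host, endpoint and flags all start out empty */
	binding = talloc_zero(mem_ctx, struct dcerpc_binding);
	NT_STATUS_HAVE_NO_MEMORY(binding);

	binding->transport = dcerpc_transport_by_tower(tower);

	if (binding->transport == -1) {
		talloc_free(binding);
		return NT_STATUS_NOT_SUPPORTED;
	}

	if (tower->num_floors < 1) {
		/* never report success without handing the binding back */
		*b_out = binding;
		return NT_STATUS_OK;
	}

	/* Set object uuid */
	status = dcerpc_floor_get_lhs_data(&tower->floors[0], &binding->object, &binding->object_version);

	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("Error pulling object uuid and version: %s", nt_errstr(status)));
		talloc_free(binding);
		return status;
	}

	/* Ignore floor 1, it contains the NDR version info */

	/* Set endpoint */
	if (tower->num_floors >= 4) {
		binding->endpoint = dcerpc_floor_get_rhs_data(mem_ctx, &tower->floors[3]);
	}

	/* Set network address */
	if (tower->num_floors >= 5) {
		binding->host = dcerpc_floor_get_rhs_data(mem_ctx, &tower->floors[4]);
	}

	*b_out = binding;
	return NT_STATUS_OK;
}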
2004-10-21 19:54:38 +00:00
2004-10-22 10:52:57 +00:00
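/**
 * Build an endpoint-mapper tower from a binding.
 *
 * Floor 0 carries the binding's object UUID and version, floor 1 the NDR
 * transfer syntax, and the remaining floors the transport's protocol
 * sequence.  The 4th floor receives the endpoint and the 5th the network
 * address, when the sequence is long enough and the binding has them.
 *
 * @param mem_ctx  talloc context for the floors and their data
 * @param binding  binding to describe
 * @param tower    tower to fill in; num_floors and floors are overwritten
 * @return NT_STATUS_OK on success, NT_STATUS_UNSUCCESSFUL for an unknown
 *         transport, NT_STATUS_NO_MEMORY if the floors or their blobs cannot
 *         be allocated, or the error from GUID_from_string() or from setting
 *         the endpoint/address
 */
NTSTATUS dcerpc_binding_build_tower(TALLOC_CTX *mem_ctx, struct dcerpc_binding *binding, struct epm_tower *tower)
{
	const enum epm_protocol *protseq = NULL;
	int num_protocols = -1, i;
	struct GUID ndr_guid;
	NTSTATUS status;

	/* Find transport */
	for (i = 0; i < ARRAY_SIZE(transports); i++) {
		if (transports[i].transport == binding->transport) {
			protseq = transports[i].protseq;
			num_protocols = transports[i].num_protocols;
			break;
		}
	}

	if (num_protocols == -1) {
		DEBUG(0, ("Unable to find transport with id '%d'\n", binding->transport));
		return NT_STATUS_UNSUCCESSFUL;
	}

	tower->num_floors = 2 + num_protocols;
	tower->floors = talloc_array(mem_ctx, struct epm_floor, tower->num_floors);
	/* every floor below is written through this pointer */
	NT_STATUS_HAVE_NO_MEMORY(tower->floors);

	/* Floor 0 */
	tower->floors[0].lhs.protocol = EPM_PROTOCOL_UUID;

	tower->floors[0].lhs.lhs_data = dcerpc_floor_pack_lhs_data(mem_ctx, &binding->object, binding->object_version);
	NT_STATUS_HAVE_NO_MEMORY(tower->floors[0].lhs.lhs_data.data);

	tower->floors[0].rhs.uuid.unknown = data_blob_talloc_zero(mem_ctx, 2);
	NT_STATUS_HAVE_NO_MEMORY(tower->floors[0].rhs.uuid.unknown.data);

	/* Floor 1 */
	tower->floors[1].lhs.protocol = EPM_PROTOCOL_UUID;

	status = GUID_from_string(NDR_GUID, &ndr_guid);
	if (NT_STATUS_IS_ERR(status)) {
		return status;
	}

	tower->floors[1].lhs.lhs_data = dcerpc_floor_pack_lhs_data(mem_ctx, &ndr_guid, NDR_GUID_VERSION);
	NT_STATUS_HAVE_NO_MEMORY(tower->floors[1].lhs.lhs_data.data);

	tower->floors[1].rhs.uuid.unknown = data_blob_talloc_zero(mem_ctx, 2);
	NT_STATUS_HAVE_NO_MEMORY(tower->floors[1].rhs.uuid.unknown.data);

	/* Floor 2 to num_protocols */
	for (i = 0; i < num_protocols; i++) {
		tower->floors[2 + i].lhs.protocol = protseq[i];
		tower->floors[2 + i].lhs.lhs_data = data_blob_talloc(mem_ctx, NULL, 0);
		ZERO_STRUCT(tower->floors[2 + i].rhs);
		/* default (empty) value only; the status is deliberately not
		   checked here, the floors that matter are set again below */
		dcerpc_floor_set_rhs_data(mem_ctx, &tower->floors[2 + i], "");
	}

	/* The 4th floor contains the endpoint */
	if (num_protocols >= 2 && binding->endpoint) {
		status = dcerpc_floor_set_rhs_data(mem_ctx, &tower->floors[3], binding->endpoint);
		if (NT_STATUS_IS_ERR(status)) {
			return status;
		}
	}

	/* The 5th contains the network address */
	if (num_protocols >= 3 && binding->host) {
		if (is_ipaddress(binding->host)) {
			status = dcerpc_floor_set_rhs_data(mem_ctx, &tower->floors[4],
							   binding->host);
		} else {
			/* note that we don't attempt to resolve the
			   name here - when we get a hostname here we
			   are in the client code, and want to put in
			   a wildcard all-zeros IP for the server to
			   fill in */
			status = dcerpc_floor_set_rhs_data(mem_ctx, &tower->floors[4],
							   "0.0.0.0");
		}
		if (NT_STATUS_IS_ERR(status)) {
			return status;
		}
	}

	return NT_STATUS_OK;
}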
2004-10-24 23:12:13 +00:00
NTSTATUS dcerpc_epm_map_binding ( TALLOC_CTX * mem_ctx , struct dcerpc_binding * binding ,
2005-12-27 14:28:01 +00:00
const struct dcerpc_interface_table * table , struct event_context * ev )
2004-10-24 22:46:47 +00:00
{
struct dcerpc_pipe * p ;
NTSTATUS status ;
struct epm_Map r ;
struct policy_handle handle ;
struct GUID guid ;
struct epm_twr_t twr , * twr_r ;
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
struct dcerpc_binding * epmapper_binding ;
2004-11-04 01:25:56 +00:00
int i ;
2005-03-22 08:00:45 +00:00
struct cli_credentials * anon_creds
= cli_credentials_init ( mem_ctx ) ;
2005-04-10 10:13:57 +00:00
cli_credentials_set_conf ( anon_creds ) ;
2005-03-22 08:00:45 +00:00
cli_credentials_set_anonymous ( anon_creds ) ;
2004-11-04 01:25:56 +00:00
/* First, check if there is a default endpoint specified in the IDL */
2004-10-24 22:46:47 +00:00
2004-11-04 01:25:56 +00:00
if ( table ) {
r5902: A rather large change...
I wanted to add a simple 'workstation' argument to the DCERPC
authenticated binding calls, but this patch kind of grew from there.
With SCHANNEL, the 'workstation' name (the netbios name of the client)
matters, as this is what ties the session between the NETLOGON ops and
the SCHANNEL bind. This changes a lot of files, and these will again
be changed when jelmer does the credentials work.
I also correct some schannel IDL to distinguish between workstation
names and account names. The distinction matters for domain trust
accounts.
Issues in handling this (issues with lifetime of talloc pointers)
caused me to change the 'creds_CredentialsState' and 'struct
dcerpc_binding' pointers to always be talloc()ed pointers.
In the schannel DB, we now store both the domain and computername, and
query on both. This should ensure we fault correctly when the domain
is specified incorrectly in the SCHANNEL bind.
In the RPC-SCHANNEL test, I finally fixed a bug that vl pointed out,
where the comment claimed we re-used a connection, but in fact we made
a new connection.
This was achieved by breaking apart some of the
dcerpc_secondary_connection() logic.
The addition of workstation handling was also propagated to NTLMSSP
and GENSEC, for completeness.
The RPC-SAMSYNC test has been cleaned up a little, using a loop over
usernames/passwords rather than manually expanded tests. This will be
expanded further (the code in #if 0 in this patch) to use a newly
created user account for testing.
In making this test pass test_rpc.sh, I found a bug in the RPC-ECHO
server, caused by the removal of [ref] and the associated pointer from
the IDL. This has been re-added, until the underlying pidl issues are
solved.
(This used to be commit 824289dcc20908ddec957a4a892a103eec2da9b9)
2005-03-19 08:34:43 +00:00
struct dcerpc_binding * default_binding ;
binding - > authservice = talloc_strdup ( binding , table - > authservices - > names [ 0 ] ) ;
2005-03-01 16:08:36 +00:00
2004-11-04 01:25:56 +00:00
/* Find one of the default pipes for this interface */
for ( i = 0 ; i < table - > endpoints - > count ; i + + ) {
status = dcerpc_parse_binding ( mem_ctx , table - > endpoints - > names [ i ] , & default_binding ) ;
if ( NT_STATUS_IS_OK ( status ) ) {
if ( default_binding - > transport = = binding - > transport & & default_binding - > endpoint ) {
binding - > endpoint = talloc_reference ( binding , default_binding - > endpoint ) ;
talloc_free ( default_binding ) ;
return NT_STATUS_OK ;
} else {
talloc_free ( default_binding ) ;
}
2004-11-04 01:25:56 +00:00
}
2004-10-24 22:46:47 +00:00
}
}
epmapper_binding = talloc_zero ( mem_ctx , struct dcerpc_binding ) ;
if ( ! epmapper_binding ) {
return NT_STATUS_NO_MEMORY ;
}
epmapper_binding - > transport = binding - > transport ;
epmapper_binding - > host = talloc_reference ( epmapper_binding ,
binding - > host ) ;
epmapper_binding - > options = NULL ;
epmapper_binding - > flags = 0 ;
epmapper_binding - > endpoint = NULL ;
epmapper_binding - > authservice = NULL ;
2004-10-24 22:46:47 +00:00
2005-03-22 08:00:45 +00:00
status = dcerpc_pipe_connect_b ( mem_ctx ,
& p ,
epmapper_binding ,
2005-12-27 14:28:01 +00:00
& dcerpc_table_epmapper ,
2005-06-16 11:36:09 +00:00
anon_creds , ev ) ;
2004-10-24 22:46:47 +00:00
if ( ! NT_STATUS_IS_OK ( status ) ) {
return status ;
}
ZERO_STRUCT ( handle ) ;
ZERO_STRUCT ( guid ) ;
2005-12-27 14:28:01 +00:00
status = GUID_from_string ( table - > uuid , & binding - > object ) ;
2004-10-24 22:46:47 +00:00
if ( NT_STATUS_IS_ERR ( status ) ) {
return status ;
}
2005-12-27 14:28:01 +00:00
binding - > object_version = table - > if_version ;
2004-10-24 22:46:47 +00:00
status = dcerpc_binding_build_tower ( p , binding , & twr . tower ) ;
if ( NT_STATUS_IS_ERR ( status ) ) {
return status ;
}
/* with some nice pretty paper around it of course */
r . in . object = & guid ;
r . in . map_tower = & twr ;
r . in . entry_handle = & handle ;
r . in . max_towers = 1 ;
r . out . entry_handle = & handle ;
status = dcerpc_epm_Map ( p , p , & r ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
2005-03-22 08:00:45 +00:00
talloc_free ( p ) ;
2004-10-24 22:46:47 +00:00
return status ;
}
if ( r . out . result ! = 0 | | r . out . num_towers ! = 1 ) {
2005-03-22 08:00:45 +00:00
talloc_free ( p ) ;
2004-10-24 22:46:47 +00:00
return NT_STATUS_PORT_UNREACHABLE ;
}
twr_r = r . out . towers [ 0 ] . twr ;
if ( ! twr_r ) {
2005-03-22 08:00:45 +00:00
talloc_free ( p ) ;
2004-10-24 22:46:47 +00:00
return NT_STATUS_PORT_UNREACHABLE ;
}
if ( twr_r - > tower . num_floors ! = twr . tower . num_floors | |
twr_r - > tower . floors [ 3 ] . lhs . protocol ! = twr . tower . floors [ 3 ] . lhs . protocol ) {
2005-03-22 08:00:45 +00:00
talloc_free ( p ) ;
2004-10-24 22:46:47 +00:00
return NT_STATUS_PORT_UNREACHABLE ;
}
binding - > endpoint = talloc_reference ( binding , dcerpc_floor_get_rhs_data ( mem_ctx , & twr_r - > tower . floors [ 3 ] ) ) ;
2004-10-24 22:46:47 +00:00
2005-03-22 08:00:45 +00:00
talloc_free ( p ) ;
2004-10-24 22:46:47 +00:00
return NT_STATUS_OK ;
}
2003-12-15 03:29:55 +00:00
2005-01-10 07:14:12 +00:00
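/*
  perform an authenticated bind if needed

  The bind path is chosen from the credentials and the binding flags:

   - credentials not anonymous, DCERPC_SCHANNEL requested and no
     netlogon credentials available yet: dcerpc_bind_auth_schannel()
   - credentials not anonymous, and the connection is not an unsigned,
     unsealed NCACN_NP one: dcerpc_bind_auth() with an auth type
     derived from the binding flags
   - everything else: dcerpc_bind_auth_none()

  Things a caller should be aware of:

   - anonymous credentials always end in dcerpc_bind_auth_none(), even
     when DCERPC_SIGN or DCERPC_SEAL is set in binding->flags; nothing
     in this function rejects that combination
   - the second path is skipped for NCACN_NP without DCERPC_SIGN and
     DCERPC_SEAL, so in that case the function relies on the already
     authenticated CIFS connection rather than on a DCE-RPC level
     authentication

  p           - pipe to bind; p->conn->flags and p->conn->binding_string
                are overwritten from the binding
  binding     - binding describing transport, flags and auth service
  table       - interface table of the interface to bind to
  credentials - credentials used to decide on and perform the bind

  Returns the status of the selected bind call, or NT_STATUS_NO_MEMORY
  if the temporary talloc context cannot be allocated.
*/
NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
			  struct dcerpc_binding *binding,
			  const struct dcerpc_interface_table *table,
			  struct cli_credentials *credentials)
{
	NTSTATUS status;
	TALLOC_CTX *tmp_ctx;

	tmp_ctx = talloc_new(p);
	if (tmp_ctx == NULL) {
		/* fail before touching p->conn rather than hand a NULL
		 * context to the schannel bind */
		return NT_STATUS_NO_MEMORY;
	}

	p->conn->flags = binding->flags;

	/* remember the binding string for possible secondary connections */
	/* NOTE(review): the result is stored unchecked; whether later users
	 * cope with a NULL binding_string is not visible here - confirm */
	p->conn->binding_string = dcerpc_binding_string(p, binding);

	if (!cli_credentials_is_anonymous(credentials) &&
	    (binding->flags & DCERPC_SCHANNEL) &&
	    !cli_credentials_get_netlogon_creds(credentials)) {
		/* If we don't already have netlogon credentials for
		 * the schannel bind, then we have to get these
		 * first */
		status = dcerpc_bind_auth_schannel(tmp_ctx, p, table, credentials);
	} else if (!cli_credentials_is_anonymous(credentials) &&
		   !(binding->transport == NCACN_NP &&
		     !(binding->flags & DCERPC_SIGN) &&
		     !(binding->flags & DCERPC_SEAL))) {
		/* Perform an authenticated DCE-RPC bind, except where
		 * we ask for a connection on NCACN_NP, and that
		 * connection is not signed or sealed.  For that case
		 * we rely on the already authenticated CIFS connection
		 */
		uint8_t auth_type;

		if ((p->conn->flags & (DCERPC_SIGN | DCERPC_SEAL)) == 0) {
			/*
			  we are doing an authenticated connection,
			  but not using sign or seal. We must force
			  the CONNECT dcerpc auth type as a NONE auth
			  type doesn't allow authentication
			  information to be passed.
			*/
			p->conn->flags |= DCERPC_CONNECT;
		}

		/* the order below is the precedence when several auth
		 * flags are set; NTLMSSP is the fallback when none is */
		if (binding->flags & DCERPC_AUTH_SPNEGO) {
			auth_type = DCERPC_AUTH_TYPE_SPNEGO;
		} else if (binding->flags & DCERPC_AUTH_KRB5) {
			auth_type = DCERPC_AUTH_TYPE_KRB5;
		} else if (binding->flags & DCERPC_SCHANNEL) {
			auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
		} else {
			auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
		}

		status = dcerpc_bind_auth(p, table,
					  credentials, auth_type,
					  binding->authservice);
	} else {
		status = dcerpc_bind_auth_none(p, table);
	}

	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("Failed to bind to uuid %s - %s\n", table->uuid, nt_errstr(status)));
	}
	talloc_free(tmp_ctx);
	return status;
}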
2005-11-25 05:25:37 +00:00
/* open a rpc connection to a rpc pipe on SMB using the binding
   structure to determine the endpoint and options

   The binding flags select the SMB dialect: with DCERPC_SMB2 set the
   connection is handed to dcerpc_pipe_connect_ncacn_np_smb2(),
   otherwise to dcerpc_pipe_connect_ncacn_np_smb().  The status of the
   chosen helper is returned unchanged. */
static NTSTATUS dcerpc_pipe_connect_ncacn_np(TALLOC_CTX *tmp_ctx,
					     struct dcerpc_pipe_connect *io)
{
	const int want_smb2 = (io->binding->flags & DCERPC_SMB2) != 0;

	return want_smb2
		? dcerpc_pipe_connect_ncacn_np_smb2(tmp_ctx, io)
		: dcerpc_pipe_connect_ncacn_np_smb(tmp_ctx, io);
}
2005-12-09 00:04:38 +00:00
2004-10-24 14:57:16 +00:00
/* open a rpc connection to a rpc pipe over ncalrpc, using the binding
   structure to determine the endpoint

   Opens binding->endpoint on p->conn with dcerpc_pipe_open_pipe() and
   returns its status, logging at debug level 0 on failure.  tmp_ctx
   and table are not used here.

   NOTE(review): binding->endpoint is passed on and logged without a
   NULL check, unlike the unix stream variant - confirm the caller
   guarantees it is set. */
static NTSTATUS dcerpc_pipe_connect_ncalrpc(TALLOC_CTX *tmp_ctx,
					    struct dcerpc_pipe *p,
					    struct dcerpc_binding *binding,
					    const struct dcerpc_interface_table *table)
{
	NTSTATUS status = dcerpc_pipe_open_pipe(p->conn, binding->endpoint);

	if (NT_STATUS_IS_OK(status)) {
		return status;
	}

	DEBUG(0,("Failed to open ncalrpc pipe '%s' - %s\n",
		 binding->endpoint, nt_errstr(status)));
	return status;
}
/* open a rpc connection to a rpc pipe over a unix stream socket, using
   the binding structure to determine the socket path

   Returns NT_STATUS_INVALID_PARAMETER when the binding carries no
   endpoint, otherwise the status of dcerpc_pipe_open_unix_stream().
   tmp_ctx and table are not used here.

   NOTE(review): on a failed open this helper frees p, which the
   ncalrpc and ncacn_ip_tcp helpers do not.  If the caller also
   releases the pipe on error that is a double free - check the error
   path of the caller before relying on either behaviour. */
static NTSTATUS dcerpc_pipe_connect_ncacn_unix_stream(TALLOC_CTX *tmp_ctx,
						      struct dcerpc_pipe *p,
						      struct dcerpc_binding *binding,
						      const struct dcerpc_interface_table *table)
{
	NTSTATUS status;

	if (binding->endpoint == NULL) {
		DEBUG(0, ("Path to unix socket not specified\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	status = dcerpc_pipe_open_unix_stream(p->conn, binding->endpoint);
	if (NT_STATUS_IS_OK(status)) {
		return status;
	}

	DEBUG(0, ("Failed to open unix socket %s - %s\n",
		  binding->endpoint, nt_errstr(status)));
	talloc_free(p);
	return status;
}
2003-12-15 03:29:55 +00:00
2005-03-22 08:00:45 +00:00
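/* open a rpc connection to a rpc pipe on TCP/IP sockets using the binding
   structure to determine the endpoint and options

   binding->endpoint is the TCP port as a decimal string.  It can come
   from a binding string or from an endpoint mapper reply, so it is
   validated here rather than trusted: a missing endpoint, a
   non-numeric or partly numeric string, or a value outside 1..65535
   is rejected with NT_STATUS_INVALID_PARAMETER before any connection
   is attempted.  (The previous atoi() call was undefined on a NULL
   endpoint and turned garbage into port 0.)

   Otherwise returns the status of dcerpc_pipe_open_tcp().  tmp_ctx and
   table are not used here. */
static NTSTATUS dcerpc_pipe_connect_ncacn_ip_tcp(TALLOC_CTX *tmp_ctx,
						 struct dcerpc_pipe *p,
						 struct dcerpc_binding *binding,
						 const struct dcerpc_interface_table *table)
{
	NTSTATUS status;
	uint32_t port = 0;
	unsigned long parsed;
	char *end = NULL;

	if (binding->endpoint == NULL || binding->endpoint[0] == '\0') {
		DEBUG(0, ("TCP port not specified\n"));
		return NT_STATUS_INVALID_PARAMETER;
	}

	/* strtoul() reports overflow as ULONG_MAX and wraps negative
	 * input to a large value; both fail the range check below */
	parsed = strtoul(binding->endpoint, &end, 10);
	if (end == binding->endpoint || *end != '\0' ||
	    parsed == 0 || parsed > 65535) {
		DEBUG(0, ("Invalid TCP port '%s'\n", binding->endpoint));
		return NT_STATUS_INVALID_PARAMETER;
	}
	port = (uint32_t)parsed;

	status = dcerpc_pipe_open_tcp(p->conn, binding->host, port);
	if (!NT_STATUS_IS_OK(status)) {
		/* port is at most 65535 here, so the cast matches %d */
		DEBUG(0,("Failed to connect to %s:%d - %s\n",
			 binding->host, (int)port, nt_errstr(status)));
	}

	return status;
}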
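/*
  Open an RPC connection to an RPC pipe, using the specified binding
  structure to determine the endpoint and options.

  A new pipe is created as a talloc child of parent_ctx. If the binding has
  no endpoint and the transport is NCACN_NP, NCACN_IP_TCP or NCALRPC, the
  endpoint is looked up with dcerpc_epm_map_binding() first. The pipe is then
  connected over the transport named in the binding and authenticated with
  dcerpc_pipe_auth().

  *pp is set to NULL on entry and only receives the pipe once both the
  connect and the authentication step have succeeded, so a caller never gets
  a pipe that failed authentication. On every failure path the pipe (and the
  temporary context hanging off it) is freed before returning.

  Returns NT_STATUS_NO_MEMORY on allocation failure,
  NT_STATUS_NOT_SUPPORTED for an unknown transport, or the status of the
  failing step.
*/
NTSTATUS dcerpc_pipe_connect_b(TALLOC_CTX *parent_ctx,
			       struct dcerpc_pipe **pp,
			       struct dcerpc_binding *binding,
			       const struct dcerpc_interface_table *table,
			       struct cli_credentials *credentials,
			       struct event_context *ev)
{
	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
	struct dcerpc_pipe *p;
	struct dcerpc_pipe_connect pc;
	TALLOC_CTX *tmp_ctx;

	(*pp) = NULL;

	p = dcerpc_pipe_init(parent_ctx, ev);
	if (p == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	/* tmp_ctx is a child of p, so talloc_free(p) releases it as well */
	tmp_ctx = talloc_named(p, 0, "dcerpc_pipe_connect_b tmp_ctx");
	if (tmp_ctx == NULL) {
		talloc_free(p);
		return NT_STATUS_NO_MEMORY;
	}

	switch (binding->transport) {
	case NCACN_NP:
	case NCACN_IP_TCP:
	case NCALRPC:
		if (!binding->endpoint) {
			status = dcerpc_epm_map_binding(tmp_ctx, binding, table,
							p->conn->event_ctx);
			if (!NT_STATUS_IS_OK(status)) {
				DEBUG(0, ("Failed to map DCERPC endpoint for '%s' - %s\n",
					  table->uuid, nt_errstr(status)));
				/* do not leak the half-built pipe on parent_ctx */
				talloc_free(p);
				return status;
			}
			DEBUG(2, ("Mapped to DCERPC endpoint %s\n", binding->endpoint));
		}
		break;

	default:
		/* other transports are handled (or rejected) by the switch below */
		break;
	}

	pc.pipe = p;
	pc.binding = binding;
	pc.interface = table;
	pc.creds = credentials;

	switch (binding->transport) {
	case NCACN_NP:
		status = dcerpc_pipe_connect_ncacn_np(tmp_ctx, &pc);
		break;

	case NCACN_IP_TCP:
		status = dcerpc_pipe_connect_ncacn_ip_tcp(tmp_ctx,
							  p, binding, table);
		break;

	case NCACN_UNIX_STREAM:
		status = dcerpc_pipe_connect_ncacn_unix_stream(tmp_ctx,
							       p, binding, table);
		break;

	case NCALRPC:
		status = dcerpc_pipe_connect_ncalrpc(tmp_ctx,
						     p, binding, table);
		break;

	default:
		/* fall into the common failure path so that p is freed */
		status = NT_STATUS_NOT_SUPPORTED;
		break;
	}

	if (!NT_STATUS_IS_OK(status)) {
		talloc_free(p);
		return status;
	}

	status = dcerpc_pipe_auth(p, binding, table, credentials);
	if (!NT_STATUS_IS_OK(status)) {
		talloc_free(p);
		return status;
	}

	*pp = p;
	talloc_free(tmp_ctx);

	return status;
}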
/*
  Open an RPC connection to an RPC pipe, using a string binding to
  determine the endpoint and options.

  The string is parsed with dcerpc_parse_binding() into a temporary context
  and the result is passed to dcerpc_pipe_connect_b(). On success the new
  pipe is moved from the temporary context onto parent_ctx before the
  temporary context is freed.

  Returns NT_STATUS_NO_MEMORY if the temporary context cannot be allocated,
  otherwise the status of the parse or connect step.
*/
NTSTATUS dcerpc_pipe_connect(TALLOC_CTX *parent_ctx,
			     struct dcerpc_pipe **pp,
			     const char *binding,
			     const struct dcerpc_interface_table *table,
			     struct cli_credentials *credentials,
			     struct event_context *ev)
{
	TALLOC_CTX *scratch = talloc_named(parent_ctx, 0, "dcerpc_pipe_connect tmp_ctx");
	struct dcerpc_binding *parsed;
	NTSTATUS result;

	if (scratch == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	result = dcerpc_parse_binding(scratch, binding, &parsed);
	if (NT_STATUS_IS_OK(result)) {
		DEBUG(3, ("Using binding %s\n", dcerpc_binding_string(scratch, parsed)));

		result = dcerpc_pipe_connect_b(scratch, pp, parsed, table, credentials, ev);
		if (NT_STATUS_IS_OK(result)) {
			/* the pipe must outlive scratch, so reparent it first */
			*pp = talloc_steal(parent_ctx, *pp);
		}
	} else {
		DEBUG(0, ("Failed to parse dcerpc binding '%s'\n", binding));
	}

	talloc_free(scratch);
	return result;
}
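/*
  Create a secondary dcerpc connection from a primary connection.

  If the primary is a SMB connection then the secondary connection
  will be on the same SMB connection, but use a new fnum.

  The new pipe is a talloc child of p and copies the primary connection's
  flags. *p2 receives the pipe only on success; on every failure path the
  pipe is freed and *p2 is left NULL, so the caller never sees a dangling or
  half-opened pipe.

  For NCACN_IP_TCP, b->endpoint must be a complete decimal port number in
  the range 1-65535; anything else is rejected instead of being fed to
  atoi().

  Returns NT_STATUS_NO_MEMORY on allocation failure,
  NT_STATUS_INVALID_PARAMETER if the SMB tree or the TCP port is not usable,
  NT_STATUS_NOT_SUPPORTED for other transports, or the status of the
  transport open call.
*/
NTSTATUS dcerpc_secondary_connection(struct dcerpc_pipe *p, struct dcerpc_pipe **p2,
				     struct dcerpc_binding *b)
{
	struct smbcli_tree *tree;
	struct dcerpc_pipe *sec;
	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
	unsigned long port;
	char *end = NULL;

	(*p2) = NULL;

	sec = dcerpc_pipe_init(p, p->conn->event_ctx);
	if (sec == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	switch (p->conn->transport.transport) {
	case NCACN_NP:
		tree = dcerpc_smb_tree(p->conn);
		if (tree != NULL) {
			status = dcerpc_pipe_open_smb(sec->conn, tree, b->endpoint);
		}
		/* with no tree, status keeps its NT_STATUS_INVALID_PARAMETER default */
		break;

	case NCACN_IP_TCP:
		if (b->endpoint == NULL) {
			break;
		}
		/* strtoul reports overflow as ULONG_MAX, which the range check rejects */
		port = strtoul(b->endpoint, &end, 10);
		if (end == b->endpoint || *end != '\0' ||
		    port == 0 || port > 65535) {
			break;
		}
		status = dcerpc_pipe_open_tcp(sec->conn, b->host, (uint32_t)port);
		break;

	case NCALRPC:
		status = dcerpc_pipe_open_pipe(sec->conn, b->endpoint);
		break;

	default:
		status = NT_STATUS_NOT_SUPPORTED;
		break;
	}

	if (!NT_STATUS_IS_OK(status)) {
		/* single exit for all failures so the new pipe is never leaked */
		talloc_free(sec);
		return status;
	}

	sec->conn->flags = p->conn->flags;
	*p2 = sec;

	return NT_STATUS_OK;
}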
/*
  Supply the generic (default) DCERPC session key.

  The key is a 16-byte constant compiled into the library. The connection
  argument is not consulted, so every caller receives the same value. It
  therefore provides no secrecy by itself: anything protected only with this
  key is protected with a value that is visible in the source.

  session_key->data points at a string literal (presumably with const cast
  away by discard_const_p), so callers must not modify or free it.

  Always returns NT_STATUS_OK.
*/
NTSTATUS dcerpc_generic_session_key(struct dcerpc_connection *c,
				    DATA_BLOB *session_key)
{
	enum { GENERIC_SESSION_KEY_LEN = 16 };

	session_key->length = GENERIC_SESSION_KEY_LEN;
	/* this took quite a few CPU cycles to find ... */
	session_key->data = discard_const_p(unsigned char, "SystemLibraryDTC");

	return NT_STATUS_OK;
}
/*
  Fetch the user session key for a pipe.

  This dispatches to the session_key callback stored in the connection's
  security state, so the result may be the generic default key or the SMB
  session key, depending on which callback is installed.

  Returns whatever the callback returns.
*/
NTSTATUS dcerpc_fetch_session_key(struct dcerpc_pipe *p,
				  DATA_BLOB *session_key)
{
	struct dcerpc_connection *conn = p->conn;

	return conn->security_state.session_key(conn, session_key);
}
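/*
  Log an rpc packet in a format suitable for ndrdump. This is especially
  useful for sealed packets, where ethereal cannot easily see the contents.

  This triggers on a debug level of >= 10.

  The packet is written to <lockdir>/rpclog/<interface>-<opnum>.<i>.<in|out>,
  using the first index i in 0..19 for which no file exists yet; once all 20
  slots are taken nothing more is written for that call and direction.

  The dump holds the raw packet bytes, which can include request and reply
  data that was sealed on the wire, so the rpclog directory should be treated
  as sensitive.
  NOTE(review): file_exist() followed by file_save() is a check-then-write
  sequence; confirm the rpclog directory is not writable by other users and
  how file_save() treats a path that appears in between.
*/
void dcerpc_log_packet(const struct dcerpc_interface_table *ndr,
		       uint32_t opnum, uint32_t flags, DATA_BLOB *pkt)
{
	const int num_examples = 20;
	int i;

	if (DEBUGLEVEL < 10) {
		return;
	}

	for (i = 0; i < num_examples; i++) {
		char *name = NULL;
		int ret;

		ret = asprintf(&name, "%s/rpclog/%s-%u.%d.%s",
			       lp_lockdir(), ndr->name, opnum, i,
			       (flags & NDR_IN) ? "in" : "out");
		/* on failure the contents of name are not guaranteed, so rely
		   on the return value and never free it in that case */
		if (ret < 0 || name == NULL) {
			return;
		}

		if (file_exist(name)) {
			/* slot already used, try the next index */
			free(name);
			continue;
		}

		if (file_save(name, pkt->data, pkt->length)) {
			DEBUG(10, ("Logged rpc packet to %s\n", name));
		}
		free(name);
		break;
	}
}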
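/*
  Create a secondary context from a primary connection.

  This uses dcerpc_alter_context() to create a new dcerpc context_id on the
  connection that p already uses. The new pipe is a talloc child of p, takes
  a talloc reference to p->conn and inherits p's request timeout.

  The connection's next_context_id is incremented before the alter-context
  exchange, so the id is consumed even when this function fails.

  *pp2 is written only on success; on failure the new pipe is freed.

  Returns NT_STATUS_NO_MEMORY on allocation failure, or the status of
  GUID_from_string() / dcerpc_alter_context().
*/
NTSTATUS dcerpc_secondary_context(struct dcerpc_pipe *p,
				  struct dcerpc_pipe **pp2,
				  const struct dcerpc_interface_table *table)
{
	NTSTATUS status;
	struct dcerpc_pipe *p2;

	p2 = talloc_zero(p, struct dcerpc_pipe);
	if (p2 == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	p2->conn = talloc_reference(p2, p->conn);
	if (p2->conn == NULL) {
		/* without the reference the calls below would use a NULL connection */
		talloc_free(p2);
		return NT_STATUS_NO_MEMORY;
	}
	p2->request_timeout = p->request_timeout;

	p2->context_id = ++p->conn->next_context_id;

	status = GUID_from_string(table->uuid, &p2->syntax.uuid);
	if (!NT_STATUS_IS_OK(status)) {
		goto failed;
	}
	p2->syntax.if_version = table->if_version;

	status = GUID_from_string(NDR_GUID, &p2->transfer_syntax.uuid);
	if (!NT_STATUS_IS_OK(status)) {
		goto failed;
	}
	p2->transfer_syntax.if_version = NDR_GUID_VERSION;

	status = dcerpc_alter_context(p2, p2, &p2->syntax, &p2->transfer_syntax);
	if (!NT_STATUS_IS_OK(status)) {
		goto failed;
	}

	*pp2 = p2;

	return status;

failed:
	talloc_free(p2);
	return status;
}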