mirror of
https://github.com/samba-team/samba.git
synced 2025-01-06 13:18:07 +03:00
netlogon_creds_cli: Simplify netlogon_creds_cli_get
netlogon_creds_cli_get_internal almost does everything needed, only the invalidating for credential chain use is missing. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
71fb0a89b4
commit
0463527e4e
@ -506,27 +506,20 @@ static void netlogon_creds_cli_fetch_parser(TDB_DATA key, TDB_DATA data,
|
|||||||
state->status = NT_STATUS_OK;
|
state->status = NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static NTSTATUS netlogon_creds_cli_get_internal(
|
||||||
|
struct netlogon_creds_cli_context *context,
|
||||||
|
TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState **pcreds);
|
||||||
|
|
||||||
NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
|
NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
|
||||||
TALLOC_CTX *mem_ctx,
|
TALLOC_CTX *mem_ctx,
|
||||||
struct netlogon_creds_CredentialState **_creds)
|
struct netlogon_creds_CredentialState **_creds)
|
||||||
{
|
{
|
||||||
NTSTATUS status;
|
NTSTATUS status;
|
||||||
struct netlogon_creds_cli_fetch_state fstate = {
|
struct netlogon_creds_CredentialState *creds;
|
||||||
.mem_ctx = mem_ctx,
|
|
||||||
.status = NT_STATUS_INTERNAL_ERROR,
|
|
||||||
.required_flags = context->client.required_flags,
|
|
||||||
};
|
|
||||||
|
|
||||||
*_creds = NULL;
|
*_creds = NULL;
|
||||||
|
|
||||||
status = dbwrap_parse_record(context->db.ctx,
|
status = netlogon_creds_cli_get_internal(context, mem_ctx, &creds);
|
||||||
context->db.key_data,
|
|
||||||
netlogon_creds_cli_fetch_parser,
|
|
||||||
&fstate);
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
|
||||||
return status;
|
|
||||||
}
|
|
||||||
status = fstate.status;
|
|
||||||
if (!NT_STATUS_IS_OK(status)) {
|
if (!NT_STATUS_IS_OK(status)) {
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
@ -534,61 +527,12 @@ NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
|
|||||||
/*
|
/*
|
||||||
* mark it as invalid for step operations.
|
* mark it as invalid for step operations.
|
||||||
*/
|
*/
|
||||||
fstate.creds->sequence = 0;
|
creds->sequence = 0;
|
||||||
fstate.creds->seed = (struct netr_Credential) {{0}};
|
creds->seed = (struct netr_Credential) {{0}};
|
||||||
fstate.creds->client = (struct netr_Credential) {{0}};
|
creds->client = (struct netr_Credential) {{0}};
|
||||||
fstate.creds->server = (struct netr_Credential) {{0}};
|
creds->server = (struct netr_Credential) {{0}};
|
||||||
|
|
||||||
if (context->server.cached_flags == fstate.creds->negotiate_flags) {
|
*_creds = creds;
|
||||||
*_creds = fstate.creds;
|
|
||||||
return NT_STATUS_OK;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* It is really important to try SamLogonEx here,
|
|
||||||
* because multiple processes can talk to the same
|
|
||||||
* domain controller, without using the credential
|
|
||||||
* chain.
|
|
||||||
*
|
|
||||||
* With a normal SamLogon call, we must keep the
|
|
||||||
* credentials chain updated and intact between all
|
|
||||||
* users of the machine account (which would imply
|
|
||||||
* cross-node communication for every NTLM logon).
|
|
||||||
*
|
|
||||||
* The credentials chain is not per NETLOGON pipe
|
|
||||||
* connection, but globally on the server/client pair
|
|
||||||
* by computer name.
|
|
||||||
*
|
|
||||||
* It's also important to use NetlogonValidationSamInfo4 (6),
|
|
||||||
* because it relies on the rpc transport encryption
|
|
||||||
* and avoids using the global netlogon schannel
|
|
||||||
* session key to en/decrypt secret information
|
|
||||||
* like the user_session_key for network logons.
|
|
||||||
*
|
|
||||||
* [MS-APDS] 3.1.5.2 NTLM Network Logon
|
|
||||||
* says NETLOGON_NEG_CROSS_FOREST_TRUSTS and
|
|
||||||
* NETLOGON_NEG_AUTHENTICATED_RPC set together
|
|
||||||
* are the indication that the server supports
|
|
||||||
* NetlogonValidationSamInfo4 (6). And it must only
|
|
||||||
* be used if "SealSecureChannel" is used.
|
|
||||||
*
|
|
||||||
* The "SealSecureChannel" AUTH_TYPE_SCHANNEL/AUTH_LEVEL_PRIVACY
|
|
||||||
* check is done in netlogon_creds_cli_LogonSamLogon*().
|
|
||||||
*/
|
|
||||||
context->server.cached_flags = fstate.creds->negotiate_flags;
|
|
||||||
context->server.try_validation6 = true;
|
|
||||||
context->server.try_logon_ex = true;
|
|
||||||
context->server.try_logon_with = true;
|
|
||||||
|
|
||||||
if (!(context->server.cached_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
|
|
||||||
context->server.try_validation6 = false;
|
|
||||||
context->server.try_logon_ex = false;
|
|
||||||
}
|
|
||||||
if (!(context->server.cached_flags & NETLOGON_NEG_CROSS_FOREST_TRUSTS)) {
|
|
||||||
context->server.try_validation6 = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
*_creds = fstate.creds;
|
|
||||||
return NT_STATUS_OK;
|
return NT_STATUS_OK;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -707,9 +651,6 @@ struct netlogon_creds_cli_lock_state {
|
|||||||
};
|
};
|
||||||
|
|
||||||
static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
|
static void netlogon_creds_cli_lock_done(struct tevent_req *subreq);
|
||||||
static NTSTATUS netlogon_creds_cli_get_internal(
|
|
||||||
struct netlogon_creds_cli_context *context,
|
|
||||||
TALLOC_CTX *mem_ctx, struct netlogon_creds_CredentialState **pcreds);
|
|
||||||
|
|
||||||
struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
|
struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
|
||||||
struct tevent_context *ev,
|
struct tevent_context *ev,
|
||||||
|
Loading…
Reference in New Issue
Block a user