sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-04 17:47:26 +03:00
Code

r13641: Finish fix for #3510. Don't use client schannel when told

Browse Source 
not to, cope with a server that doesn't offer schannel also.
Jeremy
(This used to be commit 68005f6bdb70883eace0d9067c76c3360a803023)
This commit is contained in:
Jeremy Allison 2006-02-22 21:18:23 +00:00 committed by Gerald (Jerry) Carter
parent fd5ecef41c
commit 202bc164ca
2 changed files with 52 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
source3/rpc_client/cli_pipe.c
View File

@ -2393,13 +2393,14 @@ struct rpc_pipe_client *cli_rpc_pipe_open_spnego_ntlmssp(struct cli_state *cli,
/**************************************************************************** /****************************************************************************
Open a netlogon pipe and get the schannel session key. Open a netlogon pipe and get the schannel session key.
Now exposed to external callers.
****************************************************************************/ ****************************************************************************/
static struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli, struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
const char *domain, const char *domain,
uint32 *pneg_flags,
NTSTATUS *perr) NTSTATUS *perr)
{ {
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0; uint32 sec_chan_type = 0;
unsigned char machine_pwd[16]; unsigned char machine_pwd[16];
@ -2438,7 +2439,7 @@ static struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
machine_account, /* machine account name */ machine_account, /* machine account name */
machine_pwd, machine_pwd,
sec_chan_type, sec_chan_type,
&neg_flags); pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) { if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds " DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
@ -2448,7 +2449,7 @@ static struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
return NULL; return NULL;
} }
if ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0) { if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n", DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
cli->desthost)); cli->desthost));
cli_rpc_pipe_close(netlogon_pipe); cli_rpc_pipe_close(netlogon_pipe);
@ -2520,9 +2521,9 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
const char *domain, const char *domain,
const char *username, const char *username,
const char *password, const char *password,
uint32 *pneg_flags,
NTSTATUS *perr) NTSTATUS *perr)
{ {
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0; uint32 sec_chan_type = 0;
unsigned char machine_pwd[16]; unsigned char machine_pwd[16];
@ -2564,7 +2565,7 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
machine_account, /* machine account name */ machine_account, /* machine account name */
machine_pwd, machine_pwd,
sec_chan_type, sec_chan_type,
&neg_flags); pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) { if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds " DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
@ -2574,7 +2575,7 @@ static struct rpc_pipe_client *get_schannel_session_key_auth_ntlmssp(struct cli_
return NULL; return NULL;
} }
if ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0) { if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n", DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
cli->desthost)); cli->desthost));
cli_rpc_pipe_close(netlogon_pipe); cli_rpc_pipe_close(netlogon_pipe);
@ -2599,10 +2600,12 @@ struct rpc_pipe_client *cli_rpc_pipe_open_ntlmssp_auth_schannel(struct cli_state
const char *password, const char *password,
NTSTATUS *perr) NTSTATUS *perr)
{ {
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL; struct rpc_pipe_client *result = NULL;
netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username, password, perr); netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
password, &neg_flags, perr);
if (!netlogon_pipe) { if (!netlogon_pipe) {
DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session " DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
"key from server %s for domain %s.\n", "key from server %s for domain %s.\n",
@ -2631,10 +2634,11 @@ struct rpc_pipe_client *cli_rpc_pipe_open_schannel(struct cli_state *cli,
const char *domain, const char *domain,
NTSTATUS *perr) NTSTATUS *perr)
{ {
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL; struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL; struct rpc_pipe_client *result = NULL;
netlogon_pipe = get_schannel_session_key(cli, domain, perr); netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
if (!netlogon_pipe) { if (!netlogon_pipe) {
DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session " DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
"key from server %s for domain %s.\n", "key from server %s for domain %s.\n",

52
source3/utils/net_rpc_join.c
View File

@ -43,31 +43,57 @@
**/ **/
static int net_rpc_join_ok(const char *domain) static int net_rpc_join_ok(const char *domain)
{ {
uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct cli_state *cli = NULL; struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL; struct rpc_pipe_client *pipe_hnd = NULL;
int retval = 1; struct rpc_pipe_client *netlogon_pipe = NULL;
NTSTATUS ret; NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
/* Connect to remote machine */ /* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) { if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
return 1; return -1;
} }
pipe_hnd = cli_rpc_pipe_open_schannel(cli, PI_NETLOGON, /* Setup the creds as though we're going to do schannel... */
PIPE_AUTH_LEVEL_PRIVACY, netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, &ntret);
domain, &ret);
/* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing
to negotiate schannel, but the creds were set up ok. That'll have to do. */
if (!netlogon_pipe) {
if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
cli_shutdown(cli);
return 0;
} else {
DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
"key from server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
cli_shutdown(cli);
return -1;
}
}
/* Only do the rest of the schannel test if the client is allowed to do this. */
if (!lp_client_schannel()) {
cli_shutdown(cli);
/* We're good... */
return 0;
}
pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
PIPE_AUTH_LEVEL_PRIVACY,
domain, netlogon_pipe->dc, &ntret);
if (!pipe_hnd) { if (!pipe_hnd) {
DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(ret) )); DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
goto done; "on netlogon pipe to server %s for domain %s. Error was %s\n",
cli->desthost, domain, nt_errstr(ntret) ));
cli_shutdown(cli);
return -1;
} }
retval = 0; /* Success! */
done:
cli_shutdown(cli); cli_shutdown(cli);
return retval; return 0;
} }
/** /**