From 295b323b1c65cd8387b3977a189f81253c139b43 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 23 Sep 2014 09:12:20 -0700 Subject: [PATCH] s3-librpc: Add cli_rpc_pipe_open_with_creds() This provides a credentials-based interface. In the long term, we will want to change this not to reference the credentials, but for now this suits the caller in winbindd_cm.c Andrew Bartlett Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- source3/include/auth_generic.h | 2 + source3/libsmb/auth_generic.c | 8 +++ source3/rpc_client/cli_pipe.c | 116 +++++++++++++++++++++++++++++++++ source3/rpc_client/cli_pipe.h | 15 +++++ 4 files changed, 141 insertions(+) diff --git a/source3/include/auth_generic.h b/source3/include/auth_generic.h index 96b07cd8f77..07df62af43a 100644 --- a/source3/include/auth_generic.h +++ b/source3/include/auth_generic.h @@ -37,6 +37,8 @@ NTSTATUS auth_generic_set_domain(struct auth_generic_state *ans, const char *domain); NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, const char *password); +NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans, + struct cli_credentials *creds); NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **_ans); NTSTATUS auth_generic_client_start(struct auth_generic_state *ans, const char *oid); diff --git a/source3/libsmb/auth_generic.c b/source3/libsmb/auth_generic.c index 1f6c681a6e5..68d14516f39 100644 --- a/source3/libsmb/auth_generic.c +++ b/source3/libsmb/auth_generic.c @@ -48,6 +48,14 @@ NTSTATUS auth_generic_set_password(struct auth_generic_state *ans, return NT_STATUS_OK; } +NTSTATUS auth_generic_set_creds(struct auth_generic_state *ans, + struct cli_credentials *creds) +{ + talloc_unlink(ans->credentials, creds); + ans->credentials = creds; + return NT_STATUS_OK; +} + NTSTATUS auth_generic_client_prepare(TALLOC_CTX *mem_ctx, struct auth_generic_state **auth_generic_state) { struct auth_generic_state *ans; diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 43ce719f4cc..fcb8b61751c 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -2407,6 +2407,63 @@ static NTSTATUS rpccli_generic_bind_data(TALLOC_CTX *mem_ctx, return status; } +/* This routine steals the creds pointer that is passed in */ +static NTSTATUS rpccli_generic_bind_data_from_creds(TALLOC_CTX *mem_ctx, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, + const char *server, + const char *target_service, + struct cli_credentials *creds, + struct pipe_auth_data **presult) +{ + struct auth_generic_state *auth_generic_ctx; + struct pipe_auth_data *result; + NTSTATUS status; + + result = talloc_zero(mem_ctx, struct pipe_auth_data); + if (result == NULL) { + return NT_STATUS_NO_MEMORY; + } + + result->auth_type = auth_type; + result->auth_level = auth_level; + + status = auth_generic_client_prepare(result, + &auth_generic_ctx); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = auth_generic_set_creds(auth_generic_ctx, creds); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = gensec_set_target_service(auth_generic_ctx->gensec_security, target_service); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = gensec_set_target_hostname(auth_generic_ctx->gensec_security, server); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + status = auth_generic_client_start_by_authtype(auth_generic_ctx, auth_type, auth_level); + if (!NT_STATUS_IS_OK(status)) { + goto fail; + } + + result->auth_ctx = talloc_move(result, &auth_generic_ctx->gensec_security); + talloc_free(auth_generic_ctx); + *presult = result; + return NT_STATUS_OK; + + fail: + TALLOC_FREE(result); + return status; +} + NTSTATUS rpccli_ncalrpc_bind_data(TALLOC_CTX *mem_ctx, struct pipe_auth_data **presult) { @@ -2940,6 +2997,65 @@ NTSTATUS cli_rpc_pipe_open_noauth(struct cli_state *cli, /**************************************************************************** Open a named pipe to an SMB server and bind using the mech specified + + This routine references the creds pointer that is passed in + ****************************************************************************/ + +NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, + const struct ndr_interface_table *table, + enum dcerpc_transport_t transport, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, + const char *server, + struct cli_credentials *creds, + struct rpc_pipe_client **presult) +{ + struct rpc_pipe_client *result; + struct pipe_auth_data *auth = NULL; + const char *target_service = table->authservices->names[0]; + + NTSTATUS status; + + status = cli_rpc_pipe_open(cli, transport, table, &result); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = rpccli_generic_bind_data_from_creds(result, + auth_type, auth_level, + server, target_service, + creds, + &auth); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("rpccli_generic_bind_data returned %s\n", + nt_errstr(status))); + goto err; + } + + status = rpc_pipe_bind(result, auth); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("cli_rpc_pipe_open_generic_auth: cli_rpc_pipe_bind failed with error %s\n", + nt_errstr(status) )); + goto err; + } + + DEBUG(10,("cli_rpc_pipe_open_generic_auth: opened pipe %s to " + "machine %s and bound as user %s.\n", table->name, + result->desthost, cli_credentials_get_unparsed_name(creds, talloc_tos()))); + + *presult = result; + return NT_STATUS_OK; + + err: + + TALLOC_FREE(result); + return status; +} + +/**************************************************************************** + Open a named pipe to an SMB server and bind using the mech specified + + This routine steals the creds pointer that is passed in ****************************************************************************/ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli, diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h index 34e79d1fa22..0c1e6921380 100644 --- a/source3/rpc_client/cli_pipe.h +++ b/source3/rpc_client/cli_pipe.h @@ -72,6 +72,21 @@ NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli, const struct ndr_interface_table *table, struct rpc_pipe_client **presult); +/**************************************************************************** + Open a named pipe to an SMB server and bind using the mech specified + + This routine steals the creds pointer that is passed in + ****************************************************************************/ + +NTSTATUS cli_rpc_pipe_open_with_creds(struct cli_state *cli, + const struct ndr_interface_table *table, + enum dcerpc_transport_t transport, + enum dcerpc_AuthType auth_type, + enum dcerpc_AuthLevel auth_level, + const char *server, + struct cli_credentials *creds, + struct rpc_pipe_client **presult); + NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli, const struct ndr_interface_table *table, enum dcerpc_transport_t transport,