2025-03-25 14:50:24 +03:00 · 2011-10-12 22:55:34 +11:00 · 2011-10-12 22:55:34 +11:00 · 5603dab647
commit 5603dab647
parent 43d84aa619
10 changed files with 83 additions and 27 deletions
--- a/libcli/auth/schannel_proto.h
+++ b/libcli/auth/schannel_proto.h
@ -26,7 +26,7 @@
 struct schannel_state;

 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
-					     const char *private_dir);
+					     struct loadparm_context *lp_ctx);

 NTSTATUS netsec_incoming_packet(struct schannel_state *state,
 				bool do_unseal,
--- a/libcli/auth/schannel_state.h
+++ b/libcli/auth/schannel_state.h
@ -24,16 +24,16 @@
 #define _LIBCLI_AUTH_SCHANNEL_STATE_H__

 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
-				  const char *db_priv_dir,
+				  struct loadparm_context *lp_ctx,
 				  const char *computer_name,
 				  struct netlogon_creds_CredentialState **creds);

 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
-				   const char *db_priv_dir,
+				   struct loadparm_context *lp_ctx,
 				   struct netlogon_creds_CredentialState *creds);

 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
-				    const char *db_priv_dir,
+				    struct loadparm_context *lp_ctx,
 				    const char *computer_name,
 				    struct netr_Authenticator *received_authenticator,
 				    struct netr_Authenticator *return_authenticator,
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@ -25,6 +25,7 @@
 #include "system/filesys.h"
 #include "../lib/tdb_compat/tdb_compat.h"
 #include "../lib/util/util_tdb.h"
+#include "../lib/param/param.h"
 #include "../libcli/auth/schannel.h"
 #include "../librpc/gen_ndr/ndr_schannel.h"
 #include "lib/util/tdb_wrap.h"
@ -37,10 +38,10 @@
 *******************************************************************************/

 struct tdb_wrap *open_schannel_session_store(TALLOC_CTX *mem_ctx,
-					     const char *private_dir)
+					     struct loadparm_context *lp_ctx)
 {
 	struct tdb_wrap *tdb_sc = NULL;
-	char *fname = talloc_asprintf(mem_ctx, "%s/schannel_store.tdb", private_dir);
+	char *fname = lpcfg_private_path(mem_ctx, lp_ctx, "schannel_store.tdb");

 	if (!fname) {
 		return NULL;
@ -201,7 +202,7 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_wrap *tdb_sc,
 *******************************************************************************/

 NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
-				  const char *db_priv_dir,
+				  struct loadparm_context *lp_ctx,
 				  const char *computer_name,
 				  struct netlogon_creds_CredentialState **_creds)
 {
@ -215,7 +216,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}

-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
@ -239,7 +240,7 @@ NTSTATUS schannel_get_creds_state(TALLOC_CTX *mem_ctx,
 *******************************************************************************/

 NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
-				   const char *db_priv_dir,
+				   struct loadparm_context *lp_ctx,
 				   struct netlogon_creds_CredentialState *creds)
 {
 	TALLOC_CTX *tmpctx;
@ -251,7 +252,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}

-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
@ -273,7 +274,7 @@ NTSTATUS schannel_save_creds_state(TALLOC_CTX *mem_ctx,
 ********************************************************************/

 NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
-				    const char *db_priv_dir,
+				    struct loadparm_context *lp_ctx,
 				    const char *computer_name,
 				    struct netr_Authenticator *received_authenticator,
 				    struct netr_Authenticator *return_authenticator,
@ -290,7 +291,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}

-	tdb_sc = open_schannel_session_store(tmpctx, db_priv_dir);
+	tdb_sc = open_schannel_session_store(tmpctx, lp_ctx);
 	if (!tdb_sc) {
 		status = NT_STATUS_ACCESS_DENIED;
 		goto done;
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@ -26,7 +26,7 @@ bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',

 bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
 	source='schannel_state_tdb.c schannel_sign.c',
-	deps='tdb-wrap UTIL_TDB'
+	deps='tdb-wrap UTIL_TDB samba-hostconfig'
 	)


--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@ -44,6 +44,7 @@
 #include "auth.h"
 #include "messages.h"
 #include "../lib/tsocket/tsocket.h"
+#include "lib/param/param.h"

 extern userdom_struct current_user_info;

@ -882,6 +883,7 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 	 * so use a copy to avoid destroying the client values. */
 	uint32_t in_neg_flags = *r->in.negotiate_flags;
 	const char *fn;
+	struct loadparm_context *lp_ctx;
 	struct dom_sid sid;
 	struct samr_Password mach_pwd;
 	struct netlogon_creds_CredentialState *creds;
@ -993,11 +995,20 @@ NTSTATUS _netr_ServerAuthenticate3(struct pipes_struct *p,
 		goto out;
 	}

+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(10, ("loadparm_init_s3 failed\n"));
+		status = NT_STATUS_INTERNAL_ERROR;
+		goto out;
+	}
+
 	/* Store off the state so we can continue after client disconnect. */
 	become_root();
-	status = schannel_save_creds_state(p->mem_ctx, lp_private_dir(), creds);
+	status = schannel_save_creds_state(p->mem_ctx, lp_ctx, creds);
 	unbecome_root();

+	talloc_unlink(p->mem_ctx, lp_ctx);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		goto out;
 	}
@ -1078,6 +1089,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 {
 	NTSTATUS status;
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+	struct loadparm_context *lp_ctx;

 	if (schannel_global_required) {
 		status = schannel_check_required(&p->auth,
@ -1088,10 +1100,16 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 		}
 	}

-	status = schannel_check_creds_state(mem_ctx, lp_private_dir(),
+	lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = schannel_check_creds_state(mem_ctx, lp_ctx,
 					    computer_name, received_authenticator,
 					    return_authenticator, creds_out);
-
+	talloc_unlink(mem_ctx, lp_ctx);
 	return status;
 }

@ -1731,6 +1749,7 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
 {
 	NTSTATUS status;
 	struct netlogon_creds_CredentialState *creds = NULL;
+	struct loadparm_context *lp_ctx;

 	*r->out.authoritative = true;

@ -1746,10 +1765,18 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
 		return NT_STATUS_INVALID_PARAMETER;
        }

+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	become_root();
-	status = schannel_get_creds_state(p->mem_ctx, lp_private_dir(),
+	status = schannel_get_creds_state(p->mem_ctx, lp_ctx,
 					  r->in.computer_name, &creds);
 	unbecome_root();
+	talloc_unlink(p->mem_ctx, lp_ctx);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@ -2267,14 +2294,22 @@ NTSTATUS _netr_GetForestTrustInformation(struct pipes_struct *p,
 	NTSTATUS status;
 	struct netlogon_creds_CredentialState *creds;
 	struct lsa_ForestTrustInformation *info, **info_ptr;
+	struct loadparm_context *lp_ctx;

 	/* TODO: check server name */

-	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
 					    r->in.computer_name,
 					    r->in.credential,
 					    r->out.return_authenticator,
 					    &creds);
+	talloc_unlink(p->mem_ctx, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@ -2367,14 +2402,22 @@ NTSTATUS _netr_ServerGetTrustInfo(struct pipes_struct *p,
 	struct samr_Password *new_owf_enc;
 	struct samr_Password *old_owf_enc;
 	DATA_BLOB session_key;
+	struct loadparm_context *lp_ctx;
+
+	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_context());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}

 	/* TODO: check server name */

-	status = schannel_check_creds_state(p->mem_ctx, lp_private_dir(),
+	status = schannel_check_creds_state(p->mem_ctx, lp_ctx,
 					    r->in.computer_name,
 					    r->in.credential,
 					    r->out.return_authenticator,
 					    &creds);
+	talloc_unlink(p->mem_ctx, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@ -43,6 +43,7 @@
 #include "ntdomain.h"
 #include "rpc_server/srv_pipe.h"
 #include "rpc_server/rpc_contexts.h"
+#include "lib/param/param.h"

 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@ -477,6 +478,7 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 	struct netlogon_creds_CredentialState *creds;
 	enum ndr_err_code ndr_err;
 	struct schannel_state *schannel_auth;
+	struct loadparm_context *lp_ctx;

 	ndr_err = ndr_pull_struct_blob(
 			&auth_info->credentials, mem_ctx, &neg,
@ -495,6 +497,12 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 		return false;
 	}

+	lp_ctx = loadparm_init_s3(p, loadparm_s3_context());
+	if (!lp_ctx) {
+		DEBUG(0,("pipe_schannel_auth_bind: loadparm_init_s3() failed!\n"));
+		return false;
+	}
+
 	/*
 	 * The neg.oem_netbios_computer.a key here must match the remote computer name
 	 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
@ -502,10 +510,11 @@ static bool pipe_schannel_auth_bind(struct pipes_struct *p,
 	 */

 	become_root();
-	status = schannel_get_creds_state(p, lp_private_dir(),
+	status = schannel_get_creds_state(p, lp_ctx,
 					    neg.oem_netbios_computer.a, &creds);
 	unbecome_root();
-
+	
+	talloc_unlink(p, lp_ctx);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
 		return False;
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@ -40,6 +40,7 @@
 #include "messages.h"
 #include "smbprofile.h"
 #include "lib/id_cache.h"
+#include "lib/param/param.h"

 extern void start_epmd(struct tevent_context *ev_ctx,
 		       struct messaging_context *msg_ctx);
@ -1150,10 +1151,12 @@ extern void build_options(bool screen);
 	}

 	if (lp_server_role() == ROLE_DOMAIN_BDC || lp_server_role() == ROLE_DOMAIN_PDC) {
-		if (!open_schannel_session_store(NULL, lp_private_dir())) {
+		struct loadparm_context *lp_ctx = loadparm_init_s3(NULL, loadparm_s3_context());
+		if (!open_schannel_session_store(NULL, lp_ctx)) {
 			DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 			exit(1);
 		}
+		TALLOC_FREE(lp_ctx);
 	}

 	if(!get_global_sam_sid()) {
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@ -154,7 +154,7 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
 		}

 		status = schannel_get_creds_state(out_mem_ctx,
-						  lpcfg_private_dir(gensec_security->settings->lp_ctx),
+						  gensec_security->settings->lp_ctx,
 						  workstation, &creds);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@ -270,7 +270,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");

 	nt_status = schannel_save_creds_state(mem_ctx,
-					      lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					      dce_call->conn->dce_ctx->lp_ctx,
 					      creds);

 	return nt_status;
@ -382,7 +382,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 	}

 	nt_status = schannel_check_creds_state(mem_ctx,
-					       lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					       dce_call->conn->dce_ctx->lp_ctx,
 					       computer_name,
 					       received_authenticator,
 					       return_authenticator,
@ -839,7 +839,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
 	}

 	nt_status = schannel_get_creds_state(mem_ctx,
-					     lpcfg_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+					     dce_call->conn->dce_ctx->lp_ctx,
 					     r->in.computer_name, &creds);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@ -393,7 +393,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
 	}

 	if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
-		if (!open_schannel_session_store(talloc_autofree_context(), lpcfg_private_dir(cmdline_lp_ctx))) {
+		if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
 			DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 			exit(1);
 		}