1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

libcli/auth: add netlogon_creds_cli* infrastructure

This provides an abstraction to hide netlogon_creds_CredentialState,
which is stored in a node local tdb.

Where the global state (netlogon_creds_CredentialState) between client and
server was only kept in memory (on the client side), we now use
the abstracted netlogon_creds_cli_context.

We now use a node specific computer name in order to establish
individual netlogon sessions per node.

If the caller wants to use some netlogon calls with credential chain
(struct netr_Authenticator), netlogon_creds_cli_lock*() is used
to get the current netlogon_creds_CredentialState in a g_lock'ed
fashion, a talloc_free() will release the lock.

The locking is needed as there might be more than one process
(multiple winbindd child, cmdline tools) which want to talk
to a specific domain controller. The usage of netlogon_creds_CredentialState
needs to be serialized as it uses sequence numbers.

LogonSamLogonEx doesn't use the credential chain, but for some operations
it needs the global session in order to de/encrypt individual fields.
It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate()
functions, which just make sure the session hasn't changed between
get and validate.

This is prepares the proper fix for a large number of bugs:
https://bugzilla.samba.org/show_bug.cgi?id=6563
https://bugzilla.samba.org/show_bug.cgi?id=7944
https://bugzilla.samba.org/show_bug.cgi?id=7945
https://bugzilla.samba.org/show_bug.cgi?id=7568
https://bugzilla.samba.org/show_bug.cgi?id=8599

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2013-04-18 19:16:42 +02:00
parent 6b586c3cf6
commit 6e6d9f9f12
3 changed files with 2738 additions and 0 deletions

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,138 @@
/*
Unix SMB/CIFS implementation.
module to store/fetch session keys for the schannel client
Copyright (C) Stefan Metzmacher 2013
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef NETLOGON_CREDS_CLI_H
#define NETLOGON_CREDS_CLI_H
#include "librpc/gen_ndr/dcerpc.h"
#include "librpc/gen_ndr/schannel.h"
struct netlogon_creds_cli_context;
struct messaging_context;
struct dcerpc_binding_handle;
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,
enum netr_SchannelType type,
const char *server_computer,
const char *server_netbios_domain,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_context);
NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
const char *client_account,
enum netr_SchannelType type,
enum dcerpc_AuthLevel auth_level,
uint32_t proposed_flags,
uint32_t required_flags,
const char *server_computer,
const char *server_netbios_domain,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_context);
NTSTATUS netlogon_creds_cli_context_copy(
const struct netlogon_creds_cli_context *src,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_cli_context **_dst);
enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
struct netlogon_creds_cli_context *context);
NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_CredentialState **_creds);
bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
const struct netlogon_creds_CredentialState *creds1);
NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
struct netlogon_creds_CredentialState **_creds);
NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
struct netlogon_creds_CredentialState **_creds);
struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context);
NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_CredentialState **creds);
NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
TALLOC_CTX *mem_ctx,
struct netlogon_creds_CredentialState **creds);
struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
struct samr_Password current_nt_hash,
const struct samr_Password *previous_nt_hash);
NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
struct samr_Password current_nt_hash,
const struct samr_Password *previous_nt_hash);
struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b);
NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b);
struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
const char *new_password,
const uint32_t *new_version);
NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
NTSTATUS netlogon_creds_cli_ServerPasswordSet(
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
const char *new_password,
const uint32_t *new_version);
struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
enum netr_LogonInfoClass logon_level,
const union netr_LogonLevel *logon,
uint32_t flags);
NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
uint16_t *validation_level,
union netr_Validation **validation,
uint8_t *authoritative,
uint32_t *flags);
NTSTATUS netlogon_creds_cli_LogonSamLogon(
struct netlogon_creds_cli_context *context,
struct dcerpc_binding_handle *b,
enum netr_LogonInfoClass logon_level,
const union netr_LogonLevel *logon,
TALLOC_CTX *mem_ctx,
uint16_t *validation_level,
union netr_Validation **validation,
uint8_t *authoritative,
uint32_t *flags);
#endif /* NETLOGON_CREDS_CLI_H */

View File

@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
)
bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
source='netlogon_creds_cli.c',
deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
)
bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
source='pam_errors.c',