libcli/auth: add netlogon_creds_cli* infrastructure
This provides an abstraction to hide netlogon_creds_CredentialState, which is stored in a node local tdb. Where the global state (netlogon_creds_CredentialState) between client and server was only kept in memory (on the client side), we now use the abstracted netlogon_creds_cli_context. We now use a node specific computer name in order to establish individual netlogon sessions per node. If the caller wants to use some netlogon calls with credential chain (struct netr_Authenticator), netlogon_creds_cli_lock*() is used to get the current netlogon_creds_CredentialState in a g_lock'ed fashion, a talloc_free() will release the lock. The locking is needed as there might be more than one process (multiple winbindd child, cmdline tools) which want to talk to a specific domain controller. The usage of netlogon_creds_CredentialState needs to be serialized as it uses sequence numbers. LogonSamLogonEx doesn't use the credential chain, but for some operations it needs the global session in order to de/encrypt individual fields. It uses the lockless netlogon_creds_cli_get() and netlogon_creds_cli_validate() functions, which just make sure the session hasn't changed between get and validate. This prepares the proper fix for a large number of bugs: https://bugzilla.samba.org/show_bug.cgi?id=6563 https://bugzilla.samba.org/show_bug.cgi?id=7944 https://bugzilla.samba.org/show_bug.cgi?id=7945 https://bugzilla.samba.org/show_bug.cgi?id=7568 https://bugzilla.samba.org/show_bug.cgi?id=8599 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
parent
6b586c3cf6
commit
6e6d9f9f12
2596
libcli/auth/netlogon_creds_cli.c
Normal file
2596
libcli/auth/netlogon_creds_cli.c
Normal file
138
libcli/auth/netlogon_creds_cli.h
Normal file
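--- /dev/null
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -0,0 +1,138 @@
+/*
+Unix SMB/CIFS implementation.
+
+module to store/fetch session keys for the schannel client
+
+Copyright (C) Stefan Metzmacher 2013
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#ifndef NETLOGON_CREDS_CLI_H
+#define NETLOGON_CREDS_CLI_H
+
+#include "librpc/gen_ndr/dcerpc.h"
+#include "librpc/gen_ndr/schannel.h"
+
+struct netlogon_creds_cli_context;
+struct messaging_context;
+struct dcerpc_binding_handle;
+
+NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
+
+NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
+struct messaging_context *msg_ctx,
+const char *client_account,
+enum netr_SchannelType type,
+const char *server_computer,
+const char *server_netbios_domain,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_cli_context **_context);
+NTSTATUS netlogon_creds_cli_context_tmp(const char *client_computer,
+const char *client_account,
+enum netr_SchannelType type,
+enum dcerpc_AuthLevel auth_level,
+uint32_t proposed_flags,
+uint32_t required_flags,
+const char *server_computer,
+const char *server_netbios_domain,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_cli_context **_context);
+NTSTATUS netlogon_creds_cli_context_copy(
+const struct netlogon_creds_cli_context *src,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_cli_context **_dst);
+
+enum dcerpc_AuthLevel netlogon_creds_cli_auth_level(
+struct netlogon_creds_cli_context *context);
+
+NTSTATUS netlogon_creds_cli_get(struct netlogon_creds_cli_context *context,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState **_creds);
+bool netlogon_creds_cli_validate(struct netlogon_creds_cli_context *context,
+const struct netlogon_creds_CredentialState *creds1);
+
+NTSTATUS netlogon_creds_cli_store(struct netlogon_creds_cli_context *context,
+struct netlogon_creds_CredentialState **_creds);
+NTSTATUS netlogon_creds_cli_delete(struct netlogon_creds_cli_context *context,
+struct netlogon_creds_CredentialState **_creds);
+
+struct tevent_req *netlogon_creds_cli_lock_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct netlogon_creds_cli_context *context);
+NTSTATUS netlogon_creds_cli_lock_recv(struct tevent_req *req,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState **creds);
+NTSTATUS netlogon_creds_cli_lock(struct netlogon_creds_cli_context *context,
+TALLOC_CTX *mem_ctx,
+struct netlogon_creds_CredentialState **creds);
+
+struct tevent_req *netlogon_creds_cli_auth_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+struct samr_Password current_nt_hash,
+const struct samr_Password *previous_nt_hash);
+NTSTATUS netlogon_creds_cli_auth_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_auth(struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+struct samr_Password current_nt_hash,
+const struct samr_Password *previous_nt_hash);
+
+struct tevent_req *netlogon_creds_cli_check_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b);
+NTSTATUS netlogon_creds_cli_check_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_check(struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b);
+
+struct tevent_req *netlogon_creds_cli_ServerPasswordSet_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+const char *new_password,
+const uint32_t *new_version);
+NTSTATUS netlogon_creds_cli_ServerPasswordSet_recv(struct tevent_req *req);
+NTSTATUS netlogon_creds_cli_ServerPasswordSet(
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+const char *new_password,
+const uint32_t *new_version);
+
+struct tevent_req *netlogon_creds_cli_LogonSamLogon_send(TALLOC_CTX *mem_ctx,
+struct tevent_context *ev,
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+enum netr_LogonInfoClass logon_level,
+const union netr_LogonLevel *logon,
+uint32_t flags);
+NTSTATUS netlogon_creds_cli_LogonSamLogon_recv(struct tevent_req *req,
+TALLOC_CTX *mem_ctx,
+uint16_t *validation_level,
+union netr_Validation **validation,
+uint8_t *authoritative,
+uint32_t *flags);
+NTSTATUS netlogon_creds_cli_LogonSamLogon(
+struct netlogon_creds_cli_context *context,
+struct dcerpc_binding_handle *b,
+enum netr_LogonInfoClass logon_level,
+const union netr_LogonLevel *logon,
+TALLOC_CTX *mem_ctx,
+uint16_t *validation_level,
+union netr_Validation **validation,
+uint8_t *authoritative,
+uint32_t *flags);
+
+#endif /* NETLOGON_CREDS_CLI_H */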
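Review bot: `netlogon_creds_cli_auth_send` and `netlogon_creds_cli_auth` take `struct samr_Password current_nt_hash` by value, so the machine account's NT hash is copied into every call frame on the way down (and presumably into the async request state), where nothing can scrub it, while `previous_nt_hash` on the same signatures is already a pointer; I'd make both `const struct samr_Password *current_nt_hash,` so the caller remains the single owner of the secret and the two parameters are handled the same way. `struct loadparm_context` is used in the prototypes of `netlogon_creds_cli_open_global_db` and `netlogon_creds_cli_context_global` but is missing from the forward-declaration group, so the header is only self-contained when the including file has declared it earlier; add `struct loadparm_context;` next to `struct messaging_context;` (`struct tevent_context`/`struct tevent_req` may be covered by the included gen_ndr headers, worth the same check). The locking contract described in the commit message is not visible in the header itself; a comment above `netlogon_creds_cli_lock_send` along the lines of `/* The returned CredentialState holds the g_lock for this context; talloc_free() it to release the lock. */` and one above `netlogon_creds_cli_get` noting that it is lockless and must be paired with `netlogon_creds_cli_validate` would keep callers from having to read the .c file.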
@ -28,6 +28,10 @@ bld.SAMBA_SUBSYSTEM('COMMON_SCHANNEL',
|
||||
deps='dbwrap util_tdb samba-hostconfig NDR_NETLOGON'
|
||||
)
|
||||
|
||||
bld.SAMBA_SUBSYSTEM('NETLOGON_CREDS_CLI',
|
||||
source='netlogon_creds_cli.c',
|
||||
deps='dbwrap util_tdb tevent-util samba-hostconfig RPC_NDR_NETLOGON NDR_NETLOGON'
|
||||
)
|
||||
|
||||
bld.SAMBA_SUBSYSTEM('PAM_ERRORS',
|
||||
source='pam_errors.c',
|
||||
|