mirror of
https://github.com/samba-team/samba.git
synced 2025-02-24 13:57:43 +03:00
r4641: Push a few more details into the schannel ldb, and into the
credentials struct it maintains. Clearly much of this will be replaced with some system to pass and store the session_info, as that is the 'right way' to handle this. Andrew Bartlett (This used to be commit c6fcb33a887fbf0c0b42c3bc331df942a985128c)
This commit is contained in:
Andrew Bartlett
Gerald (Jerry) Carter
parent
577218b2ad
commit
e8c06b9221
@ -299,6 +299,10 @@ NTSTATUS creds_server_step_check(struct creds_CredentialState *creds,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if (!creds) {
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
/* TODO: this may allow the a replay attack on a non-signed
|
||||
connection. Should we check that this is increasing? */
|
||||
creds->sequence = received_authenticator->timestamp;
|
||||
|
||||
@ -27,6 +27,9 @@ struct creds_CredentialState {
|
||||
struct netr_Credential seed;
|
||||
struct netr_Credential client;
|
||||
struct netr_Credential server;
|
||||
uint16_t secure_channel_type;
|
||||
char *computer_name;
|
||||
char *account_name;
|
||||
};
|
||||
|
||||
|
||||
|
||||
@ -32,11 +32,6 @@
|
||||
struct server_pipe_state {
|
||||
struct netr_Credential client_challenge;
|
||||
struct netr_Credential server_challenge;
|
||||
BOOL authenticated;
|
||||
char *account_name;
|
||||
char *computer_name; /* for logging only */
|
||||
uint32_t acct_flags;
|
||||
uint16_t sec_chan_type;
|
||||
struct creds_CredentialState *creds;
|
||||
};
|
||||
|
||||
@ -55,7 +50,6 @@ static NTSTATUS netlogon_schannel_setup(struct dcesrv_call_state *dce_call)
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
ZERO_STRUCTP(state);
|
||||
state->authenticated = True;
|
||||
|
||||
if (dce_call->conn->auth_state.session_info == NULL) {
|
||||
talloc_free(state);
|
||||
@ -102,16 +96,7 @@ static NTSTATUS netlogon_bind(struct dcesrv_call_state *dce_call, const struct d
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/* this function is called when the client disconnects the endpoint */
|
||||
static void netlogon_unbind(struct dcesrv_connection_context *context, const struct dcesrv_interface *di)
|
||||
{
|
||||
struct server_pipe_state *pipe_state = context->private;
|
||||
talloc_free(pipe_state);
|
||||
context->private = NULL;
|
||||
}
|
||||
|
||||
#define DCESRV_INTERFACE_NETLOGON_BIND netlogon_bind
|
||||
#define DCESRV_INTERFACE_NETLOGON_UNBIND netlogon_unbind
|
||||
|
||||
static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
||||
struct netr_ServerReqChallenge *r)
|
||||
@ -132,10 +117,7 @@ static NTSTATUS netr_ServerReqChallenge(struct dcesrv_call_state *dce_call, TALL
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
pipe_state->authenticated = False;
|
||||
pipe_state->creds = NULL;
|
||||
pipe_state->account_name = NULL;
|
||||
pipe_state->computer_name = NULL;
|
||||
|
||||
pipe_state->client_challenge = *r->in.credentials;
|
||||
|
||||
@ -220,8 +202,6 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
pipe_state->acct_flags = acct_flags;
|
||||
pipe_state->sec_chan_type = r->in.secure_channel_type;
|
||||
|
||||
*r->out.rid = samdb_result_rid_from_sid(mem_ctx, msgs[0], "objectSid", 0);
|
||||
|
||||
@ -230,12 +210,13 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
if (!pipe_state->creds) {
|
||||
if (pipe_state->creds) {
|
||||
talloc_free(pipe_state->creds);
|
||||
}
|
||||
pipe_state->creds = talloc_p(pipe_state, struct creds_CredentialState);
|
||||
if (!pipe_state->creds) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
}
|
||||
|
||||
creds_server_init(pipe_state->creds, &pipe_state->client_challenge,
|
||||
&pipe_state->server_challenge, mach_pwd,
|
||||
@ -243,27 +224,19 @@ static NTSTATUS netr_ServerAuthenticate3(struct dcesrv_call_state *dce_call, TAL
|
||||
*r->in.negotiate_flags);
|
||||
|
||||
if (!creds_server_check(pipe_state->creds, r->in.credentials)) {
|
||||
talloc_free(pipe_state->creds);
|
||||
pipe_state->creds = NULL;
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
pipe_state->authenticated = True;
|
||||
pipe_state->creds->account_name = talloc_reference(pipe_state->creds, r->in.account_name);
|
||||
|
||||
if (pipe_state->account_name) {
|
||||
/* We don't want a memory leak on this long-lived talloc context */
|
||||
talloc_free(pipe_state->account_name);
|
||||
}
|
||||
pipe_state->creds->computer_name = talloc_reference(pipe_state->creds, r->in.computer_name);
|
||||
|
||||
pipe_state->account_name = talloc_strdup(pipe_state, r->in.account_name);
|
||||
|
||||
if (pipe_state->computer_name) {
|
||||
/* We don't want a memory leak on this long-lived talloc context */
|
||||
talloc_free(pipe_state->computer_name);
|
||||
}
|
||||
|
||||
pipe_state->computer_name = talloc_strdup(pipe_state, r->in.computer_name);
|
||||
pipe_state->creds->secure_channel_type = r->in.secure_channel_type;
|
||||
|
||||
/* remember this session key state */
|
||||
nt_status = schannel_store_session_key(mem_ctx, pipe_state->computer_name, pipe_state->creds);
|
||||
nt_status = schannel_store_session_key(mem_ctx, pipe_state->creds);
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
@ -323,9 +296,6 @@ static NTSTATUS netr_creds_server_step_check(struct server_pipe_state *pipe_stat
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
if (!pipe_state->authenticated) {
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
return creds_server_step_check(pipe_state->creds,
|
||||
received_authenticator,
|
||||
return_authenticator);
|
||||
@ -365,17 +335,17 @@ static NTSTATUS netr_ServerPasswordSet(struct dcesrv_call_state *dce_call, TALLO
|
||||
/* pull the user attributes */
|
||||
num_records = samdb_search(sam_ctx, mem_ctx, NULL, &msgs, attrs,
|
||||
"(&(sAMAccountName=%s)(objectclass=user))",
|
||||
pipe_state->account_name);
|
||||
pipe_state->creds->account_name);
|
||||
|
||||
if (num_records == 0) {
|
||||
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
|
||||
pipe_state->account_name));
|
||||
pipe_state->creds->account_name));
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
|
||||
if (num_records > 1) {
|
||||
DEBUG(0,("Found %d records matching user [%s]\n", num_records,
|
||||
pipe_state->account_name));
|
||||
pipe_state->creds->account_name));
|
||||
return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
||||
}
|
||||
|
||||
@ -643,6 +613,9 @@ static NTSTATUS netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_
|
||||
|
||||
r->out.authoritative = 1;
|
||||
|
||||
/* TODO: Describe and deal with these flags */
|
||||
r->out.flags = 0;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
@ -681,6 +654,7 @@ static NTSTATUS netr_LogonSamLogonWithFlags(struct dcesrv_call_state *dce_call,
|
||||
|
||||
r->out.validation = r2.out.validation;
|
||||
r->out.authoritative = r2.out.authoritative;
|
||||
r->out.flags = r2.out.flags;
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
@ -55,7 +55,6 @@ static struct ldb_wrap *schannel_db_connect(TALLOC_CTX *mem_ctx)
|
||||
use a simple ldb structure
|
||||
*/
|
||||
NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
|
||||
const char *computer_name,
|
||||
struct creds_CredentialState *creds)
|
||||
{
|
||||
struct ldb_wrap *ldb;
|
||||
@ -63,6 +62,7 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_val val, seed;
|
||||
char *s;
|
||||
char *f;
|
||||
char *sct;
|
||||
time_t expiry = time(NULL) + SCHANNEL_CREDENTIALS_EXPIRY;
|
||||
int ret;
|
||||
|
||||
@ -85,13 +85,20 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
sct = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->secure_channel_type);
|
||||
|
||||
if (sct == NULL) {
|
||||
talloc_free(ldb);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
msg = ldb_msg_new(mem_ctx);
|
||||
if (msg == NULL) {
|
||||
talloc_free(ldb);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
msg->dn = talloc_strdup(msg, computer_name);
|
||||
msg->dn = talloc_asprintf(msg, "computerName=%s", creds->computer_name);
|
||||
if (msg->dn == NULL) {
|
||||
talloc_free(ldb);
|
||||
talloc_free(msg);
|
||||
@ -108,6 +115,9 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx,
|
||||
ldb_msg_add_value(ldb->ldb, msg, "seed", &seed);
|
||||
ldb_msg_add_string(ldb->ldb, msg, "expiry", s);
|
||||
ldb_msg_add_string(ldb->ldb, msg, "negotiateFlags", f);
|
||||
ldb_msg_add_string(ldb->ldb, msg, "secureChannelType", sct);
|
||||
ldb_msg_add_string(ldb->ldb, msg, "accountName", creds->account_name);
|
||||
ldb_msg_add_string(ldb->ldb, msg, "computerName", creds->computer_name);
|
||||
|
||||
ldb_delete(ldb->ldb, msg->dn);
|
||||
|
||||
@ -154,7 +164,7 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
expr = talloc_asprintf(mem_ctx, "(dn=%s)", computer_name);
|
||||
expr = talloc_asprintf(mem_ctx, "(dn=computerName=%s)", computer_name);
|
||||
if (expr == NULL) {
|
||||
talloc_free(ldb);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
@ -191,6 +201,12 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx,
|
||||
|
||||
(*creds)->negotiate_flags = ldb_msg_find_int(res[0], "negotiateFlags", 0);
|
||||
|
||||
(*creds)->secure_channel_type = ldb_msg_find_int(res[0], "secureChannelType", 0);
|
||||
|
||||
(*creds)->account_name = talloc_reference(*creds, ldb_msg_find_string(res[0], "accountName", NULL));
|
||||
|
||||
(*creds)->computer_name = talloc_reference(*creds, ldb_msg_find_string(res[0], "computerName", NULL));
|
||||
|
||||
talloc_free(ldb);
|
||||
|
||||
return NT_STATUS_OK;
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user