1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-27 03:21:53 +03:00
Commit Graph

627 Commits

Author SHA1 Message Date
Volker Lendecke
ad5aabf8a1 rpc_client: Use common "goto fail" for all error cases
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
2745f6ec74 rpc_client: Fix an error path memleak in rpc_pipe_open_ncalrpc()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Volker Lendecke
d51b4ac527 rpc_client: Error from rpc_pipe_open_ncalrpc() for path overflow
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-01-12 00:10:30 +00:00
Andreas Schneider
1298280a22 auth:creds: Rename CRED_USE_KERBEROS values
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2020-11-03 15:25:37 +00:00
Stefan Metzmacher
19ef9c40f1 s3:rpc_client: reverse rpccli_{is_connected,set_timeout}() and rpccli_bh_{is_connected,set_timeout}()
rpccli->transport should never be used directly,
everything should go via the binding handle.

Internal pipes don't have a transport, so p->transport is always
NULL. rpccli_is_connected() checks this and this causes all SAMR and LSA
requests for the local domain to be processed a second time by the triggered
retry logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14457

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2020-08-08 09:36:28 +00:00
Stefan Metzmacher
1aaf32c327 s3:cli_pipe: remove unused cli_rpc_pipe_open_generic_auth()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-28 06:43:38 +00:00
Stefan Metzmacher
ee4eab14f1 s3:cli_pipe: improve debug messages in cli_rpc_pipe_open_with_creds()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-28 06:43:38 +00:00
Stefan Metzmacher
6e6e0bc638 s3:cli_pipe: remove unused 'use_kerberos' from cli_rpc_pipe_open_generic_auth()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2020-05-28 06:43:37 +00:00
Volker Lendecke
5d8493f5b4 rpc_client: Don't pass a NULL string to talloc_asprintf
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2019-10-02 08:01:40 +00:00
Noel Power
6831b6ba6f s3/rpc_client: clang: Fix 'Value stored during initialization is never read'
Fixes:

source3/rpc_client/cli_pipe.c:397:11: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        NTSTATUS ret = NT_STATUS_OK;
                 ^~~   ~~~~~~~~~~~~

source3/rpc_client/cli_pipe.c🔢11: warning: Value stored to 'ret' during its initialization is never read <--[clang]
        NTSTATUS ret = NT_STATUS_OK;
                 ^~~   ~~~~~~~~~~~~

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-09-26 18:41:26 +00:00
Volker Lendecke
39bdd175e9 libsmb: Give namequery.c its own header
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2018-04-11 01:06:39 +02:00
Volker Lendecke
32e823e08d netlogon_creds_cli: Pass "capabilities" up from creds_cli_check
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00
Volker Lendecke
de2279df55 rpcclient3: Factor out cli_rpc_pipe_open_bind_schannel()
This will be used for the "fast path" to netlogon when we already have
credentials.

This slightly widens the area of code covered by the netlogon_creds
lock: cli_rpc_pipe_open is now also covered by the lock.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:13 +02:00
Volker Lendecke
f6e39450f5 netlogon_creds_cli: Protect netlogon_creds_cli_check by _lck
netlogon_creds_cli_lck provides the locking around the operation

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
4b97de8adb rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
fa53617542 netlogon_creds_cli: Simplify netlogon_creds_cli_delete
Don't implicitly TALLOC_FREE(creds) in the pure delete routine

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-25 09:43:12 +02:00
Volker Lendecke
2591e320c0 rpc_client3: Fix a debug message
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-09-16 08:36:17 +02:00
Stefan Metzmacher
15a7f961da s3:cli_pipe: ask for GENSEC_FEATURE_SIGN_PKT_HEADER after the gensec_update() dance
Most features should be added before the update() dance, while
GENSEC_FEATURE_SIGN_PKT_HEADER needs to be after the dance on the client
side.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2017-05-21 21:05:09 +02:00
Andreas Schneider
8989725b67 s3-rpc_client: Pass NULL as no password
GENSEC expects NULL as no password.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 20 17:37:56 CET 2016 on sn-devel-144
2016-12-20 17:37:56 +01:00
Günther Deschner
bc0aa242c5 s3-rpc_cli: Support the use of the object_uuid in rpc_cli interfaces
Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-11-24 20:24:26 +01:00
Günther Deschner
77fde816c3 s3:cli_pipe: add support for DCERPC_AUTH_LEVEL_PACKET
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Guenther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:16 +02:00
Stefan Metzmacher
ab7868a964 s3:librpc: move NDR_PRINT_DEBUG() into the caller of dcerpc_pull_ncacn_packet()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:13 +02:00
Stefan Metzmacher
1bfba2c516 s3:librpc: remove bigendian argument from dcerpc_pull_ncacn_packet()
We should get this from the packet itself.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2016-10-26 11:20:13 +02:00
Stefan Metzmacher
d491c6c496 s3:rpc_client: remove unused rpc_pipe_client->max_recv_frag
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-06-24 14:09:01 +02:00
Stefan Metzmacher
7e0b9c2f4b CVE-2015-5370: s3:rpc_client: disconnect connection on protocol errors
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f37f965e23 CVE-2015-5370: s3:rpc_client: verify auth_context_id in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
f56428760a CVE-2015-5370: s3:rpc_client: make use of pipe_auth_data->auth_context_id
This is better than using hardcoded values.
We need to use auth_context_id = 1 for authenticated
connections, as old Samba server (before this patchset)
will use a hardcoded value of 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
69236215a9 CVE-2015-5370: s3:rpc_client: pass struct pipe_auth_data to create_rpc_{bind_auth3,alter_context}()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:32 +02:00
Stefan Metzmacher
2e561921bc CVE-2015-5370: s3:rpc_client: verify auth_{type,level} in rpc_pipe_bind_step_one_done()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
574eca7655 CVE-2015-5370: s3:rpc_client: protect rpc_api_pipe_got_pdu() against too large payloads
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
a4811d325a CVE-2015-5370: s3:rpc_client: make use of dcerpc_verify_ncacn_packet_header() in cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
712320489d CVE-2015-5370: s3:rpc_client: make use of dcerpc_pull_auth_trailer()
The does much more validation than dcerpc_pull_dcerpc_auth().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
642fe0aa16 CVE-2015-5370: s3:librpc/rpc: remove auth trailer and possible padding within dcerpc_check_auth()
This simplifies the callers a lot.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:31 +02:00
Stefan Metzmacher
8cba1c3550 CVE-2015-5370: s3:rpc_client: remove useless frag_length check in rpc_api_pipe_got_pdu()
dcerpc_pull_ncacn_packet() already verifies this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
6cef082193 CVE-2015-5370: s3:rpc_client: move AS/U hack to the top of cli_pipe_validate_current_pdu()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11344

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
2016-04-12 19:25:29 +02:00
Stefan Metzmacher
b2e042ad96 s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes()
The padding needs to be relative to the payload start not to the pdu start.
We also need align the padding to DCERPC_AUTH_PAD_ALIGNMENT (16 bytes).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11061

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2015-06-23 14:38:53 +02:00
Volker Lendecke
d87fd39501 Use tevent_req_poll_ntstatus
Kill 41 lines ..

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-18 02:34:24 +02:00
Richard Sharpe
8bcdd677ce Convert all uses of uint32/16/8 to _t in source3/rpc_client.
Signed-off-by: Richard Sharpe <rsharpe@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-05-12 01:32:12 +02:00
Stefan Metzmacher
7d36141ba3 s3:rpc_client: remove unused cli_rpc_pipe_open_schannel_with_key()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
2015-03-12 17:13:43 +01:00
Stefan Metzmacher
fb42b02c9f s3:rpc_client: add cli_rpc_pipe_open_schannel_with_creds() helper function
This will simplify the callers and add potential support for SEC_CHAN_DNS_DOMAIN
as cli_credentials_get_realm() will return the correct value compared to
cli_credentials_get_domain().

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-12-19 13:15:13 +01:00
Andrew Bartlett
295b323b1c s3-librpc: Add cli_rpc_pipe_open_with_creds()
This provides a credentials-based interface.  In the long term, we
will want to change this not to reference the credentials, but for now
this suits the caller in winbindd_cm.c

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-17 12:57:07 +02:00
Andrew Bartlett
6f97237edb s3-rpc_client: Migrate to cli_rpc_pipe_open_generic_auth and remove cli_rpc_pipe_open_spnego
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Oct  8 03:36:52 CEST 2014 on sn-devel-104
2014-10-08 03:36:52 +02:00
Andrew Bartlett
8166ecaaa0 s3-rpc_client: Adapt cli_rpc_pipe_open_generic_auth to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials structure in winbindd, once we merge this with cli_rpc_pipe_open_spnego().

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
74dcde5347 s3-rpc_client: Adapt cli_rpc_pipe_open_spnego to use enum credentials_kerberos_state
This allows us to pass this value in directly from the cli_credentials
structure in winbindd.

Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-10-08 01:09:51 +02:00
Andrew Bartlett
d0a0af3550 librpc: gensec is our security provider abstraction, remove a void *
Andrew Bartlett

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
f8643b9f5f librpc: Remove user/domain from struct pipe_auth_data
This does require that we always fill in the gensec pointer, but the
simplification is worth the extra allocations.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2014-09-27 01:35:36 +02:00
Andrew Bartlett
8485cc9448 s3-rpc_client: Do not give NT_STATUS_NO_MEMORY when the source string was NULL
Change-Id: I25a4dcc2239267ee7c219e965693027ca2981983
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
2014-09-01 00:36:42 +02:00
Stefan Metzmacher
6a5cd1857f s3:rpc_client: Use gensec for NCALRPC_AS_SYSTEM.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
2ed1789e4d s3:rpc_client: pass everything to gensec by default
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2014-04-24 11:21:05 +02:00
Stefan Metzmacher
2103c373b4 auth/gensec: remove tevent_context argument from gensec_update()
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2014-03-27 00:36:32 +01:00