This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
user_info->client.domain_name,
user_info->workstation_name,
user_info->remote_host,
+ user_info->local_host,
user_info->service_description,
user_info->password.response.lanman.data ? &user_info->password.response.lanman : NULL,
user_info->password.response.nt.data ? &user_info->password.response.nt : NULL,
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
result = make_user_info(mem_ctx, user_info, smb_name, internal_username,
client_domain, domain, workstation_name,
- remote_address, service_description,
- lm_pwd, nt_pwd,
+ remote_address, local_address,
+ service_description, lm_pwd, nt_pwd,
lm_interactive_pwd, nt_interactive_pwd,
plaintext, password_state);
if (NT_STATUS_IS_OK(result)) {
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
uint32_t logon_parameters,
const uchar *lm_network_pwd,
int lm_pwd_len,
smb_name, client_domain,
workstation_name,
remote_address,
+ local_address,
"SamLogon",
lm_pwd_len ? &lm_blob : NULL,
nt_pwd_len ? &nt_blob : NULL,
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
uint32_t logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
user_info,
smb_name, client_domain, workstation_name,
remote_address,
+ local_address,
"SamLogon",
lm_interactive_pwd ? &local_lm_blob : NULL,
nt_interactive_pwd ? &local_nt_blob : NULL,
const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const uint8_t chal[8],
DATA_BLOB plaintext_password)
user_info, smb_name, smb_name, client_domain, client_domain,
get_remote_machine_name(),
remote_address,
+ local_address,
service_description,
local_lm_blob.data ? &local_lm_blob : NULL,
local_nt_blob.data ? &local_nt_blob : NULL,
const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
return make_user_info(mem_ctx,
user_info, smb_name, smb_name,
- client_domain, client_domain,
+ client_domain, client_domain,
get_remote_machine_name(),
remote_address,
+ local_address,
service_description,
lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
bool make_user_info_guest(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct auth_usersupplied_info **user_info)
{
"","",
"",
remote_address,
+ local_address,
service_description,
NULL, NULL,
NULL, NULL,
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
uint32_t logon_parameters,
const uchar *lm_network_pwd,
int lm_pwd_len,
const char *client_domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
uint32_t logon_parameters,
const uchar chal[8],
const uchar lm_interactive_pwd[16],
const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const uint8_t chal[8],
DATA_BLOB plaintext_password);
const char *smb_name,
const char *client_domain,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
DATA_BLOB lm_resp, DATA_BLOB nt_resp);
bool make_user_info_guest(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct auth_usersupplied_info **user_info);
const char *domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
const char *domain,
const char *workstation_name,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
const DATA_BLOB *lm_pwd,
const DATA_BLOB *nt_pwd,
return NT_STATUS_NO_MEMORY;
}
+ if (local_address != NULL) {
+ user_info->local_host = tsocket_address_copy(local_address,
+ user_info);
+ if (user_info->local_host == NULL) {
+ TALLOC_FREE(user_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
user_info->service_description = talloc_strdup(user_info, service_description);
if (user_info->service_description == NULL) {
TALLOC_FREE(user_info);
status = rpcint_binding_handle(tmp_ctx,
&ndr_table_epmapper,
local,
+ NULL,
get_session_info_system(),
msg_ctx,
&h);
&ndr_table_winreg,
session_info,
NULL,
+ NULL,
msg_ctx,
&winreg_pipe);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
fsp->conn->session_info,
fsp->conn->sconn->remote_address,
+ fsp->conn->sconn->local_address,
fsp->conn->sconn->msg_ctx,
&fsp->conn->spoolss_pipe);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&conn->spoolss_pipe);
if (!NT_STATUS_IS_OK(status)) {
status = rpcint_binding_handle(mem_ctx,
&ndr_table_winreg,
local,
+ NULL,
session_info,
msg_ctx,
&binding_handle);
status = rpcint_binding_handle(p->mem_ctx,
&ndr_table_lsarpc,
p->remote_address,
+ p->local_address,
p->session_info,
p->msg_ctx,
&h);
status = rpcint_binding_handle(mem_ctx,
&ndr_table_samr,
local,
+ NULL,
session_info,
msg_ctx,
&h);
status = rpcint_binding_handle(mem_ctx,
&ndr_table_samr,
local,
+ NULL,
session_info,
msg_ctx,
&h);
nt_username, nt_domain,
wksname,
p->remote_address,
+ p->local_address,
logon->network->identity_info.parameter_control,
logon->network->lm.data,
logon->network->lm.length,
nt_username, nt_domain,
nt_workstation,
p->remote_address,
+ p->local_address,
logon->password->identity_info.parameter_control,
chal,
logon->password->lmpassword.hash,
struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
const struct ndr_syntax_id *syntax,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx)
{
ret = make_base_pipes_struct(mem_ctx, msg_ctx, pipe_name,
NCALRPC, RPC_LITTLE_ENDIAN,
- remote_address, NULL, &p);
+ remote_address, local_address, &p);
if (ret) {
DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
return NULL;
const struct ndr_syntax_id *abstract_syntax,
const struct ndr_interface_table *ndr_table,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
struct dcerpc_binding_handle **binding_handle)
hs->p = make_internal_rpc_pipe_p(hs,
abstract_syntax,
remote_address,
+ local_address,
session_info,
msg_ctx);
if (hs->p == NULL) {
NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *ndr_table,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
struct dcerpc_binding_handle **binding_handle)
{
return rpcint_binding_handle_ex(mem_ctx, NULL, ndr_table, remote_address,
- session_info, msg_ctx, binding_handle);
+ local_address, session_info,
+ msg_ctx, binding_handle);
}
/**
const struct ndr_interface_table *ndr_table,
const struct auth_session_info *session_info,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct messaging_context *msg_ctx,
struct rpc_pipe_client **presult)
{
status = rpcint_binding_handle(result,
ndr_table,
remote_address,
+ local_address,
session_info,
msg_ctx,
&result->binding_handle);
const struct ndr_interface_table *table,
const struct auth_session_info *session_info,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct messaging_context *msg_ctx,
struct rpc_pipe_client **cli_pipe)
{
case RPC_SERVICE_MODE_EMBEDDED:
status = rpc_pipe_open_internal(tmp_ctx,
table, session_info,
- remote_address, msg_ctx,
+ remote_address, local_address,
+ msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
goto done;
struct pipes_struct *make_internal_rpc_pipe_p(TALLOC_CTX *mem_ctx,
const struct ndr_syntax_id *syntax,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx);
struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
NTSTATUS rpcint_binding_handle(TALLOC_CTX *mem_ctx,
const struct ndr_interface_table *ndr_table,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const struct auth_session_info *session_info,
struct messaging_context *msg_ctx,
struct dcerpc_binding_handle **binding_handle);
const struct ndr_interface_table *table,
const struct auth_session_info *session_info,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct messaging_context *msg_ctx,
struct rpc_pipe_client **cli_pipe);
const struct ndr_interface_table *ndr_table,
const struct auth_session_info *session_info,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct messaging_context *msg_ctx,
struct rpc_pipe_client **presult);
struct dcerpc_ncacn_listen_state *state =
talloc_get_type_abort(private_data,
struct dcerpc_ncacn_listen_state);
- struct tsocket_address *cli_addr = NULL;
+ struct tsocket_address *cli_addr = NULL, *srv_addr = NULL;
struct sockaddr_un sunaddr;
struct sockaddr *addr = (struct sockaddr *)(void *)&sunaddr;
socklen_t len = sizeof(sunaddr);
+ struct sockaddr_un sunaddr_server;
+ struct sockaddr *addr_server = (struct sockaddr *)(void *)&sunaddr_server;
+ socklen_t len_server = sizeof(sunaddr_server);
int sd = -1;
int rc;
ZERO_STRUCT(sunaddr);
+ ZERO_STRUCT(sunaddr_server);
sd = accept(state->fd, addr, &len);
if (sd == -1) {
return;
}
- DEBUG(10, ("Accepted ncalrpc socket %d\n", sd));
+ rc = getsockname(sd, addr_server, &len_server);
+ if (rc < 0) {
+ close(sd);
+ return;
+ }
+
+ rc = tsocket_address_bsd_from_sockaddr(state,
+ addr_server,
+ len_server,
+ &srv_addr);
+ if (rc < 0) {
+ close(sd);
+ return;
+ }
+
+ DEBUG(10, ("Accepted ncalrpc socket %s (fd: %d)\n",
+ sunaddr.sun_path, sd));
dcerpc_ncacn_accept(state->ev_ctx,
state->msg_ctx,
NCALRPC,
state->ep.name,
- cli_addr, NULL, sd,
+ cli_addr, srv_addr, sd,
state->disconnect_fn);
}
ncacn_conn);
}
if (ncacn_conn->client_name == NULL) {
- DEBUG(0, ("Out of memory!\n"));
+ DEBUG(0, ("Out of memory obtaining remote socket address as a string!\n"));
talloc_free(ncacn_conn);
close(s);
return;
if (srv_addr != NULL) {
ncacn_conn->server = talloc_move(ncacn_conn, &srv_addr);
- ncacn_conn->server_name =
- tsocket_address_inet_addr_string(ncacn_conn->server,
- ncacn_conn);
+ if (tsocket_address_is_inet(ncacn_conn->server, "ip")) {
+ ncacn_conn->server_name =
+ tsocket_address_inet_addr_string(ncacn_conn->server,
+ ncacn_conn);
+ } else {
+ ncacn_conn->server_name =
+ tsocket_address_unix_path(ncacn_conn->server,
+ ncacn_conn);
+ }
if (ncacn_conn->server_name == NULL) {
- DEBUG(0, ("Out of memory!\n"));
+ DEBUG(0, ("Out of memory obtaining local socket address as a string!\n"));
talloc_free(ncacn_conn);
close(s);
return;
"/root/ncalrpc_as_system",
&ncacn_conn->client);
if (rc < 0) {
- DEBUG(0, ("Out of memory!\n"));
+ DEBUG(0, ("Out of memory building magic ncalrpc_as_system path!\n"));
talloc_free(ncacn_conn);
close(s);
return;
ncacn_conn->client_name = tsocket_address_unix_path(ncacn_conn->client,
ncacn_conn);
if (ncacn_conn->client == NULL) {
- DEBUG(0, ("Out of memory!\n"));
+ DEBUG(0, ("Out of memory getting magic ncalrpc_as_system string!\n"));
talloc_free(ncacn_conn);
close(s);
return;
ncacn_conn->send_queue = tevent_queue_create(ncacn_conn,
"dcerpc send queue");
if (ncacn_conn->send_queue == NULL) {
- DEBUG(0, ("Out of memory!\n"));
+ DEBUG(0, ("Out of memory building dcerpc send queue!\n"));
talloc_free(ncacn_conn);
return;
}
status = rpcint_binding_handle(mem_ctx,
&ndr_table_winreg,
local,
+ NULL,
session_info,
msg_ctx,
winreg_binding_handle);
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
status = rpc_pipe_open_interface(
talloc_tos(), &ndr_table_samr,
conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
+ conn->sconn->local_address, conn->sconn->msg_ctx, &samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("api_RNetUserEnum: Could not connect to samr: %s\n",
nt_errstr(status)));
status = rpc_pipe_open_interface(
talloc_tos(), &ndr_table_samr,
conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
+ conn->sconn->local_address, conn->sconn->msg_ctx, &samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("api_RNetUserEnum: Could not connect to samr: %s\n",
nt_errstr(status)));
status = rpc_pipe_open_interface(
talloc_tos(), &ndr_table_samr,
conn->session_info, conn->sconn->remote_address,
- conn->sconn->msg_ctx, &samr_pipe);
+ conn->sconn->local_address, conn->sconn->msg_ctx, &samr_pipe);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("api_RNetUserEnum: Could not connect to samr: %s\n",
nt_errstr(status)));
status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
status = rpc_pipe_open_interface(mem_ctx, &ndr_table_srvsvc,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
status = rpc_pipe_open_interface(mem_ctx, &ndr_table_samr,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_srvsvc,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
&ndr_table_spoolss,
conn->session_info,
conn->sconn->remote_address,
+ conn->sconn->local_address,
conn->sconn->msg_ctx,
&cli);
if (!NT_STATUS_IS_OK(status)) {
****************************************************************************/
static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
auth_context->get_ntlm_challenge(auth_context,
chal);
- if (!make_user_info_guest(talloc_tos(), remote_address, "SMB",
- &user_info)) {
+ if (!make_user_info_guest(talloc_tos(), remote_address, local_address,
+ "SMB", &user_info)) {
TALLOC_FREE(auth_context);
return NT_STATUS_NO_MEMORY;
}
if (!*user) {
- nt_status = check_guest_password(sconn->remote_address, req, &session_info);
+ nt_status = check_guest_password(sconn->remote_address,
+ sconn->local_address,
+ req, &session_info);
} else if (doencrypt) {
struct auth4_context *negprot_auth_context = NULL;
&user_info, user,
domain,
sconn->remote_address,
+ sconn->local_address,
"SMB",
lm_resp, nt_resp);
user_info->auth_description = "bare-NTLM";
&user_info,
user, domain,
sconn->remote_address,
+ sconn->local_address,
"SMB",
chal,
plaintext_password)) {
struct auth_context *auth_context;
static const uint8_t challenge_8[8] = {1, 2, 3, 4, 5, 6, 7, 8};
DATA_BLOB challenge = data_blob_const(challenge_8, sizeof(challenge_8));
- struct tsocket_address *tsocket_address;
+ struct tsocket_address *remote_address;
+ struct tsocket_address *local_address;
unsigned char local_nt_response[24];
DATA_BLOB nt_resp = data_blob_const(local_nt_response, sizeof(local_nt_response));
unsigned char local_nt_session_key[16];
local_nt_response);
SMBsesskeygen_ntv1(pdb_get_nt_passwd(pdb_entry), local_nt_session_key);
- if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &tsocket_address) != 0) {
+ if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &remote_address) != 0) {
return False;
}
-
+
+ if (tsocket_address_inet_from_strings(NULL, "ip", NULL, 0, &local_address) != 0) {
+ return False;
+ }
+
status = make_user_info(mem_ctx,
&user_info, pdb_get_username(pdb_entry), pdb_get_username(pdb_entry),
- pdb_get_domain(pdb_entry), pdb_get_domain(pdb_entry), lp_netbios_name(),
- tsocket_address, "pdbtest",
+ pdb_get_domain(pdb_entry), pdb_get_domain(pdb_entry), lp_netbios_name(),
+ remote_address,local_address, "pdbtest",
NULL, &nt_resp, NULL, NULL, NULL,
AUTH_PASSWORD_RESPONSE);
if (!NT_STATUS_IS_OK(status)) {
table,
session_info,
NULL,
+ NULL,
winbind_messaging_context(),
&cli);
} else {
table,
session_info,
NULL,
+ NULL,
winbind_messaging_context(),
&cli);
}
* here.
*/
status = make_user_info(frame, &user_info, user, user, domain, domain,
- lp_netbios_name(), local,
+ lp_netbios_name(), local, local,
"winbind",
lm_resp, nt_resp, NULL, NULL,
NULL, AUTH_PASSWORD_RESPONSE);
}
}
+ if (call->conn->local_address != NULL) {
+ status = gensec_set_local_address(auth->gensec_security,
+ call->conn->local_address);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to call gensec_set_local_address() %s\n",
+ nt_errstr(status)));
+ return false;
+ }
+ }
+
status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_type,
auth->auth_level);
if (!NT_STATUS_IS_OK(status)) {