source4/winbind/wb_connect_lsa.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Connect to the LSA pipe, given an smbcli_tree and possibly some
   5    credentials. Try ntlmssp, schannel and anon in that order.
   6
   7    Copyright (C) Volker Lendecke 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/composite/composite.h"
  26
  27 #include "libcli/raw/libcliraw.h"
  28 #include "librpc/gen_ndr/ndr_lsa_c.h"
  29
  30 /* Helper to initialize LSA with a specific auth methods. Verify by opening
  31  * the LSA policy. */
  32
  33 struct init_lsa_state {
  34         struct composite_context *ctx;
  35         struct dcerpc_pipe *lsa_pipe;
  36
  37         uint8_t auth_type;
  38         struct cli_credentials *creds;
  39
  40         struct lsa_ObjectAttribute objectattr;
  41         struct lsa_OpenPolicy2 openpolicy;
  42         struct policy_handle *handle;
  43 };
  44
  45 static void init_lsa_recv_pipe(struct composite_context *ctx);
  46 static void init_lsa_recv_anon_bind(struct composite_context *ctx);
  47 static void init_lsa_recv_auth_bind(struct composite_context *ctx);
  48 static void init_lsa_recv_openpol(struct rpc_request *req);
  49
  50 struct composite_context *wb_init_lsa_send(TALLOC_CTX *mem_ctx,
  51                                            struct smbcli_tree *tree,
  52                                            uint8_t auth_type,
  53                                            struct cli_credentials *creds)
  54 {
  55         struct composite_context *result, *ctx;
  56         struct init_lsa_state *state;
  57
  58         result = composite_create(mem_ctx, tree->session->transport->socket->event.ctx);
  59         if (result == NULL) goto failed;
  60
  61         state = talloc(result, struct init_lsa_state);
  62         if (state == NULL) goto failed;
  63         state->ctx = result;
  64         result->private_data = state;
  65
  66         state->auth_type = auth_type;
  67         state->creds = creds;
  68
  69         state->lsa_pipe = dcerpc_pipe_init(state, result->event_ctx);
  70         if (state->lsa_pipe == NULL) goto failed;
  71
  72         ctx = dcerpc_pipe_open_smb_send(state->lsa_pipe, tree,
  73                                         "\\lsarpc");
  74         ctx->async.fn = init_lsa_recv_pipe;
  75         ctx->async.private_data = state;
  76         return result;
  77
  78  failed:
  79         talloc_free(result);
  80         return NULL;
  81 }
  82
  83 static void init_lsa_recv_pipe(struct composite_context *ctx)
  84 {
  85         struct init_lsa_state *state =
  86                 talloc_get_type(ctx->async.private_data,
  87                                 struct init_lsa_state);
  88
  89         state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
  90         if (!composite_is_ok(state->ctx)) return;
  91
  92         switch (state->auth_type) {
  93         case DCERPC_AUTH_TYPE_NONE:
  94                 ctx = dcerpc_bind_auth_none_send(state, state->lsa_pipe,
  95                                                  &dcerpc_table_lsarpc);
  96                 composite_continue(state->ctx, ctx, init_lsa_recv_anon_bind,
  97                                    state);
  98                 break;
  99         case DCERPC_AUTH_TYPE_NTLMSSP:
 100         case DCERPC_AUTH_TYPE_SCHANNEL:
 101         {
 102                 uint8_t auth_type;
 103                 if (lp_winbind_sealed_pipes()) {
 104                         auth_type = DCERPC_AUTH_LEVEL_PRIVACY;
 105                 } else {
 106                         auth_type = DCERPC_AUTH_LEVEL_INTEGRITY;
 107                 }
 108                 if (state->creds == NULL) {
 109                         composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 110                         return;
 111                 }
 112                 ctx = dcerpc_bind_auth_send(state, state->lsa_pipe,
 113                                             &dcerpc_table_lsarpc,
 114                                             state->creds, state->auth_type,
 115                                             auth_type,
 116                                             NULL);
 117                 composite_continue(state->ctx, ctx, init_lsa_recv_auth_bind,
 118                                    state);
 119                 break;
 120         }
 121         default:
 122                 composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 123         }
 124 }
 125
 126 static void init_lsa_recv_anon_bind(struct composite_context *ctx)
 127 {
 128         struct init_lsa_state *state =
 129                 talloc_get_type(ctx->async.private_data,
 130                                 struct init_lsa_state);
 131         struct rpc_request *req;
 132
 133         state->ctx->status = dcerpc_bind_auth_none_recv(ctx);
 134         if (!composite_is_ok(state->ctx)) return;
 135
 136         state->handle = talloc(state, struct policy_handle);
 137         if (composite_nomem(state->handle, state->ctx)) return;
 138
 139         state->openpolicy.in.system_name =
 140                 talloc_asprintf(state, "\\\\%s",
 141                                 dcerpc_server_name(state->lsa_pipe));
 142         ZERO_STRUCT(state->objectattr);
 143         state->openpolicy.in.attr = &state->objectattr;
 144         state->openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 145         state->openpolicy.out.handle = state->handle;
 146
 147         req = dcerpc_lsa_OpenPolicy2_send(state->lsa_pipe, state,
 148                                           &state->openpolicy);
 149         composite_continue_rpc(state->ctx, req, init_lsa_recv_openpol, state);
 150 }
 151
 152 static void init_lsa_recv_auth_bind(struct composite_context *ctx)
 153 {
 154         struct init_lsa_state *state =
 155                 talloc_get_type(ctx->async.private_data,
 156                                 struct init_lsa_state);
 157         struct rpc_request *req;
 158
 159         state->ctx->status = dcerpc_bind_auth_recv(ctx);
 160         if (!composite_is_ok(state->ctx)) return;
 161
 162         state->handle = talloc(state, struct policy_handle);
 163         if (composite_nomem(state->handle, state->ctx)) return;
 164
 165         state->openpolicy.in.system_name =
 166                 talloc_asprintf(state, "\\\\%s",
 167                                 dcerpc_server_name(state->lsa_pipe));
 168         ZERO_STRUCT(state->objectattr);
 169         state->openpolicy.in.attr = &state->objectattr;
 170         state->openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 171         state->openpolicy.out.handle = state->handle;
 172
 173         req = dcerpc_lsa_OpenPolicy2_send(state->lsa_pipe, state,
 174                                           &state->openpolicy);
 175         composite_continue_rpc(state->ctx, req, init_lsa_recv_openpol, state);
 176 }
 177
 178 static void init_lsa_recv_openpol(struct rpc_request *req)
 179 {
 180         struct init_lsa_state *state =
 181                 talloc_get_type(req->async.private_data,
 182                                 struct init_lsa_state);
 183
 184         state->ctx->status = dcerpc_ndr_request_recv(req);
 185         if (!composite_is_ok(state->ctx)) return;
 186         state->ctx->status = state->openpolicy.out.result;
 187         if (!composite_is_ok(state->ctx)) return;
 188
 189         composite_done(state->ctx);
 190 }
 191
 192 NTSTATUS wb_init_lsa_recv(struct composite_context *c,
 193                           TALLOC_CTX *mem_ctx,
 194                           struct dcerpc_pipe **lsa_pipe,
 195                           struct policy_handle **lsa_policy)
 196 {
 197         NTSTATUS status = composite_wait(c);
 198         if (NT_STATUS_IS_OK(status)) {
 199                 struct init_lsa_state *state =
 200                         talloc_get_type(c->private_data,
 201                                         struct init_lsa_state);
 202                 *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
 203                 *lsa_policy = talloc_steal(mem_ctx, state->handle);
 204         }
 205         talloc_free(c);
 206         return status;
 207 }
 208
 209
 210 /*
 211  * Connect to LSA using the credentials, try NTLMSSP and SCHANNEL using the
 212  * given credentials. If both fail or no credentials are available, fall back
 213  * to an anonymous bind.
 214  */
 215
 216 struct connect_lsa_state {
 217         struct composite_context *ctx;
 218         struct smbcli_tree *tree;
 219         struct cli_credentials *credentials;
 220
 221         uint8_t auth_type;
 222         struct dcerpc_pipe *lsa_pipe;
 223         struct policy_handle *lsa_policy;
 224 };
 225
 226 static void connect_lsa_recv_ntlmssp(struct composite_context *ctx);
 227 static void connect_lsa_recv_schannel(struct composite_context *ctx);
 228 static void connect_lsa_recv_anon(struct composite_context *ctx);
 229
 230 struct composite_context *wb_connect_lsa_send(TALLOC_CTX *mem_ctx,
 231                                               struct smbcli_tree *tree,
 232                                               struct cli_credentials *credentials)
 233 {
 234         struct composite_context *result, *ctx;
 235         struct connect_lsa_state *state;
 236
 237         result = composite_create(mem_ctx, tree->session->transport->socket->event.ctx);
 238         if (result == NULL) goto failed;
 239
 240         state = talloc(result, struct connect_lsa_state);
 241         if (state == NULL) goto failed;
 242         state->ctx = result;
 243         result->private_data = state;
 244
 245         state->tree = tree;
 246         state->credentials = credentials;
 247
 248         if (credentials == NULL) {
 249                 ctx = wb_init_lsa_send(state, tree, DCERPC_AUTH_TYPE_NONE,
 250                                        NULL);
 251                 if (ctx == NULL) goto failed;
 252                 ctx->async.fn = connect_lsa_recv_anon;
 253                 ctx->async.private_data = state;
 254                 return result;
 255         }
 256
 257         ctx = wb_init_lsa_send(state, tree, DCERPC_AUTH_TYPE_NTLMSSP,
 258                                credentials);
 259         if (ctx == NULL) goto failed;
 260         ctx->async.fn = connect_lsa_recv_ntlmssp;
 261         ctx->async.private_data = state;
 262         return result;
 263
 264  failed:
 265         talloc_free(result);
 266         return NULL;
 267 }
 268
 269 static void connect_lsa_recv_ntlmssp(struct composite_context *ctx)
 270 {
 271         struct connect_lsa_state *state =
 272                 talloc_get_type(ctx->async.private_data,
 273                                 struct connect_lsa_state);
 274
 275         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 276                                               &state->lsa_policy);
 277
 278         if (NT_STATUS_IS_OK(state->ctx->status)) {
 279                 state->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
 280                 composite_done(state->ctx);
 281                 return;
 282         }
 283
 284         ctx = wb_init_lsa_send(state, state->tree, DCERPC_AUTH_TYPE_SCHANNEL,
 285                                state->credentials);
 286         composite_continue(state->ctx, ctx,
 287                            connect_lsa_recv_schannel, state);
 288 }
 289
 290 static void connect_lsa_recv_schannel(struct composite_context *ctx)
 291 {
 292         struct connect_lsa_state *state =
 293                 talloc_get_type(ctx->async.private_data,
 294                                 struct connect_lsa_state);
 295
 296         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 297                                               &state->lsa_policy);
 298
 299         if (NT_STATUS_IS_OK(state->ctx->status)) {
 300                 state->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 301                 composite_done(state->ctx);
 302                 return;
 303         }
 304
 305         ctx = wb_init_lsa_send(state, state->tree, DCERPC_AUTH_TYPE_NONE,
 306                                state->credentials);
 307         composite_continue(state->ctx, ctx,
 308                            connect_lsa_recv_anon, state);
 309 }
 310
 311 static void connect_lsa_recv_anon(struct composite_context *ctx)
 312 {
 313         struct connect_lsa_state *state =
 314                 talloc_get_type(ctx->async.private_data,
 315                                 struct connect_lsa_state);
 316
 317         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 318                                               &state->lsa_policy);
 319         if (!composite_is_ok(state->ctx)) return;
 320
 321         state->auth_type = DCERPC_AUTH_TYPE_NONE;
 322         composite_done(state->ctx);
 323 }
 324
 325 NTSTATUS wb_connect_lsa_recv(struct composite_context *c,
 326                              TALLOC_CTX *mem_ctx,
 327                              uint8_t *auth_type,
 328                              struct dcerpc_pipe **lsa_pipe,
 329                              struct policy_handle **lsa_policy)
 330 {
 331         NTSTATUS status = composite_wait(c);
 332         if (NT_STATUS_IS_OK(status)) {
 333                 struct connect_lsa_state *state =
 334                         talloc_get_type(c->private_data,
 335                                         struct connect_lsa_state);
 336                 *auth_type = state->auth_type;
 337                 *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
 338                 *lsa_policy = talloc_steal(mem_ctx, state->lsa_policy);
 339         }
 340         talloc_free(c);
 341         return status;
 342 }
 343
 344 NTSTATUS wb_connect_lsa(TALLOC_CTX *mem_ctx,
 345                         struct smbcli_tree *tree,
 346                         struct cli_credentials *credentials,
 347                         uint8_t *auth_type,
 348                         struct dcerpc_pipe **lsa_pipe,
 349                         struct policy_handle **lsa_policy)
 350 {
 351         struct composite_context *c;
 352         c = wb_connect_lsa_send(mem_ctx, tree, credentials);
 353         return wb_connect_lsa_recv(c, mem_ctx, auth_type, lsa_pipe,
 354                                    lsa_policy);
 355 }