source4/winbind/wb_connect_lsa.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Connect to the LSA pipe, given an smbcli_tree and possibly some
   5    credentials. Try ntlmssp, schannel and anon in that order.
   6
   7    Copyright (C) Volker Lendecke 2005
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 2 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program; if not, write to the Free Software
  21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
  22 */
  23
  24 #include "includes.h"
  25 #include "libcli/composite/composite.h"
  26
  27 #include "libcli/raw/libcliraw.h"
  28 #include "librpc/gen_ndr/ndr_lsa.h"
  29
  30 /* Helper to initialize LSA with a specific auth methods. Verify by opening
  31  * the LSA policy. */
  32
  33 struct init_lsa_state {
  34         struct composite_context *ctx;
  35         struct dcerpc_pipe *lsa_pipe;
  36
  37         uint8_t auth_type;
  38         struct cli_credentials *creds;
  39
  40         struct lsa_ObjectAttribute objectattr;
  41         struct lsa_OpenPolicy2 openpolicy;
  42         struct policy_handle *handle;
  43 };
  44
  45 static void init_lsa_recv_pipe(struct composite_context *ctx);
  46 static void init_lsa_recv_openpol(struct rpc_request *req);
  47
  48 static struct composite_context *wb_init_lsa_send(struct smbcli_tree *tree,
  49                                                   uint8_t auth_type,
  50                                                   struct cli_credentials *creds)
  51 {
  52         struct composite_context *result, *ctx;
  53         struct init_lsa_state *state;
  54
  55         result = talloc(NULL, struct composite_context);
  56         if (result == NULL) goto failed;
  57         result->state = COMPOSITE_STATE_IN_PROGRESS;
  58         result->async.fn = NULL;
  59         result->event_ctx = tree->session->transport->socket->event.ctx;
  60
  61         state = talloc(result, struct init_lsa_state);
  62         if (state == NULL) goto failed;
  63         state->ctx = result;
  64         result->private_data = state;
  65
  66         state->auth_type = auth_type;
  67         state->creds = creds;
  68
  69         state->lsa_pipe = dcerpc_pipe_init(state, result->event_ctx);
  70         if (state->lsa_pipe == NULL) goto failed;
  71
  72         ctx = dcerpc_pipe_open_smb_send(state->lsa_pipe->conn, tree,
  73                                         "\\lsarpc");
  74         ctx->async.fn = init_lsa_recv_pipe;
  75         ctx->async.private_data = state;
  76         return result;
  77
  78  failed:
  79         talloc_free(result);
  80         return NULL;
  81 }
  82
  83 static void init_lsa_recv_pipe(struct composite_context *ctx)
  84 {
  85         struct init_lsa_state *state =
  86                 talloc_get_type(ctx->async.private_data,
  87                                 struct init_lsa_state);
  88         struct rpc_request *req;
  89
  90         state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
  91         if (!composite_is_ok(state->ctx)) return;
  92
  93         switch (state->auth_type) {
  94         case DCERPC_AUTH_TYPE_NONE:
  95                 state->ctx->status =
  96                         dcerpc_bind_auth_none(state->lsa_pipe,
  97                                               DCERPC_LSARPC_UUID,
  98                                               DCERPC_LSARPC_VERSION);
  99                 break;
 100         case DCERPC_AUTH_TYPE_NTLMSSP:
 101         case DCERPC_AUTH_TYPE_SCHANNEL:
 102                 if (state->creds == NULL) {
 103                         composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
 104                         return;
 105                 }
 106                 state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
 107                 state->ctx->status =
 108                         dcerpc_bind_auth_password(state->lsa_pipe,
 109                                                   DCERPC_LSARPC_UUID,
 110                                                   DCERPC_LSARPC_VERSION,
 111                                                   state->creds,
 112                                                   state->auth_type,
 113                                                   NULL);
 114                 break;
 115         default:
 116                 state->ctx->status = NT_STATUS_INTERNAL_ERROR;
 117
 118         }
 119
 120         state->handle = talloc(state, struct policy_handle);
 121         if (composite_nomem(state->handle, state->ctx)) return;
 122
 123         state->openpolicy.in.system_name =
 124                 talloc_asprintf(state, "\\\\%s",
 125                                 dcerpc_server_name(state->lsa_pipe));
 126         ZERO_STRUCT(state->objectattr);
 127         state->openpolicy.in.attr = &state->objectattr;
 128         state->openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
 129         state->openpolicy.out.handle = state->handle;
 130
 131         req = dcerpc_lsa_OpenPolicy2_send(state->lsa_pipe, state,
 132                                           &state->openpolicy);
 133         composite_continue_rpc(state->ctx, req, init_lsa_recv_openpol, state);
 134 }
 135
 136 static void init_lsa_recv_openpol(struct rpc_request *req)
 137 {
 138         struct init_lsa_state *state =
 139                 talloc_get_type(req->async.private,
 140                                 struct init_lsa_state);
 141
 142         state->ctx->status = dcerpc_ndr_request_recv(req);
 143         if (!composite_is_ok(state->ctx)) return;
 144         state->ctx->status = state->openpolicy.out.result;
 145         if (!composite_is_ok(state->ctx)) return;
 146
 147         composite_done(state->ctx);
 148 }
 149
 150 static NTSTATUS wb_init_lsa_recv(struct composite_context *c,
 151                                  TALLOC_CTX *mem_ctx,
 152                                  struct dcerpc_pipe **lsa_pipe,
 153                                  struct policy_handle **lsa_policy)
 154 {
 155         NTSTATUS status = composite_wait(c);
 156         if (NT_STATUS_IS_OK(status)) {
 157                 struct init_lsa_state *state =
 158                         talloc_get_type(c->private_data,
 159                                         struct init_lsa_state);
 160                 *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
 161                 *lsa_policy = talloc_steal(mem_ctx, state->handle);
 162         }
 163         talloc_free(c);
 164         return status;
 165 }
 166
 167
 168 /*
 169  * Connect to LSA using the credentials, try NTLMSSP and SCHANNEL using the
 170  * given credentials. If both fail or no credentials are available, fall back
 171  * to an anonymous bind.
 172  */
 173
 174 struct connect_lsa_state {
 175         struct composite_context *ctx;
 176         struct smbcli_tree *tree;
 177         struct cli_credentials *credentials;
 178
 179         uint8_t auth_type;
 180         struct dcerpc_pipe *lsa_pipe;
 181         struct policy_handle *lsa_policy;
 182 };
 183
 184 static void connect_lsa_recv_ntlmssp(struct composite_context *ctx);
 185 static void connect_lsa_recv_schannel(struct composite_context *ctx);
 186 static void connect_lsa_recv_anon(struct composite_context *ctx);
 187
 188 struct composite_context *wb_connect_lsa_send(struct smbcli_tree *tree,
 189                                               struct cli_credentials *credentials)
 190 {
 191         struct composite_context *result, *ctx;
 192         struct connect_lsa_state *state;
 193
 194         result = talloc(NULL, struct composite_context);
 195         if (result == NULL) goto failed;
 196         result->state = COMPOSITE_STATE_IN_PROGRESS;
 197         result->async.fn = NULL;
 198         result->event_ctx = tree->session->transport->socket->event.ctx;
 199
 200         state = talloc(result, struct connect_lsa_state);
 201         if (state == NULL) goto failed;
 202         state->ctx = result;
 203         result->private_data = state;
 204
 205         state->tree = tree;
 206         state->credentials = credentials;
 207
 208         if (credentials == NULL) {
 209                 ctx = wb_init_lsa_send(tree, DCERPC_AUTH_TYPE_NONE, NULL);
 210                 if (ctx == NULL) goto failed;
 211                 ctx->async.fn = connect_lsa_recv_anon;
 212                 ctx->async.private_data = state;
 213                 return result;
 214         }
 215
 216         ctx = wb_init_lsa_send(tree, DCERPC_AUTH_TYPE_NTLMSSP, credentials);
 217         if (ctx == NULL) goto failed;
 218         ctx->async.fn = connect_lsa_recv_ntlmssp;
 219         ctx->async.private_data = state;
 220         return result;
 221
 222  failed:
 223         talloc_free(result);
 224         return NULL;
 225 }
 226
 227 static void connect_lsa_recv_ntlmssp(struct composite_context *ctx)
 228 {
 229         struct connect_lsa_state *state =
 230                 talloc_get_type(ctx->async.private_data,
 231                                 struct connect_lsa_state);
 232
 233         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 234                                               &state->lsa_policy);
 235
 236         if (NT_STATUS_IS_OK(state->ctx->status)) {
 237                 state->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
 238                 composite_done(state->ctx);
 239                 return;
 240         }
 241
 242         ctx = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_SCHANNEL,
 243                                state->credentials);
 244         composite_continue(state->ctx, ctx,
 245                            connect_lsa_recv_schannel, state);
 246 }
 247
 248 static void connect_lsa_recv_schannel(struct composite_context *ctx)
 249 {
 250         struct connect_lsa_state *state =
 251                 talloc_get_type(ctx->async.private_data,
 252                                 struct connect_lsa_state);
 253
 254         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 255                                               &state->lsa_policy);
 256
 257         if (NT_STATUS_IS_OK(state->ctx->status)) {
 258                 state->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
 259                 composite_done(state->ctx);
 260                 return;
 261         }
 262
 263         ctx = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_NONE,
 264                                state->credentials);
 265         composite_continue(state->ctx, ctx,
 266                            connect_lsa_recv_anon, state);
 267 }
 268
 269 static void connect_lsa_recv_anon(struct composite_context *ctx)
 270 {
 271         struct connect_lsa_state *state =
 272                 talloc_get_type(ctx->async.private_data,
 273                                 struct connect_lsa_state);
 274
 275         state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
 276                                               &state->lsa_policy);
 277         if (!composite_is_ok(state->ctx)) return;
 278
 279         state->auth_type = DCERPC_AUTH_TYPE_NONE;
 280         composite_done(state->ctx);
 281 }
 282
 283 NTSTATUS wb_connect_lsa_recv(struct composite_context *c,
 284                              TALLOC_CTX *mem_ctx,
 285                              uint8_t *auth_type,
 286                              struct dcerpc_pipe **lsa_pipe,
 287                              struct policy_handle **lsa_policy)
 288 {
 289         NTSTATUS status = composite_wait(c);
 290         if (NT_STATUS_IS_OK(status)) {
 291                 struct connect_lsa_state *state =
 292                         talloc_get_type(c->private_data,
 293                                         struct connect_lsa_state);
 294                 *auth_type = state->auth_type;
 295                 *lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
 296                 *lsa_policy = talloc_steal(mem_ctx, state->lsa_policy);
 297         }
 298         talloc_free(c);
 299         return status;
 300 }
 301
 302 NTSTATUS wb_connect_lsa(struct smbcli_tree *tree,
 303                         struct cli_credentials *credentials,
 304                         TALLOC_CTX *mem_ctx,
 305                         uint8_t *auth_type,
 306                         struct dcerpc_pipe **lsa_pipe,
 307                         struct policy_handle **lsa_policy)
 308 {
 309         struct composite_context *c;
 310         c = wb_connect_lsa_send(tree, credentials);
 311         return wb_connect_lsa_recv(c, mem_ctx, auth_type, lsa_pipe,
 312                                    lsa_policy);
 313 }