r10878: Reply to some comments by tridge and metze:
1 /* 
2    Unix SMB/CIFS implementation.
3
4    Connect to the LSA pipe, given an smbcli_tree and possibly some
5    credentials. Try ntlmssp, schannel and anon in that order.
6
7    Copyright (C) Volker Lendecke 2005
8    
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "libcli/composite/composite.h"
26 #include "libcli/smb_composite/smb_composite.h"
27 #include "winbind/wb_async_helpers.h"
28 #include "winbind/wb_server.h"
29 #include "smbd/service_stream.h"
30
31 #include "librpc/gen_ndr/nbt.h"
32 #include "librpc/gen_ndr/samr.h"
33 #include "lib/messaging/irpc.h"
34 #include "librpc/gen_ndr/irpc.h"
35 #include "librpc/gen_ndr/ndr_irpc.h"
36 #include "libcli/raw/libcliraw.h"
37 #include "librpc/gen_ndr/ndr_netlogon.h"
38 #include "librpc/gen_ndr/ndr_lsa.h"
39 #include "libcli/auth/credentials.h"
40
41
/*
 * Helper to initialize LSA with one specific auth method. The bind is
 * verified by opening the LSA policy.
 */

/* State for a single LSA bind attempt. Allocated as a talloc child of ctx. */
struct init_lsa_state {
	/* Composite context returned to the caller of wb_init_lsa_send(). */
	struct composite_context *ctx;
	/* Pipe that is opened on \lsarpc and then bound. */
	struct dcerpc_pipe *lsa_pipe;

	/* DCERPC_AUTH_TYPE_* value selecting how the pipe is bound. */
	uint8_t auth_type;
	/*
	 * Stored by pointer, not copied. Must be non-NULL for the NTLMSSP and
	 * SCHANNEL bind types; not used for DCERPC_AUTH_TYPE_NONE.
	 */
	struct cli_credentials *creds;

	/* Request/response storage for the lsa_OpenPolicy2 verification call. */
	struct lsa_ObjectAttribute objectattr;
	struct lsa_OpenPolicy2 openpolicy;
	struct policy_handle *handle;
};

static void init_lsa_recv_pipe(struct composite_context *ctx);
static void init_lsa_recv_openpol(struct rpc_request *req);
59
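/*
 * Start an asynchronous LSA bind over an existing SMB tree connection.
 *
 * Opens the \lsarpc named pipe on the tree; init_lsa_recv_pipe() continues
 * with the bind and the policy open once the pipe is available.
 *
 * tree       connected SMB tree; its socket also supplies the event context
 * auth_type  DCERPC_AUTH_TYPE_NONE, _NTLMSSP or _SCHANNEL
 * creds      credentials for the authenticated bind types; kept by pointer,
 *            so the caller must keep them alive until the request finishes
 *
 * Returns the composite context to wait on, or NULL if set-up failed.
 */
static struct composite_context *wb_init_lsa_send(struct smbcli_tree *tree,
						  uint8_t auth_type,
						  struct cli_credentials *creds)
{
	struct composite_context *result, *ctx;
	struct init_lsa_state *state;

	result = talloc(NULL, struct composite_context);
	if (result == NULL) goto failed;
	result->state = COMPOSITE_STATE_IN_PROGRESS;
	result->event_ctx = tree->session->transport->socket->event.ctx;

	state = talloc(result, struct init_lsa_state);
	if (state == NULL) goto failed;
	state->ctx = result;
	result->private_data = state;

	state->auth_type = auth_type;
	state->creds = creds;

	state->lsa_pipe = dcerpc_pipe_init(state, result->event_ctx);
	if (state->lsa_pipe == NULL) goto failed;

	ctx = dcerpc_pipe_open_smb_send(state->lsa_pipe->conn, tree,
					"\\lsarpc");
	/*
	 * The original dereferenced ctx unconditionally. Treat a NULL
	 * context like every other set-up failure in this function
	 * (presumably it signals an allocation failure in the send call).
	 */
	if (ctx == NULL) goto failed;
	ctx->async.fn = init_lsa_recv_pipe;
	ctx->async.private_data = state;
	return result;

 failed:
	/* state hangs off result and the pipe was created under state. */
	talloc_free(result);
	return NULL;
}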
93
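/*
 * Continuation after the \lsarpc pipe open: bind the pipe with the requested
 * auth type, then send lsa_OpenPolicy2 to verify that the bind is usable.
 *
 * Any failure is reported through state->ctx and ends this attempt.
 */
static void init_lsa_recv_pipe(struct composite_context *ctx)
{
	struct init_lsa_state *state =
		talloc_get_type(ctx->async.private_data,
				struct init_lsa_state);
	struct rpc_request *req;

	state->ctx->status = dcerpc_pipe_open_smb_recv(ctx);
	if (!composite_is_ok(state->ctx)) return;

	switch (state->auth_type) {
	case DCERPC_AUTH_TYPE_NONE:
		state->ctx->status =
			dcerpc_bind_auth_none(state->lsa_pipe,
					      DCERPC_LSARPC_UUID,
					      DCERPC_LSARPC_VERSION);
		break;
	case DCERPC_AUTH_TYPE_NTLMSSP:
	case DCERPC_AUTH_TYPE_SCHANNEL:
		/* An authenticated bind without credentials is a caller bug. */
		if (state->creds == NULL) {
			composite_error(state->ctx, NT_STATUS_INTERNAL_ERROR);
			return;
		}
		/*
		 * Ask for signing and sealing on every authenticated bind;
		 * only the anonymous bind above runs without them.
		 */
		state->lsa_pipe->conn->flags |= (DCERPC_SIGN | DCERPC_SEAL);
		state->ctx->status =
			dcerpc_bind_auth_password(state->lsa_pipe,
						  DCERPC_LSARPC_UUID,
						  DCERPC_LSARPC_VERSION,
						  state->creds,
						  state->auth_type,
						  NULL);
		break;
	default:
		state->ctx->status = NT_STATUS_INTERNAL_ERROR;
		break;
	}

	/*
	 * Stop here when the bind failed or the auth type was unknown.
	 * Previously the code went on to OpenPolicy2 on an unbound pipe and
	 * the bind status was overwritten, hiding why the attempt failed.
	 */
	if (!composite_is_ok(state->ctx)) return;

	state->handle = talloc(state, struct policy_handle);
	if (composite_nomem(state->handle, state->ctx)) return;

	state->openpolicy.in.system_name =
		talloc_asprintf(state, "\\\\%s",
				dcerpc_server_name(state->lsa_pipe));
	/* talloc_asprintf() returns NULL on allocation failure. */
	if (composite_nomem(state->openpolicy.in.system_name,
			    state->ctx)) return;

	ZERO_STRUCT(state->objectattr);
	state->openpolicy.in.attr = &state->objectattr;
	state->openpolicy.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	state->openpolicy.out.handle = state->handle;

	req = dcerpc_lsa_OpenPolicy2_send(state->lsa_pipe, state,
					  &state->openpolicy);
	composite_continue_rpc(state->ctx, req, init_lsa_recv_openpol, state);
}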
146
/*
 * Continuation after lsa_OpenPolicy2: the attempt succeeds only if both the
 * RPC transport status and the call's own result code are OK.
 */
static void init_lsa_recv_openpol(struct rpc_request *req)
{
	struct init_lsa_state *state;
	struct composite_context *c;

	state = talloc_get_type(req->async.private, struct init_lsa_state);
	c = state->ctx;

	/* First the status of the request itself ... */
	c->status = dcerpc_ndr_request_recv(req);
	if (composite_is_ok(c)) {
		/* ... then the result the server returned for OpenPolicy2. */
		c->status = state->openpolicy.out.result;
		if (composite_is_ok(c)) {
			composite_done(c);
		}
	}
}
160
/*
 * Wait for a request started by wb_init_lsa_send() and collect its result.
 *
 * On success the bound pipe and the policy handle are moved to mem_ctx and
 * returned through lsa_pipe / lsa_policy; on failure both outputs are left
 * untouched. The composite context c is freed in either case.
 */
static NTSTATUS wb_init_lsa_recv(struct composite_context *c,
				 TALLOC_CTX *mem_ctx,
				 struct dcerpc_pipe **lsa_pipe,
				 struct policy_handle **lsa_policy)
{
	struct init_lsa_state *state;
	NTSTATUS status;

	status = composite_wait(c);
	if (!NT_STATUS_IS_OK(status)) {
		talloc_free(c);
		return status;
	}

	state = talloc_get_type(c->private_data, struct init_lsa_state);

	/* Reparent before freeing c, otherwise both would go away with it. */
	*lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
	*lsa_policy = talloc_steal(mem_ctx, state->handle);

	talloc_free(c);
	return status;
}
177
178
/*
 * Connect to LSA: try NTLMSSP and then SCHANNEL with the given credentials.
 * If both fail, or if no credentials are available, fall back to an
 * anonymous bind.
 *
 * The anonymous fallback is a downgrade: this file requests DCERPC_SIGN and
 * DCERPC_SEAL only for the authenticated bind types. Callers learn which
 * bind succeeded from the auth_type output of wb_connect_lsa_recv().
 */

/* State for the whole fallback sequence; a talloc child of ctx. */
struct connect_lsa_state {
	/* Composite context returned to the caller of wb_connect_lsa_send(). */
	struct composite_context *ctx;
	/* SMB tree that every bind attempt runs over. */
	struct smbcli_tree *tree;
	/* Stored by pointer; NULL selects the anonymous bind straight away. */
	struct cli_credentials *credentials;

	/* Set only once an attempt has succeeded. */
	uint8_t auth_type;
	struct dcerpc_pipe *lsa_pipe;
	struct policy_handle *lsa_policy;
};

static void connect_lsa_recv_ntlmssp(struct composite_context *ctx);
static void connect_lsa_recv_schannel(struct composite_context *ctx);
static void connect_lsa_recv_anon(struct composite_context *ctx);
198
/*
 * Start the asynchronous LSA connect sequence on an SMB tree.
 *
 * With credentials the first attempt is an NTLMSSP bind; without them the
 * sequence goes straight to the anonymous bind.
 *
 * Returns the composite context to pass to wb_connect_lsa_recv(), or NULL if
 * set-up failed.
 */
struct composite_context *wb_connect_lsa_send(struct smbcli_tree *tree,
					      struct cli_credentials *credentials)
{
	struct composite_context *result, *ctx;
	struct connect_lsa_state *state;
	void (*on_done)(struct composite_context *);
	uint8_t first_auth;

	result = talloc(NULL, struct composite_context);
	if (result == NULL) goto failed;
	result->state = COMPOSITE_STATE_IN_PROGRESS;
	result->event_ctx = tree->session->transport->socket->event.ctx;

	state = talloc(result, struct connect_lsa_state);
	if (state == NULL) goto failed;
	state->ctx = result;
	result->private_data = state;

	state->tree = tree;
	state->credentials = credentials;

	/* Choose the first bind type and the matching continuation. */
	if (credentials != NULL) {
		first_auth = DCERPC_AUTH_TYPE_NTLMSSP;
		on_done = connect_lsa_recv_ntlmssp;
	} else {
		first_auth = DCERPC_AUTH_TYPE_NONE;
		on_done = connect_lsa_recv_anon;
	}

	/* credentials is NULL exactly when the anonymous bind was chosen. */
	ctx = wb_init_lsa_send(tree, first_auth, credentials);
	if (ctx == NULL) goto failed;
	ctx->async.fn = on_done;
	ctx->async.private_data = state;
	return result;

 failed:
	talloc_free(result);
	return NULL;
}
236
/*
 * Continuation after the NTLMSSP attempt: finish on success, otherwise start
 * the SCHANNEL attempt with the same credentials.
 */
static void connect_lsa_recv_ntlmssp(struct composite_context *ctx)
{
	struct connect_lsa_state *state;
	struct composite_context *next;

	state = talloc_get_type(ctx->async.private_data,
				struct connect_lsa_state);

	/* wb_init_lsa_recv() frees ctx; it must not be used after this call. */
	state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
					      &state->lsa_policy);

	if (!NT_STATUS_IS_OK(state->ctx->status)) {
		next = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_SCHANNEL,
					state->credentials);
		composite_continue(state->ctx, next,
				   connect_lsa_recv_schannel, state);
		return;
	}

	state->auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
	composite_done(state->ctx);
}
257
/*
 * Continuation after the SCHANNEL attempt: finish on success, otherwise fall
 * back to the anonymous bind.
 *
 * NOTE(review): this is the point where a failed authenticated connect is
 * downgraded to an unauthenticated one without sign/seal being requested.
 * Nothing here distinguishes a server that cannot do the authenticated binds
 * from one where they were made to fail, so callers that need an
 * authenticated LSA pipe have to check the reported auth_type.
 */
static void connect_lsa_recv_schannel(struct composite_context *ctx)
{
	struct connect_lsa_state *state;
	struct composite_context *next;

	state = talloc_get_type(ctx->async.private_data,
				struct connect_lsa_state);

	/* wb_init_lsa_recv() frees ctx; it must not be used after this call. */
	state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
					      &state->lsa_policy);

	if (!NT_STATUS_IS_OK(state->ctx->status)) {
		/*
		 * The credentials are still passed along, but the
		 * DCERPC_AUTH_TYPE_NONE branch of init_lsa_recv_pipe() does
		 * not use them.
		 */
		next = wb_init_lsa_send(state->tree, DCERPC_AUTH_TYPE_NONE,
					state->credentials);
		composite_continue(state->ctx, next,
				   connect_lsa_recv_anon, state);
		return;
	}

	state->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
	composite_done(state->ctx);
}
278
/*
 * Continuation after the anonymous attempt. This is the last step of the
 * sequence: a failure here fails the whole connect.
 */
static void connect_lsa_recv_anon(struct composite_context *ctx)
{
	struct connect_lsa_state *state;

	state = talloc_get_type(ctx->async.private_data,
				struct connect_lsa_state);

	state->ctx->status = wb_init_lsa_recv(ctx, state, &state->lsa_pipe,
					      &state->lsa_policy);
	if (composite_is_ok(state->ctx)) {
		/* Record that the resulting pipe is unauthenticated. */
		state->auth_type = DCERPC_AUTH_TYPE_NONE;
		composite_done(state->ctx);
	}
}
292
/*
 * Wait for a request started by wb_connect_lsa_send() and collect its result.
 *
 * On success:
 *   *auth_type   the DCERPC_AUTH_TYPE_* value of the bind that succeeded;
 *                DCERPC_AUTH_TYPE_NONE means the pipe is anonymous
 *   *lsa_pipe    the bound pipe, moved to mem_ctx
 *   *lsa_policy  the opened policy handle, moved to mem_ctx
 * On failure the outputs are left untouched. c is freed in either case.
 */
NTSTATUS wb_connect_lsa_recv(struct composite_context *c,
			     TALLOC_CTX *mem_ctx,
			     uint8_t *auth_type,
			     struct dcerpc_pipe **lsa_pipe,
			     struct policy_handle **lsa_policy)
{
	struct connect_lsa_state *state;
	NTSTATUS status;

	/* NOTE(review): relies on composite_wait() accepting NULL - confirm. */
	status = composite_wait(c);
	if (!NT_STATUS_IS_OK(status)) {
		talloc_free(c);
		return status;
	}

	state = talloc_get_type(c->private_data, struct connect_lsa_state);

	*auth_type = state->auth_type;
	/* Reparent before freeing c, otherwise both would go away with it. */
	*lsa_pipe = talloc_steal(mem_ctx, state->lsa_pipe);
	*lsa_policy = talloc_steal(mem_ctx, state->lsa_policy);

	talloc_free(c);
	return status;
}
311
/*
 * Synchronous wrapper: start the LSA connect sequence and wait for it.
 *
 * Parameters and outputs are those of wb_connect_lsa_send() and
 * wb_connect_lsa_recv(). Check *auth_type before trusting the pipe for
 * anything that needs an authenticated session.
 */
NTSTATUS wb_connect_lsa(struct smbcli_tree *tree,
			struct cli_credentials *credentials,
			TALLOC_CTX *mem_ctx,
			uint8_t *auth_type,
			struct dcerpc_pipe **lsa_pipe,
			struct policy_handle **lsa_policy)
{
	/* A NULL context from the send side is passed straight to recv. */
	return wb_connect_lsa_recv(wb_connect_lsa_send(tree, credentials),
				   mem_ctx, auth_type, lsa_pipe, lsa_policy);
}