selftest: test plugin_s4_dc against all ncacn_np tests
authorAndrew Bartlett <abartlet@samba.org>
Tue, 2 Aug 2011 03:17:24 +0000 (13:17 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:05 +0000 (18:48 +1000)
Changes to the s3 epmapper behaviour seem to have fixed the rest of these
tests.

Andrew Bartlett

source3/auth/auth.c
source3/auth/auth_ntlmssp.c
source3/auth/auth_samba4.c
source3/auth/proto.h
source3/include/auth.h
source3/librpc/rpc/dcerpc.h
source4/selftest/tests.py

index f2cd7032972de2a8be6d46bd0be5f834aa7e775e..4e413b1de5ba228a90fac45aa3f09d576f937304 100644 (file)
@@ -462,9 +462,10 @@ static NTSTATUS make_auth_context_text_list(TALLOC_CTX *mem_ctx,
 
        /* Look for the first module to provide a start_gensec hook, and set that if provided */
        for (method = (*auth_context)->auth_method_list; method; method = method->next) {
-               if (method->prepare_gensec && method->gensec_start_mech_by_oid) {
+               if (method->prepare_gensec) {
                        (*auth_context)->prepare_gensec = method->prepare_gensec;
                        (*auth_context)->gensec_start_mech_by_oid = method->gensec_start_mech_by_oid;
+                       (*auth_context)->gensec_start_mech_by_authtype = method->gensec_start_mech_by_authtype;
                        break;
                }
        }
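Review bot: With the test reduced to `if (method->prepare_gensec)`, the first module that has a prepare hook is selected even when its `gensec_start_mech_by_oid` or `gensec_start_mech_by_authtype` is NULL, and those NULL pointers are copied into the auth_context. The new auth_generic_authtype_start() checks its hook before calling it, but a context whose gensec_security was prepared by a module would then fall through to the built-in NTLMSSP branch. Whether auth_generic_start() guards the by_oid pointer the same way is not visible in this diff. If a partial hook set is intended, update the comment above the loop, which still speaks of a "start_gensec hook", to something like `/* Use the first module with a prepare_gensec hook; its start hooks may be NULL and callers must check them */`. The enclosing function starts and ends outside the hunk.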
index e52cf9209d0a597a68a95a59f4ee9e7e6909d361..cccb319ccc63efd989fe1090e8435321bd0cecb2 100644 (file)
@@ -27,6 +27,7 @@
 #include "../librpc/gen_ndr/netlogon.h"
 #include "../lib/tsocket/tsocket.h"
 #include "auth/gensec/gensec.h"
+#include "librpc/rpc/dcerpc.h"
 
 NTSTATUS auth_ntlmssp_session_info(TALLOC_CTX *mem_ctx,
                                   struct auth_ntlmssp_state *auth_ntlmssp_state,
@@ -290,6 +291,41 @@ NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const
        return NT_STATUS_OK;
 }
 
+NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state, 
+                                    uint8_t auth_type, uint8_t auth_level)
+{
+       if (auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype) {
+               return auth_ntlmssp_state->auth_context->gensec_start_mech_by_authtype(auth_ntlmssp_state->gensec_security,
+                                                                                      auth_type, auth_level);
+       }
+
+       if (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) {
+               /* The caller will then free the auth_ntlmssp_state,
+                * undoing what was done in auth_ntlmssp_prepare().
+                *
+                * We can't do that logic here, as
+                * auth_ntlmssp_want_feature() may have been called in
+                * between.
+                */
+               return NT_STATUS_NOT_IMPLEMENTED;
+       }
+
+       if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+               auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SIGN);
+       } else if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+               /* Always implies both sign and seal for ntlmssp */
+               auth_ntlmssp_want_feature(auth_ntlmssp_state, NTLMSSP_FEATURE_SEAL);
+       } else if (auth_level == DCERPC_AUTH_LEVEL_CONNECT) {
+               /* Default features */
+       } else {
+               DEBUG(2,("auth_level %d not supported in DCE/RPC authentication\n",
+                        auth_level));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       return NT_STATUS_OK;
+}
+
 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state)
 {
        return auth_generic_start(auth_ntlmssp_state, GENSEC_OID_NTLMSSP);
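Review bot: `auth_level` is range-checked only on the built-in NTLMSSP path of auth_generic_authtype_start(); when `gensec_start_mech_by_authtype` is set, `auth_type` and `auth_level` are passed to the hook unchecked, so rejecting unknown values depends entirely on the backend. Both bytes presumably originate from the peer's DCE/RPC bind request, which makes that contract worth stating. I would add a doc comment above the function saying that the hook must validate both values, and that on any status other than NT_STATUS_OK the caller must free auth_ntlmssp_state; at present that is mentioned only inside the NT_STATUS_NOT_IMPLEMENTED branch. The comment should also say that the fallback path only records the sign/seal features and returns without starting a mechanism. The surrounding auth_generic_start() and auth_ntlmssp_start() bodies continue outside the hunk.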
index 2c9a6a0f8c334d36d7db67bcf350e1de10ca4202..7315c1621bd3aef35d603d4da04ac21f5feb35af 100644 (file)
@@ -187,6 +187,7 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
        result->auth = check_samba4_security;
        result->prepare_gensec = prepare_gensec;
        result->gensec_start_mech_by_oid = gensec_start_mech_by_oid;
+       result->gensec_start_mech_by_authtype = gensec_start_mech_by_authtype;
 
         *auth_method = result;
        return NT_STATUS_OK;
index 239e8ff45481e31a33f1a6d15c22052d470f4894..5dded1421ca4e364006aefb0ff760f865e82f059 100644 (file)
@@ -76,6 +76,8 @@ NTSTATUS auth_ntlmssp_prepare(const struct tsocket_address *remote_address,
                              struct auth_ntlmssp_state **auth_ntlmssp_state);
 NTSTATUS auth_ntlmssp_start(struct auth_ntlmssp_state *auth_ntlmssp_state);
 NTSTATUS auth_generic_start(struct auth_ntlmssp_state *auth_ntlmssp_state, const char *oid);
+NTSTATUS auth_generic_authtype_start(struct auth_ntlmssp_state *auth_ntlmssp_state, 
+                                    uint8_t auth_type, uint8_t auth_level);
 
 
 /* The following definitions come from auth/auth_sam.c  */
index f7422f0600f02400c8b52d704334fc2286e0fe60..6721b1f1884faff0af043c97c2184f5e384b6f38 100644 (file)
@@ -88,6 +88,7 @@ struct auth_context {
        NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx,
                                 struct gensec_security **gensec_context);
        NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string);
+       NTSTATUS (*gensec_start_mech_by_authtype)(struct gensec_security *gensec_context, uint8_t auth_type, uint8_t auth_level);
 };
 
 typedef struct auth_methods
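Review bot: The new `gensec_start_mech_by_authtype` member is added to `struct auth_context` here and to `struct auth_methods` in the next hunk without any comment. A module author cannot tell from the header that the pointer may be NULL, nor what the hook must do with an unsupported auth_type or auth_level. I would put one comment above it in both structs, for example `/* Optional (may be NULL): start the gensec mechanism for a DCE/RPC auth_type/auth_level; must return an error for values it does not support */`. Both struct definitions extend beyond their hunks.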
@@ -113,6 +114,7 @@ typedef struct auth_methods
        NTSTATUS (*prepare_gensec)(TALLOC_CTX *mem_ctx,
                                 struct gensec_security **gensec_context);
        NTSTATUS (*gensec_start_mech_by_oid)(struct gensec_security *gensec_context, const char *oid_string);
+       NTSTATUS (*gensec_start_mech_by_authtype)(struct gensec_security *gensec_context, uint8_t auth_type, uint8_t auth_level);
        /* Used to keep tabs on things like the cli for SMB server authentication */
        void *private_data;
 
index d7e8e0c193d1587dfc128df9963f92ab2033bcb7..be23e10130de12ac711974e4fb52783f9387480c 100644 (file)
@@ -39,6 +39,8 @@ struct NL_AUTH_MESSAGE;
 struct pipe_auth_data {
        enum dcerpc_AuthType auth_type;
        enum dcerpc_AuthLevel auth_level;
+       
+       bool gensec_hook;
 
        void *auth_ctx;
 
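Review bot: `bool gensec_hook;` is added to `struct pipe_auth_data` with no comment, and no visible hunk of this commit sets or reads it. Since it sits directly above `void *auth_ctx`, it presumably tells the RPC code which kind of object auth_ctx points to; if so, a mismatch between the flag and the pointer would be a type confusion on the authentication path, so the invariant should be written down. I would add `/* true when auth_ctx was started through the auth_context gensec hooks; set together with auth_ctx */`, adjusted to the real meaning. The blank added line above it also carries trailing whitespace. The struct continues outside the hunk.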
index 538ec5d4516ae0e9be2131f8b6adc9f4b1180337..0902a3ec2910a7c4ae7d7a243bc9f1cf905d707f 100755 (executable)
@@ -135,7 +135,7 @@ for bindoptions in ["seal,padcheck"] + validate_list + ["bigendian"]:
 #Plugin S4 DC tests (confirms named pipe auth forwarding).  This can be expanded once kerberos is supported in the plugin DC
 #
 for bindoptions in ["seal,padcheck"] + validate_list + ["bigendian"]:
-    for t in [ "rpc.lsalookup", "rpc.lsa.secrets", "rpc.lsa-getuser", "rpc.handles", "rpc.asyncbind", "rpc.authcontext", "rpc.lsa"]:
+    for t in ncacn_np_tests:
         env = "plugin_s4_dc"
         transport = "ncacn_np"
         plantestsuite_loadlist("samba4.%s with %s" % (t, bindoptions), env, [valgrindify(smb4torture), "$LISTOPT", "%s:$SERVER[%s]" % (transport, bindoptions), '-U$USERNAME%$PASSWORD', '-W', '$DOMAIN', '-k', 'no', t])