#include "system/passwd.h"
#include "system/network.h"
#include "libcli/raw/smb.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
-#include "libcli/security/dom_sid.h"
+#include "auth/session.h"
+#include "libcli/security/security.h"
#include "libcli/named_pipe_auth/npa_tstream.h"
struct named_pipe_socket {
char *client_name;
struct tsocket_address *server;
char *server_name;
- struct netr_SamInfo3 *info3;
- DATA_BLOB session_key;
- DATA_BLOB delegated_creds;
-
- union netr_Validation val;
- struct auth_serversupplied_info *server_info;
- struct auth_context *auth_context;
- uint32_t session_flags = 0;
- struct dom_sid *anonymous_sid;
+ struct auth_session_info_transport *session_info_transport;
const char *reason = NULL;
TALLOC_CTX *tmp_ctx;
- NTSTATUS status;
int error;
int ret;
}
ret = tstream_npa_accept_existing_recv(subreq, &error, tmp_ctx,
- &conn->tstream,
- &client,
- &client_name,
- &server,
- &server_name,
- &info3,
- &session_key,
- &delegated_creds);
+ &conn->tstream,
+ &client,
+ &client_name,
+ &server,
+ &server_name,
+ &session_info_transport);
TALLOC_FREE(subreq);
if (ret != 0) {
reason = talloc_asprintf(conn,
client_name, tsocket_address_string(client, tmp_ctx),
server_name, tsocket_address_string(server, tmp_ctx)));
- if (info3) {
- val.sam3 = info3;
-
- status = make_server_info_netlogon_validation(conn,
- val.sam3->base.account_name.string,
- 3, &val, &server_info);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "make_server_info_netlogon_validation "
- "returned: %s", nt_errstr(status));
- goto out;
- }
-
- status = auth_context_create(conn, conn->event.ctx,
- conn->msg_ctx, conn->lp_ctx,
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_context_create returned: %s",
- nt_errstr(status));
- goto out;
- }
-
- anonymous_sid = dom_sid_parse_talloc(auth_context,
- SID_NT_ANONYMOUS);
- if (anonymous_sid == NULL) {
- talloc_free(auth_context);
- reason = "Failed to parse Anonymous SID ";
- goto out;
- }
-
- session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) {
- session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
- }
-
-
- /* setup the session_info on the connection */
- status = auth_context->generate_session_info(conn,
- auth_context,
- server_info,
- session_flags,
- &conn->session_info);
- talloc_free(auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_generate_session_info "
- "returned: %s", nt_errstr(status));
- goto out;
- }
- }
-
- if (session_key.length) {
- conn->session_info->session_key = session_key;
- talloc_steal(conn->session_info, session_key.data);
- }
-
- if (delegated_creds.length) {
- struct cli_credentials *creds;
- OM_uint32 minor_status;
- gss_buffer_desc cred_token;
- gss_cred_id_t cred_handle;
- const char *error_string;
-
- DEBUG(10, ("Delegated credentials supplied by client\n"));
-
- cred_token.value = delegated_creds.data;
- cred_token.length = delegated_creds.length;
-
- ret = gss_import_cred(&minor_status,
- &cred_token,
- &cred_handle);
- if (ret != GSS_S_COMPLETE) {
- reason = "Internal error in gss_import_cred()";
- goto out;
- }
-
- creds = cli_credentials_init(conn->session_info);
- if (!creds) {
- reason = "Out of memory in cli_credentials_init()";
- goto out;
- }
- conn->session_info->credentials = creds;
-
- cli_credentials_set_conf(creds, conn->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(creds);
-
- ret = cli_credentials_set_client_gss_creds(creds,
- conn->event.ctx,
- conn->lp_ctx,
- cred_handle,
- CRED_SPECIFIED,
- &error_string);
- if (ret) {
- reason = talloc_asprintf(conn,
- "Failed to set pipe forwarded"
- "creds: %s\n", error_string);
- goto out;
- }
-
- /* This credential handle isn't useful for password
- * authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
-
+ conn->session_info = auth_session_info_from_transport(conn, session_info_transport,
+ conn->lp_ctx,
+ &reason);
+ if (!conn->session_info) {
+ goto out;
}
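Review bot: When auth_session_info_from_transport() returns NULL the new code jumps to `out` relying on the callee to have filled `reason`, but `reason` starts as NULL (L24) and nothing here guarantees it was set, so whatever `out:` does with it (presumably logs or reports the string) may receive a NULL pointer. A cheap guard keeps the failure path self-describing: `if (!conn->session_info) { if (reason == NULL) reason = "auth_session_info_from_transport() failed"; goto out; }`. The removed code also deliberately forced delegated credentials to CRED_MUST_USE_KERBEROS (old L153-L154) so a forwarded GSS handle could never be used for password authentication; that property now has to come from inside auth_session_info_from_transport(), which is outside this view, so it is worth confirming before merging and noting in a comment here, e.g. `/* session_info (incl. any delegated creds, kerberos-only) is built by the helper */`. The enclosing function begins and ends outside this hunk.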
/*
.send_handler = named_pipe_send,
};
-NTSTATUS tstream_setup_named_pipe(struct tevent_context *event_context,
+NTSTATUS tstream_setup_named_pipe(TALLOC_CTX *mem_ctx,
+ struct tevent_context *event_context,
struct loadparm_context *lp_ctx,
const struct model_ops *model_ops,
const struct stream_server_ops *stream_ops,
struct named_pipe_socket *pipe_sock;
NTSTATUS status = NT_STATUS_NO_MEMORY;;
- pipe_sock = talloc(event_context, struct named_pipe_socket);
+ pipe_sock = talloc(mem_ctx, struct named_pipe_socket);
if (pipe_sock == NULL) {
goto fail;
}
/* remember the details about the pipe */
- pipe_sock->pipe_name = talloc_strdup(pipe_sock, pipe_name);
+ pipe_sock->pipe_name = strlower_talloc(pipe_sock, pipe_name);
if (pipe_sock->pipe_name == NULL) {
goto fail;
}
+ if (!directory_create_or_exist(lpcfg_ncalrpc_dir(lp_ctx), 0755)) {
+ status = map_nt_error_from_unix_common(errno);
+ DEBUG(0,(__location__ ": Failed to create ncalrpc pipe directory '%s' - %s\n",
+ lpcfg_ncalrpc_dir(lp_ctx), nt_errstr(status)));
+ goto fail;
+ }
+
dirname = talloc_asprintf(pipe_sock, "%s/np", lpcfg_ncalrpc_dir(lp_ctx));
if (dirname == NULL) {
goto fail;
}
- if (!directory_create_or_exist(dirname, geteuid(), 0700)) {
- status = map_nt_error_from_unix(errno);
- DEBUG(0,(__location__ ": Failed to create stream pipe directory %s - %s\n",
+ if (!directory_create_or_exist_strict(dirname, geteuid(), 0700)) {
+ status = map_nt_error_from_unix_common(errno);
+ DEBUG(0,(__location__ ": Failed to create stream pipe directory '%s' - %s\n",
dirname, nt_errstr(status)));
goto fail;
}
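Review bot: The newly added creation of lpcfg_ncalrpc_dir() at L184 uses the non-strict directory_create_or_exist() with 0755 and no owner argument, whereas the `np` subdirectory just below is created with directory_create_or_exist_strict() bound to geteuid() and 0700; the asymmetry looks intentional (clients need to traverse the parent) but it means a pre-existing parent owned by another local user is accepted silently, and a user who owns the parent can rename or replace `np` after the strict check has passed, assuming the non-strict variant really does skip the ownership check as its name suggests. If that trade-off is accepted it deserves a comment so it is not "fixed" later, e.g. `/* parent must be traversable by clients; only np/ below is required to be private to this uid */`. Note also that 0755 is subject to the process umask, so the effective mode may be tighter than intended. The enclosing tstream_setup_named_pipe() continues past this hunk.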
pipe_sock->ops = stream_ops;
pipe_sock->private_data = private_data;
- status = stream_setup_socket(event_context,
+ status = stream_setup_socket(pipe_sock,
+ event_context,
lp_ctx,
model_ops,
&named_pipe_stream_ops,