'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
session_info->nt_user_token = NULL;
}
- session_info->session_key = data_blob_talloc(session_info->mem_ctx,
- gensec_krb5_state->session_key.data,
- gensec_krb5_state->session_key.length);
+ nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
session_info->workstation = NULL;
*session_info_out = session_info;
- return NT_STATUS_OK;
+ return nt_status;
}
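Review bot: The status from `gensec_krb5_session_key()` is only returned at the very end, after `*session_info_out = session_info;` has already run, so on failure the caller gets an error code together with a published session_info whose session_key was never filled in. Check it directly after the call with `if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; }`, releasing session_info the way the function's other error paths do (not visible here), and leave `*session_info_out` untouched on that path. The removed code copied the key onto `session_info->mem_ctx`; it is worth confirming that the blob returned by the new call lives at least as long as session_info. The function starts outside the hunk.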
return NT_STATUS_OK;
}
+static NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ if (p->auth_state.session_info->session_key.length) {
+ *session_key = p->auth_state.session_info->session_key;
+ return NT_STATUS_OK;
+ }
+ return NT_STATUS_NO_USER_SESSION_KEY;
+}
+
+NTSTATUS dcesrv_generic_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ /* this took quite a few CPU cycles to find ... */
+ session_key->data = "SystemLibraryDTC";
+ session_key->length = 16;
+ return NT_STATUS_OK;
+}
+
+/*
+ fetch the user session key - may be default (above) or the SMB session key
+*/
+NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ return p->auth_state.session_key(p, session_key);
+}
+
+
/*
connect to a dcerpc endpoint
*/
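Review bot: In `dcesrv_generic_session_key`, `session_key->data = "SystemLibraryDTC";` hands callers a pointer to a string literal, whereas the line this replaces (`data_blob_talloc(dcesrv_conn, "SystemLibraryDTC", 16)`, removed elsewhere in this commit) gave them a talloc copy. Any consumer that frees, steals or writes through the blob would now touch read-only memory. `dcesrv_inherited_session_key` likewise returns an alias of the session_info key rather than a copy. I would state the contract above `dcesrv_fetch_session_key`, e.g. `/* the returned blob is borrowed: callers must not free or modify it */`. I would also note above the generic function that the value is a fixed, publicly known constant, so data encrypted under it is obfuscated rather than confidential unless the transport itself is protected.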
(*p)->auth_state.auth_info = NULL;
(*p)->auth_state.gensec_security = NULL;
(*p)->auth_state.session_info = NULL;
+ (*p)->auth_state.session_key = dcesrv_generic_session_key;
(*p)->srv_conn = NULL;
return NT_STATUS_OK;
session_info->refcount++;
(*dce_conn_p)->auth_state.session_info = session_info;
- (*dce_conn_p)->transport_session_key = session_info->session_key;
+ (*dce_conn_p)->auth_state.session_key = dcesrv_inherited_session_key;
/* TODO: check security descriptor of the endpoint here
* if it's a smb named pipe
struct dcerpc_auth *auth_info;
struct gensec_security *gensec_security;
struct auth_session_info *session_info;
+ NTSTATUS (*session_key)(struct dcesrv_connection *, DATA_BLOB *session_key);
};
dcesrv_conn->srv_conn = conn;
- dcesrv_conn->transport_session_key = data_blob_talloc(dcesrv_conn, "SystemLibraryDTC", 16);
-
conn->private_data = dcesrv_conn;
/* TODO: this should to the generic code
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return False;
}
+
+ /* Now that we are authenticated, got back to the generic session key... */
+ dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return True;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
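Review bot: The new comment before `dce_conn->auth_state.session_key = dcesrv_generic_session_key;` has a typo ("got back") and does not say that the assignment deliberately replaces any key callback installed earlier, such as `dcesrv_inherited_session_key` if the connection took its key from the transport. Because this swaps a per-session key for a fixed one after a successful bind, the reason belongs in the comment, for example `/* Now that we are authenticated, go back to the generic session key; this overrides any inherited transport key */`. The same comment and assignment are added in the following hunk, apparently in dcesrv_auth_auth3. The enclosing function starts and ends outside the hunk.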
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return False;
}
+ /* Now that we are authenticated, got back to the generic session key... */
+ dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return True;
} else {
DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n",
struct ldb_message *msg,
struct samr_CryptPassword *pwbuf)
{
+ NTSTATUS nt_status;
char new_pass[512];
uint32_t new_pass_len;
DATA_BLOB session_key = data_blob(NULL, 0);
- session_key = dce_call->conn->transport_session_key;
-
- if (session_key.length == 0) {
- DEBUG(3,("Bad session key in samr_set_password\n"));
- return NT_STATUS_NO_USER_SESSION_KEY;
+ nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
arcfour_crypt_blob(pwbuf->data, 516, &session_key);
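Review bot: The failure path after the new `dcesrv_fetch_session_key()` call returns without logging, whereas the removed code emitted `DEBUG(3,("Bad session key in samr_set_password\n"))`, so a password-set attempt on a connection with no usable session key no longer appears in the logs. Keep a diagnostic before the return, e.g. `DEBUG(3,("samr_set_password: no session key: %s\n", nt_errstr(nt_status)));`. The same applies to the next hunk, the variant taking `struct samr_CryptPasswordEx *pwbuf`. The fetched key may also be the fixed generic one, so a short comment at `arcfour_crypt_blob(pwbuf->data, 516, &session_key)` should say that this layer gives no confidentiality on such connections. Both functions begin and end outside their hunks.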
struct ldb_message *msg,
struct samr_CryptPasswordEx *pwbuf)
{
+ NTSTATUS nt_status;
char new_pass[512];
uint32_t new_pass_len;
DATA_BLOB co_session_key;
DATA_BLOB session_key = data_blob(NULL, 0);
struct MD5Context ctx;
- session_key = dce_call->conn->transport_session_key;
-
- if (session_key.length == 0) {
- DEBUG(3,("Bad session key in samr_set_password\n"));
- return NT_STATUS_NO_USER_SESSION_KEY;
+ nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
co_session_key = data_blob_talloc(mem_ctx, NULL, 16);