r4962: add infrastructure to use raw krb5 auth in dcerpc client code

Note this doesn't work currently because the gensec_modules are not ready for that yet

metze
(This used to be commit 7b09a3f725baca5d4483b7ec24a9cb6151557bb5)

diff --git a/prog_guide.txt b/prog_guide.txt
index 9a80d757f096fd4b08727e3d5623ce2e8df52145..3ed51e986ccdc1329c852d85b7d7ae4b2512bd80 100644 (file)
--- a/prog_guide.txt
+++ b/prog_guide.txt
@@ -542,6 +542,7 @@ other recognised flags are:
   sign      : enable ntlmssp signing
   seal      : enable ntlmssp sealing
   spnego    : use SPNEGO instead of NTLMSSP authentication
+  krb5      : use KRB5 instead of NTLMSSP authentication
   connect   : enable rpc connect level auth (auth, but no sign or seal)
   validate  : enable the NDR validator
   print     : enable debugging of the packets

diff --git a/source4/librpc/idl/dcerpc.idl b/source4/librpc/idl/dcerpc.idl
index d4fb026c8cc91cf41d535f3c05520e7ad5cfaf75..b5f9fbf466890cb077c27a9c6e95cd58a144fb5f 100644 (file)
--- a/source4/librpc/idl/dcerpc.idl
+++ b/source4/librpc/idl/dcerpc.idl
@@ -110,18 +110,19 @@ interface dcerpc
                uint32 status;
        } dcerpc_fault;
 
-
+       /* the auth types we know about
        const uint8 DCERPC_AUTH_TYPE_NONE     = 0;
-       const uint8 DCERPC_AUTH_TYPE_KRB5     = 1;
+       /* this seems to be not krb5! */
+       const uint8 DCERPC_AUTH_TYPE_KRB5_1   = 1;
        const uint8 DCERPC_AUTH_TYPE_SPNEGO   = 9;
        const uint8 DCERPC_AUTH_TYPE_NTLMSSP  = 10;
        /* I'm not 100% sure but type 16(0x10)
         * seems to be raw krb5 --metze
         */
-       const uint8 DCERPC_AUTH_TYPE_KRB5_16  = 16;
+       const uint8 DCERPC_AUTH_TYPE_KRB5     = 16;
        const uint8 DCERPC_AUTH_TYPE_SCHANNEL = 68;
-       const uint8 DCERPC_AUTH_TYPE_MSMQ         = 100;
-       
+       const uint8 DCERPC_AUTH_TYPE_MSMQ     = 100;
+
        const uint8 DCERPC_AUTH_LEVEL_DEFAULT   = DCERPC_AUTH_LEVEL_CONNECT;
        const uint8 DCERPC_AUTH_LEVEL_NONE      = 1;
        const uint8 DCERPC_AUTH_LEVEL_CONNECT   = 2;

diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 4e58c3c75f4eff775f91dd42b43bf08f2d7b2720..4e0172b6f3165d324ced1688d76a82a8c5c5568a 100644 (file)
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -129,11 +129,14 @@ struct dcerpc_pipe {
 /* set LIBNDR_FLAG_REF_ALLOC flag when decoding NDR */
 #define DCERPC_NDR_REF_ALLOC           (1<<14)
 
-#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL_ANY|DCERPC_AUTH_SPNEGO)
+#define DCERPC_AUTH_OPTIONS    (DCERPC_SEAL|DCERPC_SIGN|DCERPC_SCHANNEL_ANY|DCERPC_AUTH_SPNEGO|DCERPC_AUTH_KRB5)
 
 /* enable spnego auth */
 #define DCERPC_AUTH_SPNEGO             (1<<15)
 
+/* enable krb5 auth */
+#define DCERPC_AUTH_KRB5               (1<<16)
+
 /*
   this is used to find pointers to calls
 */

diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index 8b974df0fdc163afe459077acfc810428a6116d2..7307b44cb821b5e27bcadb6650c0afb00a943b97 100644 (file)
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -177,6 +177,7 @@ static const struct {
        {"seal", DCERPC_SEAL},
        {"connect", DCERPC_CONNECT},
        {"spnego", DCERPC_AUTH_SPNEGO},
+       {"krb5", DCERPC_AUTH_KRB5},
        {"validate", DCERPC_DEBUG_VALIDATE_BOTH},
        {"print", DCERPC_DEBUG_PRINT_BOTH},
        {"padcheck", DCERPC_DEBUG_PAD_CHECK},
@@ -797,6 +798,8 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
                uint8_t auth_type;
                if (binding->flags & DCERPC_AUTH_SPNEGO) {
                        auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+               } else if (binding->flags & DCERPC_AUTH_KRB5) {
+                       auth_type = DCERPC_AUTH_TYPE_KRB5;
                } else {
                        auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
                }