* Can't keep in sync with wire values as spnego wraps different auth methods.
*/
-enum pipe_auth_type { PIPE_AUTH_TYPE_NONE = 0, PIPE_AUTH_TYPE_NTLMSSP, PIPE_AUTH_TYPE_SCHANNEL,
- PIPE_AUTH_TYPE_SPNEGO_NTLMSSP, PIPE_AUTH_TYPE_KRB5, PIPE_AUTH_TYPE_SPNEGO_KRB5 };
+enum pipe_auth_type_spnego {
+ PIPE_AUTH_TYPE_SPNEGO_NONE = 0,
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
+ PIPE_AUTH_TYPE_SPNEGO_KRB5
+};
/* auth state for krb5. */
struct kerberos_auth_struct {
/* auth state for all bind types. */
struct pipe_auth_data {
- enum pipe_auth_type auth_type; /* switch for union below. */
+ enum dcerpc_AuthType auth_type;
+ enum pipe_auth_type_spnego spnego_type;
enum dcerpc_AuthLevel auth_level;
union {
const struct ndr_syntax_id *syntax);
const char *get_pipe_name_from_syntax(TALLOC_CTX *mem_ctx,
const struct ndr_syntax_id *syntax);
-enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type);
struct tevent_req *rpc_api_pipe_req_send(TALLOC_CTX *mem_ctx,
struct event_context *ev,
NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
size_t pad_len, DATA_BLOB *rpc_out)
{
- enum dcerpc_AuthType auth_type;
char pad[CLIENT_NDR_PADDING_SIZE] = { 0, };
DATA_BLOB auth_info;
DATA_BLOB auth_blob;
NTSTATUS status;
- if (auth->auth_type == PIPE_AUTH_TYPE_NONE) {
+ if (auth->auth_type == DCERPC_AUTH_TYPE_NONE) {
return NT_STATUS_OK;
}
}
}
- auth_type = map_pipe_auth_type_to_rpc_auth_type(auth->auth_type);
-
/* marshall the dcerpc_auth with an actually empty auth_blob.
* This is needed because the ntmlssp signature includes the
* auth header. We will append the actual blob later. */
auth_blob = data_blob_null;
status = dcerpc_push_dcerpc_auth(rpc_out->data,
- auth_type,
+ auth->auth_type,
auth->auth_level,
pad_len,
1 /* context id. */,
/* Generate any auth sign/seal and add the auth footer. */
switch (auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NONE:
status = NT_STATUS_OK;
break;
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* fall thorugh */
+ case DCERPC_AUTH_TYPE_NTLMSSP:
status = add_ntlmssp_auth_footer(auth->a_u.auth_ntlmssp_state,
auth->auth_level,
rpc_out);
break;
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
status = add_schannel_auth_footer(auth->a_u.schannel_auth,
auth->auth_level,
rpc_out);
raw_pkt->length - auth_info.credentials.length);
switch (auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NONE:
return NT_STATUS_OK;
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- case PIPE_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ DEBUG(0, ("Currently only NTLMSSP is supported "
+ "with SPNEGO\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* fall through */
+ case DCERPC_AUTH_TYPE_NTLMSSP:
DEBUG(10, ("NTLMSSP auth\n"));
}
break;
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
DEBUG(10, ("SCHANNEL auth\n"));
return result;
}
-/********************************************************************
- Map internal value to wire value.
- ********************************************************************/
-
-enum dcerpc_AuthType map_pipe_auth_type_to_rpc_auth_type(enum pipe_auth_type auth_type)
-{
- switch (auth_type) {
-
- case PIPE_AUTH_TYPE_NONE:
- return DCERPC_AUTH_TYPE_NONE;
-
- case PIPE_AUTH_TYPE_NTLMSSP:
- return DCERPC_AUTH_TYPE_NTLMSSP;
-
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_KRB5:
- return DCERPC_AUTH_TYPE_SPNEGO;
-
- case PIPE_AUTH_TYPE_SCHANNEL:
- return DCERPC_AUTH_TYPE_SCHANNEL;
-
- case PIPE_AUTH_TYPE_KRB5:
- return DCERPC_AUTH_TYPE_KRB5;
-
- default:
- DEBUG(0,("map_pipe_auth_type_to_rpc_type: unknown pipe "
- "auth type %u\n",
- (unsigned int)auth_type ));
- break;
- }
- return -1;
-}
-
NTSTATUS ret = NT_STATUS_OK;
switch (auth->auth_type) {
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
ret = create_schannel_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
}
break;
- case PIPE_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
ret = create_ntlmssp_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
}
break;
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (auth->spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ /* "Can't" happen. */
+ return NT_STATUS_INVALID_INFO_CLASS;
+ }
ret = create_spnego_ntlmssp_auth_rpc_bind_req(cli,
auth->auth_level,
&auth_info);
}
break;
- case PIPE_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_KRB5:
ret = create_krb5_auth_bind_req(cli,
auth->auth_level,
&auth_info);
}
break;
- case PIPE_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NONE:
break;
default:
#endif
switch (cli->auth->auth_level) {
- case DCERPC_AUTH_LEVEL_NONE:
- case DCERPC_AUTH_LEVEL_CONNECT:
- data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
- data_len = MIN(data_space, data_left);
- *p_ss_padding = 0;
- *p_auth_len = 0;
- *p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
- return data_len;
-
- case DCERPC_AUTH_LEVEL_INTEGRITY:
- case DCERPC_AUTH_LEVEL_PRIVACY:
- /* Treat the same for all authenticated rpc requests. */
- switch(cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- case PIPE_AUTH_TYPE_NTLMSSP:
- *p_auth_len = NTLMSSP_SIG_SIZE;
- break;
- case PIPE_AUTH_TYPE_SCHANNEL:
- *p_auth_len = NL_AUTH_SIGNATURE_SIZE;
- break;
- default:
- smb_panic("bad auth type");
- break;
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_CONNECT:
+ data_space = cli->max_xmit_frag - DCERPC_REQUEST_LENGTH;
+ data_len = MIN(data_space, data_left);
+ *p_ss_padding = 0;
+ *p_auth_len = 0;
+ *p_frag_len = DCERPC_REQUEST_LENGTH + data_len;
+ return data_len;
+
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ /* Treat the same for all authenticated rpc requests. */
+ switch(cli->auth->auth_type) {
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ switch (cli->auth->spnego_type) {
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ *p_auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ default:
+ smb_panic("bad auth type");
+ break;
}
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ *p_auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ *p_auth_len = NL_AUTH_SIGNATURE_SIZE;
+ break;
+ default:
+ smb_panic("bad auth type");
+ break;
+ }
- data_space = cli->max_xmit_frag
- - DCERPC_REQUEST_LENGTH
- - DCERPC_AUTH_TRAILER_LENGTH
- - *p_auth_len;
+ data_space = cli->max_xmit_frag
+ - DCERPC_REQUEST_LENGTH
+ - DCERPC_AUTH_TRAILER_LENGTH
+ - *p_auth_len;
- data_len = MIN(data_space, data_left);
- *p_ss_padding = 0;
- if (data_len % CLIENT_NDR_PADDING_SIZE) {
- *p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
- }
- *p_frag_len = DCERPC_REQUEST_LENGTH
- + data_len + *p_ss_padding
- + DCERPC_AUTH_TRAILER_LENGTH
- + *p_auth_len;
- return data_len;
+ data_len = MIN(data_space, data_left);
+ *p_ss_padding = 0;
+ if (data_len % CLIENT_NDR_PADDING_SIZE) {
+ *p_ss_padding = CLIENT_NDR_PADDING_SIZE - (data_len % CLIENT_NDR_PADDING_SIZE);
+ }
+ *p_frag_len = DCERPC_REQUEST_LENGTH
+ + data_len + *p_ss_padding
+ + DCERPC_AUTH_TRAILER_LENGTH
+ + *p_auth_len;
+ return data_len;
- default:
- smb_panic("bad auth level");
- /* Notreached. */
- return 0;
+ default:
+ smb_panic("bad auth level");
+ /* Notreached. */
+ return 0;
}
}
static NTSTATUS create_rpc_bind_auth3(TALLOC_CTX *mem_ctx,
struct rpc_pipe_client *cli,
uint32 rpc_call_id,
- enum pipe_auth_type auth_type,
+ enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
DATA_BLOB *pauth_blob,
DATA_BLOB *rpc_out)
u.auth3._pad = 0;
status = dcerpc_push_dcerpc_auth(mem_ctx,
- map_pipe_auth_type_to_rpc_auth_type(auth_type),
+ auth_type,
auth_level,
0, /* auth_pad_length */
1, /* auth_context_id */
return NULL;
}
- DEBUG(5,("Bind RPC Pipe: %s auth_type %u, auth_level %u\n",
+ DEBUG(5,("Bind RPC Pipe: %s auth_type %u(%u), auth_level %u\n",
rpccli_pipe_txt(talloc_tos(), cli),
(unsigned int)auth->auth_type,
+ (unsigned int)auth->spnego_type,
(unsigned int)auth->auth_level ));
state->ev = ev;
/* Marshall the outgoing data. */
status = create_rpc_bind_req(state, cli,
- &cli->auth,
+ cli->auth,
state->rpc_call_id,
&cli->abstract_syntax,
&cli->transfer_syntax,
switch(state->cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_NONE:
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
/* Bind complete. */
tevent_req_done(req);
- break;
+ return;
- case PIPE_AUTH_TYPE_NTLMSSP:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
/* Need to send AUTH3 packet - no reply. */
status = rpc_finish_auth3_bind_send(req, state, pkt);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
}
- break;
+ return;
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (state->cli->auth->spnego_type !=
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ break;
+ }
/* Need to send alter context request and reply. */
status = rpc_finish_spnego_ntlmssp_bind_send(req, state, pkt,
&reply_pdu);
if (!NT_STATUS_IS_OK(status)) {
tevent_req_nterror(req, status);
}
- break;
+ return;
- case PIPE_AUTH_TYPE_KRB5:
+ case DCERPC_AUTH_TYPE_KRB5:
/* */
+ break;
default:
- DEBUG(0,("cli_finish_bind_auth: unknown auth type %u\n",
- (unsigned int)state->cli->auth->auth_type));
- tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ break;
}
+
+ DEBUG(0,("cli_finish_bind_auth: unknown auth type %u(%u)\n",
+ (unsigned int)state->cli->auth->auth_type,
+ (unsigned int)state->cli->auth->spnego_type));
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
}
static NTSTATUS rpc_finish_auth3_bind_send(struct tevent_req *req,
{
struct cli_state *cli;
- if ((rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_NTLMSSP)
- || (rpc_cli->auth->auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)) {
+ if ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_NTLMSSP)
+ || ((rpc_cli->auth->auth_type == DCERPC_AUTH_TYPE_SPNEGO
+ && rpc_cli->auth->spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
memcpy(nt_hash, auth_ntlmssp_get_nt_hash(rpc_cli->auth->a_u.auth_ntlmssp_state), 16);
return true;
}
return NT_STATUS_NO_MEMORY;
}
- result->auth_type = PIPE_AUTH_TYPE_NONE;
+ result->auth_type = DCERPC_AUTH_TYPE_NONE;
+ result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = DCERPC_AUTH_LEVEL_NONE;
result->user_name = talloc_strdup(result, "");
}
static NTSTATUS rpccli_ntlmssp_bind_data(TALLOC_CTX *mem_ctx,
- enum pipe_auth_type auth_type,
+ enum dcerpc_AuthType auth_type,
+ enum pipe_auth_type_spnego spnego_type,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
}
result->auth_type = auth_type;
+ result->spnego_type = spnego_type;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, username);
return NT_STATUS_NO_MEMORY;
}
- result->auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ result->auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
+ result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = auth_level;
result->user_name = talloc_strdup(result, "");
return NT_STATUS_NO_MEMORY;
}
- result->auth_type = PIPE_AUTH_TYPE_KRB5;
+ result->auth_type = DCERPC_AUTH_TYPE_KRB5;
+ result->spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
result->auth_level = auth_level;
/*
static NTSTATUS cli_rpc_pipe_open_ntlmssp_internal(struct cli_state *cli,
const struct ndr_syntax_id *interface,
enum dcerpc_transport_t transport,
- enum pipe_auth_type auth_type,
+ bool use_spnego,
enum dcerpc_AuthLevel auth_level,
const char *domain,
const char *username,
{
struct rpc_pipe_client *result;
struct pipe_auth_data *auth;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
+ enum pipe_auth_type_spnego spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
NTSTATUS status;
status = cli_rpc_pipe_open(cli, transport, interface, &result);
return status;
}
- status = rpccli_ntlmssp_bind_data(
- result, auth_type, auth_level, domain, username,
- password, &auth);
+ if (use_spnego) {
+ auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ }
+
+ status = rpccli_ntlmssp_bind_data(result,
+ auth_type, spnego_type, auth_level,
+ domain, username, password,
+ &auth);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("rpccli_ntlmssp_bind_data returned %s\n",
nt_errstr(status)));
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
- PIPE_AUTH_TYPE_NTLMSSP,
+ false,
auth_level,
domain,
username,
return cli_rpc_pipe_open_ntlmssp_internal(cli,
interface,
transport,
- PIPE_AUTH_TYPE_SPNEGO_NTLMSSP,
+ true,
auth_level,
domain,
username,
}
switch (cli->auth->auth_type) {
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
sk = data_blob_const(a->a_u.schannel_auth->creds->session_key,
16);
break;
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ switch (cli->auth->spnego_type) {
+ case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ sk = auth_ntlmssp_get_session_key(
+ a->a_u.auth_ntlmssp_state);
+ break;
+ case PIPE_AUTH_TYPE_SPNEGO_KRB5:
+ sk = data_blob_const(
+ a->a_u.kerberos_auth->session_key.data,
+ a->a_u.kerberos_auth->session_key.length);
+ break;
+ default:
+ return NT_STATUS_NO_USER_SESSION_KEY;
+ }
+ break;
+ case DCERPC_AUTH_TYPE_NTLMSSP:
sk = auth_ntlmssp_get_session_key(a->a_u.auth_ntlmssp_state);
break;
- case PIPE_AUTH_TYPE_KRB5:
- case PIPE_AUTH_TYPE_SPNEGO_KRB5:
+ case DCERPC_AUTH_TYPE_KRB5:
sk = data_blob_const(a->a_u.kerberos_auth->session_key.data,
a->a_u.kerberos_auth->session_key.length);
break;
- case PIPE_AUTH_TYPE_NONE:
+ case DCERPC_AUTH_TYPE_NONE:
sk = data_blob_const(a->user_session_key.data,
a->user_session_key.length);
break;
if (lp_restrict_anonymous() > 0) {
/* schannel, so we must be ok */
- if (p->pipe_bound && (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL)) {
+ if (p->pipe_bound &&
+ (p->auth.auth_type == DCERPC_AUTH_TYPE_SCHANNEL)) {
return True;
}
struct lsa_LookupSids2 q;
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
struct lsa_LookupNames3 q;
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
const char *computer_name,
bool integrity, bool privacy)
{
- if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
+ if (auth_info && auth_info->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (!privacy && !integrity) {
return NT_STATUS_OK;
}
memcpy(pipe_session_key, creds->session_key, 16);
} else {
/* Get the pipe session key from the schannel. */
- if ((p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL)
+ if ((p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL)
|| (p->auth.a_u.schannel_auth == NULL)) {
return NT_STATUS_INVALID_HANDLE;
}
}
/* Only allow this if the pipe is protected. */
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SCHANNEL) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
********************************************************************/
static bool create_next_packet(struct pipes_struct *p,
- enum dcerpc_AuthType auth_type,
- enum dcerpc_AuthLevel auth_level,
size_t auth_length,
size_t *_pad_len)
{
bool create_next_pdu(struct pipes_struct *p)
{
- enum dcerpc_AuthType auth_type =
- map_pipe_auth_type_to_rpc_auth_type(p->auth.auth_type);
size_t auth_len = 0;
size_t pad_len = 0;
NTSTATUS status;
case DCERPC_AUTH_LEVEL_PRIVACY:
switch(p->auth.auth_type) {
- case PIPE_AUTH_TYPE_NTLMSSP:
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ auth_len = NTLMSSP_SIG_SIZE;
+ break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (p->auth.spnego_type !=
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ goto err_out;
+ }
auth_len = NTLMSSP_SIG_SIZE;
break;
- case PIPE_AUTH_TYPE_SCHANNEL:
+ case DCERPC_AUTH_TYPE_SCHANNEL:
auth_len = NL_AUTH_SIGNATURE_SIZE;
break;
goto err_out;
}
- ret = create_next_packet(p, auth_type,
- p->auth.auth_level,
- auth_len, &pad_len);
+ ret = create_next_packet(p, auth_len, &pad_len);
if (!ret) {
return false;
}
free_pipe_auth_data(&p->auth);
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
- p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
p->pipe_bound = False;
return True;
return ret;
}
- if (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP && p->auth.a_u.auth_ntlmssp_state) {
- /* Free any previous auth type. */
- free_pipe_auth_data(&p->auth);
- }
+ /* Free any previous auth type. */
+ free_pipe_auth_data(&p->auth);
if (!got_kerberos_mechanism) {
/* Initialize the NTLM engine. */
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
data_blob_free(&secblob);
data_blob_free(&chal);
* NB. If we've negotiated down from krb5 to NTLMSSP we'll currently
* fail here as 'a' == NULL.
*/
- if (p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO ||
+ p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP || !a) {
DEBUG(0,("pipe_spnego_auth_bind_continue: not in NTLMSSP auth state.\n"));
goto err;
}
/* We're finished with this bind - no more packets. */
p->auth.auth_data_free_func = &free_pipe_schannel_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
p->pipe_bound = True;
p->auth.a_u.auth_ntlmssp_state = a;
p->auth.auth_data_free_func = &free_pipe_ntlmssp_auth_data;
- p->auth.auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
DEBUG(10,("pipe_ntlmssp_auth_bind: NTLMSSP auth started\n"));
if (auth_type == DCERPC_AUTH_TYPE_NONE) {
/* Unauthenticated bind request. */
/* We're finished - no more packets. */
- p->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
+ p->auth.spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
/* We must set the pipe auth_level here also. */
p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
p->pipe_bound = True;
PIPE_RPC_FNS *pipe_fns;
if (p->pipe_bound &&
- ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
- (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
+ (p->auth.spnego_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))) {
if(!become_authenticated_pipe_user(p)) {
data_blob_free(&p->out_data.rdata);
return False;
goto query;
}
- if (p->auth.auth_type != PIPE_AUTH_TYPE_NTLMSSP || p->auth.auth_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
+ ((p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO) &&
+ (p->auth.spnego_type != PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
return NT_STATUS_ACCESS_DENIED;
}
struct dom_sid domain_sid;
-static enum pipe_auth_type pipe_default_auth_type = PIPE_AUTH_TYPE_NONE;
+static enum dcerpc_AuthType pipe_default_auth_type = DCERPC_AUTH_TYPE_NONE;
+static enum pipe_auth_type_spnego pipe_default_auth_spnego_type = 0;
static enum dcerpc_AuthLevel pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
static unsigned int timeout = 0;
static enum dcerpc_transport_t default_transport = NCACN_NP;
const char *type = "NTLMSSP";
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
if (argc > 2) {
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
if (argc == 2) {
type = argv[1];
if (strequal(type, "NTLMSSP")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else if (strequal(type, "NTLMSSP_SPNEGO")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
} else if (strequal(type, "SCHANNEL")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else {
printf("unknown type %s\n", type);
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
const char *type = "NTLMSSP";
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
if (argc > 2) {
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
if (argc == 2) {
type = argv[1];
if (strequal(type, "NTLMSSP")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
} else if (strequal(type, "NTLMSSP_SPNEGO")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
} else if (strequal(type, "SCHANNEL")) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
} else {
printf("unknown type %s\n", type);
printf("Usage: %s [NTLMSSP|NTLMSSP_SPNEGO|SCHANNEL]\n", argv[0]);
int argc, const char **argv)
{
pipe_default_auth_level = DCERPC_AUTH_LEVEL_NONE;
- pipe_default_auth_type = PIPE_AUTH_TYPE_NONE;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NONE;
+ pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NONE;
return cmd_set_ss_level();
}
{
d_printf("Setting schannel - sign and seal\n");
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
return cmd_set_ss_level();
}
{
d_printf("Setting schannel - sign only\n");
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_SCHANNEL;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
return cmd_set_ss_level();
}
if ((cmd_entry->interface != NULL) && (cmd_entry->rpc_pipe == NULL)) {
switch (pipe_default_auth_type) {
- case PIPE_AUTH_TYPE_NONE:
- ntresult = cli_rpc_pipe_open_noauth_transport(
- cli, default_transport,
- cmd_entry->interface,
- &cmd_entry->rpc_pipe);
- break;
- case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
- ntresult = cli_rpc_pipe_open_spnego_ntlmssp(
- cli, cmd_entry->interface,
- default_transport,
- pipe_default_auth_level,
- get_cmdline_auth_info_domain(auth_info),
- get_cmdline_auth_info_username(auth_info),
- get_cmdline_auth_info_password(auth_info),
- &cmd_entry->rpc_pipe);
- break;
- case PIPE_AUTH_TYPE_NTLMSSP:
- ntresult = cli_rpc_pipe_open_ntlmssp(
- cli, cmd_entry->interface,
- default_transport,
- pipe_default_auth_level,
- get_cmdline_auth_info_domain(auth_info),
- get_cmdline_auth_info_username(auth_info),
- get_cmdline_auth_info_password(auth_info),
- &cmd_entry->rpc_pipe);
- break;
- case PIPE_AUTH_TYPE_SCHANNEL:
- ntresult = cli_rpc_pipe_open_schannel(
- cli, cmd_entry->interface,
- default_transport,
- pipe_default_auth_level,
- get_cmdline_auth_info_domain(auth_info),
- &cmd_entry->rpc_pipe);
- break;
- default:
- DEBUG(0, ("Could not initialise %s. Invalid "
- "auth type %u\n",
+ case DCERPC_AUTH_TYPE_NONE:
+ ntresult = cli_rpc_pipe_open_noauth_transport(
+ cli, default_transport,
+ cmd_entry->interface,
+ &cmd_entry->rpc_pipe);
+ break;
+ case DCERPC_AUTH_TYPE_SPNEGO:
+ if (pipe_default_auth_spnego_type !=
+ PIPE_AUTH_TYPE_SPNEGO_NTLMSSP) {
+ DEBUG(0, ("Could not initialise %s. "
+ "Currently only NTLMSSP is "
+ "supported for SPNEGO\n",
get_pipe_name_from_syntax(
- talloc_tos(),
- cmd_entry->interface),
- pipe_default_auth_type ));
+ talloc_tos(),
+ cmd_entry->interface)));
return NT_STATUS_UNSUCCESSFUL;
+ }
+ ntresult = cli_rpc_pipe_open_spnego_ntlmssp(
+ cli, cmd_entry->interface,
+ default_transport,
+ pipe_default_auth_level,
+ get_cmdline_auth_info_domain(auth_info),
+ get_cmdline_auth_info_username(auth_info),
+ get_cmdline_auth_info_password(auth_info),
+ &cmd_entry->rpc_pipe);
+ break;
+ case DCERPC_AUTH_TYPE_NTLMSSP:
+ ntresult = cli_rpc_pipe_open_ntlmssp(
+ cli, cmd_entry->interface,
+ default_transport,
+ pipe_default_auth_level,
+ get_cmdline_auth_info_domain(auth_info),
+ get_cmdline_auth_info_username(auth_info),
+ get_cmdline_auth_info_password(auth_info),
+ &cmd_entry->rpc_pipe);
+ break;
+ case DCERPC_AUTH_TYPE_SCHANNEL:
+ ntresult = cli_rpc_pipe_open_schannel(
+ cli, cmd_entry->interface,
+ default_transport,
+ pipe_default_auth_level,
+ get_cmdline_auth_info_domain(auth_info),
+ &cmd_entry->rpc_pipe);
+ break;
+ default:
+ DEBUG(0, ("Could not initialise %s. Invalid "
+ "auth type %u\n",
+ get_pipe_name_from_syntax(
+ talloc_tos(),
+ cmd_entry->interface),
+ pipe_default_auth_type ));
+ return NT_STATUS_UNSUCCESSFUL;
}
if (!NT_STATUS_IS_OK(ntresult)) {
DEBUG(0, ("Could not initialise %s. Error was %s\n",
if (binding->flags & DCERPC_SIGN) {
pipe_default_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_SEAL) {
pipe_default_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_SPNEGO) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_NTLM) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_NTLMSSP;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
}
if (binding->flags & DCERPC_AUTH_KRB5) {
- pipe_default_auth_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
+ pipe_default_auth_type = DCERPC_AUTH_TYPE_SPNEGO;
+ pipe_default_auth_spnego_type = PIPE_AUTH_TYPE_SPNEGO_KRB5;
}
if (get_cmdline_auth_info_use_kerberos(rpcclient_auth_info)) {