rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
authorVolker Lendecke <vl@samba.org>
Thu, 7 Sep 2017 10:43:00 +0000 (12:43 +0200)
committerVolker Lendecke <vl@samba.org>
Mon, 25 Sep 2017 07:43:12 +0000 (09:43 +0200)
This provides cleaner data dependencies. A netlogon_creds_ctx contains
everything required to open an schannel, there is no good reason to
require cli_credentials here.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/auth/netlogon_creds_cli.c
source3/libnet/libnet_join.c
source3/rpc_client/cli_pipe.c
source3/rpc_client/cli_pipe.h
source3/rpc_client/cli_pipe_schannel.c
source3/winbindd/winbindd_cm.c

index 25f14316dc2a2987faba9266eb2dbb31c835f320..3209f6cf871a6c385a4d048372ccb1fffd2e1dcd 100644 (file)
@@ -474,6 +474,7 @@ NTSTATUS netlogon_creds_bind_cli_credentials(
                TALLOC_FREE(cli_creds);
                return status;
        }
+       cli_credentials_set_netlogon_creds(cli_creds, ncreds);
 
        *pcli_creds = cli_creds;
        return NT_STATUS_OK;
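Review bot: The added `cli_credentials_set_netlogon_creds(cli_creds, ncreds);` changes what netlogon_creds_bind_cli_credentials returns to every caller, and nothing at the call says so. The returned `cli_creds` now carries the schannel session state. A comment above the call would make the new contract explicit, for example `/* cli_creds now carries the netlogon session state; callers release it once the bind is done */`. Whether the setter copies `ncreds` or takes a reference is not visible in this hunk, so the comment should also say which object owns that state. The function body starts outside the hunk.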
index 5880913a39f4bcba6905deabe2d53c0a6bf21a24..eb6b894908f4575019294505bce66d36200b136f 100644 (file)
@@ -1662,7 +1662,6 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
 
        status = cli_rpc_pipe_open_schannel_with_creds(
                cli, &ndr_table_netlogon, NCACN_NP,
-               cli_creds,
                netlogon_creds, &netlogon_pipe);
 
        TALLOC_FREE(netlogon_pipe);
index 07476c745fe20faec53f6a6bd00c5a71f079fcd3..5e87bad46a2c251b2f6e96c3ffa443ba8696c8e0 100644 (file)
@@ -3275,7 +3275,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
                                               const struct ndr_interface_table *table,
                                               enum dcerpc_transport_t transport,
-                                              struct cli_credentials *cli_creds,
                                               struct netlogon_creds_cli_context *netlogon_creds,
                                               struct rpc_pipe_client **_rpccli)
 {
@@ -3283,6 +3282,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
        struct pipe_auth_data *rpcauth;
        const char *target_service = table->authservices->names[0];
        struct netlogon_creds_CredentialState *ncreds = NULL;
+       struct cli_credentials *cli_creds;
        enum dcerpc_AuthLevel auth_level;
        NTSTATUS status;
        int rpc_pipe_bind_dbglvl = 0;
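Review bot: `cli_creds` is declared without an initializer, while `ncreds` directly above it starts out as NULL. The pointer is later passed to `talloc_unlink()` and reset to NULL by hand. Initializing it would keep any future early-exit path from touching an indeterminate value: `struct cli_credentials *cli_creds = NULL;`. The function body continues outside the hunk.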
@@ -3302,7 +3302,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
 
        auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
 
-       cli_credentials_set_netlogon_creds(cli_creds, ncreds);
+       status = netlogon_creds_bind_cli_credentials(
+               netlogon_creds, rpccli, &cli_creds);
+       if (!NT_STATUS_IS_OK(status)) {
+               DBG_DEBUG("netlogon_creds_bind_cli_credentials failed: %s\n",
+                         nt_errstr(status));
+               TALLOC_FREE(rpccli);
+               return status;
+       }
 
        status = rpccli_generic_bind_data_from_creds(rpccli,
                                                     DCERPC_AUTH_TYPE_SCHANNEL,
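Review bot: After this change the function holds two views of the netlogon state, and the diff does not show that they are the same. One is attached to `cli_creds` inside `netlogon_creds_bind_cli_credentials()`; the other is the local `ncreds`, which is still passed to `netlogon_creds_cli_delete()` on NT_STATUS_NETWORK_ACCESS_DENIED in the next hunk. How the local `ncreds` is obtained lies outside the hunk, so a reader cannot tell whether the state used for the bind is the one that gets deleted when the server rejects it. A short comment at the bind call would settle it, for example `/* binds the stored state that ncreds was read from; ncreds is kept only for netlogon_creds_cli_delete() */`. If the two can differ, that should be handled explicitly.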
@@ -3319,7 +3326,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
        }
 
        status = rpc_pipe_bind(rpccli, rpcauth);
-       cli_credentials_set_netlogon_creds(cli_creds, NULL);
+
+       /* No TALLOC_FREE, gensec takes references */
+       talloc_unlink(rpccli, cli_creds);
+       cli_creds = NULL;
+
        if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
                rpc_pipe_bind_dbglvl = 1;
                netlogon_creds_cli_delete(netlogon_creds, ncreds);
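Review bot: The removed `cli_credentials_set_netlogon_creds(cli_creds, NULL)` detached the netlogon state from the credentials right after `rpc_pipe_bind()`, and the replacement only drops rpccli's parent link. Going by the new comment, `cli_creds` and the session state bound to it now stay alive for as long as gensec holds its references. If that longer lifetime is intended, the comment should say so, for example `/* gensec holds references: cli_creds and the netlogon state set on it live until the gensec context is freed */`. The return value of `talloc_unlink()` is also ignored; it returns -1 when rpccli is not a parent, which would be worth at least a debug message. The function continues past the end of this hunk.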
index 2290d62b49d864fb711798bcfd968b3d6c8ed8dc..5df43c57e952e45b1706ebbf6041a62dd215da7a 100644 (file)
@@ -102,7 +102,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
 NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
                                               const struct ndr_interface_table *table,
                                               enum dcerpc_transport_t transport,
-                                              struct cli_credentials *cli_creds,
                                               struct netlogon_creds_cli_context *netlogon_creds,
                                               struct rpc_pipe_client **_rpccli);
 
index a94429538c75d73b6e36d2df1e490f7bd93f8659..8a8177be2e550802a3ae5642413f99f0e24d3414 100644 (file)
@@ -93,7 +93,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
        if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
                status = cli_rpc_pipe_open_schannel_with_creds(cli, table,
                                                               transport,
-                                                              cli_creds,
                                                               netlogon_creds,
                                                               &result);
                if (!NT_STATUS_IS_OK(status)) {
index afde0c87b7ab924e8c3079d1a604b6923ca3e445..a5e5ab3f4e35879618d27c48aa2ea09e5c3e2934 100644 (file)
@@ -2771,9 +2771,9 @@ retry:
                           nt_errstr(result)));
                goto anonymous;
        }
-       status = cli_rpc_pipe_open_schannel_with_creds
-               (conn->cli, &ndr_table_samr, NCACN_NP,
-                creds, p_creds, &conn->samr_pipe);
+       status = cli_rpc_pipe_open_schannel_with_creds(
+               conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
+               &conn->samr_pipe);
 
        if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
            && !retry) {
@@ -2950,7 +2950,6 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
        status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
                                                       &ndr_table_lsarpc,
                                                       NCACN_IP_TCP,
-                                                      creds,
                                                       p_creds,
                                                       &conn->lsa_pipe_tcp);
        if (!NT_STATUS_IS_OK(status)) {
@@ -3077,9 +3076,9 @@ retry:
                           nt_errstr(result)));
                goto anonymous;
        }
-       result = cli_rpc_pipe_open_schannel_with_creds
-               (conn->cli, &ndr_table_lsarpc, NCACN_NP,
-                creds, p_creds, &conn->lsa_pipe);
+       result = cli_rpc_pipe_open_schannel_with_creds(
+               conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
+               &conn->lsa_pipe);
 
        if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
            && !retry) {
@@ -3343,7 +3342,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
 
        result = cli_rpc_pipe_open_schannel_with_creds(
                conn->cli, &ndr_table_netlogon, transport,
-               creds,
                conn->netlogon_creds_ctx,
                &conn->netlogon_pipe);
        if (!NT_STATUS_IS_OK(result)) {