DEBUG(0,("cli_pipe_verify_ntlmssp: failed to unseal "
"packet from remote machine %s on pipe %s "
"fnum 0x%x. Error was %s.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
nt_errstr(status) ));
DEBUG(0,("cli_pipe_verify_ntlmssp: check signing failed on "
"packet from remote machine %s on pipe %s "
"fnum 0x%x. Error was %s.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
nt_errstr(status) ));
DEBUG(3,("cli_pipe_verify_schannel: failed to decode PDU "
"Connection to remote machine %s "
"pipe %s fnum 0x%x.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum ));
return NT_STATUS_INVALID_PARAMETER;
if (prhdr->auth_len) {
DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
"pipe %s fnum 0x%x - got non-zero auth len %u.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
(unsigned int)prhdr->auth_len ));
default:
DEBUG(3, ("cli_pipe_validate_rpc_response: Connection to remote machine %s "
"pipe %s fnum %x - unknown internal auth type %u.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
cli->auth.auth_type ));
case RPC_BINDNACK:
DEBUG(1, ("cli_pipe_validate_current_pdu: Bind NACK received from remote machine %s "
"pipe %s fnum 0x%x!\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
/* Use this for now... */
DEBUG(1, ("cli_pipe_validate_current_pdu: RPC fault code %s received from remote machine %s "
"pipe %s fnum 0x%x!\n",
dcerpc_errstr(NT_STATUS_V(fault_resp.status)),
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
if (NT_STATUS_IS_OK(fault_resp.status)) {
DEBUG(0, ("cli_pipe_validate_current_pdu: unknown packet type %u received "
"from remote machine %s pipe %s fnum 0x%x!\n",
(unsigned int)prhdr->pkt_type,
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
return NT_STATUS_INVALID_INFO_CLASS;
DEBUG(3, ("cli_pipe_validate_current_pdu: Connection to remote machine %s "
"pipe %s fnum %x got an unexpected RPC packet "
"type - %u, not %u\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
prhdr->pkt_type,
/* Common case. */
if (current_pdu_len == (uint32)prhdr->frag_len) {
prs_mem_free(current_pdu);
- prs_init(current_pdu, 0, prs_get_mem_context(current_pdu), UNMARSHALL);
+ prs_init_empty(current_pdu, prs_get_mem_context(current_pdu), UNMARSHALL);
/* Make current_pdu dynamic with no memory. */
prs_give_memory(current_pdu, 0, 0, True);
return NT_STATUS_OK;
#endif
/* Set up the current pdu parse struct. */
- prs_init(¤t_pdu, 0, prs_get_mem_context(rbuf), UNMARSHALL);
+ prs_init_empty(¤t_pdu, prs_get_mem_context(rbuf), UNMARSHALL);
/* Create setup parameters - must be in native byte order. */
setup[0] = TRANSACT_DCERPCCMD;
setup[1] = cli->fnum; /* Pipe file handle. */
DEBUG(5,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum ));
{
DEBUG(0, ("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x "
"returned critical error. Error was %s\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
cli_errstr(cli->cli)));
if (prdata == NULL) {
DEBUG(3,("rpc_api_pipe: Remote machine %s pipe %s "
"fnum 0x%x failed to return data.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
/* Yes - some calls can truely return no data... */
/* Set the data type correctly for big-endian data on the first packet. */
DEBUG(10,("rpc_api_pipe: On machine %s pipe %s fnum 0x%x "
"PDU data format is big-endian.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
}
DEBUG(10,("rpc_api_pipe: Remote machine %s pipe %s fnum 0x%x returned %u bytes.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum,
(unsigned int)prs_data_size(rbuf) ));
/* Use lp_workgroup() if domain not specified */
if (!cli->domain || !cli->domain[0]) {
- cli->domain = lp_workgroup();
+ cli->domain = talloc_strdup(cli, lp_workgroup());
+ if (cli->domain == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
}
init_rpc_auth_schannel_neg(&schannel_neg, cli->domain, global_myname());
static NTSTATUS create_bind_or_alt_ctx_internal(enum RPC_PKT_TYPE pkt_type,
prs_struct *rpc_out,
uint32 rpc_call_id,
- RPC_IFACE *abstract,
- RPC_IFACE *transfer,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
RPC_HDR_AUTH *phdr_auth,
prs_struct *pauth_info)
{
static NTSTATUS create_rpc_bind_req(struct rpc_pipe_client *cli,
prs_struct *rpc_out,
uint32 rpc_call_id,
- RPC_IFACE *abstract, RPC_IFACE *transfer,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
enum pipe_auth_type auth_type,
enum pipe_auth_level auth_level)
{
NTSTATUS ret = NT_STATUS_OK;
ZERO_STRUCT(hdr_auth);
- prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL);
+ if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
+ return NT_STATUS_NO_MEMORY;
switch (auth_type) {
case PIPE_AUTH_TYPE_SCHANNEL:
return NT_STATUS_INVALID_PARAMETER;
}
- prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL);
+ if (!prs_init(&outgoing_pdu, cli->max_xmit_frag, prs_get_mem_context(in_data), MARSHALL))
+ return NT_STATUS_NO_MEMORY;
while (1) {
RPC_HDR hdr;
char *dump_name = NULL;
/* Also capture received data */
if (asprintf(&dump_name, "%s/reply_%s_%d",
- dyn_LOGFILEBASE, cli->pipe_name,
+ get_dyn_LOGFILEBASE(), cli->pipe_name,
op_num) > 0) {
prs_dump(dump_name, op_num, out_data);
SAFE_FREE(dump_name);
Check the rpc bind acknowledge response.
****************************************************************************/
-static bool valid_pipe_name(const int pipe_idx, RPC_IFACE *abstract, RPC_IFACE *transfer)
-{
- if ( pipe_idx >= PI_MAX_PIPES ) {
- DEBUG(0,("valid_pipe_name: Programmer error! Invalid pipe index [%d]\n",
- pipe_idx));
- return False;
- }
-
- DEBUG(5,("Bind Abstract Syntax: "));
- dump_data(5, (uint8 *)&pipe_names[pipe_idx].abstr_syntax,
- sizeof(pipe_names[pipe_idx].abstr_syntax));
- DEBUG(5,("Bind Transfer Syntax: "));
- dump_data(5, (uint8 *)&pipe_names[pipe_idx].trans_syntax,
- sizeof(pipe_names[pipe_idx].trans_syntax));
-
- /* copy the required syntaxes out so we can do the right bind */
-
- *transfer = pipe_names[pipe_idx].trans_syntax;
- *abstract = pipe_names[pipe_idx].abstr_syntax;
-
- return True;
-}
-
-/****************************************************************************
- Check the rpc bind acknowledge response.
-****************************************************************************/
-
-static bool check_bind_response(RPC_HDR_BA *hdr_ba, const int pipe_idx, RPC_IFACE *transfer)
+static bool check_bind_response(RPC_HDR_BA *hdr_ba, const RPC_IFACE *transfer)
{
if ( hdr_ba->addr.len == 0) {
DEBUG(4,("Ignoring length check -- ASU bug (server didn't fill in the pipe name correctly)"));
}
-# if 0 /* JERRY -- apparently ASU forgets to fill in the server pipe name sometimes */
- if ( !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].client_pipe) &&
- !strequal(hdr_ba->addr.str, pipe_names[pipe_idx].server_pipe) )
- {
- DEBUG(4,("bind_rpc_pipe: pipe_name %s != expected pipe %s. oh well!\n",
- pipe_names[i].server_pipe ,hdr_ba->addr.str));
- return False;
- }
-
- DEBUG(5,("bind_rpc_pipe: server pipe_name found: %s\n", pipe_names[i].server_pipe ));
-
- if (pipe_names[pipe_idx].server_pipe == NULL) {
- DEBUG(2,("bind_rpc_pipe: pipe name %s unsupported\n", hdr_ba->addr.str));
- return False;
- }
-#endif /* JERRY */
-
/* check the transfer syntax */
- if ((hdr_ba->transfer.version != transfer->version) ||
+ if ((hdr_ba->transfer.if_version != transfer->if_version) ||
(memcmp(&hdr_ba->transfer.uuid, &transfer->uuid, sizeof(transfer->uuid)) !=0)) {
DEBUG(2,("bind_rpc_pipe: transfer syntax differs\n"));
return False;
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
+ data_blob_free(&server_response);
return nt_status;
}
- prs_init(&rpc_out, 0, prs_get_mem_context(rbuf), MARSHALL);
+ prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
nt_status = create_rpc_bind_auth3(cli, rpc_call_id,
auth_type, auth_level,
DEBUG(5,("rpc_send_auth_auth3: Remote machine %s pipe %s "
"fnum 0x%x sent auth3 response ok.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
********************************************************************/
static NTSTATUS create_rpc_alter_context(uint32 rpc_call_id,
- RPC_IFACE *abstract,
- RPC_IFACE *transfer,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
enum pipe_auth_level auth_level,
const DATA_BLOB *pauth_blob, /* spnego auth blob already created. */
prs_struct *rpc_out)
NTSTATUS ret = NT_STATUS_OK;
ZERO_STRUCT(hdr_auth);
- prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL);
+ if (!prs_init(&auth_info, RPC_HDR_AUTH_LEN, prs_get_mem_context(rpc_out), MARSHALL))
+ return NT_STATUS_NO_MEMORY;
/* We may change the pad length before marshalling. */
init_rpc_hdr_auth(&hdr_auth, RPC_SPNEGO_AUTH_TYPE, (int)auth_level, 0, 1);
RPC_HDR *phdr,
prs_struct *rbuf,
uint32 rpc_call_id,
- RPC_IFACE *abstract,
- RPC_IFACE *transfer,
+ const RPC_IFACE *abstract,
+ const RPC_IFACE *transfer,
enum pipe_auth_type auth_type,
enum pipe_auth_level auth_level)
{
tmp_blob = data_blob_null; /* Ensure it's safe to free this just in case. */
/* Now prepare the alter context pdu. */
- prs_init(&rpc_out, 0, prs_get_mem_context(rbuf), MARSHALL);
+ prs_init_empty(&rpc_out, prs_get_mem_context(rbuf), MARSHALL);
nt_status = create_rpc_alter_context(rpc_call_id,
abstract,
/* Initialize the returning data struct. */
prs_mem_free(rbuf);
- prs_init(rbuf, 0, cli->cli->mem_ctx, UNMARSHALL);
+ prs_init_empty(rbuf, talloc_tos(), UNMARSHALL);
nt_status = rpc_api_pipe(cli, &rpc_out, rbuf, RPC_ALTCONTRESP);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(5,("rpc_finish_spnego_ntlmssp_bind: alter context request to "
"remote machine %s pipe %s fnum 0x%x.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
{
RPC_HDR hdr;
RPC_HDR_BA hdr_ba;
- RPC_IFACE abstract;
- RPC_IFACE transfer;
prs_struct rpc_out;
prs_struct rbuf;
uint32 rpc_call_id;
(unsigned int)auth_type,
(unsigned int)auth_level ));
- if (!valid_pipe_name(cli->pipe_idx, &abstract, &transfer)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- prs_init(&rpc_out, 0, cli->cli->mem_ctx, MARSHALL);
+ prs_init_empty(&rpc_out, talloc_tos(), MARSHALL);
rpc_call_id = get_rpc_call_id();
/* Marshall the outgoing data. */
status = create_rpc_bind_req(cli, &rpc_out, rpc_call_id,
- &abstract, &transfer,
+ cli->abstract_syntax,
+ cli->transfer_syntax,
auth_type,
auth_level);
}
/* Initialize the incoming data struct. */
- prs_init(&rbuf, 0, cli->cli->mem_ctx, UNMARSHALL);
+ prs_init_empty(&rbuf, talloc_tos(), UNMARSHALL);
/* send data on \PIPE\. receive a response */
status = rpc_api_pipe(cli, &rpc_out, &rbuf, RPC_BINDACK);
DEBUG(3,("rpc_pipe_bind: Remote machine %s pipe %s "
"fnum 0x%x bind request returned ok.\n",
- cli->cli->desthost,
+ cli->desthost,
cli->pipe_name,
(unsigned int)cli->fnum));
return NT_STATUS_BUFFER_TOO_SMALL;
}
- if(!check_bind_response(&hdr_ba, cli->pipe_idx, &transfer)) {
+ if(!check_bind_response(&hdr_ba, cli->transfer_syntax)) {
DEBUG(2,("rpc_pipe_bind: check_bind_response failed.\n"));
prs_mem_free(&rbuf);
return NT_STATUS_BUFFER_TOO_SMALL;
case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
/* Need to send alter context request and reply. */
status = rpc_finish_spnego_ntlmssp_bind(cli, &hdr, &rbuf, rpc_call_id,
- &abstract, &transfer,
+ cli->abstract_syntax,
+ cli->transfer_syntax,
auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
prs_mem_free(&rbuf);
return NT_STATUS_OK;
}
+unsigned int rpccli_set_timeout(struct rpc_pipe_client *cli,
+ unsigned int timeout)
+{
+ return cli_set_timeout(cli->cli, timeout);
+}
+
+bool rpccli_is_pipe_idx(struct rpc_pipe_client *cli, int pipe_idx)
+{
+ return (cli->abstract_syntax == pipe_names[pipe_idx].abstr_syntax);
+}
+
+static int rpc_pipe_destructor(struct rpc_pipe_client *p)
+{
+ bool ret;
+
+ ret = cli_close(p->cli, p->fnum);
+ if (!ret) {
+ DEBUG(1, ("rpc_pipe_destructor: cli_close failed on pipe %s, "
+ "fnum 0x%x to machine %s. Error was %s\n",
+ p->pipe_name, (int) p->fnum,
+ p->desthost, cli_errstr(p->cli)));
+ }
+
+ if (p->auth.cli_auth_data_free_func) {
+ (*p->auth.cli_auth_data_free_func)(&p->auth);
+ }
+
+ DEBUG(10, ("rpc_pipe_destructor: closed pipe %s to machine %s\n",
+ p->pipe_name, p->desthost ));
+
+ DLIST_REMOVE(p->cli->pipe_list, p);
+
+ return ret ? -1 : 0;
+}
+
/****************************************************************************
Open a named pipe over SMB to a remote server.
*
static struct rpc_pipe_client *cli_rpc_pipe_open(struct cli_state *cli, int pipe_idx, NTSTATUS *perr)
{
- TALLOC_CTX *mem_ctx;
struct rpc_pipe_client *result;
int fnum;
/* The pipe name index must fall within our array */
SMB_ASSERT((pipe_idx >= 0) && (pipe_idx < PI_MAX_PIPES));
- mem_ctx = talloc_init("struct rpc_pipe_client");
- if (mem_ctx == NULL) {
+ result = TALLOC_ZERO_P(NULL, struct rpc_pipe_client);
+ if (result == NULL) {
+ *perr = NT_STATUS_NO_MEMORY;
return NULL;
}
- result = TALLOC_ZERO_P(mem_ctx, struct rpc_pipe_client);
- if (result == NULL) {
+ result->pipe_name = cli_get_pipe_name(pipe_idx);
+
+ result->cli = cli;
+ result->abstract_syntax = pipe_names[pipe_idx].abstr_syntax;
+ result->transfer_syntax = pipe_names[pipe_idx].trans_syntax;
+ result->auth.auth_type = PIPE_AUTH_TYPE_NONE;
+ result->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
+
+ result->domain = talloc_strdup(result, cli->domain);
+ result->user_name = talloc_strdup(result, cli->user_name);
+ result->desthost = talloc_strdup(result, cli->desthost);
+ result->srv_name_slash = talloc_asprintf_strupper_m(
+ result, "\\\\%s", result->desthost);
+
+ if ((result->domain == NULL)
+ || (result->user_name == NULL)
+ || (result->desthost == NULL)
+ || (result->srv_name_slash == NULL)) {
+ *perr = NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(result);
return NULL;
}
- result->mem_ctx = mem_ctx;
-
- result->pipe_name = cli_get_pipe_name(pipe_idx);
+ if (pipe_idx == PI_NETLOGON) {
+ /* Set up a netlogon credential chain for a netlogon pipe. */
+ result->dc = TALLOC_ZERO_P(result, struct dcinfo);
+ if (result->dc == NULL) {
+ *perr = NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(result);
+ return NULL;
+ }
+ }
fnum = cli_nt_create(cli, result->pipe_name, DESIRED_ACCESS_PIPE);
-
if (fnum == -1) {
DEBUG(1,("cli_rpc_pipe_open: cli_nt_create failed on pipe %s "
"to machine %s. Error was %s\n",
result->pipe_name, cli->desthost,
cli_errstr(cli)));
*perr = cli_get_nt_error(cli);
- talloc_destroy(result->mem_ctx);
+ talloc_destroy(result);
return NULL;
}
result->fnum = fnum;
- result->cli = cli;
- result->pipe_idx = pipe_idx;
- result->auth.auth_type = PIPE_AUTH_TYPE_NONE;
- result->auth.auth_level = PIPE_AUTH_LEVEL_NONE;
-
- if (pipe_idx == PI_NETLOGON) {
- /* Set up a netlogon credential chain for a netlogon pipe. */
- result->dc = TALLOC_ZERO_P(mem_ctx, struct dcinfo);
- if (result->dc == NULL) {
- talloc_destroy(result->mem_ctx);
- return NULL;
- }
- }
DLIST_ADD(cli->pipe_list, result);
+ talloc_set_destructor(result, rpc_pipe_destructor);
+
*perr = NT_STATUS_OK;
return result;
*perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_NONE, PIPE_AUTH_LEVEL_NONE);
if (!NT_STATUS_IS_OK(*perr)) {
int lvl = 0;
- if (pipe_idx == PI_LSARPC_DS) {
+ if (rpccli_is_pipe_idx(result, PI_DSSETUP)) {
/* non AD domains just don't have this pipe, avoid
* level 0 statement in that case - gd */
lvl = 3;
}
DEBUG(lvl, ("cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe %s failed with error %s\n",
cli_get_pipe_name(pipe_idx), nt_errstr(*perr) ));
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
result->auth.cli_auth_data_free_func = cli_ntlmssp_auth_free;
- result->domain = domain;
- result->user_name = username;
+ TALLOC_FREE(result->domain);
+ TALLOC_FREE(result->user_name);
+
+ result->domain = talloc_strdup(result, domain);
+ result->user_name = talloc_strdup(result, username);
+
+ if ((result->domain == NULL) || (result->user_name == NULL)) {
+ *perr = NT_STATUS_NO_MEMORY;
+ goto err;
+ }
+
pwd_set_cleartext(&result->pwd, password);
*perr = ntlmssp_client_start(&ntlmssp_state);
result->auth.a_u.ntlmssp_state = ntlmssp_state;
- *perr = ntlmssp_set_username(ntlmssp_state, cli->user_name);
+ *perr = ntlmssp_set_username(ntlmssp_state, username);
if (!NT_STATUS_IS_OK(*perr)) {
goto err;
}
- *perr = ntlmssp_set_domain(ntlmssp_state, cli->domain);
+ *perr = ntlmssp_set_domain(ntlmssp_state, domain);
if (!NT_STATUS_IS_OK(*perr)) {
goto err;
}
goto err;
}
- DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to machine %s and"
- "bound NTLMSSP as user %s\\%s.\n",
+ DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
+ "machine %s and bound NTLMSSP as user %s\\%s.\n",
result->pipe_name, cli->desthost,
domain, username ));
err:
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
}
/****************************************************************************
- Open a netlogon pipe and get the schannel session key.
- Now exposed to external callers.
+ Get a the schannel session key out of an already opened netlogon pipe.
****************************************************************************/
-
-struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
- const char *domain,
- uint32 *pneg_flags,
- NTSTATUS *perr)
+static bool get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+ struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
{
- struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
- fstring machine_account;
-
- netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
- if (!netlogon_pipe) {
- return NULL;
- }
+ const char *machine_account;
/* Get the machine account credentials from secrets.tdb. */
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+ if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+ &sec_chan_type))
+ {
DEBUG(0, ("get_schannel_session_key: could not fetch "
"trust account password for domain '%s'\n",
domain));
- cli_rpc_pipe_close(netlogon_pipe);
*perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- return NULL;
+ return false;
}
- /* A DC should use DOMAIN$ as its account name.
- A member server can only use it's machine name since it
- does not have an account in a trusted domain.
-
- We don't check the domain against lp_workgroup() here since
- 'net ads join' has to continue to work with only the realm
- specified in smb.conf. -- jerry */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
- fstrcpy( machine_account, lp_workgroup() );
- } else {
- fstrcpy(machine_account, global_myname());
- }
-
*perr = rpccli_netlogon_setup_creds(netlogon_pipe,
cli->desthost, /* server name */
domain, /* domain */
pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) {
- DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
+ DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
"failed with result %s to server %s, domain %s, machine account %s.\n",
nt_errstr(*perr), cli->desthost, domain, machine_account ));
- cli_rpc_pipe_close(netlogon_pipe);
- return NULL;
+ return false;
}
if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
cli->desthost));
- cli_rpc_pipe_close(netlogon_pipe);
*perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ return false;
+ }
+
+ return true;
+}
+
+/****************************************************************************
+ Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
+ ****************************************************************************/
+
+
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+ const char *domain,
+ uint32 *pneg_flags,
+ NTSTATUS *perr)
+{
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+
+ netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
+ if (!netlogon_pipe) {
+ return NULL;
+ }
+
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
+ TALLOC_FREE(netlogon_pipe);
return NULL;
}
return NULL;
}
- result->auth.a_u.schannel_auth = TALLOC_ZERO_P(result->mem_ctx, struct schannel_auth_struct);
+ result->auth.a_u.schannel_auth = TALLOC_ZERO_P(
+ result, struct schannel_auth_struct);
if (!result->auth.a_u.schannel_auth) {
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
+ *perr = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ TALLOC_FREE(result->domain);
+ result->domain = talloc_strdup(result, domain);
+ if (result->domain == NULL) {
+ TALLOC_FREE(result);
*perr = NT_STATUS_NO_MEMORY;
return NULL;
}
- result->domain = domain;
memcpy(result->auth.a_u.schannel_auth->sess_key, pdc->sess_key, 16);
*perr = rpc_pipe_bind(result, PIPE_AUTH_TYPE_SCHANNEL, auth_level);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(0, ("cli_rpc_pipe_open_schannel_with_key: cli_rpc_pipe_bind failed with error %s\n",
nt_errstr(*perr) ));
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
NTSTATUS *perr)
{
struct rpc_pipe_client *netlogon_pipe = NULL;
- uint32 sec_chan_type = 0;
- unsigned char machine_pwd[16];
- fstring machine_account;
netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
if (!netlogon_pipe) {
return NULL;
}
- /* Get the machine account credentials from secrets.tdb. */
- if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
- DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
- "trust account password for domain '%s'\n",
- domain));
- cli_rpc_pipe_close(netlogon_pipe);
- *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
- return NULL;
- }
-
- /* if we are a DC and this is a trusted domain, then we need to use our
- domain name in the net_req_auth2() request */
-
- if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
- fstrcpy( machine_account, lp_workgroup() );
- } else {
- /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
- if (strequal(domain, lp_workgroup())) {
- fstrcpy(machine_account, global_myname());
- } else {
- fstrcpy(machine_account, domain);
- }
- }
-
- *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
- cli->desthost, /* server name */
- domain, /* domain */
- global_myname(), /* client name */
- machine_account, /* machine account name */
- machine_pwd,
- sec_chan_type,
- pneg_flags);
-
- if (!NT_STATUS_IS_OK(*perr)) {
- DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
- "failed with result %s\n",
- nt_errstr(*perr) ));
- cli_rpc_pipe_close(netlogon_pipe);
- return NULL;
- }
-
- if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
- DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
- cli->desthost));
- cli_rpc_pipe_close(netlogon_pipe);
- *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+ if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+ pneg_flags, perr))
+ {
+ TALLOC_FREE(netlogon_pipe);
return NULL;
}
const char *password,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;
domain, netlogon_pipe->dc, perr);
/* Now we've bound using the session key we can close the netlog pipe. */
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
return result;
}
const char *domain,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+ uint32_t neg_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;
domain, netlogon_pipe->dc, perr);
/* Now we've bound using the session key we can close the netlog pipe. */
- cli_rpc_pipe_close(netlogon_pipe);
+ TALLOC_FREE(netlogon_pipe);
return result;
}
/* Default service principal is "desthost$@realm" */
if (!service_princ) {
- service_princ = talloc_asprintf(result->mem_ctx, "%s$@%s",
- cli->desthost, lp_realm() );
+ service_princ = talloc_asprintf(result, "%s$@%s",
+ cli->desthost, lp_realm() );
if (!service_princ) {
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
}
if (username && password) {
int ret = kerberos_kinit_password(username, password, 0, NULL);
if (ret) {
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
}
- result->auth.a_u.kerberos_auth = TALLOC_ZERO_P(cli->mem_ctx, struct kerberos_auth_struct);
+ result->auth.a_u.kerberos_auth = TALLOC_ZERO_P(
+ result, struct kerberos_auth_struct);
if (!result->auth.a_u.kerberos_auth) {
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
*perr = NT_STATUS_NO_MEMORY;
return NULL;
}
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(0, ("cli_rpc_pipe_open_krb5: cli_rpc_pipe_bind failed with error %s\n",
nt_errstr(*perr) ));
- cli_rpc_pipe_close(result);
+ TALLOC_FREE(result);
return NULL;
}
return NULL;
#endif
}
-
-#if 0 /* Moved to libsmb/clientgen.c */
-/****************************************************************************
- External interface.
- Close an open named pipe over SMB. Free any authentication data.
- ****************************************************************************/
-
- void cli_rpc_pipe_close(struct rpc_pipe_client *cli)
-{
- if (!cli_close(cli->cli, cli->fnum)) {
- DEBUG(0,("cli_rpc_pipe_close: cli_close failed on pipe %s "
- "to machine %s. Error was %s\n",
- cli->pipe_name),
- cli->cli->desthost,
- cli_errstr(cli->cli)));
- }
-
- if (cli->auth.cli_auth_data_free_func) {
- (*cli->auth.cli_auth_data_free_func)(&cli->auth);
- }
- DEBUG(10,("cli_rpc_pipe_close: closed pipe %s to machine %s\n",
- cli->pipe_name, cli->cli->desthost ));
-
- DLIST_REMOVE(cli->cli->pipe_list, cli);
- talloc_destroy(cli->mem_ctx);
-}
-#endif