This ensures that gensec, and then the NTLM auth subsystem under it, always gets the
remote and local address pointers for potential logging.
The local address allows us to know which interface an authentication is on.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
user_info->client.domain_name = ntlmssp_state->domain;
user_info->workstation_name = ntlmssp_state->client.netbios_name;
user_info->remote_host = gensec_get_remote_address(gensec_security);
+ user_info->local_host = gensec_get_local_address(gensec_security);
user_info->service_description
= gensec_get_target_service_description(gensec_security);
user_info->auth_description = "NTLMSSP";
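Review bot: The added `user_info->local_host` assignment takes whatever `gensec_get_local_address()` returns, and nothing here says whether that can be NULL. If a gensec caller not touched by this commit never sets a local address, the logging code presumably receives NULL. A short comment on the added line would make the contract explicit for whoever formats the authentication log entry, for example `/* may be NULL if the gensec caller supplied no local address; consumers must check */`. The enclosing function starts and ends outside the hunk.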
NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **gensec_security_out)
{
return nt_status;
}
+ nt_status = gensec_set_local_address(gensec_security,
+ local_address);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
+
nt_status = gensec_set_target_service_description(gensec_security,
service_description);
/* The following definitions come from auth/auth_generic.c */
NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_context_out);
-NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx, const struct tsocket_address *remote_address,
+NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
+ const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **gensec_security_out);
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
- status = auth_generic_prepare(talloc_tos(), remote_address,
+ status = auth_generic_prepare(talloc_tos(),
+ remote_address,
+ local_address,
service_description,
&gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx)
{
token_in,
token_out,
remote_address,
+ local_address,
service_description,
ctx);
unbecome_root();
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
const char *service_description,
struct gensec_security **ctx);
&auth_info->credentials,
response,
p->remote_address,
+ p->local_address,
service_description,
&gensec_security);
if (!NT_STATUS_IS_OK(status) &&
/* See if we can get an SPNEGO blob */
status = auth_generic_prepare(talloc_tos(),
xconn->remote_address,
+ xconn->local_address,
"SMB",
&gensec_security);
/*
- * There is no need to set a remote address or similar as we
- * are just interested in the SPNEGO blob, we never keep this
- * context.
+ * Despite including it above, there is no need to set a
+ * remote address or similar as we are just interested in the
+ * SPNEGO blob, we never keep this context.
*/
if (NT_STATUS_IS_OK(status)) {
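Review bot: The reworded comment reads as contradicting the call just above it: it says there is no need to set a remote address, while `xconn->remote_address` and `xconn->local_address` are both handed to `auth_generic_prepare()`. Stating the reason directly would be clearer, for example `/* The addresses are passed only because auth_generic_prepare() takes them; this context exists just to produce the SPNEGO blob and is never kept. */`. The enclosing function continues outside the hunk.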
******************************************************************************/
static NTSTATUS make_auth_gensec(const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct smb_trans_enc_state *es)
{
NTSTATUS status;
status = auth_generic_prepare(es, remote_address,
+ local_address,
"SMB encryption",
&es->gensec_security);
if (!NT_STATUS_IS_OK(status)) {
******************************************************************************/
static NTSTATUS make_srv_encryption_context(const struct tsocket_address *remote_address,
+ const struct tsocket_address *local_address,
struct smb_trans_enc_state **pp_es)
{
NTSTATUS status;
return NT_STATUS_NO_MEMORY;
}
status = make_auth_gensec(remote_address,
+ local_address,
es);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(es);
if (!partial_srv_trans_enc_ctx) {
/* This is the initial step. */
status = make_srv_encryption_context(conn->sconn->remote_address,
+ conn->sconn->local_address,
&partial_srv_trans_enc_ctx);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (auth->gensec == NULL) {
- status = auth_generic_prepare(session, xconn->remote_address,
+ status = auth_generic_prepare(session,
+ xconn->remote_address,
+ xconn->local_address,
"SMB",
&auth->gensec);
if (!NT_STATUS_IS_OK(status)) {
if (state->auth->gensec == NULL) {
status = auth_generic_prepare(state->auth,
state->smb2req->xconn->remote_address,
+ state->smb2req->xconn->local_address,
"SMB2",
&state->auth->gensec);
if (tevent_req_nterror(req, status)) {
static void sesssetup_old(struct smbsrv_request *req, union smb_sesssetup *sess)
{
struct auth_usersupplied_info *user_info = NULL;
- struct tsocket_address *remote_address;
+ struct tsocket_address *remote_address, *local_address;
const char *remote_machine = NULL;
struct tevent_req *subreq;
struct sesssetup_context *state;
if (!remote_machine) goto nomem;
}
+ local_address = socket_get_local_addr(req->smb_conn->connection->socket, req);
+ if (!local_address) goto nomem;
+
user_info = talloc_zero(req, struct auth_usersupplied_info);
if (!user_info) goto nomem;
user_info->client.account_name = sess->old.in.user;
user_info->client.domain_name = sess->old.in.domain;
user_info->workstation_name = remote_machine;
+
user_info->remote_host = talloc_steal(user_info, remote_address);
+ user_info->local_host = talloc_steal(user_info, local_address);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = sess->old.in.password;
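Review bot: A NULL return from `socket_get_local_addr()` is routed to `nomem`, so any failure to obtain the local address is presumably reported as an out-of-memory condition (the label itself is outside the hunk). The SPNEGO session-setup hunks later in this commit handle the same failure with `status = NT_STATUS_INTERNAL_ERROR;` plus a `DBG_ERR` line. Doing the same here would keep error reporting consistent and leave a log trace when an authentication attempt cannot be tied to an interface. The NT1 session-setup hunk that follows adds the identical `if (!local_address) goto nomem;` pattern. Both functions extend beyond the visible lines.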
{
NTSTATUS status;
struct auth_usersupplied_info *user_info = NULL;
- struct tsocket_address *remote_address;
+ struct tsocket_address *remote_address, *local_address;
const char *remote_machine = NULL;
struct tevent_req *subreq;
struct sesssetup_context *state;
if (!remote_machine) goto nomem;
}
+ local_address = socket_get_local_addr(req->smb_conn->connection->socket, req);
+ if (!local_address) goto nomem;
+
user_info = talloc_zero(req, struct auth_usersupplied_info);
if (!user_info) goto nomem;
user_info->client.domain_name = sess->nt1.in.domain;
user_info->workstation_name = remote_machine;
user_info->remote_host = talloc_steal(user_info, remote_address);
+ user_info->local_host = talloc_steal(user_info, local_address);
user_info->password_state = AUTH_PASSWORD_RESPONSE;
user_info->password.response.lanman = sess->nt1.in.password1;
/* lookup an existing session */
if (vuid == 0) {
struct gensec_security *gensec_ctx;
-
+ struct tsocket_address *remote_address, *local_address;
status = samba_server_gensec_start(req,
req->smb_conn->connection->event.ctx,
req->smb_conn->connection->msg_ctx,
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
+ req);
+ if (!remote_address) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ DBG_ERR("Failed to obtain remote address");
+ goto failed;
+ }
+
+ status = gensec_set_remote_address(gensec_ctx,
+ remote_address);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set remote address");
+ goto failed;
+ }
+
+ local_address = socket_get_local_addr(req->smb_conn->connection->socket,
+ req);
+ if (!local_address) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ DBG_ERR("Failed to obtain local address");
+ goto failed;
+ }
+
+ status = gensec_set_local_address(gensec_ctx,
+ local_address);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set local address");
+ goto failed;
+ }
+
+ status = gensec_set_target_service_description(gensec_ctx,
+ "SMB");
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set service description");
+ goto failed;
+ }
+
status = gensec_start_mech_by_oid(gensec_ctx, req->smb_conn->negotiate.oid);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC %s server code: %s\n",
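Review bot: The five added `DBG_ERR` messages have no trailing `\n`, unlike the existing `DEBUG(1, ("Failed to start GENSEC %s server code: %s\n", ...` at the end of this hunk, so consecutive log entries may run together. The three `gensec_set_*` failure paths also drop the NTSTATUS value. A form such as `DBG_ERR("Failed to set local address: %s\n", nt_errstr(status));` fixes both, with `\n` also added to the two "Failed to obtain ..." messages. The SMB2 session-setup hunk that follows adds the same block with the same messages, so a shared helper for the address and service-description setup would avoid keeping two copies in step. The enclosing function begins before the hunk.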
*/
if (vuid == 0) {
struct gensec_security *gensec_ctx;
+ struct tsocket_address *remote_address, *local_address;
status = samba_server_gensec_start(req,
req->smb_conn->connection->event.ctx,
gensec_want_feature(gensec_ctx, GENSEC_FEATURE_SESSION_KEY);
+ remote_address = socket_get_remote_addr(req->smb_conn->connection->socket,
+ req);
+ if (!remote_address) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ DBG_ERR("Failed to obtain remote address");
+ goto failed;
+ }
+
+ status = gensec_set_remote_address(gensec_ctx,
+ remote_address);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set remote address");
+ goto failed;
+ }
+
+ local_address = socket_get_local_addr(req->smb_conn->connection->socket,
+ req);
+ if (!local_address) {
+ status = NT_STATUS_INTERNAL_ERROR;
+ DBG_ERR("Failed to obtain local address");
+ goto failed;
+ }
+
+ status = gensec_set_local_address(gensec_ctx,
+ local_address);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set local address");
+ goto failed;
+ }
+
+ status = gensec_set_target_service_description(gensec_ctx,
+ "SMB2");
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_ERR("Failed to set service description");
+ goto failed;
+ }
+
status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to start GENSEC SPNEGO server code: %s\n", nt_errstr(status)));