Changeset 124 for branches/samba-3.0/source/rpc_client

Timestamp:

Mar 12, 2008, 9:08:18 AM (18 years ago)

Author:

Paul Smedley

Message:

Update source to 3.0.28a

File:

• branches/samba-3.0/source/rpc_client/cli_pipe.c (modified) (9 diffs)

branches/samba-3.0/source/rpc_client/cli_pipe.c

@@ -1807 +1807 @@
         if (!NT_STATUS_IS_OK(nt_status)) {
                 DEBUG(0,("rpc_finish_auth3_bind: NTLMSSP update using server blob failed.\n"));
+                data_blob_free(&server_response);
                 return nt_status;
         }
@@ -2364 +2365 @@
         }
 
-        DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to machine %s and"
-                "bound NTLMSSP as user %s\\%s.\n",
+        DEBUG(10,("cli_rpc_pipe_open_ntlmssp_internal: opened pipe %s to "
+                "machine %s and bound NTLMSSP as user %s\\%s.\n",
                 result->pipe_name, cli->desthost,
                 domain, username ));
@@ -2424 +2425 @@
 
 /****************************************************************************
- Open a netlogon pipe and get the schannel session key.
- Now exposed to external callers.
+  Get a the schannel session key out of an already opened netlogon pipe.
  ****************************************************************************/
-
-struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
-                                                        const char *domain,
-                                                        uint32 *pneg_flags,
-                                                        NTSTATUS *perr)
-{
-        struct rpc_pipe_client *netlogon_pipe = NULL;
+static BOOL get_schannel_session_key_common(struct rpc_pipe_client *netlogon_pipe,
+                                            struct cli_state *cli,
+                                            const char *domain,
+                                            uint32 *pneg_flags,
+                                            NTSTATUS *perr)
+{
         uint32 sec_chan_type = 0;
         unsigned char machine_pwd[16];
-        fstring machine_account;
-
-        netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
-        if (!netlogon_pipe) {
-                return NULL;
-        }
+        const char *machine_account;
 
         /* Get the machine account credentials from secrets.tdb. */
-        if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
+        if (!get_trust_pw_hash(domain, machine_pwd, &machine_account,
+                               &sec_chan_type))
+        {
                 DEBUG(0, ("get_schannel_session_key: could not fetch "
                         "trust account password for domain '%s'\n",
                         domain));
-                cli_rpc_pipe_close(netlogon_pipe);
                 *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-                return NULL;
-        }
-
-        /* A DC should use DOMAIN$ as its account name.
-           A member server can only use it's machine name since it
-           does not have an account in a trusted domain.
-
-           We don't check the domain against lp_workgroup() here since
-           'net ads join' has to continue to work with only the realm
-           specified in smb.conf.  -- jerry */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-                fstrcpy( machine_account, lp_workgroup() );
-        } else {
-                fstrcpy(machine_account, global_myname());
-        }
+                return False;
+        }
 
         *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
@@ -2477 +2458 @@
 
         if (!NT_STATUS_IS_OK(*perr)) {
-                DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
+                DEBUG(3,("get_schannel_session_key_common: rpccli_netlogon_setup_creds "
                         "failed with result %s to server %s, domain %s, machine account %s.\n",
                         nt_errstr(*perr), cli->desthost, domain, machine_account ));
-                cli_rpc_pipe_close(netlogon_pipe);
-                return NULL;
+                return False;
         }
 
@@ -2487 +2467 @@
                 DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
                         cli->desthost));
+                *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
+                return False;
+        }
+
+        return True;
+}
+
+/****************************************************************************
+ Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
+ ****************************************************************************/
+
+
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+                                                        const char *domain,
+                                                        uint32 *pneg_flags,
+                                                        NTSTATUS *perr)
+{
+        struct rpc_pipe_client *netlogon_pipe = NULL;
+
+        netlogon_pipe = cli_rpc_pipe_open_noauth(cli, PI_NETLOGON, perr);
+        if (!netlogon_pipe) {
+                return NULL;
+        }
+
+        if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+                                             pneg_flags, perr))
+        {
                 cli_rpc_pipe_close(netlogon_pipe);
-                *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
                 return NULL;
         }
@@ -2560 +2567 @@
 {
         struct rpc_pipe_client *netlogon_pipe = NULL;
-        uint32 sec_chan_type = 0;
-        unsigned char machine_pwd[16];
-        fstring machine_account;
 
         netlogon_pipe = cli_rpc_pipe_open_spnego_ntlmssp(cli, PI_NETLOGON, PIPE_AUTH_LEVEL_PRIVACY, domain, username, password, perr);
@@ -2569 +2573 @@
         }
 
-        /* Get the machine account credentials from secrets.tdb. */
-        if (!get_trust_pw(domain, machine_pwd, &sec_chan_type)) {
-                DEBUG(0, ("get_schannel_session_key_auth_ntlmssp: could not fetch "
-                        "trust account password for domain '%s'\n",
-                        domain));
+        if (!get_schannel_session_key_common(netlogon_pipe, cli, domain,
+                                             pneg_flags, perr))
+        {
                 cli_rpc_pipe_close(netlogon_pipe);
-                *perr = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-                return NULL;
-        }
-
-        /* if we are a DC and this is a trusted domain, then we need to use our
-           domain name in the net_req_auth2() request */
-
-        if ( IS_DC && !strequal(domain, lp_workgroup()) && lp_allow_trusted_domains()) {
-                fstrcpy( machine_account, lp_workgroup() );
-        } else {
-                /* Hmmm. Is this correct for trusted domains when we're a member server ? JRA. */
-                if (strequal(domain, lp_workgroup())) {
-                        fstrcpy(machine_account, global_myname());
-                } else {
-                        fstrcpy(machine_account, domain);
-                }
-        }
-
-        *perr = rpccli_netlogon_setup_creds(netlogon_pipe,
-                                        cli->desthost,     /* server name */
-                                        domain,            /* domain */
-                                        global_myname(),   /* client name */
-                                        machine_account,   /* machine account name */
-                                        machine_pwd,
-                                        sec_chan_type,
-                                        pneg_flags);
-
-        if (!NT_STATUS_IS_OK(*perr)) {
-                DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
-                        "failed with result %s\n",
-                        nt_errstr(*perr) ));
-                cli_rpc_pipe_close(netlogon_pipe);
-                return NULL;
-        }
-
-        if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
-                DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
-                        cli->desthost));
-                cli_rpc_pipe_close(netlogon_pipe);
-                *perr = NT_STATUS_INVALID_NETWORK_RESPONSE;
                 return NULL;
         }
@@ -2635 +2597 @@
                                                 NTSTATUS *perr)
 {
-        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+        uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
         struct rpc_pipe_client *netlogon_pipe = NULL;
         struct rpc_pipe_client *result = NULL;
@@ -2669 +2631 @@
                                                 NTSTATUS *perr)
 {
-        uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
+        uint32 neg_flags = NETLOGON_NEG_SELECT_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
         struct rpc_pipe_client *netlogon_pipe = NULL;
         struct rpc_pipe_client *result = NULL;