svn commit: samba r2290 - in branches/SAMBA_4_0/source: libcli/auth
rpc_server rpc_server/samr
abartlet at samba.org
abartlet at samba.org
Sun Sep 12 03:18:24 GMT 2004
Author: abartlet
Date: 2004-09-12 03:18:24 +0000 (Sun, 12 Sep 2004)
New Revision: 2290
WebSVN: http://websvn.samba.org/websvn/changeset.php?rep=samba&path=/branches/SAMBA_4_0/source&rev=2290&nolog=1
Log:
Fix 'lsakey' for the server-side, it is static for
'authenticated' connections.
Fix kerberos session key issues - we need to call the
routine for extracting the session key, not just read the cache.
Andrew Bartlett
Modified:
branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c
branches/SAMBA_4_0/source/rpc_server/dcerpc_server.h
branches/SAMBA_4_0/source/rpc_server/dcerpc_tcp.c
branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c
branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c
Changeset:
Modified: branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c
===================================================================
--- branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/libcli/auth/gensec_krb5.c 2004-09-12 03:18:24 UTC (rev 2290)
@@ -682,15 +682,13 @@
session_info->nt_user_token = NULL;
}
- session_info->session_key = data_blob_talloc(session_info->mem_ctx,
- gensec_krb5_state->session_key.data,
- gensec_krb5_state->session_key.length);
+ nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
session_info->workstation = NULL;
*session_info_out = session_info;
- return NT_STATUS_OK;
+ return nt_status;
}
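Review bot: `*session_info_out` is still assigned when `gensec_krb5_session_key()` fails, so a caller that does not check the returned status receives a session_info whose session_key was never filled in. Checking first, with `if (!NT_STATUS_IS_OK(nt_status)) return nt_status;` placed before `session_info->workstation = NULL;`, keeps a half-built session from escaping. The removed code copied the key onto `session_info->mem_ctx`; whether the blob the helper returns lives at least as long as session_info is not visible here and should be confirmed. The function starts outside the hunk, so any cleanup of session_info on the new error path has to follow whatever the earlier error paths do.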
Modified: branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c 2004-09-12 03:18:24 UTC (rev 2290)
@@ -239,7 +239,36 @@
return NT_STATUS_OK;
}
+static NTSTATUS dcesrv_inherited_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ if (p->auth_state.session_info->session_key.length) {
+ *session_key = p->auth_state.session_info->session_key;
+ return NT_STATUS_OK;
+ }
+ return NT_STATUS_NO_USER_SESSION_KEY;
+}
+
+NTSTATUS dcesrv_generic_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ /* this took quite a few CPU cycles to find ... */
+ session_key->data = "SystemLibraryDTC";
+ session_key->length = 16;
+ return NT_STATUS_OK;
+}
+
/*
+ fetch the user session key - may be default (above) or the SMB session key
+*/
+NTSTATUS dcesrv_fetch_session_key(struct dcesrv_connection *p,
+ DATA_BLOB *session_key)
+{
+ return p->auth_state.session_key(p, session_key);
+}
+
+
+/*
connect to a dcerpc endpoint
*/
NTSTATUS dcesrv_endpoint_connect(struct dcesrv_context *dce_ctx,
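Review bot: `dcesrv_generic_session_key` returns a fixed constant embedded in the source, and its comment ("this took quite a few CPU cycles to find") does not tell a maintainer what that means for the callers. The key is the same for every connection, so I would replace the comment with something like `/* fixed key used on authenticated connections; it gives no confidentiality by itself, so blobs encrypted with it rely on the connection's own sealing */`. The blob also now points at a string literal, where the code removed from dcerpc_tcp.c made a talloc copy, so any consumer that frees or writes through `session_key->data` would touch read-only storage. A `static const` byte array and a comment that the blob is borrowed would make this explicit. `dcesrv_inherited_session_key` dereferences `p->auth_state.session_info` unchecked, which holds only while the callback is installed after session_info is set, as the later hunk in this file does.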
@@ -271,6 +300,7 @@
(*p)->auth_state.auth_info = NULL;
(*p)->auth_state.gensec_security = NULL;
(*p)->auth_state.session_info = NULL;
+ (*p)->auth_state.session_key = dcesrv_generic_session_key;
(*p)->srv_conn = NULL;
return NT_STATUS_OK;
@@ -300,7 +330,7 @@
session_info->refcount++;
(*dce_conn_p)->auth_state.session_info = session_info;
- (*dce_conn_p)->transport_session_key = session_info->session_key;
+ (*dce_conn_p)->auth_state.session_key = dcesrv_inherited_session_key;
/* TODO: check security descriptor of the endpoint here
* if it's a smb named pipe
Modified: branches/SAMBA_4_0/source/rpc_server/dcerpc_server.h
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcerpc_server.h 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/rpc_server/dcerpc_server.h 2004-09-12 03:18:24 UTC (rev 2290)
@@ -99,6 +99,7 @@
struct dcerpc_auth *auth_info;
struct gensec_security *gensec_security;
struct auth_session_info *session_info;
+ NTSTATUS (*session_key)(struct dcesrv_connection *, DATA_BLOB *session_key);
};
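Review bot: The new `session_key` callback is added without a comment describing its contract, and the two implementations in dcerpc_server.c both return a blob that aliases storage the caller does not own. A line such as `/* returns the key for lsa/samr blob crypto; the blob is borrowed, callers must not free or modify it */` above the member would record that. The struct definition starts outside the hunk.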
Modified: branches/SAMBA_4_0/source/rpc_server/dcerpc_tcp.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcerpc_tcp.c 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/rpc_server/dcerpc_tcp.c 2004-09-12 03:18:24 UTC (rev 2290)
@@ -133,8 +133,6 @@
dcesrv_conn->srv_conn = conn;
- dcesrv_conn->transport_session_key = data_blob_talloc(dcesrv_conn, "SystemLibraryDTC", 16);
-
conn->private_data = dcesrv_conn;
/* TODO: this should to the generic code
Modified: branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c 2004-09-12 03:18:24 UTC (rev 2290)
@@ -128,6 +128,9 @@
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return False;
}
+
+ /* Now that we are authenticated, got back to the generic session key... */
+ dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return True;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
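Review bot: The comment added on the success path here, and again in the next hunk of this file (the `dcesrv_auth_auth3` path), reads "got back" for "go back" and does not say why the switch is made. The assignment replaces any inherited transport key with the fixed one on every successful authentication, so the reason belongs in the comment, for example `/* authenticated connections always use the fixed key, whatever the transport supplied */`. The enclosing functions start and end outside both hunks.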
@@ -176,6 +179,8 @@
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
return False;
}
+ /* Now that we are authenticated, got back to the generic session key... */
+ dce_conn->auth_state.session_key = dcesrv_generic_session_key;
return True;
} else {
DEBUG(4, ("dcesrv_auth_auth3: failed to authenticate: %s\n",
Modified: branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c 2004-09-12 02:37:15 UTC (rev 2289)
+++ branches/SAMBA_4_0/source/rpc_server/samr/samr_password.c 2004-09-12 03:18:24 UTC (rev 2290)
@@ -679,15 +679,14 @@
struct ldb_message *msg,
struct samr_CryptPassword *pwbuf)
{
+ NTSTATUS nt_status;
char new_pass[512];
uint32_t new_pass_len;
DATA_BLOB session_key = data_blob(NULL, 0);
- session_key = dce_call->conn->transport_session_key;
-
- if (session_key.length == 0) {
- DEBUG(3,("Bad session key in samr_set_password\n"));
- return NT_STATUS_NO_USER_SESSION_KEY;
+ nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
arcfour_crypt_blob(pwbuf->data, 516, &session_key);
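Review bot: The failure path loses its `DEBUG(3, ...)` line here and in the second hunk of this file, so a password set rejected for lack of a session key now leaves no trace in the server log. Keeping a message inside the new check, for example `DEBUG(3, ("samr_set_password: no session key: %s\n", nt_errstr(nt_status)));`, preserves that audit trail. The `data_blob(NULL, 0)` initialiser on `session_key` is now only a default for the error path and could carry a short comment saying so. Both functions continue outside their hunks.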
@@ -721,17 +720,16 @@
struct ldb_message *msg,
struct samr_CryptPasswordEx *pwbuf)
{
+ NTSTATUS nt_status;
char new_pass[512];
uint32_t new_pass_len;
DATA_BLOB co_session_key;
DATA_BLOB session_key = data_blob(NULL, 0);
struct MD5Context ctx;
- session_key = dce_call->conn->transport_session_key;
-
- if (session_key.length == 0) {
- DEBUG(3,("Bad session key in samr_set_password\n"));
- return NT_STATUS_NO_USER_SESSION_KEY;
+ nt_status = dcesrv_fetch_session_key(dce_call->conn, &session_key);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
co_session_key = data_blob_talloc(mem_ctx, NULL, 16);