svn commit: samba r13640 - in trunk/source: rpc_client utils
jra at samba.org
jra at samba.org
Wed Feb 22 21:18:19 GMT 2006
Author: jra
Date: 2006-02-22 21:18:18 +0000 (Wed, 22 Feb 2006)
New Revision: 13640
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13640
Log:
Finish fix for #3510. Don't use client schannel when told
not to, cope with a server that doesn't offer schannel also.
Jeremy
Modified:
trunk/source/rpc_client/cli_pipe.c
trunk/source/utils/net_rpc_join.c
Changeset:
Modified: trunk/source/rpc_client/cli_pipe.c
===================================================================
--- trunk/source/rpc_client/cli_pipe.c 2006-02-22 20:40:24 UTC (rev 13639)
+++ trunk/source/rpc_client/cli_pipe.c 2006-02-22 21:18:18 UTC (rev 13640)
@@ -2393,13 +2393,14 @@
/****************************************************************************
Open a netlogon pipe and get the schannel session key.
+ Now exposed to external callers.
****************************************************************************/
-static struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
+struct rpc_pipe_client *get_schannel_session_key(struct cli_state *cli,
const char *domain,
+ uint32 *pneg_flags,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
@@ -2438,7 +2439,7 @@
machine_account, /* machine account name */
machine_pwd,
sec_chan_type,
- &neg_flags);
+ pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(3,("get_schannel_session_key: rpccli_netlogon_setup_creds "
@@ -2448,7 +2449,7 @@
return NULL;
}
- if ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0) {
+ if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
DEBUG(3, ("get_schannel_session_key: Server %s did not offer schannel\n",
cli->desthost));
cli_rpc_pipe_close(netlogon_pipe);
@@ -2520,9 +2521,9 @@
const char *domain,
const char *username,
const char *password,
+ uint32 *pneg_flags,
NTSTATUS *perr)
{
- uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL;
uint32 sec_chan_type = 0;
unsigned char machine_pwd[16];
@@ -2564,7 +2565,7 @@
machine_account, /* machine account name */
machine_pwd,
sec_chan_type,
- &neg_flags);
+ pneg_flags);
if (!NT_STATUS_IS_OK(*perr)) {
DEBUG(3,("get_schannel_session_key_auth_ntlmssp: rpccli_netlogon_setup_creds "
@@ -2574,7 +2575,7 @@
return NULL;
}
- if ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0) {
+ if (((*pneg_flags) & NETLOGON_NEG_SCHANNEL) == 0) {
DEBUG(3, ("get_schannel_session_key_auth_ntlmssp: Server %s did not offer schannel\n",
cli->desthost));
cli_rpc_pipe_close(netlogon_pipe);
@@ -2599,10 +2600,12 @@
const char *password,
NTSTATUS *perr)
{
+ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;
- netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username, password, perr);
+ netlogon_pipe = get_schannel_session_key_auth_ntlmssp(cli, domain, username,
+ password, &neg_flags, perr);
if (!netlogon_pipe) {
DEBUG(0,("cli_rpc_pipe_open_ntlmssp_auth_schannel: failed to get schannel session "
"key from server %s for domain %s.\n",
@@ -2631,10 +2634,11 @@
const char *domain,
NTSTATUS *perr)
{
+ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct rpc_pipe_client *netlogon_pipe = NULL;
struct rpc_pipe_client *result = NULL;
- netlogon_pipe = get_schannel_session_key(cli, domain, perr);
+ netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, perr);
if (!netlogon_pipe) {
DEBUG(0,("cli_rpc_pipe_open_schannel: failed to get schannel session "
"key from server %s for domain %s.\n",
Modified: trunk/source/utils/net_rpc_join.c
===================================================================
--- trunk/source/utils/net_rpc_join.c 2006-02-22 20:40:24 UTC (rev 13639)
+++ trunk/source/utils/net_rpc_join.c 2006-02-22 21:18:18 UTC (rev 13640)
@@ -43,31 +43,57 @@
**/
static int net_rpc_join_ok(const char *domain)
{
+ uint32 neg_flags = NETLOGON_NEG_AUTH2_FLAGS|NETLOGON_NEG_SCHANNEL;
struct cli_state *cli = NULL;
struct rpc_pipe_client *pipe_hnd = NULL;
- int retval = 1;
- NTSTATUS ret;
+ struct rpc_pipe_client *netlogon_pipe = NULL;
+ NTSTATUS ntret = NT_STATUS_UNSUCCESSFUL;
/* Connect to remote machine */
if (!(cli = net_make_ipc_connection(NET_FLAGS_ANONYMOUS | NET_FLAGS_PDC))) {
- return 1;
+ return -1;
}
- pipe_hnd = cli_rpc_pipe_open_schannel(cli, PI_NETLOGON,
- PIPE_AUTH_LEVEL_PRIVACY,
- domain, &ret);
+ /* Setup the creds as though we're going to do schannel... */
+ netlogon_pipe = get_schannel_session_key(cli, domain, &neg_flags, &ntret);
+ /* We return NT_STATUS_INVALID_NETWORK_RESPONSE if the server is refusing
+ to negotiate schannel, but the creds were set up ok. That'll have to do. */
+
+ if (!netlogon_pipe) {
+ if (NT_STATUS_EQUAL(ntret, NT_STATUS_INVALID_NETWORK_RESPONSE)) {
+ cli_shutdown(cli);
+ return 0;
+ } else {
+ DEBUG(0,("net_rpc_join_ok: failed to get schannel session "
+ "key from server %s for domain %s. Error was %s\n",
+ cli->desthost, domain, nt_errstr(ntret) ));
+ cli_shutdown(cli);
+ return -1;
+ }
+ }
+
+ /* Only do the rest of the schannel test if the client is allowed to do this. */
+ if (!lp_client_schannel()) {
+ cli_shutdown(cli);
+ /* We're good... */
+ return 0;
+ }
+
+ pipe_hnd = cli_rpc_pipe_open_schannel_with_key(cli, PI_NETLOGON,
+ PIPE_AUTH_LEVEL_PRIVACY,
+ domain, netlogon_pipe->dc, &ntret);
+
if (!pipe_hnd) {
- DEBUG(0,("Error connecting to NETLOGON pipe. Error was %s\n", nt_errstr(ret) ));
- goto done;
+ DEBUG(0,("net_rpc_join_ok: failed to open schannel session "
+ "on netlogon pipe to server %s for domain %s. Error was %s\n",
+ cli->desthost, domain, nt_errstr(ntret) ));
+ cli_shutdown(cli);
+ return -1;
}
- retval = 0; /* Success! */
-
-done:
-
cli_shutdown(cli);
- return retval;
+ return 0;
}
/**
More information about the samba-cvs
mailing list