[SCM] Samba Shared Repository - branch master updated - release-4-0-0alpha8-1230-g8d58472

Günther Deschner gd at samba.org
Thu Aug 27 07:55:43 MDT 2009


The branch, master has been updated
       via  8d58472706d651fb023ad2eb9d7268429cc7c0ca (commit)
       via  a69d8ab35c03eab4342b5ffbbb961902c8b5f14b (commit)
       via  e115cb5cb153f75fe1d97dcd6037da2796a44e64 (commit)
       via  360868b6e8ab033993f528d09f803eac660536db (commit)
       via  a3c6e02748d1025da1b68efb4b03e1dc74eebbfe (commit)
       via  b089506136f953961a0290d8af030fbaac3e7136 (commit)
       via  21a93c2ddc87da3e6e1af8ad7819018526c4b40b (commit)
       via  2d8157fb9e91b145a98b4b87a50d3bea69412108 (commit)
       via  a09b627ecc446e78aa293e9e8b79c12f75a6b74e (commit)
       via  7c972d83d268a277501626122ab1c7cdddc0f4a3 (commit)
       via  04310cc1c510025c8d5dc10d744ab9825eae3fee (commit)
       via  699266920b23fd9ea6079d8ae8e4682bb5141f0d (commit)
       via  5a1577884819ccaa21741beb6765819cf640cdc9 (commit)
       via  17d3800e923fd51f6dd9799d39d56a012f2ad600 (commit)
       via  a18d6839aceb7db05f46d87281ad41f30edb515f (commit)
       via  598127259894353ffe23316b50408924983a5e82 (commit)
      from  1d8d3fd7c3c2e6c46a3e01983dc26a5a650f6f84 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8d58472706d651fb023ad2eb9d7268429cc7c0ca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Aug 25 11:25:47 2009 +0200

    libcli/auth: add netlogon_creds_step_crypt() and netlogon_creds_first_step()
    
    This abstracts the usage of crypto functions instead of directly calling
    des_crypt112().
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit a69d8ab35c03eab4342b5ffbbb961902c8b5f14b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Aug 25 11:12:48 2009 +0200

    libcli/auth: remove some useless lines
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit e115cb5cb153f75fe1d97dcd6037da2796a44e64
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Aug 25 12:02:38 2009 +0200

    libcli/auth: remember schannel type in netlogon_creds_server_init()
    
    metze
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit 360868b6e8ab033993f528d09f803eac660536db
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 00:45:02 2009 +0200

    s3-schannel: remove remaining code that was using "struct dcinfo".
    
    Guenther

commit a3c6e02748d1025da1b68efb4b03e1dc74eebbfe
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 22:45:15 2009 +0200

    s3-credentials: remove unused code.
    
    Guenther

commit b089506136f953961a0290d8af030fbaac3e7136
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 11:46:58 2009 +0200

    s3-schannel: upgrade old format schannel_store.tdb.
    
    Guenther

commit 21a93c2ddc87da3e6e1af8ad7819018526c4b40b
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 22:38:55 2009 +0200

    s3-netlogon: use shared credential and schannel storage infrastructure for netlogon server.
    
    Guenther

commit 2d8157fb9e91b145a98b4b87a50d3bea69412108
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 22:26:34 2009 +0200

    s3-netlogon: add netr_creds_server_step_check() convenience wrapper.
    
    Guenther

commit a09b627ecc446e78aa293e9e8b79c12f75a6b74e
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 00:31:27 2009 +0200

    s3-schannel: add simple wrappers to fetch and store schannel auth info.
    
    Guenther

commit 7c972d83d268a277501626122ab1c7cdddc0f4a3
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 21:45:24 2009 +0200

    s3-schannel: make open_schannel_session_store() public.
    
    Guenther

commit 04310cc1c510025c8d5dc10d744ab9825eae3fee
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 21:16:27 2009 +0200

    libcli/auth: add tdb backend for schannel state.
    
    Guenther

commit 699266920b23fd9ea6079d8ae8e4682bb5141f0d
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 15:08:32 2009 +0200

    libcli/auth: move netlogon_creds_CredentialState out of libcli.
    
    Guenther

commit 5a1577884819ccaa21741beb6765819cf640cdc9
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 14:45:35 2009 +0200

    schannel: add netlogon_creds_CredentialState to IDL.
    
    Guenther

commit 17d3800e923fd51f6dd9799d39d56a012f2ad600
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 21:09:53 2009 +0200

    s4-schannel: add ldb suffix to schannel functions.
    
    Guenther

commit a18d6839aceb7db05f46d87281ad41f30edb515f
Author: Günther Deschner <gd at samba.org>
Date:   Tue Aug 25 18:59:39 2009 +0200

    libcli/auth: rename schannel_state.c to schannel_state_ldb.c.
    
    Guenther

commit 598127259894353ffe23316b50408924983a5e82
Author: Günther Deschner <gd at samba.org>
Date:   Wed Aug 26 16:48:00 2009 +0200

    s3-build: add SCHANNEL_OBJ to Makefile.in.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 libcli/auth/config.mk                         |    2 +-
 libcli/auth/credentials.c                     |   33 ++-
 libcli/auth/credentials.h                     |   13 -
 libcli/auth/libcli_auth.h                     |    1 +
 libcli/auth/schannel_state.c                  |  321 ----------------------
 libcli/auth/schannel_state.h                  |    1 +
 libcli/auth/schannel_state_ldb.c              |  321 ++++++++++++++++++++++
 libcli/auth/schannel_state_proto.h            |   46 +++-
 libcli/auth/schannel_state_tdb.c              |  222 +++++++++++++++
 librpc/gen_ndr/ndr_schannel.c                 |  111 ++++++++
 librpc/gen_ndr/ndr_schannel.h                 |    3 +
 librpc/gen_ndr/schannel.h                     |   13 +
 librpc/idl/schannel.idl                       |   15 +
 source3/Makefile.in                           |    9 +-
 source3/include/ntdomain.h                    |   24 +--
 source3/include/proto.h                       |   32 +--
 source3/libsmb/credentials.c                  |  293 --------------------
 source3/passdb/secrets.c                      |  183 +------------
 source3/passdb/secrets_schannel.c             |   68 +++++
 source3/rpc_server/srv_netlog_nt.c            |  355 ++++++++++++-------------
 source3/rpc_server/srv_pipe.c                 |   18 +-
 source4/auth/gensec/schannel.c                |    4 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c |   16 +-
 23 files changed, 1025 insertions(+), 1079 deletions(-)
 delete mode 100644 libcli/auth/schannel_state.c
 create mode 100644 libcli/auth/schannel_state_ldb.c
 create mode 100644 libcli/auth/schannel_state_tdb.c
 delete mode 100644 source3/libsmb/credentials.c
 create mode 100644 source3/passdb/secrets_schannel.c


Changeset truncated at 500 lines:

diff --git a/libcli/auth/config.mk b/libcli/auth/config.mk
index 11fdeed..bda9850 100644
--- a/libcli/auth/config.mk
+++ b/libcli/auth/config.mk
@@ -23,4 +23,4 @@ PUBLIC_HEADERS += ../libcli/auth/credentials.h
 [SUBSYSTEM::COMMON_SCHANNELDB]
 PRIVATE_DEPENDENCIES = LDB_WRAP
 
-COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state.o)
+COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state_ldb.o)
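Review bot: only the renamed ldb object is wired into COMMON_SCHANNELDB here, while the new libcli/auth/schannel_state_tdb.c listed in the summary is not added to any config.mk subsystem in this changeset. If the tdb backend is meant to be source3-only (commit 598127259 adds SCHANNEL_OBJ to source3/Makefile.in), a one-line comment next to this subsystem saying so would spare the next reader a grep; if it is meant to be shared, it needs an entry beside schannel_state_ldb.o together with the tdb dependency, since PRIVATE_DEPENDENCIES currently names only LDB_WRAP.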
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index dc84ffb..87d1866 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -25,6 +25,13 @@
 #include "../lib/crypto/crypto.h"
 #include "libcli/auth/libcli_auth.h"
 
+static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds,
+				      const struct netr_Credential *in,
+				      struct netr_Credential *out)
+{
+	des_crypt112(out->data, in->data, creds->session_key, 1);
+}
+
 /*
   initialise the credentials state for old-style 64 bit session keys
 
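Review bot: netlogon_creds_step_crypt() is added without a comment, and its creds parameter is used only for creds->session_key. Since the commit message says the purpose is to stop calling des_crypt112() directly, a short comment above the function should state that it performs one DES step of the credential chain under the session key, that the trailing 1 means the direction is always encrypt, and that this is the single site where a different cipher would be selected on creds->negotiate_flags; otherwise the indirection looks like a no-op wrapper.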
@@ -47,11 +54,6 @@ static void netlogon_creds_init_64bit(struct netlogon_creds_CredentialState *cre
 	ZERO_STRUCT(creds->session_key);
 
 	des_crypt128(creds->session_key, sum2, machine_password->hash);
-
-	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
-	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
-
-	creds->seed = creds->client;
 }
 
 /*
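Review bot: after this hunk netlogon_creds_init_64bit() derives only the session key and no longer writes creds->client, creds->server or creds->seed, so every caller must follow it with netlogon_creds_first_step() or netlogon_creds_server_check_internal() will compare the client's authenticator against whatever creds->client held before. Both callers in this patch do so, but the header comment still reads "initialise the credentials state for old-style 64 bit session keys"; it should now say the function initialises the session key only and that netlogon_creds_first_step() must be called afterwards. The same applies to the 128-bit variant in the next hunk.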
@@ -80,17 +82,19 @@ static void netlogon_creds_init_128bit(struct netlogon_creds_CredentialState *cr
 	MD5Final(tmp, &md5);
 	hmac_md5_update(tmp, sizeof(tmp), &ctx);
 	hmac_md5_final(creds->session_key, &ctx);
+}
 
-	creds->client = *client_challenge;
-	creds->server = *server_challenge;
+static void netlogon_creds_first_step(struct netlogon_creds_CredentialState *creds,
+				      const struct netr_Credential *client_challenge,
+				      const struct netr_Credential *server_challenge)
+{
+	netlogon_creds_step_crypt(creds, client_challenge, &creds->client);
 
-	des_crypt112(creds->client.data, client_challenge->data, creds->session_key, 1);
-	des_crypt112(creds->server.data, server_challenge->data, creds->session_key, 1);
+	netlogon_creds_step_crypt(creds, server_challenge, &creds->server);
 
 	creds->seed = creds->client;
 }
 
-
 /*
   step the credentials to the next element in the chain, updating the
   current client and server credentials and the seed
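Review bot: netlogon_creds_first_step() lands without a comment, and the inserted "+}" closes netlogon_creds_init_128bit() in the middle of what used to be one function, so a reader of the resulting file sees a static function with no explanation of when it must run. Suggest a two-line comment above it: derive the first client and server credential from the two challenges and set creds->seed from creds->client; must be called after netlogon_creds_init_64bit() or netlogon_creds_init_128bit() and before any netlogon_creds_step(). That makes the call order the previous hunk now relies on explicit.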
@@ -107,7 +111,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
 
 	DEBUG(5,("\tseed+time   %08x:%08x\n", IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
 
-	des_crypt112(creds->client.data, time_cred.data, creds->session_key, 1);
+	netlogon_creds_step_crypt(creds, &time_cred, &creds->client);
 
 	DEBUG(5,("\tCLIENT      %08x:%08x\n", 
 		 IVAL(creds->client.data, 0), IVAL(creds->client.data, 4)));
@@ -118,7 +122,7 @@ static void netlogon_creds_step(struct netlogon_creds_CredentialState *creds)
 	DEBUG(5,("\tseed+time+1 %08x:%08x\n", 
 		 IVAL(time_cred.data, 0), IVAL(time_cred.data, 4)));
 
-	des_crypt112(creds->server.data, time_cred.data, creds->session_key, 1);
+	netlogon_creds_step_crypt(creds, &time_cred, &creds->server);
 
 	DEBUG(5,("\tSERVER      %08x:%08x\n", 
 		 IVAL(creds->server.data, 0), IVAL(creds->server.data, 4)));
@@ -228,6 +232,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_client_init(TALLOC_CTX *me
 		netlogon_creds_init_64bit(creds, client_challenge, server_challenge, machine_password);
 	}
 
+	netlogon_creds_first_step(creds, client_challenge, server_challenge);
+
 	dump_data_pw("Session key", creds->session_key, 16);
 	dump_data_pw("Credential ", creds->client.data, 8);
 
@@ -328,6 +334,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 	}
 	
 	creds->negotiate_flags = negotiate_flags;
+	creds->secure_channel_type = secure_channel_type;
 
 	creds->computer_name = talloc_strdup(creds, client_computer_name);
 	if (!creds->computer_name) {
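Review bot: in the hunks shown nothing else in netlogon_creds_server_init() populated creds->secure_channel_type, yet schannel_store_session_key() serialises it as secureChannelType and the fetch side reads it back, so until this line the server-side store carried whatever the allocation left there. The value comes straight from the caller; since it is persisted and later reloaded with ldb_msg_find_attr_as_int(), consider rejecting values outside enum netr_SchannelType here, or at least noting in a comment that the caller (the netr_ServerAuthenticate handlers) is trusted to have validated it.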
@@ -348,6 +355,8 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me
 					  machine_password);
 	}
 
+	netlogon_creds_first_step(creds, client_challenge, server_challenge);
+
 	/* And before we leak information about the machine account
 	 * password, check that they got the first go right */
 	if (!netlogon_creds_server_check_internal(creds, credentials_in)) {
diff --git a/libcli/auth/credentials.h b/libcli/auth/credentials.h
index b84b902..7175211 100644
--- a/libcli/auth/credentials.h
+++ b/libcli/auth/credentials.h
@@ -21,19 +21,6 @@
 
 #include "librpc/gen_ndr/netlogon.h"
 
-struct netlogon_creds_CredentialState {
-	uint32_t negotiate_flags;
-	uint8_t session_key[16];
-	uint32_t sequence;
-	struct netr_Credential seed;
-	struct netr_Credential client;
-	struct netr_Credential server;
-	uint16_t secure_channel_type;
-	const char *computer_name;
-	const char *account_name;
-	struct dom_sid *sid;
-};
-
 /* The 7 here seems to be required to get Win2k not to downgrade us
    to NT4.  Actually, anything other than 1ff would seem to do... */
 #define NETLOGON_NEG_AUTH2_FLAGS 0x000701ff
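Review bot: with the struct removed, credentials.h still only includes librpc/gen_ndr/netlogon.h, so any file that includes credentials.h directly rather than via libcli_auth.h no longer sees struct netlogon_creds_CredentialState, which the prototypes in this header presumably still reference. The include of librpc/gen_ndr/schannel.h is added to libcli_auth.h in the next hunk; either add the same include here, where the type is actually needed, or add a comment that credentials.h must only be reached through libcli_auth.h.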
diff --git a/libcli/auth/libcli_auth.h b/libcli/auth/libcli_auth.h
index be43007..388694a 100644
--- a/libcli/auth/libcli_auth.h
+++ b/libcli/auth/libcli_auth.h
@@ -19,6 +19,7 @@
 
 #include "librpc/gen_ndr/netlogon.h"
 #include "librpc/gen_ndr/wkssvc.h"
+#include "librpc/gen_ndr/schannel.h"
 #include "libcli/auth/credentials.h"
 #include "libcli/auth/ntlm_check.h"
 #include "libcli/auth/proto.h"
diff --git a/libcli/auth/schannel_state.c b/libcli/auth/schannel_state.c
deleted file mode 100644
index e013300..0000000
--- a/libcli/auth/schannel_state.c
+++ /dev/null
@@ -1,321 +0,0 @@
-/* 
-   Unix SMB/CIFS implementation.
-
-   module to store/fetch session keys for the schannel server
-
-   Copyright (C) Andrew Tridgell 2004
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2006-2009
-
-   This program is free software; you can redistribute it and/or modify
-   it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 3 of the License, or
-   (at your option) any later version.
-   
-   This program is distributed in the hope that it will be useful,
-   but WITHOUT ANY WARRANTY; without even the implied warranty of
-   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-   GNU General Public License for more details.
-   
-   You should have received a copy of the GNU General Public License
-   along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-#include "includes.h"
-#include "lib/ldb/include/ldb.h"
-#include "librpc/gen_ndr/ndr_security.h"
-#include "ldb_wrap.h"
-#include "../lib/util/util_ldb.h"
-#include "libcli/auth/libcli_auth.h"
-#include "auth/auth.h"
-#include "param/param.h"
-#include "auth/gensec/schannel_state.h"
-
-static struct ldb_val *schannel_dom_sid_ldb_val(TALLOC_CTX *mem_ctx,
-						struct dom_sid *sid)
-{
-	enum ndr_err_code ndr_err;
-	struct ldb_val *v;
-
-	v = talloc(mem_ctx, struct ldb_val);
-	if (!v) return NULL;
-
-	ndr_err = ndr_push_struct_blob(v, mem_ctx, NULL, sid,
-				       (ndr_push_flags_fn_t)ndr_push_dom_sid);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		talloc_free(v);
-		return NULL;
-	}
-
-	return v;
-}
-
-static struct dom_sid *schannel_ldb_val_dom_sid(TALLOC_CTX *mem_ctx,
-						 const struct ldb_val *v)
-{
-	enum ndr_err_code ndr_err;
-	struct dom_sid *sid;
-
-	sid = talloc(mem_ctx, struct dom_sid);
-	if (!sid) return NULL;
-
-	ndr_err = ndr_pull_struct_blob(v, sid, NULL, sid,
-					(ndr_pull_flags_fn_t)ndr_pull_dom_sid);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		talloc_free(sid);
-		return NULL;
-	}
-	return sid;
-}
-
-
-/*
-  remember an established session key for a netr server authentication
-  use a simple ldb structure
-*/
-NTSTATUS schannel_store_session_key(struct ldb_context *ldb,
-				    TALLOC_CTX *mem_ctx,
-				    struct netlogon_creds_CredentialState *creds)
-{
-	struct ldb_message *msg;
-	struct ldb_val val, seed, client_state, server_state;
-	struct ldb_val *sid_val;
-	char *f;
-	char *sct;
-	int ret;
-
-	f = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->negotiate_flags);
-
-	if (f == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	sct = talloc_asprintf(mem_ctx, "%u", (unsigned int)creds->secure_channel_type);
-
-	if (sct == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	msg = ldb_msg_new(ldb);
-	if (msg == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	msg->dn = ldb_dn_new_fmt(msg, ldb, "computerName=%s", creds->computer_name);
-	if ( ! msg->dn) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	sid_val = schannel_dom_sid_ldb_val(msg, creds->sid);
-	if (sid_val == NULL) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	val.data = creds->session_key;
-	val.length = sizeof(creds->session_key);
-
-	seed.data = creds->seed.data;
-	seed.length = sizeof(creds->seed.data);
-
-	client_state.data = creds->client.data;
-	client_state.length = sizeof(creds->client.data);
-	server_state.data = creds->server.data;
-	server_state.length = sizeof(creds->server.data);
-
-	ldb_msg_add_string(msg, "objectClass", "schannelState");
-	ldb_msg_add_value(msg, "sessionKey", &val, NULL);
-	ldb_msg_add_value(msg, "seed", &seed, NULL);
-	ldb_msg_add_value(msg, "clientState", &client_state, NULL);
-	ldb_msg_add_value(msg, "serverState", &server_state, NULL);
-	ldb_msg_add_string(msg, "negotiateFlags", f);
-	ldb_msg_add_string(msg, "secureChannelType", sct);
-	ldb_msg_add_string(msg, "accountName", creds->account_name);
-	ldb_msg_add_string(msg, "computerName", creds->computer_name);
-	ldb_msg_add_value(msg, "objectSid", sid_val, NULL);
-
-	ret = ldb_add(ldb, msg);
-	if (ret == LDB_ERR_ENTRY_ALREADY_EXISTS) {
-		int i;
-		/* from samdb_replace() */
-		/* mark all the message elements as LDB_FLAG_MOD_REPLACE */
-		for (i=0;i<msg->num_elements;i++) {
-			msg->elements[i].flags = LDB_FLAG_MOD_REPLACE;
-		}
-
-		ret = ldb_modify(ldb, msg);
-	}
-	
-	/* We don't need a transaction here, as we either add or
-	 * modify records, never delete them, so it must exist */
-
-	if (ret != LDB_SUCCESS) {
-		DEBUG(0,("Unable to add %s to session key db - %s\n", 
-			 ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb)));
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
-	return NT_STATUS_OK;
-}
-
-/*
-  read back a credentials back for a computer
-*/
-NTSTATUS schannel_fetch_session_key(struct ldb_context *ldb,
-				    TALLOC_CTX *mem_ctx,
-				    const char *computer_name, 
-				    struct netlogon_creds_CredentialState **creds)
-{
-	struct ldb_result *res;
-	int ret;
-	const struct ldb_val *val;
-
-	*creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState);
-	if (!*creds) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	ret = ldb_search(ldb, mem_ctx, &res,
-				 NULL, LDB_SCOPE_SUBTREE, NULL,
-				"(computerName=%s)", computer_name);
-	if (ret != LDB_SUCCESS) {
-		DEBUG(3,("schannel: Failed to find a record for client %s: %s\n", computer_name, ldb_errstring(ldb)));
-		return NT_STATUS_INVALID_HANDLE;
-	}
-	if (res->count != 1) {
-		DEBUG(3,("schannel: Failed to find a record for client: %s (found %d records)\n", computer_name, res->count));
-		talloc_free(res);
-		return NT_STATUS_INVALID_HANDLE;
-	}
-
-	val = ldb_msg_find_ldb_val(res->msgs[0], "sessionKey");
-	if (val == NULL || val->length != 16) {
-		DEBUG(1,("schannel: record in schannel DB must contain a sessionKey of length 16, when searching for client: %s\n", computer_name));
-		talloc_free(res);
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	memcpy((*creds)->session_key, val->data, 16);
-
-	val = ldb_msg_find_ldb_val(res->msgs[0], "seed");
-	if (val == NULL || val->length != 8) {
-		DEBUG(1,("schannel: record in schannel DB must contain a vaid seed of length 8, when searching for client: %s\n", computer_name));
-		talloc_free(res);
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	memcpy((*creds)->seed.data, val->data, 8);
-
-	val = ldb_msg_find_ldb_val(res->msgs[0], "clientState");
-	if (val == NULL || val->length != 8) {
-		DEBUG(1,("schannel: record in schannel DB must contain a vaid clientState of length 8, when searching for client: %s\n", computer_name));
-		talloc_free(res);
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-	memcpy((*creds)->client.data, val->data, 8);
-
-	val = ldb_msg_find_ldb_val(res->msgs[0], "serverState");
-	if (val == NULL || val->length != 8) {
-		DEBUG(1,("schannel: record in schannel DB must contain a vaid serverState of length 8, when searching for client: %s\n", computer_name));
-		talloc_free(res);
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-	memcpy((*creds)->server.data, val->data, 8);
-
-	(*creds)->negotiate_flags = ldb_msg_find_attr_as_int(res->msgs[0], "negotiateFlags", 0);
-
-	(*creds)->secure_channel_type = ldb_msg_find_attr_as_int(res->msgs[0], "secureChannelType", 0);
-
-	(*creds)->account_name = talloc_strdup(*creds, ldb_msg_find_attr_as_string(res->msgs[0], "accountName", NULL));
-	if ((*creds)->account_name == NULL) {
-		talloc_free(res);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	(*creds)->computer_name = talloc_strdup(*creds, ldb_msg_find_attr_as_string(res->msgs[0], "computerName", NULL));
-	if ((*creds)->computer_name == NULL) {
-		talloc_free(res);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	val = ldb_msg_find_ldb_val(res->msgs[0], "objectSid");
-	if (val) {
-		(*creds)->sid = schannel_ldb_val_dom_sid(*creds, val);
-		if ((*creds)->sid == NULL) {
-			talloc_free(res);
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-	} else {
-		(*creds)->sid = NULL;
-	}
-
-	talloc_free(res);
-	return NT_STATUS_OK;
-}
-
-/*
-  Validate an incoming authenticator against the credentials for the remote machine.
-
-  The credentials are (re)read and from the schannel database, and
-  written back after the caclulations are performed.
-
-  The creds_out parameter (if not NULL) returns the credentials, if
-  the caller needs some of that information.
-
-*/
-NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
-					  TALLOC_CTX *mem_ctx, 
-					  const char *computer_name,
-					  bool schannel_required_for_call,
-					  bool schannel_in_use,
-					  struct netr_Authenticator *received_authenticator,
-					  struct netr_Authenticator *return_authenticator,
-					  struct netlogon_creds_CredentialState **creds_out) 
-{
-	struct netlogon_creds_CredentialState *creds;
-	NTSTATUS nt_status;
-	int ret;
-
-	ret = ldb_transaction_start(ldb);
-	if (ret != 0) {
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
-	/* Because this is a shared structure (even across
-	 * disconnects) we must update the database every time we
-	 * update the structure */ 
-	
-	nt_status = schannel_fetch_session_key(ldb, ldb, computer_name, 
-					       &creds);
-
-	/* If we are flaged that schannel is required for a call, and
-	 * it is not in use, then make this an error */
-
-	/* It would be good to make this mandetory once schannel is
-	 * negoiated, bu this is not what windows does */
-	if (schannel_required_for_call && !schannel_in_use) {
-		DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n",
-			creds->computer_name ));
-		ldb_transaction_cancel(ldb);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
-	if (NT_STATUS_IS_OK(nt_status)) {
-		nt_status = netlogon_creds_server_step_check(creds, 
-							     received_authenticator, 
-							     return_authenticator);
-	}
-
-	if (NT_STATUS_IS_OK(nt_status)) {
-		nt_status = schannel_store_session_key(ldb, mem_ctx, creds);
-	}
-
-	if (NT_STATUS_IS_OK(nt_status)) {
-		ldb_transaction_commit(ldb);
-		if (creds_out) {
-			*creds_out = creds;
-			talloc_steal(mem_ctx, creds);
-		}
-	} else {
-		ldb_transaction_cancel(ldb);
-	}
-	return nt_status;
-}
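Review bot: this is a pure rename of schannel_state.c to schannel_state_ldb.c (321 lines out, 321 in, per the summary), so the notification would be far more readable generated with rename detection, and because the content moves unchanged the problems in it move too. In schannel_creds_server_step_check() the nt_status from schannel_fetch_session_key() is not checked before the "if (schannel_required_for_call && !schannel_in_use)" block dereferences creds->computer_name in its DEBUG(0): if the fetch failed, creds is either the zeroed struct (computer_name NULL, handed to %s) or NULL if talloc_zero() failed. Use the computer_name argument in that message and move the check above the fetch so a client that negotiated schannel but is not using it is refused before the database is touched. Separately, the fetch is done with mem_ctx set to ldb itself ("schannel_fetch_session_key(ldb, ldb, computer_name, &creds)"), and creds is only talloc_steal()ed onto the caller's mem_ctx when creds_out is non-NULL; on every other path, success or failure, the structure, session key included, stays attached to the long-lived ldb context and is never freed. Add a talloc_free(creds) on the cancel path and on the success path when creds_out is NULL, or allocate on mem_ctx in the first place.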
diff --git a/libcli/auth/schannel_state.h b/libcli/auth/schannel_state.h
index 048baa9..e60f4d9 100644
--- a/libcli/auth/schannel_state.h
+++ b/libcli/auth/schannel_state.h
@@ -21,4 +21,5 @@
 */
 
 struct ldb_context;
+struct tdb_context;
 #include "libcli/auth/schannel_state_proto.h"
diff --git a/libcli/auth/schannel_state_ldb.c b/libcli/auth/schannel_state_ldb.c
new file mode 100644
index 0000000..37458c7
--- /dev/null
+++ b/libcli/auth/schannel_state_ldb.c
@@ -0,0 +1,321 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   module to store/fetch session keys for the schannel server
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2006-2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.


-- 
Samba Shared Repository

