authorVolker Lendecke <vl@samba.org>2017-09-07 12:43:00 +0200
committerVolker Lendecke <vl@samba.org>2017-09-25 09:43:12 +0200
commit4b97de8adb2977aaec21940241dbc4d615307f4f (patch)
tree813222c0fbd924b74fc7675f6fde1ef03bb33560
parent6f879b780a5ff37e80d1bf7c06e377909bcfc950 (diff)
rpc_client3: Avoid "cli_credentials" in cli_rpc_pipe_open_schannel_with_creds
This provides cleaner data dependencies. A netlogon_creds_ctx contains everything required to open an schannel, there is no good reason to require cli_credentials here. Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--libcli/auth/netlogon_creds_cli.c1
-rw-r--r--source3/libnet/libnet_join.c1
-rw-r--r--source3/rpc_client/cli_pipe.c17
-rw-r--r--source3/rpc_client/cli_pipe.h1
-rw-r--r--source3/rpc_client/cli_pipe_schannel.c1
-rw-r--r--source3/winbindd/winbindd_cm.c14
6 files changed, 21 insertions, 14 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 25f14316dc2..3209f6cf871 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -474,6 +474,7 @@ NTSTATUS netlogon_creds_bind_cli_credentials(
TALLOC_FREE(cli_creds);
return status;
}
+ cli_credentials_set_netlogon_creds(cli_creds, ncreds);
*pcli_creds = cli_creds;
return NT_STATUS_OK;
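Review bot: The added `cli_credentials_set_netlogon_creds(cli_creds, ncreds);` just before `*pcli_creds = cli_creds;` changes what every caller of netlogon_creds_bind_cli_credentials receives, and nothing at the function says so. The returned credentials now carry the netlogon credential state, so callers should handle them as secret-bearing and keep them no longer than the bind needs. I would add a comment above the call such as `/* Returned creds carry the netlogon state: treat as sensitive, scope to the bind. */`. Callers of this function other than the one changed in cli_pipe.c are not visible in this diff and should be checked for any that relied on the state being unset. The function body starts above the hunk, so how `ncreds` is owned relative to `cli_creds` cannot be confirmed from here.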
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 5880913a39f..eb6b894908f 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -1662,7 +1662,6 @@ NTSTATUS libnet_join_ok(struct messaging_context *msg_ctx,
status = cli_rpc_pipe_open_schannel_with_creds(
cli, &ndr_table_netlogon, NCACN_NP,
- cli_creds,
netlogon_creds, &netlogon_pipe);
TALLOC_FREE(netlogon_pipe);
diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
index 07476c745fe..5e87bad46a2 100644
--- a/source3/rpc_client/cli_pipe.c
+++ b/source3/rpc_client/cli_pipe.c
@@ -3275,7 +3275,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
const struct ndr_interface_table *table,
enum dcerpc_transport_t transport,
- struct cli_credentials *cli_creds,
struct netlogon_creds_cli_context *netlogon_creds,
struct rpc_pipe_client **_rpccli)
{
@@ -3283,6 +3282,7 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
struct pipe_auth_data *rpcauth;
const char *target_service = table->authservices->names[0];
struct netlogon_creds_CredentialState *ncreds = NULL;
+ struct cli_credentials *cli_creds;
enum dcerpc_AuthLevel auth_level;
NTSTATUS status;
int rpc_pipe_bind_dbglvl = 0;
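Review bot: The new local `struct cli_credentials *cli_creds;` is left uninitialised while `ncreds` directly above it starts as NULL. It is only assigned through the out-parameter of netlogon_creds_bind_cli_credentials in the next hunk, so a cleanup path added later that touches it before that call would read an indeterminate pointer. Declaring it as `struct cli_credentials *cli_creds = NULL;` matches the neighbouring declaration and the `cli_creds = NULL;` reset after the bind. The function body continues outside this hunk.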
@@ -3302,7 +3302,14 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
auth_level = netlogon_creds_cli_auth_level(netlogon_creds);
- cli_credentials_set_netlogon_creds(cli_creds, ncreds);
+ status = netlogon_creds_bind_cli_credentials(
+ netlogon_creds, rpccli, &cli_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("netlogon_creds_bind_cli_credentials failed: %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(rpccli);
+ return status;
+ }
status = rpccli_generic_bind_data_from_creds(rpccli,
DCERPC_AUTH_TYPE_SCHANNEL,
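Review bot: With `cli_credentials_set_netlogon_creds(cli_creds, ncreds)` removed here, the local `ncreds` no longer feeds the bind; within this diff its only remaining use is `netlogon_creds_cli_delete(netlogon_creds, ncreds)` in the next hunk. The credentials used for the bind now come from netlogon_creds_bind_cli_credentials, which presumably reads the state from `netlogon_creds` itself, so the function may be holding two independently fetched copies of it. A short comment at the bind call, for example `/* ncreds is kept only to identify the entry to delete on NT_STATUS_NETWORK_ACCESS_DENIED */`, would make that intent explicit. Where `ncreds` is obtained lies above the hunk, so this should be confirmed against the full function.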
@@ -3319,7 +3326,11 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
}
status = rpc_pipe_bind(rpccli, rpcauth);
- cli_credentials_set_netlogon_creds(cli_creds, NULL);
+
+ /* No TALLOC_FREE, gensec takes references */
+ talloc_unlink(rpccli, cli_creds);
+ cli_creds = NULL;
+
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_ACCESS_DENIED)) {
rpc_pipe_bind_dbglvl = 1;
netlogon_creds_cli_delete(netlogon_creds, ncreds);
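Review bot: The comment `/* No TALLOC_FREE, gensec takes references */` explains why `talloc_unlink(rpccli, cli_creds)` is used, but not what now bounds the lifetime of the netlogon state attached to `cli_creds`. The removed line cleared that state right after `rpc_pipe_bind`; after this change it stays alive for as long as gensec holds its reference, which is reasonable for a private object but worth stating. I would extend the comment along the lines of `/* gensec holds references; the creds and their netlogon state are released with the auth context */`, to be confirmed against gensec's behaviour. The return value of `talloc_unlink` is also ignored, and a `DBG_WARNING` on a non-zero result would surface an unexpected parent relationship. The enclosing function continues past the hunk.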
diff --git a/source3/rpc_client/cli_pipe.h b/source3/rpc_client/cli_pipe.h
index 2290d62b49d..5df43c57e95 100644
--- a/source3/rpc_client/cli_pipe.h
+++ b/source3/rpc_client/cli_pipe.h
@@ -102,7 +102,6 @@ NTSTATUS cli_rpc_pipe_open_generic_auth(struct cli_state *cli,
NTSTATUS cli_rpc_pipe_open_schannel_with_creds(struct cli_state *cli,
const struct ndr_interface_table *table,
enum dcerpc_transport_t transport,
- struct cli_credentials *cli_creds,
struct netlogon_creds_cli_context *netlogon_creds,
struct rpc_pipe_client **_rpccli);
diff --git a/source3/rpc_client/cli_pipe_schannel.c b/source3/rpc_client/cli_pipe_schannel.c
index a94429538c7..8a8177be2e5 100644
--- a/source3/rpc_client/cli_pipe_schannel.c
+++ b/source3/rpc_client/cli_pipe_schannel.c
@@ -93,7 +93,6 @@ NTSTATUS cli_rpc_pipe_open_schannel(struct cli_state *cli,
if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
status = cli_rpc_pipe_open_schannel_with_creds(cli, table,
transport,
- cli_creds,
netlogon_creds,
&result);
if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index afde0c87b7a..a5e5ab3f4e3 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2771,9 +2771,9 @@ retry:
nt_errstr(result)));
goto anonymous;
}
- status = cli_rpc_pipe_open_schannel_with_creds
- (conn->cli, &ndr_table_samr, NCACN_NP,
- creds, p_creds, &conn->samr_pipe);
+ status = cli_rpc_pipe_open_schannel_with_creds(
+ conn->cli, &ndr_table_samr, NCACN_NP, p_creds,
+ &conn->samr_pipe);
if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)
&& !retry) {
@@ -2950,7 +2950,6 @@ static NTSTATUS cm_connect_lsa_tcp(struct winbindd_domain *domain,
status = cli_rpc_pipe_open_schannel_with_creds(conn->cli,
&ndr_table_lsarpc,
NCACN_IP_TCP,
- creds,
p_creds,
&conn->lsa_pipe_tcp);
if (!NT_STATUS_IS_OK(status)) {
@@ -3077,9 +3076,9 @@ retry:
nt_errstr(result)));
goto anonymous;
}
- result = cli_rpc_pipe_open_schannel_with_creds
- (conn->cli, &ndr_table_lsarpc, NCACN_NP,
- creds, p_creds, &conn->lsa_pipe);
+ result = cli_rpc_pipe_open_schannel_with_creds(
+ conn->cli, &ndr_table_lsarpc, NCACN_NP, p_creds,
+ &conn->lsa_pipe);
if (NT_STATUS_EQUAL(result, NT_STATUS_NETWORK_SESSION_EXPIRED)
&& !retry) {
@@ -3343,7 +3342,6 @@ static NTSTATUS cm_connect_netlogon_transport(struct winbindd_domain *domain,
result = cli_rpc_pipe_open_schannel_with_creds(
conn->cli, &ndr_table_netlogon, transport,
- creds,
conn->netlogon_creds_ctx,
&conn->netlogon_pipe);
if (!NT_STATUS_IS_OK(result)) {