From 38d4dba37406515181e4d6f1a1faffc18e652e27 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Sat, 27 Jul 2013 11:30:13 +0200 Subject: s3:rpc_client: make use of the new netlogon_creds_cli_context This exchanges rpc_pipe_client->dc with rpc_pipe_client->netlogon_creds and lets the secure channel session state be stored in node local database. This is the proper fix for a large number of bugs: https://bugzilla.samba.org/show_bug.cgi?id=6563 https://bugzilla.samba.org/show_bug.cgi?id=7944 https://bugzilla.samba.org/show_bug.cgi?id=7945 https://bugzilla.samba.org/show_bug.cgi?id=7568 https://bugzilla.samba.org/show_bug.cgi?id=8599 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- source3/rpcclient/cmd_netlogon.c | 57 ++++++++++++++++++++++++++++++++++------ 1 file changed, 49 insertions(+), 8 deletions(-) (limited to 'source3/rpcclient') diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index d92434b23c7..2e0b5e5a871 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -26,6 +26,7 @@ #include "../librpc/gen_ndr/ndr_netlogon_c.h" #include "rpc_client/cli_netlogon.h" #include "secrets.h" +#include "../libcli/auth/netlogon_creds_cli.h" static WERROR cmd_netlogon_logon_ctrl2(struct rpc_pipe_client *cli, TALLOC_CTX *mem_ctx, int argc, @@ -630,8 +631,15 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli, do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; + struct netlogon_creds_CredentialState *creds = NULL; - netlogon_creds_client_authenticator(cli->dc, &credential); + status = netlogon_creds_cli_lock(cli->netlogon_creds, + mem_ctx, &creds); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_DatabaseSync2(b, mem_ctx, logon_server, 
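Review bot: In the cmd_netlogon_sam_sync hunk the credential state is locked at the top of every loop iteration and is only released by one of the `TALLOC_FREE(creds)` calls after the reply check, so the lock spans the whole dcerpc_netr_DatabaseSync2 round trip. If netlogon_creds_cli_lock serialises every local process that shares this secure channel (its implementation is not visible here), a slow or unresponsive DC stalls all of them until the RPC times out. If that is intended, say so above the call, e.g. `/* lock is held across the RPC on purpose: stepping the authenticator and checking the reply must not interleave with other users of this secure channel */`. The same pattern appears in the sam_deltas, database_redo and capabilities hunks; the loop body continues outside this hunk.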
@@ -645,15 +653,18 @@ static NTSTATUS cmd_netlogon_sam_sync(struct rpc_pipe_client *cli, 0xffff, &result); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(creds); return status; } /* Check returned credentials. */ - if (!netlogon_creds_client_check(cli->dc, + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { DEBUG(0,("credentials chain check failed\n")); + TALLOC_FREE(creds); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(creds); if (NT_STATUS_IS_ERR(result)) { break; @@ -699,8 +710,15 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli, do { struct netr_DELTA_ENUM_ARRAY *delta_enum_array = NULL; + struct netlogon_creds_CredentialState *creds = NULL; + + status = netlogon_creds_cli_lock(cli->netlogon_creds, + mem_ctx, &creds); + if (!NT_STATUS_IS_OK(status)) { + return status; + } - netlogon_creds_client_authenticator(cli->dc, &credential); + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_DatabaseDeltas(b, mem_ctx, logon_server, @@ -713,15 +731,18 @@ static NTSTATUS cmd_netlogon_sam_deltas(struct rpc_pipe_client *cli, 0xffff, &result); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(creds); return status; } /* Check returned credentials. */ - if (!netlogon_creds_client_check(cli->dc, + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { DEBUG(0,("credentials chain check failed\n")); + TALLOC_FREE(creds); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(creds); if (NT_STATUS_IS_ERR(result)) { break; @@ -1129,6 +1150,7 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli, struct netr_ChangeLogEntry e; uint32_t rid = 500; struct dcerpc_binding_handle *b = cli->binding_handle; + struct netlogon_creds_CredentialState *creds = NULL; if (argc > 2) { fprintf(stderr, "Usage: %s \n", argv[0]); 
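Review bot: On the success path of cmd_netlogon_sam_sync the stepped `creds` is dropped with `TALLOC_FREE(creds)`, and nothing in the hunk writes it back to the node-local database that the commit message says now holds the session state. If netlogon_creds_cli_lock returns a copy of the stored state (not visible here), the next loop iteration re-reads the un-advanced credential and sends an authenticator the server has already consumed, breaking the credential chain. Consider replacing the final free with `status = netlogon_creds_cli_store(cli->netlogon_creds, &creds);` and checking the result, with the exact signature to be confirmed against netlogon_creds_cli.h. On the `credentials chain check failed` path the stored state should probably be invalidated (e.g. via `netlogon_creds_cli_delete()`) rather than only freed, so a desynchronised chain is not reused. The same applies to the cmd_netlogon_sam_deltas hunk that follows and to the database_redo and capabilities hunks.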
@@ -1158,7 +1180,13 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli, return status; } - netlogon_creds_client_authenticator(cli->dc, &clnt_creds); + status = netlogon_creds_cli_lock(cli->netlogon_creds, + mem_ctx, &creds); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + netlogon_creds_client_authenticator(creds, &clnt_creds); ZERO_STRUCT(e); @@ -1176,13 +1204,16 @@ static NTSTATUS cmd_netlogon_database_redo(struct rpc_pipe_client *cli, &delta_enum_array, &result); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(creds); return status; } - if (!netlogon_creds_client_check(cli->dc, &srv_cred.cred)) { + if (!netlogon_creds_client_check(creds, &srv_cred.cred)) { DEBUG(0,("credentials chain check failed\n")); + TALLOC_FREE(creds); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(creds); return result; } @@ -1198,6 +1229,7 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli, union netr_Capabilities capabilities; uint32_t level = 1; struct dcerpc_binding_handle *b = cli->binding_handle; + struct netlogon_creds_CredentialState *creds = NULL; if (argc > 2) { fprintf(stderr, "Usage: %s \n", argv[0]); @@ -1210,7 +1242,13 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli, ZERO_STRUCT(return_authenticator); - netlogon_creds_client_authenticator(cli->dc, &credential); + status = netlogon_creds_cli_lock(cli->netlogon_creds, + mem_ctx, &creds); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + netlogon_creds_client_authenticator(creds, &credential); status = dcerpc_netr_LogonGetCapabilities(b, mem_ctx, cli->desthost, 
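Review bot: In the cmd_netlogon_capabilities hunk, `cli->netlogon_creds` is handed to netlogon_creds_cli_lock with no visible check that this pipe has a netlogon credential context at all. The lines before the call only parse arguments and zero `return_authenticator`. Whether netlogon_creds_cli_lock tolerates a NULL context is not shown, so an interactive command run on a connection without an established secure channel may dereference NULL instead of failing cleanly. A guard before the lock would make the failure explicit: `if (cli->netlogon_creds == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The sam_sync and sam_deltas hunks use the pointer the same way; the function body starts and ends outside this hunk.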
@@ -1221,14 +1259,17 @@ static NTSTATUS cmd_netlogon_capabilities(struct rpc_pipe_client *cli, &capabilities, &result); if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(creds); return status; } - if (!netlogon_creds_client_check(cli->dc, + if (!netlogon_creds_client_check(creds, &return_authenticator.cred)) { DEBUG(0,("credentials chain check failed\n")); + TALLOC_FREE(creds); return NT_STATUS_ACCESS_DENIED; } + TALLOC_FREE(creds); printf("capabilities: 0x%08x\n", capabilities.server_capabilities); -- cgit v1.2.1
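Review bot: Between the new `TALLOC_FREE(creds);` and the `printf("capabilities: ...")` in cmd_netlogon_capabilities, only the transport `status` has been tested; the server's `result` is never examined before `capabilities.server_capabilities` is printed. If the server rejects the call, the union may not have been filled in (no initialisation of `capabilities` is visible in the hunk), and the tool would show a meaningless value for a field operators use to confirm the negotiated secure-channel flags. Adding `if (!NT_STATUS_IS_OK(result)) { return result; }` before the printf avoids that. The function continues past the end of the hunk, so any later handling of `result` is not visible here.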