/*
parse any auth information from a dcerpc bind request
return false if we can't handle the auth request for some
reason (in which case we send a bind_nak)
*/
bool dcesrv_auth_bind(struct dcesrv_call_state *call)
{
struct cli_credentials *server_credentials;
struct ncacn_packet *pkt = &call->pkt;
struct dcesrv_connection *dce_conn = call->conn;
struct dcesrv_auth *auth = &dce_conn->auth_state;
NTSTATUS status;
uint32_t auth_length;
if (pkt->u.bind.auth_info.length == 0) {
dce_conn->auth_state.auth_info = NULL;
return true;
}
dce_conn->auth_state.auth_info = talloc(dce_conn, struct dcerpc_auth);
if (!dce_conn->auth_state.auth_info) {
return false;
}
status = dcerpc_pull_auth_trailer(pkt, call, &pkt->u.bind.auth_info,
dce_conn->auth_state.auth_info,
&auth_length, false);
server_credentials
= cli_credentials_init(call);
if (!server_credentials) {
DEBUG(1, ("Failed to init server credentials\n"));
return false;
}
cli_credentials_set_conf(server_credentials, call->conn->dce_ctx->lp_ctx);
status = cli_credentials_set_machine_account(server_credentials, call->conn->dce_ctx->lp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
talloc_free(server_credentials);
server_credentials = NULL;
}
status = samba_server_gensec_start(dce_conn, call->event_ctx,
call->msg_ctx,
call->conn->dce_ctx->lp_ctx,
server_credentials,
NULL,
&auth->gensec_security);
status = gensec_start_mech_by_authtype(auth->gensec_security, auth->auth_info->auth_type,
auth->auth_info->auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Failed to start GENSEC mechanism for DCERPC server: auth_type=%d, auth_level=%d: %s\n",
(int)auth->auth_info->auth_type,
(int)auth->auth_info->auth_level,
nt_errstr(status)));
return false;
}
return true;
}
static NTSTATUS auth_generic_server_authtype_start_as_root(TALLOC_CTX *mem_ctx,
uint8_t auth_type, uint8_t auth_level,
DATA_BLOB *token_in,
DATA_BLOB *token_out,
const struct tsocket_address *remote_address,
struct gensec_security **ctx)
{
struct gensec_security *gensec_security = NULL;
NTSTATUS status;
status = auth_generic_prepare(talloc_tos(), remote_address, &gensec_security);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_prepare failed: %s\n",
nt_errstr(status)));
return status;
}
status = gensec_start_mech_by_authtype(gensec_security, auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": auth_generic_start failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
status = gensec_update(gensec_security, mem_ctx, NULL, *token_in, token_out);
if (!NT_STATUS_IS_OK(status) && !NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
DEBUG(2, (__location__ ": gensec_update failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(gensec_security);
return status;
}
/* steal gensec context to the caller */
*ctx = talloc_move(mem_ctx, &gensec_security);
return NT_STATUS_OK;
}
NTSTATUS auth_generic_client_start_by_authtype(struct auth_generic_state *ans,
uint8_t auth_type,
uint8_t auth_level)
{
NTSTATUS status;
/* Transfer the credentials to gensec */
status = gensec_set_credentials(ans->gensec_security, ans->credentials);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to set GENSEC credentials: %s\n",
nt_errstr(status)));
return status;
}
talloc_unlink(ans, ans->credentials);
ans->credentials = NULL;
status = gensec_start_mech_by_authtype(ans->gensec_security,
auth_type, auth_level);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
