const struct samr_Password *nt_hashes[2] = { NULL, NULL };
uint8_t idx_nt_hashes = 0;
NTSTATUS status;
+ bool client_use_krb5_netlogon = true;
+ bool reject_aes_servers = true;
+
+ netlogon_creds_cli_use_kerberos(creds_ctx,
+ &client_use_krb5_netlogon,
+ &reject_aes_servers);
status = netlogon_creds_cli_get(creds_ctx, frame, &creds);
if (NT_STATUS_IS_OK(status)) {
num_nt_hashes = 2;
}
+ if (client_use_krb5_netlogon) {
+ status = cli_rpc_pipe_open_with_creds(cli,
+ &ndr_table_netlogon,
+ transport,
+ DCERPC_AUTH_TYPE_KRB5,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ "netlogon",
+ remote_name,
+ remote_sockaddr,
+ cli_creds,
+ &netlogon_pipe);
+ if (NT_STATUS_IS_OK(status)) {
+ goto do_auth;
+ }
+
+ if (reject_aes_servers) {
+ DBG_ERR("failed to open krb5 netlogon connection to %s - %s\n",
+ remote_name,
+ nt_errstr(status));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ /* Fall back to noauth */
+ }
+
status = cli_rpc_pipe_open_noauth_transport(cli,
transport,
&ndr_table_netlogon,
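Review bot: The fall-through at the end of the `if (client_use_krb5_netlogon)` block is silent: when `reject_aes_servers` is false, a failed Kerberos netlogon bind drops to the noauth pipe with no log line, so a failure that an attacker could provoke (for instance by making the KDC unreachable) would force the non-Kerberos path without anyone noticing. I would log the downgrade just before the `/* Fall back to noauth */` comment, `DBG_WARNING("krb5 netlogon connection to %s failed (%s), falling back to noauth\n", remote_name, nt_errstr(status));`. The error branch would also read better with a one-line comment saying that `reject_aes_servers` is what makes the krb5 failure fatal, since the message itself does not convey that. The enclosing function starts before this hunk and continues after it.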
TALLOC_FREE(frame);
return status;
}
+
+do_auth:
talloc_steal(frame, netlogon_pipe);
status = netlogon_creds_cli_auth(creds_ctx,
enum netr_SchannelType sec_chan_type;
struct netlogon_creds_cli_lck *lck = NULL;
uint32_t negotiate_flags;
+ bool authenticate_kerberos = false;
uint8_t found_session_key[16] = {0};
bool found_existing_creds = false;
bool do_serverauth;
creds->session_key,
sizeof(found_session_key));
+ authenticate_kerberos = creds->authenticate_kerberos;
TALLOC_FREE(creds);
}
memcpy(found_session_key, creds->session_key,
sizeof(found_session_key));
+ authenticate_kerberos = creds->authenticate_kerberos;
TALLOC_FREE(creds);
}
}
do_serverauth = force_reauth || !found_existing_creds;
if (!do_serverauth) {
+ if (authenticate_kerberos) {
+ /*
+ * Do the quick krb5 bind without a reauth
+ */
+ status = cli_rpc_pipe_open_with_creds(cli,
+ &ndr_table_netlogon,
+ transport,
+ DCERPC_AUTH_TYPE_KRB5,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ "netlogon",
+ remote_name,
+ remote_sockaddr,
+ trust_creds,
+ &rpccli);
+ if (NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ if (!retry) {
+ DBG_DEBUG("Retrying with serverauthenticate\n");
+ TALLOC_FREE(lck);
+ force_reauth = true;
+ retry = true;
+ goto again;
+ }
+ DBG_DEBUG("cli_rpc_pipe_open_with_creds(krb5) "
+ "failed: %s\n", nt_errstr(status));
+ goto fail;
+ }
+
/*
* Do the quick schannel bind without a reauth
*/
goto done;
}
+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH) {
+ /*
+ * we keep the AUTH_TYPE_KRB5 rpccli for the
+ * caller...
+ */
+ goto check;
+ }
+
status = cli_rpc_pipe_client_prepare_alter(rpccli,
true, /* new_auth_context */
&ndr_table_netlogon,
goto fail;
}
+check:
status = netlogon_creds_cli_check(creds_ctx, rpccli->binding_handle,
NULL);
if (!NT_STATUS_IS_OK(status)) {
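Review bot: In the quick krb5 bind path, the `if (!retry)` branch discards the failure reason: the `status` from the failed `cli_rpc_pipe_open_with_creds` is only printed once a retry has already happened, so the first failure that triggers a full serverauthenticate leaves no trace of why it happened. Suggest `DBG_DEBUG("cli_rpc_pipe_open_with_creds(krb5) failed: %s, retrying with serverauthenticate\n", nt_errstr(status));` in place of the plain "Retrying with serverauthenticate" message. The `goto check` taken when `NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH` is set also deserves a note that it relies on `rpccli` already being the AUTH_TYPE_KRB5 pipe, because where that pipe is opened on the serverauth path is not visible in this hunk. The enclosing function starts before this hunk and ends after it.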
struct netlogon_creds_cli_context *netlogon_creds = NULL;
struct netlogon_creds_CredentialState *creds = NULL;
uint32_t netlogon_flags;
+ bool authenticate_kerberos;
status = pdb_get_trust_credentials(domain, NULL,
frame, &cli_creds);
}
netlogon_flags = creds->negotiate_flags;
+ authenticate_kerberos = creds->authenticate_kerberos;
TALLOC_FREE(creds);
- if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
+ if (authenticate_kerberos) {
+ status = cli_rpc_pipe_open_with_creds(cli,
+ table,
+ transport,
+ DCERPC_AUTH_TYPE_KRB5,
+ DCERPC_AUTH_LEVEL_PRIVACY,
+ "netlogon",
+ remote_name,
+ remote_sockaddr,
+ cli_creds,
+ &result);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+ } else if (netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC) {
status = cli_rpc_pipe_open_schannel_with_creds(cli, table,
transport,
netlogon_creds,
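Review bot: The new `if (authenticate_kerberos)` branch takes precedence over the old `NETLOGON_NEG_AUTHENTICATED_RPC` check without saying so in the code: when the stored creds were established with Kerberos, a failed krb5 bind returns `status` rather than trying schannel. That looks like the right behaviour for already-negotiated creds, but a comment above the branch would keep a later maintainer from turning it into a downgrade, e.g. `/* creds were negotiated with Kerberos: a failed krb5 bind is fatal, never fall back to schannel here */`. The enclosing function starts before this hunk and continues after it.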