diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-12-28 17:48:45 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-12-29 01:10:58 +0100 |
commit | 149f8f16be79dc9d142971fb74633cfc5b186840 (patch) | |
tree | f13e1a8f8b7c58f659330dc8ceb0a20e4fa0448c | |
parent | fc226f81c6c14b1afc9b98692463ff1e2f9b2464 (diff) | |
download | samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.gz samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.bz2 samba-149f8f16be79dc9d142971fb74633cfc5b186840.zip |
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
-rw-r--r-- | auth/gensec/gensec.h | 1 | ||||
-rw-r--r-- | source4/auth/auth.h | 16 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 116 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 79 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_util.c | 97 | ||||
-rw-r--r-- | source4/auth/gensec/wscript_build | 6 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 1 | ||||
-rw-r--r-- | source4/auth/ntlm/auth.c | 99 | ||||
-rw-r--r-- | source4/auth/ntlm/wscript_build | 2 |
9 files changed, 248 insertions, 169 deletions
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index 9b2ac19fe1..be330e97fa 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -73,6 +73,7 @@ struct cli_credentials; struct gensec_settings; struct tevent_context; struct tevent_req; +struct smb_krb5_context; struct gensec_settings { struct loadparm_context *lp_ctx; diff --git a/source4/auth/auth.h b/source4/auth/auth.h index ff7a13c967..bb2cd570ed 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -55,6 +55,7 @@ struct auth_check_password_request; struct auth4_context; struct auth_session_info; struct ldb_dn; +struct smb_krb5_context; struct auth_operations { const char *name; @@ -129,17 +130,20 @@ struct auth4_context { NTSTATUS (*set_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by); - NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_ctx, - const char *principal, - struct ldb_dn *user_dn, - struct auth_user_info_dc **user_info_dc); - NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **session_info); + + NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx_out, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info); }; /* this structure is used by backends to determine the size of some critical types */ diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 78678cc9d8..1e7a0a3df4 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1307,16 +1307,38 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi TALLOC_CTX *mem_ctx; struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; OM_uint32 maj_stat, min_stat; - DATA_BLOB pac_blob; - struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; - struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; + + gss_buffer_desc name_token; + char *principal_string; mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + maj_stat = gss_display_name (&min_stat, + gensec_gssapi_state->client_name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("GSS display_name failed: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + talloc_free(mem_ctx); + return NT_STATUS_FOOBAR; + } + + principal_string = talloc_strndup(mem_ctx, + (const char *)name_token.value, + name_token.length); + + gss_release_buffer(&min_stat, &name_token); + + if (!principal_string) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context, gensec_gssapi_state->client_name, &pac_blob); @@ -1326,78 +1348,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi * kind... */ if (NT_STATUS_IS_OK(nt_status)) { - pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_srv_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_kdc_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, - pac_blob, - gensec_gssapi_state->smb_krb5_context->krb5_context, - &user_info_dc, - pac_srv_sig, - pac_kdc_sig); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { - gss_buffer_desc name_token; - char *principal_string; - - maj_stat = gss_display_name (&min_stat, - gensec_gssapi_state->client_name, - &name_token, - NULL); - if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("GSS display_name failed: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - talloc_free(mem_ctx); - return NT_STATUS_FOOBAR; - } - - principal_string = talloc_strndup(mem_ctx, - (const char *)name_token.value, - name_token.length); - - gss_release_buffer(&min_stat, &name_token); - - if (!principal_string) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - if (gensec_security->auth_context && - !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, - gensec_security->auth_context, - principal_string, - NULL, - &user_info_dc); - - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n", - principal_string, - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - return NT_STATUS_ACCESS_DENIED; - } - } - - /* references the user_info_dc into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, - user_info_dc, &session_info); + pac_blob_ptr = &pac_blob; + } + nt_status = gensec_generate_session_info_pac(mem_ctx, + gensec_security, + gensec_gssapi_state->smb_krb5_context, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1409,12 +1367,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return nt_status; } - /* Allow torture tests to check the PAC signatures */ - if (session_info->torture) { - session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig); - session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig); - } - if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) { DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n")); } else { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 0c86177960..d5f5f8a438 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -618,14 +618,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; - struct PAC_LOGON_INFO *logon_info; krb5_principal client_principal; char *principal_string; - DATA_BLOB pac; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; krb5_data pac_data; krb5_error_code ret; @@ -659,49 +657,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", - principal_string, - smb_get_krb5_error_message(context, - ret, mem_ctx))); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } else if (ret) { + if (ret) { /* NO pac */ DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - if (gensec_security->auth_context && - !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s", - principal_string, smb_get_krb5_error_message(context, - ret, mem_ctx))); - nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, - gensec_security->auth_context, - principal_string, - NULL, &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } - } else { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", - principal_string)); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } } else { /* Found pac */ - union netr_Validation validation; - - pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); - if (!pac.data) { + pac_blob = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); + if (!pac_blob.data) { free(principal_string); krb5_free_principal(context, client_principal); talloc_free(mem_ctx); @@ -709,12 +673,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* decode and verify the pac */ - nt_status = kerberos_pac_logon_info(gensec_krb5_state, - pac, - gensec_krb5_state->smb_krb5_context->krb5_context, - NULL, gensec_krb5_state->keyblock, - client_principal, - gensec_krb5_state->ticket->ticket.authtime, &logon_info); + nt_status = kerberos_decode_pac(gensec_krb5_state, + pac_blob, + gensec_krb5_state->smb_krb5_context->krb5_context, + NULL, gensec_krb5_state->keyblock, + client_principal, + gensec_krb5_state->ticket->ticket.authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); @@ -723,26 +687,19 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security return nt_status; } - validation.sam3 = &logon_info->info3; - nt_status = make_user_info_dc_netlogon_validation(mem_ctx, - NULL, - 3, &validation, - true, /* This user was authenticated */ - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } + pac_blob_ptr = &pac_blob; } + nt_status = gensec_generate_session_info_pac(mem_ctx, + gensec_security, + gensec_krb5_state->smb_krb5_context, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); + free(principal_string); krb5_free_principal(context, client_principal); - /* references the user_info_dc into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c index 267366af61..fa28c6528c 100644 --- a/source4/auth/gensec/gensec_util.c +++ b/source4/auth/gensec/gensec_util.c @@ -22,8 +22,13 @@ #include "includes.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_proto.h" #include "auth/auth.h" +#include "auth/credentials/credentials.h" #include "auth/system_session_proto.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "auth/kerberos/kerberos_util.h" NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, @@ -57,3 +62,95 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, } return nt_status; } + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + uint32_t session_info_flags = 0; + TALLOC_CTX *mem_ctx; + struct auth_user_info_dc *user_info_dc; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", + principal_string)); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n", + principal_string)); + } + + if (gensec_security->auth_context) { + return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, + mem_ctx_out, + smb_krb5_context, + pac_blob, + principal_string, + remote_address, + session_info_flags, + session_info); + } else if (!pac_blob) { + DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n")); + return NT_STATUS_NO_SUCH_USER; + } + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx_out, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if ((*session_info)->torture) { + (*session_info)->torture->pac_srv_sig + = talloc_steal((*session_info)->torture, pac_srv_sig); + (*session_info)->torture->pac_kdc_sig + = talloc_steal((*session_info)->torture, pac_kdc_sig); + } + + talloc_free(mem_ctx); + return nt_status; +} diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build index 86d958950f..a4c5685f2e 100644 --- a/source4/auth/gensec/wscript_build +++ b/source4/auth/gensec/wscript_build @@ -2,14 +2,14 @@ bld.SAMBA_SUBSYSTEM('gensec_util', source='socket.c gensec_tstream.c gensec_util.c', - deps='tevent-util tevent samba-util LIBTSOCKET', + deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL', autoproto='gensec_proto.h') bld.SAMBA_MODULE('gensec_krb5', source='gensec_krb5.c', subsystem='gensec', init_function='gensec_krb5_init', - deps='samba-credentials authkrb5 auth_session com_err', + deps='samba-credentials authkrb5 auth_session com_err gensec_util', internal_module=False, ) @@ -18,7 +18,7 @@ bld.SAMBA_MODULE('gensec_gssapi', source='gensec_gssapi.c', subsystem='gensec', init_function='gensec_gssapi_init', - deps='gssapi samba-credentials authkrb5 com_err' + deps='gssapi samba-credentials authkrb5 com_err gensec_util' ) diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 8ce970e486..2e60af6f84 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -30,6 +30,7 @@ #include "librpc/gen_ndr/ndr_krb5pac.h" #include <ldb.h> #include "auth/auth_sam_reply.h" +#include "auth/kerberos/kerberos_util.h" _PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx, DATA_BLOB blob, diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 3a4ddaec5e..d2f1d88508 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -28,6 +28,16 @@ #include "dsdb/samdb/samdb.h" #include "libcli/wbclient/wbclient.h" #include "lib/util/samba_modules.h" +#include "auth/credentials/credentials.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "auth/kerberos/kerberos_util.h" + +static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, + struct auth4_context *auth_context, + struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct auth_session_info **session_info); /*************************************************************************** Set a fixed challenge @@ -104,24 +114,34 @@ PAC isn't available, and for tokenGroups in the DSDB stack. Supply either a principal or a DN ****************************************************************************/ -_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_ctx, - const char *principal, - struct ldb_dn *user_dn, - struct auth_user_info_dc **user_info_dc) +static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx, + const char *principal, + struct ldb_dn *user_dn, + uint32_t session_info_flags, + struct auth_session_info **session_info) { NTSTATUS nt_status; struct auth_method_context *method; + struct auth_user_info_dc *user_info_dc; for (method = auth_ctx->methods; method; method = method->next) { if (!method->ops->get_user_info_dc_principal) { continue; } - nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc); + nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { continue; } + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + nt_status = auth_generate_session_info_wrapper(mem_ctx, auth_ctx, + user_info_dc, + session_info_flags, session_info); + talloc_free(user_info_dc); return nt_status; } @@ -407,19 +427,22 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, return NT_STATUS_OK; } -/* Wrapper because we don't want to expose all callers to needing to - * know that session_info is generated from the main ldb, and because - * we need to break a depenency loop between the DCE/RPC layer and the - * generation of unix tokens via IRPC */ + /* Wrapper because we don't want to expose all callers to needing to + * know that session_info is generated from the main ldb, and because + * we need to break a depenency loop between the DCE/RPC layer and the + * generation of unix tokens via IRPC */ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_context, - struct auth_user_info_dc *user_info_dc, - uint32_t session_info_flags, - struct auth_session_info **session_info) + struct auth4_context *auth_context, + struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct auth_session_info **session_info) { NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, user_info_dc, session_info_flags, session_info); + if (!NT_STATUS_IS_OK(status)) { + return status; + } if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN) && NT_STATUS_IS_OK(status)) { @@ -441,6 +464,50 @@ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, return status; } +/* Wrapper because we don't want to expose all callers to needing to + * know anything about the PAC or auth subsystem internal structures + * before we output a struct auth session_info */ +static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx_out, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + NTSTATUS status; + struct auth_user_info_dc *user_info_dc; + TALLOC_CTX *mem_ctx; + + if (!pac_blob) { + return auth_generate_session_info_principal(auth_ctx, mem_ctx_out, principal_name, + NULL, session_info_flags, session_info); + } + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, NULL, NULL); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(mem_ctx); + return status; + } + + if (user_info_dc->info->authenticated) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + status = auth_generate_session_info_wrapper(mem_ctx_out, auth_ctx, + user_info_dc, + session_info_flags, session_info); + talloc_free(mem_ctx); + return status; +} + /*************************************************************************** Make a auth_info struct for the auth subsystem - Allow the caller to specify the methods to use, including optionally the SAM to use @@ -462,7 +529,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** return NT_STATUS_INTERNAL_ERROR; } - ctx = talloc(mem_ctx, struct auth4_context); + ctx = talloc_zero(mem_ctx, struct auth4_context); NT_STATUS_HAVE_NO_MEMORY(ctx); ctx->challenge.set_by = NULL; ctx->challenge.may_be_modified = false; @@ -499,8 +566,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** ctx->get_challenge = auth_get_challenge; ctx->set_challenge = auth_context_set_challenge; ctx->challenge_may_be_modified = auth_challenge_may_be_modified; - ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal; ctx->generate_session_info = auth_generate_session_info_wrapper; + ctx->generate_session_info_pac = auth_generate_session_info_pac; *auth_ctx = ctx; diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build index 6447bf2ea0..8a8bfcb0b6 100644 --- a/source4/auth/ntlm/wscript_build +++ b/source4/auth/ntlm/wscript_build @@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix', bld.SAMBA_LIBRARY('auth4', source='auth.c auth_util.c auth_simple.c', autoproto='auth_proto.h', - deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules', + deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules KERBEROS_UTIL', private_library=True ) |