authorAndrew Bartlett <abartlet@samba.org>2012-02-03 17:09:37 +1100
committerAndrew Bartlett <abartlet@samba.org>2012-03-08 10:14:05 +0100
commit50547a9950062311a4952846960b15e1d6cdfdf5 (patch)
tree9ea17788d4f7fed7df3dc6d32fe6ddd8ecf599e5
parent79753ec02c8315a55557c418f3a802fd2631878f (diff)
s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
This patch ensures consistency in behaviour between the NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we not only allow redirection of all authentication to the AD DC, but also ensure that map-to-guest and username-map handling is consistent, even in the file server alone. Andrew Bartlett
-rw-r--r--source3/auth/auth_util.c20
-rw-r--r--source3/smbd/globals.h2
-rw-r--r--source3/smbd/negprot.c2
-rw-r--r--source3/smbd/sesssetup.c63
4 files changed, 32 insertions, 55 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 06aa9c5108..21a8642751 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -347,8 +347,8 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
return false;
}
- ret = make_user_info_map(
- user_info, smb_name, client_domain,
+ ret = make_user_info(
+ user_info, smb_name, smb_name, client_domain, client_domain,
get_remote_machine_name(),
remote_address,
local_lm_blob.data ? &local_lm_blob : NULL,
@@ -376,14 +376,14 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
const struct tsocket_address *remote_address,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
{
- return make_user_info_map(user_info, smb_name,
- client_domain,
- get_remote_machine_name(),
- remote_address,
- lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
- nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
- NULL, NULL, NULL,
- AUTH_PASSWORD_RESPONSE);
+ return make_user_info(user_info, smb_name, smb_name,
+ client_domain, client_domain,
+ get_remote_machine_name(),
+ remote_address,
+ lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
+ nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
+ NULL, NULL, NULL,
+ AUTH_PASSWORD_RESPONSE);
}
/****************************************************************************
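Review bot: Passing `smb_name` and `client_domain` twice to make_user_info() in the replaced call means the username-map and domain handling that make_user_info_map() previously applied no longer happens in this function; every caller now depends on the auth4_context path doing that mapping later. That is the commit's stated intent, but nothing at the call site records it, so a future caller could reasonably assume the returned user_info already carries mapped names. A comment above the call such as `/* No mapping here: username map, domain handling and map-to-guest are applied by the auth4_context layer in auth_check_password_session_info(). */` would make the contract explicit. It is worth confirming that no caller of make_user_info_for_reply_enc() outside this diff feeds the result to something other than the auth4 path, since such a caller would now see unmapped names.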
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index bfa649b98b..5b65711b99 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -509,7 +509,7 @@ struct smbd_server_connection {
struct {
bool encrypted_passwords;
bool spnego;
- struct auth_context *auth_context;
+ struct auth4_context *auth_context;
bool done;
/*
* Size of the data we can receive. Set by us.
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 8a6b509fea..e44ac5cb75 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -44,7 +44,7 @@ static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8])
}
DEBUG(10, ("get challenge: creating negprot_global_auth_context\n"));
- nt_status = make_auth_context_subsystem(
+ nt_status = make_auth4_context(
sconn, &sconn->smb1.negprot.auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("make_auth_context_subsystem returned %s",
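Review bot: The error message on the last line of the hunk still names make_auth_context_subsystem, but the call it reports on is now make_auth4_context(), so a failure here would be logged under a function that is no longer called; change it to `DEBUG(0, ("make_auth4_context returned %s",`. The remainder of the DEBUG statement and of get_challenge() lie outside the hunk.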
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index da306b97bc..b2e1f2421f 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -77,31 +77,33 @@ static int push_signature(uint8 **outbuf)
****************************************************************************/
static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
- struct auth_serversupplied_info **server_info)
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info **session_info)
{
- struct auth_context *auth_context;
+ struct auth4_context *auth_context;
struct auth_usersupplied_info *user_info = NULL;
-
+ uint8_t chal[8];
NTSTATUS nt_status;
- static unsigned char chal[8] = { 0, };
DEBUG(3,("Got anonymous request\n"));
- nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
+ nt_status = make_auth4_context(talloc_tos(), &auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
+ auth_context->get_ntlm_challenge(auth_context,
+ chal);
+
if (!make_user_info_guest(remote_address, &user_info)) {
TALLOC_FREE(auth_context);
return NT_STATUS_NO_MEMORY;
}
- nt_status = auth_context->check_ntlm_password(auth_context,
- user_info,
- server_info);
- TALLOC_FREE(auth_context);
+ nt_status = auth_check_password_session_info(auth_context,
+ mem_ctx, user_info, session_info);
free_user_info(&user_info);
+ TALLOC_FREE(auth_context);
return nt_status;
}
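Review bot: The return value of `auth_context->get_ntlm_challenge(auth_context, chal)` is discarded, so if that callback fails the function carries on into auth_check_password_session_info() with a context that never produced a challenge; the callback appears to return an NTSTATUS like the other auth4_context entry points used in this diff, but please confirm. Note also that `chal` is now an uninitialised stack array rather than the old zero-filled static, and nothing reads it after the call, so on a failed callback it simply holds stack garbage. Check the status and return on the same cleanup path the make_user_info_guest() failure already uses:
```c
	nt_status = auth_context->get_ntlm_challenge(auth_context, chal);
	if (!NT_STATUS_IS_OK(nt_status)) {
		TALLOC_FREE(auth_context);
		return nt_status;
	}
	/* … unchanged: make_user_info_guest(), auth_check_password_session_info(), cleanup … */
```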
@@ -396,7 +398,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
const char *native_lanman;
const char *primary_domain;
struct auth_usersupplied_info *user_info = NULL;
- struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
uint16 smb_flag2 = req->flags2;
@@ -671,10 +672,10 @@ void reply_sesssetup_and_X(struct smb_request *req)
if (!*user) {
- nt_status = check_guest_password(sconn->remote_address, &server_info);
+ nt_status = check_guest_password(sconn->remote_address, req, &session_info);
} else if (doencrypt) {
- struct auth_context *negprot_auth_context = NULL;
+ struct auth4_context *negprot_auth_context = NULL;
negprot_auth_context = sconn->smb1.negprot.auth_context;
if (!negprot_auth_context) {
DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted "
@@ -689,15 +690,13 @@ void reply_sesssetup_and_X(struct smb_request *req)
sconn->remote_address,
lm_resp, nt_resp);
if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = negprot_auth_context->check_ntlm_password(
- negprot_auth_context,
- user_info,
- &server_info);
+ nt_status = auth_check_password_session_info(negprot_auth_context,
+ req, user_info, &session_info);
}
} else {
- struct auth_context *plaintext_auth_context = NULL;
+ struct auth4_context *plaintext_auth_context = NULL;
- nt_status = make_auth_context_subsystem(
+ nt_status = make_auth4_context(
talloc_tos(), &plaintext_auth_context);
if (NT_STATUS_IS_OK(nt_status)) {
@@ -715,38 +714,16 @@ void reply_sesssetup_and_X(struct smb_request *req)
}
if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = plaintext_auth_context->check_ntlm_password(
- plaintext_auth_context,
- user_info,
- &server_info);
-
- TALLOC_FREE(plaintext_auth_context);
+ nt_status = auth_check_password_session_info(plaintext_auth_context,
+ req, user_info, &session_info);
}
+ TALLOC_FREE(plaintext_auth_context);
}
}
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- nt_status = do_map_to_guest_server_info(nt_status, &server_info,
- user, domain);
- }
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- data_blob_free(&nt_resp);
- data_blob_free(&lm_resp);
- data_blob_clear_free(&plaintext_password);
- reply_nterror(req, nt_status_squash(nt_status));
- END_PROFILE(SMBsesssetupX);
- return;
- }
-
- nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
- TALLOC_FREE(server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
data_blob_clear_free(&plaintext_password);