authorStefan Metzmacher <metze@samba.org>2004-12-23 02:23:42 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:07:36 -0500
commitae42636167f82fee7fb38338dec605521162b5c2 (patch)
tree450430977c3e1eefc8104cf3362985eea95363c2
parent61b1620fc495d28fce5e585fe92f23cc9f5eb2af (diff)
r4338: reuse netlogon structs in the krb5 PAC
that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
-rw-r--r--source4/libcli/auth/gensec_krb5.c124
-rw-r--r--source4/librpc/idl/krb5pac.idl68
2 files changed, 24 insertions, 168 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 88e7cdd2e3..9323580e92 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx,
return status;
}
#endif
- DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string));
+ DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string));
*logon_info_out = logon_info;
return status;
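Review bot: The rewritten DEBUG(0, ...) line passes `logon_info->info3.base.account_name.string` and `...full_name.string` straight to `%s` with no NULL check, and passing a NULL pointer to `%s` is undefined behaviour in standard C; the removed session_info code in this same commit tested `account_name.string` for NULL before using it, so the decoder should do the same here, e.g. `logon_info->info3.base.account_name.string ? logon_info->info3.base.account_name.string : "(null)"` for each operand. Level 0 also means the account and full name from every decoded PAC are logged unconditionally on a success path; a higher debug level is more appropriate for routine identity output, leaving level 0 for failures. gensec_krb5_decode_pac begins before this hunk.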
@@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
struct PAC_LOGON_INFO *logon_info;
- struct security_token *ptoken;
- struct dom_sid *sid;
char *p;
char *principal;
const char *username;
@@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
/* IF we have the PAC - otherwise we need to get this
* data from elsewere - local ldb, or (TODO) lookup of some
- * kind... */
+ * kind...
+ *
+ * when heimdal can generate the PAC, we should fail if there's
+ * no PAC present
+ */
if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal);
+ union netr_Validation validation;
+ validation.sam3 = &logon_info->info3;
+ nt_status = make_server_info_netlogon_validation(gensec_krb5_state,
+ username,
+ &server_info,
+ 3,
+ &validation);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
-
- server_info->guest = False;
-
- if (logon_info->account_name.string) {
- server_info->account_name
- = talloc_reference(server_info,
- logon_info->account_name.string);
- } else {
- server_info->account_name = talloc_strdup(server_info, username);
- }
-
- server_info->domain = talloc_reference(server_info,
- logon_info->dom_name.string);
- server_info->realm = talloc_strdup(server_info, realm);
- server_info->full_name = talloc_reference(server_info,
- logon_info->full_name.string);
- server_info->logon_script = talloc_reference(server_info,
- logon_info->logon_script.string);
- server_info->profile_path = talloc_reference(server_info,
- logon_info->profile_path.string);
- server_info->home_directory = talloc_reference(server_info,
- logon_info->home_directory.string);
- server_info->home_drive = talloc_reference(server_info,
- logon_info->home_drive.string);
-
- server_info->logon_count = logon_info->logon_count;
- /* TODO: bad password count */
-
- server_info->acct_flags = logon_info->acct_flags;
-
- if (!server_info->domain || !server_info->account_name || !server_info->realm) {
- free_server_info(&server_info);
- return NT_STATUS_NO_MEMORY;
- }
-
- /* references the server_info into the session_info */
- nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- free_server_info(&server_info);
- return nt_status;
- }
-
- talloc_free(server_info);
-
- ptoken = security_token_initialise(session_info);
- if (ptoken == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- ptoken->num_sids = 0;
- ptoken->sids = talloc_array_p(ptoken, struct dom_sid *,
- logon_info->groups_count + 2);
- if (!ptoken->sids) {
- return NT_STATUS_NO_MEMORY;
- }
-
-
- sid = dom_sid_dup(server_info, logon_info->dom_sid);
- server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid);
- sid = dom_sid_dup(server_info, logon_info->dom_sid);
- server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid);
-
- ptoken->user_sid = server_info->user_sid;
- ptoken->group_sid = server_info->primary_group_sid;
- ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid);
- ptoken->num_sids++;
- ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid);
- ptoken->num_sids++;
-
- for (;ptoken->num_sids < (logon_info->groups_count + 2);
- ptoken->num_sids++) {
- sid = dom_sid_dup(session_info, logon_info->dom_sid);
- ptoken->sids[ptoken->num_sids]
- = dom_sid_add_rid(session_info, sid,
- logon_info->groups[ptoken->num_sids - 2].rid);
- }
-
- /* setup any privileges for this token */
- nt_status = samdb_privilege_setup(ptoken);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(ptoken);
- return nt_status;
- }
-
- debug_security_token(DBGC_AUTH, 0, ptoken);
-
- session_info->security_token = ptoken;
} else {
- TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm);
- if (!mem_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return nt_status;
- }
-
- /* references the server_info into the session_info */
- nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
return nt_status;
}
+ }
- talloc_free(mem_ctx);
+ /* references the server_info into the session_info */
+ nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
+ talloc_free(server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
talloc_free(principal);
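Review bot: The `if (NT_STATUS_IS_OK(nt_status))` test still sends every non-OK status into the PAC-less `else` branch, so a PAC that is present but fails to decode or verify is treated the same as a missing PAC and the session is built from the local SAM instead of being rejected; the new comment only covers the "no PAC present" case. If the status set by the PAC decoder (outside this hunk) distinguishes absence from a decode or checksum failure, only the absence case should reach `sam_get_server_info`, and the other cases should `return nt_status;` so that a malformed PAC fails closed. The literal `3` passed to `make_server_info_netlogon_validation` is the netr_Validation level and deserves a comment or a named constant, e.g. `3, /* validation level: netr_Validation.sam3 */`. The unconditional `talloc_free(server_info)` after `make_session_info` is fine only if that helper always takes its own reference on success; a one-line comment stating that assumption would help the next reader. gensec_krb5_session_info starts before and continues after this hunk.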
diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl
index 6efd8526b2..c424f09b78 100644
--- a/source4/librpc/idl/krb5pac.idl
+++ b/source4/librpc/idl/krb5pac.idl
@@ -8,14 +8,14 @@
uuid("46746756-7567-7567-5677-756756756756"),
version(0.0),
pointer_default(unique),
- depends(security)
+ depends(security,netlogon)
]
interface krb5pac
{
typedef struct {
NTTIME logon_time;
[flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name;
- } UNKNOWN_TYPE_10;
+ } PAC_UNKNOWN_10;
typedef [flag(NDR_PAHEX)] struct {
uint32 type;
@@ -23,69 +23,11 @@ interface krb5pac
} PAC_SIGNATURE_DATA;
typedef struct {
- uint32 rid;
- uint32 attrs;
- } GROUP_MEMBERSHIP;
-
- typedef struct {
- dom_sid2 *sid;
- uint32 attrs;
- } EXTRA_SIDS;
-
- typedef struct {
- [value(strlen_m(r->string)*2)] uint16 size;
- [value(r->size)] uint16 length;
- unistr_noterm *string;
- } pac_String;
-
- /* This is awfully similar to a samr_user_info_23, but not identical.
- Many of the field names have been swiped from there, because it is
- so similar that they are likely the same, but many have been verified.
- Some are in a different order, though... */
- typedef struct {
uint32 unknown[5];
- NTTIME logon_time; /* logon time */
- NTTIME logoff_time; /* logoff time */
- NTTIME kickoff_time; /* kickoff time */
- NTTIME pass_last_set_time; /* password last set time */
- NTTIME pass_can_change_time; /* password can change time */
- NTTIME pass_must_change_time; /* password must change time */
-
- pac_String account_name;
- pac_String full_name;
- pac_String logon_script;
- pac_String profile_path;
- pac_String home_directory;
- pac_String home_drive;
-
- uint16 logon_count; /* number of times user has logged onto domain */
- uint16 reserved12;
-
- uint32 user_rid;
- uint32 group_rid;
-
- uint32 groups_count;
- [size_is(groups_count)] GROUP_MEMBERSHIP *groups;
-
- uint32 user_flags;
-
- uint32 reserved13[4];
- pac_String dom_controller;
- pac_String dom_name;
-
- dom_sid2 *dom_sid;
-
- uint32 reserved16[2];
- uint32 acct_flags; /* looks like it may be acb_info */
- uint32 reserved18[7];
-
- uint32 extra_sids_count;
- [size_is(extra_sids_count)] EXTRA_SIDS *extra_sids;
-
+ netr_SamInfo3 info3;
dom_sid2 *res_group_dom_sid;
-
uint32 res_groups_count;
- [size_is(res_groups_count)] GROUP_MEMBERSHIP *res_groups;
+ [size_is(res_groups_count)] netr_GroupMembership *res_groups;
} PAC_LOGON_INFO;
const uint8 PAC_TYPE_LOGON_INFO = 1;
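Review bot: The new PAC_LOGON_INFO body drops the descriptive comment block that was removed with the old fields and leaves `uint32 unknown[5];`, `netr_SamInfo3 info3;` and the `res_group_*` fields undocumented, so a reader no longer learns how this structure relates to the netlogon validation data. Suggested comments: above `info3`, `/* the logon data is the same wire layout as a netlogon SamInfo3 validation */`, and above `res_group_dom_sid`, `/* resource-group SIDs are carried here, separately from the SIDs inside info3 */`. The `unknown[5]` prefix is also worth a note stating that its meaning is still unknown and that it is not part of info3, since the reuse of netr_SamInfo3 makes it look like stray padding. The interface definition continues outside this hunk.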
@@ -97,7 +39,7 @@ interface krb5pac
[case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO logon_info;
[case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum;
[case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum;
- [case(PAC_TYPE_UNKNOWN_10)] UNKNOWN_TYPE_10 type_10;
+ [case(PAC_TYPE_UNKNOWN_10)] PAC_UNKNOWN_10 type_10;
} PAC_INFO;
typedef struct {