diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-02-10 21:04:01 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-04-04 19:48:58 +1000 |
commit | 77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49 (patch) | |
tree | 6b9598e0bffaa21174076c61fa840bfa47591587 | |
parent | 841d0bc9e81dbe56352ac8b12e63e8257963936e (diff) | |
download | samba-77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49.tar.gz samba-77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49.tar.bz2 samba-77e67163daaa670ee43ddbc4fd3fd3e8c3c38d49.zip |
s3-auth consolidate create_local_token() into make_server_info_krb5()
This ensures that all callers don't need to each add builtin groups
and privileges to the user's token
Andrew Bartlett
-rw-r--r-- | source3/auth/proto.h | 4 | ||||
-rw-r--r-- | source3/auth/user_krb5.c | 12 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_gssapi.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 10 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 20 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 22 |
6 files changed, 19 insertions, 51 deletions
diff --git a/source3/auth/proto.h b/source3/auth/proto.h index 88cc7074ed..3bf325e763 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -264,5 +264,5 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, char *username, struct passwd *pw, struct PAC_LOGON_INFO *logon_info, - bool mapped_to_guest, - struct auth_serversupplied_info **server_info); + bool mapped_to_guest, bool username_was_mapped, + struct auth_serversupplied_info **server_info); diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c index e52149afd7..1d87ccab79 100644 --- a/source3/auth/user_krb5.c +++ b/source3/auth/user_krb5.c @@ -185,7 +185,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, char *username, struct passwd *pw, struct PAC_LOGON_INFO *logon_info, - bool mapped_to_guest, + bool mapped_to_guest, bool username_was_mapped, struct auth_serversupplied_info **server_info) { NTSTATUS status; @@ -259,7 +259,17 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx, (*server_info)->info3->base.domain.string = talloc_strdup((*server_info)->info3, ntdomain); } + } + + (*server_info)->nss_token |= username_was_mapped; + if (!mapped_to_guest) { + status = create_local_token(*server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("failed to create local token: %s\n", + nt_errstr(status))); + return status; + } } return NT_STATUS_OK; diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c index f60f6ce245..a3007e4044 100644 --- a/source3/rpc_server/dcesrv_gssapi.c +++ b/source3/rpc_server/dcesrv_gssapi.c @@ -230,7 +230,7 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx, status = make_server_info_krb5(mem_ctx, ntuser, ntdomain, username, pw, - logon_info, is_guest, server_info); + logon_info, is_guest, is_mapped, server_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", nt_errstr(status))); diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 73a34866b2..27a43f30f7 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -738,16 +738,6 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx, return status; } - if ((*session_info)->security_token == NULL) { - status = create_local_token(*session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to create local user token (%s)\n", - nt_errstr(status))); - status = NT_STATUS_ACCESS_DENIED; - return status; - } - } - /* TODO: this is what the ntlmssp code does with the session_key, check * it is ok with gssapi too */ /* diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index c5d44c6185..57b0b68be7 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -372,6 +372,7 @@ static void reply_spnego_kerberos(struct smb_request *req, ret = make_server_info_krb5(mem_ctx, user, domain, real_username, pw, logon_info, map_domainuser_to_guest, + username_was_mapped, &server_info); if (!NT_STATUS_IS_OK(ret)) { DEBUG(1, ("make_server_info_krb5 failed!\n")); @@ -382,25 +383,6 @@ static void reply_spnego_kerberos(struct smb_request *req, return; } - server_info->nss_token |= username_was_mapped; - - /* we need to build the token for the user. make_server_info_guest() - already does this */ - - if ( !server_info->security_token ) { - ret = create_local_token( server_info ); - if ( !NT_STATUS_IS_OK(ret) ) { - DEBUG(10,("failed to create local token: %s\n", - nt_errstr(ret))); - data_blob_free(&ap_rep); - data_blob_free(&session_key); - TALLOC_FREE( mem_ctx ); - TALLOC_FREE( server_info ); - reply_nterror(req, nt_status_squash(ret)); - return; - } - } - if (!is_partial_auth_vuid(sconn, sess_vuid)) { sess_vuid = register_initial_vuid(sconn); } diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 6649cfb59a..3668ab8851 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -237,29 +237,15 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true); status = make_server_info_krb5(session, - user, domain, real_username, pw, - logon_info, map_domainuser_to_guest, - &session->session_info); + user, domain, real_username, pw, + logon_info, map_domainuser_to_guest, + username_was_mapped, + &session->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("smb2: make_server_info_krb5 failed\n")); goto fail; } - - session->session_info->nss_token |= username_was_mapped; - - /* we need to build the token for the user. make_session_info_guest() - already does this */ - - if (!session->session_info->security_token ) { - status = create_local_token(session->session_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("smb2: failed to create local token: %s\n", - nt_errstr(status))); - goto fail; - } - } - if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || lp_server_signing() == Required) { session->do_signing = true; |