diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-12-29 11:46:41 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-12-29 14:01:55 +1100 |
commit | fe693e9148cdd9faf3525289a97373a5989e5416 (patch) | |
tree | d3dbfab3b4c6bf0870ea323c5b9146d61ff2ac8a | |
parent | 502140a6ff1bae3a81f79c7753da8ca69b440d1c (diff) | |
download | samba-fe693e9148cdd9faf3525289a97373a5989e5416.tar.gz samba-fe693e9148cdd9faf3525289a97373a5989e5416.tar.bz2 samba-fe693e9148cdd9faf3525289a97373a5989e5416.zip |
s4-torture: Demonstrate handling of the PAC in a custom auth_context
This demonstrates how a different function pointer can be supplied
to handle the PAC blob, without depending on the provisioned samdb etc.
Andrew Bartlett
-rw-r--r-- | source4/auth/gensec/gensec_util.c | 62 | ||||
-rw-r--r-- | source4/auth/gensec/wscript_build | 2 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 83 |
3 files changed, 85 insertions, 62 deletions
diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c index fa28c6528c..2b890239b0 100644 --- a/source4/auth/gensec/gensec_util.c +++ b/source4/auth/gensec/gensec_util.c @@ -26,9 +26,6 @@ #include "auth/auth.h" #include "auth/credentials/credentials.h" #include "auth/system_session_proto.h" -#include "system/kerberos.h" -#include "auth/kerberos/kerberos.h" -#include "auth/kerberos/kerberos_util.h" NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, @@ -71,12 +68,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, const struct tsocket_address *remote_address, struct auth_session_info **session_info) { - NTSTATUS nt_status; uint32_t session_info_flags = 0; - TALLOC_CTX *mem_ctx; - struct auth_user_info_dc *user_info_dc; - struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; - struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; @@ -94,7 +86,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, principal_string)); } - if (gensec_security->auth_context) { + if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) { return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, mem_ctx_out, smb_krb5_context, @@ -103,54 +95,8 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, remote_address, session_info_flags, session_info); - } else if (!pac_blob) { - DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n")); - return NT_STATUS_NO_SUCH_USER; - } - - mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); - NT_STATUS_HAVE_NO_MEMORY(mem_ctx); - - pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_srv_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_kdc_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, - *pac_blob, - smb_krb5_context->krb5_context, - &user_info_dc, - pac_srv_sig, - pac_kdc_sig); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; - nt_status = auth_generate_session_info(mem_ctx_out, - NULL, - NULL, - user_info_dc, session_info_flags, - session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - if ((*session_info)->torture) { - (*session_info)->torture->pac_srv_sig - = talloc_steal((*session_info)->torture, pac_srv_sig); - (*session_info)->torture->pac_kdc_sig - = talloc_steal((*session_info)->torture, pac_kdc_sig); + } else { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; } - - talloc_free(mem_ctx); - return nt_status; } diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build index a4c5685f2e..9919cffeea 100644 --- a/source4/auth/gensec/wscript_build +++ b/source4/auth/gensec/wscript_build @@ -2,7 +2,7 @@ bld.SAMBA_SUBSYSTEM('gensec_util', source='socket.c gensec_tstream.c gensec_util.c', - deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL', + deps='tevent-util tevent samba-util LIBTSOCKET', autoproto='gensec_proto.h') bld.SAMBA_MODULE('gensec_krb5', diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 22fcd73cb4..aca518799d 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -42,6 +42,71 @@ #define TEST_MACHINE_NAME_S2U4SELF_BDC "tests2u4selfbdc" #define TEST_MACHINE_NAME_S2U4SELF_WKSTA "tests2u4selfwk" +/* A helper function which avoids touching the local databases to + * generate the session info, as we just want to verify the PAC + * details, not the full local token */ +static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx_out, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + struct auth_user_info_dc *user_info_dc; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + TALLOC_CTX *mem_ctx; + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx_out, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if ((*session_info)->torture) { + (*session_info)->torture->pac_srv_sig + = talloc_steal((*session_info)->torture, pac_srv_sig); + (*session_info)->torture->pac_kdc_sig + = talloc_steal((*session_info)->torture, pac_kdc_sig); + } + + talloc_free(mem_ctx); + return nt_status; +} + /* Check to see if we can pass the PAC across to the NETLOGON server for validation */ /* Also happens to be a really good one-step verfication of our Kerberos stack */ @@ -73,6 +138,7 @@ static bool test_PACVerify(struct torture_context *tctx, enum ndr_err_code ndr_err; + struct auth4_context *auth_context; struct auth_session_info *session_info; struct dcerpc_binding_handle *b = p->binding_handle; @@ -85,6 +151,11 @@ static bool test_PACVerify(struct torture_context *tctx, return false; } + auth_context = talloc_zero(tmp_ctx, struct auth4_context); + torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); + + auth_context->generate_session_info_pac = test_generate_session_info_pac; + status = gensec_client_start(tctx, &gensec_client_context, lpcfg_gensec_settings(tctx, tctx->lp_ctx)); torture_assert_ntstatus_ok(tctx, status, "gensec_client_start (client) failed"); @@ -99,7 +170,7 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); @@ -407,6 +478,7 @@ static bool test_S2U4Self(struct torture_context *tctx, struct gensec_security *gensec_client_context; struct gensec_security *gensec_server_context; + struct auth4_context *auth_context; struct auth_session_info *kinit_session_info; struct auth_session_info *s2u4self_session_info; struct auth_user_info_dc *netlogon_user_info_dc; @@ -422,6 +494,11 @@ static bool test_S2U4Self(struct torture_context *tctx, torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); + auth_context = talloc_zero(tmp_ctx, struct auth4_context); + torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); + + auth_context->generate_session_info_pac = test_generate_session_info_pac; + /* First, do a normal Kerberos connection */ status = gensec_client_start(tctx, &gensec_client_context, @@ -438,7 +515,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); @@ -495,7 +572,7 @@ static bool test_S2U4Self(struct torture_context *tctx, status = gensec_server_start(tctx, lpcfg_gensec_settings(tctx, tctx->lp_ctx), - NULL, &gensec_server_context); + auth_context, &gensec_server_context); torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); status = gensec_set_credentials(gensec_server_context, credentials); |