diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-02-08 16:53:13 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-02-09 01:11:06 +0100 |
commit | a2ce53c1f5301ffcf990dbab837c328ea22739b6 (patch) | |
tree | 52dde7c4bb16c0d885b8691a4c5c87f8213b0599 | |
parent | f1c0e9532d8e3fb0d8942e4d4e1a122429266b16 (diff) | |
download | samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.gz samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.bz2 samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.zip |
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
35 files changed, 840 insertions, 787 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 0699ddb11d..10818dc79b 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -49,41 +49,6 @@ struct loadparm_context; #define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */ -struct auth_serversupplied_info -{ - size_t num_sids; - struct dom_sid *sids; - - DATA_BLOB user_session_key; - DATA_BLOB lm_session_key; - - const char *account_name; - const char *domain_name; - - const char *full_name; - const char *logon_script; - const char *profile_path; - const char *home_directory; - const char *home_drive; - const char *logon_server; - - NTTIME last_logon; - NTTIME last_logoff; - NTTIME acct_expiry; - NTTIME last_password_change; - NTTIME allow_password_change; - NTTIME force_password_change; - - uint16_t logon_count; - uint16_t bad_password_count; - - uint32_t acct_flags; - - bool authenticated; - - struct PAC_SIGNATURE_DATA pac_srv_sig, pac_kdc_sig; -}; - struct auth_method_context; struct auth_check_password_request; struct auth_context; @@ -109,14 +74,14 @@ struct auth_operations { NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info); - - /* Lookup a 'server info' return based only on the principal */ - NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - const char *principal, - struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info); + struct auth_user_info_dc **interim_info); + + /* Lookup a 'session info interim' return based only on the principal or DN */ + NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, + struct auth_context *auth_context, + const char *principal, + struct ldb_dn *user_dn, + struct auth_user_info_dc **interim_info); }; struct auth_method_context { @@ -155,7 +120,7 @@ struct auth_context { NTSTATUS (*check_password)(struct auth_context *auth_ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info); + struct auth_user_info_dc **user_info_dc); NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, uint8_t chal[8]); @@ -163,15 +128,15 @@ struct auth_context { NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); - NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx, - struct auth_context *auth_ctx, - const char *principal, - struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info); + NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, + struct auth_context *auth_ctx, + const char *principal, + struct ldb_dn *user_dn, + struct auth_user_info_dc **user_info_dc); NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **session_info); }; @@ -183,7 +148,7 @@ struct auth_critical_sizes { int sizeof_auth_methods; int sizeof_auth_context; int sizeof_auth_usersupplied_info; - int sizeof_auth_serversupplied_info; + int sizeof_auth_user_info_dc; }; NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, @@ -213,13 +178,13 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx, TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids, unsigned int *num_res_sids); struct auth_session_info *system_session(struct loadparm_context *lp_ctx); -NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, +NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, const char *domain_name, struct ldb_dn *domain_dn, struct ldb_message *msg, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, - struct auth_serversupplied_info **_server_info); + struct auth_user_info_dc **_user_info_dc); NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) ; @@ -243,7 +208,7 @@ NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *l NTSTATUS auth_check_password(struct auth_context *auth_ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info); + struct auth_user_info_dc **user_info_dc); NTSTATUS auth_init(void); NTSTATUS auth_register(const struct auth_operations *ops); NTSTATUS server_service_auth_init(void); @@ -263,16 +228,16 @@ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info); NTSTATUS auth_check_password_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info **server_info); + struct auth_user_info_dc **user_info_dc); bool auth_challenge_may_be_modified(struct auth_context *auth_ctx); NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by); -NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, +NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx, struct auth_context *auth_ctx, const char *principal, struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info); + struct auth_user_info_dc **user_info_dc); NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx, struct tevent_context *event_ctx, diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c index bb2b6eb534..11f88701e2 100644 --- a/source4/auth/auth_sam_reply.c +++ b/source4/auth/auth_sam_reply.c @@ -25,16 +25,17 @@ #include "libcli/security/security.h" #include "auth/auth_sam_reply.h" -NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, +NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, + struct auth_user_info_dc *user_info_dc, struct netr_SamBaseInfo **_sam) { NTSTATUS status; + struct auth_user_info *info; struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo); NT_STATUS_HAVE_NO_MEMORY(sam); - if (server_info->num_sids > PRIMARY_USER_SID_INDEX) { - status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX], + if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) { + status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX], &sam->domain_sid, &sam->rid); if (!NT_STATUS_IS_OK(status)) { return status; @@ -43,8 +44,8 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) { - status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX], + if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) { + status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], NULL, &sam->primary_gid); if (!NT_STATUS_IS_OK(status)) { return status; @@ -56,35 +57,37 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, sam->primary_gid = sam->rid; } - sam->last_logon = server_info->last_logon; - sam->last_logoff = server_info->last_logoff; - sam->acct_expiry = server_info->acct_expiry; - sam->last_password_change = server_info->last_password_change; - sam->allow_password_change = server_info->allow_password_change; - sam->force_password_change = server_info->force_password_change; - - sam->account_name.string = server_info->account_name; - sam->full_name.string = server_info->full_name; - sam->logon_script.string = server_info->logon_script; - sam->profile_path.string = server_info->profile_path; - sam->home_directory.string = server_info->home_directory; - sam->home_drive.string = server_info->home_drive; - - sam->logon_count = server_info->logon_count; + info = user_info_dc->info; + + sam->last_logon = info->last_logon; + sam->last_logoff = info->last_logoff; + sam->acct_expiry = info->acct_expiry; + sam->last_password_change = info->last_password_change; + sam->allow_password_change = info->allow_password_change; + sam->force_password_change = info->force_password_change; + + sam->account_name.string = info->account_name; + sam->full_name.string = info->full_name; + sam->logon_script.string = info->logon_script; + sam->profile_path.string = info->profile_path; + sam->home_directory.string = info->home_directory; + sam->home_drive.string = info->home_drive; + + sam->logon_count = info->logon_count; sam->bad_password_count = sam->bad_password_count; sam->groups.count = 0; sam->groups.rids = NULL; - if (server_info->num_sids > 2) { + if (user_info_dc->num_sids > 2) { size_t i; sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute, - server_info->num_sids); + user_info_dc->num_sids); if (sam->groups.rids == NULL) return NT_STATUS_NO_MEMORY; - for (i=2; i<server_info->num_sids; i++) { - struct dom_sid *group_sid = &server_info->sids[i]; + for (i=2; i<user_info_dc->num_sids; i++) { + struct dom_sid *group_sid = &user_info_dc->sids[i]; if (!dom_sid_in_domain(sam->domain_sid, group_sid)) { /* We handle this elsewhere */ continue; @@ -99,20 +102,20 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, } sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */ - sam->acct_flags = server_info->acct_flags; - sam->logon_server.string = server_info->logon_server; - sam->domain.string = server_info->domain_name; + sam->acct_flags = user_info_dc->info->acct_flags; + sam->logon_server.string = user_info_dc->info->logon_server; + sam->domain.string = user_info_dc->info->domain_name; ZERO_STRUCT(sam->unknown); ZERO_STRUCT(sam->key); - if (server_info->user_session_key.length == sizeof(sam->key.key)) { - memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); + if (user_info_dc->user_session_key.length == sizeof(sam->key.key)) { + memcpy(sam->key.key, user_info_dc->user_session_key.data, sizeof(sam->key.key)); } ZERO_STRUCT(sam->LMSessKey); - if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { - memcpy(sam->LMSessKey.key, server_info->lm_session_key.data, + if (user_info_dc->lm_session_key.length == sizeof(sam->LMSessKey.key)) { + memcpy(sam->LMSessKey.key, user_info_dc->lm_session_key.data, sizeof(sam->LMSessKey.key)); } @@ -122,9 +125,9 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, } /* Note that the validity of the _sam3 structure is only as long as - * the server_info it was generated from */ -NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, + * the user_info_dc it was generated from */ +NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx, + struct auth_user_info_dc *user_info_dc, struct netr_SamInfo3 **_sam3) { struct netr_SamBaseInfo *sam; @@ -133,7 +136,7 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, size_t i; NT_STATUS_HAVE_NO_MEMORY(sam3); - status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam); + status = auth_convert_user_info_dc_sambaseinfo(sam3, user_info_dc, &sam); if (!NT_STATUS_IS_OK(status)) { talloc_free(sam3); return status; @@ -144,15 +147,15 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam3->sids = talloc_array(sam, struct netr_SidAttr, - server_info->num_sids); + user_info_dc->num_sids); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3); /* We don't put the user and group SIDs in there */ - for (i=2; i<server_info->num_sids; i++) { - if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) { + for (i=2; i<user_info_dc->num_sids; i++) { + if (dom_sid_in_domain(sam->domain_sid, &user_info_dc->sids[i])) { continue; } - sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]); + sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &user_info_dc->sids[i]); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3); sam3->sids[sam3->sidcount].attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; @@ -169,15 +172,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, } /** - * Make a server_info struct from the info3 returned by a domain logon + * Make a user_info_dc struct from the info3 returned by a domain logon */ -NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, +NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, const char *account_name, uint16_t validation_level, union netr_Validation *validation, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; struct netr_SamBaseInfo *base = NULL; uint32_t i; @@ -204,8 +208,8 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_LEVEL; } - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* Here is where we should check the list of @@ -223,27 +227,27 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - server_info->num_sids = 2; + user_info_dc->num_sids = 2; - server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids + base->groups.count); - NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); - server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid; - if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) { + user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) { return NT_STATUS_INVALID_PARAMETER; } - server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid; - if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) { + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) { return NT_STATUS_INVALID_PARAMETER; } for (i = 0; i < base->groups.count; i++) { - server_info->sids[server_info->num_sids] = *base->domain_sid; - if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) { + user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) { return NT_STATUS_INVALID_PARAMETER; } - server_info->num_sids++; + user_info_dc->num_sids++; } /* Copy 'other' sids. We need to do sid filtering here to @@ -253,7 +257,7 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, */ if (validation_level == 3) { - struct dom_sid *dgrps = server_info->sids; + struct dom_sid *dgrps = user_info_dc->sids; size_t sidcount; /* The IDL layer would be a better place to check this, but to @@ -262,88 +266,88 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - sidcount = server_info->num_sids + validation->sam3->sidcount; + sidcount = user_info_dc->num_sids + validation->sam3->sidcount; if (validation->sam3->sidcount > 0) { - dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount); + dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid, sidcount); NT_STATUS_HAVE_NO_MEMORY(dgrps); for (i = 0; i < validation->sam3->sidcount; i++) { if (validation->sam3->sids[i].sid) { - dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid; - server_info->num_sids++; + dgrps[user_info_dc->num_sids] = *validation->sam3->sids[i].sid; + user_info_dc->num_sids++; } } } - server_info->sids = dgrps; + user_info_dc->sids = dgrps; /* Where are the 'global' sids?... */ } + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); + if (base->account_name.string) { - server_info->account_name = talloc_reference(server_info, base->account_name.string); + info->account_name = talloc_reference(info, base->account_name.string); } else { - server_info->account_name = talloc_strdup(server_info, account_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + info->account_name = talloc_strdup(info, account_name); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); } - server_info->domain_name = talloc_reference(server_info, base->domain.string); - server_info->full_name = talloc_reference(server_info, base->full_name.string); - server_info->logon_script = talloc_reference(server_info, base->logon_script.string); - server_info->profile_path = talloc_reference(server_info, base->profile_path.string); - server_info->home_directory = talloc_reference(server_info, base->home_directory.string); - server_info->home_drive = talloc_reference(server_info, base->home_drive.string); - server_info->logon_server = talloc_reference(server_info, base->logon_server.string); - server_info->last_logon = base->last_logon; - server_info->last_logoff = base->last_logoff; - server_info->acct_expiry = base->acct_expiry; - server_info->last_password_change = base->last_password_change; - server_info->allow_password_change = base->allow_password_change; - server_info->force_password_change = base->force_password_change; - server_info->logon_count = base->logon_count; - server_info->bad_password_count = base->bad_password_count; - server_info->acct_flags = base->acct_flags; - - server_info->authenticated = true; + info->domain_name = talloc_reference(info, base->domain.string); + info->full_name = talloc_reference(info, base->full_name.string); + info->logon_script = talloc_reference(info, base->logon_script.string); + info->profile_path = talloc_reference(info, base->profile_path.string); + info->home_directory = talloc_reference(info, base->home_directory.string); + info->home_drive = talloc_reference(info, base->home_drive.string); + info->logon_server = talloc_reference(info, base->logon_server.string); + info->last_logon = base->last_logon; + info->last_logoff = base->last_logoff; + info->acct_expiry = base->acct_expiry; + info->last_password_change = base->last_password_change; + info->allow_password_change = base->allow_password_change; + info->force_password_change = base->force_password_change; + info->logon_count = base->logon_count; + info->bad_password_count = base->bad_password_count; + info->acct_flags = base->acct_flags; + + info->authenticated = true; /* ensure we are never given NULL session keys */ if (all_zero(base->key.key, sizeof(base->key.key))) { - server_info->user_session_key = data_blob(NULL, 0); + user_info_dc->user_session_key = data_blob(NULL, 0); } else { - server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key)); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key)); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); } if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { - server_info->lm_session_key = data_blob(NULL, 0); + user_info_dc->lm_session_key = data_blob(NULL, 0); } else { - server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key)); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key)); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); } - ZERO_STRUCT(server_info->pac_srv_sig); - ZERO_STRUCT(server_info->pac_kdc_sig); - - *_server_info = server_info; + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } /** - * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon + * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon */ -NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx, +NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, struct PAC_LOGON_INFO *pac_logon_info, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { uint32_t i; NTSTATUS nt_status; union netr_Validation validation; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; validation.sam3 = &pac_logon_info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info); + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } @@ -353,7 +357,7 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx, /* The IDL layer would be a better place to check this, but to * guard the integer addition below, we double-check */ if (pac_logon_info->res_groups.count > 65535) { - talloc_free(server_info); + talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } @@ -367,20 +371,20 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - sidcount = server_info->num_sids + pac_logon_info->res_groups.count; - server_info->sids - = talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); + sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count; + user_info_dc->sids + = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) { - server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid; - if (!sid_append_rid(&server_info->sids[server_info->num_sids], + user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid; + if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], pac_logon_info->res_groups.rids[i].rid)) { return NT_STATUS_INVALID_PARAMETER; } - server_info->num_sids++; + user_info_dc->num_sids++; } } - *_server_info = server_info; + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index c732c6e8de..b9385debc3 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -1315,17 +1315,17 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security) NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, struct auth_session_info **session_info) { NTSTATUS nt_status; uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->authenticated) { + if (user_info_dc->info->authenticated) { flags |= AUTH_SESSION_INFO_AUTHENTICATED; } if (gensec_security->auth_context) { nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, - server_info, + user_info_dc, flags, session_info); } else { @@ -1333,7 +1333,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, - server_info, flags, + user_info_dc, flags, session_info); } return nt_status; diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h index 62d8a45491..ad581e2fa5 100644 --- a/source4/auth/gensec/gensec.h +++ b/source4/auth/gensec/gensec.h @@ -180,7 +180,7 @@ struct gensec_critical_sizes { struct gensec_security; struct socket_context; struct auth_context; -struct auth_serversupplied_info; +struct auth_user_info_dc; NTSTATUS gensec_socket_init(struct gensec_security *gensec_security, TALLOC_CTX *mem_ctx, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 132ea7d8ae..ed0597ca98 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1257,11 +1257,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi TALLOC_CTX *mem_ctx; struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; OM_uint32 maj_stat, min_stat; gss_buffer_desc pac; DATA_BLOB pac_blob; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length) || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, @@ -1292,10 +1294,23 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi * kind... */ if (pac_blob.length) { - nt_status = kerberos_pac_blob_to_server_info(mem_ctx, - pac_blob, - gensec_gssapi_state->smb_krb5_context->krb5_context, - &server_info); + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + pac_blob, + gensec_gssapi_state->smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1330,11 +1345,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, + nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, gensec_security->auth_context, principal_string, NULL, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); @@ -1348,9 +1363,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi } } - /* references the server_info into the session_info */ + /* references the user_info_dc into the session_info */ nt_status = gensec_generate_session_info(mem_ctx, gensec_security, - server_info, &session_info); + user_info_dc, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1362,6 +1377,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return nt_status; } + /* Allow torture tests to check the PAC signatures */ + if (session_info->torture) { + session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig); + session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig); + } + if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) { DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n")); } else { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index fc96e3851c..4f452a07ee 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -603,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; @@ -663,10 +663,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s", principal_string, smb_get_krb5_error_message(context, ret, mem_ctx))); - nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, + nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, gensec_security->auth_context, principal_string, - NULL, &server_info); + NULL, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); krb5_free_principal(context, client_principal); @@ -709,10 +709,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } validation.sam3 = &logon_info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, NULL, 3, &validation, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); krb5_free_principal(context, client_principal); @@ -724,8 +724,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security free(principal_string); krb5_free_principal(context, client_principal); - /* references the server_info into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, server_info, &session_info); + /* references the user_info_dc into the session_info */ + nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 94de096543..501a4653d7 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -23,7 +23,7 @@ #include "auth/kerberos/krb5_init_context.h" #include "librpc/gen_ndr/krb5pac.h" -struct auth_serversupplied_info; +struct auth_user_info_dc; struct cli_credentials; struct ccache_container { @@ -134,7 +134,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, const krb5_keyblock *service_keyblock, DATA_BLOB *pac); krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, krb5_context context, const krb5_keyblock *krbtgt_keyblock, const krb5_keyblock *service_keyblock, diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 23b875056b..9620a80d02 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -524,7 +524,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, krb5_context context, const krb5_keyblock *krbtgt_keyblock, const krb5_keyblock *service_keyblock, @@ -612,7 +612,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, talloc_free(pac_data); return ENOMEM; } - nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3); + nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status))); talloc_free(pac_data); @@ -645,10 +645,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, return ret; } -krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, - krb5_pac pac, - krb5_context context, - struct auth_serversupplied_info **server_info) +krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, + krb5_pac pac, + krb5_context context, + struct auth_user_info_dc **user_info_dc, + struct PAC_SIGNATURE_DATA *pac_srv_sig, + struct PAC_SIGNATURE_DATA *pac_kdc_sig) { NTSTATUS nt_status; enum ndr_err_code ndr_err; @@ -658,7 +660,7 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in; union PAC_INFO info; - struct auth_serversupplied_info *server_info_out; + struct auth_user_info_dc *user_info_dc_out; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -686,62 +688,67 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, } /* Pull this right into the normal auth sysstem structures */ - nt_status = make_server_info_pac(mem_ctx, + nt_status = make_user_info_dc_pac(mem_ctx, info.logon_info.info, - &server_info_out); + &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return EINVAL; } - ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in); - if (ret != 0) { - talloc_free(tmp_ctx); - return ret; - } - - pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length); - - ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out, - &server_info_out->pac_srv_sig, - (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); - krb5_data_free(&k5pac_srv_checksum_in); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DEBUG(0,("can't parse the KDC signature: %s\n", - nt_errstr(nt_status))); - return EINVAL; - } + if (pac_srv_sig) { + ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in); + if (ret != 0) { + talloc_free(tmp_ctx); + return ret; + } - ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in); - if (ret != 0) { - talloc_free(tmp_ctx); - return ret; + pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length); + + ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig, + pac_srv_sig, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + krb5_data_free(&k5pac_srv_checksum_in); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(nt_status))); + return EINVAL; + } } - pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length); + if (pac_kdc_sig) { + ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in); + if (ret != 0) { + talloc_free(tmp_ctx); + return ret; + } - ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out, - &server_info_out->pac_kdc_sig, - (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); - krb5_data_free(&k5pac_kdc_checksum_in); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DEBUG(0,("can't parse the KDC signature: %s\n", - nt_errstr(nt_status))); - return EINVAL; + pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length); + + ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig, + pac_kdc_sig, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + krb5_data_free(&k5pac_kdc_checksum_in); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(nt_status))); + return EINVAL; + } } - - *server_info = server_info_out; + *user_info_dc = user_info_dc_out; return 0; } -NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx, - DATA_BLOB pac_blob, - krb5_context context, - struct auth_serversupplied_info **server_info) +NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_blob, + krb5_context context, + struct auth_user_info_dc **user_info_dc, + struct PAC_SIGNATURE_DATA *pac_srv_sig, + struct PAC_SIGNATURE_DATA *pac_kdc_sig) { krb5_error_code ret; krb5_pac pac; @@ -753,7 +760,7 @@ NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx, } - ret = kerberos_pac_to_server_info(mem_ctx, pac, context, server_info); + ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig); krb5_pac_free(context, pac); if (ret) { return map_nt_error_from_unix(ret); diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 1a98fb414f..1558cfdebe 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -103,21 +103,21 @@ PAC isn't available, and for tokenGroups in the DSDB stack. Supply either a principal or a DN ****************************************************************************/ -_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx, struct auth_context *auth_ctx, const char *principal, struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { NTSTATUS nt_status; struct auth_method_context *method; for (method = auth_ctx->methods; method; method = method->next) { - if (!method->ops->get_server_info_principal) { + if (!method->ops->get_user_info_dc_principal) { continue; } - nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info); + nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc); if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { continue; } @@ -133,9 +133,9 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, * (sync version) * * Check a user's password, as given in the user_info struct and return various - * interesting details in the server_info struct. + * interesting details in the user_info_dc struct. * - * The return value takes precedence over the contents of the server_info + * The return value takes precedence over the contents of the user_info_dc * struct. When the return is other than NT_STATUS_OK the contents * of that structure is undefined. * @@ -146,9 +146,9 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, * * @param user_info Contains the user supplied components, including the passwords. * - * @param mem_ctx The parent memory context for the server_info structure + * @param mem_ctx The parent memory context for the user_info_dc structure * - * @param server_info If successful, contains information about the authentication, + * @param user_info_dc If successful, contains information about the authentication, * including a SAM_ACCOUNT struct describing the user. * * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. @@ -158,7 +158,7 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { struct tevent_req *subreq; struct tevent_context *ev; @@ -181,7 +181,7 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx, return NT_STATUS_INTERNAL_ERROR; } - status = auth_check_password_recv(subreq, mem_ctx, server_info); + status = auth_check_password_recv(subreq, mem_ctx, user_info_dc); TALLOC_FREE(subreq); return status; @@ -190,7 +190,7 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx, struct auth_check_password_state { struct auth_context *auth_ctx; const struct auth_usersupplied_info *user_info; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; struct auth_method_context *method; }; @@ -202,9 +202,9 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, * async send hook * * Check a user's password, as given in the user_info struct and return various - * interesting details in the server_info struct. + * interesting details in the user_info_dc struct. * - * The return value takes precedence over the contents of the server_info + * The return value takes precedence over the contents of the user_info_dc * struct. When the return is other than NT_STATUS_OK the contents * of that structure is undefined. * @@ -334,7 +334,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, status = method->ops->check_password(method, state, state->user_info, - &state->server_info); + &state->user_info_dc); if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) { /* the backend has handled the request */ break; @@ -358,16 +358,16 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, * Check a user's Plaintext, LM or NTLM password. * async receive function * - * The return value takes precedence over the contents of the server_info + * The return value takes precedence over the contents of the user_info_dc * struct. When the return is other than NT_STATUS_OK the contents * of that structure is undefined. * * * @param req The async request state * - * @param mem_ctx The parent memory context for the server_info structure + * @param mem_ctx The parent memory context for the user_info_dc structure * - * @param server_info If successful, contains information about the authentication, + * @param user_info_dc If successful, contains information about the authentication, * including a SAM_ACCOUNT struct describing the user. * * @return An NTSTATUS with NT_STATUS_OK or an appropriate error. @@ -376,7 +376,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev, _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { struct auth_check_password_state *state = tevent_req_data(req, struct auth_check_password_state); @@ -397,10 +397,10 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, DEBUG(5,("auth_check_password_recv: " "%s authentication for user [%s\\%s] succeeded\n", state->method->ops->name, - state->server_info->domain_name, - state->server_info->account_name)); + state->user_info_dc->info->domain_name, + state->user_info_dc->info->account_name)); - *server_info = talloc_move(mem_ctx, &state->server_info); + *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc); tevent_req_received(req); return NT_STATUS_OK; @@ -410,12 +410,12 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, * know that session_info is generated from the main ldb */ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **session_info) { return auth_generate_session_info(mem_ctx, auth_context->lp_ctx, - auth_context->sam_ctx, server_info, + auth_context->sam_ctx, user_info_dc, session_info_flags, session_info); } @@ -477,7 +477,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** ctx->get_challenge = auth_get_challenge; ctx->set_challenge = auth_context_set_challenge; ctx->challenge_may_be_modified = auth_challenge_may_be_modified; - ctx->get_server_info_principal = auth_get_server_info_principal; + ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal; ctx->generate_session_info = auth_generate_session_info_wrapper; *auth_ctx = ctx; @@ -625,7 +625,7 @@ const struct auth_critical_sizes *auth_interface_version(void) sizeof(struct auth_method_context), sizeof(struct auth_context), sizeof(struct auth_usersupplied_info), - sizeof(struct auth_serversupplied_info) + sizeof(struct auth_user_info_dc) }; return &critical_sizes; diff --git a/source4/auth/ntlm/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c index d5f1df2891..7535777b60 100644 --- a/source4/auth/ntlm/auth_anonymous.c +++ b/source4/auth/ntlm/auth_anonymous.c @@ -52,9 +52,9 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx, static NTSTATUS anonymous_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { - return auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _server_info); + return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc); } static const struct auth_operations anonymous_auth_ops = { diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c index 6384d98986..255f97fd23 100644 --- a/source4/auth/ntlm/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -47,10 +47,11 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx, static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; uint32_t error_num; const char *user; @@ -65,62 +66,65 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, } NT_STATUS_NOT_OK_RETURN(nt_status); - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ - server_info->num_sids = 1; - server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + user_info_dc->num_sids = 1; + user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ - server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); - server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); - data_blob_clear(&server_info->user_session_key); - data_blob_clear(&server_info->lm_session_key); + data_blob_clear(&user_info_dc->user_session_key); + data_blob_clear(&user_info_dc->lm_session_key); - server_info->account_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY"); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->account_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->full_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s Anonymous Logon", user); - NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); + info->domain_name = talloc_strdup(user_info_dc, "NT AUTHORITY"); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + info->full_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s Anonymous Logon", user); + NT_STATUS_HAVE_NO_MEMORY(info->full_name); - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + info->logon_script = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + info->profile_path = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + info->home_directory = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; + info->home_drive = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); - server_info->logon_count = 0; - server_info->bad_password_count = 0; + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; - server_info->acct_flags = ACB_NORMAL; + info->logon_count = 0; + info->bad_password_count = 0; - server_info->authenticated = false; + info->acct_flags = ACB_NORMAL; - *_server_info = server_info; + info->authenticated = true; + + *_user_info_dc = user_info_dc; return nt_status; } @@ -166,7 +170,7 @@ static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx, static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { /* don't handle any users */ return NT_STATUS_NO_SUCH_USER; diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index d9aec66d52..ef4932e87c 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -237,7 +237,7 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { NTSTATUS nt_status; const char *account_name = user_info->mapped.account_name; @@ -280,18 +280,18 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return nt_status; } - nt_status = authsam_make_server_info(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), + nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), lpcfg_sam_name(ctx->auth_ctx->lp_ctx), domain_dn, msg, user_sess_key, lm_sess_key, - server_info); + user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - talloc_steal(mem_ctx, *server_info); + talloc_steal(mem_ctx, *user_info_dc); talloc_free(tmp_ctx); return NT_STATUS_OK; @@ -354,21 +354,21 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, /* Wrapper for the auth subsystem pointer */ -static NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx, +static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, const char *principal, struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { - return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, - principal, user_dn, server_info); + return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, + principal, user_dn, user_info_dc); } static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_ignoredomain_want_check, .check_password = authsam_check_password_internals, - .get_server_info_principal = authsam_get_server_info_principal_wrapper + .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper }; static const struct auth_operations sam_ops = { @@ -376,7 +376,7 @@ static const struct auth_operations sam_ops = { .get_challenge = auth_get_challenge_not_implemented, .want_check = authsam_want_check, .check_password = authsam_check_password_internals, - .get_server_info_principal = authsam_get_server_info_principal_wrapper + .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper }; _PUBLIC_ NTSTATUS auth_sam_init(void) diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c index 8e9e73c43d..106bc6c15b 100644 --- a/source4/auth/ntlm/auth_server.c +++ b/source4/auth/ntlm/auth_server.c @@ -111,10 +111,11 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX static NTSTATUS server_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; struct cli_credentials *creds; struct smb_composite_sesssetup session_setup; @@ -156,56 +157,59 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx, return nt_status; } - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); - server_info->num_sids = 1; + user_info_dc->num_sids = 1; /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ - server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ - server_info->user_session_key = data_blob(NULL, 0); - server_info->lm_session_key = data_blob(NULL, 0); + user_info_dc->user_session_key = data_blob(NULL, 0); + user_info_dc->lm_session_key = data_blob(NULL, 0); - server_info->account_name = talloc_strdup(server_info, user_info->client.account_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - server_info->domain_name = talloc_strdup(server_info, user_info->client.domain_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->account_name = talloc_strdup(user_info_dc, user_info->client.account_name); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->full_name = NULL; + info->domain_name = talloc_strdup(user_info_dc, user_info->client.domain_name); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + info->full_name = NULL; - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + info->logon_script = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + info->profile_path = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + info->home_directory = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; + info->home_drive = talloc_strdup(user_info_dc, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); - server_info->logon_count = 0; - server_info->bad_password_count = 0; + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; - server_info->acct_flags = ACB_NORMAL; + info->logon_count = 0; + info->bad_password_count = 0; - server_info->authenticated = false; + info->acct_flags = ACB_NORMAL; - *_server_info = server_info; + info->authenticated = false; + + *_user_info_dc = user_info_dc; return nt_status; } diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c index 1079fba527..75eabe855b 100644 --- a/source4/auth/ntlm/auth_simple.c +++ b/source4/auth/ntlm/auth_simple.c @@ -40,7 +40,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, { struct auth_context *auth_context; struct auth_usersupplied_info *user_info; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; NTSTATUS nt_status; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -83,7 +83,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, MSV1_0_CLEARTEXT_PASSWORD_ALLOWED | MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED; - nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info); + nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; @@ -91,11 +91,11 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, if (session_info) { uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->authenticated) { + if (user_info_dc->info->authenticated) { flags |= AUTH_SESSION_INFO_AUTHENTICATED; } nt_status = auth_context->generate_session_info(tmp_ctx, auth_context, - server_info, + user_info_dc, flags, session_info); diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c index 08759aba67..8b41983eef 100644 --- a/source4/auth/ntlm/auth_unix.c +++ b/source4/auth/ntlm/auth_unix.c @@ -31,68 +31,75 @@ /* TODO: look at how to best fill in parms retrieveing a struct passwd info * except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set */ -static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx, +static NTSTATUS authunix_make_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, const struct auth_usersupplied_info *user_info, struct passwd *pwd, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; NTSTATUS status; /* This is a real, real hack */ if (pwd->pw_uid == 0) { - status = auth_system_server_info(mem_ctx, netbios_name, &server_info); + status = auth_system_user_info_dc(mem_ctx, netbios_name, &user_info_dc); if (!NT_STATUS_IS_OK(status)) { return status; } - server_info->account_name = talloc_steal(server_info, pwd->pw_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); + + info->account_name = talloc_steal(info, pwd->pw_name); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->domain_name = talloc_strdup(server_info, "unix"); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->domain_name = talloc_strdup(info, "unix"); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); } else { - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); - server_info->authenticated = true; + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); + + info->authenticated = true; - server_info->account_name = talloc_steal(server_info, pwd->pw_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + info->account_name = talloc_steal(info, pwd->pw_name); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->domain_name = talloc_strdup(server_info, "unix"); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->domain_name = talloc_strdup(info, "unix"); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); /* This isn't in any way correct.. */ - server_info->num_sids = 0; - server_info->sids = NULL; - } - server_info->user_session_key = data_blob(NULL,0); - server_info->lm_session_key = data_blob(NULL,0); - - server_info->full_name = talloc_steal(server_info, pwd->pw_gecos); - NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); - - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; - server_info->logon_count = 0; - server_info->bad_password_count = 0; - server_info->acct_flags = 0; - - *_server_info = server_info; + user_info_dc->num_sids = 0; + user_info_dc->sids = NULL; + } + user_info_dc->user_session_key = data_blob(NULL,0); + user_info_dc->lm_session_key = data_blob(NULL,0); + + info->full_name = talloc_steal(info, pwd->pw_gecos); + NT_STATUS_HAVE_NO_MEMORY(info->full_name); + info->logon_script = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); + info->profile_path = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); + info->home_directory = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); + info->home_drive = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); + + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; + info->logon_count = 0; + info->bad_password_count = 0; + info->acct_flags = 0; + + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } @@ -791,7 +798,7 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx, static NTSTATUS authunix_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { TALLOC_CTX *check_ctx; NTSTATUS nt_status; @@ -812,8 +819,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx, return nt_status; } - nt_status = authunix_make_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), - user_info, pwd, server_info); + nt_status = authunix_make_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), + user_info, pwd, user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(check_ctx); return nt_status; diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index b6bf516a4f..30a2f01585 100644 --- a/source4/auth/ntlm/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c @@ -131,7 +131,7 @@ struct winbind_check_password_state { static NTSTATUS winbind_check_password(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { NTSTATUS status; struct dcerpc_binding_handle *irpc_handle; @@ -214,11 +214,11 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, status = dcerpc_winbind_SamLogon_r(irpc_handle, s, &s->req); NT_STATUS_NOT_OK_RETURN(status); - status = make_server_info_netlogon_validation(mem_ctx, + status = make_user_info_dc_netlogon_validation(mem_ctx, user_info->client.account_name, s->req.in.validation_level, &s->req.out.validation, - server_info); + user_info_dc); NT_STATUS_NOT_OK_RETURN(status); return NT_STATUS_OK; @@ -231,7 +231,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx, static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, const struct auth_usersupplied_info *user_info, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { struct wbcAuthUserParams params; struct wbcAuthUserInfo *info = NULL; @@ -301,9 +301,9 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx, NT_STATUS_NOT_OK_RETURN(nt_status); validation.sam3 = &info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, user_info->client.account_name, - 3, &validation, server_info); + 3, &validation, user_info_dc); return nt_status; } diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h index 0adf75f812..ff30317f55 100644 --- a/source4/auth/ntlmssp/ntlmssp.h +++ b/source4/auth/ntlmssp/ntlmssp.h @@ -27,7 +27,7 @@ struct gensec_ntlmssp_context { struct gensec_security *gensec_security; struct ntlmssp_state *ntlmssp_state; struct auth_context *auth_context; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; }; struct loadparm_context; diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index a5ff13eaa4..9db3b560c1 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -181,23 +181,23 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, nt_status = auth_context->check_password(auth_context, gensec_ntlmssp, user_info, - &gensec_ntlmssp->server_info); + &gensec_ntlmssp->user_info_dc); talloc_free(user_info); NT_STATUS_NOT_OK_RETURN(nt_status); - if (gensec_ntlmssp->server_info->user_session_key.length) { + if (gensec_ntlmssp->user_info_dc->user_session_key.length) { DEBUG(10, ("Got NT session key of length %u\n", - (unsigned)gensec_ntlmssp->server_info->user_session_key.length)); - *user_session_key = gensec_ntlmssp->server_info->user_session_key; + (unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length)); + *user_session_key = gensec_ntlmssp->user_info_dc->user_session_key; talloc_steal(mem_ctx, user_session_key->data); - gensec_ntlmssp->server_info->user_session_key = data_blob_null; + gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null; } - if (gensec_ntlmssp->server_info->lm_session_key.length) { + if (gensec_ntlmssp->user_info_dc->lm_session_key.length) { DEBUG(10, ("Got LM session key of length %u\n", - (unsigned)gensec_ntlmssp->server_info->lm_session_key.length)); - *lm_session_key = gensec_ntlmssp->server_info->lm_session_key; + (unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length)); + *lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key; talloc_steal(mem_ctx, lm_session_key->data); - gensec_ntlmssp->server_info->lm_session_key = data_blob_null; + gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null; } return nt_status; } @@ -223,7 +223,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, nt_status = gensec_generate_session_info(ntlmssp_state, gensec_security, - gensec_ntlmssp->server_info, + gensec_ntlmssp->user_info_dc, session_info); NT_STATUS_NOT_OK_RETURN(nt_status); diff --git a/source4/auth/sam.c b/source4/auth/sam.c index c9ce644cbf..83ed790054 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -68,7 +68,7 @@ const char *user_attrs[] = { /* check 'allowed workstations' */ "userWorkstations", - /* required for server_info, not access control: */ + /* required for user_info_dc, not access control: */ "displayName", "scriptPath", "profilePath", @@ -267,7 +267,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, const char *netbios_name, const char *domain_name, @@ -275,10 +275,11 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_message *msg, DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { NTSTATUS status; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; const char *str, *filter; /* SIDs for the account and his primary group */ struct dom_sid *account_sid; @@ -292,23 +293,23 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, TALLOC_CTX *tmp_ctx; struct ldb_message_element *el; - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); - tmp_ctx = talloc_new(server_info); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info); + tmp_ctx = talloc_new(user_info_dc); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc); - sids = talloc_array(server_info, struct dom_sid, 2); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info); + sids = talloc_array(user_info_dc, struct dom_sid, 2); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc); num_sids = 2; - account_sid = samdb_result_dom_sid(server_info, msg, "objectSid"); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info); + account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid"); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc); status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL); if (!NT_STATUS_IS_OK(status)) { - talloc_free(server_info); + talloc_free(user_info_dc); return status; } @@ -320,13 +321,13 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, * for builtin groups later, and not include them in the PAC * on SamLogon validation info */ filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc); primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc); primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc); primary_group_blob = data_blob_string_const(primary_group_dn); @@ -340,9 +341,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, * 'only childs' flag to true */ status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, - server_info, &sids, &num_sids); + user_info_dc, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { - talloc_free(server_info); + talloc_free(user_info_dc); return status; } @@ -353,113 +354,116 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, * them, as long as they meet the filter - so only * domain groups, not builtin groups */ status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter, - server_info, &sids, &num_sids); + user_info_dc, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { - talloc_free(server_info); + talloc_free(user_info_dc); return status; } } - server_info->sids = sids; - server_info->num_sids = num_sids; + user_info_dc->sids = sids; + user_info_dc->num_sids = num_sids; - server_info->account_name = talloc_steal(server_info, + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); + + info->account_name = talloc_steal(info, ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); - server_info->domain_name = talloc_strdup(server_info, domain_name); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name, - server_info); + info->domain_name = talloc_strdup(info, domain_name); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name, + user_info_dc); str = ldb_msg_find_attr_as_string(msg, "displayName", ""); - server_info->full_name = talloc_strdup(server_info, str); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, server_info); + info->full_name = talloc_strdup(info, str); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc); str = ldb_msg_find_attr_as_string(msg, "scriptPath", ""); - server_info->logon_script = talloc_strdup(server_info, str); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script, - server_info); + info->logon_script = talloc_strdup(info, str); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script, + user_info_dc); str = ldb_msg_find_attr_as_string(msg, "profilePath", ""); - server_info->profile_path = talloc_strdup(server_info, str); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path, - server_info); + info->profile_path = talloc_strdup(info, str); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path, + user_info_dc); str = ldb_msg_find_attr_as_string(msg, "homeDirectory", ""); - server_info->home_directory = talloc_strdup(server_info, str); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory, - server_info); + info->home_directory = talloc_strdup(info, str); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory, + user_info_dc); str = ldb_msg_find_attr_as_string(msg, "homeDrive", ""); - server_info->home_drive = talloc_strdup(server_info, str); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, server_info); + info->home_drive = talloc_strdup(info, str); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc); - server_info->logon_server = talloc_strdup(server_info, netbios_name); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server, - server_info); + info->logon_server = talloc_strdup(info, netbios_name); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server, + user_info_dc); - server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); - server_info->last_logoff = samdb_result_last_logoff(msg); - server_info->acct_expiry = samdb_result_account_expires(msg); - server_info->last_password_change = samdb_result_nttime(msg, + info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); + info->last_logoff = samdb_result_last_logoff(msg); + info->acct_expiry = samdb_result_account_expires(msg); + info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); - server_info->allow_password_change + info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, domain_dn, msg, "pwdLastSet"); - server_info->force_password_change + info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, domain_dn, msg); - server_info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0); - server_info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount", + info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0); + info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount", 0); - server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, + info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); - server_info->user_session_key = data_blob_talloc(server_info, + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, user_sess_key.data, user_sess_key.length); if (user_sess_key.data) { - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->user_session_key.data, - server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data, + user_info_dc); } - server_info->lm_session_key = data_blob_talloc(server_info, + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, lm_sess_key.data, lm_sess_key.length); if (lm_sess_key.data) { - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->lm_session_key.data, - server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data, + user_info_dc); } - if (server_info->acct_flags & ACB_SVRTRUST) { + if (info->acct_flags & ACB_SVRTRUST) { /* the SID_NT_ENTERPRISE_DCS SID gets added into the PAC */ - server_info->sids = talloc_realloc(server_info, - server_info->sids, + user_info_dc->sids = talloc_realloc(user_info_dc, + user_info_dc->sids, struct dom_sid, - server_info->num_sids+1); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); - server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs; - server_info->num_sids++; + user_info_dc->num_sids+1); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); + user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs; + user_info_dc->num_sids++; } - if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) == + if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) == (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) { /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */ - server_info->sids = talloc_realloc(server_info, - server_info->sids, + user_info_dc->sids = talloc_realloc(user_info_dc, + user_info_dc->sids, struct dom_sid, - server_info->num_sids+1); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); - server_info->sids[server_info->num_sids] = *domain_sid; - sid_append_rid(&server_info->sids[server_info->num_sids], + user_info_dc->num_sids+1); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); + user_info_dc->sids[user_info_dc->num_sids] = *domain_sid; + sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], DOMAIN_RID_ENTERPRISE_READONLY_DCS); - server_info->num_sids++; + user_info_dc->num_sids++; } - server_info->authenticated = true; + info->authenticated = true; talloc_free(tmp_ctx); - *_server_info = server_info; + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } @@ -504,12 +508,12 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, Supply either a principal or a DN */ -NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, +NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct ldb_context *sam_ctx, const char *principal, struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) + struct auth_user_info_dc **user_info_dc) { NTSTATUS nt_status; DATA_BLOB user_sess_key = data_blob(NULL, 0); @@ -555,7 +559,7 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, "(&(objectSid=%s)(objectClass=domain))", ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); if (!domain_dn) { - DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", + DEBUG(3, ("authsam_get_user_info_dc_principal: Failed to find domain with: SID %s\n", dom_sid_string(tmp_ctx, domain_sid))); return NT_STATUS_NO_SUCH_USER; } @@ -564,19 +568,19 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, + nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx, lpcfg_netbios_name(lp_ctx), lpcfg_workgroup(lp_ctx), domain_dn, msg, user_sess_key, lm_sess_key, - server_info); + user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } - talloc_steal(mem_ctx, *server_info); + talloc_steal(mem_ctx, *user_info_dc); talloc_free(tmp_ctx); return NT_STATUS_OK; diff --git a/source4/auth/session.c b/source4/auth/session.c index 060f6d2eb6..a6b8b2688c 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -44,7 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **_session_info) { @@ -63,11 +63,20 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, session_info = talloc(tmp_ctx, struct auth_session_info); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx); - session_info->server_info = talloc_reference(session_info, server_info); + session_info->info = talloc_reference(session_info, user_info_dc->info); + + session_info->torture = talloc_zero(session_info, struct auth_user_info_torture); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx); + session_info->torture->num_dc_sids = user_info_dc->num_sids; + session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx); /* unless set otherwise, the session key is the user session * key from the auth subsystem */ - session_info->session_key = server_info->user_session_key; + session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length); + if (!session_info->session_key.data && session_info->session_key.length) { + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx); + } anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx); @@ -75,40 +84,40 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx); - sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids); + sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx); if (!sids) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - num_sids = server_info->num_sids; + num_sids = user_info_dc->num_sids; - for (i=0; i < server_info->num_sids; i++) { - sids[i] = server_info->sids[i]; + for (i=0; i < user_info_dc->num_sids; i++) { + sids[i] = user_info_dc->sids[i]; } - if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { + if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { + } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ - for (i = 0; i < server_info->num_sids; i++) { + for (i = 0; i < user_info_dc->num_sids; i++) { char *sid_string; const char *sid_dn; DATA_BLOB sid_blob; sid_string = dom_sid_string(tmp_ctx, - &server_info->sids[i]); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info); + &user_info_dc->sids[i]); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc); sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); talloc_free(sid_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc); sid_blob = data_blob_string_const(sid_dn); /* This function takes in memberOf values and expands @@ -156,21 +165,21 @@ NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - nt_status = authsam_get_server_info_principal(tmp_ctx, lp_ctx, sam_ctx, + nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx, principal, user_dn, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx, - server_info, session_info_flags, + user_info_dc, session_info_flags, session_info); if (NT_STATUS_IS_OK(nt_status)) { diff --git a/source4/auth/session.h b/source4/auth/session.h index caedbc8028..d8c00a39a4 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -23,12 +23,14 @@ struct auth_session_info { struct security_token *security_token; - struct auth_serversupplied_info *server_info; + struct auth_user_info *info; + struct auth_user_info_torture *torture; DATA_BLOB session_key; struct cli_credentials *credentials; }; #include "librpc/gen_ndr/netlogon.h" +#include "librpc/gen_ndr/auth.h" struct tevent_context; struct ldb_context; @@ -38,18 +40,18 @@ struct ldb_dn; * the off-host credentials */ struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ; -NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, - const char *netbios_name, - struct auth_serversupplied_info **_server_info) ; +NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, + const char *netbios_name, + struct auth_user_info_dc **interim_info); NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *interim_info, uint32_t session_info_flags, - struct auth_session_info **_session_info); + struct auth_session_info **session_info); NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, - struct auth_session_info **_session_info); + struct auth_session_info **session_info); /* Produce a session_info for an arbitary DN or principal in the local * DB, assuming the local DB holds all the groups * diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 6df12fb701..ad0dab6262 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -25,7 +25,7 @@ #include "libcli/security/security.h" #include "auth/credentials/credentials.h" #include "param/param.h" -#include "auth/auth.h" /* for auth_serversupplied_info */ +#include "auth/auth.h" /* for auth_user_info_dc */ #include "auth/session.h" #include "auth/system_session_proto.h" @@ -68,19 +68,19 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, struct auth_session_info **_session_info) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); - nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx), - &server_info); + nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx), + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; } - /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); + /* references the user_info_dc into the session_info */ + nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -98,155 +98,163 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, return NT_STATUS_OK; } -NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, - struct auth_serversupplied_info **_server_info) +NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, + struct auth_user_info_dc **_user_info_dc) { - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ - server_info->num_sids = 1; - server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM); - NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + user_info_dc->num_sids = 1; + user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ - server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); - server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); - data_blob_clear(&server_info->user_session_key); - data_blob_clear(&server_info->lm_session_key); + data_blob_clear(&user_info_dc->user_session_key); + data_blob_clear(&user_info_dc->lm_session_key); - server_info->account_name = talloc_strdup(server_info, "SYSTEM"); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY"); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->account_name = talloc_strdup(info, "SYSTEM"); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->full_name = talloc_strdup(server_info, "System"); - NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); + info->domain_name = talloc_strdup(info, "NT AUTHORITY"); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + info->full_name = talloc_strdup(info, "System"); + NT_STATUS_HAVE_NO_MEMORY(info->full_name); - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + info->logon_script = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + info->profile_path = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + info->home_directory = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); - server_info->logon_server = talloc_strdup(server_info, netbios_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); + info->home_drive = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; + info->logon_server = talloc_strdup(info, netbios_name); + NT_STATUS_HAVE_NO_MEMORY(info->logon_server); - server_info->logon_count = 0; - server_info->bad_password_count = 0; + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; - server_info->acct_flags = ACB_NORMAL; + info->logon_count = 0; + info->bad_password_count = 0; - server_info->authenticated = true; + info->acct_flags = ACB_NORMAL; - *_server_info = server_info; + info->authenticated = true; + + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } -static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx, +static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, const char *domain_name, struct dom_sid *domain_sid, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); - server_info->num_sids = 7; - server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids); + user_info_dc->num_sids = 7; + user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids); - server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid; - sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR); + user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid; + sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR); - server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; - sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS); + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; + sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS); - server_info->sids[2] = global_sid_Builtin_Administrators; + user_info_dc->sids[2] = global_sid_Builtin_Administrators; - server_info->sids[3] = *domain_sid; - sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS); - server_info->sids[4] = *domain_sid; - sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS); - server_info->sids[5] = *domain_sid; - sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS); - server_info->sids[6] = *domain_sid; - sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS); + user_info_dc->sids[3] = *domain_sid; + sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS); + user_info_dc->sids[4] = *domain_sid; + sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS); + user_info_dc->sids[5] = *domain_sid; + sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS); + user_info_dc->sids[6] = *domain_sid; + sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS); /* What should the session key be?*/ - server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); + + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); - server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + data_blob_clear(&user_info_dc->user_session_key); + data_blob_clear(&user_info_dc->lm_session_key); - data_blob_clear(&server_info->user_session_key); - data_blob_clear(&server_info->lm_session_key); + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - server_info->account_name = talloc_strdup(server_info, "Administrator"); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + info->account_name = talloc_strdup(info, "Administrator"); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->domain_name = talloc_strdup(server_info, domain_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->domain_name = talloc_strdup(info, domain_name); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); - server_info->full_name = talloc_strdup(server_info, "Administrator"); - NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); + info->full_name = talloc_strdup(info, "Administrator"); + NT_STATUS_HAVE_NO_MEMORY(info->full_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + info->logon_script = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + info->profile_path = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + info->home_directory = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + info->home_drive = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); - server_info->logon_server = talloc_strdup(server_info, netbios_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); + info->logon_server = talloc_strdup(info, netbios_name); + NT_STATUS_HAVE_NO_MEMORY(info->logon_server); - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; - server_info->logon_count = 0; - server_info->bad_password_count = 0; + info->logon_count = 0; + info->bad_password_count = 0; - server_info->acct_flags = ACB_NORMAL; + info->acct_flags = ACB_NORMAL; - server_info->authenticated = true; + info->authenticated = true; - *_server_info = server_info; + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } @@ -257,21 +265,21 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx, struct auth_session_info **session_info) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); - nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx), + nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx), lpcfg_workgroup(lp_ctx), domain_sid, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; } - nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info, + nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS, session_info); - /* There is already a reference between the sesion_info and server_info */ + /* There is already a reference between the sesion_info and user_info_dc */ if (NT_STATUS_IS_OK(nt_status)) { talloc_steal(parent_ctx, *session_info); } @@ -298,20 +306,20 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, struct auth_session_info **_session_info) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); - nt_status = auth_anonymous_server_info(mem_ctx, + nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx), - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; } - /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); + /* references the user_info_dc into the session_info */ + nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -329,70 +337,74 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, return NT_STATUS_OK; } -_PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, +_PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, - struct auth_serversupplied_info **_server_info) + struct auth_user_info_dc **_user_info_dc) { - struct auth_serversupplied_info *server_info; - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); + struct auth_user_info_dc *user_info_dc; + struct auth_user_info *info; + user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ - server_info->num_sids = 1; - server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + user_info_dc->num_sids = 1; + user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); /* annoying, but the Anonymous really does have a session key... */ - server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); - server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data); /* and it is all zeros! */ - data_blob_clear(&server_info->user_session_key); - data_blob_clear(&server_info->lm_session_key); + data_blob_clear(&user_info_dc->user_session_key); + data_blob_clear(&user_info_dc->lm_session_key); + + user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); + NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); - server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON"); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + info->account_name = talloc_strdup(info, "ANONYMOUS LOGON"); + NT_STATUS_HAVE_NO_MEMORY(info->account_name); - server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY"); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + info->domain_name = talloc_strdup(info, "NT AUTHORITY"); + NT_STATUS_HAVE_NO_MEMORY(info->domain_name); - server_info->full_name = talloc_strdup(server_info, "Anonymous Logon"); - NT_STATUS_HAVE_NO_MEMORY(server_info->full_name); + info->full_name = talloc_strdup(info, "Anonymous Logon"); + NT_STATUS_HAVE_NO_MEMORY(info->full_name); - server_info->logon_script = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + info->logon_script = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->logon_script); - server_info->profile_path = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + info->profile_path = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->profile_path); - server_info->home_directory = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + info->home_directory = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_directory); - server_info->home_drive = talloc_strdup(server_info, ""); - NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + info->home_drive = talloc_strdup(info, ""); + NT_STATUS_HAVE_NO_MEMORY(info->home_drive); - server_info->logon_server = talloc_strdup(server_info, netbios_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server); + info->logon_server = talloc_strdup(info, netbios_name); + NT_STATUS_HAVE_NO_MEMORY(info->logon_server); - server_info->last_logon = 0; - server_info->last_logoff = 0; - server_info->acct_expiry = 0; - server_info->last_password_change = 0; - server_info->allow_password_change = 0; - server_info->force_password_change = 0; + info->last_logon = 0; + info->last_logoff = 0; + info->acct_expiry = 0; + info->last_password_change = 0; + info->allow_password_change = 0; + info->force_password_change = 0; - server_info->logon_count = 0; - server_info->bad_password_count = 0; + info->logon_count = 0; + info->bad_password_count = 0; - server_info->acct_flags = ACB_NORMAL; + info->acct_flags = ACB_NORMAL; - server_info->authenticated = false; + info->authenticated = false; - *_server_info = server_info; + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c index a7bc331f8e..58d3ecde30 100644 --- a/source4/dsdb/samdb/ldb_modules/acl_util.c +++ b/source4/dsdb/samdb/ldb_modules/acl_util.c @@ -235,6 +235,6 @@ const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module) } return talloc_asprintf(mem_ctx, "%s\\%s", - session_info->server_info->domain_name, - session_info->server_info->account_name); + session_info->info->domain_name, + session_info->info->account_name); } diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c index 800d560b44..117cab095d 100644 --- a/source4/kdc/kpasswdd.c +++ b/source4/kdc/kpasswdd.c @@ -169,7 +169,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, * seem to be the case here. */ ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs, "(&(objectClass=user)(sAMAccountName=%s))", - session_info->server_info->account_name); + session_info->info->account_name); if (ret != 1) { return kpasswdd_make_error_reply(kdc, mem_ctx, KRB5_KPASSWD_ACCESSDENIED, @@ -197,8 +197,8 @@ static bool kpasswdd_change_password(struct kdc_server *kdc, } DEBUG(3, ("Changing password of %s\\%s (%s)\n", - session_info->server_info->domain_name, - session_info->server_info->account_name, + session_info->info->domain_name, + session_info->info->account_name, dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]))); /* Performs the password change */ @@ -359,8 +359,8 @@ static bool kpasswd_process_request(struct kdc_server *kdc, } DEBUG(3, ("%s\\%s (%s) is changing password of %s\n", - session_info->server_info->domain_name, - session_info->server_info->account_name, + session_info->info->domain_name, + session_info->info->account_name, dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]), set_password_on_princ)); ret = ldb_transaction_start(samdb); diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index 6dbeb354e0..18d29a10cb 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -28,10 +28,11 @@ #include "auth/auth_sam_reply.h" #include "kdc/kdc-glue.h" #include "param/param.h" +#include "librpc/gen_ndr/ndr_krb5pac.h" static NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *info, + struct auth_user_info_dc *info, DATA_BLOB *pac_data) { struct netr_SamInfo3 *info3; @@ -41,7 +42,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, ZERO_STRUCT(pac_info); - nt_status = auth_convert_server_info_saminfo3(mem_ctx, info, &info3); + nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status))); @@ -139,7 +140,7 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx, DATA_BLOB **_pac_blob) { struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry); - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; DATA_BLOB *pac_blob; NTSTATUS nt_status; @@ -154,21 +155,21 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - nt_status = authsam_make_server_info(mem_ctx, p->kdc_db_ctx->samdb, + nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb, lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx), lpcfg_sam_name(p->kdc_db_ctx->lp_ctx), p->realm_dn, p->msg, data_blob(NULL, 0), data_blob(NULL, 0), - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Getting user info for PAC failed: %s\n", nt_errstr(nt_status))); return nt_status; } - nt_status = samba_get_logon_info_pac_blob(mem_ctx, server_info, pac_blob); + nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Building PAC failed: %s\n", nt_errstr(nt_status))); @@ -183,18 +184,18 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx, krb5_context context, krb5_pac *pac, DATA_BLOB *pac_blob) { - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; krb5_error_code ret; NTSTATUS nt_status; - ret = kerberos_pac_to_server_info(mem_ctx, *pac, - context, &server_info); + ret = kerberos_pac_to_user_info_dc(mem_ctx, *pac, + context, &user_info_dc, NULL, NULL); if (ret) { return NT_STATUS_UNSUCCESSFUL; } nt_status = samba_get_logon_info_pac_blob(mem_ctx, - server_info, pac_blob); + user_info_dc, pac_blob); return nt_status; } diff --git a/source4/ntvfs/ipc/vfs_ipc.c b/source4/ntvfs/ipc/vfs_ipc.c index 972de2723c..19127a29bc 100644 --- a/source4/ntvfs/ipc/vfs_ipc.c +++ b/source4/ntvfs/ipc/vfs_ipc.c @@ -255,6 +255,7 @@ static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs, const struct tsocket_address *server_addr; int ret; DATA_BLOB delegated_creds = data_blob_null; + struct auth_user_info_dc user_info_dc; switch (oi->generic.level) { case RAW_OPEN_NTCREATEX: @@ -309,9 +310,16 @@ static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs, state->req = req; state->oi = oi; - status = auth_convert_server_info_saminfo3(state, - req->session_info->server_info, - &state->info3); + /* Disgusting hack to recreate the user_info_dc that should + * not be used that this layer in this way */ + ZERO_STRUCT(user_info_dc); + user_info_dc.info = req->session_info->info; + user_info_dc.num_sids = req->session_info->torture->num_dc_sids; + user_info_dc.sids = req->session_info->torture->dc_sids; + + status = auth_convert_user_info_dc_saminfo3(state, + &user_info_dc, + &state->info3); NT_STATUS_NOT_OK_RETURN(status); client_addr = ntvfs_get_local_address(ipriv->ntvfs); diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c index 6ec078bd4e..5cd532ea13 100644 --- a/source4/rpc_server/lsa/dcesrv_lsa.c +++ b/source4/rpc_server/lsa/dcesrv_lsa.c @@ -3637,8 +3637,8 @@ static NTSTATUS dcesrv_lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLO return NT_STATUS_INVALID_PARAMETER; } - account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name); - authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name); + account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->account_name); + authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->domain_name); _account_name = talloc(mem_ctx, struct lsa_String); NT_STATUS_HAVE_NO_MEMORY(_account_name); diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index e060380402..4d5382f37e 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -602,7 +602,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal { struct auth_context *auth_context; struct auth_usersupplied_info *user_info; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; NTSTATUS nt_status; static const char zeros[16]; struct netr_SamBaseInfo *sam; @@ -734,13 +734,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal return NT_STATUS_INVALID_PARAMETER; } - nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info); + nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc); /* TODO: set *r->out.authoritative = 0 on specific errors */ NT_STATUS_NOT_OK_RETURN(nt_status); switch (r->in.validation_level) { case 2: - nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam); + nt_status = auth_convert_user_info_dc_sambaseinfo(mem_ctx, user_info_dc, &sam); NT_STATUS_NOT_OK_RETURN(nt_status); sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2); @@ -755,8 +755,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal break; case 3: - nt_status = auth_convert_server_info_saminfo3(mem_ctx, - server_info, + nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, + user_info_dc, &sam3); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -766,8 +766,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal break; case 6: - nt_status = auth_convert_server_info_saminfo3(mem_ctx, - server_info, + nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, + user_info_dc, &sam3); NT_STATUS_NOT_OK_RETURN(nt_status); diff --git a/source4/samba_tool/gpo.c b/source4/samba_tool/gpo.c index 93aae60983..46243a07b6 100644 --- a/source4/samba_tool/gpo.c +++ b/source4/samba_tool/gpo.c @@ -208,7 +208,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) { struct gp_context *gp_ctx; struct ldb_result *result; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; struct auth_session_info *session_info; DATA_BLOB dummy = { NULL, 0 }; const char **gpos; @@ -227,7 +227,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) } /* Find the user in the directory. We need extended DN's for group expansion - * in authsam_make_server_info */ + * in authsam_make_user_info_dc */ rv = dsdb_search(gp_ctx->ldb_ctx, gp_ctx, &result, @@ -251,7 +251,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) /* We need the server info, as this will contain the groups of this * user, needed for a token */ - status = authsam_make_server_info(gp_ctx, + status = authsam_make_user_info_dc(gp_ctx, gp_ctx->ldb_ctx, lpcfg_netbios_name(gp_ctx->lp_ctx), lpcfg_sam_name(gp_ctx->lp_ctx), @@ -259,7 +259,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) result->msgs[0], dummy, dummy, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to make server information: %s\n", get_friendly_nt_error_msg(status))); talloc_free(gp_ctx); @@ -267,7 +267,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) } /* The session info will contain the security token for this user */ - status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info); + status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, user_info_dc, 0, &session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status))); talloc_free(gp_ctx); diff --git a/source4/smb_server/management.c b/source4/smb_server/management.c index 05373595c0..af993717ef 100644 --- a/source4/smb_server/management.c +++ b/source4/smb_server/management.c @@ -59,8 +59,8 @@ static NTSTATUS smbsrv_session_information(struct irpc_message *msg, info->client_ip = client_addr_string; info->vuid = sess->vuid; - info->account_name = sess->session_info->server_info->account_name; - info->domain_name = sess->session_info->server_info->domain_name; + info->account_name = sess->session_info->info->account_name; + info->domain_name = sess->session_info->info->domain_name; info->connect_time = timeval_to_nttime(&sess->statistics.connect_time); info->auth_time = timeval_to_nttime(&sess->statistics.auth_time); diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c index 6b50bcb48e..5e4e3e514f 100644 --- a/source4/smb_server/smb/sesssetup.c +++ b/source4/smb_server/smb/sesssetup.c @@ -68,24 +68,24 @@ static void sesssetup_old_send(struct tevent_req *subreq) struct smbsrv_request *req = state->req; union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup); - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info; struct smbsrv_session *smb_sess; NTSTATUS status; uint32_t flags; - status = auth_check_password_recv(subreq, req, &server_info); + status = auth_check_password_recv(subreq, req, &user_info_dc); TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) goto failed; flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->authenticated) { + if (user_info_dc->info->authenticated) { flags |= AUTH_SESSION_INFO_AUTHENTICATED; } - /* This references server_info into session_info */ + /* This references user_info_dc into session_info */ status = req->smb_conn->negotiate.auth_context->generate_session_info(req, req->smb_conn->negotiate.auth_context, - server_info, flags, &session_info); + user_info_dc, flags, &session_info); if (!NT_STATUS_IS_OK(status)) goto failed; /* allocate a new session */ @@ -198,26 +198,25 @@ static void sesssetup_nt1_send(struct tevent_req *subreq) struct sesssetup_context *state = tevent_req_callback_data(subreq, struct sesssetup_context); struct smbsrv_request *req = state->req; union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup); - struct auth_serversupplied_info *server_info = NULL; + struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info; struct smbsrv_session *smb_sess; uint32_t flags; NTSTATUS status; - status = auth_check_password_recv(subreq, req, &server_info); + status = auth_check_password_recv(subreq, req, &user_info_dc); TALLOC_FREE(subreq); if (!NT_STATUS_IS_OK(status)) goto failed; flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->authenticated) { + if (user_info_dc->info->authenticated) { flags |= AUTH_SESSION_INFO_AUTHENTICATED; } - - /* This references server_info into session_info */ + /* This references user_info_dc into session_info */ status = state->auth_context->generate_session_info(req, state->auth_context, - server_info, + user_info_dc, flags, &session_info); if (!NT_STATUS_IS_OK(status)) goto failed; diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c index d9e09f1209..148d4fdf80 100644 --- a/source4/smbd/service_named_pipe.c +++ b/source4/smbd/service_named_pipe.c @@ -98,7 +98,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) DATA_BLOB delegated_creds; union netr_Validation val; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; struct auth_context *auth_context; uint32_t session_flags = 0; struct dom_sid *anonymous_sid; @@ -140,12 +140,12 @@ static void named_pipe_accept_done(struct tevent_req *subreq) if (info3) { val.sam3 = info3; - status = make_server_info_netlogon_validation(conn, + status = make_user_info_dc_netlogon_validation(conn, val.sam3->base.account_name.string, - 3, &val, &server_info); + 3, &val, &user_info_dc); if (!NT_STATUS_IS_OK(status)) { reason = talloc_asprintf(conn, - "make_server_info_netlogon_validation " + "make_user_info_dc_netlogon_validation " "returned: %s", nt_errstr(status)); goto out; } @@ -169,7 +169,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) } session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) { + if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) { session_flags |= AUTH_SESSION_INFO_AUTHENTICATED; } @@ -177,7 +177,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) /* setup the session_info on the connection */ status = auth_context->generate_session_info(conn, auth_context, - server_info, + user_info_dc, session_flags, &conn->session_info); talloc_free(auth_context); diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index e76f0820d4..5c547d71bc 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -29,6 +29,7 @@ #include "torture/torture.h" #include "auth/auth_sam_reply.h" #include "param/param.h" +#include "librpc/gen_ndr/ndr_krb5pac.h" static bool torture_pac_self_check(struct torture_context *tctx) { @@ -48,8 +49,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) struct smb_krb5_context *smb_krb5_context; - struct auth_serversupplied_info *server_info; - struct auth_serversupplied_info *server_info_out; + struct auth_user_info_dc *user_info_dc; + struct auth_user_info_dc *user_info_dc_out; krb5_principal client_principal; time_t logon_time = time(NULL); @@ -90,18 +91,18 @@ static bool torture_pac_self_check(struct torture_context *tctx) } /* We need an input, and this one requires no underlying database */ - nt_status = auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &server_info); + nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &server_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); - torture_fail(tctx, "auth_anonymous_server_info"); + torture_fail(tctx, "auth_anonymous_user_info_dc"); } ret = krb5_parse_name_flags(smb_krb5_context->krb5_context, - server_info->account_name, + user_info_dc->info->account_name, KRB5_PRINCIPAL_PARSE_NO_REALM, &client_principal); if (ret) { @@ -114,7 +115,7 @@ static bool torture_pac_self_check(struct torture_context *tctx) /* OK, go ahead and make a PAC */ ret = kerberos_create_pac(mem_ctx, - server_info, + user_info_dc, smb_krb5_context->krb5_context, &krbtgt_keyblock, &server_keyblock, @@ -162,14 +163,14 @@ static bool torture_pac_self_check(struct torture_context *tctx) } /* Now check we can read it back (using Heimdal's pac parsing) */ - nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, - &server_info_out); + &user_info_dc_out, NULL, NULL); /* The user's SID is the first element in the list */ - if (!dom_sid_equal(server_info->sids, - server_info_out->sids)) { + if (!dom_sid_equal(user_info_dc->sids, + user_info_dc_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -180,10 +181,10 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->sids), - dom_sid_string(mem_ctx, server_info_out->sids))); + dom_sid_string(mem_ctx, user_info_dc->sids), + dom_sid_string(mem_ctx, user_info_dc_out->sids))); } - talloc_free(server_info_out); + talloc_free(user_info_dc_out); /* Now check that we can read it back (yet again) */ nt_status = kerberos_pac_logon_info(mem_ctx, @@ -219,10 +220,10 @@ static bool torture_pac_self_check(struct torture_context *tctx) /* And make a server info from the samba-parsed PAC */ validation.sam3 = &logon_info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, - &server_info_out); + &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { torture_fail(tctx, talloc_asprintf(tctx, @@ -230,13 +231,13 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - if (!dom_sid_equal(server_info->sids, - server_info_out->sids)) { + if (!dom_sid_equal(user_info_dc->sids, + user_info_dc_out->sids)) { torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->sids), - dom_sid_string(mem_ctx, server_info_out->sids))); + dom_sid_string(mem_ctx, user_info_dc->sids), + dom_sid_string(mem_ctx, user_info_dc_out->sids))); } return true; } @@ -298,7 +299,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) struct PAC_LOGON_INFO *logon_info; union netr_Validation validation; const char *pac_file, *pac_kdc_key, *pac_member_key; - struct auth_serversupplied_info *server_info_out; + struct auth_user_info_dc *user_info_dc_out; krb5_keyblock server_keyblock; krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p; @@ -425,10 +426,11 @@ static bool torture_pac_saved_check(struct torture_context *tctx) } /* Now check we can read it back (using Heimdal's pac parsing) */ - nt_status = kerberos_pac_blob_to_server_info(mem_ctx, + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, tmp_blob, smb_krb5_context->krb5_context, - &server_info_out); + &user_info_dc_out, + NULL, NULL); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -445,7 +447,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->sids)) { + user_info_dc_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -456,10 +458,10 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->sids))); + dom_sid_string(mem_ctx, user_info_dc_out->sids))); } - talloc_free(server_info_out); + talloc_free(user_info_dc_out); /* Parse the PAC again, for the logon info this time (using Samba4's parsing) */ nt_status = kerberos_pac_logon_info(mem_ctx, @@ -484,10 +486,10 @@ static bool torture_pac_saved_check(struct torture_context *tctx) } validation.sam3 = &logon_info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, + nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, - &server_info_out); + &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); @@ -504,7 +506,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->sids)) { + user_info_dc_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -515,7 +517,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->sids))); + dom_sid_string(mem_ctx, user_info_dc_out->sids))); } if (krbtgt_bytes == NULL) { @@ -578,7 +580,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) } ret = kerberos_create_pac(mem_ctx, - server_info_out, + user_info_dc_out, smb_krb5_context->krb5_context, krbtgt_keyblock_p, &server_keyblock, diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 73e62a3b6f..c4efabcebc 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -32,6 +32,7 @@ #include "libcli/auth/libcli_auth.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_netlogon_c.h" +#include "librpc/gen_ndr/ndr_krb5pac.h" #include "librpc/gen_ndr/ndr_samr_c.h" #include "param/param.h" @@ -130,19 +131,22 @@ static bool test_PACVerify(struct torture_context *tctx, status = gensec_session_info(gensec_server_context, &session_info); torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); - - pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; - pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; - pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; + torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct"); + torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present"); + torture_assert(tctx, session_info->torture->pac_kdc_sig != NULL, "pac_kdc_sig not present"); + + pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; + pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->server_info->pac_srv_sig.signature.data, + session_info->torture->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->server_info->pac_kdc_sig.signature.data, + session_info->torture->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, @@ -160,8 +164,8 @@ static bool test_PACVerify(struct torture_context *tctx, generic.identity_info.parameter_control = 0; generic.identity_info.logon_id_high = 0; generic.identity_info.logon_id_low = 0; - generic.identity_info.domain_name.string = session_info->server_info->domain_name; - generic.identity_info.account_name.string = session_info->server_info->account_name; + generic.identity_info.domain_name.string = session_info->info->domain_name; + generic.identity_info.account_name.string = session_info->info->account_name; generic.identity_info.workstation.string = test_machine_name; generic.package_name.string = "Kerberos"; @@ -233,22 +237,22 @@ static bool test_PACVerify(struct torture_context *tctx, &r.out.return_authenticator->cred), "Credential chaining failed"); - pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; - pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; + pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; /* Break the SignatureType */ pac_wrapped_struct.SignatureType++; - pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; + pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->server_info->pac_srv_sig.signature.data, + session_info->torture->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->server_info->pac_kdc_sig.signature.data, + session_info->torture->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct, @@ -281,19 +285,19 @@ static bool test_PACVerify(struct torture_context *tctx, torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred), "Credential chaining failed"); - pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length; - pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type; - pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length; + pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length; + pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type; + pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length; pac_wrapped_struct.ChecksumAndSignature = payload = data_blob_talloc(tmp_ctx, NULL, pac_wrapped_struct.ChecksumLength + pac_wrapped_struct.SignatureLength); memcpy(&payload.data[0], - session_info->server_info->pac_srv_sig.signature.data, + session_info->torture->pac_srv_sig->signature.data, pac_wrapped_struct.ChecksumLength); memcpy(&payload.data[pac_wrapped_struct.ChecksumLength], - session_info->server_info->pac_kdc_sig.signature.data, + session_info->torture->pac_kdc_sig->signature.data, pac_wrapped_struct.SignatureLength); /* Break the signature length */ @@ -405,7 +409,7 @@ static bool test_S2U4Self(struct torture_context *tctx, struct auth_session_info *kinit_session_info; struct auth_session_info *s2u4self_session_info; - struct auth_serversupplied_info *netlogon_server_info; + struct auth_user_info_dc *netlogon_user_info_dc; struct netr_NetworkInfo ninfo; DATA_BLOB names_blob, chal, lm_resp, nt_resp; @@ -589,31 +593,31 @@ static bool test_S2U4Self(struct torture_context *tctx, &r.out.return_authenticator->cred), "Credential chaining failed"); - status = make_server_info_netlogon_validation(tmp_ctx, + status = make_user_info_dc_netlogon_validation(tmp_ctx, ninfo.identity_info.account_name.string, r.in.validation_level, r.out.validation, - &netlogon_server_info); + &netlogon_user_info_dc); - torture_assert_ntstatus_ok(tctx, status, "make_server_info_netlogon_validation failed"); + torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed"); - torture_assert_str_equal(tctx, netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name, - kinit_session_info->server_info->account_name, "Account name differs for kinit-based PAC"); - torture_assert_str_equal(tctx,netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name, - s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self"); - torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC"); - torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self"); - torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC"); - torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self"); + torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name, + kinit_session_info->info->account_name, "Account name differs for kinit-based PAC"); + torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name, + s2u4self_session_info->info->account_name, "Account name differs for S2U4Self"); + torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC"); + torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s2u4self_session_info->info->full_name, "Full name differs for S2U4Self"); + torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC"); + torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s2u4self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S2U4Self"); builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN); - for (i = 0; i < kinit_session_info->server_info->num_sids; i++) { - torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); + for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) { + torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC"); + torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s2u4self_session_info->torture->dc_sids[i]), "Different domain groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups kinit-based PAC"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); } return true; diff --git a/source4/utils/ntlm_auth.c b/source4/utils/ntlm_auth.c index 0d3e2cfb0d..9c73d3c79e 100644 --- a/source4/utils/ntlm_auth.c +++ b/source4/utils/ntlm_auth.c @@ -707,8 +707,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode, reply_code = "AF"; reply_arg = talloc_asprintf(state->gensec_state, - "%s%s%s", session_info->server_info->domain_name, - lpcfg_winbind_separator(lp_ctx), session_info->server_info->account_name); + "%s%s%s", session_info->info->domain_name, + lpcfg_winbind_separator(lp_ctx), session_info->info->account_name); talloc_free(session_info); } } else if (state->gensec_state->gensec_role == GENSEC_CLIENT) { |