summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-07-21 17:06:17 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-07-29 04:24:07 +0200
commitf5963aad18de80e837448cbc29feb52081897667 (patch)
tree130c53233356893eb5d11132a48f4f780153f2d0
parente84b8a72bd63d3f4af810536068ae65d33aabff8 (diff)
downloadsamba-f5963aad18de80e837448cbc29feb52081897667.tar.gz
samba-f5963aad18de80e837448cbc29feb52081897667.tar.bz2
samba-f5963aad18de80e837448cbc29feb52081897667.zip
s4-auth Move conversion of security_token to unix_token to auth
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source4/auth/auth.h2
-rw-r--r--source4/auth/ntlm/auth.c29
-rw-r--r--source4/auth/ntlm/wscript_build2
-rw-r--r--source4/auth/session.c2
-rw-r--r--source4/auth/unix_token.c91
-rw-r--r--source4/auth/wscript_build6
-rw-r--r--source4/ntvfs/unixuid/vfs_unixuid.c56
-rw-r--r--source4/ntvfs/unixuid/wscript_build2
8 files changed, 129 insertions, 61 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index caab230a46..ac2327df9d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -157,7 +157,9 @@ struct auth_critical_sizes {
const struct auth_usersupplied_info *user_info_in,
const struct auth_usersupplied_info **user_info_encrypted);
+struct wbc_context;
#include "auth/session.h"
+#include "auth/unix_token_proto.h"
#include "auth/system_session_proto.h"
#include "libcli/security/security.h"
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index d2464c3cbf..7006125d16 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -26,7 +26,7 @@
#include "auth/ntlm/auth_proto.h"
#include "param/param.h"
#include "dsdb/samdb/samdb.h"
-
+#include "libcli/wbclient/wbclient.h"
/***************************************************************************
Set a fixed challenge
@@ -407,16 +407,35 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
}
/* Wrapper because we don't want to expose all callers to needing to
- * know that session_info is generated from the main ldb */
+ * know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context,
struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
- return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
- auth_context->sam_ctx, user_info_dc,
- session_info_flags, session_info);
+ NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, user_info_dc,
+ session_info_flags, session_info);
+ if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
+ && NT_STATUS_IS_OK(status)) {
+ struct wbc_context *wbc_ctx = wbc_init(auth_context,
+ auth_context->msg_ctx,
+ auth_context->event_ctx);
+ if (!wbc_ctx) {
+ TALLOC_FREE(*session_info);
+ DEBUG(1, ("Cannot contact winbind to provide unix token"));
+ return NT_STATUS_INVALID_SERVER_STATE;
+ }
+ status = security_token_to_unix_token(*session_info, wbc_ctx,
+ (*session_info)->security_token,
+ &(*session_info)->unix_token);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(*session_info);
+ }
+ TALLOC_FREE(wbc_ctx);
+ }
+ return status;
}
/***************************************************************************
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build
index d954ec0086..29e54fd314 100644
--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix',
bld.SAMBA_LIBRARY('auth4',
source='auth.c auth_util.c auth_simple.c',
autoproto='auth_proto.h',
- deps='samba-util security samdb credentials UTIL_TEVENT',
+ deps='samba-util security samdb credentials UTIL_TEVENT LIBWBCLIENT_OLD auth_unix_token',
private_library=True
)
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 7a4dc5426b..805659c5a4 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -32,6 +32,7 @@
#include "auth/session_proto.h"
#include "system/kerberos.h"
#include <gssapi/gssapi.h>
+#include "libcli/wbclient/wbclient.h"
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
@@ -335,4 +336,3 @@ void auth_session_info_debug(int dbg_lev,
security_token_debug(0, dbg_lev, session_info->security_token);
}
-
diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c
new file mode 100644
index 0000000000..3cd67ed79a
--- /dev/null
+++ b/source4/auth/unix_token.c
@@ -0,0 +1,91 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Deal with unix elements in the security token
+
+ Copyright (C) Andrew Tridgell 2004
+ Copyright (C) Andrew Bartlett 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "libcli/wbclient/wbclient.h"
+
+/*
+ form a security_unix_token from the current security_token
+*/
+NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
+ struct wbc_context *wbc_ctx,
+ struct security_token *token,
+ struct security_unix_token **sec)
+{
+ int i;
+ NTSTATUS status;
+ struct id_map *ids;
+ struct composite_context *ctx;
+ *sec = talloc(mem_ctx, struct security_unix_token);
+
+ /* we can't do unix security without a user and group */
+ if (token->num_sids < 2) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ ids = talloc_array(mem_ctx, struct id_map, token->num_sids);
+ NT_STATUS_HAVE_NO_MEMORY(ids);
+
+ (*sec)->ngroups = token->num_sids - 2;
+ (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
+ NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
+
+ for (i=0;i<token->num_sids;i++) {
+ ZERO_STRUCT(ids[i].xid);
+ ids[i].sid = &token->sids[i];
+ ids[i].status = ID_UNKNOWN;
+ }
+
+ ctx = wbc_sids_to_xids_send(wbc_ctx, ids, token->num_sids, ids);
+ NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+ status = wbc_sids_to_xids_recv(ctx, &ids);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ if (ids[0].xid.type == ID_TYPE_BOTH ||
+ ids[0].xid.type == ID_TYPE_UID) {
+ (*sec)->uid = ids[0].xid.id;
+ } else {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ if (ids[1].xid.type == ID_TYPE_BOTH ||
+ ids[1].xid.type == ID_TYPE_GID) {
+ (*sec)->gid = ids[1].xid.id;
+ } else {
+ return NT_STATUS_INVALID_SID;
+ }
+
+ for (i=0;i<(*sec)->ngroups;i++) {
+ if (ids[i+2].xid.type == ID_TYPE_BOTH ||
+ ids[i+2].xid.type == ID_TYPE_GID) {
+ (*sec)->groups[i] = ids[i+2].xid.id;
+ } else {
+ return NT_STATUS_INVALID_SID;
+ }
+ }
+
+ TALLOC_FREE(ids);
+
+ return NT_STATUS_OK;
+}
diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
index d72086e1d9..f7535c4145 100644
--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -15,6 +15,12 @@ bld.SAMBA_SUBSYSTEM('auth_session',
deps='samdb auth4_sam'
)
+bld.SAMBA_SUBSYSTEM('auth_unix_token',
+ source='unix_token.c',
+ autoproto='unix_token_proto.h',
+ public_deps='LIBWBCLIENT_OLD',
+ )
+
bld.SAMBA_SUBSYSTEM('samba_server_gensec',
source='samba_server_gensec.c',
diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c
index 02b7cb8db5..0221b4391c 100644
--- a/source4/ntvfs/unixuid/vfs_unixuid.c
+++ b/source4/ntvfs/unixuid/vfs_unixuid.c
@@ -164,60 +164,10 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
struct security_unix_token **sec)
{
struct unixuid_private *priv = ntvfs->private_data;
- int i;
- NTSTATUS status;
- struct id_map *ids;
- struct composite_context *ctx;
- *sec = talloc(req, struct security_unix_token);
-
- /* we can't do unix security without a user and group */
- if (token->num_sids < 2) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- ids = talloc_array(req, struct id_map, token->num_sids);
- NT_STATUS_HAVE_NO_MEMORY(ids);
-
- (*sec)->ngroups = token->num_sids - 2;
- (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
- NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
-
- for (i=0;i<token->num_sids;i++) {
- ZERO_STRUCT(ids[i].xid);
- ids[i].sid = &token->sids[i];
- ids[i].status = ID_UNKNOWN;
- }
-
- ctx = wbc_sids_to_xids_send(priv->wbc_ctx, ids, token->num_sids, ids);
- NT_STATUS_HAVE_NO_MEMORY(ctx);
-
- status = wbc_sids_to_xids_recv(ctx, &ids);
- NT_STATUS_NOT_OK_RETURN(status);
- if (ids[0].xid.type == ID_TYPE_BOTH ||
- ids[0].xid.type == ID_TYPE_UID) {
- (*sec)->uid = ids[0].xid.id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
-
- if (ids[1].xid.type == ID_TYPE_BOTH ||
- ids[1].xid.type == ID_TYPE_GID) {
- (*sec)->gid = ids[1].xid.id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
-
- for (i=0;i<(*sec)->ngroups;i++) {
- if (ids[i+2].xid.type == ID_TYPE_BOTH ||
- ids[i+2].xid.type == ID_TYPE_GID) {
- (*sec)->groups[i] = ids[i+2].xid.id;
- } else {
- return NT_STATUS_INVALID_SID;
- }
- }
-
- return NT_STATUS_OK;
+ return security_token_to_unix_token(req,
+ priv->wbc_ctx,
+ token, sec);
}
/*
diff --git a/source4/ntvfs/unixuid/wscript_build b/source4/ntvfs/unixuid/wscript_build
index fe5620886a..3a7570956b 100644
--- a/source4/ntvfs/unixuid/wscript_build
+++ b/source4/ntvfs/unixuid/wscript_build
@@ -4,6 +4,6 @@ bld.SAMBA_MODULE('ntvfs_unixuid',
source='vfs_unixuid.c',
subsystem='ntvfs',
init_function='ntvfs_unixuid_init',
- deps='samdb'
+ deps='auth_unix_token'
)