diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-07-15 11:38:49 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-20 09:17:10 +1000 |
| commit | d7d8a5ed94a2b572b6818008a858f8c6b529dd03 (patch) | |
| tree | 11193077b44dc73c6c245b63592eef5cdc331add /source3/include/auth.h | |
| parent | e2443195992c33d69073bcae320779041215339a (diff) | |
| download | samba-d7d8a5ed94a2b572b6818008a858f8c6b529dd03.tar.gz samba-d7d8a5ed94a2b572b6818008a858f8c6b529dd03.tar.bz2 samba-d7d8a5ed94a2b572b6818008a858f8c6b529dd03.zip | |
s3-auth Add struct auth3_session_info to aid transition to auth_session info
This will allow a gradual conversion of the required elements from the
current struct auth_serversupplied_info.
This commit adds the structure definition and some helper functions to
copy between the two structures.
At this stage these structures and functions are IDENTICAL to the
existing code, and so show the past history of that code. The plan is
to slowly modify them over the course of the patch series, so that the
changes being made a clear.
By using a seperate structure to auth_serversupplied_info we can
remove elements that are not needed after the authentication, and we
can choose a layout that best reflects the needs of runtime users,
rather than the internals of the authentication subsystem.
By eventually using the auth_session_info from auth.idl, we will gain
a single session authorization structure across the whole codebase,
allowing more code to be shared, and a much more transparent process
for forwarding authorization credentials over the named pipe proxy.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/include/auth.h')
| -rw-r--r-- | source3/include/auth.h | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/source3/include/auth.h b/source3/include/auth.h index 4f7cb9bb14..b1e5c32c36 100644 --- a/source3/include/auth.h +++ b/source3/include/auth.h @@ -75,6 +75,55 @@ struct auth_serversupplied_info { char *sanitized_username; }; +struct auth3_session_info { + bool guest; + bool system; + + struct security_unix_token utok; + + /* NT group information taken from the info3 structure */ + + struct security_token *security_token; + + /* This is the final session key, as used by SMB signing, and + * (truncated to 16 bytes) encryption on the SAMR and LSA pipes + * when over ncacn_np. + * It is calculated by NTLMSSP from the session key in the info3, + * and is set from the Kerberos session key using + * krb5_auth_con_getremotesubkey(). + * + * Bottom line, it is not the same as the session keys in info3. + */ + + DATA_BLOB session_key; + DATA_BLOB lm_session_key; + + struct netr_SamInfo3 *info3; + + /* this structure is filled *only* in pathological cases where the user + * sid or the primary group sid are not sids of the domain. Normally + * this happens only for unix accounts that have unix domain sids. + * This is checked only when info3.rid and/or info3.primary_gid are set + * to the special invalid value of 0xFFFFFFFF */ + struct extra_auth_info extra; + + /* + * This is a token from /etc/passwd and /etc/group + */ + bool nss_token; + + char *unix_name; + + /* + * For performance reasons we keep an alpha_strcpy-sanitized version + * of the username around as long as the global variable current_user + * still exists. If we did not do keep this, we'd have to call + * alpha_strcpy whenever we do a become_user(), potentially on every + * smb request. See set_current_user_info. + */ + char *sanitized_username; +}; + struct auth_context { DATA_BLOB challenge; |