s3-auth use create_local_token() to transform server_info -> session_info

Before a auth_serversupplied_info struct can be used for
authorization, the local groups and privileges must be calculated.
create_local_token() now copies the server_info, and then sets the
calulated token and unix groups.

Soon, it will also transform the result into an expanded struct
auth_session_info.  Until then, the variable name (server_info vs
session_info provides a clue to the developer about what information
has been entered in the structure).

By moving the calls to create_local_token within the codebase, we
remove duplication, and ensure that the session key (where modified)
is consistently copied into the new structure.

Andrew Bartlett

9 files changed, 193 insertions, 183 deletions

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index ae29c30570..99f4564cdf 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -31,23 +31,16 @@ NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
 					struct auth_ntlmssp_state *auth_ntlmssp_state,
 					struct auth_serversupplied_info **session_info)
 {
-	/* Free the current server_info user_session_key and reset it from the
-	 * current ntlmssp_state session_key */
-	data_blob_free(&auth_ntlmssp_state->server_info->user_session_key);
-	/* Set up the final session key for the connection */
-	auth_ntlmssp_state->server_info->user_session_key =
-		data_blob_talloc(
-			auth_ntlmssp_state->server_info,
-			auth_ntlmssp_state->ntlmssp_state->session_key.data,
-			auth_ntlmssp_state->ntlmssp_state->session_key.length);
-	if (auth_ntlmssp_state->ntlmssp_state->session_key.length &&
-	    !auth_ntlmssp_state->server_info->user_session_key.data) {
-		*session_info = NULL;
-		return NT_STATUS_NO_MEMORY;
+	NTSTATUS nt_status = create_local_token(mem_ctx,
+						auth_ntlmssp_state->server_info,
+						&auth_ntlmssp_state->ntlmssp_state->session_key,
+						session_info);
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(10, ("create_local_token failed: %s\n",
+			   nt_errstr(nt_status)));
 	}
-	/* Steal session_info away from auth_ntlmssp_state */
-	*session_info = talloc_move(mem_ctx, &auth_ntlmssp_state->server_info);
-	return NT_STATUS_OK;
+	return nt_status;
 }
 
 /**
@@ -156,14 +149,6 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 
 	auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 
-	nt_status = create_local_token(auth_ntlmssp_state->server_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(10, ("create_local_token failed: %s\n",
-			nt_errstr(nt_status)));
-		return nt_status;
-	}
-
 	/* Clear out the session keys, and pass them to the caller.
 	 * They will not be used in this form again - instead the
 	 * NTLMSSP code will decide on the final correct session key,
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index c84e3d3508..8666b55b47 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -442,11 +442,46 @@ static NTSTATUS log_nt_token(struct security_token *token)
  * server_info->sids (the info3/sam groups). Find the unix gids.
  */
 
-NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
+NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+			    struct auth_serversupplied_info *server_info,
+			    DATA_BLOB *session_key,
+			    struct auth_serversupplied_info **session_info_out)
 {
 	NTSTATUS status;
 	size_t i;
 	struct dom_sid tmp_sid;
+	struct auth_serversupplied_info *session_info;
+
+	/* Ensure we can't possible take a code path leading to a
+	 * null defref. */
+	if (!server_info) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	session_info = copy_serverinfo(mem_ctx, server_info);
+
+	if (!session_info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (session_key) {
+		data_blob_free(&session_info->user_session_key);
+		session_info->user_session_key = data_blob_talloc(session_info,
+								  session_key->data,
+								  session_key->length);
+		if (!session_info->user_session_key.data && session_key->length) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (session_info->security_token) {
+		/* Just copy the token, it has already been finalised
+		 * (nasty hack to support a cached guest session_info,
+		 * and a possible strategy for auth_samba4 to pass in
+		 * a finalised session) */
+		*session_info_out = session_info;
+		return NT_STATUS_OK;
+	}
 
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
@@ -455,21 +490,21 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 	 */
 
 	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-	    (server_info->nss_token)) {
-		status = create_token_from_username(server_info,
-						    server_info->unix_name,
-						    server_info->guest,
-						    &server_info->utok.uid,
-						    &server_info->utok.gid,
-						    &server_info->unix_name,
-						    &server_info->security_token);
+	    (session_info->nss_token)) {
+		status = create_token_from_username(session_info,
+						    session_info->unix_name,
+						    session_info->guest,
+						    &session_info->utok.uid,
+						    &session_info->utok.gid,
+						    &session_info->unix_name,
+						    &session_info->security_token);
 
 	} else {
-		status = create_local_nt_token_from_info3(server_info,
-							  server_info->guest,
-							  server_info->info3,
-							  &server_info->extra,
-							  &server_info->security_token);
+		status = create_local_nt_token_from_info3(session_info,
+							  session_info->guest,
+							  session_info->info3,
+							  &session_info->extra,
+							  &session_info->security_token);
 	}
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -478,14 +513,14 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 
 	/* Convert the SIDs to gids. */
 
-	server_info->utok.ngroups = 0;
-	server_info->utok.groups = NULL;
+	session_info->utok.ngroups = 0;
+	session_info->utok.groups = NULL;
 
 	/* Start at index 1, where the groups start. */
 
-	for (i=1; i<server_info->security_token->num_sids; i++) {
+	for (i=1; i<session_info->security_token->num_sids; i++) {
 		gid_t gid;
-		struct dom_sid *sid = &server_info->security_token->sids[i];
+		struct dom_sid *sid = &session_info->security_token->sids[i];
 
 		if (!sid_to_gid(sid, &gid)) {
 			DEBUG(10, ("Could not convert SID %s to gid, "
@@ -493,8 +528,8 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 			continue;
 		}
 		if (!add_gid_to_array_unique(server_info, gid,
-					     &server_info->utok.groups,
-					     &server_info->utok.ngroups)) {
+					&session_info->utok.groups,
+					&session_info->utok.ngroups)) {
 			return NT_STATUS_NO_MEMORY;
 		}
 	}
@@ -512,28 +547,33 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 	 * the nt token.
 	 */
 
-	uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
+	uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
 
-	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
-				&server_info->security_token->sids,
-				&server_info->security_token->num_sids);
+	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
+				&session_info->security_token->sids,
+				&session_info->security_token->num_sids);
 
-	for ( i=0; i<server_info->utok.ngroups; i++ ) {
-		gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
-		add_sid_to_array_unique(server_info->security_token, &tmp_sid,
-					&server_info->security_token->sids,
-					&server_info->security_token->num_sids);
+	for ( i=0; i<session_info->utok.ngroups; i++ ) {
+		gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
+		add_sid_to_array_unique(session_info->security_token, &tmp_sid,
+					&session_info->security_token->sids,
+					&session_info->security_token->num_sids);
 	}
 
-	security_token_debug(DBGC_AUTH, 10, server_info->security_token);
+	security_token_debug(DBGC_AUTH, 10, session_info->security_token);
 	debug_unix_user_token(DBGC_AUTH, 10,
-			      server_info->utok.uid,
-			      server_info->utok.gid,
-			      server_info->utok.ngroups,
-			      server_info->utok.groups);
+			      session_info->utok.uid,
+			      session_info->utok.gid,
+			      session_info->utok.ngroups,
+			      session_info->utok.groups);
 
-	status = log_nt_token(server_info->security_token);
-	return status;
+	status = log_nt_token(session_info->security_token);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*session_info_out = session_info;
+	return NT_STATUS_OK;
 }
 
 /***************************************************************************
@@ -693,10 +733,16 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
  Make (and fill) a user_info struct for a guest login.
  This *must* succeed for smbd to start. If there is no mapping entry for
  the guest gid, then create one.
+
+ The resulting structure is a 'session_info' because
+ create_local_token() has already been called on it.  This is quite
+ nasty, as the auth subsystem isn't expect this, but the behaviour is
+ left as-is for now.
 ***************************************************************************/
 
-static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
+static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **session_info)
 {
+	struct auth_serversupplied_info *server_info;
 	static const char zeros[16] = {0};
 	const char *guest_account = lp_guestaccount();
 	const char *domain = global_myname();
@@ -720,29 +766,34 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser
 	status = make_server_info_info3(tmp_ctx,
 					guest_account,
 					domain,
-					server_info,
+					&server_info,
 					&info3);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-	(*server_info)->guest = True;
+	server_info->guest = True;
 
-	status = create_local_token(*server_info);
+	/* This should not be done here (we should produce a server
+	 * info, and later construct a session info from it), but for
+	 * now this does not change the previous behaviours */
+	status = create_local_token(tmp_ctx, server_info, NULL, session_info);
+	TALLOC_FREE(server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("create_local_token failed: %s\n",
 			   nt_errstr(status)));
 		goto done;
 	}
+	talloc_steal(NULL, *session_info);
 
 	/* annoying, but the Guest really does have a session key, and it is
 	   all zeros! */
-	(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
-	(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+	(*session_info)->user_session_key = data_blob(zeros, sizeof(zeros));
+	(*session_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
 
-	alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
+	alpha_strcpy(tmp, (*session_info)->info3->base.account_name.string,
 		     ". _-$", sizeof(tmp));
-	(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
+	(*session_info)->sanitized_username = talloc_strdup(*session_info, tmp);
 
 	status = NT_STATUS_OK;
 done:
@@ -766,10 +817,10 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
-	status = make_serverinfo_from_username(mem_ctx,
-					     pwd->pw_name,
-					     false,
-					     session_info);
+	status = make_session_info_from_username(mem_ctx,
+						 pwd->pw_name,
+						 false,
+						 session_info);
 	TALLOC_FREE(pwd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -790,13 +841,15 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************************
-  Fake a auth_serversupplied_info just from a username
+  Fake a auth_serversupplied_info just from a username (as a
+  session_info structure, with create_local_token() already called on
+  it.
 ****************************************************************************/
 
-NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
-				       const char *username,
-				       bool is_guest,
-				       struct auth_serversupplied_info **presult)
+NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
+					 const char *username,
+					 bool is_guest,
+					 struct auth_serversupplied_info **session_info)
 {
 	struct auth_serversupplied_info *result;
 	struct passwd *pwd;
@@ -818,15 +871,10 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
 	result->nss_token = true;
 	result->guest = is_guest;
 
-	status = create_local_token(result);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(result);
-		return status;
-	}
-
-	*presult = talloc_steal(mem_ctx, result);
-	return NT_STATUS_OK;
+	/* Now turn the server_info into a session_info with the full token etc */
+	status = create_local_token(mem_ctx, result, NULL, session_info);
+	talloc_free(result);
+	return status;
 }
 
 
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 3bf325e763..15e79dda0a 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -101,7 +101,10 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) ;
 struct samu;
 NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
 			      struct samu *sampass);
-NTSTATUS create_local_token(struct auth_serversupplied_info *server_info);
+NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+			    struct auth_serversupplied_info *server_info,
+			    DATA_BLOB *session_key,
+			    struct auth_serversupplied_info **session_info_out);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 				    bool is_guest,
 				    uid_t *uid, gid_t *gid,
@@ -113,10 +116,10 @@ struct passwd;
 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
                              char *unix_username,
 			     struct passwd *pwd);
-NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
-				       const char *username,
-				       bool is_guest,
-				       struct auth_serversupplied_info **presult);
+NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
+					 const char *username,
+					 bool is_guest,
+					 struct auth_serversupplied_info **session_info);
 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
 						 const struct auth_serversupplied_info *src);
 bool init_guest_info(void);
@@ -258,11 +261,12 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 				     char **ntdomain,
 				     char **username,
 				     struct passwd **_pw);
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-			       bool mapped_to_guest, bool username_was_mapped,
-			       struct auth_serversupplied_info **server_info);
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info);
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 1d87ccab79..db73c6dfc0 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -179,19 +179,21 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-			       bool mapped_to_guest, bool username_was_mapped,
-				struct auth_serversupplied_info **server_info)
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info)
 {
 	NTSTATUS status;
+	struct auth_serversupplied_info *server_info;
 
 	if (mapped_to_guest) {
-		status = make_server_info_guest(mem_ctx, server_info);
+		status = make_server_info_guest(mem_ctx, &server_info);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_guest failed: %s!\n",
 				  nt_errstr(status)));
@@ -204,7 +206,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 
 		status = make_server_info_info3(mem_ctx,
 						ntuser, ntdomain,
-						server_info,
+						&server_info,
 						&logon_info->info3);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
@@ -248,28 +250,24 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 			return status;
                 }
 
-		/* Steal tmp server info into the server_info pointer. */
-		*server_info = talloc_move(mem_ctx, &tmp);
-
 		/* make_server_info_pw does not set the domain. Without this
 		 * we end up with the local netbios name in substitutions for
 		 * %D. */
 
-		if ((*server_info)->info3 != NULL) {
-			(*server_info)->info3->base.domain.string =
-				talloc_strdup((*server_info)->info3, ntdomain);
+		if (server_info->info3 != NULL) {
+			server_info->info3->base.domain.string =
+				talloc_strdup(server_info->info3, ntdomain);
 		}
 	}
 
-	(*server_info)->nss_token |= username_was_mapped;
+	server_info->nss_token |= username_was_mapped;
 
-	if (!mapped_to_guest) {
-		status = create_local_token(*server_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(10,("failed to create local token: %s\n",
-				nt_errstr(status)));
-			return status;
-		}
+	status = create_local_token(mem_ctx, server_info, session_key, session_info);
+	talloc_free(server_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10,("failed to create local token: %s\n",
+			  nt_errstr(status)));
+		return status;
 	}
 
 	return NT_STATUS_OK;
@@ -290,14 +288,15 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
-				struct auth_serversupplied_info **server_info)
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c
index a3007e4044..c8a015e066 100644
--- a/source3/rpc_server/dcesrv_gssapi.c
+++ b/source3/rpc_server/dcesrv_gssapi.c
@@ -228,9 +228,10 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 
 	/* TODO: save PAC data in netsamlogon cache ? */
 
-	status = make_server_info_krb5(mem_ctx,
+	status = make_session_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-				       logon_info, is_guest, is_mapped, server_info);
+					logon_info, is_guest, is_mapped, NULL /* No session key for now */,
+					server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
 			  nt_errstr(status)));
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index b9e5f9f946..9934e196cc 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -88,6 +88,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
 	struct netr_SamInfo3 *info3;
 	struct auth_user_info_dc *auth_user_info_dc;
 	struct pipes_struct *p;
+	struct auth_serversupplied_info *server_info;
 	NTSTATUS status;
 	bool ok;
 
@@ -148,7 +149,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
 	status = make_server_info_info3(p,
 					info3->base.account_name.string,
 					info3->base.domain.string,
-					&p->session_info, info3);
+					&server_info, info3);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to init server info\n"));
 		TALLOC_FREE(p);
@@ -160,7 +161,8 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
 	 * Some internal functions need a local token to determine access to
 	 * resoutrces.
 	 */
-	status = create_local_token(p->session_info);
+	status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
+	talloc_free(server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to init local auth token\n"));
 		TALLOC_FREE(p);
@@ -173,10 +175,6 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
 	 * regardless of what we just calculated */
 	p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
 
-	/* Also set the session key to the correct value */
-	p->session_info->user_session_key = session_info->session_key;
-	p->session_info->user_session_key.data = talloc_move(p->session_info, &session_info->session_key.data);
-
 	p->client_id = talloc_zero(p, struct client_address);
 	if (!p->client_id) {
 		TALLOC_FREE(p);
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index f48cfcaa5d..b29713d21d 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -655,8 +655,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
 			return NT_STATUS_WRONG_PASSWORD;
                 }
 
-		return make_serverinfo_from_username(mem_ctx, user, guest,
-						     presult);
+		return make_session_info_from_username(mem_ctx, user, guest,
+						       presult);
         }
 
 	DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
@@ -688,7 +688,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		status = make_serverinfo_from_username(
+		status = make_session_info_from_username(
 			conn, fuser, conn->session_info->guest,
 			&forced_serverinfo);
 		if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 57b0b68be7..5067201a65 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -248,7 +248,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	int sess_vuid = req->vuid;
 	NTSTATUS ret = NT_STATUS_OK;
 	DATA_BLOB ap_rep, ap_rep_wrapped, response;
-	struct auth_serversupplied_info *server_info = NULL;
+	struct auth_serversupplied_info *session_info = NULL;
 	DATA_BLOB session_key = data_blob_null;
 	uint8 tok_id[2];
 	DATA_BLOB nullblob = data_blob_null;
@@ -369,15 +369,16 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	/* reload services so that the new %U is taken into account */
 	reload_services(sconn->msg_ctx, sconn->sock, True);
 
-	ret = make_server_info_krb5(mem_ctx,
-				    user, domain, real_username, pw,
-				    logon_info, map_domainuser_to_guest,
-				    username_was_mapped,
-				    &server_info);
+	ret = make_session_info_krb5(mem_ctx,
+				     user, domain, real_username, pw,
+				     logon_info, map_domainuser_to_guest,
+				     username_was_mapped,
+				     &session_key,
+				     &session_info);
+	data_blob_free(&session_key);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(1, ("make_server_info_krb5 failed!\n"));
 		data_blob_free(&ap_rep);
-		data_blob_free(&session_key);
 		TALLOC_FREE(mem_ctx);
 		reply_nterror(req, nt_status_squash(ret));
 		return;
@@ -387,20 +388,13 @@ static void reply_spnego_kerberos(struct smb_request *req,
 		sess_vuid = register_initial_vuid(sconn);
 	}
 
-	data_blob_free(&server_info->user_session_key);
-	/* Set the kerberos-derived session key onto the server_info */
-	server_info->user_session_key = session_key;
-	talloc_steal(server_info, session_key.data);
-
-	session_key = data_blob_null;
-
 	/* register_existing_vuid keeps the server info */
 	/* register_existing_vuid takes ownership of session_key on success,
 	 * no need to free after this on success. A better interface would copy
 	 * it.... */
 
 	sess_vuid = register_existing_vuid(sconn, sess_vuid,
-					   server_info, nullblob, user);
+					   session_info, nullblob, user);
 
 	reply_outbuf(req, 4, 0);
 	SSVAL(req->outbuf,smb_uid,sess_vuid);
@@ -413,7 +407,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 
 		SSVAL(req->outbuf, smb_vwv3, 0);
 
-		if (server_info->guest) {
+		if (session_info->guest) {
 			SSVAL(req->outbuf,smb_vwv2,1);
 		}
 
@@ -1275,6 +1269,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	const char *primary_domain;
 	struct auth_usersupplied_info *user_info = NULL;
 	struct auth_serversupplied_info *server_info = NULL;
+	struct auth_serversupplied_info *session_info = NULL;
 	uint16 smb_flag2 = req->flags2;
 
 	NTSTATUS nt_status;
@@ -1622,29 +1617,20 @@ void reply_sesssetup_and_X(struct smb_request *req)
 		return;
 	}
 
-	/* Ensure we can't possible take a code path leading to a
-	 * null defref. */
-	if (!server_info) {
-		reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
+	nt_status = create_local_token(req, server_info, NULL, &session_info);
+	TALLOC_FREE(server_info);
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(10, ("create_local_token failed: %s\n",
+			   nt_errstr(nt_status)));
+		data_blob_free(&nt_resp);
+		data_blob_free(&lm_resp);
+		data_blob_clear_free(&plaintext_password);
+		reply_nterror(req, nt_status_squash(nt_status));
 		END_PROFILE(SMBsesssetupX);
 		return;
 	}
 
-	if (!server_info->security_token) {
-		nt_status = create_local_token(server_info);
-
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			DEBUG(10, ("create_local_token failed: %s\n",
-				   nt_errstr(nt_status)));
-			data_blob_free(&nt_resp);
-			data_blob_free(&lm_resp);
-			data_blob_clear_free(&plaintext_password);
-			reply_nterror(req, nt_status_squash(nt_status));
-			END_PROFILE(SMBsesssetupX);
-			return;
-		}
-	}
-
 	data_blob_clear_free(&plaintext_password);
 
 	/* it's ok - setup a reply */
@@ -1654,7 +1640,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 		/* perhaps grab OS version here?? */
 	}
 
-	if (server_info->guest) {
+	if (session_info->guest) {
 		SSVAL(req->outbuf,smb_vwv2,1);
 	}
 
@@ -1663,7 +1649,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 
 	if (lp_security() == SEC_SHARE) {
 		sess_vuid = UID_FIELD_INVALID;
-		TALLOC_FREE(server_info);
+		TALLOC_FREE(session_info);
 	} else {
 		/* Ignore the initial vuid. */
 		sess_vuid = register_initial_vuid(sconn);
@@ -1675,9 +1661,9 @@ void reply_sesssetup_and_X(struct smb_request *req)
 			END_PROFILE(SMBsesssetupX);
 			return;
 		}
-		/* register_existing_vuid keeps the server info */
+		/* register_existing_vuid keeps the session_info */
 		sess_vuid = register_existing_vuid(sconn, sess_vuid,
-					server_info,
+					session_info,
 					nt_resp.data ? nt_resp : lm_resp,
 					sub_user);
 		if (sess_vuid == UID_FIELD_INVALID) {
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 3668ab8851..722e4c7705 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -236,11 +236,12 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	/* reload services so that the new %U is taken into account */
 	reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
 
-	status = make_server_info_krb5(session,
-				       user, domain, real_username, pw,
-				       logon_info, map_domainuser_to_guest,
-				       username_was_mapped,
-				       &session->session_info);
+	status = make_session_info_krb5(session,
+					user, domain, real_username, pw,
+					logon_info, map_domainuser_to_guest,
+					username_was_mapped,
+					&session_key,
+					&session->session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
 		goto fail;
@@ -259,18 +260,6 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		session->do_signing = false;
 	}
 
-	data_blob_free(&session->session_info->user_session_key);
-	session->session_info->user_session_key =
-			data_blob_talloc(
-				session->session_info,
-				session_key.data,
-				session_key.length);
-        if (session_key.length > 0) {
-		if (session->session_info->user_session_key.data == NULL) {
-			status = NT_STATUS_NO_MEMORY;
-			goto fail;
-		}
-	}
 	session->session_key = session->session_info->user_session_key;
 
 	session->compat_vuser = talloc_zero(session, user_struct);