s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup

This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers.  By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.

Andrew Bartlett

4 files changed, 32 insertions, 55 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 06aa9c5108..21a8642751 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -347,8 +347,8 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
 		return false;
 	}
 
-	ret = make_user_info_map(
-		user_info, smb_name, client_domain, 
+	ret = make_user_info(
+		user_info, smb_name, smb_name, client_domain, client_domain, 
 		get_remote_machine_name(),
 		remote_address,
 		local_lm_blob.data ? &local_lm_blob : NULL,
@@ -376,14 +376,14 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
 				      const struct tsocket_address *remote_address,
                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 {
-	return make_user_info_map(user_info, smb_name, 
-				  client_domain, 
-				  get_remote_machine_name(),
-				  remote_address,
-				  lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
-				  nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
-				  NULL, NULL, NULL,
-				  AUTH_PASSWORD_RESPONSE);
+	return make_user_info(user_info, smb_name, smb_name, 
+			      client_domain, client_domain, 
+			      get_remote_machine_name(),
+			      remote_address,
+			      lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
+			      nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
+			      NULL, NULL, NULL,
+			      AUTH_PASSWORD_RESPONSE);
 }
 
 /****************************************************************************
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index bfa649b98b..5b65711b99 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -509,7 +509,7 @@ struct smbd_server_connection {
 		struct {
 			bool encrypted_passwords;
 			bool spnego;
-			struct auth_context *auth_context;
+			struct auth4_context *auth_context;
 			bool done;
 			/*
 			 * Size of the data we can receive. Set by us.
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 8a6b509fea..e44ac5cb75 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -44,7 +44,7 @@ static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8])
 	}
 
 	DEBUG(10, ("get challenge: creating negprot_global_auth_context\n"));
-	nt_status = make_auth_context_subsystem(
+	nt_status = make_auth4_context(
 		sconn, &sconn->smb1.negprot.auth_context);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("make_auth_context_subsystem returned %s",
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index da306b97bc..b2e1f2421f 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -77,31 +77,33 @@ static int push_signature(uint8 **outbuf)
 ****************************************************************************/
 
 static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
-				     struct auth_serversupplied_info **server_info)
+				     TALLOC_CTX *mem_ctx, 
+				     struct auth_session_info **session_info)
 {
-	struct auth_context *auth_context;
+	struct auth4_context *auth_context;
 	struct auth_usersupplied_info *user_info = NULL;
-
+	uint8_t chal[8];
 	NTSTATUS nt_status;
-	static unsigned char chal[8] = { 0, };
 
 	DEBUG(3,("Got anonymous request\n"));
 
-	nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
+	nt_status = make_auth4_context(talloc_tos(), &auth_context);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
 
+	auth_context->get_ntlm_challenge(auth_context,
+					 chal);
+
 	if (!make_user_info_guest(remote_address, &user_info)) {
 		TALLOC_FREE(auth_context);
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	nt_status = auth_context->check_ntlm_password(auth_context,
-						user_info,
-						server_info);
-	TALLOC_FREE(auth_context);
+	nt_status = auth_check_password_session_info(auth_context, 
+						     mem_ctx, user_info, session_info);
 	free_user_info(&user_info);
+	TALLOC_FREE(auth_context);
 	return nt_status;
 }
 
@@ -396,7 +398,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
 	const char *native_lanman;
 	const char *primary_domain;
 	struct auth_usersupplied_info *user_info = NULL;
-	struct auth_serversupplied_info *server_info = NULL;
 	struct auth_session_info *session_info = NULL;
 	uint16 smb_flag2 = req->flags2;
 
@@ -671,10 +672,10 @@ void reply_sesssetup_and_X(struct smb_request *req)
 
 	if (!*user) {
 
-		nt_status = check_guest_password(sconn->remote_address, &server_info);
+		nt_status = check_guest_password(sconn->remote_address, req, &session_info);
 
 	} else if (doencrypt) {
-		struct auth_context *negprot_auth_context = NULL;
+		struct auth4_context *negprot_auth_context = NULL;
 		negprot_auth_context = sconn->smb1.negprot.auth_context;
 		if (!negprot_auth_context) {
 			DEBUG(0, ("reply_sesssetup_and_X:  Attempted encrypted "
@@ -689,15 +690,13 @@ void reply_sesssetup_and_X(struct smb_request *req)
 						sconn->remote_address,
 						lm_resp, nt_resp);
 		if (NT_STATUS_IS_OK(nt_status)) {
-			nt_status = negprot_auth_context->check_ntlm_password(
-					negprot_auth_context,
-					user_info,
-					&server_info);
+			nt_status = auth_check_password_session_info(negprot_auth_context, 
+								     req, user_info, &session_info);
 		}
 	} else {
-		struct auth_context *plaintext_auth_context = NULL;
+		struct auth4_context *plaintext_auth_context = NULL;
 
-		nt_status = make_auth_context_subsystem(
+		nt_status = make_auth4_context(
 			talloc_tos(), &plaintext_auth_context);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
@@ -715,38 +714,16 @@ void reply_sesssetup_and_X(struct smb_request *req)
 			}
 
 			if (NT_STATUS_IS_OK(nt_status)) {
-				nt_status = plaintext_auth_context->check_ntlm_password(
-						plaintext_auth_context,
-						user_info,
-						&server_info);
-
-				TALLOC_FREE(plaintext_auth_context);
+				nt_status = auth_check_password_session_info(plaintext_auth_context, 
+									     req, user_info, &session_info);
 			}
+			TALLOC_FREE(plaintext_auth_context);
 		}
 	}
 
 	free_user_info(&user_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		nt_status = do_map_to_guest_server_info(nt_status, &server_info,
-							user, domain);
-	}
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		data_blob_free(&nt_resp);
-		data_blob_free(&lm_resp);
-		data_blob_clear_free(&plaintext_password);
-		reply_nterror(req, nt_status_squash(nt_status));
-		END_PROFILE(SMBsesssetupX);
-		return;
-	}
-
-	nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
-	TALLOC_FREE(server_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(10, ("create_local_token failed: %s\n",
-			   nt_errstr(nt_status)));
 		data_blob_free(&nt_resp);
 		data_blob_free(&lm_resp);
 		data_blob_clear_free(&plaintext_password);