s3-auth consolidate create_local_token() into make_server_info_krb5()

This ensures that all callers don't need to each add builtin groups
and privileges to the user's token

Andrew Bartlett

6 files changed, 19 insertions, 51 deletions

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 88cc7074ed..3bf325e763 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -264,5 +264,5 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
-				struct auth_serversupplied_info **server_info);
+			       bool mapped_to_guest, bool username_was_mapped,
+			       struct auth_serversupplied_info **server_info);
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index e52149afd7..1d87ccab79 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -185,7 +185,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
+			       bool mapped_to_guest, bool username_was_mapped,
 				struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS status;
@@ -259,7 +259,17 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 			(*server_info)->info3->base.domain.string =
 				talloc_strdup((*server_info)->info3, ntdomain);
 		}
+	}
+
+	(*server_info)->nss_token |= username_was_mapped;
 
+	if (!mapped_to_guest) {
+		status = create_local_token(*server_info);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(10,("failed to create local token: %s\n",
+				nt_errstr(status)));
+			return status;
+		}
 	}
 
 	return NT_STATUS_OK;
diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c
index f60f6ce245..a3007e4044 100644
--- a/source3/rpc_server/dcesrv_gssapi.c
+++ b/source3/rpc_server/dcesrv_gssapi.c
@@ -230,7 +230,7 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 
 	status = make_server_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-					logon_info, is_guest, server_info);
+				       logon_info, is_guest, is_mapped, server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
 			  nt_errstr(status)));
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 73a34866b2..27a43f30f7 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -738,16 +738,6 @@ static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
 		return status;
 	}
 
-	if ((*session_info)->security_token == NULL) {
-		status = create_local_token(*session_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(1, ("Failed to create local user token (%s)\n",
-				  nt_errstr(status)));
-			status = NT_STATUS_ACCESS_DENIED;
-			return status;
-		}
-	}
-
 	/* TODO: this is what the ntlmssp code does with the session_key, check
 	 * it is ok with gssapi too */
 	/*
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index c5d44c6185..57b0b68be7 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -372,6 +372,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	ret = make_server_info_krb5(mem_ctx,
 				    user, domain, real_username, pw,
 				    logon_info, map_domainuser_to_guest,
+				    username_was_mapped,
 				    &server_info);
 	if (!NT_STATUS_IS_OK(ret)) {
 		DEBUG(1, ("make_server_info_krb5 failed!\n"));
@@ -382,25 +383,6 @@ static void reply_spnego_kerberos(struct smb_request *req,
 		return;
 	}
 
-	server_info->nss_token |= username_was_mapped;
-
-	/* we need to build the token for the user. make_server_info_guest()
-	   already does this */
-
-	if ( !server_info->security_token ) {
-		ret = create_local_token( server_info );
-		if ( !NT_STATUS_IS_OK(ret) ) {
-			DEBUG(10,("failed to create local token: %s\n",
-				nt_errstr(ret)));
-			data_blob_free(&ap_rep);
-			data_blob_free(&session_key);
-			TALLOC_FREE( mem_ctx );
-			TALLOC_FREE( server_info );
-			reply_nterror(req, nt_status_squash(ret));
-			return;
-		}
-	}
-
 	if (!is_partial_auth_vuid(sconn, sess_vuid)) {
 		sess_vuid = register_initial_vuid(sconn);
 	}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 6649cfb59a..3668ab8851 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -237,29 +237,15 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
 
 	status = make_server_info_krb5(session,
-					user, domain, real_username, pw,
-					logon_info, map_domainuser_to_guest,
-					&session->session_info);
+				       user, domain, real_username, pw,
+				       logon_info, map_domainuser_to_guest,
+				       username_was_mapped,
+				       &session->session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
 		goto fail;
 	}
 
-
-	session->session_info->nss_token |= username_was_mapped;
-
-	/* we need to build the token for the user. make_session_info_guest()
-	   already does this */
-
-	if (!session->session_info->security_token ) {
-		status = create_local_token(session->session_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(10,("smb2: failed to create local token: %s\n",
-				nt_errstr(status)));
-			goto fail;
-		}
-	}
-
 	if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
 	     lp_server_signing() == Required) {
 		session->do_signing = true;