diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-12-28 17:48:45 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-12-29 01:10:58 +0100 |
commit | 149f8f16be79dc9d142971fb74633cfc5b186840 (patch) | |
tree | f13e1a8f8b7c58f659330dc8ceb0a20e4fa0448c /source4/auth/gensec/gensec_krb5.c | |
parent | fc226f81c6c14b1afc9b98692463ff1e2f9b2464 (diff) | |
download | samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.gz samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.bz2 samba-149f8f16be79dc9d142971fb74633cfc5b186840.zip |
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
Diffstat (limited to 'source4/auth/gensec/gensec_krb5.c')
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 79 |
1 files changed, 18 insertions, 61 deletions
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 0c86177960..d5f5f8a438 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -618,14 +618,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; - struct PAC_LOGON_INFO *logon_info; krb5_principal client_principal; char *principal_string; - DATA_BLOB pac; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; krb5_data pac_data; krb5_error_code ret; @@ -659,49 +657,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", - principal_string, - smb_get_krb5_error_message(context, - ret, mem_ctx))); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } else if (ret) { + if (ret) { /* NO pac */ DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - if (gensec_security->auth_context && - !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s", - principal_string, smb_get_krb5_error_message(context, - ret, mem_ctx))); - nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, - gensec_security->auth_context, - principal_string, - NULL, &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } - } else { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", - principal_string)); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } } else { /* Found pac */ - union netr_Validation validation; - - pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); - if (!pac.data) { + pac_blob = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); + if (!pac_blob.data) { free(principal_string); krb5_free_principal(context, client_principal); talloc_free(mem_ctx); @@ -709,12 +673,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* decode and verify the pac */ - nt_status = kerberos_pac_logon_info(gensec_krb5_state, - pac, - gensec_krb5_state->smb_krb5_context->krb5_context, - NULL, gensec_krb5_state->keyblock, - client_principal, - gensec_krb5_state->ticket->ticket.authtime, &logon_info); + nt_status = kerberos_decode_pac(gensec_krb5_state, + pac_blob, + gensec_krb5_state->smb_krb5_context->krb5_context, + NULL, gensec_krb5_state->keyblock, + client_principal, + gensec_krb5_state->ticket->ticket.authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); @@ -723,26 +687,19 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security return nt_status; } - validation.sam3 = &logon_info->info3; - nt_status = make_user_info_dc_netlogon_validation(mem_ctx, - NULL, - 3, &validation, - true, /* This user was authenticated */ - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } + pac_blob_ptr = &pac_blob; } + nt_status = gensec_generate_session_info_pac(mem_ctx, + gensec_security, + gensec_krb5_state->smb_krb5_context, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); + free(principal_string); krb5_free_principal(context, client_principal); - /* references the user_info_dc into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; |