summaryrefslogtreecommitdiff
path: root/source4/auth/gensec
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-02-08 16:53:13 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-02-09 01:11:06 +0100
commita2ce53c1f5301ffcf990dbab837c328ea22739b6 (patch)
tree52dde7c4bb16c0d885b8691a4c5c87f8213b0599 /source4/auth/gensec
parentf1c0e9532d8e3fb0d8942e4d4e1a122429266b16 (diff)
downloadsamba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.gz
samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.bz2
samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.zip
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r--source4/auth/gensec/gensec.c8
-rw-r--r--source4/auth/gensec/gensec.h2
-rw-r--r--source4/auth/gensec/gensec_gssapi.c39
-rw-r--r--source4/auth/gensec/gensec_krb5.c14
4 files changed, 42 insertions, 21 deletions
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index c732c6e8de..b9385debc3 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1315,17 +1315,17 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
if (gensec_security->auth_context) {
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
- server_info,
+ user_info_dc,
flags,
session_info);
} else {
@@ -1333,7 +1333,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
nt_status = auth_generate_session_info(mem_ctx,
NULL,
NULL,
- server_info, flags,
+ user_info_dc, flags,
session_info);
}
return nt_status;
diff --git a/source4/auth/gensec/gensec.h b/source4/auth/gensec/gensec.h
index 62d8a45491..ad581e2fa5 100644
--- a/source4/auth/gensec/gensec.h
+++ b/source4/auth/gensec/gensec.h
@@ -180,7 +180,7 @@ struct gensec_critical_sizes {
struct gensec_security;
struct socket_context;
struct auth_context;
-struct auth_serversupplied_info;
+struct auth_user_info_dc;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 132ea7d8ae..ed0597ca98 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1257,11 +1257,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
TALLOC_CTX *mem_ctx;
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
OM_uint32 maj_stat, min_stat;
gss_buffer_desc pac;
DATA_BLOB pac_blob;
+ struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
|| (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
@@ -1292,10 +1294,23 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
* kind...
*/
if (pac_blob.length) {
- nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
- pac_blob,
- gensec_gssapi_state->smb_krb5_context->krb5_context,
- &server_info);
+ pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_srv_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_kdc_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ pac_blob,
+ gensec_gssapi_state->smb_krb5_context->krb5_context,
+ &user_info_dc,
+ pac_srv_sig,
+ pac_kdc_sig);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -1330,11 +1345,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
NULL,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
@@ -1348,9 +1363,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
}
- /* references the server_info into the session_info */
+ /* references the user_info_dc into the session_info */
nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
- server_info, &session_info);
+ user_info_dc, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -1362,6 +1377,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
return nt_status;
}
+ /* Allow torture tests to check the PAC signatures */
+ if (session_info->torture) {
+ session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
+ session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
+ }
+
if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
} else {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index fc96e3851c..4f452a07ee 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -603,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
struct PAC_LOGON_INFO *logon_info;
@@ -663,10 +663,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
principal_string, smb_get_krb5_error_message(context,
ret, mem_ctx)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
- NULL, &server_info);
+ NULL, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
@@ -709,10 +709,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
}
validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
NULL,
3, &validation,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
@@ -724,8 +724,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
free(principal_string);
krb5_free_principal(context, client_principal);
- /* references the server_info into the session_info */
- nt_status = gensec_generate_session_info(mem_ctx, gensec_security, server_info, &session_info);
+ /* references the user_info_dc into the session_info */
+ nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);