diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-12-28 17:48:45 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-12-29 01:10:58 +0100 |
commit | 149f8f16be79dc9d142971fb74633cfc5b186840 (patch) | |
tree | f13e1a8f8b7c58f659330dc8ceb0a20e4fa0448c /source4/auth/gensec | |
parent | fc226f81c6c14b1afc9b98692463ff1e2f9b2464 (diff) | |
download | samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.gz samba-149f8f16be79dc9d142971fb74633cfc5b186840.tar.bz2 samba-149f8f16be79dc9d142971fb74633cfc5b186840.zip |
s4-gensec: Move parsing of the PAC blob and creating the session_info into auth
This uses a single callback to handle the PAC from the DATA_BLOB
format until it becomes a struct auth_session_info.
This allows a seperation between the GSS acceptor code and the PAC
interpretation code based on the supplied auth context.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet@samba.org>
Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104
Diffstat (limited to 'source4/auth/gensec')
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 116 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 79 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_util.c | 97 | ||||
-rw-r--r-- | source4/auth/gensec/wscript_build | 6 |
4 files changed, 152 insertions, 146 deletions
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 78678cc9d8..1e7a0a3df4 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1307,16 +1307,38 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi TALLOC_CTX *mem_ctx; struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; OM_uint32 maj_stat, min_stat; - DATA_BLOB pac_blob; - struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; - struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; + + gss_buffer_desc name_token; + char *principal_string; mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + maj_stat = gss_display_name (&min_stat, + gensec_gssapi_state->client_name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("GSS display_name failed: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + talloc_free(mem_ctx); + return NT_STATUS_FOOBAR; + } + + principal_string = talloc_strndup(mem_ctx, + (const char *)name_token.value, + name_token.length); + + gss_release_buffer(&min_stat, &name_token); + + if (!principal_string) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context, gensec_gssapi_state->client_name, &pac_blob); @@ -1326,78 +1348,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi * kind... */ if (NT_STATUS_IS_OK(nt_status)) { - pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_srv_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_kdc_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, - pac_blob, - gensec_gssapi_state->smb_krb5_context->krb5_context, - &user_info_dc, - pac_srv_sig, - pac_kdc_sig); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { - gss_buffer_desc name_token; - char *principal_string; - - maj_stat = gss_display_name (&min_stat, - gensec_gssapi_state->client_name, - &name_token, - NULL); - if (GSS_ERROR(maj_stat)) { - DEBUG(1, ("GSS display_name failed: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - talloc_free(mem_ctx); - return NT_STATUS_FOOBAR; - } - - principal_string = talloc_strndup(mem_ctx, - (const char *)name_token.value, - name_token.length); - - gss_release_buffer(&min_stat, &name_token); - - if (!principal_string) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - if (gensec_security->auth_context && - !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, - gensec_security->auth_context, - principal_string, - NULL, - &user_info_dc); - - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n", - principal_string, - gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - return NT_STATUS_ACCESS_DENIED; - } - } - - /* references the user_info_dc into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, - user_info_dc, &session_info); + pac_blob_ptr = &pac_blob; + } + nt_status = gensec_generate_session_info_pac(mem_ctx, + gensec_security, + gensec_gssapi_state->smb_krb5_context, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1409,12 +1367,6 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return nt_status; } - /* Allow torture tests to check the PAC signatures */ - if (session_info->torture) { - session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig); - session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig); - } - if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) { DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n")); } else { diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 0c86177960..d5f5f8a438 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -618,14 +618,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data; krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context; - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; - struct PAC_LOGON_INFO *logon_info; krb5_principal client_principal; char *principal_string; - DATA_BLOB pac; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; krb5_data pac_data; krb5_error_code ret; @@ -659,49 +657,15 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security KRB5_AUTHDATA_WIN2K_PAC, &pac_data); - if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n", - principal_string, - smb_get_krb5_error_message(context, - ret, mem_ctx))); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } else if (ret) { + if (ret) { /* NO pac */ DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - if (gensec_security->auth_context && - !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { - DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s", - principal_string, smb_get_krb5_error_message(context, - ret, mem_ctx))); - nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx, - gensec_security->auth_context, - principal_string, - NULL, &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } - } else { - DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", - principal_string)); - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return NT_STATUS_ACCESS_DENIED; - } } else { /* Found pac */ - union netr_Validation validation; - - pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); - if (!pac.data) { + pac_blob = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length); + if (!pac_blob.data) { free(principal_string); krb5_free_principal(context, client_principal); talloc_free(mem_ctx); @@ -709,12 +673,12 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* decode and verify the pac */ - nt_status = kerberos_pac_logon_info(gensec_krb5_state, - pac, - gensec_krb5_state->smb_krb5_context->krb5_context, - NULL, gensec_krb5_state->keyblock, - client_principal, - gensec_krb5_state->ticket->ticket.authtime, &logon_info); + nt_status = kerberos_decode_pac(gensec_krb5_state, + pac_blob, + gensec_krb5_state->smb_krb5_context->krb5_context, + NULL, gensec_krb5_state->keyblock, + client_principal, + gensec_krb5_state->ticket->ticket.authtime, NULL); if (!NT_STATUS_IS_OK(nt_status)) { free(principal_string); @@ -723,26 +687,19 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security return nt_status; } - validation.sam3 = &logon_info->info3; - nt_status = make_user_info_dc_netlogon_validation(mem_ctx, - NULL, - 3, &validation, - true, /* This user was authenticated */ - &user_info_dc); - if (!NT_STATUS_IS_OK(nt_status)) { - free(principal_string); - krb5_free_principal(context, client_principal); - talloc_free(mem_ctx); - return nt_status; - } + pac_blob_ptr = &pac_blob; } + nt_status = gensec_generate_session_info_pac(mem_ctx, + gensec_security, + gensec_krb5_state->smb_krb5_context, + pac_blob_ptr, principal_string, + gensec_get_remote_address(gensec_security), + &session_info); + free(principal_string); krb5_free_principal(context, client_principal); - /* references the user_info_dc into the session_info */ - nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c index 267366af61..fa28c6528c 100644 --- a/source4/auth/gensec/gensec_util.c +++ b/source4/auth/gensec/gensec_util.c @@ -22,8 +22,13 @@ #include "includes.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_proto.h" #include "auth/auth.h" +#include "auth/credentials/credentials.h" #include "auth/system_session_proto.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "auth/kerberos/kerberos_util.h" NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, @@ -57,3 +62,95 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, } return nt_status; } + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + uint32_t session_info_flags = 0; + TALLOC_CTX *mem_ctx; + struct auth_user_info_dc *user_info_dc; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", + principal_string)); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n", + principal_string)); + } + + if (gensec_security->auth_context) { + return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, + mem_ctx_out, + smb_krb5_context, + pac_blob, + principal_string, + remote_address, + session_info_flags, + session_info); + } else if (!pac_blob) { + DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n")); + return NT_STATUS_NO_SUCH_USER; + } + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx_out, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if ((*session_info)->torture) { + (*session_info)->torture->pac_srv_sig + = talloc_steal((*session_info)->torture, pac_srv_sig); + (*session_info)->torture->pac_kdc_sig + = talloc_steal((*session_info)->torture, pac_kdc_sig); + } + + talloc_free(mem_ctx); + return nt_status; +} diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build index 86d958950f..a4c5685f2e 100644 --- a/source4/auth/gensec/wscript_build +++ b/source4/auth/gensec/wscript_build @@ -2,14 +2,14 @@ bld.SAMBA_SUBSYSTEM('gensec_util', source='socket.c gensec_tstream.c gensec_util.c', - deps='tevent-util tevent samba-util LIBTSOCKET', + deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL', autoproto='gensec_proto.h') bld.SAMBA_MODULE('gensec_krb5', source='gensec_krb5.c', subsystem='gensec', init_function='gensec_krb5_init', - deps='samba-credentials authkrb5 auth_session com_err', + deps='samba-credentials authkrb5 auth_session com_err gensec_util', internal_module=False, ) @@ -18,7 +18,7 @@ bld.SAMBA_MODULE('gensec_gssapi', source='gensec_gssapi.c', subsystem='gensec', init_function='gensec_gssapi_init', - deps='gssapi samba-credentials authkrb5 com_err' + deps='gssapi samba-credentials authkrb5 com_err gensec_util' ) |