diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2011-02-08 16:53:13 +1100 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2011-02-09 01:11:06 +0100 |
| commit | a2ce53c1f5301ffcf990dbab837c328ea22739b6 (patch) | |
| tree | 52dde7c4bb16c0d885b8691a4c5c87f8213b0599 /source4/auth/kerberos | |
| parent | f1c0e9532d8e3fb0d8942e4d4e1a122429266b16 (diff) | |
| download | samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.gz samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.bz2 samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.zip | |
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
Diffstat (limited to 'source4/auth/kerberos')
| -rw-r--r-- | source4/auth/kerberos/kerberos.h | 4 | ||||
| -rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 103 |
2 files changed, 57 insertions, 50 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h index 94de096543..501a4653d7 100644 --- a/source4/auth/kerberos/kerberos.h +++ b/source4/auth/kerberos/kerberos.h @@ -23,7 +23,7 @@ #include "auth/kerberos/krb5_init_context.h" #include "librpc/gen_ndr/krb5pac.h" -struct auth_serversupplied_info; +struct auth_user_info_dc; struct cli_credentials; struct ccache_container { @@ -134,7 +134,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, const krb5_keyblock *service_keyblock, DATA_BLOB *pac); krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, krb5_context context, const krb5_keyblock *krbtgt_keyblock, const krb5_keyblock *service_keyblock, diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 23b875056b..9620a80d02 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -524,7 +524,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, krb5_context context, const krb5_keyblock *krbtgt_keyblock, const krb5_keyblock *service_keyblock, @@ -612,7 +612,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, talloc_free(pac_data); return ENOMEM; } - nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3); + nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status))); talloc_free(pac_data); @@ -645,10 +645,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, return ret; } -krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, - krb5_pac pac, - krb5_context context, - struct auth_serversupplied_info **server_info) +krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, + krb5_pac pac, + krb5_context context, + struct auth_user_info_dc **user_info_dc, + struct PAC_SIGNATURE_DATA *pac_srv_sig, + struct PAC_SIGNATURE_DATA *pac_kdc_sig) { NTSTATUS nt_status; enum ndr_err_code ndr_err; @@ -658,7 +660,7 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in; union PAC_INFO info; - struct auth_serversupplied_info *server_info_out; + struct auth_user_info_dc *user_info_dc_out; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -686,62 +688,67 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, } /* Pull this right into the normal auth sysstem structures */ - nt_status = make_server_info_pac(mem_ctx, + nt_status = make_user_info_dc_pac(mem_ctx, info.logon_info.info, - &server_info_out); + &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return EINVAL; } - ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in); - if (ret != 0) { - talloc_free(tmp_ctx); - return ret; - } - - pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length); - - ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out, - &server_info_out->pac_srv_sig, - (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); - krb5_data_free(&k5pac_srv_checksum_in); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DEBUG(0,("can't parse the KDC signature: %s\n", - nt_errstr(nt_status))); - return EINVAL; - } + if (pac_srv_sig) { + ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in); + if (ret != 0) { + talloc_free(tmp_ctx); + return ret; + } - ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in); - if (ret != 0) { - talloc_free(tmp_ctx); - return ret; + pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length); + + ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig, + pac_srv_sig, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + krb5_data_free(&k5pac_srv_checksum_in); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(nt_status))); + return EINVAL; + } } - pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length); + if (pac_kdc_sig) { + ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in); + if (ret != 0) { + talloc_free(tmp_ctx); + return ret; + } - ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out, - &server_info_out->pac_kdc_sig, - (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); - krb5_data_free(&k5pac_kdc_checksum_in); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DEBUG(0,("can't parse the KDC signature: %s\n", - nt_errstr(nt_status))); - return EINVAL; + pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length); + + ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig, + pac_kdc_sig, + (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA); + krb5_data_free(&k5pac_kdc_checksum_in); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the KDC signature: %s\n", + nt_errstr(nt_status))); + return EINVAL; + } } - - *server_info = server_info_out; + *user_info_dc = user_info_dc_out; return 0; } -NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx, - DATA_BLOB pac_blob, - krb5_context context, - struct auth_serversupplied_info **server_info) +NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx, + DATA_BLOB pac_blob, + krb5_context context, + struct auth_user_info_dc **user_info_dc, + struct PAC_SIGNATURE_DATA *pac_srv_sig, + struct PAC_SIGNATURE_DATA *pac_kdc_sig) { krb5_error_code ret; krb5_pac pac; @@ -753,7 +760,7 @@ NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx, } - ret = kerberos_pac_to_server_info(mem_ctx, pac, context, server_info); + ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig); krb5_pac_free(context, pac); if (ret) { return map_nt_error_from_unix(ret); |