s4:auth Allow the operational module to get a user's tokenGroups from auth

This creates a new interface to the auth subsystem, to allow an auth_context to be created from the ldb, and then tokenGroups to be calculated in the same way that the auth subsystem would. Andrew Bartlett
author: Andrew Bartlett <abartlet@samba.org> 2010-04-15 11:58:05 +1000
committer: Andrew Bartlett <abartlet@samba.org> 2010-05-20 17:39:10 +1000
commit: 72ccbcacddd2c3fdc6bfb61b8efb78625368365d (patch)
tree: aec687078b41d811d85113d27381c0ae70df3a6b /source4/auth/ntlm/auth.c
parent: 4fa9aa30996219821d5d2496d574340f14a4a406 (diff)
download: samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.gz
samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.bz2
samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.zip
1 files changed, 74 insertions, 22 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index e9e72fa2a5..b5f3afc86d 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -98,13 +98,16 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal
 }
 
 /****************************************************************************
- Try to get a challenge out of the various authentication modules.
- Returns a const char of length 8 bytes.
+Used in the gensec_gssapi and gensec_krb5 server-side code, where the
+PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
 ****************************************************************************/
 _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, 
-						  struct auth_context *auth_ctx,
-						  const char *principal,
-						  struct auth_serversupplied_info **server_info)
+						 struct auth_context *auth_ctx,
+						 const char *principal,
+						 struct ldb_dn *user_dn,
+						 struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
 	struct auth_method_context *method;
@@ -114,7 +117,7 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
 			continue;
 		}
 
-		nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info);
+		nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
 			continue;
 		}
@@ -399,13 +402,14 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 
 /***************************************************************************
  Make a auth_info struct for the auth subsystem
- - Allow the caller to specify the methods to use
+ - Allow the caller to specify the methods to use, including optionally the SAM to use
 ***************************************************************************/
 _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, 
-				     struct tevent_context *ev,
-				     struct messaging_context *msg,
-				     struct loadparm_context *lp_ctx,
-				     struct auth_context **auth_ctx)
+					      struct tevent_context *ev,
+					      struct messaging_context *msg,
+					      struct loadparm_context *lp_ctx,
+					      struct ldb_context *sam_ctx,
+					      struct auth_context **auth_ctx)
 {
 	int i;
 	struct auth_context *ctx;
@@ -437,7 +441,11 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 	ctx->msg_ctx			= msg;
 	ctx->lp_ctx			= lp_ctx;
 
-	ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+	if (sam_ctx) {
+		ctx->sam_ctx = sam_ctx;
+	} else {
+		ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+	}
 
 	for (i=0; methods[i] ; i++) {
 		struct auth_method_context *method;
@@ -471,15 +479,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 
 	return NT_STATUS_OK;
 }
-/***************************************************************************
- Make a auth_info struct for the auth subsystem
- - Uses default auth_methods, depending on server role and smb.conf settings
-***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, 
-			     struct tevent_context *ev,
-			     struct messaging_context *msg,
-			     struct loadparm_context *lp_ctx,
-			     struct auth_context **auth_ctx)
+
+static const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
 	const char **auth_methods = NULL;
 	switch (lp_server_role(lp_ctx)) {
@@ -493,9 +494,60 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 		auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
 		break;
 	}
-	return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, auth_ctx);
+	return auth_methods;
 }
 
+/***************************************************************************
+ Make a auth_info struct for the auth subsystem
+ - Uses default auth_methods, depending on server role and smb.conf settings
+***************************************************************************/
+_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
+			     struct tevent_context *ev,
+			     struct messaging_context *msg,
+			     struct loadparm_context *lp_ctx,
+			     struct auth_context **auth_ctx)
+{
+	NTSTATUS status;
+	const char **auth_methods;
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+	if (!auth_methods) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx);
+	talloc_free(tmp_ctx);
+	return status;
+}
+
+/* Create an auth context from an open LDB.
+
+   This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
+
+ */
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx)
+{
+	NTSTATUS status;
+	const char **auth_methods;
+	struct loadparm_context *lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
+	struct tevent_context *ev = ldb_get_event_context(ldb);
+
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+	if (!auth_methods) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	status = auth_context_create_methods(mem_ctx, auth_methods, ev, NULL, lp_ctx, ldb, auth_ctx);
+	talloc_free(tmp_ctx);
+	return status;
+}
 
 /* the list of currently registered AUTH backends */
 static struct auth_backend {
author	Andrew Bartlett <abartlet@samba.org>	2010-04-15 11:58:05 +1000
committer	Andrew Bartlett <abartlet@samba.org>	2010-05-20 17:39:10 +1000
commit	72ccbcacddd2c3fdc6bfb61b8efb78625368365d (patch)
tree	aec687078b41d811d85113d27381c0ae70df3a6b /source4/auth/ntlm/auth.c
parent	4fa9aa30996219821d5d2496d574340f14a4a406 (diff)
download	samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.gz samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.bz2 samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.zip