diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-04-15 11:58:05 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-05-20 17:39:10 +1000 |
commit | 72ccbcacddd2c3fdc6bfb61b8efb78625368365d (patch) | |
tree | aec687078b41d811d85113d27381c0ae70df3a6b /source4/auth/ntlm/auth_sam.c | |
parent | 4fa9aa30996219821d5d2496d574340f14a4a406 (diff) | |
download | samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.gz samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.tar.bz2 samba-72ccbcacddd2c3fdc6bfb61b8efb78625368365d.zip |
s4:auth Allow the operational module to get a user's tokenGroups from auth
This creates a new interface to the auth subsystem, to allow an
auth_context to be created from the ldb, and then tokenGroups to be
calculated in the same way that the auth subsystem would.
Andrew Bartlett
Diffstat (limited to 'source4/auth/ntlm/auth_sam.c')
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 60 |
1 files changed, 46 insertions, 14 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index e4e56e1219..6d1ed0ea10 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -23,6 +23,8 @@ #include "system/time.h" #include "lib/ldb/include/ldb.h" #include "../lib/util/util_ldb.h" +#include "libcli/ldap/ldap_ndr.h" +#include "libcli/security/security.h" #include "auth/auth.h" #include "../libcli/auth/ntlm_check.h" #include "auth/ntlm/auth_proto.h" @@ -300,10 +302,14 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } -/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ +/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. + + Supply either a principal or a DN +*/ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, const char *principal, + struct ldb_dn *user_dn, struct auth_serversupplied_info **server_info) { NTSTATUS nt_status; @@ -311,7 +317,6 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, DATA_BLOB lm_sess_key = data_blob(NULL, 0); struct ldb_message *msg; - struct ldb_context *sam_ctx; struct ldb_dn *domain_dn; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -319,21 +324,48 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx, - system_session(auth_context->lp_ctx)); - if (sam_ctx == NULL) { - talloc_free(tmp_ctx); - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } + if (principal) { + nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal, + user_attrs, &domain_dn, &msg); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + } else if (user_dn) { + struct dom_sid *user_sid, *domain_sid; + int ret; + /* pull the user attributes */ + ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn, + LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); + if (ret == LDB_ERR_NO_SUCH_OBJECT) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_SUCH_USER; + } else if (ret != LDB_SUCCESS) { + talloc_free(tmp_ctx); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } - nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, - user_attrs, &domain_dn, &msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; + user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); + + nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL, + "(&(objectSid=%s)(objectClass=domain))", + ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); + if (!domain_dn) { + DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", + dom_sid_string(tmp_ctx, domain_sid))); + return NT_STATUS_NO_SUCH_USER; + } + + } else { + return NT_STATUS_INVALID_PARAMETER; } - nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, + nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx, lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx), domain_dn, |