diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-12-22 17:17:07 +1100 |
|---|---|---|
| committer | Andrew Tridgell <tridge@samba.org> | 2011-01-14 16:39:32 +1100 |
| commit | ece6eae4d8862a564c581a3f3808c04edab6cb19 (patch) | |
| tree | 5989f3b1f029595076106811ff5e7c4d55d4b18a /source4/auth/ntlm | |
| parent | c82269cf862b00c987c02aefa78155c142f6d065 (diff) | |
| download | samba-ece6eae4d8862a564c581a3f3808c04edab6cb19.tar.gz samba-ece6eae4d8862a564c581a3f3808c04edab6cb19.tar.bz2 samba-ece6eae4d8862a564c581a3f3808c04edab6cb19.zip | |
s4-auth Add function to obtain any user's session_info from a given LDB
This will be a building block for a tokenGroups test, which can
compare against a remote server (in particular the rootDSE) against
what we would calculate the tokenGroups to be.
(this meant moving some parts out of the auth_sam code into the
containing library)
Andrew Bartlett
Diffstat (limited to 'source4/auth/ntlm')
| -rw-r--r-- | source4/auth/ntlm/auth_sam.c | 87 |
1 files changed, 8 insertions, 79 deletions
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 259efec8e5..645713286d 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -353,87 +353,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } -/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. - - Supply either a principal or a DN -*/ -NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - const char *principal, - struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) +/* Wrapper for the auth subsystem pointer */ +NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx, + struct auth_context *auth_context, + const char *principal, + struct ldb_dn *user_dn, + struct auth_serversupplied_info **server_info) { - NTSTATUS nt_status; - DATA_BLOB user_sess_key = data_blob(NULL, 0); - DATA_BLOB lm_sess_key = data_blob(NULL, 0); - - struct ldb_message *msg; - struct ldb_dn *domain_dn; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - if (principal) { - nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal, - user_attrs, &domain_dn, &msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - } else if (user_dn) { - struct dom_sid *user_sid, *domain_sid; - int ret; - /* pull the user attributes */ - ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn, - LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); - if (ret == LDB_ERR_NO_SUCH_OBJECT) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_SUCH_USER; - } else if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); - - nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL, - "(&(objectSid=%s)(objectClass=domain))", - ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); - if (!domain_dn) { - DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", - dom_sid_string(tmp_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - - } else { - return NT_STATUS_INVALID_PARAMETER; - } - - nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx, - lpcfg_netbios_name(auth_context->lp_ctx), - lpcfg_workgroup(auth_context->lp_ctx), - domain_dn, - msg, - user_sess_key, lm_sess_key, - server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - talloc_steal(mem_ctx, *server_info); - talloc_free(tmp_ctx); - - return NT_STATUS_OK; + return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, + principal, user_dn, server_info); } - static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, |