authorAndrew Bartlett <abartlet@samba.org>2009-02-13 14:02:49 +1100
committerAndrew Bartlett <abartlet@samba.org>2009-02-13 14:02:49 +1100
commitcd6026135d3dc7eaa773c60aa168bae8f3f15502 (patch)
tree9843b78f5fbb32605b6a6f7527783b13995187f8 /source4/auth/ntlm
parent71632a16977a93968b0d520a491a52f635e611a1 (diff)
Push sam_get_server_info_principal into the auth subsystem
This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard dependency of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
Diffstat (limited to 'source4/auth/ntlm')
-rw-r--r--source4/auth/ntlm/auth.c31
-rw-r--r--source4/auth/ntlm/auth_sam.c65
-rw-r--r--source4/auth/ntlm/config.mk1
3 files changed, 87 insertions, 10 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 2aae4a075e..5520c9d01f 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -103,6 +103,36 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_
return NT_STATUS_OK;
}
+/****************************************************************************
+ Try to get a challenge out of the various authentication modules.
+ Returns a const char of length 8 bytes.
+****************************************************************************/
+_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_ctx,
+ const char *principal,
+ struct auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status;
+ struct auth_method_context *method;
+
+ for (method = auth_ctx->methods; method; method = method->next) {
+ if (!method->ops->get_server_info_principal) {
+ continue;
+ }
+
+ nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ continue;
+ }
+
+ NT_STATUS_NOT_OK_RETURN(nt_status);
+
+ break;
+ }
+
+ return NT_STATUS_OK;
+}
+
struct auth_check_password_sync_state {
bool finished;
NTSTATUS status;
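Review bot: When no registered method implements get_server_info_principal, or every one of them returns NT_STATUS_NOT_IMPLEMENTED, the loop in auth_get_server_info_principal falls through to `return NT_STATUS_OK;` with `*server_info` never assigned, so a caller that checks only the status would go on to use an unset pointer. Initialising `NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;` and ending the function with `return nt_status;` instead of the unconditional OK makes the no-provider case an explicit failure rather than a silent success. The header comment above the function was copied from auth_get_challenge ("Try to get a challenge ... Returns a const char of length 8 bytes") and does not describe this function; replace it with something like `Look up the server_info for a principal name via the first auth method that implements get_server_info_principal; on success *server_info is allocated on mem_ctx.`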
@@ -411,6 +441,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->get_challenge = auth_get_challenge;
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
+ ctx->get_server_info_principal = auth_get_server_info_principal;
*auth_ctx = ctx;
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 384d342e00..96a13d5ed9 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -1,7 +1,7 @@
/*
Unix SMB/CIFS implementation.
Password and authentication handling
- Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2009
Copyright (C) Gerald Carter 2003
Copyright (C) Stefan Metzmacher 2005
@@ -419,18 +419,65 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
}
+
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
+NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_context,
+ const char *principal,
+ struct auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status;
+ DATA_BLOB user_sess_key = data_blob(NULL, 0);
+ DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+
+ struct ldb_message **msgs;
+ struct ldb_message **msgs_domain_ref;
+ struct ldb_context *sam_ctx;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx,
+ system_session(tmp_ctx, auth_context->lp_ctx));
+ if (sam_ctx == NULL) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ }
+
+ nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
+ &msgs, &msgs_domain_ref);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
+ lp_netbios_name(auth_context->lp_ctx),
+ msgs[0], msgs_domain_ref[0],
+ user_sess_key, lm_sess_key,
+ server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ talloc_steal(mem_ctx, *server_info);
+ }
+ talloc_free(tmp_ctx);
+ return nt_status;
+}
+
static const struct auth_operations sam_ignoredomain_ops = {
- .name = "sam_ignoredomain",
- .get_challenge = auth_get_challenge_not_implemented,
- .want_check = authsam_ignoredomain_want_check,
- .check_password = authsam_ignoredomain_check_password
+ .name = "sam_ignoredomain",
+ .get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_ignoredomain_want_check,
+ .check_password = authsam_ignoredomain_check_password,
+ .get_server_info_principal = authsam_get_server_info_principal
};
static const struct auth_operations sam_ops = {
- .name = "sam",
- .get_challenge = auth_get_challenge_not_implemented,
- .want_check = authsam_want_check,
- .check_password = authsam_check_password
+ .name = "sam",
+ .get_challenge = auth_get_challenge_not_implemented,
+ .want_check = authsam_want_check,
+ .check_password = authsam_check_password,
+ .get_server_info_principal = authsam_get_server_info_principal
};
_PUBLIC_ NTSTATUS auth_sam_init(void)
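Review bot: The early return after sam_get_results_principal fails in authsam_get_server_info_principal leaks tmp_ctx, and with it the samdb connection opened just above it, on every lookup of an unknown principal; the other two exits of the function do free it. Change that branch to `talloc_free(tmp_ctx); return nt_status;` so all paths release the temporary context. Since the lookup runs under system_session() and trusts the principal string it is handed, the comment above the function should say so explicitly, e.g. `/* Caller must already have authenticated the principal (Kerberos ticket verified): no password or PAC is checked here and the session keys are left empty. */`. Whether msgs[0] is guaranteed non-NULL on an OK return depends on sam_get_results_principal, which is outside this hunk.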
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
index 6a487f9b9e..668c528ea9 100644
--- a/source4/auth/ntlm/config.mk
+++ b/source4/auth/ntlm/config.mk
@@ -8,7 +8,6 @@ ntlm_check_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, ntlm_check.o)
#######################
# Start MODULE auth_sam
[MODULE::auth_sam_module]
-# gensec_krb5 and gensec_gssapi depend on it
INIT_FUNCTION = auth_sam_init
SUBSYSTEM = auth
PRIVATE_DEPENDENCIES = \