diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-02-08 16:53:13 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-02-09 01:11:06 +0100 |
commit | a2ce53c1f5301ffcf990dbab837c328ea22739b6 (patch) | |
tree | 52dde7c4bb16c0d885b8691a4c5c87f8213b0599 /source4/auth/session.c | |
parent | f1c0e9532d8e3fb0d8942e4d4e1a122429266b16 (diff) | |
download | samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.gz samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.tar.bz2 samba-a2ce53c1f5301ffcf990dbab837c328ea22739b6.zip |
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc. This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.
The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.
Andrew Barltett
Diffstat (limited to 'source4/auth/session.c')
-rw-r--r-- | source4/auth/session.c | 43 |
1 files changed, 26 insertions, 17 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c index 060f6d2eb6..a6b8b2688c 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -44,7 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - struct auth_serversupplied_info *server_info, + struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **_session_info) { @@ -63,11 +63,20 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, session_info = talloc(tmp_ctx, struct auth_session_info); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx); - session_info->server_info = talloc_reference(session_info, server_info); + session_info->info = talloc_reference(session_info, user_info_dc->info); + + session_info->torture = talloc_zero(session_info, struct auth_user_info_torture); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx); + session_info->torture->num_dc_sids = user_info_dc->num_sids; + session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx); /* unless set otherwise, the session key is the user session * key from the auth subsystem */ - session_info->session_key = server_info->user_session_key; + session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length); + if (!session_info->session_key.data && session_info->session_key.length) { + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx); + } anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx); @@ -75,40 +84,40 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx); - sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids); + sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx); if (!sids) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - num_sids = server_info->num_sids; + num_sids = user_info_dc->num_sids; - for (i=0; i < server_info->num_sids; i++) { - sids[i] = server_info->sids[i]; + for (i=0; i < user_info_dc->num_sids; i++) { + sids[i] = user_info_dc->sids[i]; } - if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { + if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { + } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ - for (i = 0; i < server_info->num_sids; i++) { + for (i = 0; i < user_info_dc->num_sids; i++) { char *sid_string; const char *sid_dn; DATA_BLOB sid_blob; sid_string = dom_sid_string(tmp_ctx, - &server_info->sids[i]); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info); + &user_info_dc->sids[i]); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc); sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); talloc_free(sid_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc); sid_blob = data_blob_string_const(sid_dn); /* This function takes in memberOf values and expands @@ -156,21 +165,21 @@ NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { NTSTATUS nt_status; - struct auth_serversupplied_info *server_info; + struct auth_user_info_dc *user_info_dc; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (!tmp_ctx) { return NT_STATUS_NO_MEMORY; } - nt_status = authsam_get_server_info_principal(tmp_ctx, lp_ctx, sam_ctx, + nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx, principal, user_dn, - &server_info); + &user_info_dc); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; } nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx, - server_info, session_info_flags, + user_info_dc, session_info_flags, session_info); if (NT_STATUS_IS_OK(nt_status)) { |