authorAndrew Bartlett <abartlet@samba.org>2010-04-19 15:51:57 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-05-20 17:39:10 +1000
commit9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5 (patch)
tree1526cb9826169a6ea4162b5c3f13f279cda4ff7b /source4/auth
parent3ff2766231625863140434bab18b27d5105deb3c (diff)
s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in which use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol we do not have control over the addition of the authenticated users group, so we key off 'is this user the anonymous SID'. This also takes more care to allocate the right length for ptoken->sids. Andrew Bartlett
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.h5
-rw-r--r--source4/auth/gensec/gensec.c8
-rw-r--r--source4/auth/ntlm/auth_simple.c8
-rw-r--r--source4/auth/session.c7
-rw-r--r--source4/auth/session.h1
-rw-r--r--source4/auth/system_session.c12
6 files changed, 29 insertions, 12 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 0e32c504dd..9ce338c8ae 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -48,6 +48,10 @@ struct loadparm_context;
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* don't check unix account status */
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_ENTERPRISE_DC 0x04 /* Add the user to the 'enterprise DC' group */
+
enum auth_password_state {
AUTH_PASSWORD_RESPONSE,
AUTH_PASSWORD_HASH,
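Review bot: The three new AUTH_SESSION_INFO_* flags reuse the same low bit values (0x01, 0x02, 0x04) as the USER_INFO_* flags a few lines above, and both sets travel as a bare uint32_t, so a USER_INFO_* value passed by mistake as session_info_flags compiles cleanly and would silently grant group memberships such as 'authenticated users'. A comment on the new block would make the separate namespaces explicit: `/* session_info_flags namespace, distinct from USER_INFO_* above; never mix the two */`. AUTH_SESSION_INFO_AUTHENTICATED in particular is only meaningful when the credentials have actually been verified (the callers in this commit derive it from server_info->authenticated), so a note on that define, `/* only set once the credentials have been verified */`, would discourage a future caller from adding it unconditionally.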
@@ -211,6 +215,7 @@ struct auth_context {
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **session_info);
};
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index c19d5ff5d5..b166d238de 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1327,8 +1327,14 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
{
NTSTATUS nt_status;
if (gensec_security->auth_context) {
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
- server_info, session_info);
+ server_info,
+ flags,
+ session_info);
} else {
nt_status = auth_generate_simple_session_info(mem_ctx,
server_info, session_info);
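Review bot: The flags computed at the top of the if-branch never reach the else branch: auth_generate_simple_session_info() at the bottom of the hunk is still called with server_info alone, so when gensec_security has no auth_context the 'authenticated users' decision is made by that helper on its own and cannot be controlled through the new flag scheme. If that is intended, a comment on the else branch, `/* no auth_context: the simple path decides its own group membership, flags do not apply */`, would stop the next reader from assuming the flags are honoured there; if not, the simple path needs the same parameter. The `server_info->authenticated` read also assumes server_info is non-NULL, and no check is visible in the hunk (any such check would be above it). gensec_generate_session_info's signature and the remainder of its body lie outside the hunk.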
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 7f972ac296..9c8f7f64ac 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -87,8 +87,14 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
}
if (session_info) {
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
nt_status = auth_context->generate_session_info(tmp_ctx, auth_context,
- server_info, session_info);
+ server_info,
+ flags,
+ session_info);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_steal(mem_ctx, *session_info);
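Review bot: The four lines building `flags` from AUTH_SESSION_INFO_DEFAULT_GROUPS and server_info->authenticated are the same sequence this commit adds to gensec.c, so the policy "default groups, plus authenticated users iff server_info->authenticated" now lives in two places and the two copies can drift, which for a group-membership decision is a security concern rather than a cosmetic one. A small static inline helper in auth.h would keep one definition and this hunk would reduce to `flags = auth_session_info_default_flags(server_info);`; the helper is sketched below. authenticate_username_pw starts and ends outside this hunk.
```c
/* auth.h: the single definition of the default session_info flag policy */
static inline uint32_t auth_session_info_default_flags(const struct auth_serversupplied_info *server_info)
{
	uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
	if (server_info->authenticated) {
		flags |= AUTH_SESSION_INFO_AUTHENTICATED;
	}
	return flags;
}
```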
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 7817195727..a21fbcf451 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -45,6 +45,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **_session_info)
{
struct auth_session_info *session_info;
@@ -61,7 +62,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct dom_sid **groupSIDs = NULL;
const struct dom_sid *dom_sid;
- bool is_enterprise_dc = false;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -82,7 +82,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
dom_sid = samdb_domain_sid(auth_context->sam_ctx);
if (dom_sid) {
if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
- is_enterprise_dc = true;
+ session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
} else {
DEBUG(2, ("DC %s is not in our domain. "
"It will not have Enterprise Domain Controllers membership on this server",
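Review bot: AUTH_SESSION_INFO_ENTERPRISE_DC is now a public flag that any caller can pass in session_info_flags, but this hunk only ever ORs it in (`session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;`) and never clears it, so a caller that sets the bit obtains Enterprise Domain Controllers membership regardless of the dom_sid_in_domain() check here; before this change the decision was a local bool the caller could not influence. Clearing the bit on entry, `session_info_flags &= ~AUTH_SESSION_INFO_ENTERPRISE_DC;`, would keep this check the only grant path; alternatively document at the prototype that the bit is output-only and must not be passed in. The condition that gates this block (which accounts are treated as DCs) begins above the hunk, and the token creation it feeds is below it.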
@@ -201,8 +201,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
server_info->primary_group_sid,
num_groupSIDs,
groupSIDs,
- server_info->authenticated,
- is_enterprise_dc,
+ session_info_flags,
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 574b76946e..8e22cc0576 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -50,6 +50,7 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **_session_info);
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
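Review bot: The new session_info_flags parameter lands in the public prototype with no comment on which values it accepts, even though this header is what callers read. A one-line comment above auth_generate_session_info, `/* session_info_flags: bitwise OR of AUTH_SESSION_INFO_* (auth.h); selects which well-known groups are added to the token */`, would make the contract discoverable without opening auth.h. Whether the enterprise-DC bit may be supplied by callers or is set internally is not visible from this hunk and is worth stating in that comment once decided.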
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index c6df082f69..2835a20e34 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -36,12 +36,12 @@
* @note Specialised version for system sessions that doesn't use the SAM.
*/
static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid,
- struct dom_sid *group_sid,
- unsigned int n_groupSIDs,
- struct dom_sid **groupSIDs,
- bool is_authenticated,
- struct security_token **token)
+ struct dom_sid *user_sid,
+ struct dom_sid *group_sid,
+ unsigned int n_groupSIDs,
+ struct dom_sid **groupSIDs,
+ bool is_authenticated,
+ struct security_token **token)
{
struct security_token *ptoken;
unsigned int i;