summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Tridgell <tridge@samba.org>2004-12-11 05:41:19 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:06:31 -0500
commit6ca874f71ad77c82d6e161a3e4772100de2ad6c5 (patch)
tree6379d5d502d779df1da563911d40249030268ac6 /source4/auth
parent280bb1cf0fc84c61e20f6f557cecbeba726e2749 (diff)
downloadsamba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.gz
samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.tar.bz2
samba-6ca874f71ad77c82d6e161a3e4772100de2ad6c5.zip
r4147: converted from NT_USER_TOKEN to struct security_token
this is mostly just a tidyup, but also adds the privilege_mask, which I will be using shortly in ACL checking. note that I had to move the definition of struct security_token out of security.idl as pidl doesn't yet handle arrays of pointers, and the usual workaround (to use a intermediate structure) would make things too cumbersome for this structure, especially given we never encode it to NDR. (This used to be commit 7b446af09b8050746bfc2c50e9d56aa94397cc1a)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.h9
-rw-r--r--source4/auth/auth_util.c128
2 files changed, 58 insertions, 79 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 741cd55542..3f1d11cb45 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -97,15 +97,10 @@ struct auth_serversupplied_info
uint32 acct_flags;
};
-struct auth_session_info
-{
+struct auth_session_info {
int refcount;
- /* NT group information taken from the info3 structure */
-
- NT_USER_TOKEN *nt_user_token;
-
+ struct security_token *security_token;
struct auth_serversupplied_info *server_info;
-
DATA_BLOB session_key;
/* needed to key the schannel credentials */
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index 503e1dee82..4a60c3f847 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -298,127 +298,111 @@ BOOL make_user_info_guest(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
- prints a NT_USER_TOKEN to debug output.
+ prints a struct security_token to debug output.
****************************************************************************/
-
-void debug_nt_user_token(int dbg_class, int dbg_lev, const NT_USER_TOKEN *token)
+void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token)
{
TALLOC_CTX *mem_ctx;
size_t i;
if (!token) {
- DEBUGC(dbg_class, dbg_lev, ("NT user token: (NULL)\n"));
+ DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
return;
}
- mem_ctx = talloc_init("debug_nt_user_token()");
+ mem_ctx = talloc_init("debug_security_token()");
if (!mem_ctx) {
return;
}
- DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
- dom_sid_string(mem_ctx, token->user_sids[0]) ));
- DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", (unsigned long)token->num_sids));
- for (i = 0; i < token->num_sids; i++)
- DEBUGADDC(dbg_class, dbg_lev, ("SID[%3lu]: %s\n", (unsigned long)i,
- dom_sid_string(mem_ctx, token->user_sids[i])));
+ DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n",
+ dom_sid_string(mem_ctx, token->user_sid) ));
+ DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n",
+ (unsigned long)token->num_sids));
+ for (i = 0; i < token->num_sids; i++) {
+ DEBUGADDC(dbg_class, dbg_lev,
+ ("SID[%3lu]: %s\n", (unsigned long)i,
+ dom_sid_string(mem_ctx, token->sids[i])));
+ }
talloc_destroy(mem_ctx);
}
/****************************************************************************
- prints a NT_USER_TOKEN to debug output.
+ prints a struct auth_session_info security token to debug output.
****************************************************************************/
-
-void debug_session_info(int dbg_class, int dbg_lev, const struct auth_session_info *session_info)
+void debug_session_info(int dbg_class, int dbg_lev,
+ const struct auth_session_info *session_info)
{
if (!session_info) {
DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n"));
return;
}
- debug_nt_user_token(dbg_class, dbg_lev, session_info->nt_user_token);
+ debug_security_token(dbg_class, dbg_lev, session_info->security_token);
}
/****************************************************************************
Create the SID list for this user.
****************************************************************************/
-
-NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid, struct dom_sid *group_sid,
- int n_groupSIDs, struct dom_sid **groupSIDs,
- BOOL is_guest, struct nt_user_token **token)
+NTSTATUS create_security_token(TALLOC_CTX *mem_ctx,
+ struct dom_sid *user_sid, struct dom_sid *group_sid,
+ int n_groupSIDs, struct dom_sid **groupSIDs,
+ BOOL is_guest, struct security_token **token)
{
- NTSTATUS nt_status = NT_STATUS_OK;
- struct nt_user_token *ptoken;
+ struct security_token *ptoken;
int i;
- int sid_ndx;
-
- if (!(ptoken = talloc_p(mem_ctx, struct nt_user_token))) {
- DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- return nt_status;
- }
- ptoken->num_sids = 0;
+ ptoken = security_token_initialise(mem_ctx);
+ if (ptoken == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- if (!(ptoken->user_sids = talloc_array_p(mem_ctx, struct dom_sid*, n_groupSIDs + 5))) {
- DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- return nt_status;
+ ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5);
+ if (!ptoken->sids) {
+ return NT_STATUS_NO_MEMORY;
}
-
- /*
- * Note - user SID *MUST* be first in token !
- * se_access_check depends on this.
- *
- * Primary group SID is second in token. Convention.
- */
- ptoken->user_sids[PRIMARY_USER_SID_INDEX] = user_sid;
- ptoken->num_sids++;
- ptoken->user_sids[PRIMARY_GROUP_SID_INDEX] = group_sid;
- ptoken->num_sids++;
+ ptoken->user_sid = user_sid;
+ ptoken->group_sid = group_sid;
+ ptoken->privilege_mask = 0;
+
+ ptoken->sids[0] = user_sid;
+ ptoken->sids[1] = group_sid;
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous" (which we
* don't really support) is the addition of Authenticated_Users.
*/
- ptoken->user_sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
- ptoken->user_sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
-
- if (is_guest) {
- ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_BUILTIN_GUESTS);
- ptoken->num_sids++;
- } else {
- ptoken->user_sids[4] = dom_sid_parse_talloc(mem_ctx, SID_NT_AUTHENTICATED_USERS);
- ptoken->num_sids++;
- }
-
- sid_ndx = 5; /* next available spot */
+ ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
+ ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
+ ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx,
+ is_guest?SID_BUILTIN_GUESTS:
+ SID_NT_AUTHENTICATED_USERS);
+ ptoken->num_sids = 5;
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
- for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
- if (dom_sid_equal(ptoken->user_sids[check_sid_idx],
- groupSIDs[i])) {
+ for (check_sid_idx = 1;
+ check_sid_idx < ptoken->num_sids;
+ check_sid_idx++) {
+ if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
break;
}
}
- if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
- ptoken->user_sids[sid_ndx++] = groupSIDs[i];
- ptoken->num_sids++;
+ if (check_sid_idx == ptoken->num_sids) {
+ ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
}
}
- debug_nt_user_token(DBGC_AUTH, 10, ptoken);
+ debug_security_token(DBGC_AUTH, 10, ptoken);
*token = ptoken;
- return nt_status;
+ return NT_STATUS_OK;
}
/***************************************************************************
@@ -699,13 +683,13 @@ NTSTATUS make_session_info(TALLOC_CTX *mem_ctx,
/* we should search for local groups here */
- nt_status = create_nt_user_token((*session_info),
- server_info->user_sid,
- server_info->primary_group_sid,
- server_info->n_domain_groups,
- server_info->domain_groups,
- False,
- &(*session_info)->nt_user_token);
+ nt_status = create_security_token((*session_info),
+ server_info->user_sid,
+ server_info->primary_group_sid,
+ server_info->n_domain_groups,
+ server_info->domain_groups,
+ False,
+ &(*session_info)->security_token);
return nt_status;
}