s4-auth Rework auth subsystem to remove struct auth_serversupplied_info

This changes auth_serversupplied_info into the IDL-defined struct
auth_user_info_dc.  This then in turn contains a struct
auth_user_info, which is the only part of the structure that is
mainted into the struct session_info.

The idea here is to avoid keeping the incomplete results of the
authentication (such as session keys, lists of SID memberships etc) in
a namespace where it may be confused for the finalised results.

Andrew Barltett

2 files changed, 16 insertions, 15 deletions

diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index 800d560b44..117cab095d 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -169,7 +169,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 	 * seem to be the case here. */
 	ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
 			   "(&(objectClass=user)(sAMAccountName=%s))",
-			   session_info->server_info->account_name);
+			   session_info->info->account_name);
 	if (ret != 1) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx,
 						KRB5_KPASSWD_ACCESSDENIED,
@@ -197,8 +197,8 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 	}
 
 	DEBUG(3, ("Changing password of %s\\%s (%s)\n",
-		  session_info->server_info->domain_name,
-		  session_info->server_info->account_name,
+		  session_info->info->domain_name,
+		  session_info->info->account_name,
 		  dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
 
 	/* Performs the password change */
@@ -359,8 +359,8 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
 		}
 
 		DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
-			  session_info->server_info->domain_name,
-			  session_info->server_info->account_name,
+			  session_info->info->domain_name,
+			  session_info->info->account_name,
 			  dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
 			  set_password_on_princ));
 		ret = ldb_transaction_start(samdb);
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index 6dbeb354e0..18d29a10cb 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -28,10 +28,11 @@
 #include "auth/auth_sam_reply.h"
 #include "kdc/kdc-glue.h"
 #include "param/param.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
 
 static
 NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
-				       struct auth_serversupplied_info *info,
+				       struct auth_user_info_dc *info,
 				       DATA_BLOB *pac_data)
 {
 	struct netr_SamInfo3 *info3;
@@ -41,7 +42,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
 
 	ZERO_STRUCT(pac_info);
 
-	nt_status = auth_convert_server_info_saminfo3(mem_ctx, info, &info3);
+	nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(1, ("Getting Samba info failed: %s\n",
 			  nt_errstr(nt_status)));
@@ -139,7 +140,7 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 				DATA_BLOB **_pac_blob)
 {
 	struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry);
-	struct auth_serversupplied_info *server_info;
+	struct auth_user_info_dc *user_info_dc;
 	DATA_BLOB *pac_blob;
 	NTSTATUS nt_status;
 
@@ -154,21 +155,21 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	nt_status = authsam_make_server_info(mem_ctx, p->kdc_db_ctx->samdb,
+	nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
 					     lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
 					     lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
 					     p->realm_dn,
 					     p->msg,
 					     data_blob(NULL, 0),
 					     data_blob(NULL, 0),
-					     &server_info);
+					     &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Getting user info for PAC failed: %s\n",
 			  nt_errstr(nt_status)));
 		return nt_status;
 	}
 
-	nt_status = samba_get_logon_info_pac_blob(mem_ctx, server_info, pac_blob);
+	nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		DEBUG(0, ("Building PAC failed: %s\n",
 			  nt_errstr(nt_status)));
@@ -183,18 +184,18 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
 				   krb5_context context,
 				   krb5_pac *pac, DATA_BLOB *pac_blob)
 {
-	struct auth_serversupplied_info *server_info;
+	struct auth_user_info_dc *user_info_dc;
 	krb5_error_code ret;
 	NTSTATUS nt_status;
 
-	ret = kerberos_pac_to_server_info(mem_ctx, *pac,
-					  context, &server_info);
+	ret = kerberos_pac_to_user_info_dc(mem_ctx, *pac,
+					   context, &user_info_dc, NULL, NULL);
 	if (ret) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
 	nt_status = samba_get_logon_info_pac_blob(mem_ctx, 
-						  server_info, pac_blob);
+						  user_info_dc, pac_blob);
 
 	return nt_status;
 }