authorAndrew Bartlett <abartlet@samba.org>2004-10-25 04:25:29 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:04:38 -0500
commit596d2de763dc2289051dd12b08ebfaae07ca3db2 (patch)
tree321a72781d398b79811ddc734bbdaa12add2f270 /source4/libcli
parent5c95896499dd6f72c8fc9be84b0da880571731da (diff)
r3190: When we don't have a PAC, do a lookup in the local ldb instead.
This required reworking the auth_sam code, so that it would export the 'name -> server_info' functionality. It's a bit ugly from a modular point of view, but it's what we have to do... Fix up some of the code to better use the new talloc() Andrew Bartlett (This used to be commit 18e08b4497ebabc2f31210254e145458b7c6a198)
Diffstat (limited to 'source4/libcli')
-rw-r--r--source4/libcli/auth/gensec_krb5.c80
-rw-r--r--source4/libcli/auth/gensec_ntlmssp.c7
2 files changed, 57 insertions, 30 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c
index 14e2f586c3..1ce05b519e 100644
--- a/source4/libcli/auth/gensec_krb5.c
+++ b/source4/libcli/auth/gensec_krb5.c
@@ -611,39 +611,48 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
struct dom_sid *sid;
char *p;
char *principal;
+ const char *username;
+ const char *realm;
*session_info_out = NULL;
- nt_status = make_server_info(gensec_security, &server_info, gensec_krb5_state->peer_principal);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- server_info->guest = False;
+ /* IF we have the PAC - otherwise (TODO) we need to get this
+ * data from elsewere - local ldb, or lookup of some
+ * kind... */
- principal = talloc_strdup(server_info, gensec_krb5_state->peer_principal);
+ principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state->peer_principal);
p = strchr(principal, '@');
if (p) {
*p = '\0';
}
- server_info->account_name = principal;
- server_info->domain = talloc_strdup(server_info, p++);
- if (!server_info->domain) {
- free_server_info(&server_info);
- return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = make_session_info(server_info, &session_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- free_server_info(&server_info);
- return nt_status;
- }
+ p++;
+ username = principal;
+ realm = p;
+
+ if (logon_info) {
+ nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ server_info->guest = False;
+
+ server_info->account_name = talloc_strdup(server_info, principal);
+ server_info->domain = talloc_strdup(server_info, realm);
+ if (!server_info->domain) {
+ free_server_info(&server_info);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* references the server_info into the session_info */
+ nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ free_server_info(&server_info);
+ return nt_status;
+ }
- /* IF we have the PAC - otherwise (TODO) we need to get this
- * data from elsewere - local ldb, or lookup of some
- * kind... */
+ talloc_free(server_info);
- if (logon_info) {
ptoken = talloc_p(session_info, struct nt_user_token);
if (!ptoken) {
return NT_STATUS_NO_MEMORY;
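Review bot: `p++` now runs unconditionally after `p = strchr(principal, '@')`, so a peer principal without an `@` increments a NULL pointer, and the resulting `realm` is handed to `talloc_strdup()` or `sam_get_server_info()`; the `if (p)` guard covers only the `*p = '\0'` write. The `talloc_strdup()` result in `principal` also reaches `strchr()` unchecked. I would reject both cases before the split, with `if (!principal) return NT_STATUS_NO_MEMORY;` after the strdup and `if (!p) { talloc_free(principal); return NT_STATUS_INVALID_PARAMETER; }` after the `strchr()`. In the PAC branch `server_info->account_name` is not checked for NULL the way `server_info->domain` is. The function body starts and ends outside this hunk.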
@@ -666,16 +675,37 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
for (;ptoken->num_sids < logon_info->groups_count; ptoken->num_sids++) {
sid = dom_sid_dup(session_info, logon_info->dom_sid);
- ptoken->user_sids[ptoken->num_sids] = dom_sid_add_rid(session_info, sid, logon_info->groups[ptoken->num_sids - 2].rid);
+ ptoken->user_sids[ptoken->num_sids]
+ = dom_sid_add_rid(session_info, sid,
+ logon_info->groups[ptoken->num_sids - 2].rid);
}
debug_nt_user_token(DBGC_AUTH, 0, ptoken);
session_info->nt_user_token = ptoken;
} else {
- session_info->nt_user_token = NULL;
+ TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm);
+ if (!mem_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+
+ /* references the server_info into the session_info */
+ nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+
+ talloc_free(mem_ctx);
}
+ talloc_free(principal);
+
nt_status = gensec_krb5_session_key(gensec_security, &session_info->session_key);
session_info->workstation = NULL;
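Review bot: `mem_ctx` in the new `else` branch is allocated and freed but never used as an allocation context, because `sam_get_server_info()` and `make_session_info()` are both given `gensec_krb5_state`. As a result `server_info` stays parented to the long-lived state, and unlike the PAC branch there is no `talloc_free(server_info)` once it has been referenced into the session_info. Assuming the third argument is the talloc parent (the prototype is not visible here), `nt_status = sam_get_server_info(username, realm, mem_ctx, &server_info);` would let the existing `talloc_free(mem_ctx)` calls release it. Because this path derives the session identity from a name lookup rather than from a signed PAC, it is worth confirming that `sam_get_server_info()` refuses a `realm` that is not the local domain, and recording that in a comment above the call. The early returns in this branch also leave `principal` allocated on `gensec_krb5_state`.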
diff --git a/source4/libcli/auth/gensec_ntlmssp.c b/source4/libcli/auth/gensec_ntlmssp.c
index 0683581495..48438aaae1 100644
--- a/source4/libcli/auth/gensec_ntlmssp.c
+++ b/source4/libcli/auth/gensec_ntlmssp.c
@@ -370,19 +370,16 @@ static NTSTATUS gensec_ntlmssp_update(struct gensec_security *gensec_security, T
*/
static NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
- struct auth_session_info **session_info)
+ struct auth_session_info **session_info)
{
NTSTATUS nt_status;
struct gensec_ntlmssp_state *gensec_ntlmssp_state = gensec_security->private_data;
- nt_status = make_session_info(gensec_ntlmssp_state->server_info, session_info);
+ nt_status = make_session_info(gensec_ntlmssp_state, gensec_ntlmssp_state->server_info, session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
- /* the session_info owns this now */
- gensec_ntlmssp_state->server_info = NULL;
-
(*session_info)->session_key = data_blob_talloc(*session_info,
gensec_ntlmssp_state->ntlmssp_state->session_key.data,
gensec_ntlmssp_state->ntlmssp_state->session_key.length);
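Review bot: With the `/* the session_info owns this now */` comment and the `server_info = NULL` reset removed, nothing at the `make_session_info()` call explains why `gensec_ntlmssp_state->server_info` may stay set while the returned session_info also uses it. I would add `/* references the server_info into the session_info */` above the call, matching the comment this commit adds in gensec_krb5.c. The lifetime now appears to depend on `make_session_info()` taking a talloc reference on `server_info`; that function is not part of this diff, so that is worth confirming.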