diff options
author | Stefan Metzmacher <metze@samba.org> | 2004-12-23 02:23:42 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:07:36 -0500 |
commit | ae42636167f82fee7fb38338dec605521162b5c2 (patch) | |
tree | 450430977c3e1eefc8104cf3362985eea95363c2 /source4/libcli | |
parent | 61b1620fc495d28fce5e585fe92f23cc9f5eb2af (diff) | |
download | samba-ae42636167f82fee7fb38338dec605521162b5c2.tar.gz samba-ae42636167f82fee7fb38338dec605521162b5c2.tar.bz2 samba-ae42636167f82fee7fb38338dec605521162b5c2.zip |
r4338: reuse netlogon structs in the krb5 PAC
that simplifies the code a lot...
also add a note: we should fail the krb5 auth if there's no
PAC present (when heimdal is ready for that:-)
metze
(This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 124 |
1 files changed, 19 insertions, 105 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 88e7cdd2e3..9323580e92 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx, return status; } #endif - DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string)); + DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string)); *logon_info_out = logon_info; return status; @@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - struct security_token *ptoken; - struct dom_sid *sid; char *p; char *principal; const char *username; @@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some - * kind... */ + * kind... + * + * when heimdal can generate the PAC, we should fail if there's + * no PAC present + */ if (NT_STATUS_IS_OK(nt_status)) { - nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal); + union netr_Validation validation; + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(gensec_krb5_state, + username, + &server_info, + 3, + &validation); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - - server_info->guest = False; - - if (logon_info->account_name.string) { - server_info->account_name - = talloc_reference(server_info, - logon_info->account_name.string); - } else { - server_info->account_name = talloc_strdup(server_info, username); - } - - server_info->domain = talloc_reference(server_info, - logon_info->dom_name.string); - server_info->realm = talloc_strdup(server_info, realm); - server_info->full_name = talloc_reference(server_info, - logon_info->full_name.string); - server_info->logon_script = talloc_reference(server_info, - logon_info->logon_script.string); - server_info->profile_path = talloc_reference(server_info, - logon_info->profile_path.string); - server_info->home_directory = talloc_reference(server_info, - logon_info->home_directory.string); - server_info->home_drive = talloc_reference(server_info, - logon_info->home_drive.string); - - server_info->logon_count = logon_info->logon_count; - /* TODO: bad password count */ - - server_info->acct_flags = logon_info->acct_flags; - - if (!server_info->domain || !server_info->account_name || !server_info->realm) { - free_server_info(&server_info); - return NT_STATUS_NO_MEMORY; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - free_server_info(&server_info); - return nt_status; - } - - talloc_free(server_info); - - ptoken = security_token_initialise(session_info); - if (ptoken == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ptoken->num_sids = 0; - ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, - logon_info->groups_count + 2); - if (!ptoken->sids) { - return NT_STATUS_NO_MEMORY; - } - - - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid); - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid); - - ptoken->user_sid = server_info->user_sid; - ptoken->group_sid = server_info->primary_group_sid; - ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid); - ptoken->num_sids++; - ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid); - ptoken->num_sids++; - - for (;ptoken->num_sids < (logon_info->groups_count + 2); - ptoken->num_sids++) { - sid = dom_sid_dup(session_info, logon_info->dom_sid); - ptoken->sids[ptoken->num_sids] - = dom_sid_add_rid(session_info, sid, - logon_info->groups[ptoken->num_sids - 2].rid); - } - - /* setup any privileges for this token */ - nt_status = samdb_privilege_setup(ptoken); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(ptoken); - return nt_status; - } - - debug_security_token(DBGC_AUTH, 0, ptoken); - - session_info->security_token = ptoken; } else { - TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); return nt_status; } + } - talloc_free(mem_ctx); + /* references the server_info into the session_info */ + nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } talloc_free(principal); |