libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport

This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

1 files changed, 13 insertions, 125 deletions

diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c
index 148d4fdf80..086a037b69 100644
--- a/source4/smbd/service_named_pipe.c
+++ b/source4/smbd/service_named_pipe.c
@@ -33,8 +33,7 @@
 #include "system/passwd.h"
 #include "system/network.h"
 #include "libcli/raw/smb.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
+#include "auth/session.h"
 #include "libcli/security/security.h"
 #include "libcli/named_pipe_auth/npa_tstream.h"
 
@@ -93,18 +92,9 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
 	char *client_name;
 	struct tsocket_address *server;
 	char *server_name;
-	struct netr_SamInfo3 *info3;
-	DATA_BLOB session_key;
-	DATA_BLOB delegated_creds;
-
-	union netr_Validation val;
-	struct auth_user_info_dc *user_info_dc;
-	struct auth_context *auth_context;
-	uint32_t session_flags = 0;
-	struct dom_sid *anonymous_sid;
+	struct auth_session_info_transport *session_info_transport;
 	const char *reason = NULL;
 	TALLOC_CTX *tmp_ctx;
-	NTSTATUS status;
 	int error;
 	int ret;
 
@@ -115,14 +105,12 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
 	}
 
 	ret = tstream_npa_accept_existing_recv(subreq, &error, tmp_ctx,
-						&conn->tstream,
-						&client,
-						&client_name,
-						&server,
-						&server_name,
-						&info3,
-						&session_key,
-						&delegated_creds);
+					       &conn->tstream,
+					       &client,
+					       &client_name,
+					       &server,
+					       &server_name,
+					       &session_info_transport);
 	TALLOC_FREE(subreq);
 	if (ret != 0) {
 		reason = talloc_asprintf(conn,
@@ -137,111 +125,11 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
 		   client_name, tsocket_address_string(client, tmp_ctx),
 		   server_name, tsocket_address_string(server, tmp_ctx)));
 
-	if (info3) {
-		val.sam3 = info3;
-
-		status = make_user_info_dc_netlogon_validation(conn,
-					val.sam3->base.account_name.string,
-					3, &val, &user_info_dc);
-		if (!NT_STATUS_IS_OK(status)) {
-			reason = talloc_asprintf(conn,
-					"make_user_info_dc_netlogon_validation "
-					"returned: %s", nt_errstr(status));
-			goto out;
-		}
-
-		status = auth_context_create(conn, conn->event.ctx,
-					     conn->msg_ctx, conn->lp_ctx,
-					     &auth_context);
-		if (!NT_STATUS_IS_OK(status)) {
-			reason = talloc_asprintf(conn,
-					"auth_context_create returned: %s",
-					nt_errstr(status));
-			goto out;
-		}
-
-		anonymous_sid = dom_sid_parse_talloc(auth_context,
-						     SID_NT_ANONYMOUS);
-		if (anonymous_sid == NULL) {
-			talloc_free(auth_context);
-			reason = "Failed to parse Anonymous SID ";
-			goto out;
-		}
-
-		session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-		if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) {
-			session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-		}
-
-
-		/* setup the session_info on the connection */
-		status = auth_context->generate_session_info(conn,
-							     auth_context,
-							     user_info_dc,
-							     session_flags,
-							     &conn->session_info);
-		talloc_free(auth_context);
-		if (!NT_STATUS_IS_OK(status)) {
-			reason = talloc_asprintf(conn,
-					"auth_generate_session_info "
-					"returned: %s", nt_errstr(status));
-			goto out;
-		}
-	}
-
-	if (session_key.length) {
-		conn->session_info->session_key = session_key;
-		talloc_steal(conn->session_info, session_key.data);
-	}
-
-	if (delegated_creds.length) {
-		struct cli_credentials *creds;
-		OM_uint32 minor_status;
-		gss_buffer_desc cred_token;
-		gss_cred_id_t cred_handle;
-		const char *error_string;
-
-		DEBUG(10, ("Delegated credentials supplied by client\n"));
-
-		cred_token.value = delegated_creds.data;
-		cred_token.length = delegated_creds.length;
-
-		ret = gss_import_cred(&minor_status,
-				      &cred_token,
-				      &cred_handle);
-		if (ret != GSS_S_COMPLETE) {
-			reason = "Internal error in gss_import_cred()";
-			goto out;
-		}
-
-		creds = cli_credentials_init(conn->session_info);
-		if (!creds) {
-			reason = "Out of memory in cli_credentials_init()";
-			goto out;
-		}
-		conn->session_info->credentials = creds;
-
-		cli_credentials_set_conf(creds, conn->lp_ctx);
-		/* Just so we don't segfault trying to get at a username */
-		cli_credentials_set_anonymous(creds);
-
-		ret = cli_credentials_set_client_gss_creds(creds,
-							   conn->lp_ctx,
-							   cred_handle,
-							   CRED_SPECIFIED,
-							   &error_string);
-		if (ret) {
-			reason = talloc_asprintf(conn,
-						 "Failed to set pipe forwarded"
-						 "creds: %s\n", error_string);
-			goto out;
-		}
-
-		/* This credential handle isn't useful for password
-		 * authentication, so ensure nobody tries to do that */
-		cli_credentials_set_kerberos_state(creds,
-						   CRED_MUST_USE_KERBEROS);
-
+	conn->session_info = auth_session_info_from_transport(conn, session_info_transport,
+							      conn->lp_ctx,
+							      &reason);
+	if (!conn->session_info) {
+		goto out;
 	}
 
 	/*