authorAndrew Bartlett <abartlet@samba.org>2011-02-09 14:22:16 +1100
committerAndrew Tridgell <tridge@samba.org>2011-02-10 06:51:06 +0100
commitd66150c14def46711a15a35b4734e8f438b6dad6 (patch)
tree78aa50274367fd6af3f9647fbded3f9305a91d7a /source4/smbd
parent248c8217803341aa48626f5b68cc939d28aea5ab (diff)
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source4/smbd')
-rw-r--r--source4/smbd/service_named_pipe.c138
1 files changed, 13 insertions, 125 deletions
diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c
index 148d4fdf80..086a037b69 100644
--- a/source4/smbd/service_named_pipe.c
+++ b/source4/smbd/service_named_pipe.c
@@ -33,8 +33,7 @@
#include "system/passwd.h"
#include "system/network.h"
#include "libcli/raw/smb.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
+#include "auth/session.h"
#include "libcli/security/security.h"
#include "libcli/named_pipe_auth/npa_tstream.h"
@@ -93,18 +92,9 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
char *client_name;
struct tsocket_address *server;
char *server_name;
- struct netr_SamInfo3 *info3;
- DATA_BLOB session_key;
- DATA_BLOB delegated_creds;
-
- union netr_Validation val;
- struct auth_user_info_dc *user_info_dc;
- struct auth_context *auth_context;
- uint32_t session_flags = 0;
- struct dom_sid *anonymous_sid;
+ struct auth_session_info_transport *session_info_transport;
const char *reason = NULL;
TALLOC_CTX *tmp_ctx;
- NTSTATUS status;
int error;
int ret;
@@ -115,14 +105,12 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
}
ret = tstream_npa_accept_existing_recv(subreq, &error, tmp_ctx,
- &conn->tstream,
- &client,
- &client_name,
- &server,
- &server_name,
- &info3,
- &session_key,
- &delegated_creds);
+ &conn->tstream,
+ &client,
+ &client_name,
+ &server,
+ &server_name,
+ &session_info_transport);
TALLOC_FREE(subreq);
if (ret != 0) {
reason = talloc_asprintf(conn,
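Review bot: The `if (info3)` guard that the removed code placed around building the session info has no counterpart on the new side: the `session_info_transport` received here is handed straight to `auth_session_info_from_transport()` in the following hunk, so if `tstream_npa_accept_existing_recv()` can report success with a NULL transport struct, that call now sees NULL where the old path simply skipped session-info construction. Unless the helper is documented to accept NULL, an explicit check after the `ret != 0` branch, `if (session_info_transport == NULL) { reason = "no session info received on named pipe"; goto out; }`, would keep that failure explicit instead of relying on the callee. On the new failure branch `reason` is only whatever the helper stored through `&reason`, so the `out:` label (outside these hunks) should be confirmed to tolerate a NULL `reason`, or the branch should fall back to a fixed string before the `goto`. Because the transport struct carries the peer's final group list, privilege set and session key and these are now used as-is rather than rebuilt from an info3, a comment above the recv call recording that this trusts the named-pipe peer (the npa transport being reachable only by the local server process) would help the next reader. named_pipe_accept_done() begins before this hunk and continues after it.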
@@ -137,111 +125,11 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
client_name, tsocket_address_string(client, tmp_ctx),
server_name, tsocket_address_string(server, tmp_ctx)));
- if (info3) {
- val.sam3 = info3;
-
- status = make_user_info_dc_netlogon_validation(conn,
- val.sam3->base.account_name.string,
- 3, &val, &user_info_dc);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "make_user_info_dc_netlogon_validation "
- "returned: %s", nt_errstr(status));
- goto out;
- }
-
- status = auth_context_create(conn, conn->event.ctx,
- conn->msg_ctx, conn->lp_ctx,
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_context_create returned: %s",
- nt_errstr(status));
- goto out;
- }
-
- anonymous_sid = dom_sid_parse_talloc(auth_context,
- SID_NT_ANONYMOUS);
- if (anonymous_sid == NULL) {
- talloc_free(auth_context);
- reason = "Failed to parse Anonymous SID ";
- goto out;
- }
-
- session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) {
- session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
- }
-
-
- /* setup the session_info on the connection */
- status = auth_context->generate_session_info(conn,
- auth_context,
- user_info_dc,
- session_flags,
- &conn->session_info);
- talloc_free(auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_generate_session_info "
- "returned: %s", nt_errstr(status));
- goto out;
- }
- }
-
- if (session_key.length) {
- conn->session_info->session_key = session_key;
- talloc_steal(conn->session_info, session_key.data);
- }
-
- if (delegated_creds.length) {
- struct cli_credentials *creds;
- OM_uint32 minor_status;
- gss_buffer_desc cred_token;
- gss_cred_id_t cred_handle;
- const char *error_string;
-
- DEBUG(10, ("Delegated credentials supplied by client\n"));
-
- cred_token.value = delegated_creds.data;
- cred_token.length = delegated_creds.length;
-
- ret = gss_import_cred(&minor_status,
- &cred_token,
- &cred_handle);
- if (ret != GSS_S_COMPLETE) {
- reason = "Internal error in gss_import_cred()";
- goto out;
- }
-
- creds = cli_credentials_init(conn->session_info);
- if (!creds) {
- reason = "Out of memory in cli_credentials_init()";
- goto out;
- }
- conn->session_info->credentials = creds;
-
- cli_credentials_set_conf(creds, conn->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(creds);
-
- ret = cli_credentials_set_client_gss_creds(creds,
- conn->lp_ctx,
- cred_handle,
- CRED_SPECIFIED,
- &error_string);
- if (ret) {
- reason = talloc_asprintf(conn,
- "Failed to set pipe forwarded"
- "creds: %s\n", error_string);
- goto out;
- }
-
- /* This credential handle isn't useful for password
- * authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
-
+ conn->session_info = auth_session_info_from_transport(conn, session_info_transport,
+ conn->lp_ctx,
+ &reason);
+ if (!conn->session_info) {
+ goto out;
}
/*