summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/ntlm/auth.c15
-rw-r--r--source4/auth/session.c13
-rw-r--r--source4/auth/session.h7
-rw-r--r--source4/auth/system_session.c4
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c2
-rw-r--r--source4/samba_tool/gpo.c11
6 files changed, 28 insertions, 24 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index f7de0201b6..0c6c8ef52c 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -408,6 +408,19 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
return NT_STATUS_OK;
}
+/* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb */
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_context,
+ struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, server_info,
+ session_info_flags, session_info);
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
- Allow the caller to specify the methods to use, including optionally the SAM to use
@@ -476,7 +489,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
ctx->get_server_info_principal = auth_get_server_info_principal;
- ctx->generate_session_info = auth_generate_session_info;
+ ctx->generate_session_info = auth_generate_session_info_wrapper;
*auth_ctx = ctx;
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bb6a5946e5..1028aa8320 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -41,7 +41,8 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
}
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
struct auth_serversupplied_info *server_info,
uint32_t session_info_flags,
struct auth_session_info **_session_info)
@@ -83,7 +84,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
/* Don't expand nested groups of system, anonymous etc*/
} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (auth_context) {
+ } else if (sam_ctx) {
groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
if (!groupSIDs) {
@@ -119,7 +120,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
account_sid_blob = data_blob_string_const(account_sid_dn);
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -143,7 +144,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
primary_group_blob = data_blob_string_const(primary_group_dn);
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -167,7 +168,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
* builtin groups */
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -177,7 +178,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
}
nt_status = security_token_create(session_info,
- auth_context ? auth_context->lp_ctx : NULL,
+ lp_ctx,
server_info->account_sid,
server_info->primary_group_sid,
num_groupSIDs,
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 3de054aef1..bdcfe7ab93 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -31,7 +31,6 @@ struct auth_session_info {
#include "librpc/gen_ndr/netlogon.h"
struct tevent_context;
-struct auth_context;
/* Create a security token for a session SYSTEM (the most
* trusted/prvilaged account), including the local machine account as
* the off-host credentials */
@@ -41,11 +40,11 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_serversupplied_info **_server_info) ;
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+ struct auth_serversupplied_info *server_info,
uint32_t session_info_flags,
struct auth_session_info **_session_info);
-
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index bec22c1600..6e0cd7be5a 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -194,7 +194,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -445,7 +445,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
}
/* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index d98131113d..c4c2660f57 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -167,7 +167,7 @@ static int construct_token_groups(struct ldb_module *module,
return LDB_ERR_OPERATIONS_ERROR;
}
- status = auth_generate_session_info(tmp_ctx, auth_context, server_info, 0, &session_info);
+ status = auth_generate_session_info(tmp_ctx, auth_context->lp_ctx, ldb, server_info, 0, &session_info);
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
talloc_free(tmp_ctx);
return ldb_module_oom(module);
diff --git a/source4/samba_tool/gpo.c b/source4/samba_tool/gpo.c
index 65838d0712..93aae60983 100644
--- a/source4/samba_tool/gpo.c
+++ b/source4/samba_tool/gpo.c
@@ -215,7 +215,6 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
NTSTATUS status;
int rv;
unsigned int i;
- struct auth_context *auth_context;
if (argc != 1) {
return net_gpo_list_usage(ctx, argc, argv);
@@ -267,16 +266,8 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
return 1;
}
- /* We do now need an auth context to create a session */
- status = auth_context_create_from_ldb(gp_ctx, gp_ctx->ldb_ctx, &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to get an auth context: %s\n", get_friendly_nt_error_msg(status)));
- talloc_free(gp_ctx);
- return 1;
- }
-
/* The session info will contain the security token for this user */
- status = auth_generate_session_info(gp_ctx, auth_context, server_info, 0, &session_info);
+ status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status)));
talloc_free(gp_ctx);