diff options
-rw-r--r-- | source4/auth/auth_sam_reply.c | 81 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 31 | ||||
-rw-r--r-- | source4/include/structs.h | 1 |
3 files changed, 98 insertions, 15 deletions
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c index 2ff071f737..6b16d3e610 100644 --- a/source4/auth/auth_sam_reply.c +++ b/source4/auth/auth_sam_reply.c @@ -107,3 +107,84 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, + struct auth_serversupplied_info *server_info, + struct netr_SamInfo3 **_sam3) +{ + struct netr_SamBaseInfo *sam; + struct netr_SamInfo3 *sam3 = talloc_zero(mem_ctx, struct netr_SamInfo3); + NT_STATUS_HAVE_NO_MEMORY(sam3); + + sam = &sam3->base; + + sam->last_logon = server_info->last_logon; + sam->last_logoff = server_info->last_logoff; + sam->acct_expiry = server_info->acct_expiry; + sam->last_password_change = server_info->last_password_change; + sam->allow_password_change = server_info->allow_password_change; + sam->force_password_change = server_info->force_password_change; + + sam->account_name.string = server_info->account_name; + sam->full_name.string = server_info->full_name; + sam->logon_script.string = server_info->logon_script; + sam->profile_path.string = server_info->profile_path; + sam->home_directory.string = server_info->home_directory; + sam->home_drive.string = server_info->home_drive; + + sam->logon_count = server_info->logon_count; + sam->bad_password_count = sam->bad_password_count; + sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1]; + sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; + + sam->groups.count = 0; + sam->groups.rids = NULL; + + sam->user_flags = 0x20; /* TODO: w2k3 uses 0x120. We know 0x20 + * as extra sids (PAC doc) but what is + * 0x100? */ + sam->acct_flags = server_info->acct_flags; + sam->logon_server.string = lp_netbios_name(); + sam->domain.string = server_info->domain_name; + + sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); + NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); + sam->domain_sid->num_auths--; + + ZERO_STRUCT(sam->unknown); + + ZERO_STRUCT(sam->key); + if (server_info->user_session_key.length == sizeof(sam->key.key)) { + memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key)); + } + + ZERO_STRUCT(sam->LMSessKey); + if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) { + memcpy(sam->LMSessKey.key, server_info->lm_session_key.data, + sizeof(sam->LMSessKey.key)); + } + + sam3->sidcount = 0; + sam3->sids = NULL; + + if (server_info->n_domain_groups > 0) { + int i; + sam3->sids = talloc_array(sam, struct netr_SidAttr, + server_info->n_domain_groups); + NT_STATUS_HAVE_NO_MEMORY(sam3->sids); + + for (i=0; i<server_info->n_domain_groups; i++) { + if (!dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) { + continue; + } + sam3->sids[sam3->sidcount].sid = talloc_reference(sam3->sids,server_info->domain_groups[i]); + sam3->sids[sam3->sidcount].attribute = + SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + sam3->sidcount += 1; + } + } + + *_sam3 = sam3; + + return NT_STATUS_OK; +} + diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index c659db064b..b0844187e5 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c @@ -230,7 +230,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, DATA_BLOB server_checksum_blob; krb5_error_code ret; struct PAC_DATA *pac_data = talloc(mem_ctx, struct PAC_DATA); - struct netr_SamBaseInfo *sam; + struct netr_SamInfo3 *sam3; struct timeval tv = timeval_current(); union PAC_INFO *u_LOGON_INFO; struct PAC_LOGON_INFO *LOGON_INFO; @@ -244,8 +244,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, enum { PAC_BUF_LOGON_INFO = 0, PAC_BUF_LOGON_NAME = 1, - PAC_BUF_KDC_CHECKSUM = 2, - PAC_BUF_SRV_CHECKSUM = 3, + PAC_BUF_SRV_CHECKSUM = 2, + PAC_BUF_KDC_CHECKSUM = 3, PAC_BUF_NUM_BUFFERS = 4 }; @@ -283,16 +283,6 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, pac_data->buffers[PAC_BUF_LOGON_NAME].info = u_LOGON_NAME; LOGON_NAME = &u_LOGON_NAME->logon_name; - /* KDC_CHECKSUM */ - u_KDC_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO); - if (!u_KDC_CHECKSUM) { - talloc_free(pac_data); - return ENOMEM; - } - pac_data->buffers[PAC_BUF_KDC_CHECKSUM].type = PAC_TYPE_KDC_CHECKSUM; - pac_data->buffers[PAC_BUF_KDC_CHECKSUM].info = u_KDC_CHECKSUM; - KDC_CHECKSUM = &u_KDC_CHECKSUM->kdc_cksum; - /* SRV_CHECKSUM */ u_SRV_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO); if (!u_SRV_CHECKSUM) { @@ -303,6 +293,16 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, pac_data->buffers[PAC_BUF_SRV_CHECKSUM].info = u_SRV_CHECKSUM; SRV_CHECKSUM = &u_SRV_CHECKSUM->srv_cksum; + /* KDC_CHECKSUM */ + u_KDC_CHECKSUM = talloc_zero(pac_data->buffers, union PAC_INFO); + if (!u_KDC_CHECKSUM) { + talloc_free(pac_data); + return ENOMEM; + } + pac_data->buffers[PAC_BUF_KDC_CHECKSUM].type = PAC_TYPE_KDC_CHECKSUM; + pac_data->buffers[PAC_BUF_KDC_CHECKSUM].info = u_KDC_CHECKSUM; + KDC_CHECKSUM = &u_KDC_CHECKSUM->kdc_cksum; + /* now the real work begins... */ LOGON_INFO = talloc_zero(u_LOGON_INFO, struct PAC_LOGON_INFO); @@ -310,7 +310,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, talloc_free(pac_data); return ENOMEM; } - nt_status = auth_convert_server_info_sambaseinfo(LOGON_INFO, server_info, &sam); + nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status))); talloc_free(pac_data); @@ -318,7 +318,8 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx, } u_LOGON_INFO->logon_info.info = LOGON_INFO; - LOGON_INFO->info3.base = *sam; + LOGON_INFO->info3 = *sam3; + LOGON_INFO->info3.base.last_logon = timeval_to_nttime(&tv); LOGON_NAME->account_name = server_info->account_name; LOGON_NAME->logon_time = timeval_to_nttime(&tv); diff --git a/source4/include/structs.h b/source4/include/structs.h index e9c8c69fd7..e243d78f20 100644 --- a/source4/include/structs.h +++ b/source4/include/structs.h @@ -104,6 +104,7 @@ struct netr_Credential; struct netr_Authenticator; union netr_Validation; struct netr_SamBaseInfo; +struct netr_SamInfo3; struct iface_struct; |