diff options
| -rw-r--r-- | source4/auth/auth.h | 5 | ||||
| -rw-r--r-- | source4/auth/gensec/gensec.c | 16 | ||||
| -rw-r--r-- | source4/auth/system_session.c | 156 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.c | 27 |
4 files changed, 46 insertions, 158 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 0f6386fb7a..33c398df99 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -44,8 +44,9 @@ struct loadparm_context; /* version 0 - till samba4 is stable - metze */ #define AUTH_INTERFACE_VERSION 0 -#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */ -#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ +#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */ +#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ +#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */ struct auth_serversupplied_info { diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 0cb0d3d476..3c25f3b913 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -1315,18 +1315,22 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct auth_session_info **session_info) { NTSTATUS nt_status; + uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (server_info->authenticated) { + flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } if (gensec_security->auth_context) { - uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (server_info->authenticated) { - flags |= AUTH_SESSION_INFO_AUTHENTICATED; - } nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, server_info, flags, session_info); } else { - nt_status = auth_generate_simple_session_info(mem_ctx, - server_info, session_info); + flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx, + NULL, + NULL, + server_info, flags, + session_info); } return nt_status; } diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 6e0cd7be5a..1058f19f5e 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -29,120 +29,6 @@ #include "auth/session.h" #include "auth/system_session_proto.h" -/** - * Create the SID list for this user. - * - * @note Specialised version for system sessions that doesn't use the SAM. - */ -static NTSTATUS create_token(TALLOC_CTX *mem_ctx, - struct dom_sid *user_sid, - struct dom_sid *group_sid, - unsigned int n_groupSIDs, - struct dom_sid **groupSIDs, - bool is_authenticated, - struct security_token **token) -{ - struct security_token *ptoken; - unsigned int i; - - ptoken = security_token_initialise(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(ptoken); - - ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid; - ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid; - ptoken->privilege_mask = 0; - - /* - * Finally add the "standard" SIDs. - * The only difference between guest and "anonymous" - * is the addition of Authenticated_Users. - */ - - if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) { - return NT_STATUS_INTERNAL_ERROR; - } - if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids = 4; - - if (is_authenticated) { - if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - } - - for (i = 0; i < n_groupSIDs; i++) { - size_t check_sid_idx; - for (check_sid_idx = 1; - check_sid_idx < ptoken->num_sids; - check_sid_idx++) { - if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) { - break; - } - } - - if (check_sid_idx == ptoken->num_sids) { - ptoken->sids[ptoken->num_sids++] = *groupSIDs[i]; - } - } - - *token = ptoken; - - /* Shortcuts to prevent recursion and avoid lookups */ - if (ptoken->sids == NULL) { - ptoken->privilege_mask = 0; - return NT_STATUS_OK; - } - - if (security_token_is_system(ptoken)) { - ptoken->privilege_mask = ~0; - } else if (security_token_is_anonymous(ptoken)) { - ptoken->privilege_mask = 0; - } else if (security_token_has_builtin_administrators(ptoken)) { - ptoken->privilege_mask = ~0; - } else { - /* All other 'users' get a empty priv set so far */ - ptoken->privilege_mask = 0; - } - return NT_STATUS_OK; -} - -NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx, - struct auth_serversupplied_info *server_info, - struct auth_session_info **_session_info) -{ - struct auth_session_info *session_info; - NTSTATUS nt_status; - - session_info = talloc(mem_ctx, struct auth_session_info); - NT_STATUS_HAVE_NO_MEMORY(session_info); - - session_info->server_info = talloc_reference(session_info, server_info); - - /* unless set otherwise, the session key is the user session - * key from the auth subsystem */ - session_info->session_key = server_info->user_session_key; - - nt_status = create_token(session_info, - server_info->account_sid, - server_info->primary_group_sid, - server_info->n_domain_groups, - server_info->domain_groups, - server_info->authenticated, - &session_info->security_token); - NT_STATUS_NOT_OK_RETURN(nt_status); - - session_info->credentials = NULL; - - *_session_info = session_info; - return NT_STATUS_OK; -} - /* prevent the static system session being freed @@ -194,7 +80,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info); + nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -368,11 +254,10 @@ static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx, static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid, - struct auth_session_info **_session_info) + struct auth_session_info **session_info) { NTSTATUS nt_status; struct auth_serversupplied_info *server_info = NULL; - struct auth_session_info *session_info = NULL; TALLOC_CTX *mem_ctx = talloc_new(parent_ctx); nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx), @@ -383,34 +268,15 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx, return nt_status; } - session_info = talloc(mem_ctx, struct auth_session_info); - NT_STATUS_HAVE_NO_MEMORY(session_info); - - session_info->server_info = talloc_reference(session_info, server_info); - - /* unless set otherwise, the session key is the user session - * key from the auth subsystem */ - session_info->session_key = server_info->user_session_key; - - nt_status = create_token(session_info, - server_info->account_sid, - server_info->primary_group_sid, - server_info->n_domain_groups, - server_info->domain_groups, - true, - &session_info->security_token); - NT_STATUS_NOT_OK_RETURN(nt_status); - - session_info->credentials = cli_credentials_init(session_info); - if (!session_info->credentials) { - return NT_STATUS_NO_MEMORY; + nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info, + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS, + session_info); + /* There is already a reference between the sesion_info and server_info */ + if (NT_STATUS_IS_OK(nt_status)) { + talloc_steal(parent_ctx, *session_info); } - - cli_credentials_set_conf(session_info->credentials, lp_ctx); - - *_session_info = session_info; - - return NT_STATUS_OK; + talloc_free(mem_ctx); + return nt_status; } _PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid) @@ -445,7 +311,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info); + nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 7ba440006a..a8428a9c54 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -222,11 +222,28 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, } } - /* setup the privilege mask for this token */ - status = samdb_privilege_setup(lp_ctx, ptoken); - if (!NT_STATUS_IS_OK(status)) { - talloc_free(ptoken); - return status; + /* The caller may have requested simple privilages, for example if there isn't a local DB */ + if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { + /* Shortcuts to prevent recursion and avoid lookups */ + if (ptoken->sids == NULL) { + ptoken->privilege_mask = 0; + } else if (security_token_is_system(ptoken)) { + ptoken->privilege_mask = ~0; + } else if (security_token_is_anonymous(ptoken)) { + ptoken->privilege_mask = 0; + } else if (security_token_has_builtin_administrators(ptoken)) { + ptoken->privilege_mask = ~0; + } else { + /* All other 'users' get a empty priv set so far */ + ptoken->privilege_mask = 0; + } + } else { + /* setup the privilege mask for this token */ + status = samdb_privilege_setup(lp_ctx, ptoken); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(ptoken); + return status; + } } security_token_debug(0, 10, ptoken); |