-rw-r--r-- | source3/Makefile.in | 1 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_gssapi.c | 223 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_gssapi.h | 42 | ||||
-rw-r--r-- | source3/rpc_server/dcesrv_spnego.c | 1 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 1 | ||||
-rwxr-xr-x | source3/rpc_server/wscript_build | 2 |
6 files changed, 1 insertions, 269 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 69f4786695..43dabcc998 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -763,7 +763,6 @@ RPC_CONFIG = rpc_server/rpc_config.o RPC_SERVICE = rpc_server/rpc_server.o RPC_CRYPTO = rpc_server/dcesrv_auth_generic.o \ - rpc_server/dcesrv_gssapi.o \ rpc_server/dcesrv_spnego.o RPC_PIPE_OBJ = rpc_server/srv_pipe.o rpc_server/srv_pipe_hnd.o \ diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c deleted file mode 100644 index be97a64cb4..0000000000 --- a/source3/rpc_server/dcesrv_gssapi.c +++ /dev/null 
@@ -1,223 +0,0 @@
-/*
- * GSSAPI Acceptor
- * DCERPC Server functions
- * Copyright (C) Simo Sorce 2010.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, see <http://www.gnu.org/licenses/>.
- */
-
-
-#include "includes.h"
-#include "rpc_server/dcesrv_gssapi.h"
-#include "../librpc/gen_ndr/ndr_krb5pac.h"
-#include "../lib/tsocket/tsocket.h"
-#include "librpc/crypto/gse.h"
-#include "auth.h"
-#ifdef HAVE_KRB5
-#include "libcli/auth/krb5_wrap.h"
-#endif
-NTSTATUS gssapi_server_auth_start(TALLOC_CTX *mem_ctx,
- bool do_sign,
- bool do_seal,
- bool is_dcerpc,
- DATA_BLOB *token_in,
- DATA_BLOB *token_out,
- struct gse_context **ctx)
-{
- struct gse_context *gse_ctx = NULL;
- uint32_t add_flags = 0;
- NTSTATUS status;
-
- if (is_dcerpc) {
- add_flags = GSS_C_DCE_STYLE;
- }
-
- /* Let's init the gssapi machinery for this connection */
- status = gse_init_server(mem_ctx, do_sign, do_seal,
- add_flags, &gse_ctx);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
- nt_errstr(status)));
- return status;
- }
-
- status = gse_get_server_auth_token(mem_ctx, gse_ctx,
- token_in, token_out);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to parse initial client token (%s)\n",
- nt_errstr(status)));
- goto done;
- }
-
- *ctx = gse_ctx;
- status = NT_STATUS_OK;
-
-done:
- if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(gse_ctx);
- }
-
- return status;
-}
-
-NTSTATUS gssapi_server_step(struct gse_context *gse_ctx,
- TALLOC_CTX *mem_ctx,
- DATA_BLOB *token_in,
- DATA_BLOB *token_out)
-{
- NTSTATUS status;
-
- status = gse_get_server_auth_token(mem_ctx, gse_ctx,
- token_in, token_out);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (gse_require_more_processing(gse_ctx)) {
- /* ask for next leg */
- return NT_STATUS_MORE_PROCESSING_REQUIRED;
- }
-
- return NT_STATUS_OK;
-}
-
-NTSTATUS gssapi_server_check_flags(struct gse_context *gse_ctx)
-{
- return gse_verify_server_auth_flags(gse_ctx);
-}
-
-NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
- TALLOC_CTX *mem_ctx,
- const struct tsocket_address *remote_address,
- struct auth_session_info **session_info)
-{
- TALLOC_CTX *tmp_ctx;
- DATA_BLOB pac_blob;
- struct PAC_DATA *pac_data = NULL;
- struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
- bool is_mapped;
- bool is_guest;
- char *princ_name;
- char *ntuser;
- char *ntdomain;
- char *username;
- char *rhost;
- struct passwd *pw;
- NTSTATUS status;
- int rc;
-
- tmp_ctx = talloc_new(mem_ctx);
- if (!tmp_ctx) {
- return NT_STATUS_NO_MEMORY;
- }
-
- status = gse_get_pac_blob(gse_ctx, tmp_ctx, &pac_blob);
- if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
- /* TODO: Fetch user by principal name ? */
- status = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
-#ifdef HAVE_KRB5
- status = kerberos_decode_pac(tmp_ctx,
- pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
-#else
- status = NT_STATUS_ACCESS_DENIED;
-#endif
- data_blob_free(&pac_blob);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- status = gse_get_client_name(gse_ctx, tmp_ctx, &princ_name);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
-
- rc = get_remote_hostname(remote_address,
- &rhost,
- tmp_ctx);
- if (rc < 0) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
- if (strequal(rhost, "UNKNOWN")) {
- rhost = tsocket_address_inet_addr_string(remote_address,
- tmp_ctx);
- if (rhost == NULL) {
- status = NT_STATUS_NO_MEMORY;
- goto done;
- }
- }
-
- status = get_user_from_kerberos_info(tmp_ctx, rhost,
- princ_name, logon_info,
- &is_mapped, &is_guest,
- &ntuser, &ntdomain,
- &username, &pw);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to map kerberos principal to system user "
- "(%s)\n", nt_errstr(status)));
- status = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
-
- /* TODO: save PAC data in netsamlogon cache ? */
-
- status = make_session_info_krb5(mem_ctx,
- ntuser, ntdomain, username, pw,
- logon_info, is_guest, is_mapped, NULL /* No session key for now */,
- session_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
- nt_errstr(status)));
- status = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
-
- DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n",
- ntuser, ntdomain, rhost));
-
- status = NT_STATUS_OK;
-
-done:
- TALLOC_FREE(tmp_ctx);
- return status;
-}
diff --git a/source3/rpc_server/dcesrv_gssapi.h b/source3/rpc_server/dcesrv_gssapi.h
deleted file mode 100644
index 8d787b5c8d..0000000000
--- a/source3/rpc_server/dcesrv_gssapi.h
+++ /dev/null
@@ -1,42 +0,0 @@ -/* - * GSSAPI Acceptor - * DCERPC Server functions - * Copyright (C) Simo Sorce 2010. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#ifndef _DCESRV_GSSAPI_H_ -#define _DCESRV_GSSAPI_H_ - -struct gse_context; - -NTSTATUS gssapi_server_auth_start(TALLOC_CTX *mem_ctx, - bool do_sign, - bool do_seal, - bool is_dcerpc, - DATA_BLOB *token_in, - DATA_BLOB *token_out, - struct gse_context **ctx); -NTSTATUS gssapi_server_step(struct gse_context *gse_ctx, - TALLOC_CTX *mem_ctx, - DATA_BLOB *token_in, - DATA_BLOB *token_out); -NTSTATUS gssapi_server_check_flags(struct gse_context *gse_ctx); -NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx, - TALLOC_CTX *mem_ctx, - const struct tsocket_address *remote_address, - struct auth_session_info **session_info); - -#endif /* _DCESRV_GSSAPI_H_ */ diff --git a/source3/rpc_server/dcesrv_spnego.c b/source3/rpc_server/dcesrv_spnego.c index 37d6209d65..ed7d772d59 100644 --- a/source3/rpc_server/dcesrv_spnego.c +++ b/source3/rpc_server/dcesrv_spnego.c @@ -21,7 +21,6 @@ #include "../libcli/auth/spnego.h" #include "../lib/tsocket/tsocket.h" #include "dcesrv_auth_generic.h" -#include "dcesrv_gssapi.h" #include "dcesrv_spnego.h" #include "auth/gensec/gensec.h" diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index 8731a28d82..879b6deabd 100644 
--- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -34,7 +34,6 @@ #include "../libcli/auth/schannel.h" #include "../libcli/auth/spnego.h" #include "dcesrv_auth_generic.h" -#include "dcesrv_gssapi.h" #include "dcesrv_spnego.h" #include "rpc_server.h" #include "rpc_dce.h" diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build index d22d6eb14d..b06fcd20fb 100755 --- a/source3/rpc_server/wscript_build +++ b/source3/rpc_server/wscript_build @@ -37,7 +37,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_SERVICE', deps='samba-util') bld.SAMBA3_SUBSYSTEM('RPC_CRYPTO', - source='dcesrv_auth_generic.c dcesrv_gssapi.c dcesrv_spnego.c', + source='dcesrv_auth_generic.c dcesrv_spnego.c', deps = 'KRB5_PAC') bld.SAMBA3_SUBSYSTEM('RPC_PIPE_REGISTER', |