-rw-r--r--auth/auth_sam_reply.c84
-rw-r--r--auth/auth_sam_reply.h7
-rw-r--r--source3/auth/auth_util.c18
-rw-r--r--source4/auth/gensec/gensec_krb5.c1
-rw-r--r--source4/auth/ntlm/auth_winbind.c7
-rw-r--r--source4/torture/auth/pac.c4
-rw-r--r--source4/torture/rpc/remote_pac.c1
7 files changed, 77 insertions, 45 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 5cd4530eff..1644278bf0 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -175,16 +175,64 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
}
/**
+ * Make a user_info struct from the info3 or similar returned by a domain logon.
+ *
+ * The netr_SamInfo3 is also a key structure in the source3 auth subsystem
+ */
+
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+ const char *account_name,
+ struct netr_SamBaseInfo *base,
+ bool authenticated,
+ struct auth_user_info **_user_info)
+{
+ struct auth_user_info *info;
+
+ info = talloc_zero(mem_ctx, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(info);
+
+ if (base->account_name.string) {
+ info->account_name = talloc_reference(info, base->account_name.string);
+ } else {
+ info->account_name = talloc_strdup(info, account_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+ }
+
+ info->domain_name = talloc_reference(info, base->domain.string);
+ info->full_name = talloc_reference(info, base->full_name.string);
+ info->logon_script = talloc_reference(info, base->logon_script.string);
+ info->profile_path = talloc_reference(info, base->profile_path.string);
+ info->home_directory = talloc_reference(info, base->home_directory.string);
+ info->home_drive = talloc_reference(info, base->home_drive.string);
+ info->logon_server = talloc_reference(info, base->logon_server.string);
+ info->last_logon = base->last_logon;
+ info->last_logoff = base->last_logoff;
+ info->acct_expiry = base->acct_expiry;
+ info->last_password_change = base->last_password_change;
+ info->allow_password_change = base->allow_password_change;
+ info->force_password_change = base->force_password_change;
+ info->logon_count = base->logon_count;
+ info->bad_password_count = base->bad_password_count;
+ info->acct_flags = base->acct_flags;
+
+ info->authenticated = authenticated;
+
+ *_user_info = info;
+ return NT_STATUS_OK;
+}
+
+/**
* Make a user_info_dc struct from the info3 returned by a domain logon
*/
NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
union netr_Validation *validation,
+ bool authenticated,
struct auth_user_info_dc **_user_info_dc)
{
+ NTSTATUS status;
struct auth_user_info_dc *user_info_dc;
- struct auth_user_info *info;
struct netr_SamBaseInfo *base = NULL;
uint32_t i;
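Review bot: In the first branch of make_user_info_SamBaseInfo the talloc_reference() result is stored into info->account_name unchecked, while the talloc_strdup branch right below it does check; since base->account_name.string is known non-NULL there, a NULL return can only be an allocation failure and should be reported with `NT_STATUS_HAVE_NO_MEMORY(info->account_name);` after the reference. The later talloc_reference calls (domain_name through logon_server) cannot be checked the same way, because a NULL source string legitimately yields NULL, which is unchanged from the code this function was extracted from. The new doc comment should also say what the new parameter means, since every caller now decides it: `@param authenticated copied unchanged into info->authenticated; pass false only for a session that was not actually verified (e.g. guest)`. The body of make_user_info_dc_netlogon_validation continues past the end of this hunk.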
@@ -287,35 +335,11 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
/* Where are the 'global' sids?... */
}
- user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
- NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
-
- if (base->account_name.string) {
- info->account_name = talloc_reference(info, base->account_name.string);
- } else {
- info->account_name = talloc_strdup(info, account_name);
- NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+ status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- info->domain_name = talloc_reference(info, base->domain.string);
- info->full_name = talloc_reference(info, base->full_name.string);
- info->logon_script = talloc_reference(info, base->logon_script.string);
- info->profile_path = talloc_reference(info, base->profile_path.string);
- info->home_directory = talloc_reference(info, base->home_directory.string);
- info->home_drive = talloc_reference(info, base->home_drive.string);
- info->logon_server = talloc_reference(info, base->logon_server.string);
- info->last_logon = base->last_logon;
- info->last_logoff = base->last_logoff;
- info->acct_expiry = base->acct_expiry;
- info->last_password_change = base->last_password_change;
- info->allow_password_change = base->allow_password_change;
- info->force_password_change = base->force_password_change;
- info->logon_count = base->logon_count;
- info->bad_password_count = base->bad_password_count;
- info->acct_flags = base->acct_flags;
-
- info->authenticated = true;
-
/* ensure we are never given NULL session keys */
if (all_zero(base->key.key, sizeof(base->key.key))) {
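Review bot: The new call `status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);` runs well past 80 columns, which the surrounding Samba code avoids; put one argument per line, aligned under the opening parenthesis as the other call sites in this commit do. On the error return that follows, user_info_dc (allocated earlier in this function, outside the hunk) is left to the caller's mem_ctx rather than freed explicitly, which matches the behaviour of the NT_STATUS_HAVE_NO_MEMORY returns this replaces but is worth a one-line comment if that is intentional. The enclosing function starts and ends outside this hunk.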
@@ -350,7 +374,9 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
validation.sam3 = &pac_logon_info->info3;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
+ true, /* This user was authenticated */
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index bd92872009..c782c1c5cc 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -32,6 +32,12 @@
/* The following definitions come from auth/auth_sam_reply.c */
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+ const char *account_name,
+ struct netr_SamBaseInfo *base,
+ bool authenticated,
+ struct auth_user_info **_user_info);
+
NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
struct auth_user_info_dc *user_info_dc,
struct netr_SamBaseInfo **_sam);
@@ -46,6 +52,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
union netr_Validation *validation,
+ bool authenticated,
struct auth_user_info_dc **_user_info_dc);
/**
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0ef7df88b3..0627911aeb 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -465,8 +465,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct dom_sid tmp_sid;
struct auth_session_info *session_info;
struct wbcUnixId *ids;
- struct auth_user_info_dc *user_info_dc;
- union netr_Validation val;
/* Ensure we can't possible take a code path leading to a
* null defref. */
@@ -547,22 +545,16 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
- val.sam3 = server_info->info3;
-
- /* Convert into something we can build a struct
- * auth_session_info from. Most of the work here
- * will be to convert the SIDS, which we will then ignore, but
- * this is the easier way to handle it */
- status = make_user_info_dc_netlogon_validation(talloc_tos(), "", 3, &val, &user_info_dc);
+ /* We need to populate session_info->info with the information found in server_info->info3 */
+ status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base,
+ server_info->guest == false,
+ &session_info->info);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("conversion of info3 into user_info_dc failed!\n"));
+ DEBUG(0, ("conversion of info3 into auth_user_info failed!\n"));
TALLOC_FREE(session_info);
return status;
}
- session_info->info = talloc_move(session_info, &user_info_dc->info);
- talloc_free(user_info_dc);
-
/*
* If winbind is not around, we can not make much use of the SIDs the
* domain controller provided us with. Likewise if the user name was
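Review bot: `&server_info->info3->base` dereferences server_info->info3 directly, whereas the replaced code only stored the pointer into val.sam3 and left any NULL handling to make_user_info_dc_netlogon_validation; unless the "null defref" guard above this hunk already rejects a NULL info3, add `if (server_info->info3 == NULL) { TALLOC_FREE(session_info); return NT_STATUS_INVALID_PARAMETER; }` before the call. Allocating the auth_user_info directly on session_info is a good simplification, and the TALLOC_FREE(session_info) on the error path still releases the partial result. As a point of style, `server_info->guest == false` reads more naturally as `!server_info->guest`. create_local_token starts and ends outside this hunk.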
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index c3e3b98f74..d47bc7709c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -714,6 +714,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
NULL,
3, &validation,
+ true, /* This user was authenticated */
&user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index da152e718a..63827ef755 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -220,6 +220,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
user_info->client.account_name,
s->req.in.validation_level,
&s->req.out.validation,
+ true, /* This user was authenticated */
user_info_dc);
NT_STATUS_NOT_OK_RETURN(status);
@@ -304,8 +305,10 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
validation.sam3 = &info3;
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
- user_info->client.account_name,
- 3, &validation, user_info_dc);
+ user_info->client.account_name,
+ 3, &validation,
+ true, /* This user was authenticated */
+ user_info_dc);
return nt_status;
}
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index f09e039964..4840a79b7f 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -223,7 +223,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
- &user_info_dc_out);
+ true, /* This user was authenticated */
+ &user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
torture_fail(tctx,
talloc_asprintf(tctx,
@@ -487,6 +488,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
+ true, /* This user was authenticated */
&user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 70912781a8..37fb8af147 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -598,6 +598,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
ninfo.identity_info.account_name.string,
r.in.validation_level,
r.out.validation,
+ true, /* This user was authenticated */
&netlogon_user_info_dc);
torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");