diff options
Diffstat (limited to 'auth')
-rw-r--r-- | auth/common_auth.h | 5 | ||||
-rw-r--r-- | auth/gensec/gensec.h | 14 | ||||
-rw-r--r-- | auth/gensec/gensec_util.c | 95 | ||||
-rw-r--r-- | auth/gensec/wscript_build | 2 |
4 files changed, 115 insertions, 1 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h index ce3444ce7a..40f7da4fe7 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -33,6 +33,11 @@ enum auth_password_state { AUTH_PASSWORD_RESPONSE = 3 }; +#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */ +#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */ +#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */ +#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */ + struct auth_usersupplied_info { const char *workstation_name; diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h index be330e97fa..a1ae634bf8 100644 --- a/auth/gensec/gensec.h +++ b/auth/gensec/gensec.h @@ -313,4 +313,18 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal); +NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct auth_user_info_dc *user_info_dc, + struct auth_session_info **session_info); + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info); + + #endif /* __GENSEC_H__ */ diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c new file mode 100644 index 0000000000..44da345438 --- /dev/null +++ b/auth/gensec/gensec_util.c @@ -0,0 +1,95 @@ +/* + Unix SMB/CIFS implementation. + + Generic Authentication Interface + + Copyright (C) Andrew Tridgell 2003 + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "auth/gensec/gensec.h" +#include "auth/common_auth.h" + +NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct auth_user_info_dc *user_info_dc, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + uint32_t session_info_flags = 0; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (user_info_dc->info->authenticated) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + if (gensec_security->auth_context) { + nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context, + user_info_dc, + session_info_flags, + session_info); + } else { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; + } + return nt_status; +} + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info) +{ + uint32_t session_info_flags = 0; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", + principal_string)); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n", + principal_string)); + } + + if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) { + return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, + mem_ctx, + smb_krb5_context, + pac_blob, + principal_string, + remote_address, + session_info_flags, + session_info); + } else { + DEBUG(0, ("Cannot generate a session_info without the auth_context\n")); + return NT_STATUS_INTERNAL_ERROR; + } +} diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build index e3e9372c3d..03d97e6cc9 100644 --- a/auth/gensec/wscript_build +++ b/auth/gensec/wscript_build @@ -1,6 +1,6 @@ #!/usr/bin/env python bld.SAMBA_LIBRARY('gensec', - source='gensec.c gensec_start.c', + source='gensec.c gensec_start.c gensec_util.c', pc_files='gensec.pc', autoproto='gensec_toplevel_proto.h', public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util', |