Diffstat (limited to 'auth')
-rw-r--r--auth/common_auth.h5
-rw-r--r--auth/gensec/gensec.h14
-rw-r--r--auth/gensec/gensec_util.c95
-rw-r--r--auth/gensec/wscript_build2
4 files changed, 115 insertions, 1 deletions
diff --git a/auth/common_auth.h b/auth/common_auth.h
index ce3444ce7a..40f7da4fe7 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -33,6 +33,11 @@ enum auth_password_state {
AUTH_PASSWORD_RESPONSE = 3
};
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
+#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
+
struct auth_usersupplied_info
{
const char *workstation_name;
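Review bot: The comment on `AUTH_SESSION_INFO_SIMPLE_PRIVILEGES` misspells "privileges"; suggest `/* Use a trivial map between users and privileges, rather than a DB */`. These four values form the bit set that gensec_util.c builds into `session_info_flags` and hands to the auth_context callbacks, and a one-line comment above the group saying so, e.g. `/* Bit flags for the session_info_flags argument of the auth_context generate_session_info callbacks */`, would make their purpose clear to readers of this header. Aligning the values and comments into columns would also match the surrounding declarations.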
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index be330e97fa..a1ae634bf8 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -313,4 +313,18 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct auth_user_info_dc *user_info_dc,
+ struct auth_session_info **session_info);
+
+NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_string,
+ const struct tsocket_address *remote_address,
+ struct auth_session_info **session_info);
+
+
#endif /* __GENSEC_H__ */
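Review bot: Neither new prototype documents its contract, and the one detail callers most need is not obvious from the signature: `pac_blob` may be NULL, and the implementation's handling of that case is decided by the `gensec:require_pac` setting. A comment on `gensec_generate_session_info_pac` such as `/* pac_blob may be NULL; whether a ticket without a PAC is accepted depends on the gensec:require_pac setting */` would capture that. A matching one-liner on `gensec_generate_session_info` noting that it returns NT_STATUS_INTERNAL_ERROR when `gensec_security` has no auth_context would complete the pair.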
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
new file mode 100644
index 0000000000..44da345438
--- /dev/null
+++ b/auth/gensec/gensec_util.c
@@ -0,0 +1,95 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ Generic Authentication Interface
+
+ Copyright (C) Andrew Tridgell 2003
+ Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/gensec/gensec.h"
+#include "auth/common_auth.h"
+
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct auth_user_info_dc *user_info_dc,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ uint32_t session_info_flags = 0;
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ if (gensec_security->auth_context) {
+ nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+ user_info_dc,
+ session_info_flags,
+ session_info);
+ } else {
+ DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ return nt_status;
+}
+
+NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_string,
+ const struct tsocket_address *remote_address,
+ struct auth_session_info **session_info)
+{
+ uint32_t session_info_flags = 0;
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+
+ if (!pac_blob) {
+ if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+ principal_string));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
+ principal_string));
+ }
+
+ if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
+ return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
+ mem_ctx,
+ smb_krb5_context,
+ pac_blob,
+ principal_string,
+ remote_address,
+ session_info_flags,
+ session_info);
+ } else {
+ DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+}
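Review bot: The require_pac test at `if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false))` looks inverted relative to its own log messages: with the default of false a missing PAC is rejected with the "failing to allow access" message, while setting require_pac to true falls through to "resorting to local user lookup". Unless the setting is deliberately read the other way round, the negation should be dropped so that `if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {` guards the NT_STATUS_ACCESS_DENIED return; either way the setting name and the two messages must agree, since this branch decides whether a ticket without a PAC may fall back to a local user lookup. Separately, the DEBUG(0) at the end of gensec_generate_session_info_pac reports "without the auth_context" even when auth_context is present but its generate_session_info_pac callback is NULL; checking the two conditions separately or naming both in the message would make that failure diagnosable. In gensec_generate_session_info, `user_info_dc->info->authenticated` is dereferenced before the auth_context check, so a NULL user_info_dc faults rather than returning an error — worth an early `if (user_info_dc == NULL || user_info_dc->info == NULL) return NT_STATUS_INVALID_PARAMETER;` if callers can pass NULL.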
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index e3e9372c3d..03d97e6cc9 100644
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -1,6 +1,6 @@
#!/usr/bin/env python
bld.SAMBA_LIBRARY('gensec',
- source='gensec.c gensec_start.c',
+ source='gensec.c gensec_start.c gensec_util.c',
pc_files='gensec.pc',
autoproto='gensec_toplevel_proto.h',
public_deps='tevent-util samba-util errors LIBPACKET auth_system_session samba-modules gensec_util',