diff options
Diffstat (limited to 'source4/auth/gensec/gensec_util.c')
-rw-r--r-- | source4/auth/gensec/gensec_util.c | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c index 267366af61..fa28c6528c 100644 --- a/source4/auth/gensec/gensec_util.c +++ b/source4/auth/gensec/gensec_util.c @@ -22,8 +22,13 @@ #include "includes.h" #include "auth/gensec/gensec.h" +#include "auth/gensec/gensec_proto.h" #include "auth/auth.h" +#include "auth/credentials/credentials.h" #include "auth/system_session_proto.h" +#include "system/kerberos.h" +#include "auth/kerberos/kerberos.h" +#include "auth/kerberos/kerberos_util.h" NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, struct gensec_security *gensec_security, @@ -57,3 +62,95 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx, } return nt_status; } + +NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out, + struct gensec_security *gensec_security, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_string, + const struct tsocket_address *remote_address, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + uint32_t session_info_flags = 0; + TALLOC_CTX *mem_ctx; + struct auth_user_info_dc *user_info_dc; + struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; + struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + + if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) { + session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN; + } + + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { + if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { + DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", + principal_string)); + return NT_STATUS_ACCESS_DENIED; + } + DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n", + principal_string)); + } + + if (gensec_security->auth_context) { + return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context, + mem_ctx_out, + smb_krb5_context, + pac_blob, + principal_string, + remote_address, + session_info_flags, + session_info); + } else if (!pac_blob) { + DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n")); + return NT_STATUS_NO_SUCH_USER; + } + + mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_srv_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); + if (!pac_kdc_sig) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, + pac_srv_sig, + pac_kdc_sig); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx_out, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + return nt_status; + } + + if ((*session_info)->torture) { + (*session_info)->torture->pac_srv_sig + = talloc_steal((*session_info)->torture, pac_srv_sig); + (*session_info)->torture->pac_kdc_sig + = talloc_steal((*session_info)->torture, pac_kdc_sig); + } + + talloc_free(mem_ctx); + return nt_status; +} |