summaryrefslogtreecommitdiff
path: root/source4/auth/ntlm
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/ntlm')
-rw-r--r--source4/auth/ntlm/auth.c99
-rw-r--r--source4/auth/ntlm/wscript_build2
2 files changed, 84 insertions, 17 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 3a4ddaec5e..d2f1d88508 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -28,6 +28,16 @@
#include "dsdb/samdb/samdb.h"
#include "libcli/wbclient/wbclient.h"
#include "lib/util/samba_modules.h"
+#include "auth/credentials/credentials.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_util.h"
+
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+ struct auth4_context *auth_context,
+ struct auth_user_info_dc *user_info_dc,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info);
/***************************************************************************
Set a fixed challenge
@@ -104,24 +114,34 @@ PAC isn't available, and for tokenGroups in the DSDB stack.
Supply either a principal or a DN
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
- struct auth4_context *auth_ctx,
- const char *principal,
- struct ldb_dn *user_dn,
- struct auth_user_info_dc **user_info_dc)
+static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
NTSTATUS nt_status;
struct auth_method_context *method;
+ struct auth_user_info_dc *user_info_dc;
for (method = auth_ctx->methods; method; method = method->next) {
if (!method->ops->get_user_info_dc_principal) {
continue;
}
- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
+ nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ nt_status = auth_generate_session_info_wrapper(mem_ctx, auth_ctx,
+ user_info_dc,
+ session_info_flags, session_info);
+ talloc_free(user_info_dc);
return nt_status;
}
@@ -407,19 +427,22 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
return NT_STATUS_OK;
}
-/* Wrapper because we don't want to expose all callers to needing to
- * know that session_info is generated from the main ldb, and because
- * we need to break a depenency loop between the DCE/RPC layer and the
- * generation of unix tokens via IRPC */
+ /* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb, and because
+ * we need to break a depenency loop between the DCE/RPC layer and the
+ * generation of unix tokens via IRPC */
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
- struct auth4_context *auth_context,
- struct auth_user_info_dc *user_info_dc,
- uint32_t session_info_flags,
- struct auth_session_info **session_info)
+ struct auth4_context *auth_context,
+ struct auth_user_info_dc *user_info_dc,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
auth_context->sam_ctx, user_info_dc,
session_info_flags, session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
&& NT_STATUS_IS_OK(status)) {
@@ -441,6 +464,50 @@ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
return status;
}
+/* Wrapper because we don't want to expose all callers to needing to
+ * know anything about the PAC or auth subsystem internal structures
+ * before we output a struct auth session_info */
+static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx_out,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS status;
+ struct auth_user_info_dc *user_info_dc;
+ TALLOC_CTX *mem_ctx;
+
+ if (!pac_blob) {
+ return auth_generate_session_info_principal(auth_ctx, mem_ctx_out, principal_name,
+ NULL, session_info_flags, session_info);
+ }
+
+ mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ status = auth_generate_session_info_wrapper(mem_ctx_out, auth_ctx,
+ user_info_dc,
+ session_info_flags, session_info);
+ talloc_free(mem_ctx);
+ return status;
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
- Allow the caller to specify the methods to use, including optionally the SAM to use
@@ -462,7 +529,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
return NT_STATUS_INTERNAL_ERROR;
}
- ctx = talloc(mem_ctx, struct auth4_context);
+ ctx = talloc_zero(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
ctx->challenge.set_by = NULL;
ctx->challenge.may_be_modified = false;
@@ -499,8 +566,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->get_challenge = auth_get_challenge;
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
- ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
ctx->generate_session_info = auth_generate_session_info_wrapper;
+ ctx->generate_session_info_pac = auth_generate_session_info_pac;
*auth_ctx = ctx;
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build
index 6447bf2ea0..8a8bfcb0b6 100644
--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix',
bld.SAMBA_LIBRARY('auth4',
source='auth.c auth_util.c auth_simple.c',
autoproto='auth_proto.h',
- deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules',
+ deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules KERBEROS_UTIL',
private_library=True
)