Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth.c | 12 | ||||
-rw-r--r-- | source4/auth/auth.h | 34 | ||||
-rw-r--r-- | source4/auth/auth_builtin.c | 24 | ||||
-rw-r--r-- | source4/auth/auth_ntlmssp.c | 2 | ||||
-rw-r--r-- | source4/auth/auth_sam.c | 48 | ||||
-rw-r--r-- | source4/auth/auth_util.c | 83 |
6 files changed, 117 insertions, 86 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 49480eeac4..f22ca348e6 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -32,7 +32,7 @@ static const uint8_t *get_ntlm_challenge(struct auth_context *auth_context)
 {
 	DATA_BLOB challenge = data_blob(NULL, 0);
 	const char *challenge_set_by = NULL;
-	auth_methods *auth_method;
+	struct auth_methods *auth_method;
 	TALLOC_CTX *mem_ctx;
 
 	if (auth_context->challenge.length) {
@@ -158,7 +158,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 {
 	/* if all the modules say 'not for me' this is reasonable */
 	NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
-	auth_methods *auth_method;
+	struct auth_methods *auth_method;
 	TALLOC_CTX *mem_ctx;
 
 	if (!user_info || !auth_context || !server_info)
@@ -253,7 +253,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 
 static void free_auth_context(struct auth_context **auth_context)
 {
-	auth_methods *auth_method;
+	struct auth_methods *auth_method;
 
 	if (*auth_context) {
 		/* Free private data of context's authentication methods */
@@ -301,8 +301,8 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context)
 
 static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list)
 {
-	auth_methods *list = NULL;
-	auth_methods *t = NULL;
+	struct auth_methods *list = NULL;
+	struct auth_methods *t = NULL;
 	int i;
 	NTSTATUS nt_status;
 
@@ -342,7 +342,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
 		if (NT_STATUS_IS_OK(ops->init(*auth_context, module_params, &t))) {
 			DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
 				 *text_list));
-			DLIST_ADD_END(list, t, auth_methods *);
+			DLIST_ADD_END(list, t, struct auth_methods *);
 		} else {
 			DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
 				 *text_list));
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index c6a025dba8..c8347cad20 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -37,7 +37,7 @@ typedef struct auth_str
 	char *str;
 } AUTH_STR;
 
-typedef struct auth_usersupplied_info
+struct auth_usersupplied_info
 {
 	DATA_BLOB lm_resp;
 
@@ -54,7 +54,7 @@ typedef struct auth_usersupplied_info
 
 	AUTH_STR smb_name; /* username before mapping */
 	AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
-} auth_usersupplied_info;
+};
 
 #define SAM_FILL_NAME 0x01
 #define SAM_FILL_INFO3 0x02
@@ -62,20 +62,34 @@ typedef struct auth_usersupplied_info
 #define SAM_FILL_UNIX 0x08
 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
 
-typedef struct auth_serversupplied_info
+struct auth_serversupplied_info
 {
 	TALLOC_CTX *mem_ctx;
 
 	BOOL guest;
 
-	/* NT group information taken from the info3 structure */
-
-	NT_USER_TOKEN *ptok;
+	struct dom_sid *user_sid;
+	struct dom_sid *primary_group_sid;
+
+	size_t n_domain_groups;
+	struct dom_sid **domain_groups;
 
 	DATA_BLOB user_session_key;
 	DATA_BLOB lm_session_key;
 
-} auth_serversupplied_info;
+};
+
+struct auth_session_info
+{
+	TALLOC_CTX *mem_ctx;
+	/* NT group information taken from the info3 structure */
+
+	NT_USER_TOKEN *nt_user_token;
+
+	struct auth_serversupplied_info *server_info;
+
+	DATA_BLOB session_key;
+};
 
 struct auth_context {
 	DATA_BLOB challenge;
@@ -98,7 +112,7 @@ struct auth_context {
 	void (*free)(struct auth_context **auth_context);
 };
 
-typedef struct auth_methods
+struct auth_methods
 {
 	struct auth_methods *prev, *next;
 	const char *name; /* What name got this module */
@@ -107,7 +121,7 @@ typedef struct auth_methods
 				 void *my_private_data,
 				 TALLOC_CTX *mem_ctx,
 				 const struct auth_usersupplied_info *user_info,
-				 auth_serversupplied_info **server_info);
+				 struct auth_serversupplied_info **server_info);
 
 	DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
 			      void **my_private_data,
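Review bot: The new `auth_serversupplied_info` members (`user_sid`, `primary_group_sid`, `n_domain_groups`, `domain_groups`) and the new `auth_session_info` struct carry no comment on who allocates them or which context they live on, and the one comment that survives, `/* NT group information taken from the info3 structure */`, now sits above `nt_user_token`, which in this commit is built by `create_nt_user_token` in make_session_info rather than copied from an info3. I would document the lifetime the rest of the commit relies on, e.g. above `user_sid`: `/* SIDs and the domain_groups array are allocated on mem_ctx; make_session_info() takes mem_ctx over */`, and above `auth_session_info.mem_ctx`: `/* taken over from server_info by make_session_info(); server_info->mem_ctx is NULL afterwards */`. That every producer really allocates on `mem_ctx` is only visible here for check_sam_security and make_server_info_guest, so the wording should be checked against the remaining callers before it goes in.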
@@ -122,7 +136,7 @@ typedef struct auth_methods
 
 	/* Function to send a keepalive message on the above structure */
 	void (*send_keepalive)(void **private_data);
-} auth_methods;
+};
 
 typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **);
 
diff --git a/source4/auth/auth_builtin.c b/source4/auth/auth_builtin.c
index b5f5a101f4..d890b0ec72 100644
--- a/source4/auth/auth_builtin.c
+++ b/source4/auth/auth_builtin.c
@@ -35,8 +35,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
 
 				     void *my_private_data,
 				     TALLOC_CTX *mem_ctx,
-				     const auth_usersupplied_info *user_info,
-				     auth_serversupplied_info **server_info)
+				     const struct auth_usersupplied_info *user_info,
+				     struct auth_serversupplied_info **server_info)
 {
 	/* mark this as 'not for me' */
 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -51,7 +51,9 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
 
 /* Guest modules initialisation */
 
-static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
+static NTSTATUS auth_init_guest(struct auth_context *auth_context,
+				const char *options,
+				struct auth_methods **auth_method)
 {
 	if (!make_auth_methods(auth_context, auth_method))
 		return NT_STATUS_NO_MEMORY;
@@ -78,8 +80,8 @@ static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *o
 static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_context,
 						void *my_private_data,
 						TALLOC_CTX *mem_ctx,
-						const auth_usersupplied_info *user_info,
-						auth_serversupplied_info **server_info)
+						const struct auth_usersupplied_info *user_info,
+						struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
 	fstring user;
@@ -103,7 +105,9 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
 
 /** Module initialisation function */
 
-static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context,
+					   const char *param,
+					   struct auth_methods **auth_method)
 {
 	if (!make_auth_methods(auth_context, auth_method))
 		return NT_STATUS_NO_MEMORY;
@@ -131,8 +135,8 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
 static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
 					       void *my_private_data,
 					       TALLOC_CTX *mem_ctx,
-					       const auth_usersupplied_info *user_info,
-					       auth_serversupplied_info **server_info)
+					       const struct auth_usersupplied_info *user_info,
+					       struct auth_serversupplied_info **server_info)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
@@ -152,7 +156,9 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex
 
 /** Module initailisation function */
 
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context,
+					  const char *param,
+					  struct auth_methods **auth_method)
 {
 	if (!make_auth_methods(auth_context, auth_method))
 		return NT_STATUS_NO_MEMORY;
diff --git a/source4/auth/auth_ntlmssp.c b/source4/auth/auth_ntlmssp.c
index 7e854359e0..29bd92e7ef 100644
--- a/source4/auth/auth_ntlmssp.c
+++ b/source4/auth/auth_ntlmssp.c
@@ -78,7 +78,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
 {
 	struct auth_ntlmssp_state *auth_ntlmssp_state =	ntlmssp_state->auth_context;
-	auth_usersupplied_info *user_info = NULL;
+	struct auth_usersupplied_info *user_info = NULL;
 	NTSTATUS nt_status;
 
 #if 0
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 3b51b2f396..5d6e0b22f6 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -33,8 +33,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 				TALLOC_CTX *mem_ctx,
 				const char *username,
 				uint16_t acct_flags,
-				const uint8_t lm_pw[16], const uint8_t nt_pw[16],
-				const auth_usersupplied_info *user_info,
+				const struct samr_Password *lm_pwd,
+				const struct samr_Password *nt_pwd,
+				const struct auth_usersupplied_info *user_info,
 				DATA_BLOB *user_sess_key,
 				DATA_BLOB *lm_sess_key)
 {
@@ -57,7 +58,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
 				 username,
 				 user_info->smb_name.str,
 				 user_info->client_domain.str,
-				 lm_pw, nt_pw, user_sess_key, lm_sess_key);
+				 lm_pwd->hash, nt_pwd->hash, user_sess_key, lm_sess_key);
 }
 
 
@@ -73,7 +74,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
 			       NTTIME *must_change_time,
 			       NTTIME *last_set_time,
 			       const char *workstation_list,
-			       const auth_usersupplied_info *user_info)
+			       const struct auth_usersupplied_info *user_info)
 {
 	DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username));
 
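Review bot: In the `-57,7` hunk `sam_password_ok` now dereferences both new pointer parameters unconditionally, `lm_pwd->hash, nt_pwd->hash`, whereas the old `const uint8_t lm_pw[16]`/`nt_pw[16]` arrays were passed through untouched; if a caller can hand in a NULL `lm_pwd` (an account with no LM hash stored) this is a NULL dereference on the logon path. How `lm_pwd` and `nt_pwd` are filled in check_sam_security is not in this diff (the `-187,7` hunk only shows their declaration as `struct samr_Password *`), so this is inferred, not proven. I would either write `lm_pwd ? lm_pwd->hash : NULL, nt_pwd ? nt_pwd->hash : NULL,` or state in the function's header comment that both must be non-NULL and have the single caller enforce it.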
@@ -165,8 +166,8 @@ return an NT_STATUS constant.
 static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 				   void *my_private_data,
 				   TALLOC_CTX *mem_ctx,
-				   const auth_usersupplied_info *user_info,
-				   auth_serversupplied_info **server_info)
+				   const struct auth_usersupplied_info *user_info,
+				   struct auth_serversupplied_info **server_info)
 {
 	struct ldb_message **msgs;
 	struct ldb_message **msgs_domain;
@@ -187,7 +188,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 	NTSTATUS nt_status;
 	DATA_BLOB user_sess_key = data_blob(NULL, 0);
 	DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-	uint8_t *lm_pwd, *nt_pwd;
+	struct samr_Password *lm_pwd, *nt_pwd;
 	const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", "userAccountControl",
@@ -311,7 +312,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 		/* find list of sids */
 		struct dom_sid **groupSIDs = NULL;
 		struct dom_sid *user_sid;
-		struct dom_sid *group_sid;
+		struct dom_sid *primary_group_sid;
 		const char *sidstr;
 		int i;
 
@@ -335,19 +336,16 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 
 		sidstr = ldb_msg_find_string(msgs[0], "objectSid", NULL);
 		user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
-		group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
-		group_sid->sub_auths[group_sid->num_auths-1]
+		primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+		primary_group_sid->sub_auths[primary_group_sid->num_auths-1]
 			= samdb_result_uint(msgs[0], "primaryGroupID", 0);
 
-		if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
-								       user_sid, group_sid,
-								       group_ret, groupSIDs,
-								       False, &(*server_info)->ptok))) {
-			DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
-			free_server_info(server_info);
-			samdb_close(sam_ctx);
-			return nt_status;
-		}
+		(*server_info)->user_sid = user_sid;
+		(*server_info)->primary_group_sid = primary_group_sid;
+
+		(*server_info)->n_domain_groups = group_ret;
+		(*server_info)->domain_groups = groupSIDs;
+
 	}
 
 	(*server_info)->guest = False;
@@ -359,7 +357,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 }
 
 /* module initialisation */
-static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context,
+					   const char *param,
+					   struct auth_methods **auth_method)
 {
 	if (!make_auth_methods(auth_context, auth_method)) {
 		return NT_STATUS_NO_MEMORY;
@@ -378,8 +378,8 @@ Check SAM security (above) but with a few extra checks.
 static NTSTATUS check_samstrict_security(const struct auth_context *auth_context,
 					 void *my_private_data,
 					 TALLOC_CTX *mem_ctx,
-					 const auth_usersupplied_info *user_info,
-					 auth_serversupplied_info **server_info)
+					 const struct auth_usersupplied_info *user_info,
+					 struct auth_serversupplied_info **server_info)
 {
 
 	if (!user_info || !auth_context) {
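Review bot: In the `-335,19` hunk `primary_group_sid` (and `user_sid`) come straight from `dom_sid_parse_talloc` and are dereferenced at `primary_group_sid->sub_auths[...]` and stored into `*server_info` with no NULL check, so an allocation or parse failure becomes a crash or a server_info carrying NULL SIDs; the same unchecked store is made in make_server_info_guest (auth_util.c, hunk `-523,17`). The old `group_sid` had the same gap, but the removed `create_nt_user_token` error branch was the last place in this function where a bad result could be caught, and the new consumer in make_session_info does not check either. I would add, right after the two parse calls, `if (!user_sid || !primary_group_sid) {` / `free_server_info(server_info); samdb_close(sam_ctx);` / `return NT_STATUS_NO_MEMORY; }`, reusing the cleanup the removed branch performed. check_sam_security starts and ends outside this hunk.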
@@ -400,7 +400,9 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
 }
 
 /* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam(struct auth_context *auth_context,
+			      const char *param,
+			      struct auth_methods **auth_method)
 {
 	if (!make_auth_methods(auth_context, auth_method)) {
 		return NT_STATUS_NO_MEMORY;
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index bdbc818822..2044d24666 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -29,7 +29,7 @@
 /****************************************************************************
  Create an auth_usersupplied_data structure
 ****************************************************************************/
-static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
+static NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
 			       const char *smb_name,
 			       const char *internal_username,
 			       const char *client_domain,
@@ -118,7 +118,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure after appropriate mapping.
 ****************************************************************************/
 
-NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
+NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
 			    const char *smb_name,
 			    const char *client_domain,
 			    const char *wksta_name,
@@ -157,7 +157,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
-BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
+BOOL make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
 				     const char *smb_name,
 				     const char *client_domain,
 				     const char *wksta_name,
@@ -189,7 +189,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
-BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
+BOOL make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
 					 const char *smb_name,
 					 const char *client_domain,
 					 const char *wksta_name,
@@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure
 ****************************************************************************/
 
-BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
+BOOL make_user_info_for_reply(struct auth_usersupplied_info **user_info,
 			      const char *smb_name,
 			      const char *client_domain,
 			      const uint8_t chal[8],
@@ -343,7 +343,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure
 ****************************************************************************/
 
-NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
+NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
 				      const char *smb_name,
 				      const char *client_domain,
 				      DATA_BLOB lm_resp, DATA_BLOB nt_resp)
@@ -361,7 +361,7 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
  Create a guest user_info blob, for anonymous authenticaion.
 ****************************************************************************/
 
-BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+BOOL make_user_info_guest(struct auth_usersupplied_info **user_info)
 {
 	NTSTATUS nt_status;
 
@@ -491,10 +491,11 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
  Make a user_info struct
 ***************************************************************************/
 
-NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *username)
+NTSTATUS make_server_info(struct auth_serversupplied_info **server_info,
+			  const char *username)
 {
 	TALLOC_CTX *mem_ctx = talloc_init("auth subsystem: server_info for %s", username);
-	*server_info = talloc_p(mem_ctx, auth_serversupplied_info);
+	*server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
 	if (!*server_info) {
 		DEBUG(0,("make_server_info: malloc failed!\n"));
 		talloc_destroy(mem_ctx);
@@ -508,12 +509,10 @@ NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *us
 /***************************************************************************
  Make (and fill) a user_info struct for a guest login.
 ***************************************************************************/
-NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
+NTSTATUS make_server_info_guest(struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
 	static const char zeros[16];
-	struct dom_sid *sid_Anonymous;
-	struct dom_sid *sid_Builtin_Guests;
 
 	nt_status = make_server_info(server_info, "");
 
@@ -523,17 +522,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
 
 	(*server_info)->guest = True;
 
-	sid_Anonymous = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
-	sid_Builtin_Guests = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
-
-	if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
-							       sid_Anonymous, sid_Builtin_Guests,
-							       0, NULL,
-							       True, &(*server_info)->ptok))) {
-		DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
-		free_server_info(server_info);
-		return nt_status;
-	}
+	(*server_info)->user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
+	(*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
+	(*server_info)->n_domain_groups = 0;
+	(*server_info)->domain_groups = NULL;
 
 	/* annoying, but the Guest really does have a session key,
 	   and it is all zeros! */
@@ -547,7 +539,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
  Free a user_info struct
 ***************************************************************************/
 
-void free_user_info(auth_usersupplied_info **user_info)
+void free_user_info(struct auth_usersupplied_info **user_info)
 {
 	DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
 	if (*user_info != NULL) {
@@ -571,7 +563,7 @@ void free_user_info(auth_usersupplied_info **user_info)
  Clear out a server_info struct that has been allocated
 ***************************************************************************/
 
-void free_server_info(auth_serversupplied_info **server_info)
+void free_server_info(struct auth_serversupplied_info **server_info)
 {
 	DEBUG(5,("attempting to free a server_info structure\n"));
 	if (!*server_info) {
@@ -584,7 +576,7 @@ void free_server_info(auth_serversupplied_info **server_info)
  Make an auth_methods struct
 ***************************************************************************/
 
-BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
+BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method)
 {
 	if (!auth_context) {
 		smb_panic("no auth_context supplied to make_auth_methods()!\n");
@@ -604,18 +596,35 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
 	return True;
 }
 
-/****************************************************************************
- Delete a SID token.
-****************************************************************************/
-
-void delete_nt_token(NT_USER_TOKEN **pptoken)
+NTSTATUS make_session_info(struct auth_serversupplied_info *server_info,
+			   struct auth_session_info **session_info)
 {
-	if (*pptoken) {
-		NT_USER_TOKEN *ptoken = *pptoken;
-		SAFE_FREE( ptoken->user_sids );
-		ZERO_STRUCTP(ptoken);
-	}
-	SAFE_FREE(*pptoken);
+	NTSTATUS nt_status;
+
+	*session_info = talloc_p(server_info->mem_ctx, struct auth_session_info);
+	if (!*session_info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	(*session_info)->mem_ctx = server_info->mem_ctx;
+	server_info->mem_ctx = NULL; /* make sure not to accidentily destory it,
+					and this information is now constant */
+	(*session_info)->server_info = server_info;
+
+	/* unless set otherwise, the session key is the user session
+	 * key from the auth subsystem */
+
+	(*session_info)->session_key = server_info->user_session_key;
+
+	nt_status = create_nt_user_token((*session_info)->mem_ctx,
+					 server_info->user_sid,
+					 server_info->primary_group_sid,
+					 server_info->n_domain_groups,
+					 server_info->domain_groups,
+					 False,
+					 &(*session_info)->nt_user_token);
+
+	return nt_status;
 }
 
 /**
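Review bot: `make_session_info` sets `server_info->mem_ctx = NULL` before the only step that can fail, `create_nt_user_token`, so on failure the caller receives an error status while `*session_info` still points at a half-built object and `server_info` no longer owns the context it would need to release through `free_server_info`; the ownership handover should happen only after the token exists, and the out-pointer should be cleared on failure. The function also lacks the `/*** ... ***/` header block every other function in this file carries, and the inline comment has two typos (`accidentally destroy`). Whether `talloc_p` zero-fills the new struct, and so what `nt_user_token` holds when the call fails early, is not visible in this diff.
```c
	nt_status = create_nt_user_token((*session_info)->mem_ctx,
					 /* … unchanged arguments … */
					 &(*session_info)->nt_user_token);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* server_info still owns mem_ctx, so the caller can free both */
		*session_info = NULL;
		return nt_status;
	}

	/* hand the memory context over only once the session info is complete */
	server_info->mem_ctx = NULL;

	return nt_status;
```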