Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.c12
-rw-r--r--source4/auth/auth.h34
-rw-r--r--source4/auth/auth_builtin.c24
-rw-r--r--source4/auth/auth_ntlmssp.c2
-rw-r--r--source4/auth/auth_sam.c48
-rw-r--r--source4/auth/auth_util.c83
6 files changed, 117 insertions, 86 deletions
diff --git a/source4/auth/auth.c b/source4/auth/auth.c
index 49480eeac4..f22ca348e6 100644
--- a/source4/auth/auth.c
+++ b/source4/auth/auth.c
@@ -32,7 +32,7 @@ static const uint8_t *get_ntlm_challenge(struct auth_context *auth_context)
{
DATA_BLOB challenge = data_blob(NULL, 0);
const char *challenge_set_by = NULL;
- auth_methods *auth_method;
+ struct auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
if (auth_context->challenge.length) {
@@ -158,7 +158,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
{
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
- auth_methods *auth_method;
+ struct auth_methods *auth_method;
TALLOC_CTX *mem_ctx;
if (!user_info || !auth_context || !server_info)
@@ -253,7 +253,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
static void free_auth_context(struct auth_context **auth_context)
{
- auth_methods *auth_method;
+ struct auth_methods *auth_method;
if (*auth_context) {
/* Free private data of context's authentication methods */
@@ -301,8 +301,8 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context)
static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list)
{
- auth_methods *list = NULL;
- auth_methods *t = NULL;
+ struct auth_methods *list = NULL;
+ struct auth_methods *t = NULL;
int i;
NTSTATUS nt_status;
@@ -342,7 +342,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
if (NT_STATUS_IS_OK(ops->init(*auth_context, module_params, &t))) {
DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
*text_list));
- DLIST_ADD_END(list, t, auth_methods *);
+ DLIST_ADD_END(list, t, struct auth_methods *);
} else {
DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
*text_list));
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index c6a025dba8..c8347cad20 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -37,7 +37,7 @@ typedef struct auth_str
char *str;
} AUTH_STR;
-typedef struct auth_usersupplied_info
+struct auth_usersupplied_info
{
DATA_BLOB lm_resp;
@@ -54,7 +54,7 @@ typedef struct auth_usersupplied_info
AUTH_STR smb_name; /* username before mapping */
AUTH_STR wksta_name; /* workstation name (netbios calling name) unicode string */
-} auth_usersupplied_info;
+};
#define SAM_FILL_NAME 0x01
#define SAM_FILL_INFO3 0x02
@@ -62,20 +62,34 @@ typedef struct auth_usersupplied_info
#define SAM_FILL_UNIX 0x08
#define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
-typedef struct auth_serversupplied_info
+struct auth_serversupplied_info
{
TALLOC_CTX *mem_ctx;
BOOL guest;
- /* NT group information taken from the info3 structure */
-
- NT_USER_TOKEN *ptok;
+ struct dom_sid *user_sid;
+ struct dom_sid *primary_group_sid;
+
+ size_t n_domain_groups;
+ struct dom_sid **domain_groups;
DATA_BLOB user_session_key;
DATA_BLOB lm_session_key;
-} auth_serversupplied_info;
+};
+
+struct auth_session_info
+{
+ TALLOC_CTX *mem_ctx;
+ /* NT group information taken from the info3 structure */
+
+ NT_USER_TOKEN *nt_user_token;
+
+ struct auth_serversupplied_info *server_info;
+
+ DATA_BLOB session_key;
+};
struct auth_context {
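Review bot: The fields added to struct auth_serversupplied_info (`user_sid`, `primary_group_sid`, `n_domain_groups`, `domain_groups`) and the whole of the new struct auth_session_info are undocumented, whereas the member they replace (`ptok`) and the `AUTH_STR` members of auth_usersupplied_info carry comments. Ownership is the point a caller needs: in auth_util.c the new make_session_info() copies `server_info->mem_ctx` into `session_info->mem_ctx` and then sets the former to NULL, so a comment such as `/* talloc context owning this struct; handed over to auth_session_info by make_session_info() */` on `mem_ctx` in both structs would make that hand-over visible from the header. For `domain_groups` I would add `/* n_domain_groups SIDs, presumably allocated on mem_ctx (as user_sid is in auth_sam.c) */`, hedged because the allocation of that array is not visible in this change. The `/* NT group information taken from the info3 structure */` comment now sits above `nt_user_token` in auth_session_info but is separated from it by a blank line; moving it directly onto the field avoids it reading as a stray section header.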
DATA_BLOB challenge;
@@ -98,7 +112,7 @@ struct auth_context {
void (*free)(struct auth_context **auth_context);
};
-typedef struct auth_methods
+struct auth_methods
{
struct auth_methods *prev, *next;
const char *name; /* What name got this module */
@@ -107,7 +121,7 @@ typedef struct auth_methods
void *my_private_data,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info);
+ struct auth_serversupplied_info **server_info);
DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
void **my_private_data,
@@ -122,7 +136,7 @@ typedef struct auth_methods
/* Function to send a keepalive message on the above structure */
void (*send_keepalive)(void **private_data);
-} auth_methods;
+};
typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **);
diff --git a/source4/auth/auth_builtin.c b/source4/auth/auth_builtin.c
index b5f5a101f4..d890b0ec72 100644
--- a/source4/auth/auth_builtin.c
+++ b/source4/auth/auth_builtin.c
@@ -35,8 +35,8 @@
static NTSTATUS check_guest_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
/* mark this as 'not for me' */
NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -51,7 +51,9 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
/* Guest modules initialisation */
-static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method)
+static NTSTATUS auth_init_guest(struct auth_context *auth_context,
+ const char *options,
+ struct auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@@ -78,8 +80,8 @@ static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *o
static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
fstring user;
@@ -103,7 +105,9 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
/** Module initialisation function */
-static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context,
+ const char *param,
+ struct auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
@@ -131,8 +135,8 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
return NT_STATUS_NOT_IMPLEMENTED;
}
@@ -152,7 +156,9 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex
/** Module initailisation function */
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context,
+ const char *param,
+ struct auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method))
return NT_STATUS_NO_MEMORY;
diff --git a/source4/auth/auth_ntlmssp.c b/source4/auth/auth_ntlmssp.c
index 7e854359e0..29bd92e7ef 100644
--- a/source4/auth/auth_ntlmssp.c
+++ b/source4/auth/auth_ntlmssp.c
@@ -78,7 +78,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
{
struct auth_ntlmssp_state *auth_ntlmssp_state = ntlmssp_state->auth_context;
- auth_usersupplied_info *user_info = NULL;
+ struct auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
#if 0
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 3b51b2f396..5d6e0b22f6 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -33,8 +33,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
TALLOC_CTX *mem_ctx,
const char *username,
uint16_t acct_flags,
- const uint8_t lm_pw[16], const uint8_t nt_pw[16],
- const auth_usersupplied_info *user_info,
+ const struct samr_Password *lm_pwd,
+ const struct samr_Password *nt_pwd,
+ const struct auth_usersupplied_info *user_info,
DATA_BLOB *user_sess_key,
DATA_BLOB *lm_sess_key)
{
@@ -57,7 +58,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
username,
user_info->smb_name.str,
user_info->client_domain.str,
- lm_pw, nt_pw, user_sess_key, lm_sess_key);
+ lm_pwd->hash, nt_pwd->hash, user_sess_key, lm_sess_key);
}
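Review bot: `lm_pwd->hash` and `nt_pwd->hash` are dereferenced unconditionally on the changed line, whereas the old signature passed the `lm_pw`/`nt_pw` arrays straight through; if the caller's lookup of lmPwdHash/ntPwdHash in check_sam_security can yield a NULL `struct samr_Password *` (accounts without an LM hash are common, and the new `lm_pwd, nt_pwd` locals there are declared without initialisation), this becomes a NULL dereference inside the password check rather than a clean failure. Either pass `lm_pwd ? lm_pwd->hash : NULL` and `nt_pwd ? nt_pwd->hash : NULL` if the callee tolerates a missing hash, or return an error status before the call when either pointer is NULL. Whether the callee accepts a NULL hash is not visible in this hunk, so this needs confirming against it; sam_password_ok itself starts outside the hunk.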
@@ -73,7 +74,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
NTTIME *must_change_time,
NTTIME *last_set_time,
const char *workstation_list,
- const auth_usersupplied_info *user_info)
+ const struct auth_usersupplied_info *user_info)
{
DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username));
@@ -165,8 +166,8 @@ return an NT_STATUS constant.
static NTSTATUS check_sam_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
struct ldb_message **msgs;
struct ldb_message **msgs_domain;
@@ -187,7 +188,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
NTSTATUS nt_status;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
DATA_BLOB lm_sess_key = data_blob(NULL, 0);
- uint8_t *lm_pwd, *nt_pwd;
+ struct samr_Password *lm_pwd, *nt_pwd;
const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
"userAccountControl",
@@ -311,7 +312,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
/* find list of sids */
struct dom_sid **groupSIDs = NULL;
struct dom_sid *user_sid;
- struct dom_sid *group_sid;
+ struct dom_sid *primary_group_sid;
const char *sidstr;
int i;
@@ -335,19 +336,16 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
sidstr = ldb_msg_find_string(msgs[0], "objectSid", NULL);
user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
- group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
- group_sid->sub_auths[group_sid->num_auths-1]
+ primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+ primary_group_sid->sub_auths[primary_group_sid->num_auths-1]
= samdb_result_uint(msgs[0], "primaryGroupID", 0);
- if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
- user_sid, group_sid,
- group_ret, groupSIDs,
- False, &(*server_info)->ptok))) {
- DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
- free_server_info(server_info);
- samdb_close(sam_ctx);
- return nt_status;
- }
+ (*server_info)->user_sid = user_sid;
+ (*server_info)->primary_group_sid = primary_group_sid;
+
+ (*server_info)->n_domain_groups = group_ret;
+ (*server_info)->domain_groups = groupSIDs;
+
}
(*server_info)->guest = False;
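Review bot: `primary_group_sid->sub_auths[primary_group_sid->num_auths-1]` dereferences the result of `dom_sid_parse_talloc()` without a NULL check, and `user_sid` is stored into the server_info equally unchecked; with the create_nt_user_token() error branch removed, this block no longer has any failure exit, so an allocation or parse failure turns into a crash in check_sam_security instead of a returned NTSTATUS. I would add `if (!user_sid || !primary_group_sid) { free_server_info(server_info); samdb_close(sam_ctx); return NT_STATUS_NO_MEMORY; }` between the two parse calls and the `sub_auths` write, mirroring the cleanup the removed branch performed. If a parsed SID can ever have `num_auths == 0` the index would also go negative, but whether the parser guarantees at least one sub-authority is not visible here. The same unchecked `dom_sid_parse_talloc()` assignments appear in make_server_info_guest in auth_util.c, where the removed create_nt_user_token() call was likewise the only failure path. check_sam_security starts and ends outside the hunk.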
@@ -359,7 +357,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
}
/* module initialisation */
-static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context,
+ const char *param,
+ struct auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
@@ -378,8 +378,8 @@ Check SAM security (above) but with a few extra checks.
static NTSTATUS check_samstrict_security(const struct auth_context *auth_context,
void *my_private_data,
TALLOC_CTX *mem_ctx,
- const auth_usersupplied_info *user_info,
- auth_serversupplied_info **server_info)
+ const struct auth_usersupplied_info *user_info,
+ struct auth_serversupplied_info **server_info)
{
if (!user_info || !auth_context) {
@@ -400,7 +400,9 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
}
/* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method)
+static NTSTATUS auth_init_sam(struct auth_context *auth_context,
+ const char *param,
+ struct auth_methods **auth_method)
{
if (!make_auth_methods(auth_context, auth_method)) {
return NT_STATUS_NO_MEMORY;
diff --git a/source4/auth/auth_util.c b/source4/auth/auth_util.c
index bdbc818822..2044d24666 100644
--- a/source4/auth/auth_util.c
+++ b/source4/auth/auth_util.c
@@ -29,7 +29,7 @@
/****************************************************************************
Create an auth_usersupplied_data structure
****************************************************************************/
-static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
+static NTSTATUS make_user_info(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *internal_username,
const char *client_domain,
@@ -118,7 +118,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
Create an auth_usersupplied_data structure after appropriate mapping.
****************************************************************************/
-NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
+NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
@@ -157,7 +157,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
Decrypt and encrypt the passwords.
****************************************************************************/
-BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
+BOOL make_user_info_netlogon_network(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
@@ -189,7 +189,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
Decrypt and encrypt the passwords.
****************************************************************************/
-BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
+BOOL make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const char *wksta_name,
@@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
Create an auth_usersupplied_data structure
****************************************************************************/
-BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
+BOOL make_user_info_for_reply(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
const uint8_t chal[8],
@@ -343,7 +343,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
Create an auth_usersupplied_data structure
****************************************************************************/
-NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
+NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
const char *smb_name,
const char *client_domain,
DATA_BLOB lm_resp, DATA_BLOB nt_resp)
@@ -361,7 +361,7 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
Create a guest user_info blob, for anonymous authenticaion.
****************************************************************************/
-BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+BOOL make_user_info_guest(struct auth_usersupplied_info **user_info)
{
NTSTATUS nt_status;
@@ -491,10 +491,11 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
Make a user_info struct
***************************************************************************/
-NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *username)
+NTSTATUS make_server_info(struct auth_serversupplied_info **server_info,
+ const char *username)
{
TALLOC_CTX *mem_ctx = talloc_init("auth subsystem: server_info for %s", username);
- *server_info = talloc_p(mem_ctx, auth_serversupplied_info);
+ *server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
talloc_destroy(mem_ctx);
@@ -508,12 +509,10 @@ NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *us
/***************************************************************************
Make (and fill) a user_info struct for a guest login.
***************************************************************************/
-NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
+NTSTATUS make_server_info_guest(struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
static const char zeros[16];
- struct dom_sid *sid_Anonymous;
- struct dom_sid *sid_Builtin_Guests;
nt_status = make_server_info(server_info, "");
@@ -523,17 +522,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
(*server_info)->guest = True;
- sid_Anonymous = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
- sid_Builtin_Guests = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
-
- if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx,
- sid_Anonymous, sid_Builtin_Guests,
- 0, NULL,
- True, &(*server_info)->ptok))) {
- DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
- free_server_info(server_info);
- return nt_status;
- }
+ (*server_info)->user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
+ (*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
+ (*server_info)->n_domain_groups = 0;
+ (*server_info)->domain_groups = NULL;
/* annoying, but the Guest really does have a session key,
and it is all zeros! */
@@ -547,7 +539,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
Free a user_info struct
***************************************************************************/
-void free_user_info(auth_usersupplied_info **user_info)
+void free_user_info(struct auth_usersupplied_info **user_info)
{
DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
if (*user_info != NULL) {
@@ -571,7 +563,7 @@ void free_user_info(auth_usersupplied_info **user_info)
Clear out a server_info struct that has been allocated
***************************************************************************/
-void free_server_info(auth_serversupplied_info **server_info)
+void free_server_info(struct auth_serversupplied_info **server_info)
{
DEBUG(5,("attempting to free a server_info structure\n"));
if (!*server_info) {
@@ -584,7 +576,7 @@ void free_server_info(auth_serversupplied_info **server_info)
Make an auth_methods struct
***************************************************************************/
-BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method)
+BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method)
{
if (!auth_context) {
smb_panic("no auth_context supplied to make_auth_methods()!\n");
@@ -604,18 +596,35 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
return True;
}
-/****************************************************************************
- Delete a SID token.
-****************************************************************************/
-
-void delete_nt_token(NT_USER_TOKEN **pptoken)
+NTSTATUS make_session_info(struct auth_serversupplied_info *server_info,
+ struct auth_session_info **session_info)
{
- if (*pptoken) {
- NT_USER_TOKEN *ptoken = *pptoken;
- SAFE_FREE( ptoken->user_sids );
- ZERO_STRUCTP(ptoken);
- }
- SAFE_FREE(*pptoken);
+ NTSTATUS nt_status;
+
+ *session_info = talloc_p(server_info->mem_ctx, struct auth_session_info);
+ if (!*session_info) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ (*session_info)->mem_ctx = server_info->mem_ctx;
+ server_info->mem_ctx = NULL; /* make sure not to accidentily destory it,
+ and this information is now constant */
+ (*session_info)->server_info = server_info;
+
+ /* unless set otherwise, the session key is the user session
+ * key from the auth subsystem */
+
+ (*session_info)->session_key = server_info->user_session_key;
+
+ nt_status = create_nt_user_token((*session_info)->mem_ctx,
+ server_info->user_sid,
+ server_info->primary_group_sid,
+ server_info->n_domain_groups,
+ server_info->domain_groups,
+ False,
+ &(*session_info)->nt_user_token);
+
+ return nt_status;
}
/**
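Review bot: In make_session_info the `server_info->mem_ctx = NULL` hand-over happens before create_nt_user_token() is called, so on its failure the function returns an error while `*session_info` still points at a half-initialised object and the caller can no longer release anything through `server_info->mem_ctx`; the hand-over should happen only after the token was built, and `*session_info` should be cleared on the error path. The function also takes `server_info` without a NULL check, unlike make_auth_methods() a few lines above which refuses a NULL auth_context, and it dereferences `server_info->mem_ctx` for the allocation, which would be NULL if this were called twice on the same server_info. It is the only function in this file without a `/*** ... ***/` header comment; the one I would add says that the caller keeps ownership of server_info on failure and that on success the talloc context moves to the session_info and server_info must not be freed separately. The comment text `accidentily destory` should read `accidentally destroy`.
```c
NTSTATUS make_session_info(struct auth_serversupplied_info *server_info,
			   struct auth_session_info **session_info)
{
	NTSTATUS nt_status;

	if (!server_info || !server_info->mem_ctx) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	*session_info = talloc_p(server_info->mem_ctx, struct auth_session_info);
	if (!*session_info) {
		return NT_STATUS_NO_MEMORY;
	}

	(*session_info)->mem_ctx = server_info->mem_ctx;
	(*session_info)->server_info = server_info;

	/* unless set otherwise, the session key is the user session
	 * key from the auth subsystem */
	(*session_info)->session_key = server_info->user_session_key;

	nt_status = create_nt_user_token(/* … unchanged arguments … */);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* mem_ctx still belongs to server_info, so the caller's
		 * free_server_info() presumably releases the half-built
		 * session_info with it */
		*session_info = NULL;
		return nt_status;
	}

	/* ownership of mem_ctx moves to the session_info only on success;
	 * from here on server_info is constant and must not be destroyed */
	server_info->mem_ctx = NULL;

	return NT_STATUS_OK;
}
```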