diff options
Diffstat (limited to 'source4/auth')
45 files changed, 995 insertions, 667 deletions
diff --git a/source4/auth/auth.py b/source4/auth/auth.py index 88675f3626..1a7aa6d0e7 100644 --- a/source4/auth/auth.py +++ b/source4/auth/auth.py @@ -1,5 +1,5 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 1.3.33 +# Version 1.3.35 # # Don't modify this file, modify the SWIG interface instead. diff --git a/source4/auth/auth_server.c b/source4/auth/auth_server.c deleted file mode 100644 index f200ad9665..0000000000 --- a/source4/auth/auth_server.c +++ /dev/null @@ -1,377 +0,0 @@ -/* - Unix SMB/CIFS implementation. - Authenticate to a remote server - Copyright (C) Andrew Tridgell 1992-1998 - Copyright (C) Andrew Bartlett 2001 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" - -/**************************************************************************** - Support for server level security. -****************************************************************************/ - -static struct smbcli_state *server_cryptkey(TALLOC_CTX *mem_ctx, bool unicode, int maxprotocol, struct resolve_context *resolve_ctx) -{ - struct smbcli_state *cli = NULL; - fstring desthost; - struct in_addr dest_ip; - const char *p; - char *pserver; - bool connected_ok = false; - - if (!(cli = smbcli_initialise(cli))) - return NULL; - - /* security = server just can't function with spnego */ - cli->use_spnego = false; - - pserver = talloc_strdup(mem_ctx, lp_passwordserver()); - p = pserver; - - while(next_token( &p, desthost, LIST_SEP, sizeof(desthost))) { - strupper(desthost); - - if(!resolve_name(resolve_ctx, desthost, &dest_ip, 0x20)) { - DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",desthost)); - continue; - } - - if (ismyip(dest_ip)) { - DEBUG(1,("Password server loop - disabling password server %s\n",desthost)); - continue; - } - - /* we use a mutex to prevent two connections at once - when a - Win2k PDC get two connections where one hasn't completed a - session setup yet it will send a TCP reset to the first - connection (tridge) */ - - if (!grab_server_mutex(desthost)) { - return NULL; - } - - if (smbcli_connect(cli, desthost, &dest_ip)) { - DEBUG(3,("connected to password server %s\n",desthost)); - connected_ok = true; - break; - } - } - - if (!connected_ok) { - release_server_mutex(); - DEBUG(0,("password server not available\n")); - talloc_free(cli); - return NULL; - } - - if (!attempt_netbios_session_request(cli, lp_netbios_name(), - desthost, &dest_ip)) { - release_server_mutex(); - DEBUG(1,("password server fails session request\n")); - talloc_free(cli); - return NULL; - } - - if (strequal(desthost,myhostname(mem_ctx))) { - exit_server("Password server loop!"); - } - - DEBUG(3,("got session\n")); - - if (!smbcli_negprot(cli, unicode, maxprotocol)) { - DEBUG(1,("%s rejected the negprot\n",desthost)); - release_server_mutex(); - talloc_free(cli); - return NULL; - } - - if (cli->protocol < PROTOCOL_LANMAN2 || - !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) { - DEBUG(1,("%s isn't in user level security mode\n",desthost)); - release_server_mutex(); - talloc_free(cli); - return NULL; - } - - /* Get the first session setup done quickly, to avoid silly - Win2k bugs. (The next connection to the server will kill - this one... - */ - - if (!smbcli_session_setup(cli, "", "", 0, "", 0, - "")) { - DEBUG(0,("%s rejected the initial session setup (%s)\n", - desthost, smbcli_errstr(cli))); - release_server_mutex(); - talloc_free(cli); - return NULL; - } - - release_server_mutex(); - - DEBUG(3,("password server OK\n")); - - return cli; -} - -/**************************************************************************** - Clean up our allocated cli. -****************************************************************************/ - -static void free_server_private_data(void **private_data_pointer) -{ - struct smbcli_state **cli = (struct smbcli_state **)private_data_pointer; - if (*cli && (*cli)->initialised) { - talloc_free(*cli); - } -} - -/**************************************************************************** - Get the challenge out of a password server. -****************************************************************************/ - -static DATA_BLOB auth_get_challenge_server(const struct auth_context *auth_context, - void **my_private_data, - TALLOC_CTX *mem_ctx) -{ - struct smbcli_state *cli = server_cryptkey(mem_ctx, lp_cli_maxprotocol(auth_context->lp_ctx)); - - if (cli) { - DEBUG(3,("using password server validation\n")); - - if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { - /* We can't work with unencrypted password servers - unless 'encrypt passwords = no' */ - DEBUG(5,("make_auth_info_server: Server is unencrypted, no challenge available..\n")); - - /* However, it is still a perfectly fine connection - to pass that unencrypted password over */ - *my_private_data = (void *)cli; - return data_blob(NULL, 0); - - } else if (cli->secblob.length < 8) { - /* We can't do much if we don't get a full challenge */ - DEBUG(2,("make_auth_info_server: Didn't receive a full challenge from server\n")); - talloc_free(cli); - return data_blob(NULL, 0); - } - - *my_private_data = (void *)cli; - - /* The return must be allocated on the caller's mem_ctx, as our own will be - destoyed just after the call. */ - return data_blob_talloc(auth_context->mem_ctx, cli->secblob.data,8); - } else { - return data_blob(NULL, 0); - } -} - - -/**************************************************************************** - Check for a valid username and password in security=server mode. - - Validate a password with the password server. -****************************************************************************/ - -static NTSTATUS check_smbserver_security(const struct auth_context *auth_context, - void *my_private_data, - TALLOC_CTX *mem_ctx, - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) -{ - struct smbcli_state *cli; - static uint8_t badpass[24]; - static fstring baduser; - static bool tested_password_server = false; - static bool bad_password_server = false; - NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; - bool locally_made_cli = false; - - /* - * Check that the requested domain is not our own machine name. - * If it is, we should never check the PDC here, we use our own local - * password file. - */ - - if (lp_is_myname(auth_context->lp_ctx, user_info->domain.str)) { - DEBUG(3,("check_smbserver_security: Requested domain was for this machine.\n")); - return NT_STATUS_LOGON_FAILURE; - } - - cli = my_private_data; - - if (cli) { - } else { - cli = server_cryptkey(mem_ctx, lp_unicode(auth_context->lp_ctx), lp_cli_maxprotocol(auth_context->lp_ctx), lp_resolve_context(auth_context->lp_ctx)); - locally_made_cli = true; - } - - if (!cli || !cli->initialised) { - DEBUG(1,("password server is not connected (cli not initilised)\n")); - return NT_STATUS_LOGON_FAILURE; - } - - if ((cli->sec_mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE) == 0) { - if (user_info->encrypted) { - DEBUG(1,("password server %s is plaintext, but we are encrypted. This just can't work :-(\n", cli->desthost)); - return NT_STATUS_LOGON_FAILURE; - } - } else { - if (memcmp(cli->secblob.data, auth_context->challenge.data, 8) != 0) { - DEBUG(1,("the challenge that the password server (%s) supplied us is not the one we gave our client. This just can't work :-(\n", cli->desthost)); - return NT_STATUS_LOGON_FAILURE; - } - } - - if(badpass[0] == 0) - memset(badpass, 0x1f, sizeof(badpass)); - - if((user_info->nt_resp.length == sizeof(badpass)) && - !memcmp(badpass, user_info->nt_resp.data, sizeof(badpass))) { - /* - * Very unlikely, our random bad password is the same as the users - * password. - */ - memset(badpass, badpass[0]+1, sizeof(badpass)); - } - - if(baduser[0] == 0) { - fstrcpy(baduser, INVALID_USER_PREFIX); - fstrcat(baduser, lp_netbios_name()); - } - - /* - * Attempt a session setup with a totally incorrect password. - * If this succeeds with the guest bit *NOT* set then the password - * server is broken and is not correctly setting the guest bit. We - * need to detect this as some versions of NT4.x are broken. JRA. - */ - - /* I sure as hell hope that there aren't servers out there that take - * NTLMv2 and have this bug, as we don't test for that... - * - abartlet@samba.org - */ - - if ((!tested_password_server) && (lp_paranoid_server_security())) { - if (smbcli_session_setup(cli, baduser, (char *)badpass, sizeof(badpass), - (char *)badpass, sizeof(badpass), user_info->domain.str)) { - - /* - * We connected to the password server so we - * can say we've tested it. - */ - tested_password_server = true; - - if ((SVAL(cli->inbuf,smb_vwv2) & 1) == 0) { - DEBUG(0,("server_validate: password server %s allows users as non-guest \ -with a bad password.\n", cli->desthost)); - DEBUG(0,("server_validate: This is broken (and insecure) behaviour. Please do not \ -use this machine as the password server.\n")); - smbcli_ulogoff(cli); - - /* - * Password server has the bug. - */ - bad_password_server = true; - return NT_STATUS_LOGON_FAILURE; - } - smbcli_ulogoff(cli); - } - } else { - - /* - * We have already tested the password server. - * Fail immediately if it has the bug. - */ - - if(bad_password_server) { - DEBUG(0,("server_validate: [1] password server %s allows users as non-guest \ -with a bad password.\n", cli->desthost)); - DEBUG(0,("server_validate: [1] This is broken (and insecure) behaviour. Please do not \ -use this machine as the password server.\n")); - return NT_STATUS_LOGON_FAILURE; - } - } - - /* - * Now we know the password server will correctly set the guest bit, or is - * not guest enabled, we can try with the real password. - */ - - if (!user_info->encrypted) { - /* Plaintext available */ - if (!smbcli_session_setup(cli, user_info->smb_name.str, - (char *)user_info->plaintext_password.data, - user_info->plaintext_password.length, - NULL, 0, - user_info->domain.str)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - /* Make this smbcli_nt_error() when the conversion is in */ - nt_status = smbcli_nt_error(cli); - } else { - nt_status = NT_STATUS_OK; - } - } else { - if (!smbcli_session_setup(cli, user_info->smb_name.str, - (char *)user_info->lm_resp.data, - user_info->lm_resp.length, - (char *)user_info->nt_resp.data, - user_info->nt_resp.length, - user_info->domain.str)) { - DEBUG(1,("password server %s rejected the password\n", cli->desthost)); - /* Make this smbcli_nt_error() when the conversion is in */ - nt_status = smbcli_nt_error(cli); - } else { - nt_status = NT_STATUS_OK; - } - } - - /* if logged in as guest then reject */ - if ((SVAL(cli->inbuf,smb_vwv2) & 1) != 0) { - DEBUG(1,("password server %s gave us guest only\n", cli->desthost)); - nt_status = NT_STATUS_LOGON_FAILURE; - } - - smbcli_ulogoff(cli); - - if NT_STATUS_IS_OK(nt_status) { - struct passwd *pass = Get_Pwnam(user_info->internal_username.str); - if (pass) { - nt_status = make_server_info_pw(auth_context, server_info, pass); - } else { - nt_status = NT_STATUS_NO_SUCH_USER; - } - } - - if (locally_made_cli) { - talloc_free(cli); - } - - return(nt_status); -} - -NTSTATUS auth_init_smbserver(struct auth_context *auth_context, const char* param, auth_methods **auth_method) -{ - if (!make_auth_methods(auth_context, auth_method)) { - return NT_STATUS_NO_MEMORY; - } - (*auth_method)->name = "smbserver"; - (*auth_method)->auth = check_smbserver_security; - (*auth_method)->get_chal = auth_get_challenge_server; - (*auth_method)->send_keepalive = send_server_keepalive; - (*auth_method)->free_private_data = free_server_private_data; - return NT_STATUS_OK; -} diff --git a/source4/auth/auth_wrap.c b/source4/auth/auth_wrap.c index af1827adc9..dea76ef87d 100644 --- a/source4/auth/auth_wrap.c +++ b/source4/auth/auth_wrap.c @@ -1,6 +1,6 @@ /* ---------------------------------------------------------------------------- * This file was automatically generated by SWIG (http://www.swig.org). - * Version 1.3.33 + * Version 1.3.35 * * This file is not intended to be easily readable and contains a number of * coding conventions designed to improve portability and efficiency. Do not make @@ -126,7 +126,7 @@ /* This should only be incremented when either the layout of swig_type_info changes, or for whatever reason, the runtime changes incompatibly */ -#define SWIG_RUNTIME_VERSION "3" +#define SWIG_RUNTIME_VERSION "4" /* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */ #ifdef SWIG_TYPE_TABLE @@ -161,6 +161,7 @@ /* Flags for pointer conversions */ #define SWIG_POINTER_DISOWN 0x1 +#define SWIG_CAST_NEW_MEMORY 0x2 /* Flags for new pointer objects */ #define SWIG_POINTER_OWN 0x1 @@ -301,10 +302,10 @@ SWIGINTERNINLINE int SWIG_CheckState(int r) { extern "C" { #endif -typedef void *(*swig_converter_func)(void *); +typedef void *(*swig_converter_func)(void *, int *); typedef struct swig_type_info *(*swig_dycast_func)(void **); -/* Structure to store inforomation on one type */ +/* Structure to store information on one type */ typedef struct swig_type_info { const char *name; /* mangled name of this type */ const char *str; /* human readable name of this type */ @@ -431,8 +432,8 @@ SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) { Cast a pointer up an inheritance hierarchy */ SWIGRUNTIMEINLINE void * -SWIG_TypeCast(swig_cast_info *ty, void *ptr) { - return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr); +SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) { + return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory); } /* @@ -856,7 +857,7 @@ SWIG_Python_AddErrorMsg(const char* mesg) Py_DECREF(old_str); Py_DECREF(value); } else { - PyErr_Format(PyExc_RuntimeError, mesg); + PyErr_SetString(PyExc_RuntimeError, mesg); } } @@ -1416,7 +1417,7 @@ PySwigObject_dealloc(PyObject *v) { PySwigObject *sobj = (PySwigObject *) v; PyObject *next = sobj->next; - if (sobj->own) { + if (sobj->own == SWIG_POINTER_OWN) { swig_type_info *ty = sobj->ty; PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0; PyObject *destroy = data ? data->destroy : 0; @@ -1434,12 +1435,13 @@ PySwigObject_dealloc(PyObject *v) res = ((*meth)(mself, v)); } Py_XDECREF(res); - } else { - const char *name = SWIG_TypePrettyName(ty); + } #if !defined(SWIG_PYTHON_SILENT_MEMLEAK) - printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name); -#endif + else { + const char *name = SWIG_TypePrettyName(ty); + printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown")); } +#endif } Py_XDECREF(next); PyObject_DEL(v); @@ -1944,7 +1946,7 @@ SWIG_Python_GetSwigThis(PyObject *pyobj) SWIGRUNTIME int SWIG_Python_AcquirePtr(PyObject *obj, int own) { - if (own) { + if (own == SWIG_POINTER_OWN) { PySwigObject *sobj = SWIG_Python_GetSwigThis(obj); if (sobj) { int oldown = sobj->own; @@ -1965,6 +1967,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int return SWIG_OK; } else { PySwigObject *sobj = SWIG_Python_GetSwigThis(obj); + if (own) + *own = 0; while (sobj) { void *vptr = sobj->ptr; if (ty) { @@ -1978,7 +1982,15 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int if (!tc) { sobj = (PySwigObject *)sobj->next; } else { - if (ptr) *ptr = SWIG_TypeCast(tc,vptr); + if (ptr) { + int newmemory = 0; + *ptr = SWIG_TypeCast(tc,vptr,&newmemory); + if (newmemory == SWIG_CAST_NEW_MEMORY) { + assert(own); + if (own) + *own = *own | SWIG_CAST_NEW_MEMORY; + } + } break; } } @@ -1988,7 +2000,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int } } if (sobj) { - if (own) *own = sobj->own; + if (own) + *own = *own | sobj->own; if (flags & SWIG_POINTER_DISOWN) { sobj->own = 0; } @@ -2053,8 +2066,13 @@ SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) { } if (ty) { swig_cast_info *tc = SWIG_TypeCheck(desc,ty); - if (!tc) return SWIG_ERROR; - *ptr = SWIG_TypeCast(tc,vptr); + if (tc) { + int newmemory = 0; + *ptr = SWIG_TypeCast(tc,vptr,&newmemory); + assert(!newmemory); /* newmemory handling not yet implemented */ + } else { + return SWIG_ERROR; + } } else { *ptr = vptr; } @@ -2505,7 +2523,7 @@ static swig_module_info swig_module = {swig_types, 16, 0, 0, 0, 0}; #define SWIG_name "_auth" -#define SWIGVERSION 0x010333 +#define SWIGVERSION 0x010335 #define SWIG_VERSION SWIGVERSION @@ -2733,7 +2751,7 @@ SWIGRUNTIME void SWIG_InitializeModule(void *clientdata) { size_t i; swig_module_info *module_head, *iter; - int found; + int found, init; clientdata = clientdata; @@ -2743,6 +2761,9 @@ SWIG_InitializeModule(void *clientdata) { swig_module.type_initial = swig_type_initial; swig_module.cast_initial = swig_cast_initial; swig_module.next = &swig_module; + init = 1; + } else { + init = 0; } /* Try and load any already created modules */ @@ -2771,6 +2792,12 @@ SWIG_InitializeModule(void *clientdata) { module_head->next = &swig_module; } + /* When multiple interpeters are used, a module could have already been initialized in + a different interpreter, but not yet have a pointer in this interpreter. + In this case, we do not want to continue adding types... everything should be + set up already */ + if (init == 0) return; + /* Now work on filling in swig_module.types */ #ifdef SWIGRUNTIME_DEBUG printf("SWIG_InitializeModule: size %d\n", swig_module.size); diff --git a/source4/auth/config.mk b/source4/auth/config.mk index 7d4678b7ac..f13c2e5758 100644 --- a/source4/auth/config.mk +++ b/source4/auth/config.mk @@ -1,107 +1,48 @@ # auth server subsystem +gensecsrcdir := $(authsrcdir)/gensec mkinclude gensec/config.mk mkinclude kerberos/config.mk mkinclude ntlmssp/config.mk +mkinclude ntlm/config.mk mkinclude credentials/config.mk [SUBSYSTEM::auth_session] -PRIVATE_PROTO_HEADER = session_proto.h PUBLIC_DEPENDENCIES = CREDENTIALS -# PUBLIC_HEADERS += auth/session.h +PUBLIC_HEADERS += $(authsrcdir)/session.h -auth_session_OBJ_FILES = $(addprefix auth/, session.o) +auth_session_OBJ_FILES = $(addprefix $(authsrcdir)/, session.o) + +$(eval $(call proto_header_template,$(authsrcdir)/session_proto.h,$(auth_session_OBJ_FILES:.o=.c))) [SUBSYSTEM::auth_system_session] -PRIVATE_PROTO_HEADER = system_session_proto.h PUBLIC_DEPENDENCIES = CREDENTIALS PRIVATE_DEPENDENCIES = auth_session LIBSAMBA-UTIL LIBSECURITY -auth_system_session_OBJ_FILES = $(addprefix auth/, system_session.o) +auth_system_session_OBJ_FILES = $(addprefix $(authsrcdir)/, system_session.o) +$(eval $(call proto_header_template,$(authsrcdir)/system_session_proto.h,$(auth_system_session_OBJ_FILES:.o=.c))) [SUBSYSTEM::auth_sam] -PRIVATE_PROTO_HEADER = auth_sam.h PUBLIC_DEPENDENCIES = SAMDB UTIL_LDB LIBSECURITY PRIVATE_DEPENDENCIES = LDAP_ENCODE -auth_sam_OBJ_FILES = $(addprefix auth/, sam.o ntlm_check.o) +auth_sam_OBJ_FILES = $(addprefix $(authsrcdir)/, sam.o) + +$(eval $(call proto_header_template,$(authsrcdir)/auth_sam.h,$(auth_sam_OBJ_FILES:.o=.c))) [SUBSYSTEM::auth_sam_reply] -PRIVATE_PROTO_HEADER = auth_sam_reply.h - -auth_sam_reply_OBJ_FILES = $(addprefix auth/, auth_sam_reply.o) - -####################### -# Start MODULE auth_sam -[MODULE::auth_sam_module] -# gensec_krb5 and gensec_gssapi depend on it -INIT_FUNCTION = auth_sam_init -SUBSYSTEM = auth -PRIVATE_DEPENDENCIES = \ - SAMDB auth_sam -# End MODULE auth_sam -####################### - -auth_sam_module_OBJ_FILES = $(addprefix auth/, auth_sam.o) - -####################### -# Start MODULE auth_anonymous -[MODULE::auth_anonymous] -INIT_FUNCTION = auth_anonymous_init -SUBSYSTEM = auth -# End MODULE auth_anonymous -####################### - -auth_anonymous_OBJ_FILES = $(addprefix auth/, auth_anonymous.o) - -####################### -# Start MODULE auth_winbind -[MODULE::auth_winbind] -INIT_FUNCTION = auth_winbind_init -SUBSYSTEM = auth -PRIVATE_DEPENDENCIES = NDR_WINBIND MESSAGING LIBWINBIND-CLIENT -# End MODULE auth_winbind -####################### - -auth_winbind_OBJ_FILES = $(addprefix auth/, auth_winbind.o) - -####################### -# Start MODULE auth_developer -[MODULE::auth_developer] -INIT_FUNCTION = auth_developer_init -SUBSYSTEM = auth -# End MODULE auth_developer -####################### - -auth_developer_OBJ_FILES = $(addprefix auth/, auth_developer.o) - -[MODULE::auth_unix] -INIT_FUNCTION = auth_unix_init -SUBSYSTEM = auth -PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER - -auth_unix_OBJ_FILES = $(addprefix auth/, auth_unix.o) - -[SUBSYSTEM::PAM_ERRORS] -PRIVATE_PROTO_HEADER = pam_errors.h - -#VERSION = 0.0.1 -#SO_VERSION = 0 -PAM_ERRORS_OBJ_FILES = $(addprefix auth/, pam_errors.o) - -[MODULE::auth] -INIT_FUNCTION = server_service_auth_init -SUBSYSTEM = service -PRIVATE_PROTO_HEADER = auth_proto.h -PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS - -auth_OBJ_FILES = $(addprefix auth/, auth.o auth_util.o auth_simple.o) - -# PUBLIC_HEADERS += auth/auth.h + +auth_sam_reply_OBJ_FILES = $(addprefix $(authsrcdir)/, auth_sam_reply.o) + +$(eval $(call proto_header_template,$(authsrcdir)/auth_sam_reply.h,$(auth_sam_reply_OBJ_FILES:.o=.c))) [PYTHON::swig_auth] +LIBRARY_REALNAME = samba/_auth.$(SHLIBEXT) PUBLIC_DEPENDENCIES = auth_system_session PRIVATE_DEPENDENCIES = SAMDB -SWIG_FILE = auth.i -swig_auth_OBJ_FILES = auth/auth_wrap.o +$(eval $(call python_py_module_template,samba/auth.py,$(authsrcdir)/auth.py)) + +swig_auth_OBJ_FILES = $(authsrcdir)/auth_wrap.o + +$(swig_auth_OBJ_FILES): CFLAGS+=$(CFLAG_NO_UNUSED_MACROS) $(CFLAG_NO_CAST_QUAL) diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk index 6f3ec3997c..2eeeec20ec 100644 --- a/source4/auth/credentials/config.mk +++ b/source4/auth/credentials/config.mk @@ -1,18 +1,24 @@ ################################# # Start SUBSYSTEM CREDENTIALS [SUBSYSTEM::CREDENTIALS] -PRIVATE_PROTO_HEADER = credentials_proto.h PUBLIC_DEPENDENCIES = \ LIBCLI_AUTH SECRETS LIBCRYPTO KERBEROS UTIL_LDB HEIMDAL_GSSAPI PRIVATE_DEPENDENCIES = \ SECRETS -CREDENTIALS_OBJ_FILES = $(addprefix auth/credentials/, credentials.o credentials_files.o credentials_ntlm.o credentials_krb5.o ../kerberos/kerberos_util.o) -PUBLIC_HEADERS += auth/credentials/credentials.h +CREDENTIALS_OBJ_FILES = $(addprefix $(authsrcdir)/credentials/, credentials.o credentials_files.o credentials_ntlm.o credentials_krb5.o ../kerberos/kerberos_util.o) + +$(eval $(call proto_header_template,$(authsrcdir)/credentials/credentials_proto.h,$(CREDENTIALS_OBJ_FILES:.o=.c))) + +PUBLIC_HEADERS += $(authsrcdir)/credentials/credentials.h [PYTHON::swig_credentials] +LIBRARY_REALNAME = samba/_credentials.$(SHLIBEXT) PUBLIC_DEPENDENCIES = CREDENTIALS LIBCMDLINE_CREDENTIALS -SWIG_FILE = credentials.i -swig_credentials_OBJ_FILES = auth/credentials/credentials_wrap.o +$(eval $(call python_py_module_template,samba/credentials.py,$(authsrcdir)/credentials/credentials.py)) + +swig_credentials_OBJ_FILES = $(authsrcdir)/credentials/credentials_wrap.o + +$(swig_credentials_OBJ_FILES): CFLAGS+=$(CFLAG_NO_UNUSED_MACROS) $(CFLAG_NO_CAST_QUAL) diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index 89dddc9e05..adabe49cb4 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -65,7 +65,6 @@ _PUBLIC_ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->tries = 3; cred->callback_running = false; - cred->ev = NULL; cli_credentials_set_kerberos_state(cred, CRED_AUTO_USE_KERBEROS); cli_credentials_set_gensec_features(cred, 0); @@ -307,6 +306,8 @@ _PUBLIC_ bool cli_credentials_set_password(struct cli_credentials *cred, cli_credentials_invalidate_ccache(cred, cred->password_obtained); cred->nt_hash = NULL; + cred->lm_response = data_blob(NULL, 0); + cred->nt_response = data_blob(NULL, 0); return true; } @@ -377,24 +378,6 @@ _PUBLIC_ const struct samr_Password *cli_credentials_get_nt_hash(struct cli_cred } } -_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, - const struct samr_Password *nt_hash, - enum credentials_obtained obtained) -{ - if (obtained >= cred->password_obtained) { - cli_credentials_set_password(cred, NULL, obtained); - if (nt_hash) { - cred->nt_hash = talloc(cred, struct samr_Password); - *cred->nt_hash = *nt_hash; - } else { - cred->nt_hash = NULL; - } - return true; - } - - return false; -} - /** * Obtain the 'short' or 'NetBIOS' domain for this credentials context. * @param cred credentials context @@ -675,7 +658,7 @@ _PUBLIC_ void cli_credentials_guess(struct cli_credentials *cred, } if (cli_credentials_get_kerberos_state(cred) != CRED_DONT_USE_KERBEROS) { - cli_credentials_set_ccache(cred, lp_ctx, NULL, CRED_GUESS_FILE); + cli_credentials_set_ccache(cred, event_context_find(cred), lp_ctx, NULL, CRED_GUESS_FILE); } } @@ -775,22 +758,3 @@ _PUBLIC_ bool cli_credentials_wrong_password(struct cli_credentials *cred) return (cred->tries > 0); } - -/* - set the common event context for this set of credentials - */ -_PUBLIC_ void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev) -{ - cred->ev = ev; -} - -/* - set the common event context for this set of credentials - */ -_PUBLIC_ struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred) -{ - if (cred->ev == NULL) { - cred->ev = event_context_find(cred); - } - return cred->ev; -} diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index afcb300638..79c50ae5af 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -26,6 +26,7 @@ #include "librpc/gen_ndr/misc.h" struct ccache_container; +struct event_context; /* In order of priority */ enum credentials_obtained { @@ -79,8 +80,13 @@ struct cli_credentials { const char *bind_dn; + /* Allows authentication from a keytab or similar */ struct samr_Password *nt_hash; + /* Allows NTLM pass-though authentication */ + DATA_BLOB lm_response; + DATA_BLOB nt_response; + struct ccache_container *ccache; struct gssapi_creds_container *client_gss_creds; struct keytab_container *keytab; @@ -121,9 +127,6 @@ struct cli_credentials { /* Whether any callback is currently running */ bool callback_running; - - /* an event context for anyone wanting to use the credentials */ - struct event_context *ev; }; struct ldb_context; @@ -152,12 +155,15 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ const char *cli_credentials_get_realm(struct cli_credentials *cred); const char *cli_credentials_get_username(struct cli_credentials *cred); int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context); int cli_credentials_get_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ccache_container **ccc); int cli_credentials_get_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct keytab_container **_ktc); const char *cli_credentials_get_domain(struct cli_credentials *cred); @@ -168,15 +174,15 @@ void cli_credentials_set_conf(struct cli_credentials *cred, struct loadparm_context *lp_ctx); const char *cli_credentials_get_principal(struct cli_credentials *cred, TALLOC_CTX *mem_ctx); int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc); int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc); -void cli_credentials_set_event_context(struct cli_credentials *cred, struct event_context *ev); void cli_credentials_set_kerberos_state(struct cli_credentials *creds, enum credentials_use_kerberos use_kerberos); -struct event_context *cli_credentials_get_event_context(struct cli_credentials *cred); bool cli_credentials_set_domain(struct cli_credentials *cred, const char *val, enum credentials_obtained obtained); @@ -199,6 +205,7 @@ void cli_credentials_set_netlogon_creds(struct cli_credentials *cred, NTSTATUS cli_credentials_set_krb5_context(struct cli_credentials *cred, struct smb_krb5_context *smb_krb5_context); NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal); NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cred, @@ -219,15 +226,22 @@ void cli_credentials_set_kvno(struct cli_credentials *cred, bool cli_credentials_set_nt_hash(struct cli_credentials *cred, const struct samr_Password *nt_hash, enum credentials_obtained obtained); +bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + enum credentials_obtained obtained); int cli_credentials_set_keytab_name(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained); int cli_credentials_update_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx); void cli_credentials_set_gensec_features(struct cli_credentials *creds, uint32_t gensec_features); uint32_t cli_credentials_get_gensec_features(struct cli_credentials *creds); int cli_credentials_set_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *name, enum credentials_obtained obtained); @@ -239,6 +253,7 @@ void cli_credentials_invalidate_ccache(struct cli_credentials *cred, void cli_credentials_set_salt_principal(struct cli_credentials *cred, const char *principal); enum credentials_use_kerberos cli_credentials_get_kerberos_state(struct cli_credentials *creds); NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, diff --git a/source4/auth/credentials/credentials.i b/source4/auth/credentials/credentials.i index 152d2e673c..89eb4924b3 100644 --- a/source4/auth/credentials/credentials.i +++ b/source4/auth/credentials/credentials.i @@ -59,36 +59,53 @@ typedef struct cli_credentials { return cli_credentials_init(NULL); } /* username */ + %feature("docstring") get_username "S.get_username() -> username\nObtain username."; const char *get_username(void); + %feature("docstring") set_username "S.set_username(name, obtained=CRED_SPECIFIED) -> None\nChange username."; bool set_username(const char *value, - enum credentials_obtained=CRED_SPECIFIED); + enum credentials_obtained obtained=CRED_SPECIFIED); /* password */ + %feature("docstring") get_password "S.get_password() -> password\n" \ + "Obtain password."; const char *get_password(void); + %feature("docstring") set_password "S.set_password(password, obtained=CRED_SPECIFIED) -> None\n" \ + "Change password."; bool set_password(const char *val, - enum credentials_obtained=CRED_SPECIFIED); + enum credentials_obtained obtained=CRED_SPECIFIED); /* domain */ + %feature("docstring") get_password "S.get_domain() -> domain\nObtain domain name."; const char *get_domain(void); + %feature("docstring") set_domain "S.set_domain(domain, obtained=CRED_SPECIFIED) -> None\n" \ + "Change domain name."; bool set_domain(const char *val, - enum credentials_obtained=CRED_SPECIFIED); + enum credentials_obtained obtained=CRED_SPECIFIED); /* realm */ + %feature("docstring") get_realm "S.get_realm() -> realm\nObtain realm name."; const char *get_realm(void); + %feature("docstring") set_realm "S.set_realm(realm, obtained=CRED_SPECIFIED) -> None\n" \ + "Change realm name."; bool set_realm(const char *val, - enum credentials_obtained=CRED_SPECIFIED); + enum credentials_obtained obtained=CRED_SPECIFIED); - /* Kerberos */ + /* Kerberos */ void set_kerberos_state(enum credentials_use_kerberos use_kerberos); + %feature("docstring") parse_string "S.parse_string(text, obtained=CRED_SPECIFIED) -> None\n" \ + "Parse credentials string."; void parse_string(const char *text, - enum credentials_obtained=CRED_SPECIFIED); + enum credentials_obtained obtained=CRED_SPECIFIED); /* bind dn */ + %feature("docstring") get_bind_dn "S.get_bind_dn() -> bind dn\nObtain bind DN."; const char *get_bind_dn(void); + %feature("docstring") set_bind_dn "S.set_bind_dn(bind_dn) -> None\nChange bind DN."; bool set_bind_dn(const char *bind_dn); - void set_anonymous(); + %feature("docstring") set_anonymous "S.set_anonymous() -> None\nUse anonymous credentials."; + void set_anonymous(); /* workstation name */ const char *get_workstation(void); @@ -104,8 +121,10 @@ typedef struct cli_credentials { bool authentication_requested(void); + %feature("docstring") wrong_password "S.wrong_password() -> bool\nIndicate the returned password was incorrect."; bool wrong_password(void); + %feature("docstring") set_cmdline_callbacks "S.set_cmdline_callbacks() -> bool\nUse command-line to obtain credentials not explicitly set."; bool set_cmdline_callbacks(); } } cli_credentials; diff --git a/source4/auth/credentials/credentials.py b/source4/auth/credentials/credentials.py index ba0000dcda..fd00a8e6f0 100644 --- a/source4/auth/credentials/credentials.py +++ b/source4/auth/credentials/credentials.py @@ -1,5 +1,5 @@ # This file was automatically generated by SWIG (http://www.swig.org). -# Version 1.3.33 +# Version 1.3.35 # # Don't modify this file, modify the SWIG interface instead. @@ -66,6 +66,97 @@ class Credentials(object): __repr__ = _swig_repr def __init__(self, *args, **kwargs): _credentials.Credentials_swiginit(self,_credentials.new_Credentials(*args, **kwargs)) + def get_username(*args, **kwargs): + """ + S.get_username() -> username + Obtain username. + """ + return _credentials.Credentials_get_username(*args, **kwargs) + + def set_username(*args, **kwargs): + """ + S.set_username(name, obtained=CRED_SPECIFIED) -> None + Change username. + """ + return _credentials.Credentials_set_username(*args, **kwargs) + + def get_password(*args, **kwargs): + """ + S.get_password() -> password + Obtain password. + """ + return _credentials.Credentials_get_password(*args, **kwargs) + + def set_password(*args, **kwargs): + """ + S.set_password(password, obtained=CRED_SPECIFIED) -> None + Change password. + """ + return _credentials.Credentials_set_password(*args, **kwargs) + + def set_domain(*args, **kwargs): + """ + S.set_domain(domain, obtained=CRED_SPECIFIED) -> None + Change domain name. + """ + return _credentials.Credentials_set_domain(*args, **kwargs) + + def get_realm(*args, **kwargs): + """ + S.get_realm() -> realm + Obtain realm name. + """ + return _credentials.Credentials_get_realm(*args, **kwargs) + + def set_realm(*args, **kwargs): + """ + S.set_realm(realm, obtained=CRED_SPECIFIED) -> None + Change realm name. + """ + return _credentials.Credentials_set_realm(*args, **kwargs) + + def parse_string(*args, **kwargs): + """ + S.parse_string(text, obtained=CRED_SPECIFIED) -> None + Parse credentials string. + """ + return _credentials.Credentials_parse_string(*args, **kwargs) + + def get_bind_dn(*args, **kwargs): + """ + S.get_bind_dn() -> bind dn + Obtain bind DN. + """ + return _credentials.Credentials_get_bind_dn(*args, **kwargs) + + def set_bind_dn(*args, **kwargs): + """ + S.set_bind_dn(bind_dn) -> None + Change bind DN. + """ + return _credentials.Credentials_set_bind_dn(*args, **kwargs) + + def set_anonymous(*args, **kwargs): + """ + S.set_anonymous() -> None + Use anonymous credentials. + """ + return _credentials.Credentials_set_anonymous(*args, **kwargs) + + def wrong_password(*args, **kwargs): + """ + S.wrong_password() -> bool + Indicate the returned password was incorrect. + """ + return _credentials.Credentials_wrong_password(*args, **kwargs) + + def set_cmdline_callbacks(*args, **kwargs): + """ + S.set_cmdline_callbacks() -> bool + Use command-line to obtain credentials not explicitly set. + """ + return _credentials.Credentials_set_cmdline_callbacks(*args, **kwargs) + __swig_destroy__ = _credentials.delete_Credentials Credentials.get_username = new_instancemethod(_credentials.Credentials_get_username,None,Credentials) Credentials.set_username = new_instancemethod(_credentials.Credentials_set_username,None,Credentials) diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index 1bbdf8a5ad..ab76ea2cde 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -30,6 +30,7 @@ #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_krb5.h" #include "param/param.h" +#include "lib/events/events.h" /** * Read a file descriptor, and parse it for a password (eg from a file or stdin) @@ -169,6 +170,7 @@ _PUBLIC_ bool cli_credentials_parse_file(struct cli_credentials *cred, const cha * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ldb_context *ldb, const char *base, @@ -305,13 +307,13 @@ _PUBLIC_ NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, * (chewing CPU time) from the password */ keytab = ldb_msg_find_attr_as_string(msgs[0], "krb5Keytab", NULL); if (keytab) { - cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); } else { keytab = ldb_msg_find_attr_as_string(msgs[0], "privateKeytab", NULL); if (keytab) { keytab = talloc_asprintf(mem_ctx, "FILE:%s", private_path(mem_ctx, lp_ctx, keytab)); if (keytab) { - cli_credentials_set_keytab_name(cred, lp_ctx, keytab, CRED_SPECIFIED); + cli_credentials_set_keytab_name(cred, event_ctx, lp_ctx, keytab, CRED_SPECIFIED); } } } @@ -336,7 +338,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr cred->machine_account_pending = false; filter = talloc_asprintf(cred, SECRETS_PRIMARY_DOMAIN_FILTER, cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_context_find(cred), lp_ctx, NULL, SECRETS_PRIMARY_DOMAIN_DN, filter); } @@ -348,6 +350,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_machine_account(struct cli_credentials *cr * @retval NTSTATUS error detailing any failure */ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx) { char *filter; @@ -358,7 +361,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, filter = talloc_asprintf(cred, SECRETS_KRBTGT_SEARCH, cli_credentials_get_realm(cred), cli_credentials_get_domain(cred)); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } @@ -370,6 +373,7 @@ NTSTATUS cli_credentials_set_krbtgt(struct cli_credentials *cred, * @retval NTSTATUS error detailing any failure */ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *serviceprincipal) { @@ -382,7 +386,7 @@ _PUBLIC_ NTSTATUS cli_credentials_set_stored_principal(struct cli_credentials *c cli_credentials_get_realm(cred), cli_credentials_get_domain(cred), serviceprincipal); - return cli_credentials_set_secrets(cred, lp_ctx, NULL, + return cli_credentials_set_secrets(cred, event_ctx, lp_ctx, NULL, SECRETS_PRINCIPALS_DN, filter); } diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c index cd9285b09d..3bc1764448 100644 --- a/source4/auth/credentials/credentials_krb5.c +++ b/source4/auth/credentials/credentials_krb5.c @@ -30,6 +30,7 @@ #include "param/param.h" _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct smb_krb5_context **smb_krb5_context) { @@ -39,8 +40,7 @@ _PUBLIC_ int cli_credentials_get_krb5_context(struct cli_credentials *cred, return 0; } - ret = smb_krb5_init_context(cred, cli_credentials_get_event_context(cred), - lp_ctx, &cred->smb_krb5_context); + ret = smb_krb5_init_context(cred, event_ctx, lp_ctx, &cred->smb_krb5_context); if (ret) { cred->smb_krb5_context = NULL; return ret; @@ -128,6 +128,7 @@ static int free_dccache(struct ccache_container *ccc) { } _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *name, enum credentials_obtained obtained) @@ -144,7 +145,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &ccc->smb_krb5_context); if (ret) { talloc_free(ccc); @@ -203,6 +204,7 @@ _PUBLIC_ int cli_credentials_set_ccache(struct cli_credentials *cred, static int cli_credentials_new_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ccache_container **_ccc) { @@ -221,7 +223,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &ccc->smb_krb5_context); if (ret) { talloc_free(ccc); @@ -253,6 +255,7 @@ static int cli_credentials_new_ccache(struct cli_credentials *cred, } _PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct ccache_container **ccc) { @@ -271,7 +274,7 @@ _PUBLIC_ int cli_credentials_get_ccache(struct cli_credentials *cred, return EINVAL; } - ret = cli_credentials_new_ccache(cred, lp_ctx, ccc); + ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, ccc); if (ret) { return ret; } @@ -348,6 +351,7 @@ static int free_gssapi_creds(struct gssapi_creds_container *gcc) } _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc) { @@ -360,7 +364,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, *_gcc = cred->client_gss_creds; return 0; } - ret = cli_credentials_get_ccache(cred, lp_ctx, + ret = cli_credentials_get_ccache(cred, event_ctx, lp_ctx, &ccache); if (ret) { DEBUG(1, ("Failed to get CCACHE for GSSAPI client: %s\n", error_message(ret))); @@ -402,6 +406,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, */ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, gss_cred_id_t gssapi_cred, enum credentials_obtained obtained) @@ -419,7 +424,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_new_ccache(cred, lp_ctx, &ccc); + ret = cli_credentials_new_ccache(cred, event_ctx, lp_ctx, &ccc); if (ret != 0) { return ret; } @@ -456,6 +461,7 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred, * it will be generated from the password. */ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct keytab_container **_ktc) { @@ -475,7 +481,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, return EINVAL; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); if (ret) { return ret; @@ -510,6 +516,7 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred, * FILE:/etc/krb5.keytab), open it and attach it */ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *keytab_name, enum credentials_obtained obtained) @@ -523,7 +530,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, return 0; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); if (ret) { return ret; } @@ -549,6 +556,7 @@ _PUBLIC_ int cli_credentials_set_keytab_name(struct cli_credentials *cred, } _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx) { krb5_error_code ret; @@ -562,7 +570,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, return ENOMEM; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); if (ret) { talloc_free(mem_ctx); return ret; @@ -570,7 +578,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, enctype_strings = cli_credentials_get_enctype_strings(cred); - ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc); + ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc); if (ret != 0) { talloc_free(mem_ctx); return ret; @@ -585,6 +593,7 @@ _PUBLIC_ int cli_credentials_update_keytab(struct cli_credentials *cred, /* Get server gss credentials (in gsskrb5, this means the keytab) */ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct gssapi_creds_container **_gcc) { @@ -603,12 +612,12 @@ _PUBLIC_ int cli_credentials_get_server_gss_creds(struct cli_credentials *cred, return 0; } - ret = cli_credentials_get_krb5_context(cred, lp_ctx, &smb_krb5_context); + ret = cli_credentials_get_krb5_context(cred, event_ctx, lp_ctx, &smb_krb5_context); if (ret) { return ret; } - ret = cli_credentials_get_keytab(cred, lp_ctx, &ktc); + ret = cli_credentials_get_keytab(cred, event_ctx, lp_ctx, &ktc); if (ret) { DEBUG(1, ("Failed to get keytab for GSSAPI server: %s\n", error_message(ret))); return ret; diff --git a/source4/auth/credentials/credentials_krb5.h b/source4/auth/credentials/credentials_krb5.h index aaa7d7f0da..f672b0ad9a 100644 --- a/source4/auth/credentials/credentials_krb5.h +++ b/source4/auth/credentials/credentials_krb5.h @@ -32,6 +32,7 @@ struct gssapi_creds_container { /* Manually prototyped here to avoid needing gss headers in most callers */ int cli_credentials_set_client_gss_creds(struct cli_credentials *cred, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, gss_cred_id_t gssapi_cred, enum credentials_obtained obtained); diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index b88f2018df..22e273c35a 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -52,6 +52,20 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred const struct samr_Password *nt_hash; lm_session_key = data_blob(NULL, 0); + /* We may already have an NTLM response we prepared earlier. + * This is used for NTLM pass-though authentication */ + if (cred->nt_response.data || cred->lm_response.data) { + *_nt_response = cred->nt_response; + *_lm_response = cred->lm_response; + + if (!cred->lm_response.data) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + *_lm_session_key = data_blob(NULL, 0); + *_session_key = data_blob(NULL, 0); + return NT_STATUS_OK; + } + nt_hash = cli_credentials_get_nt_hash(cred, mem_ctx); cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); @@ -215,3 +229,41 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred return NT_STATUS_OK; } +_PUBLIC_ bool cli_credentials_set_nt_hash(struct cli_credentials *cred, + const struct samr_Password *nt_hash, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + if (nt_hash) { + cred->nt_hash = talloc(cred, struct samr_Password); + *cred->nt_hash = *nt_hash; + } else { + cred->nt_hash = NULL; + } + return true; + } + + return false; +} + +_PUBLIC_ bool cli_credentials_set_ntlm_response(struct cli_credentials *cred, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + enum credentials_obtained obtained) +{ + if (obtained >= cred->password_obtained) { + cli_credentials_set_password(cred, NULL, obtained); + if (nt_response) { + cred->nt_response = data_blob_talloc(cred, nt_response->data, nt_response->length); + talloc_steal(cred, cred->nt_response.data); + } + if (nt_response) { + cred->lm_response = data_blob_talloc(cred, lm_response->data, lm_response->length); + } + return true; + } + + return false; +} + diff --git a/source4/auth/credentials/credentials_wrap.c b/source4/auth/credentials/credentials_wrap.c index 6c99802b09..81ba426e45 100644 --- a/source4/auth/credentials/credentials_wrap.c +++ b/source4/auth/credentials/credentials_wrap.c @@ -1,6 +1,6 @@ /* ---------------------------------------------------------------------------- * This file was automatically generated by SWIG (http://www.swig.org). - * Version 1.3.33 + * Version 1.3.35 * * This file is not intended to be easily readable and contains a number of * coding conventions designed to improve portability and efficiency. Do not make @@ -126,7 +126,7 @@ /* This should only be incremented when either the layout of swig_type_info changes, or for whatever reason, the runtime changes incompatibly */ -#define SWIG_RUNTIME_VERSION "3" +#define SWIG_RUNTIME_VERSION "4" /* define SWIG_TYPE_TABLE_NAME as "SWIG_TYPE_TABLE" */ #ifdef SWIG_TYPE_TABLE @@ -161,6 +161,7 @@ /* Flags for pointer conversions */ #define SWIG_POINTER_DISOWN 0x1 +#define SWIG_CAST_NEW_MEMORY 0x2 /* Flags for new pointer objects */ #define SWIG_POINTER_OWN 0x1 @@ -301,10 +302,10 @@ SWIGINTERNINLINE int SWIG_CheckState(int r) { extern "C" { #endif -typedef void *(*swig_converter_func)(void *); +typedef void *(*swig_converter_func)(void *, int *); typedef struct swig_type_info *(*swig_dycast_func)(void **); -/* Structure to store inforomation on one type */ +/* Structure to store information on one type */ typedef struct swig_type_info { const char *name; /* mangled name of this type */ const char *str; /* human readable name of this type */ @@ -431,8 +432,8 @@ SWIG_TypeCheckStruct(swig_type_info *from, swig_type_info *into) { Cast a pointer up an inheritance hierarchy */ SWIGRUNTIMEINLINE void * -SWIG_TypeCast(swig_cast_info *ty, void *ptr) { - return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr); +SWIG_TypeCast(swig_cast_info *ty, void *ptr, int *newmemory) { + return ((!ty) || (!ty->converter)) ? ptr : (*ty->converter)(ptr, newmemory); } /* @@ -856,7 +857,7 @@ SWIG_Python_AddErrorMsg(const char* mesg) Py_DECREF(old_str); Py_DECREF(value); } else { - PyErr_Format(PyExc_RuntimeError, mesg); + PyErr_SetString(PyExc_RuntimeError, mesg); } } @@ -1416,7 +1417,7 @@ PySwigObject_dealloc(PyObject *v) { PySwigObject *sobj = (PySwigObject *) v; PyObject *next = sobj->next; - if (sobj->own) { + if (sobj->own == SWIG_POINTER_OWN) { swig_type_info *ty = sobj->ty; PySwigClientData *data = ty ? (PySwigClientData *) ty->clientdata : 0; PyObject *destroy = data ? data->destroy : 0; @@ -1434,12 +1435,13 @@ PySwigObject_dealloc(PyObject *v) res = ((*meth)(mself, v)); } Py_XDECREF(res); - } else { - const char *name = SWIG_TypePrettyName(ty); + } #if !defined(SWIG_PYTHON_SILENT_MEMLEAK) - printf("swig/python detected a memory leak of type '%s', no destructor found.\n", name); -#endif + else { + const char *name = SWIG_TypePrettyName(ty); + printf("swig/python detected a memory leak of type '%s', no destructor found.\n", (name ? name : "unknown")); } +#endif } Py_XDECREF(next); PyObject_DEL(v); @@ -1944,7 +1946,7 @@ SWIG_Python_GetSwigThis(PyObject *pyobj) SWIGRUNTIME int SWIG_Python_AcquirePtr(PyObject *obj, int own) { - if (own) { + if (own == SWIG_POINTER_OWN) { PySwigObject *sobj = SWIG_Python_GetSwigThis(obj); if (sobj) { int oldown = sobj->own; @@ -1965,6 +1967,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int return SWIG_OK; } else { PySwigObject *sobj = SWIG_Python_GetSwigThis(obj); + if (own) + *own = 0; while (sobj) { void *vptr = sobj->ptr; if (ty) { @@ -1978,7 +1982,15 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int if (!tc) { sobj = (PySwigObject *)sobj->next; } else { - if (ptr) *ptr = SWIG_TypeCast(tc,vptr); + if (ptr) { + int newmemory = 0; + *ptr = SWIG_TypeCast(tc,vptr,&newmemory); + if (newmemory == SWIG_CAST_NEW_MEMORY) { + assert(own); + if (own) + *own = *own | SWIG_CAST_NEW_MEMORY; + } + } break; } } @@ -1988,7 +2000,8 @@ SWIG_Python_ConvertPtrAndOwn(PyObject *obj, void **ptr, swig_type_info *ty, int } } if (sobj) { - if (own) *own = sobj->own; + if (own) + *own = *own | sobj->own; if (flags & SWIG_POINTER_DISOWN) { sobj->own = 0; } @@ -2053,8 +2066,13 @@ SWIG_Python_ConvertFunctionPtr(PyObject *obj, void **ptr, swig_type_info *ty) { } if (ty) { swig_cast_info *tc = SWIG_TypeCheck(desc,ty); - if (!tc) return SWIG_ERROR; - *ptr = SWIG_TypeCast(tc,vptr); + if (tc) { + int newmemory = 0; + *ptr = SWIG_TypeCast(tc,vptr,&newmemory); + assert(!newmemory); /* newmemory handling not yet implemented */ + } else { + return SWIG_ERROR; + } } else { *ptr = vptr; } @@ -2506,7 +2524,7 @@ static swig_module_info swig_module = {swig_types, 17, 0, 0, 0, 0}; #define SWIG_name "_credentials" -#define SWIGVERSION 0x010333 +#define SWIGVERSION 0x010335 #define SWIG_VERSION SWIGVERSION @@ -2863,7 +2881,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_username(PyObject *SWIGUNUSEDPARM(sel PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; char * kwnames[] = { - (char *) "self",(char *) "value",(char *)"arg3", NULL + (char *) "self",(char *) "value",(char *) "obtained", NULL }; arg1 = NULL; @@ -2944,7 +2962,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_password(PyObject *SWIGUNUSEDPARM(sel PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; char * kwnames[] = { - (char *) "self",(char *) "val",(char *)"arg3", NULL + (char *) "self",(char *) "val",(char *) "obtained", NULL }; arg1 = NULL; @@ -3025,7 +3043,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_domain(PyObject *SWIGUNUSEDPARM(self) PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; char * kwnames[] = { - (char *) "self",(char *) "val",(char *)"arg3", NULL + (char *) "self",(char *) "val",(char *) "obtained", NULL }; arg1 = NULL; @@ -3106,7 +3124,7 @@ SWIGINTERN PyObject *_wrap_Credentials_set_realm(PyObject *SWIGUNUSEDPARM(self), PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; char * kwnames[] = { - (char *) "self",(char *) "val",(char *)"arg3", NULL + (char *) "self",(char *) "val",(char *) "obtained", NULL }; arg1 = NULL; @@ -3196,7 +3214,7 @@ SWIGINTERN PyObject *_wrap_Credentials_parse_string(PyObject *SWIGUNUSEDPARM(sel PyObject * obj1 = 0 ; PyObject * obj2 = 0 ; char * kwnames[] = { - (char *) "self",(char *) "text",(char *)"arg3", NULL + (char *) "self",(char *) "text",(char *) "obtained", NULL }; arg1 = NULL; @@ -3672,19 +3690,52 @@ SWIGINTERN PyObject *Credentials_swiginit(PyObject *SWIGUNUSEDPARM(self), PyObje static PyMethodDef SwigMethods[] = { { (char *)"new_Credentials", (PyCFunction)_wrap_new_Credentials, METH_NOARGS, NULL}, - { (char *)"Credentials_get_username", (PyCFunction) _wrap_Credentials_get_username, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_username", (PyCFunction) _wrap_Credentials_set_username, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_get_password", (PyCFunction) _wrap_Credentials_get_password, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_password", (PyCFunction) _wrap_Credentials_set_password, METH_VARARGS | METH_KEYWORDS, NULL}, + { (char *)"Credentials_get_username", (PyCFunction) _wrap_Credentials_get_username, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.get_username() -> username\n" + "Obtain username.\n" + ""}, + { (char *)"Credentials_set_username", (PyCFunction) _wrap_Credentials_set_username, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_username(name, obtained=CRED_SPECIFIED) -> None\n" + "Change username.\n" + ""}, + { (char *)"Credentials_get_password", (PyCFunction) _wrap_Credentials_get_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.get_password() -> password\n" + "Obtain password.\n" + ""}, + { (char *)"Credentials_set_password", (PyCFunction) _wrap_Credentials_set_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_password(password, obtained=CRED_SPECIFIED) -> None\n" + "Change password.\n" + ""}, { (char *)"Credentials_get_domain", (PyCFunction) _wrap_Credentials_get_domain, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_domain", (PyCFunction) _wrap_Credentials_set_domain, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_get_realm", (PyCFunction) _wrap_Credentials_get_realm, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_realm", (PyCFunction) _wrap_Credentials_set_realm, METH_VARARGS | METH_KEYWORDS, NULL}, + { (char *)"Credentials_set_domain", (PyCFunction) _wrap_Credentials_set_domain, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_domain(domain, obtained=CRED_SPECIFIED) -> None\n" + "Change domain name.\n" + ""}, + { (char *)"Credentials_get_realm", (PyCFunction) _wrap_Credentials_get_realm, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.get_realm() -> realm\n" + "Obtain realm name.\n" + ""}, + { (char *)"Credentials_set_realm", (PyCFunction) _wrap_Credentials_set_realm, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_realm(realm, obtained=CRED_SPECIFIED) -> None\n" + "Change realm name.\n" + ""}, { (char *)"Credentials_set_kerberos_state", (PyCFunction) _wrap_Credentials_set_kerberos_state, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_parse_string", (PyCFunction) _wrap_Credentials_parse_string, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_get_bind_dn", (PyCFunction) _wrap_Credentials_get_bind_dn, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_bind_dn", (PyCFunction) _wrap_Credentials_set_bind_dn, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_anonymous", (PyCFunction) _wrap_Credentials_set_anonymous, METH_VARARGS | METH_KEYWORDS, NULL}, + { (char *)"Credentials_parse_string", (PyCFunction) _wrap_Credentials_parse_string, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.parse_string(text, obtained=CRED_SPECIFIED) -> None\n" + "Parse credentials string.\n" + ""}, + { (char *)"Credentials_get_bind_dn", (PyCFunction) _wrap_Credentials_get_bind_dn, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.get_bind_dn() -> bind dn\n" + "Obtain bind DN.\n" + ""}, + { (char *)"Credentials_set_bind_dn", (PyCFunction) _wrap_Credentials_set_bind_dn, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_bind_dn(bind_dn) -> None\n" + "Change bind DN.\n" + ""}, + { (char *)"Credentials_set_anonymous", (PyCFunction) _wrap_Credentials_set_anonymous, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_anonymous() -> None\n" + "Use anonymous credentials.\n" + ""}, { (char *)"Credentials_get_workstation", (PyCFunction) _wrap_Credentials_get_workstation, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"Credentials_set_workstation", (PyCFunction) _wrap_Credentials_set_workstation, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"Credentials_set_machine_account", (PyCFunction) _wrap_Credentials_set_machine_account, METH_VARARGS | METH_KEYWORDS, NULL}, @@ -3692,8 +3743,14 @@ static PyMethodDef SwigMethods[] = { { (char *)"Credentials_is_anonymous", (PyCFunction) _wrap_Credentials_is_anonymous, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"Credentials_get_nt_hash", (PyCFunction) _wrap_Credentials_get_nt_hash, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"Credentials_authentication_requested", (PyCFunction) _wrap_Credentials_authentication_requested, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_wrong_password", (PyCFunction) _wrap_Credentials_wrong_password, METH_VARARGS | METH_KEYWORDS, NULL}, - { (char *)"Credentials_set_cmdline_callbacks", (PyCFunction) _wrap_Credentials_set_cmdline_callbacks, METH_VARARGS | METH_KEYWORDS, NULL}, + { (char *)"Credentials_wrong_password", (PyCFunction) _wrap_Credentials_wrong_password, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.wrong_password() -> bool\n" + "Indicate the returned password was incorrect.\n" + ""}, + { (char *)"Credentials_set_cmdline_callbacks", (PyCFunction) _wrap_Credentials_set_cmdline_callbacks, METH_VARARGS | METH_KEYWORDS, (char *)"\n" + "S.set_cmdline_callbacks() -> bool\n" + "Use command-line to obtain credentials not explicitly set.\n" + ""}, { (char *)"delete_Credentials", (PyCFunction) _wrap_delete_Credentials, METH_VARARGS | METH_KEYWORDS, NULL}, { (char *)"Credentials_swigregister", Credentials_swigregister, METH_VARARGS, NULL}, { (char *)"Credentials_swiginit", Credentials_swiginit, METH_VARARGS, NULL}, @@ -3845,7 +3902,7 @@ SWIGRUNTIME void SWIG_InitializeModule(void *clientdata) { size_t i; swig_module_info *module_head, *iter; - int found; + int found, init; clientdata = clientdata; @@ -3855,6 +3912,9 @@ SWIG_InitializeModule(void *clientdata) { swig_module.type_initial = swig_type_initial; swig_module.cast_initial = swig_cast_initial; swig_module.next = &swig_module; + init = 1; + } else { + init = 0; } /* Try and load any already created modules */ @@ -3883,6 +3943,12 @@ SWIG_InitializeModule(void *clientdata) { module_head->next = &swig_module; } + /* When multiple interpeters are used, a module could have already been initialized in + a different interpreter, but not yet have a pointer in this interpreter. + In this case, we do not want to continue adding types... everything should be + set up already */ + if (init == 0) return; + /* Now work on filling in swig_module.types */ #ifdef SWIGRUNTIME_DEBUG printf("SWIG_InitializeModule: size %d\n", swig_module.size); diff --git a/source4/auth/credentials/tests/bindings.py b/source4/auth/credentials/tests/bindings.py index d0a99502c1..30120b3a60 100644 --- a/source4/auth/credentials/tests/bindings.py +++ b/source4/auth/credentials/tests/bindings.py @@ -24,7 +24,7 @@ the functionality, that's already done in other tests. """ import unittest -import credentials +from samba import credentials class CredentialsTests(unittest.TestCase): def setUp(self): diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk index cfb3493484..f08ff2638a 100644 --- a/source4/auth/gensec/config.mk +++ b/source4/auth/gensec/config.mk @@ -1,30 +1,31 @@ ################################# # Start SUBSYSTEM gensec [LIBRARY::gensec] -PRIVATE_PROTO_HEADER = gensec_proto.h PUBLIC_DEPENDENCIES = \ CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba-socket LIBPACKET # End SUBSYSTEM gensec ################################# -PC_FILES += auth/gensec/gensec.pc +PC_FILES += $(gensecsrcdir)/gensec.pc gensec_VERSION = 0.0.1 gensec_SOVERSION = 0 -gensec_OBJ_FILES = $(addprefix auth/gensec/, gensec.o socket.o) +gensec_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec.o socket.o) -PUBLIC_HEADERS += auth/gensec/gensec.h +PUBLIC_HEADERS += $(gensecsrcdir)/gensec.h + +$(eval $(call proto_header_template,$(gensecsrcdir)/gensec_proto.h,$(gensec_OBJ_FILES:.o=.c))) ################################################ # Start MODULE gensec_krb5 [MODULE::gensec_krb5] SUBSYSTEM = gensec INIT_FUNCTION = gensec_krb5_init -PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth auth_sam +PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session auth_sam # End MODULE gensec_krb5 ################################################ -gensec_krb5_OBJ_FILES = $(addprefix auth/gensec/, gensec_krb5.o) +gensec_krb5_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec_krb5.o) ################################################ # Start MODULE gensec_gssapi @@ -35,7 +36,7 @@ PRIVATE_DEPENDENCIES = HEIMDAL_GSSAPI CREDENTIALS KERBEROS # End MODULE gensec_gssapi ################################################ -gensec_gssapi_OBJ_FILES = $(addprefix auth/gensec/, gensec_gssapi.o) +gensec_gssapi_OBJ_FILES = $(addprefix $(gensecsrcdir)/, gensec_gssapi.o) ################################################ # Start MODULE cyrus_sasl @@ -46,40 +47,41 @@ PRIVATE_DEPENDENCIES = CREDENTIALS SASL # End MODULE cyrus_sasl ################################################ -cyrus_sasl_OBJ_FILES = $(addprefix auth/gensec/, cyrus_sasl.o) +cyrus_sasl_OBJ_FILES = $(addprefix $(gensecsrcdir)/, cyrus_sasl.o) ################################################ # Start MODULE gensec_spnego [MODULE::gensec_spnego] SUBSYSTEM = gensec INIT_FUNCTION = gensec_spnego_init -PRIVATE_PROTO_HEADER = spnego_proto.h PRIVATE_DEPENDENCIES = ASN1_UTIL CREDENTIALS # End MODULE gensec_spnego ################################################ -gensec_spnego_OBJ_FILES = $(addprefix auth/gensec/, spnego.o spnego_parse.o) +gensec_spnego_OBJ_FILES = $(addprefix $(gensecsrcdir)/, spnego.o spnego_parse.o) + +$(eval $(call proto_header_template,$(gensecsrcdir)/spnego_proto.h,$(gensec_spnego_OBJ_FILES:.o=.c))) ################################################ # Start MODULE gensec_schannel [MODULE::gensec_schannel] SUBSYSTEM = gensec -PRIVATE_PROTO_HEADER = schannel_proto.h INIT_FUNCTION = gensec_schannel_init PRIVATE_DEPENDENCIES = SCHANNELDB NDR_SCHANNEL CREDENTIALS LIBNDR OUTPUT_TYPE = MERGED_OBJ # End MODULE gensec_schannel ################################################ -gensec_schannel_OBJ_FILES = $(addprefix auth/gensec/, schannel.o schannel_sign.o) +gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o schannel_sign.o) +$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_proto.h,$(gensec_schannel_OBJ_FILES:.o=.c))) ################################################ # Start SUBSYSTEM SCHANNELDB [SUBSYSTEM::SCHANNELDB] -PRIVATE_PROTO_HEADER = schannel_state.h PRIVATE_DEPENDENCIES = LDB_WRAP SAMDB # End SUBSYSTEM SCHANNELDB ################################################ -SCHANNELDB_OBJ_FILES = $(addprefix auth/gensec/, schannel_state.o) +SCHANNELDB_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel_state.o) +$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_state.h,$(SCHANNELDB_OBJ_FILES:.o=.c))) diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c index 59ad15740e..0edb34d740 100644 --- a/source4/auth/gensec/gensec.c +++ b/source4/auth/gensec/gensec.c @@ -23,7 +23,6 @@ #include "includes.h" #include "auth/auth.h" #include "lib/events/events.h" -#include "build.h" #include "librpc/rpc/dcerpc.h" #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" @@ -482,6 +481,11 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, struct messaging_context *msg, struct gensec_security **gensec_security) { + if (ev == NULL) { + DEBUG(0, ("No event context available!\n")); + return NT_STATUS_INTERNAL_ERROR; + } + (*gensec_security) = talloc(mem_ctx, struct gensec_security); NT_STATUS_HAVE_NO_MEMORY(*gensec_security); @@ -493,14 +497,6 @@ static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx, (*gensec_security)->subcontext = false; (*gensec_security)->want_features = 0; - - if (ev == NULL) { - ev = event_context_init(*gensec_security); - if (ev == NULL) { - talloc_free(*gensec_security); - return NT_STATUS_NO_MEMORY; - } - } (*gensec_security)->event_ctx = ev; (*gensec_security)->msg_ctx = msg; @@ -548,20 +544,11 @@ _PUBLIC_ NTSTATUS gensec_client_start(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) { NTSTATUS status; - struct event_context *new_ev = NULL; - - if (ev == NULL) { - new_ev = event_context_init(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(new_ev); - ev = new_ev; - } status = gensec_start(mem_ctx, ev, lp_ctx, NULL, gensec_security); if (!NT_STATUS_IS_OK(status)) { - talloc_free(new_ev); return status; } - talloc_steal((*gensec_security), new_ev); (*gensec_security)->gensec_role = GENSEC_CLIENT; return status; diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index e7dcb4ea68..cc0d40469e 100644 --- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -273,7 +273,9 @@ static NTSTATUS gensec_gssapi_server_start(struct gensec_security *gensec_securi DEBUG(3, ("No machine account credentials specified\n")); return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } else { - ret = cli_credentials_get_server_gss_creds(machine_account, gensec_security->lp_ctx, &gcc); + ret = cli_credentials_get_server_gss_creds(machine_account, + gensec_security->event_ctx, + gensec_security->lp_ctx, &gcc); if (ret) { DEBUG(1, ("Aquiring acceptor credentials failed: %s\n", error_message(ret))); @@ -359,7 +361,9 @@ static NTSTATUS gensec_gssapi_client_start(struct gensec_security *gensec_securi return NT_STATUS_INVALID_PARAMETER; } - ret = cli_credentials_get_client_gss_creds(creds, gensec_security->lp_ctx, &gcc); + ret = cli_credentials_get_client_gss_creds(creds, + gensec_security->event_ctx, + gensec_security->lp_ctx, &gcc); switch (ret) { case 0: break; @@ -1323,7 +1327,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi } else if (!lp_parm_bool(gensec_security->lp_ctx, NULL, "gensec", "require_pac", false)) { DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); - nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string, + nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { @@ -1338,7 +1342,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(mem_ctx, gensec_security->lp_ctx, server_info, &session_info); + nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); return nt_status; @@ -1361,12 +1365,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi return NT_STATUS_NO_MEMORY; } - cli_credentials_set_event_context(session_info->credentials, gensec_security->event_ctx); cli_credentials_set_conf(session_info->credentials, gensec_security->lp_ctx); /* Just so we don't segfault trying to get at a username */ cli_credentials_set_anonymous(session_info->credentials); ret = cli_credentials_set_client_gss_creds(session_info->credentials, + gensec_security->event_ctx, gensec_security->lp_ctx, gensec_gssapi_state->delegated_cred_handle, CRED_SPECIFIED); diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index ae601b19c2..47df2ccfcc 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -118,7 +118,9 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) talloc_set_destructor(gensec_krb5_state, gensec_krb5_destroy); - if (cli_credentials_get_krb5_context(creds, gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { + if (cli_credentials_get_krb5_context(creds, + gensec_security->event_ctx, + gensec_security->lp_ctx, &gensec_krb5_state->smb_krb5_context)) { talloc_free(gensec_krb5_state); return NT_STATUS_INTERNAL_ERROR; } @@ -248,7 +250,9 @@ static NTSTATUS gensec_krb5_client_start(struct gensec_security *gensec_security principal = gensec_get_target_principal(gensec_security); - ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &ccache_container); + ret = cli_credentials_get_ccache(gensec_get_credentials(gensec_security), + gensec_security->event_ctx, + gensec_security->lp_ctx, &ccache_container); switch (ret) { case 0: break; @@ -446,7 +450,9 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, } /* Grab the keytab, however generated */ - ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), gensec_security->lp_ctx, &keytab); + ret = cli_credentials_get_keytab(gensec_get_credentials(gensec_security), + gensec_security->event_ctx, + gensec_security->lp_ctx, &keytab); if (ret) { return NT_STATUS_CANT_ACCESS_DOMAIN_INFO; } @@ -597,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); - nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->lp_ctx, principal_string, + nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, principal_string, &server_info); krb5_free_principal(context, client_principal); free(principal_string); @@ -645,7 +651,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(mem_ctx, gensec_security->lp_ctx, server_info, &session_info); + nt_status = auth_generate_session_info(mem_ctx, gensec_security->event_ctx, gensec_security->lp_ctx, server_info, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(mem_ctx); diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index b3117ee9b2..f21202b86f 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -125,7 +125,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ } /* pull the session key for this client */ - status = schannel_fetch_session_key(out_mem_ctx, gensec_security->lp_ctx, workstation, + status = schannel_fetch_session_key(out_mem_ctx, gensec_security->event_ctx, + gensec_security->lp_ctx, workstation, domain, &creds); if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", @@ -189,7 +190,7 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security, struct auth_session_info **_session_info) { struct schannel_state *state = talloc_get_type(gensec_security->private_data, struct schannel_state); - return auth_anonymous_session_info(state, gensec_security->lp_ctx, _session_info); + return auth_anonymous_session_info(state, gensec_security->event_ctx, gensec_security->lp_ctx, _session_info); } static NTSTATUS schannel_start(struct gensec_security *gensec_security) diff --git a/source4/auth/gensec/schannel_state.c b/source4/auth/gensec/schannel_state.c index 0c7c509954..0f7c4ca11d 100644 --- a/source4/auth/gensec/schannel_state.c +++ b/source4/auth/gensec/schannel_state.c @@ -32,7 +32,8 @@ /** connect to the schannel ldb */ -struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) +struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct event_context *ev_ctx, + struct loadparm_context *lp_ctx) { char *path; struct ldb_context *ldb; @@ -49,7 +50,7 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct loadparm_con existed = file_exist(path); - ldb = ldb_wrap_connect(mem_ctx, lp_ctx, path, + ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, path, system_session(mem_ctx, lp_ctx), NULL, LDB_FLG_NOSYNC, NULL); talloc_free(path); @@ -137,6 +138,7 @@ NTSTATUS schannel_store_session_key_ldb(TALLOC_CTX *mem_ctx, } NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, + struct event_context *ev_ctx, struct loadparm_context *lp_ctx, struct creds_CredentialState *creds) { @@ -144,7 +146,7 @@ NTSTATUS schannel_store_session_key(TALLOC_CTX *mem_ctx, NTSTATUS nt_status; int ret; - ldb = schannel_db_connect(mem_ctx, lp_ctx); + ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } @@ -268,6 +270,7 @@ NTSTATUS schannel_fetch_session_key_ldb(TALLOC_CTX *mem_ctx, } NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, + struct event_context *ev_ctx, struct loadparm_context *lp_ctx, const char *computer_name, const char *domain, @@ -276,7 +279,7 @@ NTSTATUS schannel_fetch_session_key(TALLOC_CTX *mem_ctx, NTSTATUS nt_status; struct ldb_context *ldb; - ldb = schannel_db_connect(mem_ctx, lp_ctx); + ldb = schannel_db_connect(mem_ctx, ev_ctx, lp_ctx); if (!ldb) { return NT_STATUS_ACCESS_DENIED; } diff --git a/source4/auth/kerberos/config.mk b/source4/auth/kerberos/config.mk index 762d6f8c49..951e247258 100644 --- a/source4/auth/kerberos/config.mk +++ b/source4/auth/kerberos/config.mk @@ -1,13 +1,12 @@ ################################# # Start SUBSYSTEM KERBEROS [SUBSYSTEM::KERBEROS] -PRIVATE_PROTO_HEADER = proto.h PUBLIC_DEPENDENCIES = HEIMDAL_KRB5 NDR_KRB5PAC samba-socket LIBCLI_RESOLVE PRIVATE_DEPENDENCIES = ASN1_UTIL auth_sam_reply LIBPACKET LIBNDR # End SUBSYSTEM KERBEROS ################################# -KERBEROS_OBJ_FILES = $(addprefix auth/kerberos/, \ +KERBEROS_OBJ_FILES = $(addprefix $(authsrcdir)/kerberos/, \ kerberos.o \ clikrb5.o \ kerberos_heimdal.o \ @@ -15,3 +14,5 @@ KERBEROS_OBJ_FILES = $(addprefix auth/kerberos/, \ gssapi_parse.o \ krb5_init_context.o) +$(eval $(call proto_header_template,$(authsrcdir)/kerberos/proto.h,$(KERBEROS_OBJ_FILES:.o=.c))) + diff --git a/source4/auth/auth.c b/source4/auth/ntlm/auth.c index 6c86cf2d7c..0f1ef3ccdb 100644 --- a/source4/auth/auth.c +++ b/source4/auth/ntlm/auth.c @@ -21,9 +21,8 @@ #include "includes.h" #include "lib/util/dlinklist.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "lib/events/events.h" -#include "build.h" #include "param/param.h" /*************************************************************************** @@ -521,6 +520,7 @@ _PUBLIC_ NTSTATUS auth_init(void) extern NTSTATUS auth_anonymous_init(void); extern NTSTATUS auth_unix_init(void); extern NTSTATUS auth_sam_init(void); + extern NTSTATUS auth_server_init(void); init_module_fn static_init[] = { STATIC_auth_MODULES }; diff --git a/source4/auth/auth_anonymous.c b/source4/auth/ntlm/auth_anonymous.c index b93c7c2008..c889071878 100644 --- a/source4/auth/auth_anonymous.c +++ b/source4/auth/ntlm/auth_anonymous.c @@ -21,7 +21,7 @@ #include "includes.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "param/param.h" /** diff --git a/source4/auth/auth_developer.c b/source4/auth/ntlm/auth_developer.c index a2c9cbc828..3b8c83c349 100644 --- a/source4/auth/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -21,7 +21,7 @@ #include "includes.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "libcli/security/security.h" #include "librpc/gen_ndr/ndr_samr.h" diff --git a/source4/auth/ntlm/auth_proto.h b/source4/auth/ntlm/auth_proto.h new file mode 100644 index 0000000000..572c1a4ca7 --- /dev/null +++ b/source4/auth/ntlm/auth_proto.h @@ -0,0 +1,50 @@ +#ifndef __AUTH_NTLM_AUTH_PROTO_H__ +#define __AUTH_NTLM_AUTH_PROTO_H__ + +#undef _PRINTF_ATTRIBUTE +#define _PRINTF_ATTRIBUTE(a1, a2) PRINTF_ATTRIBUTE(a1, a2) +/* This file was automatically generated by mkproto.pl. DO NOT EDIT */ + +/* this file contains prototypes for functions that are private + * to this subsystem or library. These functions should not be + * used outside this particular subsystem! */ + + +/* The following definitions come from auth/ntlm/auth.c */ + + +/*************************************************************************** + Set a fixed challenge +***************************************************************************/ +bool auth_challenge_may_be_modified(struct auth_context *auth_ctx) ; +const struct auth_operations *auth_backend_byname(const char *name); +const struct auth_critical_sizes *auth_interface_version(void); +NTSTATUS server_service_auth_init(void); + +/* The following definitions come from auth/ntlm/auth_util.c */ + +NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *challenge); + +/**************************************************************************** + Create an auth_usersupplied_data structure after appropriate mapping. +****************************************************************************/ +NTSTATUS map_user_info(TALLOC_CTX *mem_ctx, + const char *default_domain, + const struct auth_usersupplied_info *user_info, + struct auth_usersupplied_info **user_info_mapped); + +/**************************************************************************** + Create an auth_usersupplied_data structure after appropriate mapping. +****************************************************************************/ +NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, + enum auth_password_state to_state, + const struct auth_usersupplied_info *user_info_in, + const struct auth_usersupplied_info **user_info_encrypted); + +/* The following definitions come from auth/ntlm/auth_simple.c */ + +#undef _PRINTF_ATTRIBUTE +#define _PRINTF_ATTRIBUTE(a1, a2) + +#endif /* __AUTH_NTLM_AUTH_PROTO_H__ */ + diff --git a/source4/auth/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 4b467cee75..2c13cd963d 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -25,7 +25,8 @@ #include "lib/ldb/include/ldb.h" #include "util/util_ldb.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/ntlm_check.h" +#include "auth/ntlm/auth_proto.h" #include "auth/auth_sam.h" #include "dsdb/samdb/samdb.h" #include "libcli/security/security.h" @@ -289,7 +290,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->lp_ctx, system_session(mem_ctx, ctx->auth_ctx->lp_ctx)); + sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->event_ctx, ctx->auth_ctx->lp_ctx, system_session(mem_ctx, ctx->auth_ctx->lp_ctx)); if (sam_ctx == NULL) { talloc_free(tmp_ctx); return NT_STATUS_INVALID_SYSTEM_SERVICE; diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c new file mode 100644 index 0000000000..f154cf0425 --- /dev/null +++ b/source4/auth/ntlm/auth_server.c @@ -0,0 +1,225 @@ +/* + Unix SMB/CIFS implementation. + Authenticate by using a remote server + Copyright (C) Andrew Bartlett 2001-2002, 2008 + Copyright (C) Jelmer Vernooij 2002 + Copyright (C) Stefan Metzmacher 2005 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "auth/auth.h" +#include "auth/ntlm/auth_proto.h" +#include "auth/credentials/credentials.h" +#include "libcli/security/security.h" +#include "librpc/gen_ndr/ndr_samr.h" +#include "libcli/smb_composite/smb_composite.h" +#include "param/param.h" +#include "libcli/resolve/resolve.h" + +/* This version of 'security=server' rewirtten from scratch for Samba4 + * libraries in 2008 */ + + +static NTSTATUS server_want_check(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info) +{ + return NT_STATUS_OK; +} +/** + * The challenge from the target server, when operating in security=server + **/ +static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx, DATA_BLOB *_blob) +{ + struct smb_composite_connect io; + struct smbcli_options smb_options; + const char **host_list; + NTSTATUS status; + + /* Make a connection to the target server, found by 'password server' in smb.conf */ + + lp_smbcli_options(ctx->auth_ctx->lp_ctx, &smb_options); + + /* Make a negprot, WITHOUT SPNEGO, so we get a challenge nice an easy */ + io.in.options.use_spnego = false; + + /* Hope we don't get * (the default), as this won't work... */ + host_list = lp_passwordserver(ctx->auth_ctx->lp_ctx); + if (!host_list) { + return NT_STATUS_INTERNAL_ERROR; + } + io.in.dest_host = host_list[0]; + if (strequal(io.in.dest_host, "*")) { + return NT_STATUS_INTERNAL_ERROR; + } + io.in.dest_ports = lp_smb_ports(ctx->auth_ctx->lp_ctx); + + io.in.called_name = strupper_talloc(mem_ctx, io.in.dest_host); + + /* We don't want to get as far as the session setup */ + io.in.credentials = NULL; + io.in.service = NULL; + + io.in.workgroup = ""; /* only used with SPNEGO, disabled above */ + + io.in.options = smb_options; + + status = smb_composite_connect(&io, mem_ctx, lp_resolve_context(ctx->auth_ctx->lp_ctx), + ctx->auth_ctx->event_ctx); + if (!NT_STATUS_IS_OK(status)) { + *_blob = io.out.tree->session->transport->negotiate.secblob; + ctx->private_data = talloc_steal(ctx, io.out.tree->session); + } + return NT_STATUS_OK; +} + +/** + * Return an error based on username + * + * This function allows the testing of obsure errors, as well as the generation + * of NT_STATUS -> DOS error mapping tables. + * + * This module is of no value to end-users. + * + * The password is ignored. + * + * @return An NTSTATUS value based on the username + **/ + +static NTSTATUS server_check_password(struct auth_method_context *ctx, + TALLOC_CTX *mem_ctx, + const struct auth_usersupplied_info *user_info, + struct auth_serversupplied_info **_server_info) +{ + NTSTATUS nt_status; + struct auth_serversupplied_info *server_info; + struct cli_credentials *creds; + const char *user; + struct smb_composite_sesssetup session_setup; + + struct smbcli_session *session = talloc_get_type(ctx->private_data, struct smbcli_session); + + creds = cli_credentials_init(mem_ctx); + + NT_STATUS_HAVE_NO_MEMORY(creds); + + cli_credentials_set_username(creds, user_info->client.account_name, CRED_SPECIFIED); + cli_credentials_set_domain(creds, user_info->client.domain_name, CRED_SPECIFIED); + + switch (user_info->password_state) { + case AUTH_PASSWORD_PLAIN: + cli_credentials_set_password(creds, user_info->password.plaintext, + CRED_SPECIFIED); + break; + case AUTH_PASSWORD_HASH: + cli_credentials_set_nt_hash(creds, user_info->password.hash.nt, + CRED_SPECIFIED); + break; + + case AUTH_PASSWORD_RESPONSE: + cli_credentials_set_ntlm_response(creds, &user_info->password.response.lanman, &user_info->password.response.nt, CRED_SPECIFIED); + break; + } + + session_setup.in.sesskey = session->transport->negotiate.sesskey; + session_setup.in.capabilities = session->transport->negotiate.capabilities; + + session_setup.in.credentials = creds; + session_setup.in.workgroup = ""; /* Only used with SPNEGO, which we are not doing */ + + /* Check password with remove server - this should be async some day */ + nt_status = smb_composite_sesssetup(session, &session_setup); + + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + server_info = talloc(mem_ctx, struct auth_serversupplied_info); + NT_STATUS_HAVE_NO_MEMORY(server_info); + + server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); + + /* is this correct? */ + server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS); + NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); + + server_info->n_domain_groups = 0; + server_info->domain_groups = NULL; + + /* annoying, but the Anonymous really does have a session key, + and it is all zeros! */ + server_info->user_session_key = data_blob(NULL, 0); + server_info->lm_session_key = data_blob(NULL, 0); + + server_info->account_name = talloc_strdup(server_info, user_info->client.account_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + + server_info->domain_name = talloc_strdup(server_info, user_info->client.domain_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); + + server_info->full_name = NULL; + + server_info->logon_script = talloc_strdup(server_info, ""); + NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script); + + server_info->profile_path = talloc_strdup(server_info, ""); + NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path); + + server_info->home_directory = talloc_strdup(server_info, ""); + NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory); + + server_info->home_drive = talloc_strdup(server_info, ""); + NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive); + + server_info->last_logon = 0; + server_info->last_logoff = 0; + server_info->acct_expiry = 0; + server_info->last_password_change = 0; + server_info->allow_password_change = 0; + server_info->force_password_change = 0; + + server_info->logon_count = 0; + server_info->bad_password_count = 0; + + server_info->acct_flags = ACB_NORMAL; + + server_info->authenticated = false; + + *_server_info = server_info; + + return nt_status; +} + +static const struct auth_operations server_auth_ops = { + .name = "server", + .get_challenge = server_get_challenge, + .want_check = server_want_check, + .check_password = server_check_password +}; + +_PUBLIC_ NTSTATUS auth_server_init(void) +{ + NTSTATUS ret; + + ret = auth_register(&server_auth_ops); + if (!NT_STATUS_IS_OK(ret)) { + DEBUG(0,("Failed to register 'server' auth backend!\n")); + return ret; + } + + return ret; +} diff --git a/source4/auth/auth_simple.c b/source4/auth/ntlm/auth_simple.c index 50be02a353..e7039c3657 100644 --- a/source4/auth/auth_simple.c +++ b/source4/auth/ntlm/auth_simple.c @@ -90,7 +90,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx, } if (session_info) { - nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, server_info, session_info); + nt_status = auth_generate_session_info(tmp_ctx, ev, lp_ctx, server_info, session_info); if (NT_STATUS_IS_OK(nt_status)) { talloc_steal(mem_ctx, *session_info); diff --git a/source4/auth/auth_unix.c b/source4/auth/ntlm/auth_unix.c index a417107025..1717b9d0e1 100644 --- a/source4/auth/auth_unix.c +++ b/source4/auth/ntlm/auth_unix.c @@ -21,10 +21,10 @@ #include "includes.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "system/passwd.h" /* needed by some systems for struct passwd */ #include "lib/socket/socket.h" -#include "auth/pam_errors.h" +#include "auth/ntlm/pam_errors.h" #include "param/param.h" /* TODO: look at how to best fill in parms retrieveing a struct passwd info diff --git a/source4/auth/auth_util.c b/source4/auth/ntlm/auth_util.c index 1d86b858cf..1d86b858cf 100644 --- a/source4/auth/auth_util.c +++ b/source4/auth/ntlm/auth_util.c diff --git a/source4/auth/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index 149f549afa..ac63b242e4 100644 --- a/source4/auth/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c @@ -23,7 +23,7 @@ #include "includes.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "auth/session_proto.h" #include "nsswitch/winbind_client.h" #include "librpc/gen_ndr/ndr_netlogon.h" diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk new file mode 100644 index 0000000000..f31c2b7279 --- /dev/null +++ b/source4/auth/ntlm/config.mk @@ -0,0 +1,86 @@ +# NTLM auth server subsystem + +[SUBSYSTEM::ntlm_check] +PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL + +ntlm_check_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, ntlm_check.o) + +####################### +# Start MODULE auth_sam +[MODULE::auth_sam_module] +# gensec_krb5 and gensec_gssapi depend on it +INIT_FUNCTION = auth_sam_init +SUBSYSTEM = auth +PRIVATE_DEPENDENCIES = \ + SAMDB auth_sam ntlm_check +# End MODULE auth_sam +####################### + +auth_sam_module_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_sam.o) + +####################### +# Start MODULE auth_anonymous +[MODULE::auth_anonymous] +INIT_FUNCTION = auth_anonymous_init +SUBSYSTEM = auth +# End MODULE auth_anonymous +####################### + +auth_anonymous_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_anonymous.o) + +####################### +# Start MODULE auth_anonymous +[MODULE::auth_server] +INIT_FUNCTION = auth_server_init +SUBSYSTEM = auth +PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBCLI_SMB +OUTPUT_TYPE = SHARED_LIBRARY +# End MODULE auth_server +####################### + +auth_server_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_server.o) + +####################### +# Start MODULE auth_winbind +[MODULE::auth_winbind] +INIT_FUNCTION = auth_winbind_init +SUBSYSTEM = auth +PRIVATE_DEPENDENCIES = NDR_WINBIND MESSAGING LIBWINBIND-CLIENT +# End MODULE auth_winbind +####################### + +auth_winbind_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_winbind.o) + +####################### +# Start MODULE auth_developer +[MODULE::auth_developer] +INIT_FUNCTION = auth_developer_init +SUBSYSTEM = auth +# End MODULE auth_developer +####################### + +auth_developer_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_developer.o) + +[MODULE::auth_unix] +INIT_FUNCTION = auth_unix_init +SUBSYSTEM = auth +PRIVATE_DEPENDENCIES = CRYPT PAM PAM_ERRORS NSS_WRAPPER + +auth_unix_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth_unix.o) + +[SUBSYSTEM::PAM_ERRORS] + +#VERSION = 0.0.1 +#SO_VERSION = 0 +PAM_ERRORS_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, pam_errors.o) + +[MODULE::auth] +INIT_FUNCTION = server_service_auth_init +SUBSYSTEM = service +PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL LIBSECURITY SAMDB CREDENTIALS + +auth_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, auth.o auth_util.o auth_simple.o) +$(eval $(call proto_header_template,$(authsrcdir)/auth_proto.h,$(auth_OBJ_FILES:.o=.c))) + +# PUBLIC_HEADERS += auth/auth.h + diff --git a/source4/auth/ntlm_check.c b/source4/auth/ntlm/ntlm_check.c index 55f2595f44..0dbbce0edc 100644 --- a/source4/auth/ntlm_check.c +++ b/source4/auth/ntlm/ntlm_check.c @@ -24,6 +24,7 @@ #include "librpc/gen_ndr/netlogon.h" #include "libcli/auth/libcli_auth.h" #include "param/param.h" +#include "auth/ntlm/ntlm_check.h" /**************************************************************************** Core of smb password checking routine. diff --git a/source4/auth/ntlm/ntlm_check.h b/source4/auth/ntlm/ntlm_check.h new file mode 100644 index 0000000000..eb115b74d6 --- /dev/null +++ b/source4/auth/ntlm/ntlm_check.h @@ -0,0 +1,75 @@ +/* + Unix SMB/CIFS implementation. + Password and authentication handling + Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004 + Copyright (C) Gerald Carter 2003 + Copyright (C) Luke Kenneth Casson Leighton 1996-2000 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + + +/** + * Compare password hashes against those from the SAM + * + * @param mem_ctx talloc context + * @param client_lanman LANMAN password hash, as supplied by the client + * @param client_nt NT (MD4) password hash, as supplied by the client + * @param username internal Samba username, for log messages + * @param client_username username the client used + * @param client_domain domain name the client used (may be mapped) + * @param stored_lanman LANMAN password hash, as stored on the SAM + * @param stored_nt NT (MD4) password hash, as stored on the SAM + * @param user_sess_key User session key + * @param lm_sess_key LM session key (first 8 bytes of the LM hash) + */ + +NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + const struct samr_Password *client_lanman, + const struct samr_Password *client_nt, + const char *username, + const struct samr_Password *stored_lanman, + const struct samr_Password *stored_nt); + +/** + * Check a challenge-response password against the value of the NT or + * LM password hash. + * + * @param mem_ctx talloc context + * @param challenge 8-byte challenge. If all zero, forces plaintext comparison + * @param nt_response 'unicode' NT response to the challenge, or unicode password + * @param lm_response ASCII or LANMAN response to the challenge, or password in DOS code page + * @param username internal Samba username, for log messages + * @param client_username username the client used + * @param client_domain domain name the client used (may be mapped) + * @param stored_lanman LANMAN ASCII password from our passdb or similar + * @param stored_nt MD4 unicode password from our passdb or similar + * @param user_sess_key User session key + * @param lm_sess_key LM session key (first 8 bytes of the LM hash) + */ + +NTSTATUS ntlm_password_check(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + uint32_t logon_parameters, + const DATA_BLOB *challenge, + const DATA_BLOB *lm_response, + const DATA_BLOB *nt_response, + const char *username, + const char *client_username, + const char *client_domain, + const struct samr_Password *stored_lanman, + const struct samr_Password *stored_nt, + DATA_BLOB *user_sess_key, + DATA_BLOB *lm_sess_key); diff --git a/source4/auth/pam_errors.c b/source4/auth/ntlm/pam_errors.c index 9774ad8727..9774ad8727 100644 --- a/source4/auth/pam_errors.c +++ b/source4/auth/ntlm/pam_errors.c diff --git a/source4/auth/ntlm/pam_errors.h b/source4/auth/ntlm/pam_errors.h new file mode 100644 index 0000000000..959e1f3517 --- /dev/null +++ b/source4/auth/ntlm/pam_errors.h @@ -0,0 +1,47 @@ +/* + * Unix SMB/CIFS implementation. + * PAM error mapping functions + * Copyright (C) Andrew Bartlett 2002 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef __AUTH_NTLM_PAM_ERRORS_H__ +#define __AUTH_NTLM_PAM_ERRORS_H__ + +/* The following definitions come from auth/pam_errors.c */ + + +/***************************************************************************** +convert a PAM error to a NT status32 code + *****************************************************************************/ +NTSTATUS pam_to_nt_status(int pam_error); + +/***************************************************************************** +convert an NT status32 code to a PAM error + *****************************************************************************/ +int nt_status_to_pam(NTSTATUS nt_status); + +/***************************************************************************** +convert a PAM error to a NT status32 code + *****************************************************************************/ +NTSTATUS pam_to_nt_status(int pam_error); + +/***************************************************************************** +convert an NT status32 code to a PAM error + *****************************************************************************/ +int nt_status_to_pam(NTSTATUS nt_status); + +#endif /* __AUTH_NTLM_PAM_ERRORS_H__ */ + diff --git a/source4/auth/ntlmssp/config.mk b/source4/auth/ntlmssp/config.mk index f8e711feda..129f58de83 100644 --- a/source4/auth/ntlmssp/config.mk +++ b/source4/auth/ntlmssp/config.mk @@ -1,17 +1,19 @@ [SUBSYSTEM::MSRPC_PARSE] -PRIVATE_PROTO_HEADER = msrpc_parse.h -MSRPC_PARSE_OBJ_FILES = $(addprefix auth/ntlmssp/, ntlmssp_parse.o) +MSRPC_PARSE_OBJ_FILES = $(addprefix $(authsrcdir)/ntlmssp/, ntlmssp_parse.o) + +$(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/msrpc_parse.h,$(MSRPC_PARSE_OBJ_FILES:.o=.c))) ################################################ # Start MODULE gensec_ntlmssp [MODULE::gensec_ntlmssp] SUBSYSTEM = gensec INIT_FUNCTION = gensec_ntlmssp_init -PRIVATE_PROTO_HEADER = proto.h -PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS +PRIVATE_DEPENDENCIES = MSRPC_PARSE CREDENTIALS auth OUTPUT_TYPE = MERGED_OBJ # End MODULE gensec_ntlmssp ################################################ -gensec_ntlmssp_OBJ_FILES = $(addprefix auth/ntlmssp/, ntlmssp.o ntlmssp_sign.o ntlmssp_client.o ntlmssp_server.o) +gensec_ntlmssp_OBJ_FILES = $(addprefix $(authsrcdir)/ntlmssp/, ntlmssp.o ntlmssp_sign.o ntlmssp_client.o ntlmssp_server.o) + +$(eval $(call proto_header_template,$(authsrcdir)/ntlmssp/proto.h,$(gensec_ntlmssp_OBJ_FILES:.o=.c))) diff --git a/source4/auth/ntlmssp/ntlmssp.c b/source4/auth/ntlmssp/ntlmssp.c index 64bfebd3d1..0b7f0da9af 100644 --- a/source4/auth/ntlmssp/ntlmssp.c +++ b/source4/auth/ntlmssp/ntlmssp.c @@ -29,7 +29,7 @@ #include "auth/gensec/gensec.h" #include "auth/gensec/gensec_proto.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "param/param.h" /** diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c index 12802b7e79..dfc5940d99 100644 --- a/source4/auth/ntlmssp/ntlmssp_server.c +++ b/source4/auth/ntlmssp/ntlmssp_server.c @@ -30,7 +30,7 @@ #include "auth/credentials/credentials.h" #include "auth/gensec/gensec.h" #include "auth/auth.h" -#include "auth/auth_proto.h" +#include "auth/ntlm/auth_proto.h" #include "param/param.h" #include "auth/session_proto.h" @@ -725,7 +725,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security, NTSTATUS nt_status; struct gensec_ntlmssp_state *gensec_ntlmssp_state = (struct gensec_ntlmssp_state *)gensec_security->private_data; - nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info); + nt_status = auth_generate_session_info(gensec_ntlmssp_state, gensec_security->event_ctx, gensec_security->lp_ctx, gensec_ntlmssp_state->server_info, session_info); NT_STATUS_NOT_OK_RETURN(nt_status); (*session_info)->session_key = data_blob_talloc(*session_info, diff --git a/source4/auth/sam.c b/source4/auth/sam.c index ed44754993..a2090afcdc 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -428,6 +428,7 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx, /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, const char *principal, struct auth_serversupplied_info **server_info) @@ -445,7 +446,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sam_ctx = samdb_connect(tmp_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx)); + sam_ctx = samdb_connect(tmp_ctx, event_ctx, lp_ctx, system_session(tmp_ctx, lp_ctx)); if (sam_ctx == NULL) { talloc_free(tmp_ctx); return NT_STATUS_INVALID_SYSTEM_SERVICE; diff --git a/source4/auth/session.c b/source4/auth/session.c index 112eac95d8..8f5e8d6c56 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -31,11 +31,12 @@ #include "auth/session_proto.h" _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx) { NTSTATUS nt_status; struct auth_session_info *session_info = NULL; - nt_status = auth_anonymous_session_info(mem_ctx, lp_ctx, &session_info); + nt_status = auth_anonymous_session_info(mem_ctx, event_ctx, lp_ctx, &session_info); if (!NT_STATUS_IS_OK(nt_status)) { return NULL; } @@ -43,6 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, } _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info) { @@ -60,7 +62,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, lp_ctx, server_info, &session_info); + nt_status = auth_generate_session_info(parent_ctx, event_ctx, lp_ctx, server_info, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -151,6 +153,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, } _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct auth_serversupplied_info *server_info, struct auth_session_info **_session_info) @@ -168,6 +171,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, session_info->session_key = server_info->user_session_key; nt_status = security_token_create(session_info, + event_ctx, lp_ctx, server_info->account_sid, server_info->primary_group_sid, diff --git a/source4/auth/session.h b/source4/auth/session.h index 87fc47791a..933b14a1b4 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -1,6 +1,6 @@ /* Unix SMB/CIFS implementation. - Auth session handling + Process and provide the logged on user's authorization token Copyright (C) Andrew Bartlett 2001 Copyright (C) Stefan Metzmacher 2005 @@ -30,12 +30,23 @@ struct auth_session_info { #include "librpc/gen_ndr/netlogon.h" -struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); +/* Create a security token for a session SYSTEM (the most + * trusted/prvilaged account), including the local machine account as + * the off-host credentials */ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) ; + +/* + * Create a system session, but with anonymous credentials (so we do + * not need to open secrets.ldb) + */ +struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx); + + NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_serversupplied_info **_server_info) ; NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx, struct auth_serversupplied_info *server_info, struct auth_session_info **_session_info) ; @@ -46,10 +57,12 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, union netr_Validation *validation, struct auth_serversupplied_info **_server_info); NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, + struct event_context *ev_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info); struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, + struct event_context *event_ctx, struct loadparm_context *lp_ctx); diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index e99bbbb1ab..1d227fe468 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -147,9 +147,10 @@ static NTSTATUS generate_session_info(TALLOC_CTX *mem_ctx, -/** - Create a system session, with machine account credentials -*/ +/* Create a security token for a session SYSTEM (the most + * trusted/prvilaged account), including the local machine account as + * the off-host credentials + */ _PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) { NTSTATUS nt_status; diff --git a/source4/auth/tests/bindings.py b/source4/auth/tests/bindings.py index 4a4b12bf69..b7a5994675 100644 --- a/source4/auth/tests/bindings.py +++ b/source4/auth/tests/bindings.py @@ -24,7 +24,7 @@ the functionality, that's already done in other tests. """ import unittest -import auth +from samba import auth class AuthTests(unittest.TestCase): def test_system_session(self): |