Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth_sam.c109
-rw-r--r--source4/auth/gensec/gensec_gssapi.c41
-rw-r--r--source4/auth/gensec/gensec_krb5.c19
3 files changed, 81 insertions, 88 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index de4be9586c..9fd011ea30 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -26,6 +26,31 @@
#include "auth/auth.h"
#include "lib/ldb/include/ldb.h"
+const char *user_attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
+ "userAccountControl",
+ "pwdLastSet",
+ "accountExpires",
+ "objectSid",
+ "userWorkstations",
+
+ /* required for server_info, not access control: */
+ "sAMAccountName",
+ "displayName",
+ "scriptPath",
+ "profilePath",
+ "homeDirectory",
+ "homeDrive",
+ "lastLogon",
+ "lastLogoff",
+ "accountExpires",
+ "badPwdCount",
+ "logonCount",
+ "primaryGroupID",
+ NULL,
+};
+
+const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
+
/****************************************************************************
Do a specific test for an smb password being correct, given a smb_password and
the lanman and NT responses.
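Review bot: `user_attrs` and `domain_attrs` are introduced as external, mutable file-scope arrays (`const char *user_attrs[]`), so they are exported from auth_sam.c under very generic names and the pointer slots themselves can be overwritten at run time; if gendb_search accepts `const char * const *`, declare them `static const char * const user_attrs[] = {` and `static const char * const domain_attrs[] = {`. The list also carries `"accountExpires"` twice (once in the access-control group and again in the server_info group), which was already the case in the local array being removed but is worth dropping now that the list is shared. A one-line comment above the tables saying they are the attribute sets for authsam_search_account and sam_get_server_info_principal would help readers find the two users.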
@@ -217,31 +242,6 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
const struct ldb_dn *domain_dn = NULL;
- const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
- "userAccountControl",
- "pwdLastSet",
- "accountExpires",
- "objectSid",
- "userWorkstations",
-
- /* required for server_info, not access control: */
- "sAMAccountName",
- "displayName",
- "scriptPath",
- "profilePath",
- "homeDirectory",
- "homeDrive",
- "lastLogon",
- "lastLogoff",
- "accountExpires",
- "badPwdCount",
- "logonCount",
- "primaryGroupID",
- NULL,
- };
-
- const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
-
if (domain_name) {
/* find the domain's DN */
ret_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
@@ -267,7 +267,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
}
/* pull the user attributes */
- ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, attrs,
+ ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, user_attrs,
"(&(sAMAccountName=%s)(objectclass=user))",
account_name);
if (ret == -1) {
@@ -511,32 +511,61 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
return NT_STATUS_OK;
}
-NTSTATUS sam_get_server_info(TALLOC_CTX *mem_ctx, const char *account_name, const char *domain_name,
- DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **server_info)
+NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
+ struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
+ DATA_BLOB user_sess_key = data_blob(NULL, 0);
+ DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+ struct ldb_dn *user_dn, *domain_dn;
struct ldb_message **msgs;
- struct ldb_message **domain_msgs;
- void *sam_ctx;
+ struct ldb_message **msgs_domain;
+ struct ldb_context *sam_ctx;
- sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+ int ret_domain, ret;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
if (sam_ctx == NULL) {
+ talloc_free(tmp_ctx);
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
- nt_status = authsam_search_account(mem_ctx, sam_ctx, account_name, domain_name, &msgs, &domain_msgs);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ /* grab domain info */
+ ret_domain = gendb_search_dn(sam_ctx, tmp_ctx,
+ domain_dn, &msgs_domain, domain_attrs);
- nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, domain_msgs,
+ if (ret_domain != 1) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* pull the user attributes */
+ ret = gendb_search_dn(sam_ctx, tmp_ctx,
+ user_dn, &msgs, user_attrs);
+ if (ret != 1) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, msgs_domain,
user_sess_key, lm_sess_key,
server_info);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- talloc_free(msgs);
- talloc_free(domain_msgs);
-
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
return NT_STATUS_OK;
}
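Review bot: The success path of sam_get_server_info_principal returns without releasing `tmp_ctx`, so the samdb connection and both search results stay attached to `mem_ctx` until the caller frees it, whereas every error path and the removed `sam_get_server_info` (which freed `msgs` and `domain_msgs` explicitly) released them; add `talloc_free(tmp_ctx);` before `return NT_STATUS_OK;`, which is safe provided authsam_make_server_info copies or steals what it needs onto `mem_ctx` as the old explicit frees suggest. The five `talloc_free(tmp_ctx); return ...;` pairs would read better as a single `done:` label with `talloc_free(tmp_ctx); return nt_status;`. The new function also deserves a header comment stating that it resolves a full Kerberos principal via crack_user_principal_name and that `user_sess_key` and `lm_sess_key` are always empty blobs here, since that is no longer visible to callers.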
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 42141e4df2..8fcada2352 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -879,6 +879,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
}
+ /* IF we have the PAC - otherwise we need to get this
+ * data from elsewere - local ldb, or (TODO) lookup of some
+ * kind...
+ */
if (maj_stat == 0) {
krb5_error_code ret;
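Review bot: The comment moved here loses the sentence from the original ("when heimdal can generate the PAC, we should fail if there's no PAC present"), which is the one security-relevant part: it records that falling back to a local ldb lookup when the PAC is missing or unverifiable is a temporary concession, not the intended final behaviour. Keep that sentence in the new comment, e.g. `* Once the KDC always issues a PAC, a missing or unverifiable PAC should be a hard failure rather than a fallback.`, and while touching it fix "elsewere" to "elsewhere". The comment now sits above `if (maj_stat == 0)`, so consider also making clear that the fallback branch is the later `if (maj_stat)` block; gensec_gssapi_session_info continues outside this hunk.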
@@ -912,42 +916,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
}
if (maj_stat) {
- krb5_error_code ret;
- DATA_BLOB user_sess_key = data_blob(NULL, 0);
- DATA_BLOB lm_sess_key = data_blob(NULL, 0);
- /* IF we have the PAC - otherwise we need to get this
- * data from elsewere - local ldb, or (TODO) lookup of some
- * kind...
- *
- * when heimdal can generate the PAC, we should fail if there's
- * no PAC present
- */
-
- char *account_name;
- const char *realm;
- ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal_string, &principal);
- if (ret) {
- talloc_free(mem_ctx);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- realm = krb5_principal_get_realm(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal);
- ret = krb5_unparse_name_norealm(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal, &account_name);
- if (ret) {
- krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n"));
- nt_status = sam_get_server_info(mem_ctx, account_name, realm,
- user_sess_key, lm_sess_key,
- &server_info);
- free(account_name);
- krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
+ nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+ &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 64de8211dd..3ed38a435c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -518,23 +518,16 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
if (!NT_STATUS_IS_OK(nt_status)) {
/* NO pac, or can't parse or verify it */
krb5_error_code ret;
- DATA_BLOB user_sess_key = data_blob(NULL, 0);
- DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-
- char *account_name;
- const char *realm = krb5_principal_get_realm(gensec_krb5_state->smb_krb5_context->krb5_context,
- get_principal_from_tkt(gensec_krb5_state->ticket));
- ret = krb5_unparse_name_norealm(gensec_krb5_state->smb_krb5_context->krb5_context,
- get_principal_from_tkt(gensec_krb5_state->ticket), &account_name);
+ char *principal_string;
+ ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
+ get_principal_from_tkt(gensec_krb5_state->ticket), &principal_string);
if (ret) {
return NT_STATUS_NO_MEMORY;
}
- /* TODO: should we pass the krb5 session key in here? */
- nt_status = sam_get_server_info(mem_ctx, account_name, realm,
- user_sess_key, lm_sess_key,
- &server_info);
- free(account_name);
+ nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+ &server_info);
+ free(principal_string);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
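Review bot: The replaced lines drop the `/* TODO: should we pass the krb5 session key in here? */` note, but the question is still open: sam_get_server_info_principal takes no session key at all, so the server_info built on this no-PAC path carries empty user and LM session keys just as before, only now that fact is hidden behind the new API. Keep a comment at the call site, e.g. `/* no session key is passed; sam_get_server_info_principal fills server_info with empty session keys */`, so the next reader does not assume the ticket's session key is propagated. Unrelated to this change but adjacent to it, the `return NT_STATUS_NO_MEMORY;` after the failed krb5_unparse_name appears not to free `mem_ctx`, while the later failure path does; gensec_krb5_session_info continues outside this hunk, so that may be handled elsewhere.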