Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/auth_sam.c | 109 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_gssapi.c | 41 | ||||
-rw-r--r-- | source4/auth/gensec/gensec_krb5.c | 19 |
3 files changed, 81 insertions, 88 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index de4be9586c..9fd011ea30 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -26,6 +26,31 @@
 #include "auth/auth.h"
 #include "lib/ldb/include/ldb.h"
+const char *user_attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
+ "userAccountControl",
+ "pwdLastSet",
+ "accountExpires",
+ "objectSid",
+ "userWorkstations",
+
+ /* required for server_info, not access control: */
+ "sAMAccountName",
+ "displayName",
+ "scriptPath",
+ "profilePath",
+ "homeDirectory",
+ "homeDrive",
+ "lastLogon",
+ "lastLogoff",
+ "accountExpires",
+ "badPwdCount",
+ "logonCount",
+ "primaryGroupID",
+ NULL,
+};
+
+const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
+
 /****************************************************************************
 Do a specific test for an smb password being correct, given a smb_password and
 the lanman and NT responses.
@@ -217,31 +242,6 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 const struct ldb_dn *domain_dn = NULL;
- const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
- "userAccountControl",
- "pwdLastSet",
- "accountExpires",
- "objectSid",
- "userWorkstations",
-
- /* required for server_info, not access control: */
- "sAMAccountName",
- "displayName",
- "scriptPath",
- "profilePath",
- "homeDirectory",
- "homeDrive",
- "lastLogon",
- "lastLogoff",
- "accountExpires",
- "badPwdCount",
- "logonCount",
- "primaryGroupID",
- NULL,
- };
-
- const char *domain_attrs[] = {"nETBIOSName", "nCName", NULL};
-
 if (domain_name) {
 /* find the domain's DN */
 ret_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
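Review bot: user_attrs and domain_attrs are now file-scope definitions with external linkage and mutable pointer slots, which is more than the move out of authsam_search_account() needs; unless another translation unit is meant to reference them, declare them `static const char * const user_attrs[] = {` (and likewise for domain_attrs), so the attribute lists that drive the authentication search cannot be rebound at runtime and do not add two generic names to the global namespace. The list also still carries "accountExpires" twice, once in the access-control group and again in the server_info group; harmless for the search, but worth dropping the duplicate while the list is being moved. A one-line comment above the array saying it is shared by authsam_search_account() and sam_get_server_info_principal() would explain why it left function scope.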
@@ -267,7 +267,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 }
 /* pull the user attributes */
- ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, attrs,
+ ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, user_attrs,
 "(&(sAMAccountName=%s)(objectclass=user))", account_name);
 if (ret == -1) {
@@ -511,32 +511,61 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 return NT_STATUS_OK;
 }
-NTSTATUS sam_get_server_info(TALLOC_CTX *mem_ctx, const char *account_name, const char *domain_name,
- DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **server_info)
+NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
+ struct auth_serversupplied_info **server_info)
 {
 NTSTATUS nt_status;
+ DATA_BLOB user_sess_key = data_blob(NULL, 0);
+ DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+ struct ldb_dn *user_dn, *domain_dn;
 struct ldb_message **msgs;
- struct ldb_message **domain_msgs;
- void *sam_ctx;
+ struct ldb_message **msgs_domain;
+ struct ldb_context *sam_ctx;
- sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+ int ret_domain, ret;
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
 if (sam_ctx == NULL) {
+ talloc_free(tmp_ctx);
 return NT_STATUS_INVALID_SYSTEM_SERVICE;
 }
- nt_status = authsam_search_account(mem_ctx, sam_ctx, account_name, domain_name, &msgs, &domain_msgs);
- NT_STATUS_NOT_OK_RETURN(nt_status);
+ nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+
+ /* grab domain info */
+ ret_domain = gendb_search_dn(sam_ctx, tmp_ctx,
+ domain_dn, &msgs_domain, domain_attrs);
- nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, domain_msgs,
+ if (ret_domain != 1) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ /* pull the user attributes */
+ ret = gendb_search_dn(sam_ctx, tmp_ctx,
+ user_dn, &msgs, user_attrs);
+ if (ret != 1) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+
+ nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, msgs_domain,
 user_sess_key, lm_sess_key, server_info);
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- talloc_free(msgs);
- talloc_free(domain_msgs);
-
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
 return NT_STATUS_OK;
 }
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 42141e4df2..8fcada2352 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -879,6 +879,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 }
 }
+ /* IF we have the PAC - otherwise we need to get this
+ * data from elsewere - local ldb, or (TODO) lookup of some
+ * kind...
+ */
 if (maj_stat == 0) {
 krb5_error_code ret;
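Review bot: The success path of sam_get_server_info_principal() never releases tmp_ctx: every error branch calls talloc_free(tmp_ctx), but after authsam_make_server_info() succeeds the function returns NT_STATUS_OK with the samdb connection and both search results still hanging off the caller's mem_ctx, so each no-PAC logon that takes this route keeps an ldb handle alive for the lifetime of that context, where the old code freed msgs and domain_msgs explicitly. Since authsam_make_server_info() is handed mem_ctx rather than tmp_ctx it presumably copies what it keeps, in which case add `talloc_free(tmp_ctx);` before the final `return NT_STATUS_OK;`; if server_info does still point into msgs/msgs_domain, talloc_steal them onto mem_ctx first. The five repeated `talloc_free(tmp_ctx); return ...;` pairs would read better as a single exit label that frees tmp_ctx and returns nt_status. The function also hands authsam_make_server_info() empty user_sess_key/lm_sess_key, which callers cannot tell from the signature; a header comment such as `/* Build server_info from the local SAM for a Kerberos principal when no PAC is available; session keys are left empty. */` would make that contract explicit.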
@@ -912,42 +916,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 }
 if (maj_stat) {
- krb5_error_code ret;
- DATA_BLOB user_sess_key = data_blob(NULL, 0);
- DATA_BLOB lm_sess_key = data_blob(NULL, 0);
- /* IF we have the PAC - otherwise we need to get this
- * data from elsewere - local ldb, or (TODO) lookup of some
- * kind...
- *
- * when heimdal can generate the PAC, we should fail if there's
- * no PAC present
- */
-
- char *account_name;
- const char *realm;
- ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal_string, &principal);
- if (ret) {
- talloc_free(mem_ctx);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- realm = krb5_principal_get_realm(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal);
- ret = krb5_unparse_name_norealm(gensec_gssapi_state->smb_krb5_context->krb5_context,
- principal, &account_name);
- if (ret) {
- krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n"));
- nt_status = sam_get_server_info(mem_ctx, account_name, realm,
- user_sess_key, lm_sess_key,
- &server_info);
- free(account_name);
- krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
+ nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+ &server_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 64de8211dd..3ed38a435c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
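Review bot: The fallback to a local lookup is now silent: the removed block logged `DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n"));` before the call, and the two-line replacement has no equivalent, so a ticket accepted without a usable PAC (group membership and session keys then come from the local ldb instead of the KDC) leaves no trace in the logs for anyone monitoring the DC. Re-add that DEBUG line immediately before `nt_status = sam_get_server_info_principal(mem_ctx, principal_string,`. The comment moved up into the maj_stat == 0 branch also lost its second half, "when heimdal can generate the PAC, we should fail if there's no PAC present"; that caveat belongs to this no-PAC branch and should be kept here. Whether `principal` and its krb5_parse_name()/krb5_free_principal() pair are still used elsewhere in gensec_gssapi_session_info() is not visible in the hunk; if they are not, the declaration should be removed with them.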
@@ -518,23 +518,16 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 if (!NT_STATUS_IS_OK(nt_status)) {
 /* NO pac, or can't parse or verify it */
 krb5_error_code ret;
- DATA_BLOB user_sess_key = data_blob(NULL, 0);
- DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-
- char *account_name;
- const char *realm = krb5_principal_get_realm(gensec_krb5_state->smb_krb5_context->krb5_context,
- get_principal_from_tkt(gensec_krb5_state->ticket));
- ret = krb5_unparse_name_norealm(gensec_krb5_state->smb_krb5_context->krb5_context,
- get_principal_from_tkt(gensec_krb5_state->ticket), &account_name);
+ char *principal_string;
+ ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context,
+ get_principal_from_tkt(gensec_krb5_state->ticket), &principal_string);
 if (ret) {
 return NT_STATUS_NO_MEMORY;
 }
- /* TODO: should we pass the krb5 session key in here? */
- nt_status = sam_get_server_info(mem_ctx, account_name, realm,
- user_sess_key, lm_sess_key,
- &server_info);
- free(account_name);
+ nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+ &server_info);
+ free(principal_string);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
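Review bot: The removed `/* TODO: should we pass the krb5 session key in here? */` is dropped but the question is not resolved: sam_get_server_info_principal() takes no session-key arguments, so on this no-PAC path the krb5 session key can no longer be handed to server_info at all, and the resulting session carries empty keys without any comment saying so. Keep the reminder next to the new call, e.g. `/* TODO: sam_get_server_info_principal() leaves the session keys empty; the krb5 session key is not passed through */`. The `if (ret) { return NT_STATUS_NO_MEMORY; }` directly above the new lines is context, not part of this change, but it returns without `talloc_free(mem_ctx)` while the matching check in gensec_gssapi_session_info() frees it; worth aligning the two while this block is being touched.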