From 52b28ec813ff3696606fc8f3a6bf4759a1a104e5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 18 Jul 2011 13:55:20 +1000
Subject: auth: Split out make_user_info_SamBaseInfo and add authenticated argument

This will allow the source3 auth code to call this without needing to double-parse the SIDs

Andrew Bartlett

Signed-off-by: Andrew Tridgell
---
 auth/auth_sam_reply.c             | 84 +++++++++++++++++++++++++--------------
 auth/auth_sam_reply.h             |  7 ++++
 source3/auth/auth_util.c          | 18 +++------
 source4/auth/gensec/gensec_krb5.c |  1 +
 source4/auth/ntlm/auth_winbind.c  |  7 +++-
 source4/torture/auth/pac.c        |  4 +-
 source4/torture/rpc/remote_pac.c  |  1 +
 7 files changed, 77 insertions(+), 45 deletions(-)

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 5cd4530eff..1644278bf0 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -174,6 +174,53 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+/**
+ * Make a user_info struct from the info3 or similar returned by a domain logon.
+ *
+ * The netr_SamInfo3 is also a key structure in the source3 auth subsystem
+ */
+
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+				    const char *account_name,
+				    struct netr_SamBaseInfo *base,
+				    bool authenticated,
+				    struct auth_user_info **_user_info)
+{
+	struct auth_user_info *info;
+
+	info = talloc_zero(mem_ctx, struct auth_user_info);
+	NT_STATUS_HAVE_NO_MEMORY(info);
+
+	if (base->account_name.string) {
+		info->account_name = talloc_reference(info, base->account_name.string);
+	} else {
+		info->account_name = talloc_strdup(info, account_name);
+		NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+	}
+
+	info->domain_name = talloc_reference(info, base->domain.string);
+	info->full_name = talloc_reference(info, base->full_name.string);
+	info->logon_script = talloc_reference(info, base->logon_script.string);
+	info->profile_path = talloc_reference(info, base->profile_path.string);
+	info->home_directory = talloc_reference(info, base->home_directory.string);
+	info->home_drive = talloc_reference(info, base->home_drive.string);
+	info->logon_server = talloc_reference(info, base->logon_server.string);
+	info->last_logon = base->last_logon;
+	info->last_logoff = base->last_logoff;
+	info->acct_expiry = base->acct_expiry;
+	info->last_password_change = base->last_password_change;
+	info->allow_password_change = base->allow_password_change;
+	info->force_password_change = base->force_password_change;
+	info->logon_count = base->logon_count;
+	info->bad_password_count = base->bad_password_count;
+	info->acct_flags = base->acct_flags;
+
+	info->authenticated = authenticated;
+
+	*_user_info = info;
+	return NT_STATUS_OK;
+}
+
 /**
  * Make a user_info_dc struct from the info3 returned by a domain logon
  */
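Review bot: make_user_info_SamBaseInfo has no stated contract for a NULL `account_name`, yet gensec_krb5.c in this same commit passes NULL through make_user_info_dc_netlogon_validation; when `base->account_name.string` is also NULL the else branch ends up in `talloc_strdup(info, NULL)`, which (assuming talloc's usual NULL-in/NULL-out behaviour) makes NT_STATUS_HAVE_NO_MEMORY report an out-of-memory condition for what is really missing input. I would reject that case explicitly before the strdup, `if (account_name == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, or document that a NULL `account_name` is only acceptable when the base carries one. The header comment should also say that `authenticated` is stored verbatim in `info->authenticated` and so must only be true once the caller has actually verified the validation data it came from (PAC or netlogon response), and that the string fields are talloc_reference()d from `base` rather than copied.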
@@ -181,10 +228,11 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 					       const char *account_name,
 					       uint16_t validation_level,
 					       union netr_Validation *validation,
+					       bool authenticated,
 					       struct auth_user_info_dc **_user_info_dc)
 {
+	NTSTATUS status;
 	struct auth_user_info_dc *user_info_dc;
-	struct auth_user_info *info;
 	struct netr_SamBaseInfo *base = NULL;
 	uint32_t i;
 
@@ -287,35 +335,11 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 
 		/* Where are the 'global' sids?... */
 	}
 
-	user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
-	NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
-
-	if (base->account_name.string) {
-		info->account_name = talloc_reference(info, base->account_name.string);
-	} else {
-		info->account_name = talloc_strdup(info, account_name);
-		NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+	status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
-	info->domain_name = talloc_reference(info, base->domain.string);
-	info->full_name = talloc_reference(info, base->full_name.string);
-	info->logon_script = talloc_reference(info, base->logon_script.string);
-	info->profile_path = talloc_reference(info, base->profile_path.string);
-	info->home_directory = talloc_reference(info, base->home_directory.string);
-	info->home_drive = talloc_reference(info, base->home_drive.string);
-	info->logon_server = talloc_reference(info, base->logon_server.string);
-	info->last_logon = base->last_logon;
-	info->last_logoff = base->last_logoff;
-	info->acct_expiry = base->acct_expiry;
-	info->last_password_change = base->last_password_change;
-	info->allow_password_change = base->allow_password_change;
-	info->force_password_change = base->force_password_change;
-	info->logon_count = base->logon_count;
-	info->bad_password_count = base->bad_password_count;
-	info->acct_flags = base->acct_flags;
-
-	info->authenticated = true;
-
 	/* ensure we are never given NULL session keys */
 	if (all_zero(base->key.key, sizeof(base->key.key))) {
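Review bot: The new line `status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);` is far wider than the per-argument wrapping every other call in this file uses; I would split it one argument per line to match. On the error path the function returns with `user_info_dc` (presumably allocated earlier in this function, outside the hunk) still attached to `mem_ctx`; that matches the existing NT_STATUS_HAVE_NO_MEMORY returns in this function, but a short comment that the caller's `mem_ctx` is expected to own and release the partially built object would help the next reader. make_user_info_dc_netlogon_validation begins before and ends after this hunk.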
@@ -350,7 +374,9 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 
 	validation.sam3 = &pac_logon_info->info3;
 
-	nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
+	nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
+							  true, /* This user was authenticated */
+							  &user_info_dc);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index bd92872009..c782c1c5cc 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -32,6 +32,12 @@
 
 /* The following definitions come from auth/auth_sam_reply.c */
 
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+				    const char *account_name,
+				    struct netr_SamBaseInfo *base,
+				    bool authenticated,
+				    struct auth_user_info **_user_info);
+
 NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 					       struct auth_user_info_dc *user_info_dc,
 					       struct netr_SamBaseInfo **_sam);
@@ -46,6 +52,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 					       const char *account_name,
 					       uint16_t validation_level,
 					       union netr_Validation *validation,
+					       bool authenticated,
 					       struct auth_user_info_dc **_user_info_dc);
 
 /**
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0ef7df88b3..0627911aeb 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -465,8 +465,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 	struct dom_sid tmp_sid;
 	struct auth_session_info *session_info;
 	struct wbcUnixId *ids;
-	struct auth_user_info_dc *user_info_dc;
-	union netr_Validation val;
 
 	/* Ensure we can't possible take a code path leading to a
 	 * null defref. */
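Review bot: The new prototype for make_user_info_SamBaseInfo in auth/auth_sam_reply.h carries no documentation, although it is now the entry point the source3 and source4 auth code share. I would add a Doxygen comment above it stating that `*_user_info` is allocated as a child of `mem_ctx`, that `account_name` is only used as a fallback when `base->account_name.string` is NULL, that the string fields are talloc_reference()d from `base` rather than copied, and — most importantly — that `authenticated` is copied straight into the result and therefore must only be true once the caller has verified the validation data it came from. The `bool authenticated,` added to make_user_info_dc_netlogon_validation further down the header deserves the same sentence wherever that function is documented.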
@@ -547,22 +545,16 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_OK;
 	}
 
-	val.sam3 = server_info->info3;
-
-	/* Convert into something we can build a struct
-	 * auth_session_info from. Most of the work here
-	 * will be to convert the SIDS, which we will then ignore, but
-	 * this is the easier way to handle it */
-	status = make_user_info_dc_netlogon_validation(talloc_tos(), "", 3, &val, &user_info_dc);
+	/* We need to populate session_info->info with the information found in server_info->info3 */
+	status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base,
+					    server_info->guest == false,
+					    &session_info->info);
 	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("conversion of info3 into user_info_dc failed!\n"));
+		DEBUG(0, ("conversion of info3 into auth_user_info failed!\n"));
 		TALLOC_FREE(session_info);
 		return status;
 	}
 
-	session_info->info = talloc_move(session_info, &user_info_dc->info);
-	talloc_free(user_info_dc);
-
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
 	 * domain controller provided us with. Likewise if the user name was
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index c3e3b98f74..d47bc7709c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -714,6 +714,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 		nt_status = make_user_info_dc_netlogon_validation(mem_ctx, NULL, 3, &validation,
+								 true, /* This user was authenticated */
 								 &user_info_dc);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			free(principal_string);
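Review bot: `server_info->guest == false` in the make_user_info_SamBaseInfo call compares against a boolean literal; write it as `!server_info->guest`. More importantly, this call site changes what lands in `session_info->info->authenticated`: the removed make_user_info_dc_netlogon_validation path hard-coded it to true, so guest sessions now get false, which looks intended but is not mentioned in the commit message — a comment such as `/* guest sessions are not authenticated; anything else reached here via a validated info3 */` next to the argument would record the decision. The call also dereferences `server_info->info3` with no visible check; the removed code handed the same pointer to a function that dereferenced it, so presumably the earlier "null defref" guard in create_local_token covers it, but that is worth confirming. create_local_token begins before and ends after this hunk.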
@@ -220,6 +220,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 					       user_info->client.account_name,
 					       s->req.in.validation_level,
 					       &s->req.out.validation,
+					       true, /* This user was authenticated */
 					       user_info_dc);
 	NT_STATUS_NOT_OK_RETURN(status);
 
@@ -304,8 +305,10 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
 
 	validation.sam3 = &info3;
 
 	nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
-						  user_info->client.account_name,
-						  3, &validation, user_info_dc);
+							  user_info->client.account_name,
+							  3, &validation,
+							  true, /* This user was authenticated */
+							  user_info_dc);
 	return nt_status;
 }
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index f09e039964..4840a79b7f 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -223,7 +223,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
 	nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
-							  &user_info_dc_out);
+							  true, /* This user was authenticated */
+							  &user_info_dc_out);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		torture_fail(tctx, talloc_asprintf(tctx,
@@ -487,6 +488,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
 	nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
+							  true, /* This user was authenticated */
 							  &user_info_dc_out);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 70912781a8..37fb8af147 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -598,6 +598,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
 						  ninfo.identity_info.account_name.string,
 						  r.in.validation_level,
 						  r.out.validation,
+						  true, /* This user was authenticated */
 						  &netlogon_user_info_dc);
 	torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
-- cgit