From 17d8f0ad30847bb940f645ee1817d782ddaaee74 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 11 Feb 2011 11:50:37 +1100 Subject: s3-auth use create_local_token() to transform server_info -> session_info Before a auth_serversupplied_info struct can be used for authorization, the local groups and privileges must be calculated. create_local_token() now copies the server_info, and then sets the calulated token and unix groups. Soon, it will also transform the result into an expanded struct auth_session_info. Until then, the variable name (server_info vs session_info provides a clue to the developer about what information has been entered in the structure). By moving the calls to create_local_token within the codebase, we remove duplication, and ensure that the session key (where modified) is consistently copied into the new structure. Andrew Bartlett --- source3/smbd/sesssetup.c | 64 +++++++++++++++++++----------------------------- 1 file changed, 25 insertions(+), 39 deletions(-) (limited to 'source3/smbd/sesssetup.c') diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 57b0b68be7..5067201a65 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -248,7 +248,7 @@ static void reply_spnego_kerberos(struct smb_request *req, int sess_vuid = req->vuid; NTSTATUS ret = NT_STATUS_OK; DATA_BLOB ap_rep, ap_rep_wrapped, response; - struct auth_serversupplied_info *server_info = NULL; + struct auth_serversupplied_info *session_info = NULL; DATA_BLOB session_key = data_blob_null; uint8 tok_id[2]; DATA_BLOB nullblob = data_blob_null; @@ -369,15 +369,16 @@ static void reply_spnego_kerberos(struct smb_request *req, /* reload services so that the new %U is taken into account */ reload_services(sconn->msg_ctx, sconn->sock, True); - ret = make_server_info_krb5(mem_ctx, - user, domain, real_username, pw, - logon_info, map_domainuser_to_guest, - username_was_mapped, - &server_info); + ret = make_session_info_krb5(mem_ctx, + user, domain, real_username, pw, + logon_info, map_domainuser_to_guest, + username_was_mapped, + &session_key, + &session_info); + data_blob_free(&session_key); if (!NT_STATUS_IS_OK(ret)) { DEBUG(1, ("make_server_info_krb5 failed!\n")); data_blob_free(&ap_rep); - data_blob_free(&session_key); TALLOC_FREE(mem_ctx); reply_nterror(req, nt_status_squash(ret)); return; @@ -387,20 +388,13 @@ static void reply_spnego_kerberos(struct smb_request *req, sess_vuid = register_initial_vuid(sconn); } - data_blob_free(&server_info->user_session_key); - /* Set the kerberos-derived session key onto the server_info */ - server_info->user_session_key = session_key; - talloc_steal(server_info, session_key.data); - - session_key = data_blob_null; - /* register_existing_vuid keeps the server info */ /* register_existing_vuid takes ownership of session_key on success, * no need to free after this on success. A better interface would copy * it.... */ sess_vuid = register_existing_vuid(sconn, sess_vuid, - server_info, nullblob, user); + session_info, nullblob, user); reply_outbuf(req, 4, 0); SSVAL(req->outbuf,smb_uid,sess_vuid); @@ -413,7 +407,7 @@ static void reply_spnego_kerberos(struct smb_request *req, SSVAL(req->outbuf, smb_vwv3, 0); - if (server_info->guest) { + if (session_info->guest) { SSVAL(req->outbuf,smb_vwv2,1); } @@ -1275,6 +1269,7 @@ void reply_sesssetup_and_X(struct smb_request *req) const char *primary_domain; struct auth_usersupplied_info *user_info = NULL; struct auth_serversupplied_info *server_info = NULL; + struct auth_serversupplied_info *session_info = NULL; uint16 smb_flag2 = req->flags2; NTSTATUS nt_status; @@ -1622,29 +1617,20 @@ void reply_sesssetup_and_X(struct smb_request *req) return; } - /* Ensure we can't possible take a code path leading to a - * null defref. */ - if (!server_info) { - reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE)); + nt_status = create_local_token(req, server_info, NULL, &session_info); + TALLOC_FREE(server_info); + + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(10, ("create_local_token failed: %s\n", + nt_errstr(nt_status))); + data_blob_free(&nt_resp); + data_blob_free(&lm_resp); + data_blob_clear_free(&plaintext_password); + reply_nterror(req, nt_status_squash(nt_status)); END_PROFILE(SMBsesssetupX); return; } - if (!server_info->security_token) { - nt_status = create_local_token(server_info); - - if (!NT_STATUS_IS_OK(nt_status)) { - DEBUG(10, ("create_local_token failed: %s\n", - nt_errstr(nt_status))); - data_blob_free(&nt_resp); - data_blob_free(&lm_resp); - data_blob_clear_free(&plaintext_password); - reply_nterror(req, nt_status_squash(nt_status)); - END_PROFILE(SMBsesssetupX); - return; - } - } - data_blob_clear_free(&plaintext_password); /* it's ok - setup a reply */ @@ -1654,7 +1640,7 @@ void reply_sesssetup_and_X(struct smb_request *req) /* perhaps grab OS version here?? */ } - if (server_info->guest) { + if (session_info->guest) { SSVAL(req->outbuf,smb_vwv2,1); } @@ -1663,7 +1649,7 @@ void reply_sesssetup_and_X(struct smb_request *req) if (lp_security() == SEC_SHARE) { sess_vuid = UID_FIELD_INVALID; - TALLOC_FREE(server_info); + TALLOC_FREE(session_info); } else { /* Ignore the initial vuid. */ sess_vuid = register_initial_vuid(sconn); @@ -1675,9 +1661,9 @@ void reply_sesssetup_and_X(struct smb_request *req) END_PROFILE(SMBsesssetupX); return; } - /* register_existing_vuid keeps the server info */ + /* register_existing_vuid keeps the session_info */ sess_vuid = register_existing_vuid(sconn, sess_vuid, - server_info, + session_info, nt_resp.data ? nt_resp : lm_resp, sub_user); if (sess_vuid == UID_FIELD_INVALID) { -- cgit