From 50547a9950062311a4952846960b15e1d6cdfdf5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 3 Feb 2012 17:09:37 +1100
Subject: s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup

This patch ensures consistency in behaviour between NTLMSSP and NTLM session setup handlers. By calling the same layer that auth_ntlmssp calls, we can not only allow redirection of all authentication to the AD DC, we ensure that map to guest and username map handling is consistent, even in the file server alone.

Andrew Bartlett
---
source3/smbd/globals.h | 2 +-
source3/smbd/negprot.c | 2 +-
source3/smbd/sesssetup.c | 63 +++++++++++++++---------------------------------
3 files changed, 22 insertions(+), 45 deletions(-)
(limited to 'source3/smbd')
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index bfa649b98b..5b65711b99 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -509,7 +509,7 @@ struct smbd_server_connection {
  struct {
  bool encrypted_passwords;
  bool spnego;
- struct auth_context *auth_context;
+ struct auth4_context *auth_context;
  bool done;
  /*
  * Size of the data we can receive. Set by us.
diff --git a/source3/smbd/negprot.c b/source3/smbd/negprot.c
index 8a6b509fea..e44ac5cb75 100644
--- a/source3/smbd/negprot.c
+++ b/source3/smbd/negprot.c
@@ -44,7 +44,7 @@ static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8])
  }
  DEBUG(10, ("get challenge: creating negprot_global_auth_context\n"));
- nt_status = make_auth_context_subsystem(
+ nt_status = make_auth4_context(
  sconn, &sconn->smb1.negprot.auth_context);
  if (!NT_STATUS_IS_OK(nt_status)) {
  DEBUG(0, ("make_auth_context_subsystem returned %s",
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index da306b97bc..b2e1f2421f 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
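Review bot: The error log two lines below the changed call in negprot.c still names the old function: `DEBUG(0, ("make_auth_context_subsystem returned %s",` is now emitted when make_auth4_context() fails. Rename it to `DEBUG(0, ("make_auth4_context returned %s",` so that an operator grepping the log for the failing call lands on the right function. get_challenge() continues outside the hunk, so the rest of that DEBUG statement is not visible here.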
@@ -77,31 +77,33 @@ static int push_signature(uint8 **outbuf)
  ****************************************************************************/
  static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
- struct auth_serversupplied_info **server_info)
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info **session_info)
  {
- struct auth_context *auth_context;
+ struct auth4_context *auth_context;
  struct auth_usersupplied_info *user_info = NULL;
-
+ uint8_t chal[8];
  NTSTATUS nt_status;
- static unsigned char chal[8] = { 0, };
  DEBUG(3,("Got anonymous request\n"));
- nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
+ nt_status = make_auth4_context(talloc_tos(), &auth_context);
  if (!NT_STATUS_IS_OK(nt_status)) {
  return nt_status;
  }
+ auth_context->get_ntlm_challenge(auth_context,
+ chal);
+
  if (!make_user_info_guest(remote_address, &user_info)) {
  TALLOC_FREE(auth_context);
  return NT_STATUS_NO_MEMORY;
  }
- nt_status = auth_context->check_ntlm_password(auth_context,
- user_info,
- server_info);
- TALLOC_FREE(auth_context);
+ nt_status = auth_check_password_session_info(auth_context,
+ mem_ctx, user_info, session_info);
  free_user_info(&user_info);
+ TALLOC_FREE(auth_context);
  return nt_status;
  }
@@ -396,7 +398,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
  const char *native_lanman;
  const char *primary_domain;
  struct auth_usersupplied_info *user_info = NULL;
- struct auth_serversupplied_info *server_info = NULL;
  struct auth_session_info *session_info = NULL;
  uint16 smb_flag2 = req->flags2;
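Review bot: The result of the added `auth_context->get_ntlm_challenge(auth_context, chal)` call in check_guest_password() is discarded, and `chal` is never read afterwards in this function, so a failure to establish the challenge goes unnoticed and the anonymous session setup proceeds against a context that may have none. If that callback returns NTSTATUS, as the other auth4_context callbacks do, check it the same way make_auth4_context() is checked two lines above: `nt_status = auth_context->get_ntlm_challenge(auth_context, chal);` followed by `if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(auth_context); return nt_status; }`. A short comment such as `/* the guest login needs a challenge set on the context; the value itself is not used here */` would also explain why a write-only local is being filled in, replacing the zeroed static array the old code passed to make_auth_context_fixed().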
@@ -671,10 +672,10 @@ void reply_sesssetup_and_X(struct smb_request *req)
  if (!*user) {
- nt_status = check_guest_password(sconn->remote_address, &server_info);
+ nt_status = check_guest_password(sconn->remote_address, req, &session_info);
  } else if (doencrypt) {
- struct auth_context *negprot_auth_context = NULL;
+ struct auth4_context *negprot_auth_context = NULL;
  negprot_auth_context = sconn->smb1.negprot.auth_context;
  if (!negprot_auth_context) {
  DEBUG(0, ("reply_sesssetup_and_X: Attempted encrypted "
@@ -689,15 +690,13 @@ void reply_sesssetup_and_X(struct smb_request *req)
  sconn->remote_address, lm_resp, nt_resp);
  if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = negprot_auth_context->check_ntlm_password(
- negprot_auth_context,
- user_info,
- &server_info);
+ nt_status = auth_check_password_session_info(negprot_auth_context,
+ req, user_info, &session_info);
  }
  } else {
- struct auth_context *plaintext_auth_context = NULL;
+ struct auth4_context *plaintext_auth_context = NULL;
- nt_status = make_auth_context_subsystem(
+ nt_status = make_auth4_context(
  talloc_tos(), &plaintext_auth_context);
  if (NT_STATUS_IS_OK(nt_status)) {
@@ -715,38 +714,16 @@ void reply_sesssetup_and_X(struct smb_request *req)
  }
  if (NT_STATUS_IS_OK(nt_status)) {
- nt_status = plaintext_auth_context->check_ntlm_password(
- plaintext_auth_context,
- user_info,
- &server_info);
-
- TALLOC_FREE(plaintext_auth_context);
+ nt_status = auth_check_password_session_info(plaintext_auth_context,
+ req, user_info, &session_info);
  }
+ TALLOC_FREE(plaintext_auth_context);
  }
  }
  free_user_info(&user_info);
  if (!NT_STATUS_IS_OK(nt_status)) {
- nt_status = do_map_to_guest_server_info(nt_status, &server_info,
- user, domain);
- }
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- data_blob_free(&nt_resp);
- data_blob_free(&lm_resp);
- data_blob_clear_free(&plaintext_password);
- reply_nterror(req, nt_status_squash(nt_status));
- END_PROFILE(SMBsesssetupX);
- return;
- }
-
- nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
- TALLOC_FREE(server_info);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(10, ("create_local_token failed: %s\n",
- nt_errstr(nt_status)));
  data_blob_free(&nt_resp);
  data_blob_free(&lm_resp);
  data_blob_clear_free(&plaintext_password);
-- cgit
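Review bot: With `create_local_token(req, server_info, NULL, sub_user, &session_info)` and the `do_map_to_guest_server_info()` call removed, `sub_user` (presumably the username-map result) no longer reaches the session from this function, and the explicit map-to-guest step is gone; both now have to be performed inside auth_check_password_session_info(), which this diff cannot show. If `sub_user` is still computed earlier in reply_sesssetup_and_X() (the function starts before and ends after this hunk), it is now an unused local and should be dropped. A one-line comment at the new call, such as `/* map-to-guest and username-map handling now happen inside auth_check_password_session_info() */`, would tell the next reader where those checks moved; the same applies to the two auth_check_password_session_info() calls in the preceding hunks. The moved `TALLOC_FREE(plaintext_auth_context);` now runs on the failure path as well, which is the right place for it.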