From cd6026135d3dc7eaa773c60aa168bae8f3f15502 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 13 Feb 2009 14:02:49 +1100
Subject: Push sam_get_server_info_principal into the auth subsystem This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently) Andrew Bartlett
---
 source4/auth/gensec/config.mk | 2 +-
 source4/auth/gensec/gensec_gssapi.c | 10 ++++++----
 source4/auth/gensec/gensec_krb5.c | 19 +++++++++++++++++--
 3 files changed, 24 insertions(+), 7 deletions(-)
(limited to 'source4/auth/gensec')
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index 3d13ce7f6d..27cf442b68 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -21,7 +21,7 @@ $(eval $(call proto_header_template,$(gensecsrcdir)/gensec_proto.h,$(gensec_OBJ_
 [MODULE::gensec_krb5]
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_krb5_init
-PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session auth_sam
+PRIVATE_DEPENDENCIES = CREDENTIALS KERBEROS auth_session
 # End MODULE gensec_krb5
 ################################################
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index dcfffef3df..aae04dffe2 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1290,12 +1290,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 return NT_STATUS_NO_MEMORY;
 }
- if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ if (gensec_security->auth_context &&
+ !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
 DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n", gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx,
- gensec_security->settings->lp_ctx, principal_string,
- &server_info);
+ nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ gensec_security->auth_context,
+ principal_string,
+ &server_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 6e715d0090..b04abfc16c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
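Review bot: In gensec_gssapi_session_info the new condition tests `gensec_security->auth_context` but then calls `auth_context->get_server_info_principal` without checking that the callback is set, so an auth context that leaves that member NULL would be called through a null pointer whenever a ticket arrives without a PAC. Extending the test to `if (gensec_security->auth_context && gensec_security->auth_context->get_server_info_principal &&` keeps that case on the refusal path instead. A comment such as `/* no auth_context or no lookup callback: a missing PAC cannot be resolved locally, so refuse */` would also record that a NULL auth_context now appears to fail closed even when require_pac is false. The same condition is repeated in the gensec_krb5.c hunk, and the else branch here lies outside the hunk, so its behaviour is inferred.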
@@ -607,8 +607,23 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx)));
- nt_status = sam_get_server_info_principal(mem_ctx, gensec_security->event_ctx, gensec_security->settings->lp_ctx, principal_string,
- &server_info);
+ if (gensec_security->auth_context &&
+ !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s"));
+ nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ gensec_security->auth_context,
+ principal_string,
+ &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+ } else {
+ DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+ principal_string));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ krb5_free_principal(context, client_principal); free(principal_string);
-- cgit
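Review bot: The first added `DEBUG(1, ...)` in gensec_krb5_session_info has a `%s` in its format string but passes no argument (and no trailing newline), so the logger reads an indeterminate vararg each time a PAC-less ticket is handled at that log level, on a path the remote client controls. Both new early returns also leave before the `krb5_free_principal(context, client_principal)` and `free(principal_string)` that follow the block, and the `else` return does not call `talloc_free(mem_ctx)` as the failure branch does, so each refused ticket appears to leak. mem_ctx is allocated outside the hunk and the function continues past it, so confirm ownership before applying the cleanup sketched below.

```c
	/* … unchanged: auth_context / require_pac condition … */
		DEBUG(1, ("Unable to find PAC in ticket from %s, resorting to local user lookup\n",
			  principal_string));
		/* … unchanged: get_server_info_principal() call … */
		if (!NT_STATUS_IS_OK(nt_status)) {
			krb5_free_principal(context, client_principal);
			free(principal_string);
			talloc_free(mem_ctx);
			return nt_status;
		}
	} else {
		/* … unchanged: DEBUG "failing to allow access" … */
		krb5_free_principal(context, client_principal);
		free(principal_string);
		talloc_free(mem_ctx);
		return NT_STATUS_ACCESS_DENIED;
	}
```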