From ece6eae4d8862a564c581a3f3808c04edab6cb19 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 22 Dec 2010 17:17:07 +1100 Subject: s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett --- source4/auth/ntlm/auth_sam.c | 87 ++++---------------------------------------- 1 file changed, 8 insertions(+), 79 deletions(-) (limited to 'source4/auth/ntlm/auth_sam.c') diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 259efec8e5..645713286d 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -353,87 +353,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } -/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. - - Supply either a principal or a DN -*/ -NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - const char *principal, - struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) +/* Wrapper for the auth subsystem pointer */ +NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx, + struct auth_context *auth_context, + const char *principal, + struct ldb_dn *user_dn, + struct auth_serversupplied_info **server_info) { - NTSTATUS nt_status; - DATA_BLOB user_sess_key = data_blob(NULL, 0); - DATA_BLOB lm_sess_key = data_blob(NULL, 0); - - struct ldb_message *msg; - struct ldb_dn *domain_dn; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - if (principal) { - nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal, - user_attrs, &domain_dn, &msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - } else if (user_dn) { - struct dom_sid *user_sid, *domain_sid; - int ret; - /* pull the user attributes */ - ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn, - LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); - if (ret == LDB_ERR_NO_SUCH_OBJECT) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_SUCH_USER; - } else if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); - - nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL, - "(&(objectSid=%s)(objectClass=domain))", - ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); - if (!domain_dn) { - DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", - dom_sid_string(tmp_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - - } else { - return NT_STATUS_INVALID_PARAMETER; - } - - nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx, - lpcfg_netbios_name(auth_context->lp_ctx), - lpcfg_workgroup(auth_context->lp_ctx), - domain_dn, - msg, - user_sess_key, lm_sess_key, - server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - talloc_steal(mem_ctx, *server_info); - talloc_free(tmp_ctx); - - return NT_STATUS_OK; + return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, + principal, user_dn, server_info); } - static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, -- cgit