From cd6026135d3dc7eaa773c60aa168bae8f3f15502 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 13 Feb 2009 14:02:49 +1100
Subject: Push sam_get_server_info_principal into the auth subsystem

This means it must be accessed via the supplied auth_context in the GENSEC server, and should remove the hard depenceny of GENSEC on the auth subsystem and ldb (allowing LDB not to rely on LDB is considered a good thing, apparently)

Andrew Bartlett
---
 source4/auth/ntlm/auth.c     | 31 +++++++++++++++++++++
 source4/auth/ntlm/auth_sam.c | 65 ++++++++++++++++++++++++++++++++++++++------
 source4/auth/ntlm/config.mk  |  1 -
 3 files changed, 87 insertions(+), 10 deletions(-)

(limited to 'source4/auth/ntlm')

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 2aae4a075e..5520c9d01f 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -103,6 +103,36 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_
 	return NT_STATUS_OK;
 }
 
+/****************************************************************************
+ Try to get a challenge out of the various authentication modules.
+ Returns a const char of length 8 bytes.
+****************************************************************************/
+_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
+						  struct auth_context *auth_ctx,
+						  const char *principal,
+						  struct auth_serversupplied_info **server_info)
+{
+	NTSTATUS nt_status;
+	struct auth_method_context *method;
+
+	for (method = auth_ctx->methods; method; method = method->next) {
+		if (!method->ops->get_server_info_principal) {
+			continue;
+		}
+
+		nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info);
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+			continue;
+		}
+
+		NT_STATUS_NOT_OK_RETURN(nt_status);
+
+		break;
+	}
+
+	return NT_STATUS_OK;
+}
+
 struct auth_check_password_sync_state {
 	bool finished;
 	NTSTATUS status;
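Review bot: When no registered method implements get_server_info_principal, or every one of them answers NT_STATUS_NOT_IMPLEMENTED, the loop in auth_get_server_info_principal falls through and the function returns NT_STATUS_OK with *server_info never assigned, so a caller that trusts the status reads an indeterminate pointer. Initialising the status and returning it, `NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;` at the declaration and `return nt_status;` in place of `return NT_STATUS_OK;`, turns the no-provider case into an explicit failure while the successful path still leaves the loop with NT_STATUS_OK. The header comment was carried over from auth_get_challenge and describes an 8-byte challenge; it should instead read along the lines of `Look up a principal through the registered auth methods and fill in its server_info; methods that do not implement the lookup are skipped.`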
@@ -411,6 +441,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 	ctx->get_challenge = auth_get_challenge;
 	ctx->set_challenge = auth_context_set_challenge;
 	ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
+	ctx->get_server_info_principal = auth_get_server_info_principal;
 
 	*auth_ctx = ctx;
 
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 384d342e00..96a13d5ed9 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -1,7 +1,7 @@
 /* 
    Unix SMB/CIFS implementation.
    Password and authentication handling
-   Copyright (C) Andrew Bartlett         2001-2004
+   Copyright (C) Andrew Bartlett         2001-2009
    Copyright (C) Gerald Carter           2003
    Copyright (C) Stefan Metzmacher       2005
 
@@ -419,18 +419,65 @@ static NTSTATUS authsam_check_password(struct auth_method_context *ctx,
 	return authsam_check_password_internals(ctx, mem_ctx, domain, user_info, server_info);
 }
 
+
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
+NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+					   struct auth_context *auth_context,
+					   const char *principal,
+					   struct auth_serversupplied_info **server_info)
+{
+	NTSTATUS nt_status;
+	DATA_BLOB user_sess_key = data_blob(NULL, 0);
+	DATA_BLOB lm_sess_key = data_blob(NULL, 0);
+
+	struct ldb_message **msgs;
+	struct ldb_message **msgs_domain_ref;
+	struct ldb_context *sam_ctx;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx,
+				system_session(tmp_ctx, auth_context->lp_ctx));
+	if (sam_ctx == NULL) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
+	}
+
+	nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
+					      &msgs, &msgs_domain_ref);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+
+	nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
+					     lp_netbios_name(auth_context->lp_ctx),
+					     msgs[0], msgs_domain_ref[0],
+					     user_sess_key, lm_sess_key,
+					     server_info);
+	if (NT_STATUS_IS_OK(nt_status)) {
+		talloc_steal(mem_ctx, *server_info);
+	}
+	talloc_free(tmp_ctx);
+	return nt_status;
+}
+
 static const struct auth_operations sam_ignoredomain_ops = {
-	.name		= "sam_ignoredomain",
-	.get_challenge	= auth_get_challenge_not_implemented,
-	.want_check	= authsam_ignoredomain_want_check,
-	.check_password	= authsam_ignoredomain_check_password
+	.name                       = "sam_ignoredomain",
+	.get_challenge              = auth_get_challenge_not_implemented,
+	.want_check                 = authsam_ignoredomain_want_check,
+	.check_password             = authsam_ignoredomain_check_password,
+	.get_server_info_principal  = authsam_get_server_info_principal
 };
 
 static const struct auth_operations sam_ops = {
-	.name		= "sam",
-	.get_challenge	= auth_get_challenge_not_implemented,
-	.want_check	= authsam_want_check,
-	.check_password	= authsam_check_password
+	.name                       = "sam",
+	.get_challenge              = auth_get_challenge_not_implemented,
+	.want_check                 = authsam_want_check,
+	.check_password             = authsam_check_password,
+	.get_server_info_principal  = authsam_get_server_info_principal
 };
 
 _PUBLIC_ NTSTATUS auth_sam_init(void)
diff --git a/source4/auth/ntlm/config.mk b/source4/auth/ntlm/config.mk
index 6a487f9b9e..668c528ea9 100644
--- a/source4/auth/ntlm/config.mk
+++ b/source4/auth/ntlm/config.mk
@@ -8,7 +8,6 @@ ntlm_check_OBJ_FILES = $(addprefix $(authsrcdir)/ntlm/, ntlm_check.o)
 #######################
 # Start MODULE auth_sam
 [MODULE::auth_sam_module]
-# gensec_krb5 and gensec_gssapi depend on it
 INIT_FUNCTION = auth_sam_init
 SUBSYSTEM = auth
 PRIVATE_DEPENDENCIES = \
-- 
cgit
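Review bot: The early return after sam_get_results_principal in authsam_get_server_info_principal leaks tmp_ctx, and with it the samdb connection and system session allocated under it, because it is the only failing path in the function that does not free the temporary context. A lookup of a principal that is not in the SAM is an ordinary failure on this path, so if the GENSEC server reaches it once per authentication attempt, as the comment above the function suggests, the leak accumulates with every such failure. Change the branch to `talloc_free(tmp_ctx); return nt_status;`, matching the samdb_connect failure branch just above it. The remainder of the hunk only wires the new callback into sam_ignoredomain_ops and sam_ops.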