From 1961d7a4119200b8a4ad7b0207e0cdcf2e10d3f8 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 21 Dec 2010 10:19:53 +1100 Subject: s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett --- source4/auth/ntlm/auth.c | 15 ++++++++++++++- source4/auth/session.c | 13 +++++++------ source4/auth/session.h | 7 +++---- source4/auth/system_session.c | 4 ++-- 4 files changed, 26 insertions(+), 13 deletions(-) (limited to 'source4/auth') diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index f7de0201b6..0c6c8ef52c 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -408,6 +408,19 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, return NT_STATUS_OK; } +/* Wrapper because we don't want to expose all callers to needing to + * know that session_info is generated from the main ldb */ +static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, + struct auth_context *auth_context, + struct auth_serversupplied_info *server_info, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + return auth_generate_session_info(mem_ctx, auth_context->lp_ctx, + auth_context->sam_ctx, server_info, + session_info_flags, session_info); +} + /*************************************************************************** Make a auth_info struct for the auth subsystem - Allow the caller to specify the methods to use, including optionally the SAM to use @@ -476,7 +489,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char ** ctx->set_challenge = auth_context_set_challenge; ctx->challenge_may_be_modified = auth_challenge_may_be_modified; ctx->get_server_info_principal = auth_get_server_info_principal; - ctx->generate_session_info = auth_generate_session_info; + ctx->generate_session_info = auth_generate_session_info_wrapper; *auth_ctx = ctx; diff --git a/source4/auth/session.c b/source4/auth/session.c index bb6a5946e5..1028aa8320 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -41,7 +41,8 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, } _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */ + struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ struct auth_serversupplied_info *server_info, uint32_t session_info_flags, struct auth_session_info **_session_info) @@ -83,7 +84,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, /* Don't expand nested groups of system, anonymous etc*/ } else if (dom_sid_equal(system_sid, server_info->account_sid)) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (auth_context) { + } else if (sam_ctx) { groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx); if (!groupSIDs) { @@ -119,7 +120,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, account_sid_blob = data_blob_string_const(account_sid_dn); - nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter, + nt_status = authsam_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter, tmp_ctx, &groupSIDs, &num_groupSIDs); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -143,7 +144,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, primary_group_blob = data_blob_string_const(primary_group_dn); - nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter, + nt_status = authsam_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, tmp_ctx, &groupSIDs, &num_groupSIDs); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -167,7 +168,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, /* This function takes in memberOf values and expands * them, as long as they meet the filter - so only * builtin groups */ - nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter, + nt_status = authsam_expand_nested_groups(sam_ctx, &group_blob, true, filter, tmp_ctx, &groupSIDs, &num_groupSIDs); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); @@ -177,7 +178,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, } nt_status = security_token_create(session_info, - auth_context ? auth_context->lp_ctx : NULL, + lp_ctx, server_info->account_sid, server_info->primary_group_sid, num_groupSIDs, diff --git a/source4/auth/session.h b/source4/auth/session.h index 3de054aef1..bdcfe7ab93 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -31,7 +31,6 @@ struct auth_session_info { #include "librpc/gen_ndr/netlogon.h" struct tevent_context; -struct auth_context; /* Create a security token for a session SYSTEM (the most * trusted/prvilaged account), including the local machine account as * the off-host credentials */ @@ -41,11 +40,11 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_serversupplied_info **_server_info) ; NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - struct auth_serversupplied_info *server_info, + struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ + struct auth_serversupplied_info *server_info, uint32_t session_info_flags, struct auth_session_info **_session_info); - NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, struct loadparm_context *lp_ctx, struct auth_session_info **_session_info); diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index bec22c1600..6e0cd7be5a 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -194,7 +194,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info); + nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); @@ -445,7 +445,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, } /* references the server_info into the session_info */ - nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info); + nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info); talloc_free(mem_ctx); NT_STATUS_NOT_OK_RETURN(nt_status); -- cgit