From db4b95827e4e6d13577513946bff4f956c849756 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sun, 23 Oct 2005 22:20:42 +0000
Subject: r11270: Move the core CrackNames code from rpc_server/drsuapi to
 dsdb/samdb. I'm sure this will not be the final resting place, but it will do
 for now.

Use the cracknames code in auth/ for creating a server_info given a
principal name only (should avoid assumtions about spliting a
user@realm principal).

Andrew Bartlett
(This used to be commit c9d5d8e45dd7b7c99b6cf35b087bc18012f31222)
---
 source4/auth/auth_sam.c             | 109 +++++++++++++++++++++++-------------
 source4/auth/gensec/gensec_gssapi.c |  41 ++------------
 source4/auth/gensec/gensec_krb5.c   |  19 ++-----
 3 files changed, 81 insertions(+), 88 deletions(-)

(limited to 'source4/auth')

diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index de4be9586c..9fd011ea30 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -26,6 +26,31 @@
 #include "auth/auth.h"
 #include "lib/ldb/include/ldb.h"
 
+const char *user_attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
+		       "userAccountControl",
+		       "pwdLastSet",
+		       "accountExpires",
+		       "objectSid",
+		       "userWorkstations",
+		       
+		       /* required for server_info, not access control: */
+		       "sAMAccountName",
+		       "displayName",
+		       "scriptPath",
+		       "profilePath",
+		       "homeDirectory",
+		       "homeDrive",
+		       "lastLogon",
+		       "lastLogoff",
+		       "accountExpires",
+		       "badPwdCount",
+		       "logonCount",
+		       "primaryGroupID",
+		       NULL,
+};
+
+const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
+
 /****************************************************************************
  Do a specific test for an smb password being correct, given a smb_password and
  the lanman and NT responses.
@@ -217,31 +242,6 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 
 	const struct ldb_dn *domain_dn = NULL;
 
-	const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash",
-			       "userAccountControl",
-			       "pwdLastSet",
-			       "accountExpires",
-			       "objectSid",
-			       "userWorkstations",
-			       
-			       /* required for server_info, not access control: */
-			       "sAMAccountName",
-			       "displayName",
-			       "scriptPath",
-			       "profilePath",
-			       "homeDirectory",
-			       "homeDrive",
-			       "lastLogon",
-			       "lastLogoff",
-			       "accountExpires",
-			       "badPwdCount",
-			       "logonCount",
-			       "primaryGroupID",
-			       NULL,
-	};
-
-	const char *domain_attrs[] =  {"nETBIOSName", "nCName", NULL};
-
 	if (domain_name) {
 		/* find the domain's DN */
 		ret_domain = gendb_search(sam_ctx, mem_ctx, NULL, &msgs_domain, domain_attrs,
@@ -267,7 +267,7 @@ static NTSTATUS authsam_search_account(TALLOC_CTX *mem_ctx, struct ldb_context *
 	}
 
 	/* pull the user attributes */
-	ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, attrs,
+	ret = gendb_search(sam_ctx, mem_ctx, domain_dn, &msgs, user_attrs,
 			   "(&(sAMAccountName=%s)(objectclass=user))", 
 			   account_name);
 	if (ret == -1) {
@@ -511,32 +511,61 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 	return NT_STATUS_OK;
 }
 
-NTSTATUS sam_get_server_info(TALLOC_CTX *mem_ctx, const char *account_name, const char *domain_name,
-			     DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
-			     struct auth_serversupplied_info **server_info)
+NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principal,
+				       struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
+	DATA_BLOB user_sess_key = data_blob(NULL, 0);
+	DATA_BLOB lm_sess_key = data_blob(NULL, 0);
 
+	struct ldb_dn *user_dn, *domain_dn;
 	struct ldb_message **msgs;
-	struct ldb_message **domain_msgs;
-	void *sam_ctx;
+	struct ldb_message **msgs_domain;
+	struct ldb_context *sam_ctx;
 
-	sam_ctx = samdb_connect(mem_ctx, system_session(mem_ctx));
+	int ret_domain, ret;
+
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	sam_ctx = samdb_connect(tmp_ctx, system_session(tmp_ctx));
 	if (sam_ctx == NULL) {
+		talloc_free(tmp_ctx);
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
 
-	nt_status = authsam_search_account(mem_ctx, sam_ctx, account_name, domain_name, &msgs, &domain_msgs);
-	NT_STATUS_NOT_OK_RETURN(nt_status);
+	nt_status = crack_user_principal_name(sam_ctx, tmp_ctx, principal, &user_dn, &domain_dn);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return nt_status;
+	}
+	
+	/* grab domain info */
+	ret_domain = gendb_search_dn(sam_ctx, tmp_ctx,
+				     domain_dn, &msgs_domain, domain_attrs);
 
-	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, domain_msgs,
+	if (ret_domain != 1) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	
+	/* pull the user attributes */
+	ret = gendb_search_dn(sam_ctx, tmp_ctx, 
+			      user_dn, &msgs, user_attrs);
+	if (ret != 1) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, msgs_domain,
 					     user_sess_key, lm_sess_key,
 					     server_info);
-	NT_STATUS_NOT_OK_RETURN(nt_status);
-
-	talloc_free(msgs);
-	talloc_free(domain_msgs);
-
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return nt_status;
+	}
 	return NT_STATUS_OK;
 }
 
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 42141e4df2..8fcada2352 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -879,6 +879,10 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		}
 	}
 	
+	/* IF we have the PAC - otherwise we need to get this
+	 * data from elsewere - local ldb, or (TODO) lookup of some
+	 * kind... 
+	 */
 	if (maj_stat == 0) {
 		krb5_error_code ret;
 
@@ -912,42 +916,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 	}
 	
 	if (maj_stat) {
-		krb5_error_code ret;
-		DATA_BLOB user_sess_key = data_blob(NULL, 0);
-		DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-		/* IF we have the PAC - otherwise we need to get this
-		 * data from elsewere - local ldb, or (TODO) lookup of some
-		 * kind... 
-		 *
-		 * when heimdal can generate the PAC, we should fail if there's
-		 * no PAC present
-		 */
-
-		char *account_name;
-		const char *realm;
-		ret = krb5_parse_name(gensec_gssapi_state->smb_krb5_context->krb5_context,
-				      principal_string, &principal);
-		if (ret) {
-			talloc_free(mem_ctx);
-			return NT_STATUS_INVALID_PARAMETER;
-		}
-		
-		realm = krb5_principal_get_realm(gensec_gssapi_state->smb_krb5_context->krb5_context, 
-						 principal);
-		ret = krb5_unparse_name_norealm(gensec_gssapi_state->smb_krb5_context->krb5_context, 
-						principal, &account_name);
-		if (ret) {
-			krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
-			talloc_free(mem_ctx);
-			return NT_STATUS_NO_MEMORY;
-		}
-
 		DEBUG(1, ("Unable to use PAC, resorting to local user lookup!\n"));
-		nt_status = sam_get_server_info(mem_ctx, account_name, realm,
-						user_sess_key, lm_sess_key,
-						&server_info);
-		free(account_name);
-		krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
+		nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+							  &server_info);
 
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 64de8211dd..3ed38a435c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -518,23 +518,16 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		/* NO pac, or can't parse or verify it */
 		krb5_error_code ret;
-		DATA_BLOB user_sess_key = data_blob(NULL, 0);
-		DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-
-		char *account_name;
-		const char *realm = krb5_principal_get_realm(gensec_krb5_state->smb_krb5_context->krb5_context, 
-							     get_principal_from_tkt(gensec_krb5_state->ticket));
-		ret = krb5_unparse_name_norealm(gensec_krb5_state->smb_krb5_context->krb5_context, 
-						get_principal_from_tkt(gensec_krb5_state->ticket), &account_name);
+		char *principal_string;
+		ret = krb5_unparse_name(gensec_krb5_state->smb_krb5_context->krb5_context, 
+					get_principal_from_tkt(gensec_krb5_state->ticket), &principal_string);
 		if (ret) {
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		/* TODO: should we pass the krb5 session key in here? */
-		nt_status = sam_get_server_info(mem_ctx, account_name, realm,
-						user_sess_key, lm_sess_key,
-						&server_info);
-		free(account_name);
+		nt_status = sam_get_server_info_principal(mem_ctx, principal_string,
+							  &server_info);
+		free(principal_string);
 		
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(mem_ctx);
-- 
cgit