From fe693e9148cdd9faf3525289a97373a5989e5416 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 29 Dec 2011 11:46:41 +1100
Subject: s4-torture: Demonstrate handling of the PAC in a custom auth_context

This demonstrates how a different function pointer can be supplied to handle the PAC blob, without depending on the provisioned samdb etc.

Andrew Bartlett
---
 source4/auth/gensec/gensec_util.c | 62 +++------------------------------------
 source4/auth/gensec/wscript_build | 2 +-
 2 files changed, 5 insertions(+), 59 deletions(-)
(limited to 'source4/auth')

diff --git a/source4/auth/gensec/gensec_util.c b/source4/auth/gensec/gensec_util.c
index fa28c6528c..2b890239b0 100644
--- a/source4/auth/gensec/gensec_util.c
+++ b/source4/auth/gensec/gensec_util.c
@@ -26,9 +26,6 @@
 #include "auth/auth.h"
 #include "auth/credentials/credentials.h"
 #include "auth/system_session_proto.h"
-#include "system/kerberos.h"
-#include "auth/kerberos/kerberos.h"
-#include "auth/kerberos/kerberos_util.h"
 
 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 struct gensec_security *gensec_security,
@@ -71,12 +68,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 const struct tsocket_address *remote_address,
 struct auth_session_info **session_info)
 {
- NTSTATUS nt_status;
 uint32_t session_info_flags = 0;
- TALLOC_CTX *mem_ctx;
- struct auth_user_info_dc *user_info_dc;
- struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
- struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
 
 if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
@@ -94,7 +86,7 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 principal_string));
 }
 
- if (gensec_security->auth_context) {
+ if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
 mem_ctx_out,
 smb_krb5_context,
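Review bot: The new condition on the `if` line in the third hunk now hands the PAC to `auth_context->generate_session_info_pac` without the NULL-`pac_blob` rejection that the removed in-function path performed (the `else if (!pac_blob)` branch deleted in the next hunk), so every callback installed on an auth_context has to validate the blob itself. A comment on the call such as `/* the auth_context callback owns all pac_blob validation; a NULL or malformed blob must be rejected there */` would record where that responsibility now lives. Whether pac_blob is forwarded unchecked has to be confirmed in the argument lines between this hunk and the next, which are outside the diff. The condition is also long enough that a local `struct auth_context *auth_context = gensec_security->auth_context;` would make the two-part test easier to read. gensec_generate_session_info_pac begins in the second hunk and its body continues past this one.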
@@ -103,54 +95,8 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
 remote_address,
 session_info_flags,
 session_info);
- } else if (!pac_blob) {
- DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n"));
- return NT_STATUS_NO_SUCH_USER;
- }
-
- mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
- NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
-
- pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
- if (!pac_srv_sig) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
- if (!pac_kdc_sig) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
- *pac_blob,
- smb_krb5_context->krb5_context,
- &user_info_dc,
- pac_srv_sig,
- pac_kdc_sig);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return nt_status;
- }
-
- session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
- nt_status = auth_generate_session_info(mem_ctx_out,
- NULL,
- NULL,
- user_info_dc, session_info_flags,
- session_info);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return nt_status;
- }
-
- if ((*session_info)->torture) {
- (*session_info)->torture->pac_srv_sig
- = talloc_steal((*session_info)->torture, pac_srv_sig);
- (*session_info)->torture->pac_kdc_sig
- = talloc_steal((*session_info)->torture, pac_kdc_sig);
+ } else {
+ DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+ return NT_STATUS_INTERNAL_ERROR;
 }
-
- talloc_free(mem_ctx);
- return nt_status;
 }
diff --git a/source4/auth/gensec/wscript_build b/source4/auth/gensec/wscript_build
index a4c5685f2e..9919cffeea 100644
--- a/source4/auth/gensec/wscript_build
+++ b/source4/auth/gensec/wscript_build
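Review bot: The DEBUG message on the added `else` branch says the auth_context is missing, but the guard it pairs with (in the previous hunk) also fails when `auth_context->generate_session_info_pac` is NULL, so the log would point at the wrong cause in that case; suggest `DEBUG(0, ("Cannot generate a session_info without an auth_context that provides generate_session_info_pac\n"));`. The status returned for the no-auth_context case also changes from NT_STATUS_NO_SUCH_USER to NT_STATUS_INTERNAL_ERROR; treating a missing callback as a configuration error rather than an authentication failure seems right, but any caller that matched on the old code would need checking. Since the in-function PAC parsing and the torture signature export are gone, the function's header comment should state that an auth_context with generate_session_info_pac is now mandatory and that all PAC handling, including rejection of a missing blob, happens in that callback.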
@@ -2,7 +2,7 @@
 
 bld.SAMBA_SUBSYSTEM('gensec_util',
 source='socket.c gensec_tstream.c gensec_util.c',
- deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL',
+ deps='tevent-util tevent samba-util LIBTSOCKET',
 autoproto='gensec_proto.h')
 
 bld.SAMBA_MODULE('gensec_krb5',
-- cgit