From ae42636167f82fee7fb38338dec605521162b5c2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 23 Dec 2004 02:23:42 +0000 Subject: r4338: reuse netlogon structs in the krb5 PAC that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191) --- source4/libcli/auth/gensec_krb5.c | 124 ++++++-------------------------------- 1 file changed, 19 insertions(+), 105 deletions(-) (limited to 'source4/libcli/auth') diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 88e7cdd2e3..9323580e92 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx, return status; } #endif - DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string)); + DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string)); *logon_info_out = logon_info; return status; @@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - struct security_token *ptoken; - struct dom_sid *sid; char *p; char *principal; const char *username; @@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some - * kind... */ + * kind... + * + * when heimdal can generate the PAC, we should fail if there's + * no PAC present + */ if (NT_STATUS_IS_OK(nt_status)) { - nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal); + union netr_Validation validation; + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(gensec_krb5_state, + username, + &server_info, + 3, + &validation); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - - server_info->guest = False; - - if (logon_info->account_name.string) { - server_info->account_name - = talloc_reference(server_info, - logon_info->account_name.string); - } else { - server_info->account_name = talloc_strdup(server_info, username); - } - - server_info->domain = talloc_reference(server_info, - logon_info->dom_name.string); - server_info->realm = talloc_strdup(server_info, realm); - server_info->full_name = talloc_reference(server_info, - logon_info->full_name.string); - server_info->logon_script = talloc_reference(server_info, - logon_info->logon_script.string); - server_info->profile_path = talloc_reference(server_info, - logon_info->profile_path.string); - server_info->home_directory = talloc_reference(server_info, - logon_info->home_directory.string); - server_info->home_drive = talloc_reference(server_info, - logon_info->home_drive.string); - - server_info->logon_count = logon_info->logon_count; - /* TODO: bad password count */ - - server_info->acct_flags = logon_info->acct_flags; - - if (!server_info->domain || !server_info->account_name || !server_info->realm) { - free_server_info(&server_info); - return NT_STATUS_NO_MEMORY; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - free_server_info(&server_info); - return nt_status; - } - - talloc_free(server_info); - - ptoken = security_token_initialise(session_info); - if (ptoken == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ptoken->num_sids = 0; - ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, - logon_info->groups_count + 2); - if (!ptoken->sids) { - return NT_STATUS_NO_MEMORY; - } - - - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid); - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid); - - ptoken->user_sid = server_info->user_sid; - ptoken->group_sid = server_info->primary_group_sid; - ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid); - ptoken->num_sids++; - ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid); - ptoken->num_sids++; - - for (;ptoken->num_sids < (logon_info->groups_count + 2); - ptoken->num_sids++) { - sid = dom_sid_dup(session_info, logon_info->dom_sid); - ptoken->sids[ptoken->num_sids] - = dom_sid_add_rid(session_info, sid, - logon_info->groups[ptoken->num_sids - 2].rid); - } - - /* setup any privileges for this token */ - nt_status = samdb_privilege_setup(ptoken); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(ptoken); - return nt_status; - } - - debug_security_token(DBGC_AUTH, 0, ptoken); - - session_info->security_token = ptoken; } else { - TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); return nt_status; } + } - talloc_free(mem_ctx); + /* references the server_info into the session_info */ + nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } talloc_free(principal); -- cgit