From ae42636167f82fee7fb38338dec605521162b5c2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 23 Dec 2004 02:23:42 +0000 Subject: r4338: reuse netlogon structs in the krb5 PAC that simplifies the code a lot... also add a note: we should fail the krb5 auth if there's no PAC present (when heimdal is ready for that:-) metze (This used to be commit 532641a7003d23b034a253d166482f18c2de6191) --- source4/libcli/auth/gensec_krb5.c | 124 ++++++-------------------------------- source4/librpc/idl/krb5pac.idl | 68 ++------------------- 2 files changed, 24 insertions(+), 168 deletions(-) (limited to 'source4') diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 88e7cdd2e3..9323580e92 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx, return status; } #endif - DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string)); + DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string)); *logon_info_out = logon_info; return status; @@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - struct security_token *ptoken; - struct dom_sid *sid; char *p; char *principal; const char *username; @@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some - * kind... */ + * kind... + * + * when heimdal can generate the PAC, we should fail if there's + * no PAC present + */ if (NT_STATUS_IS_OK(nt_status)) { - nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal); + union netr_Validation validation; + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(gensec_krb5_state, + username, + &server_info, + 3, + &validation); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - - server_info->guest = False; - - if (logon_info->account_name.string) { - server_info->account_name - = talloc_reference(server_info, - logon_info->account_name.string); - } else { - server_info->account_name = talloc_strdup(server_info, username); - } - - server_info->domain = talloc_reference(server_info, - logon_info->dom_name.string); - server_info->realm = talloc_strdup(server_info, realm); - server_info->full_name = talloc_reference(server_info, - logon_info->full_name.string); - server_info->logon_script = talloc_reference(server_info, - logon_info->logon_script.string); - server_info->profile_path = talloc_reference(server_info, - logon_info->profile_path.string); - server_info->home_directory = talloc_reference(server_info, - logon_info->home_directory.string); - server_info->home_drive = talloc_reference(server_info, - logon_info->home_drive.string); - - server_info->logon_count = logon_info->logon_count; - /* TODO: bad password count */ - - server_info->acct_flags = logon_info->acct_flags; - - if (!server_info->domain || !server_info->account_name || !server_info->realm) { - free_server_info(&server_info); - return NT_STATUS_NO_MEMORY; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - free_server_info(&server_info); - return nt_status; - } - - talloc_free(server_info); - - ptoken = security_token_initialise(session_info); - if (ptoken == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ptoken->num_sids = 0; - ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, - logon_info->groups_count + 2); - if (!ptoken->sids) { - return NT_STATUS_NO_MEMORY; - } - - - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid); - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid); - - ptoken->user_sid = server_info->user_sid; - ptoken->group_sid = server_info->primary_group_sid; - ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid); - ptoken->num_sids++; - ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid); - ptoken->num_sids++; - - for (;ptoken->num_sids < (logon_info->groups_count + 2); - ptoken->num_sids++) { - sid = dom_sid_dup(session_info, logon_info->dom_sid); - ptoken->sids[ptoken->num_sids] - = dom_sid_add_rid(session_info, sid, - logon_info->groups[ptoken->num_sids - 2].rid); - } - - /* setup any privileges for this token */ - nt_status = samdb_privilege_setup(ptoken); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(ptoken); - return nt_status; - } - - debug_security_token(DBGC_AUTH, 0, ptoken); - - session_info->security_token = ptoken; } else { - TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - /* references the server_info into the session_info */ - nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); return nt_status; } + } - talloc_free(mem_ctx); + /* references the server_info into the session_info */ + nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } talloc_free(principal); diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index 6efd8526b2..c424f09b78 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -8,84 +8,26 @@ uuid("46746756-7567-7567-5677-756756756756"), version(0.0), pointer_default(unique), - depends(security) + depends(security,netlogon) ] interface krb5pac { typedef struct { NTTIME logon_time; [flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name; - } UNKNOWN_TYPE_10; + } PAC_UNKNOWN_10; typedef [flag(NDR_PAHEX)] struct { uint32 type; uint8 signature[16]; } PAC_SIGNATURE_DATA; - typedef struct { - uint32 rid; - uint32 attrs; - } GROUP_MEMBERSHIP; - - typedef struct { - dom_sid2 *sid; - uint32 attrs; - } EXTRA_SIDS; - - typedef struct { - [value(strlen_m(r->string)*2)] uint16 size; - [value(r->size)] uint16 length; - unistr_noterm *string; - } pac_String; - - /* This is awfully similar to a samr_user_info_23, but not identical. - Many of the field names have been swiped from there, because it is - so similar that they are likely the same, but many have been verified. - Some are in a different order, though... */ typedef struct { uint32 unknown[5]; - NTTIME logon_time; /* logon time */ - NTTIME logoff_time; /* logoff time */ - NTTIME kickoff_time; /* kickoff time */ - NTTIME pass_last_set_time; /* password last set time */ - NTTIME pass_can_change_time; /* password can change time */ - NTTIME pass_must_change_time; /* password must change time */ - - pac_String account_name; - pac_String full_name; - pac_String logon_script; - pac_String profile_path; - pac_String home_directory; - pac_String home_drive; - - uint16 logon_count; /* number of times user has logged onto domain */ - uint16 reserved12; - - uint32 user_rid; - uint32 group_rid; - - uint32 groups_count; - [size_is(groups_count)] GROUP_MEMBERSHIP *groups; - - uint32 user_flags; - - uint32 reserved13[4]; - pac_String dom_controller; - pac_String dom_name; - - dom_sid2 *dom_sid; - - uint32 reserved16[2]; - uint32 acct_flags; /* looks like it may be acb_info */ - uint32 reserved18[7]; - - uint32 extra_sids_count; - [size_is(extra_sids_count)] EXTRA_SIDS *extra_sids; - + netr_SamInfo3 info3; dom_sid2 *res_group_dom_sid; - uint32 res_groups_count; - [size_is(res_groups_count)] GROUP_MEMBERSHIP *res_groups; + [size_is(res_groups_count)] netr_GroupMembership *res_groups; } PAC_LOGON_INFO; const uint8 PAC_TYPE_LOGON_INFO = 1; @@ -97,7 +39,7 @@ interface krb5pac [case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO logon_info; [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum; [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum; - [case(PAC_TYPE_UNKNOWN_10)] UNKNOWN_TYPE_10 type_10; + [case(PAC_TYPE_UNKNOWN_10)] PAC_UNKNOWN_10 type_10; } PAC_INFO; typedef struct { -- cgit