r1019: Push the auth subsystem away from using typedef, and over to the 'all
authorAndrew Bartlett <abartlet@samba.org>
Sat, 5 Jun 2004 01:39:08 +0000 (01:39 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:56:28 +0000 (12:56 -0500)
goodness and light' struct ;-)

Break apart the auth subsystem's return structures, into the parts
that a netlogon call cares about, and the parts that are for a local
session.  This is the 'struct session_info' and it will almost
completely replace the current information stored on a vuid, but be
generic to all login methods (RPC over TCP, for example).

Andrew Bartlett
(This used to be commit d199697014d9562f9439a30b950fda798c5ef419)

source4/auth/auth.c
source4/auth/auth.h
source4/auth/auth_builtin.c
source4/auth/auth_ntlmssp.c
source4/auth/auth_sam.c
source4/auth/auth_util.c
source4/include/smb.h
source4/ntvfs/ipc/vfs_ipc.c
source4/smb_server/password.c
source4/smb_server/sesssetup.c

index 49480eeac43cf8754bf4c1b6e5d110600cda9663..f22ca348e60c17f520812242211da4c7c238231b 100644 (file)
@@ -32,7 +32,7 @@ static const uint8_t *get_ntlm_challenge(struct auth_context *auth_context)
 {
        DATA_BLOB challenge = data_blob(NULL, 0);
        const char *challenge_set_by = NULL;
-       auth_methods *auth_method;
+       struct auth_methods *auth_method;
        TALLOC_CTX *mem_ctx;
 
        if (auth_context->challenge.length) {
@@ -158,7 +158,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 {
        /* if all the modules say 'not for me' this is reasonable */
        NTSTATUS nt_status = NT_STATUS_NO_SUCH_USER;
-       auth_methods *auth_method;
+       struct auth_methods *auth_method;
        TALLOC_CTX *mem_ctx;
 
        if (!user_info || !auth_context || !server_info)
@@ -253,7 +253,7 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 
 static void free_auth_context(struct auth_context **auth_context)
 {
-       auth_methods *auth_method;
+       struct auth_methods *auth_method;
 
        if (*auth_context) {
                /* Free private data of context's authentication methods */
@@ -301,8 +301,8 @@ static NTSTATUS make_auth_context(struct auth_context **auth_context)
 
 static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context, char **text_list) 
 {
-       auth_methods *list = NULL;
-       auth_methods *t = NULL;
+       struct auth_methods *list = NULL;
+       struct auth_methods *t = NULL;
        int i;
        NTSTATUS nt_status;
 
@@ -342,7 +342,7 @@ static NTSTATUS make_auth_context_text_list(struct auth_context **auth_context,
                if (NT_STATUS_IS_OK(ops->init(*auth_context, module_params, &t))) {
                        DEBUG(5,("make_auth_context_text_list: auth method %s has a valid init\n",
                                                *text_list));
-                       DLIST_ADD_END(list, t, auth_methods *);
+                       DLIST_ADD_END(list, t, struct auth_methods *);
                } else {
                        DEBUG(0,("make_auth_context_text_list: auth method %s did not correctly init\n",
                                                *text_list));
index c6a025dba85e10a40cabe5e6531a867923b209e0..c8347cad209b506b5cf7ebd58d38ad951c462289 100644 (file)
@@ -37,7 +37,7 @@ typedef struct auth_str
        char *str;
 } AUTH_STR;
 
-typedef struct auth_usersupplied_info
+struct auth_usersupplied_info
 {
        
        DATA_BLOB lm_resp;
@@ -54,7 +54,7 @@ typedef struct auth_usersupplied_info
        AUTH_STR           smb_name;        /* username before mapping */
        AUTH_STR           wksta_name;           /* workstation name (netbios calling name) unicode string */
        
-} auth_usersupplied_info;
+};
 
 #define SAM_FILL_NAME  0x01
 #define SAM_FILL_INFO3 0x02
@@ -62,20 +62,34 @@ typedef struct auth_usersupplied_info
 #define SAM_FILL_UNIX  0x08
 #define SAM_FILL_ALL (SAM_FILL_NAME | SAM_FILL_INFO3 | SAM_FILL_SAM | SAM_FILL_UNIX)
 
-typedef struct auth_serversupplied_info 
+struct auth_serversupplied_info 
 {
        TALLOC_CTX *mem_ctx;
 
        BOOL guest;
        
-       /* NT group information taken from the info3 structure */
-       
-       NT_USER_TOKEN *ptok;
+       struct dom_sid *user_sid;
+       struct dom_sid *primary_group_sid;
+
+       size_t n_domain_groups;
+       struct dom_sid **domain_groups;
        
        DATA_BLOB user_session_key;
        DATA_BLOB lm_session_key;
        
-} auth_serversupplied_info;
+};
+
+struct auth_session_info 
+{
+       TALLOC_CTX *mem_ctx;
+       /* NT group information taken from the info3 structure */
+       
+       NT_USER_TOKEN *nt_user_token;
+
+       struct auth_serversupplied_info *server_info;
+
+       DATA_BLOB session_key;
+};
 
 struct auth_context {
        DATA_BLOB challenge; 
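Review bot: The new `struct auth_session_info` carries no ownership documentation, and ownership is the subtle part here: make_session_info() in auth_util.c moves `server_info->mem_ctx` into `session_info->mem_ctx` and NULLs the original, so whoever destroys the session context also destroys the wrapped server_info. I would put `/* owns this struct and the server_info below; taken over from server_info by make_session_info() */` on `mem_ctx`, `/* defaults to server_info->user_session_key unless set otherwise */` on `session_key`, and replace the copied "taken from the info3 structure" comment on `nt_user_token` with one saying it is built by create_nt_user_token() from the SIDs in `server_info`. The new `user_sid`, `primary_group_sid` and `domain_groups` fields on `struct auth_serversupplied_info` likewise deserve a line noting that they are raw SIDs (not yet a token) and that `domain_groups` holds `n_domain_groups` entries.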
@@ -98,7 +112,7 @@ struct auth_context {
        void (*free)(struct auth_context **auth_context);
 };
 
-typedef struct auth_methods
+struct auth_methods
 {
        struct auth_methods *prev, *next;
        const char *name; /* What name got this module */
@@ -107,7 +121,7 @@ typedef struct auth_methods
                         void *my_private_data, 
                         TALLOC_CTX *mem_ctx,
                         const struct auth_usersupplied_info *user_info, 
-                        auth_serversupplied_info **server_info);
+                        struct auth_serversupplied_info **server_info);
 
        DATA_BLOB (*get_chal)(const struct auth_context *auth_context,
                              void **my_private_data, 
@@ -122,7 +136,7 @@ typedef struct auth_methods
        /* Function to send a keepalive message on the above structure */
        void (*send_keepalive)(void **private_data);
 
-} auth_methods;
+};
 
 typedef NTSTATUS (*auth_init_function)(struct auth_context *, const char *, struct auth_methods **);
 
index b5f5a101f4a574671d1b3efe61d250f3586dac22..d890b0ec72ed714588fbfebad3e145c687b71615 100644 (file)
@@ -35,8 +35,8 @@
 static NTSTATUS check_guest_security(const struct auth_context *auth_context,
                                     void *my_private_data, 
                                     TALLOC_CTX *mem_ctx,
-                                    const auth_usersupplied_info *user_info, 
-                                    auth_serversupplied_info **server_info)
+                                    const struct auth_usersupplied_info *user_info, 
+                                    struct auth_serversupplied_info **server_info)
 {
        /* mark this as 'not for me' */
        NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
@@ -51,7 +51,9 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
 
 /* Guest modules initialisation */
 
-static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *options, auth_methods **auth_method) 
+static NTSTATUS auth_init_guest(struct auth_context *auth_context, 
+                               const char *options, 
+                               struct auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method))
                return NT_STATUS_NO_MEMORY;
@@ -78,8 +80,8 @@ static NTSTATUS auth_init_guest(struct auth_context *auth_context, const char *o
 static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_context,
                                                void *my_private_data, 
                                                TALLOC_CTX *mem_ctx,
-                                               const auth_usersupplied_info *user_info, 
-                                               auth_serversupplied_info **server_info)
+                                               const struct auth_usersupplied_info *user_info, 
+                                               struct auth_serversupplied_info **server_info)
 {
        NTSTATUS nt_status;
        fstring user;
@@ -103,7 +105,9 @@ static NTSTATUS check_name_to_ntstatus_security(const struct auth_context *auth_
 
 /** Module initialisation function */
 
-static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, 
+                                          const char *param, 
+                                          struct auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method))
                return NT_STATUS_NO_MEMORY;
@@ -131,8 +135,8 @@ static NTSTATUS auth_init_name_to_ntstatus(struct auth_context *auth_context, co
 static NTSTATUS check_fixed_challenge_security(const struct auth_context *auth_context,
                                               void *my_private_data, 
                                               TALLOC_CTX *mem_ctx,
-                                              const auth_usersupplied_info *user_info, 
-                                              auth_serversupplied_info **server_info)
+                                              const struct auth_usersupplied_info *user_info, 
+                                              struct auth_serversupplied_info **server_info)
 {
        return NT_STATUS_NOT_IMPLEMENTED;
 }
@@ -152,7 +156,9 @@ static DATA_BLOB auth_get_fixed_challenge(const struct auth_context *auth_contex
 
 /** Module initailisation function */
 
-static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+static NTSTATUS auth_init_fixed_challenge(struct auth_context *auth_context, 
+                                         const char *param, 
+                                         struct auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method))
                return NT_STATUS_NO_MEMORY;
index 7e854359e0c29de37fd19fee04c6e3d03269a359..29bd92e7ef45c13963060f1ee7a2e8071c24419d 100644 (file)
@@ -78,7 +78,7 @@ static NTSTATUS auth_ntlmssp_set_challenge(struct ntlmssp_state *ntlmssp_state,
 static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key) 
 {
        struct auth_ntlmssp_state *auth_ntlmssp_state = ntlmssp_state->auth_context;
-       auth_usersupplied_info *user_info = NULL;
+       struct auth_usersupplied_info *user_info = NULL;
        NTSTATUS nt_status;
 
 #if 0
index 3b51b2f3965a516595cfffebb880464699cd5417..5d6e0b22f6460f146a552dc497c690d8cb170dc4 100644 (file)
@@ -33,8 +33,9 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                                TALLOC_CTX *mem_ctx,
                                const char *username,
                                uint16_t acct_flags,
-                               const uint8_t lm_pw[16], const uint8_t nt_pw[16],
-                               const auth_usersupplied_info *user_info, 
+                               const struct samr_Password *lm_pwd, 
+                               const struct samr_Password *nt_pwd,
+                               const struct auth_usersupplied_info *user_info, 
                                DATA_BLOB *user_sess_key, 
                                DATA_BLOB *lm_sess_key)
 {
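Review bot: `sam_password_ok` now takes `lm_pwd` and `nt_pwd` as `struct samr_Password *`, and the next hunk dereferences both unconditionally in `lm_pwd->hash, nt_pwd->hash`; the replaced `const uint8_t lm_pw[16]` parameters could not be NULL, but these pointers can. The matching declaration in check_sam_security (`struct samr_Password *lm_pwd, *nt_pwd;`) is initialised outside the visible hunks, so I cannot confirm from the diff whether an account without an LM hash reaches this call with a NULL pointer. If it can, this is a NULL dereference on the password-check path; either reject NULL at the call site or pass `lm_pwd ? lm_pwd->hash : NULL` provided the callee tolerates a missing LM hash. sam_password_ok's body continues outside the hunk.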
@@ -57,7 +58,7 @@ static NTSTATUS sam_password_ok(const struct auth_context *auth_context,
                                   username, 
                                   user_info->smb_name.str, 
                                   user_info->client_domain.str, 
-                                  lm_pw, nt_pw, user_sess_key, lm_sess_key);
+                                  lm_pwd->hash, nt_pwd->hash, user_sess_key, lm_sess_key);
 }
 
 
@@ -73,7 +74,7 @@ static NTSTATUS sam_account_ok(TALLOC_CTX *mem_ctx,
                               NTTIME *must_change_time,
                               NTTIME *last_set_time,
                               const char *workstation_list,
-                              const auth_usersupplied_info *user_info)
+                              const struct auth_usersupplied_info *user_info)
 {
        DEBUG(4,("sam_account_ok: Checking SMB password for user %s\n", username));
 
@@ -165,8 +166,8 @@ return an NT_STATUS constant.
 static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                                   void *my_private_data, 
                                   TALLOC_CTX *mem_ctx,
-                                  const auth_usersupplied_info *user_info, 
-                                  auth_serversupplied_info **server_info)
+                                  const struct auth_usersupplied_info *user_info, 
+                                  struct auth_serversupplied_info **server_info)
 {
        struct ldb_message **msgs;
        struct ldb_message **msgs_domain;
@@ -187,7 +188,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
        NTSTATUS nt_status;
        DATA_BLOB user_sess_key = data_blob(NULL, 0);
        DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-       uint8_t *lm_pwd, *nt_pwd;
+       struct samr_Password *lm_pwd, *nt_pwd;
 
        const char *attrs[] = {"unicodePwd", "lmPwdHash", "ntPwdHash", 
                               "userAccountControl",
@@ -311,7 +312,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                /* find list of sids */
                struct dom_sid **groupSIDs = NULL;
                struct dom_sid *user_sid;
-               struct dom_sid *group_sid;
+               struct dom_sid *primary_group_sid;
                const char *sidstr;
                int i;
 
@@ -335,19 +336,16 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                
                sidstr = ldb_msg_find_string(msgs[0], "objectSid", NULL);
                user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
-               group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
-               group_sid->sub_auths[group_sid->num_auths-1] 
+               primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, sidstr);
+               primary_group_sid->sub_auths[primary_group_sid->num_auths-1] 
                        = samdb_result_uint(msgs[0], "primaryGroupID", 0);
 
-               if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx, 
-                                                                    user_sid, group_sid, 
-                                                                    group_ret, groupSIDs, 
-                                                                    False, &(*server_info)->ptok))) {
-                       DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
-                       free_server_info(server_info);
-                       samdb_close(sam_ctx);
-                       return nt_status;
-               }
+               (*server_info)->user_sid = user_sid;
+               (*server_info)->primary_group_sid = primary_group_sid;
+               
+               (*server_info)->n_domain_groups = group_ret;
+               (*server_info)->domain_groups = groupSIDs;
+
        }
 
        (*server_info)->guest = False;
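Review bot: `primary_group_sid->sub_auths[primary_group_sid->num_auths-1]` writes through the result of `dom_sid_parse_talloc` without checking it, and `sidstr` comes from `ldb_msg_find_string(msgs[0], "objectSid", NULL)`, so it is NULL for an entry with no objectSid. `user_sid` is stored into `*server_info` equally unchecked now that the create_nt_user_token error path has moved out of this function into make_session_info(). If `dom_sid_parse_talloc` can return NULL on a missing or malformed SID, add `if (!user_sid || !primary_group_sid) { free_server_info(server_info); samdb_close(sam_ctx); return NT_STATUS_INTERNAL_DB_CORRUPTION; }` before the `sub_auths` assignment, reusing the cleanup the removed error path performed.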
@@ -359,7 +357,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
 }
 
 /* module initialisation */
-static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+static NTSTATUS auth_init_sam_ignoredomain(struct auth_context *auth_context, 
+                                          const char *param, 
+                                          struct auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method)) {
                return NT_STATUS_NO_MEMORY;
@@ -378,8 +378,8 @@ Check SAM security (above) but with a few extra checks.
 static NTSTATUS check_samstrict_security(const struct auth_context *auth_context,
                                         void *my_private_data, 
                                         TALLOC_CTX *mem_ctx,
-                                        const auth_usersupplied_info *user_info, 
-                                        auth_serversupplied_info **server_info)
+                                        const struct auth_usersupplied_info *user_info, 
+                                        struct auth_serversupplied_info **server_info)
 {
 
        if (!user_info || !auth_context) {
@@ -400,7 +400,9 @@ static NTSTATUS check_samstrict_security(const struct auth_context *auth_context
 }
 
 /* module initialisation */
-static NTSTATUS auth_init_sam(struct auth_context *auth_context, const char *param, auth_methods **auth_method) 
+static NTSTATUS auth_init_sam(struct auth_context *auth_context, 
+                             const char *param, 
+                             struct auth_methods **auth_method) 
 {
        if (!make_auth_methods(auth_context, auth_method)) {
                return NT_STATUS_NO_MEMORY;
index bdbc81882227d9c1266f65e93511fe53b58af322..2044d246664d291a59dce8247333b0a0f2bda682 100644 (file)
@@ -29,7 +29,7 @@
 /****************************************************************************
  Create an auth_usersupplied_data structure
 ****************************************************************************/
-static NTSTATUS make_user_info(auth_usersupplied_info **user_info, 
+static NTSTATUS make_user_info(struct auth_usersupplied_info **user_info, 
                                const char *smb_name, 
                                const char *internal_username,
                                const char *client_domain, 
@@ -118,7 +118,7 @@ static NTSTATUS make_user_info(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure after appropriate mapping.
 ****************************************************************************/
 
-NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, 
+NTSTATUS make_user_info_map(struct auth_usersupplied_info **user_info, 
                            const char *smb_name, 
                            const char *client_domain, 
                            const char *wksta_name, 
@@ -157,7 +157,7 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info,
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
-BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info, 
+BOOL make_user_info_netlogon_network(struct auth_usersupplied_info **user_info, 
                                     const char *smb_name, 
                                     const char *client_domain, 
                                     const char *wksta_name, 
@@ -189,7 +189,7 @@ BOOL make_user_info_netlogon_network(auth_usersupplied_info **user_info,
  Decrypt and encrypt the passwords.
 ****************************************************************************/
 
-BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info, 
+BOOL make_user_info_netlogon_interactive(struct auth_usersupplied_info **user_info, 
                                         const char *smb_name, 
                                         const char *client_domain, 
                                         const char *wksta_name, 
@@ -289,7 +289,7 @@ BOOL make_user_info_netlogon_interactive(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure
 ****************************************************************************/
 
-BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, 
+BOOL make_user_info_for_reply(struct auth_usersupplied_info **user_info, 
                              const char *smb_name, 
                              const char *client_domain,
                              const uint8_t chal[8],
@@ -343,7 +343,7 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
  Create an auth_usersupplied_data structure
 ****************************************************************************/
 
-NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info, 
+NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info, 
                                       const char *smb_name,
                                       const char *client_domain, 
                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
@@ -361,7 +361,7 @@ NTSTATUS make_user_info_for_reply_enc(auth_usersupplied_info **user_info,
  Create a guest user_info blob, for anonymous authenticaion.
 ****************************************************************************/
 
-BOOL make_user_info_guest(auth_usersupplied_info **user_info) 
+BOOL make_user_info_guest(struct auth_usersupplied_info **user_info) 
 {
        NTSTATUS nt_status;
 
@@ -491,10 +491,11 @@ NTSTATUS create_nt_user_token(TALLOC_CTX *mem_ctx,
  Make a user_info struct
 ***************************************************************************/
 
-NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *username)
+NTSTATUS make_server_info(struct auth_serversupplied_info **server_info, 
+                         const char *username)
 {
        TALLOC_CTX *mem_ctx = talloc_init("auth subsystem: server_info for %s", username);
-       *server_info = talloc_p(mem_ctx, auth_serversupplied_info);
+       *server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
        if (!*server_info) {
                DEBUG(0,("make_server_info: malloc failed!\n"));
                talloc_destroy(mem_ctx);
@@ -508,12 +509,10 @@ NTSTATUS make_server_info(auth_serversupplied_info **server_info, const char *us
 /***************************************************************************
  Make (and fill) a user_info struct for a guest login.
 ***************************************************************************/
-NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
+NTSTATUS make_server_info_guest(struct auth_serversupplied_info **server_info)
 {
        NTSTATUS nt_status;
        static const char zeros[16];
-       struct dom_sid *sid_Anonymous;
-       struct dom_sid *sid_Builtin_Guests;
 
        nt_status = make_server_info(server_info, "");
 
@@ -523,17 +522,10 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
        
        (*server_info)->guest = True;
 
-       sid_Anonymous = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
-       sid_Builtin_Guests = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
-       
-       if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token((*server_info)->mem_ctx, 
-                                                             sid_Anonymous, sid_Builtin_Guests,
-                                                             0, NULL, 
-                                                             True, &(*server_info)->ptok))) {
-               DEBUG(1,("check_sam_security: create_nt_user_token failed with '%s'\n", nt_errstr(nt_status)));
-               free_server_info(server_info);
-               return nt_status;
-       }
+       (*server_info)->user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
+       (*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
+       (*server_info)->n_domain_groups = 0;
+       (*server_info)->domain_groups = NULL;
        
        /* annoying, but the Guest really does have a session key, 
           and it is all zeros! */
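Review bot: The two `dom_sid_parse_talloc` results are assigned straight into `*server_info` with no check, whereas the replaced code at least passed them through create_nt_user_token() and freed the server_info when that failed. A NULL `user_sid` or `primary_group_sid` produced here (allocation failure, for instance) would now travel into make_session_info() and create_nt_user_token() unchecked. I would add the check directly after the two assignments, mirroring the error handling that used to live here:

```c
	(*server_info)->user_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_ANONYMOUS);
	(*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info)->mem_ctx, SID_BUILTIN_GUESTS);
	if (!(*server_info)->user_sid || !(*server_info)->primary_group_sid) {
		free_server_info(server_info);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: n_domain_groups/domain_groups and the all-zero session key … */
```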
@@ -547,7 +539,7 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
  Free a user_info struct
 ***************************************************************************/
 
-void free_user_info(auth_usersupplied_info **user_info)
+void free_user_info(struct auth_usersupplied_info **user_info)
 {
        DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
        if (*user_info != NULL) {
@@ -571,7 +563,7 @@ void free_user_info(auth_usersupplied_info **user_info)
  Clear out a server_info struct that has been allocated
 ***************************************************************************/
 
-void free_server_info(auth_serversupplied_info **server_info)
+void free_server_info(struct auth_serversupplied_info **server_info)
 {
        DEBUG(5,("attempting to free a server_info structure\n"));
        if (!*server_info) {
@@ -584,7 +576,7 @@ void free_server_info(auth_serversupplied_info **server_info)
  Make an auth_methods struct
 ***************************************************************************/
 
-BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_method) 
+BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method) 
 {
        if (!auth_context) {
                smb_panic("no auth_context supplied to make_auth_methods()!\n");
@@ -604,18 +596,35 @@ BOOL make_auth_methods(struct auth_context *auth_context, auth_methods **auth_me
        return True;
 }
 
-/****************************************************************************
- Delete a SID token.
-****************************************************************************/
-
-void delete_nt_token(NT_USER_TOKEN **pptoken)
+NTSTATUS make_session_info(struct auth_serversupplied_info *server_info, 
+                          struct auth_session_info **session_info) 
 {
-    if (*pptoken) {
-           NT_USER_TOKEN *ptoken = *pptoken;
-           SAFE_FREE( ptoken->user_sids );
-           ZERO_STRUCTP(ptoken);
-    }
-    SAFE_FREE(*pptoken);
+       NTSTATUS nt_status;
+
+       *session_info = talloc_p(server_info->mem_ctx, struct auth_session_info);
+       if (!*session_info) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       
+       (*session_info)->mem_ctx = server_info->mem_ctx;
+       server_info->mem_ctx = NULL; /* make sure not to accidentily destory it, 
+                                       and this information is now constant */
+       (*session_info)->server_info = server_info;
+
+       /* unless set otherwise, the session key is the user session
+        * key from the auth subsystem */
+       (*session_info)->session_key = server_info->user_session_key;
+       
+       nt_status = create_nt_user_token((*session_info)->mem_ctx, 
+                                        server_info->user_sid, 
+                                        server_info->primary_group_sid, 
+                                        server_info->n_domain_groups, 
+                                        server_info->domain_groups,
+                                        False, 
+                                        &(*session_info)->nt_user_token);
+       
+       return nt_status;
 }
 
 /**
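Review bot: make_session_info() hands `server_info->mem_ctx` over to the new session_info and NULLs it before calling create_nt_user_token(), but on failure it returns the error with `*session_info` still pointing at the half-built object and `server_info->mem_ctx` already gone, so the caller can neither use the session nor reclaim it with free_server_info() (whose visible NULL check on `*server_info` does not cover a NULLed `mem_ctx`). The callers in sesssetup.c just return on a non-OK status, which leaks the whole context. I would restore the hand-over on failure and clear the out-parameter; `server_info` itself is also dereferenced without a NULL check, and the comment reads "accidentily destory" for "accidentally destroy".

```c
	/* … unchanged: talloc of *session_info, mem_ctx hand-over, session_key … */
	nt_status = create_nt_user_token(/* … unchanged arguments … */);
	if (!NT_STATUS_IS_OK(nt_status)) {
		/* give the context back so the caller can still free_server_info() */
		server_info->mem_ctx = (*session_info)->mem_ctx;
		*session_info = NULL;
	}
	return nt_status;
```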
index f0ddab65af93215b98ff91b809dbed8573108243..2b047f41ad377a1c035661ad0d472fae3fb75df8 100644 (file)
@@ -873,13 +873,11 @@ typedef struct user_struct
        struct user_struct *next, *prev;
        uint16_t vuid; /* Tag for this entry. */
 
-       DATA_BLOB session_key;
-
        char *session_keystr; /* used by utmp and pam session code.  
                                 TDB key string */
        int homes_snum;
 
-       struct auth_serversupplied_info *server_info;
+       struct auth_session_info *session_info;
 
 } user_struct;
 
index 9a2589a2eebc7d3b6afab9ef31efddc16e6f9d33..7ebf35d5cb4c84a0cc5d5880da8b2f2b7b2442a9 100644 (file)
@@ -254,7 +254,9 @@ static NTSTATUS ipc_open_generic(struct request_context *req, const char *fname,
 
        /* tell the RPC layer the transport session key */
        if (req->user_ctx->vuser) {
-               dcesrv_set_session_key(p->dce_conn, req->user_ctx->vuser->session_key);
+               /* TODO: Fix this to push more than just a session key
+                * down - we need the entire session_info, reference counted... */
+               dcesrv_set_session_key(p->dce_conn, req->user_ctx->vuser->session_info->session_key);
        }
 
        return NT_STATUS_OK;
index ca89003cf1c0407ad1988f43a0326452f87db849..075638852ca8acb1fa0572bf8da7f9cc051a8f82 100644 (file)
@@ -55,12 +55,10 @@ void invalidate_vuid(struct server_context *smb, uint16_t vuid)
 
        if (vuser == NULL)
                return;
-       
-       data_blob_free(&vuser->session_key);
 
        session_yield(vuser);
 
-       free_server_info(&vuser->server_info);
+       talloc_destroy(vuser->session_info->mem_ctx);
 
        DLIST_REMOVE(smb->users.validated_users, vuser);
 
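Review bot: `talloc_destroy(vuser->session_info->mem_ctx)` dereferences `session_info` unguarded, whereas the free_server_info() call it replaces tolerated a NULL pointer (its `if (!*server_info)` check is visible in the auth_util.c hunk). register_vuid() does assign `session_info` before any path that reaches invalidate_vuid(), so this is probably safe today, but a vuser that was allocated and not fully registered would crash here; `if (vuser->session_info) { talloc_destroy(vuser->session_info->mem_ctx); }` keeps the old tolerance. Note also that the session key bytes now leave memory via talloc_destroy rather than the removed `data_blob_free(&vuser->session_key)`; if the project has a clearing free for key material, this is the place to use it.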
@@ -101,8 +99,7 @@ void invalidate_all_vuids(struct server_context *smb)
  */
 
 int register_vuid(struct server_context *smb,
-                 struct auth_serversupplied_info *server_info, 
-                 DATA_BLOB *session_key,
+                 struct auth_session_info *session_info,
                  const char *smb_name)
 {
        user_struct *vuser = NULL;
@@ -135,18 +132,8 @@ int register_vuid(struct server_context *smb,
 
        vuser->vuid = smb->users.next_vuid;
 
-       vuser->session_key = *session_key;
-
-       if (!server_info->ptok) {
-               DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
-               free_server_info(&server_info);
-
-               SAFE_FREE(vuser);
-               return UID_FIELD_INVALID;
-       }
-
        /* use this to keep tabs on all our info from the authentication */
-       vuser->server_info = server_info;
+       vuser->session_info = session_info;
 
        smb->users.next_vuid++;
        smb->users.num_validated_vuids++;
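Review bot: The removed `if (!server_info->ptok)` guard has no counterpart on the new side, so register_vuid() now stores `session_info` without checking that it, or its `nt_user_token`, is present; the commit relies on every caller checking make_session_info()'s status first. That is true for the two sesssetup callers in this diff, but register_vuid() is a non-static entry point, so I would keep a cheap guard before the assignment: `if (!session_info || !session_info->nt_user_token) { SAFE_FREE(vuser); return UID_FIELD_INVALID; }`, with the caller remaining owner of `session_info` on that path. register_vuid's body starts and ends outside this hunk.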
@@ -156,7 +143,7 @@ int register_vuid(struct server_context *smb,
        if (!session_claim(smb, vuser)) {
                DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid));
                invalidate_vuid(smb, vuser->vuid);
-               return -1;
+               return UID_FIELD_INVALID;
        }
 
        return vuser->vuid;
index fdcc1d298a6f2e2915c94ae69ef5064bc6c01084..12b17c366ab815c8cac9f6d8803416381701ed3b 100644 (file)
@@ -41,10 +41,10 @@ static void sesssetup_common_strings(struct request_context *req,
 static NTSTATUS sesssetup_old(struct request_context *req, union smb_sesssetup *sess)
 {
        NTSTATUS status;
-       auth_usersupplied_info *user_info = NULL;
-       auth_serversupplied_info *server_info = NULL;
+       struct auth_usersupplied_info *user_info = NULL;
+       struct auth_serversupplied_info *server_info = NULL;
+       struct auth_session_info *session_info;
        DATA_BLOB null_blob;
-       DATA_BLOB session_key;
 
        if (!req->smb->negotiate.done_sesssetup) {
                req->smb->negotiate.max_send = sess->old.in.bufsize;
@@ -67,14 +67,13 @@ static NTSTATUS sesssetup_old(struct request_context *req, union smb_sesssetup *
                return nt_status_squash(status);
        }
 
-       if (server_info->user_session_key.data) {
-               session_key = data_blob(server_info->user_session_key.data, server_info->user_session_key.length);
-       } else {
-               session_key = data_blob(NULL, 0);
+       status = make_session_info(server_info, &session_info);
+       if (!NT_STATUS_IS_OK(status)) {
+               return nt_status_squash(status);
        }
 
        sess->old.out.action = 0;
-       sess->old.out.vuid = register_vuid(req->smb, server_info, &session_key, sess->old.in.user);
+       sess->old.out.vuid = register_vuid(req->smb, session_info, sess->old.in.user);
        sesssetup_common_strings(req, 
                                 &sess->old.out.os,
                                 &sess->old.out.lanman,
@@ -90,9 +89,9 @@ static NTSTATUS sesssetup_old(struct request_context *req, union smb_sesssetup *
 static NTSTATUS sesssetup_nt1(struct request_context *req, union smb_sesssetup *sess)
 {
        NTSTATUS status;
-       auth_usersupplied_info *user_info = NULL;
-       auth_serversupplied_info *server_info = NULL;
-       DATA_BLOB session_key;
+       struct auth_usersupplied_info *user_info = NULL;
+       struct auth_serversupplied_info *server_info = NULL;
+       struct auth_session_info *session_info;
 
        if (!req->smb->negotiate.done_sesssetup) {
                req->smb->negotiate.max_send = sess->nt1.in.bufsize;
@@ -114,21 +113,22 @@ static NTSTATUS sesssetup_nt1(struct request_context *req, union smb_sesssetup *
                return nt_status_squash(status);
        }
 
-       if (server_info->user_session_key.data) {
-               session_key = data_blob(server_info->user_session_key.data, server_info->user_session_key.length);
-       } else {
-               session_key = data_blob(NULL, 0);
+       status = make_session_info(server_info, &session_info);
+       if (!NT_STATUS_IS_OK(status)) {
+               return nt_status_squash(status);
        }
 
        sess->nt1.out.action = 0;
-       sess->nt1.out.vuid = register_vuid(req->smb, server_info, &session_key, sess->old.in.user);
+       sess->nt1.out.vuid = register_vuid(req->smb, session_info, sess->old.in.user);
+       if (sess->nt1.out.vuid == UID_FIELD_INVALID) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
        sesssetup_common_strings(req, 
                                 &sess->nt1.out.os,
                                 &sess->nt1.out.lanman,
                                 &sess->nt1.out.domain);
-
-       srv_setup_signing(req->smb, &session_key, &sess->nt1.in.password2);
-
+       
+       srv_setup_signing(req->smb, &session_info->session_key, &sess->nt1.in.password2);
        return NT_STATUS_OK;
 }