#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
-struct auth_serversupplied_info
-{
- size_t num_sids;
- struct dom_sid *sids;
-
- DATA_BLOB user_session_key;
- DATA_BLOB lm_session_key;
-
- const char *account_name;
- const char *domain_name;
-
- const char *full_name;
- const char *logon_script;
- const char *profile_path;
- const char *home_directory;
- const char *home_drive;
- const char *logon_server;
-
- NTTIME last_logon;
- NTTIME last_logoff;
- NTTIME acct_expiry;
- NTTIME last_password_change;
- NTTIME allow_password_change;
- NTTIME force_password_change;
-
- uint16_t logon_count;
- uint16_t bad_password_count;
-
- uint32_t acct_flags;
-
- bool authenticated;
-
- struct PAC_SIGNATURE_DATA pac_srv_sig, pac_kdc_sig;
-};
-
struct auth_method_context;
struct auth_check_password_request;
struct auth_context;
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
-
- /* Lookup a 'server info' return based only on the principal */
- NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- const char *principal,
- struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info);
+ struct auth_user_info_dc **interim_info);
+
+ /* Lookup a 'session info interim' return based only on the principal or DN */
+ NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_context,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ struct auth_user_info_dc **interim_info);
};
struct auth_method_context {
NTSTATUS (*check_password)(struct auth_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_user_info_dc **user_info_dc);
NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, uint8_t chal[8]);
NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
- NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_ctx,
- const char *principal,
- struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info);
+ NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ struct auth_user_info_dc **user_info_dc);
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info);
};
int sizeof_auth_methods;
int sizeof_auth_context;
int sizeof_auth_usersupplied_info;
- int sizeof_auth_serversupplied_info;
+ int sizeof_auth_user_info_dc;
};
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
unsigned int *num_res_sids);
struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
-NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
+NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
const char *netbios_name,
const char *domain_name,
struct ldb_dn *domain_dn,
struct ldb_message *msg,
DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **_server_info);
+ struct auth_user_info_dc **_user_info_dc);
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info) ;
NTSTATUS auth_check_password(struct auth_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info);
+ struct auth_user_info_dc **user_info_dc);
NTSTATUS auth_init(void);
NTSTATUS auth_register(const struct auth_operations *ops);
NTSTATUS server_service_auth_init(void);
const struct auth_usersupplied_info *user_info);
NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info);
+ struct auth_user_info_dc **user_info_dc);
bool auth_challenge_may_be_modified(struct auth_context *auth_ctx);
NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
-NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
+NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
struct auth_context *auth_ctx,
const char *principal,
struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info);
+ struct auth_user_info_dc **user_info_dc);
NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
struct tevent_context *event_ctx,
#include "libcli/security/security.h"
#include "auth/auth_sam_reply.h"
-NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
+ struct auth_user_info_dc *user_info_dc,
struct netr_SamBaseInfo **_sam)
{
NTSTATUS status;
+ struct auth_user_info *info;
struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
NT_STATUS_HAVE_NO_MEMORY(sam);
- if (server_info->num_sids > PRIMARY_USER_SID_INDEX) {
- status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX],
+ if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
+ status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX],
&sam->domain_sid, &sam->rid);
if (!NT_STATUS_IS_OK(status)) {
return status;
return NT_STATUS_INVALID_PARAMETER;
}
- if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) {
- status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX],
+ if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
+ status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX],
NULL, &sam->primary_gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
sam->primary_gid = sam->rid;
}
- sam->last_logon = server_info->last_logon;
- sam->last_logoff = server_info->last_logoff;
- sam->acct_expiry = server_info->acct_expiry;
- sam->last_password_change = server_info->last_password_change;
- sam->allow_password_change = server_info->allow_password_change;
- sam->force_password_change = server_info->force_password_change;
-
- sam->account_name.string = server_info->account_name;
- sam->full_name.string = server_info->full_name;
- sam->logon_script.string = server_info->logon_script;
- sam->profile_path.string = server_info->profile_path;
- sam->home_directory.string = server_info->home_directory;
- sam->home_drive.string = server_info->home_drive;
-
- sam->logon_count = server_info->logon_count;
+ info = user_info_dc->info;
+
+ sam->last_logon = info->last_logon;
+ sam->last_logoff = info->last_logoff;
+ sam->acct_expiry = info->acct_expiry;
+ sam->last_password_change = info->last_password_change;
+ sam->allow_password_change = info->allow_password_change;
+ sam->force_password_change = info->force_password_change;
+
+ sam->account_name.string = info->account_name;
+ sam->full_name.string = info->full_name;
+ sam->logon_script.string = info->logon_script;
+ sam->profile_path.string = info->profile_path;
+ sam->home_directory.string = info->home_directory;
+ sam->home_drive.string = info->home_drive;
+
+ sam->logon_count = info->logon_count;
sam->bad_password_count = sam->bad_password_count;
sam->groups.count = 0;
sam->groups.rids = NULL;
- if (server_info->num_sids > 2) {
+ if (user_info_dc->num_sids > 2) {
size_t i;
sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
- server_info->num_sids);
+ user_info_dc->num_sids);
if (sam->groups.rids == NULL)
return NT_STATUS_NO_MEMORY;
- for (i=2; i<server_info->num_sids; i++) {
- struct dom_sid *group_sid = &server_info->sids[i];
+ for (i=2; i<user_info_dc->num_sids; i++) {
+ struct dom_sid *group_sid = &user_info_dc->sids[i];
if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
/* We handle this elsewhere */
continue;
}
sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
- sam->acct_flags = server_info->acct_flags;
- sam->logon_server.string = server_info->logon_server;
- sam->domain.string = server_info->domain_name;
+ sam->acct_flags = user_info_dc->info->acct_flags;
+ sam->logon_server.string = user_info_dc->info->logon_server;
+ sam->domain.string = user_info_dc->info->domain_name;
ZERO_STRUCT(sam->unknown);
ZERO_STRUCT(sam->key);
- if (server_info->user_session_key.length == sizeof(sam->key.key)) {
- memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
+ if (user_info_dc->user_session_key.length == sizeof(sam->key.key)) {
+ memcpy(sam->key.key, user_info_dc->user_session_key.data, sizeof(sam->key.key));
}
ZERO_STRUCT(sam->LMSessKey);
- if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
- memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
+ if (user_info_dc->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
+ memcpy(sam->LMSessKey.key, user_info_dc->lm_session_key.data,
sizeof(sam->LMSessKey.key));
}
}
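Review bot: The field copy rewritten here still leaves `sam->bad_password_count = sam->bad_password_count;` as a self-assignment right after the new `sam->logon_count = info->logon_count;` line, so the converted SamBaseInfo always reports zero bad-password attempts (sam is talloc_zero'd) instead of the value carried in the new `info` struct; it should read `sam->bad_password_count = info->bad_password_count;`. The new `info = user_info_dc->info;` assignment is dereferenced unconditionally a few lines later; if any producer of struct auth_user_info_dc can leave `info` NULL (the struct definition is not in this diff), a guard returning NT_STATUS_INVALID_PARAMETER would be cheaper than a crash in the PAC/netlogon path. Parts of the function body between the shown lines are not in the hunk.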
/* Note that the validity of the _sam3 structure is only as long as
- * the server_info it was generated from */
-NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+ * the user_info_dc it was generated from */
+NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
+ struct auth_user_info_dc *user_info_dc,
struct netr_SamInfo3 **_sam3)
{
struct netr_SamBaseInfo *sam;
size_t i;
NT_STATUS_HAVE_NO_MEMORY(sam3);
- status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam);
+ status = auth_convert_user_info_dc_sambaseinfo(sam3, user_info_dc, &sam);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(sam3);
return status;
sam3->sids = talloc_array(sam, struct netr_SidAttr,
- server_info->num_sids);
+ user_info_dc->num_sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
/* We don't put the user and group SIDs in there */
- for (i=2; i<server_info->num_sids; i++) {
- if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) {
+ for (i=2; i<user_info_dc->num_sids; i++) {
+ if (dom_sid_in_domain(sam->domain_sid, &user_info_dc->sids[i])) {
continue;
}
- sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]);
+ sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &user_info_dc->sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
sam3->sids[sam3->sidcount].attributes =
SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
}
/**
- * Make a server_info struct from the info3 returned by a domain logon
+ * Make a user_info_dc struct from the info3 returned by a domain logon
*/
-NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
+NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
const char *account_name,
uint16_t validation_level,
union netr_Validation *validation,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
struct netr_SamBaseInfo *base = NULL;
uint32_t i;
return NT_STATUS_INVALID_LEVEL;
}
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/*
Here is where we should check the list of
return NT_STATUS_INVALID_PARAMETER;
}
- server_info->num_sids = 2;
+ user_info_dc->num_sids = 2;
- server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids + base->groups.count);
- NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+ user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
- server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
- server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < base->groups.count; i++) {
- server_info->sids[server_info->num_sids] = *base->domain_sid;
- if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) {
+ user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
- server_info->num_sids++;
+ user_info_dc->num_sids++;
}
/* Copy 'other' sids. We need to do sid filtering here to
*/
if (validation_level == 3) {
- struct dom_sid *dgrps = server_info->sids;
+ struct dom_sid *dgrps = user_info_dc->sids;
size_t sidcount;
/* The IDL layer would be a better place to check this, but to
return NT_STATUS_INVALID_PARAMETER;
}
- sidcount = server_info->num_sids + validation->sam3->sidcount;
+ sidcount = user_info_dc->num_sids + validation->sam3->sidcount;
if (validation->sam3->sidcount > 0) {
- dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount);
+ dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid, sidcount);
NT_STATUS_HAVE_NO_MEMORY(dgrps);
for (i = 0; i < validation->sam3->sidcount; i++) {
if (validation->sam3->sids[i].sid) {
- dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid;
- server_info->num_sids++;
+ dgrps[user_info_dc->num_sids] = *validation->sam3->sids[i].sid;
+ user_info_dc->num_sids++;
}
}
}
- server_info->sids = dgrps;
+ user_info_dc->sids = dgrps;
/* Where are the 'global' sids?... */
}
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
+
if (base->account_name.string) {
- server_info->account_name = talloc_reference(server_info, base->account_name.string);
+ info->account_name = talloc_reference(info, base->account_name.string);
} else {
- server_info->account_name = talloc_strdup(server_info, account_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ info->account_name = talloc_strdup(info, account_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
}
- server_info->domain_name = talloc_reference(server_info, base->domain.string);
- server_info->full_name = talloc_reference(server_info, base->full_name.string);
- server_info->logon_script = talloc_reference(server_info, base->logon_script.string);
- server_info->profile_path = talloc_reference(server_info, base->profile_path.string);
- server_info->home_directory = talloc_reference(server_info, base->home_directory.string);
- server_info->home_drive = talloc_reference(server_info, base->home_drive.string);
- server_info->logon_server = talloc_reference(server_info, base->logon_server.string);
- server_info->last_logon = base->last_logon;
- server_info->last_logoff = base->last_logoff;
- server_info->acct_expiry = base->acct_expiry;
- server_info->last_password_change = base->last_password_change;
- server_info->allow_password_change = base->allow_password_change;
- server_info->force_password_change = base->force_password_change;
- server_info->logon_count = base->logon_count;
- server_info->bad_password_count = base->bad_password_count;
- server_info->acct_flags = base->acct_flags;
-
- server_info->authenticated = true;
+ info->domain_name = talloc_reference(info, base->domain.string);
+ info->full_name = talloc_reference(info, base->full_name.string);
+ info->logon_script = talloc_reference(info, base->logon_script.string);
+ info->profile_path = talloc_reference(info, base->profile_path.string);
+ info->home_directory = talloc_reference(info, base->home_directory.string);
+ info->home_drive = talloc_reference(info, base->home_drive.string);
+ info->logon_server = talloc_reference(info, base->logon_server.string);
+ info->last_logon = base->last_logon;
+ info->last_logoff = base->last_logoff;
+ info->acct_expiry = base->acct_expiry;
+ info->last_password_change = base->last_password_change;
+ info->allow_password_change = base->allow_password_change;
+ info->force_password_change = base->force_password_change;
+ info->logon_count = base->logon_count;
+ info->bad_password_count = base->bad_password_count;
+ info->acct_flags = base->acct_flags;
+
+ info->authenticated = true;
/* ensure we are never given NULL session keys */
if (all_zero(base->key.key, sizeof(base->key.key))) {
- server_info->user_session_key = data_blob(NULL, 0);
+ user_info_dc->user_session_key = data_blob(NULL, 0);
} else {
- server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key));
- NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key));
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
}
if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
- server_info->lm_session_key = data_blob(NULL, 0);
+ user_info_dc->lm_session_key = data_blob(NULL, 0);
} else {
- server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key));
- NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key));
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
}
- ZERO_STRUCT(server_info->pac_srv_sig);
- ZERO_STRUCT(server_info->pac_kdc_sig);
-
- *_server_info = server_info;
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
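Review bot: The new `info->account_name = talloc_reference(info, base->account_name.string);` branch does not check for NULL, while the sibling `talloc_strdup` branch directly below it does with NT_STATUS_HAVE_NO_MEMORY; talloc_reference can fail on allocation, so the two branches should be treated alike, e.g. `NT_STATUS_HAVE_NO_MEMORY(info->account_name);` after the reference as well (the same applies to the seven talloc_reference calls on domain_name through logon_server). Separately, the commit drops the ZERO_STRUCT calls for the PAC signatures but keeps allocating the container with plain `talloc(mem_ctx, struct auth_user_info_dc)`; since struct auth_user_info_dc is not visible here, it is safer to use `user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);` so any member not assigned in this function (now or after a later addition) is not uninitialized memory that ends up in a PAC or session. Parts of the function body between the shown lines are not in the hunk.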
/**
- * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon
*/
-NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
struct PAC_LOGON_INFO *pac_logon_info,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
uint32_t i;
NTSTATUS nt_status;
union netr_Validation validation;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
validation.sam3 = &pac_logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (pac_logon_info->res_groups.count > 65535) {
- talloc_free(server_info);
+ talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
return NT_STATUS_INVALID_PARAMETER;
}
- sidcount = server_info->num_sids + pac_logon_info->res_groups.count;
- server_info->sids
- = talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
+ sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count;
+ user_info_dc->sids
+ = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
- server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid;
- if (!sid_append_rid(&server_info->sids[server_info->num_sids],
+ user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid;
+ if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
pac_logon_info->res_groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
- server_info->num_sids++;
+ user_info_dc->num_sids++;
}
}
- *_server_info = server_info;
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
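Review bot: The renamed loop over `res_groups` returns NT_STATUS_INVALID_PARAMETER on a sid_append_rid failure without releasing `user_info_dc`, whereas the res_groups.count check a few lines earlier does `talloc_free(user_info_dc);` before returning and the realloc uses NT_STATUS_HAVE_NO_MEMORY_AND_FREE; the error paths should be consistent, i.e. `talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER;` inside the loop. The partially built object is otherwise left hanging off mem_ctx with a num_sids/sids pair that a caller might mistake for a valid result if it ignores the status. Parts of the function body between the shown lines are not in the hunk.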
NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
if (gensec_security->auth_context) {
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
- server_info,
+ user_info_dc,
flags,
session_info);
} else {
nt_status = auth_generate_session_info(mem_ctx,
NULL,
NULL,
- server_info, flags,
+ user_info_dc, flags,
session_info);
}
return nt_status;
struct gensec_security;
struct socket_context;
struct auth_context;
-struct auth_serversupplied_info;
+struct auth_user_info_dc;
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
TALLOC_CTX *mem_ctx;
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
OM_uint32 maj_stat, min_stat;
gss_buffer_desc pac;
DATA_BLOB pac_blob;
+ struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
|| (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
* kind...
*/
if (pac_blob.length) {
- nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
- pac_blob,
- gensec_gssapi_state->smb_krb5_context->krb5_context,
- &server_info);
+ pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_srv_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_kdc_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ pac_blob,
+ gensec_gssapi_state->smb_krb5_context->krb5_context,
+ &user_info_dc,
+ pac_srv_sig,
+ pac_kdc_sig);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
NULL,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
}
}
- /* references the server_info into the session_info */
+ /* references the user_info_dc into the session_info */
nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
- server_info, &session_info);
+ user_info_dc, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
return nt_status;
}
+ /* Allow torture tests to check the PAC signatures */
+ if (session_info->torture) {
+ session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
+ session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
+ }
+
if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
} else {
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
struct PAC_LOGON_INFO *logon_info;
DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
principal_string, smb_get_krb5_error_message(context,
ret, mem_ctx)));
- nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
+ nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
- NULL, &server_info);
+ NULL, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
}
validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
NULL,
3, &validation,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
krb5_free_principal(context, client_principal);
free(principal_string);
krb5_free_principal(context, client_principal);
- /* references the server_info into the session_info */
- nt_status = gensec_generate_session_info(mem_ctx, gensec_security, server_info, &session_info);
+ /* references the user_info_dc into the session_info */
+ nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
#include "auth/kerberos/krb5_init_context.h"
#include "librpc/gen_ndr/krb5pac.h"
-struct auth_serversupplied_info;
+struct auth_user_info_dc;
struct cli_credentials;
struct ccache_container {
const krb5_keyblock *service_keyblock,
DATA_BLOB *pac);
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
talloc_free(pac_data);
return ENOMEM;
}
- nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3);
+ nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
return ret;
}
-krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
- krb5_pac pac,
- krb5_context context,
- struct auth_serversupplied_info **server_info)
+krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
+ krb5_pac pac,
+ krb5_context context,
+ struct auth_user_info_dc **user_info_dc,
+ struct PAC_SIGNATURE_DATA *pac_srv_sig,
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig)
{
NTSTATUS nt_status;
enum ndr_err_code ndr_err;
krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
union PAC_INFO info;
- struct auth_serversupplied_info *server_info_out;
+ struct auth_user_info_dc *user_info_dc_out;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
}
/* Pull this right into the normal auth sysstem structures */
- nt_status = make_server_info_pac(mem_ctx,
+ nt_status = make_user_info_dc_pac(mem_ctx,
info.logon_info.info,
- &server_info_out);
+ &user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return EINVAL;
}
- ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
- if (ret != 0) {
- talloc_free(tmp_ctx);
- return ret;
- }
-
- pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
-
- ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out,
- &server_info_out->pac_srv_sig,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- krb5_data_free(&k5pac_srv_checksum_in);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DEBUG(0,("can't parse the KDC signature: %s\n",
- nt_errstr(nt_status)));
- return EINVAL;
- }
+ if (pac_srv_sig) {
+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
+ if (ret != 0) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
- ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
- if (ret != 0) {
- talloc_free(tmp_ctx);
- return ret;
+ pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
+
+ ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
+ pac_srv_sig,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ krb5_data_free(&k5pac_srv_checksum_in);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the KDC signature: %s\n",
+ nt_errstr(nt_status)));
+ return EINVAL;
+ }
}
- pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
+ if (pac_kdc_sig) {
+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
+ if (ret != 0) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
- ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out,
- &server_info_out->pac_kdc_sig,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- krb5_data_free(&k5pac_kdc_checksum_in);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DEBUG(0,("can't parse the KDC signature: %s\n",
- nt_errstr(nt_status)));
- return EINVAL;
+ pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
+
+ ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
+ pac_kdc_sig,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ krb5_data_free(&k5pac_kdc_checksum_in);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the KDC signature: %s\n",
+ nt_errstr(nt_status)));
+ return EINVAL;
+ }
}
-
- *server_info = server_info_out;
+ *user_info_dc = user_info_dc_out;
return 0;
}
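Review bot: Both new NDR-parse failure branches (`if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err))` for the server and the KDC checksum) return EINVAL without `talloc_free(tmp_ctx);`, while the krb5_pac_get_buffer failure directly above each of them does free it; make the exit uniform with `talloc_free(tmp_ctx); return EINVAL;`. The server-checksum branch also logs "can't parse the KDC signature", which will misdirect anyone debugging a PAC whose PAC_TYPE_SRV_CHECKSUM buffer is malformed; use `DEBUG(0,("can't parse the server signature: %s\n", nt_errstr(nt_status)));` there. Worth a comment on the two new out-parameters as well, since this function only pulls the signature buffers into the caller-supplied PAC_SIGNATURE_DATA and nothing here verifies them; the cryptographic check presumably happens when the krb5_pac is parsed by the library, so callers must not treat a non-NULL pac_srv_sig/pac_kdc_sig as evidence the PAC was validated. Parts of the function body between the shown lines are not in the hunk.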
-NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB pac_blob,
- krb5_context context,
- struct auth_serversupplied_info **server_info)
+NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx,
+ DATA_BLOB pac_blob,
+ krb5_context context,
+ struct auth_user_info_dc **user_info_dc,
+ struct PAC_SIGNATURE_DATA *pac_srv_sig,
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig)
{
krb5_error_code ret;
krb5_pac pac;
}
- ret = kerberos_pac_to_server_info(mem_ctx, pac, context, server_info);
+ ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig);
krb5_pac_free(context, pac);
if (ret) {
return map_nt_error_from_unix(ret);
Supply either a principal or a DN
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
+_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
struct auth_context *auth_ctx,
const char *principal,
struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
NTSTATUS nt_status;
struct auth_method_context *method;
for (method = auth_ctx->methods; method; method = method->next) {
- if (!method->ops->get_server_info_principal) {
+ if (!method->ops->get_user_info_dc_principal) {
continue;
}
- nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
+ nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
* (sync version)
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
* @param user_info Contains the user supplied components, including the passwords.
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
_PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
struct tevent_req *subreq;
struct tevent_context *ev;
return NT_STATUS_INTERNAL_ERROR;
}
- status = auth_check_password_recv(subreq, mem_ctx, server_info);
+ status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
TALLOC_FREE(subreq);
return status;
struct auth_check_password_state {
struct auth_context *auth_ctx;
const struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
struct auth_method_context *method;
};
* async send hook
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
status = method->ops->check_password(method,
state,
state->user_info,
- &state->server_info);
+ &state->user_info_dc);
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
/* the backend has handled the request */
break;
* Check a user's Plaintext, LM or NTLM password.
* async receive function
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
* @param req The async request state
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
struct auth_check_password_state *state =
tevent_req_data(req, struct auth_check_password_state);
DEBUG(5,("auth_check_password_recv: "
"%s authentication for user [%s\\%s] succeeded\n",
state->method->ops->name,
- state->server_info->domain_name,
- state->server_info->account_name));
+ state->user_info_dc->info->domain_name,
+ state->user_info_dc->info->account_name));
- *server_info = talloc_move(mem_ctx, &state->server_info);
+ *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
tevent_req_received(req);
return NT_STATUS_OK;
* know that session_info is generated from the main ldb */
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
- auth_context->sam_ctx, server_info,
+ auth_context->sam_ctx, user_info_dc,
session_info_flags, session_info);
}
ctx->get_challenge = auth_get_challenge;
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
- ctx->get_server_info_principal = auth_get_server_info_principal;
+ ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
ctx->generate_session_info = auth_generate_session_info_wrapper;
*auth_ctx = ctx;
sizeof(struct auth_method_context),
sizeof(struct auth_context),
sizeof(struct auth_usersupplied_info),
- sizeof(struct auth_serversupplied_info)
+ sizeof(struct auth_user_info_dc)
};
return &critical_sizes;
static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
- return auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _server_info);
+ return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc);
}
static const struct auth_operations anonymous_auth_ops = {
static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
uint32_t error_num;
const char *user;
}
NT_STATUS_NOT_OK_RETURN(nt_status);
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
- server_info->num_sids = 1;
- server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+ user_info_dc->num_sids = 1;
+ user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
- server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
- server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
- data_blob_clear(&server_info->user_session_key);
- data_blob_clear(&server_info->lm_session_key);
+ data_blob_clear(&user_info_dc->user_session_key);
+ data_blob_clear(&user_info_dc->lm_session_key);
- server_info->account_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->account_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->full_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s Anonymous Logon", user);
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+ info->domain_name = talloc_strdup(user_info_dc, "NT AUTHORITY");
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ info->full_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s Anonymous Logon", user);
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ info->logon_script = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ info->profile_path = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ info->home_directory = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
+ info->home_drive = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
- server_info->acct_flags = ACB_NORMAL;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
- server_info->authenticated = false;
+ info->acct_flags = ACB_NORMAL;
- *_server_info = server_info;
+ info->authenticated = true;
+
+ *_user_info_dc = user_info_dc;
return nt_status;
}
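Review bot: L1025 sets `info->authenticated = true;` where the removed line L1022 set `server_info->authenticated = false;`, so this rename also flips the flag for the name_to_ntstatus backend; per L1195–L1197 that flag is what adds AUTH_SESSION_INFO_AUTHENTICATED to the generated session, and the parallel server_check_password hunk keeps `false` at L1174. If the flip is intended it deserves its own commit or at least a comment such as `/* name_to_ntstatus logons count as authenticated, unlike the anonymous path */`; otherwise restore `info->authenticated = false;`. Separately, the string fields here (L981–L1009) and in server_check_password (L1132–L1158) are allocated on `user_info_dc`, while authunix (L1231–L1298) and authsam (L1504–L1546) allocate them on `info`; choosing one parent keeps `info` safely movable on its own. The enclosing function's signature is in the preceding hunk at L935.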
static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
/* don't handle any users */
return NT_STATUS_NO_SUCH_USER;
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
NTSTATUS nt_status;
const char *account_name = user_info->mapped.account_name;
return nt_status;
}
- nt_status = authsam_make_server_info(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
+ nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
domain_dn,
msg,
user_sess_key, lm_sess_key,
- server_info);
+ user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
- talloc_steal(mem_ctx, *server_info);
+ talloc_steal(mem_ctx, *user_info_dc);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
/* Wrapper for the auth subsystem pointer */
-static NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx,
+static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
const char *principal,
struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
- return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
- principal, user_dn, server_info);
+ return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
+ principal, user_dn, user_info_dc);
}
static const struct auth_operations sam_ignoredomain_ops = {
.name = "sam_ignoredomain",
.get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_ignoredomain_want_check,
.check_password = authsam_check_password_internals,
- .get_server_info_principal = authsam_get_server_info_principal_wrapper
+ .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
};
static const struct auth_operations sam_ops = {
.get_challenge = auth_get_challenge_not_implemented,
.want_check = authsam_want_check,
.check_password = authsam_check_password_internals,
- .get_server_info_principal = authsam_get_server_info_principal_wrapper
+ .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
};
_PUBLIC_ NTSTATUS auth_sam_init(void)
static NTSTATUS server_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
struct cli_credentials *creds;
struct smb_composite_sesssetup session_setup;
return nt_status;
}
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
- server_info->num_sids = 1;
+ user_info_dc->num_sids = 1;
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
- server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+ user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
- server_info->user_session_key = data_blob(NULL, 0);
- server_info->lm_session_key = data_blob(NULL, 0);
+ user_info_dc->user_session_key = data_blob(NULL, 0);
+ user_info_dc->lm_session_key = data_blob(NULL, 0);
- server_info->account_name = talloc_strdup(server_info, user_info->client.account_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- server_info->domain_name = talloc_strdup(server_info, user_info->client.domain_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->account_name = talloc_strdup(user_info_dc, user_info->client.account_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->full_name = NULL;
+ info->domain_name = talloc_strdup(user_info_dc, user_info->client.domain_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ info->full_name = NULL;
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ info->logon_script = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ info->profile_path = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ info->home_directory = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
+ info->home_drive = talloc_strdup(user_info_dc, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
- server_info->acct_flags = ACB_NORMAL;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
- server_info->authenticated = false;
+ info->acct_flags = ACB_NORMAL;
- *_server_info = server_info;
+ info->authenticated = false;
+
+ *_user_info_dc = user_info_dc;
return nt_status;
}
{
struct auth_context *auth_context;
struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
NTSTATUS nt_status;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
- nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info);
+ nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
if (session_info) {
uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
nt_status = auth_context->generate_session_info(tmp_ctx, auth_context,
- server_info,
+ user_info_dc,
flags,
session_info);
/* TODO: look at how to best fill in parms retrieveing a struct passwd info
* except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set
*/
-static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
+static NTSTATUS authunix_make_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
const struct auth_usersupplied_info *user_info,
struct passwd *pwd,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
NTSTATUS status;
/* This is a real, real hack */
if (pwd->pw_uid == 0) {
- status = auth_system_server_info(mem_ctx, netbios_name, &server_info);
+ status = auth_system_user_info_dc(mem_ctx, netbios_name, &user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
- server_info->account_name = talloc_steal(server_info, pwd->pw_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
+
+ info->account_name = talloc_steal(info, pwd->pw_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->domain_name = talloc_strdup(server_info, "unix");
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->domain_name = talloc_strdup(info, "unix");
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
} else {
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
- server_info->authenticated = true;
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
+
+ info->authenticated = true;
- server_info->account_name = talloc_steal(server_info, pwd->pw_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ info->account_name = talloc_steal(info, pwd->pw_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->domain_name = talloc_strdup(server_info, "unix");
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->domain_name = talloc_strdup(info, "unix");
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
/* This isn't in any way correct.. */
- server_info->num_sids = 0;
- server_info->sids = NULL;
- }
- server_info->user_session_key = data_blob(NULL,0);
- server_info->lm_session_key = data_blob(NULL,0);
-
- server_info->full_name = talloc_steal(server_info, pwd->pw_gecos);
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
-
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
- server_info->acct_flags = 0;
-
- *_server_info = server_info;
+ user_info_dc->num_sids = 0;
+ user_info_dc->sids = NULL;
+ }
+ user_info_dc->user_session_key = data_blob(NULL,0);
+ user_info_dc->lm_session_key = data_blob(NULL,0);
+
+ info->full_name = talloc_steal(info, pwd->pw_gecos);
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
+ info->logon_script = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
+ info->profile_path = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
+ info->home_directory = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
+ info->home_drive = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
+
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
+ info->acct_flags = 0;
+
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
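Review bot: In the `pw_uid == 0` branch, L1228 replaces the `info` that `auth_system_user_info_dc()` presumably attaches (it fills the same struct type) with a fresh `talloc_zero`, so whatever that helper set — including `authenticated` and `logon_server` — is discarded; the old code kept the system-supplied server_info and only overrode the two names (L1226, L1233). The common tail (L1287–L1309) never sets `authenticated`, so root logons would come out with `authenticated == false` while the else branch sets `true` at L1246. If the helper populates `info`, replace L1228–L1229 with `info = user_info_dc->info;`; if it does not, keep the allocation but move `info->authenticated = true;` out of the else branch into the common tail so both paths agree.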
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
TALLOC_CTX *check_ctx;
NTSTATUS nt_status;
return nt_status;
}
- nt_status = authunix_make_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
- user_info, pwd, server_info);
+ nt_status = authunix_make_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
+ user_info, pwd, user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(check_ctx);
return nt_status;
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
NTSTATUS status;
struct dcerpc_binding_handle *irpc_handle;
status = dcerpc_winbind_SamLogon_r(irpc_handle, s, &s->req);
NT_STATUS_NOT_OK_RETURN(status);
- status = make_server_info_netlogon_validation(mem_ctx,
+ status = make_user_info_dc_netlogon_validation(mem_ctx,
user_info->client.account_name,
s->req.in.validation_level,
&s->req.out.validation,
- server_info);
+ user_info_dc);
NT_STATUS_NOT_OK_RETURN(status);
return NT_STATUS_OK;
static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
struct wbcAuthUserParams params;
struct wbcAuthUserInfo *info = NULL;
NT_STATUS_NOT_OK_RETURN(nt_status);
validation.sam3 = &info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
user_info->client.account_name,
- 3, &validation, server_info);
+ 3, &validation, user_info_dc);
return nt_status;
}
struct gensec_security *gensec_security;
struct ntlmssp_state *ntlmssp_state;
struct auth_context *auth_context;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
};
struct loadparm_context;
nt_status = auth_context->check_password(auth_context,
gensec_ntlmssp,
user_info,
- &gensec_ntlmssp->server_info);
+ &gensec_ntlmssp->user_info_dc);
talloc_free(user_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
- if (gensec_ntlmssp->server_info->user_session_key.length) {
+ if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
DEBUG(10, ("Got NT session key of length %u\n",
- (unsigned)gensec_ntlmssp->server_info->user_session_key.length));
- *user_session_key = gensec_ntlmssp->server_info->user_session_key;
+ (unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
+ *user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
talloc_steal(mem_ctx, user_session_key->data);
- gensec_ntlmssp->server_info->user_session_key = data_blob_null;
+ gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
}
- if (gensec_ntlmssp->server_info->lm_session_key.length) {
+ if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
DEBUG(10, ("Got LM session key of length %u\n",
- (unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
- *lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
+ (unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
+ *lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
talloc_steal(mem_ctx, lm_session_key->data);
- gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
+ gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
}
return nt_status;
}
nt_status = gensec_generate_session_info(ntlmssp_state,
gensec_security,
- gensec_ntlmssp->server_info,
+ gensec_ntlmssp->user_info_dc,
session_info);
NT_STATUS_NOT_OK_RETURN(nt_status);
/* check 'allowed workstations' */
"userWorkstations",
- /* required for server_info, not access control: */
+ /* required for user_info_dc, not access control: */
"displayName",
"scriptPath",
"profilePath",
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
+_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
const char *netbios_name,
const char *domain_name,
struct ldb_message *msg,
DATA_BLOB user_sess_key,
DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
NTSTATUS status;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
const char *str, *filter;
/* SIDs for the account and his primary group */
struct dom_sid *account_sid;
TALLOC_CTX *tmp_ctx;
struct ldb_message_element *el;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
- tmp_ctx = talloc_new(server_info);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
+ tmp_ctx = talloc_new(user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc);
- sids = talloc_array(server_info, struct dom_sid, 2);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info);
+ sids = talloc_array(user_info_dc, struct dom_sid, 2);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc);
num_sids = 2;
- account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
+ account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid");
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc);
status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(server_info);
+ talloc_free(user_info_dc);
return status;
}
* for builtin groups later, and not include them in the PAC
* on SamLogon validation info */
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc);
primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc);
primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc);
primary_group_blob = data_blob_string_const(primary_group_dn);
* 'only childs' flag to true
*/
status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
- server_info, &sids, &num_sids);
+ user_info_dc, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(server_info);
+ talloc_free(user_info_dc);
return status;
}
* them, as long as they meet the filter - so only
* domain groups, not builtin groups */
status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
- server_info, &sids, &num_sids);
+ user_info_dc, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
- talloc_free(server_info);
+ talloc_free(user_info_dc);
return status;
}
}
- server_info->sids = sids;
- server_info->num_sids = num_sids;
+ user_info_dc->sids = sids;
+ user_info_dc->num_sids = num_sids;
- server_info->account_name = talloc_steal(server_info,
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
+
+ info->account_name = talloc_steal(info,
ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
- server_info->domain_name = talloc_strdup(server_info, domain_name);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name,
- server_info);
+ info->domain_name = talloc_strdup(info, domain_name);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name,
+ user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "displayName", "");
- server_info->full_name = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, server_info);
+ info->full_name = talloc_strdup(info, str);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "scriptPath", "");
- server_info->logon_script = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script,
- server_info);
+ info->logon_script = talloc_strdup(info, str);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script,
+ user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "profilePath", "");
- server_info->profile_path = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path,
- server_info);
+ info->profile_path = talloc_strdup(info, str);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path,
+ user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "homeDirectory", "");
- server_info->home_directory = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory,
- server_info);
+ info->home_directory = talloc_strdup(info, str);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory,
+ user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "homeDrive", "");
- server_info->home_drive = talloc_strdup(server_info, str);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, server_info);
+ info->home_drive = talloc_strdup(info, str);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc);
- server_info->logon_server = talloc_strdup(server_info, netbios_name);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server,
- server_info);
+ info->logon_server = talloc_strdup(info, netbios_name);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server,
+ user_info_dc);
- server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
- server_info->last_logoff = samdb_result_last_logoff(msg);
- server_info->acct_expiry = samdb_result_account_expires(msg);
- server_info->last_password_change = samdb_result_nttime(msg,
+ info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
+ info->last_logoff = samdb_result_last_logoff(msg);
+ info->acct_expiry = samdb_result_account_expires(msg);
+ info->last_password_change = samdb_result_nttime(msg,
"pwdLastSet", 0);
- server_info->allow_password_change
+ info->allow_password_change
= samdb_result_allow_password_change(sam_ctx, mem_ctx,
domain_dn, msg, "pwdLastSet");
- server_info->force_password_change
+ info->force_password_change
= samdb_result_force_password_change(sam_ctx, mem_ctx,
domain_dn, msg);
- server_info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
- server_info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
+ info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
+ info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
0);
- server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
+ info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
msg, domain_dn);
- server_info->user_session_key = data_blob_talloc(server_info,
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc,
user_sess_key.data,
user_sess_key.length);
if (user_sess_key.data) {
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->user_session_key.data,
- server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data,
+ user_info_dc);
}
- server_info->lm_session_key = data_blob_talloc(server_info,
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc,
lm_sess_key.data,
lm_sess_key.length);
if (lm_sess_key.data) {
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->lm_session_key.data,
- server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data,
+ user_info_dc);
}
- if (server_info->acct_flags & ACB_SVRTRUST) {
+ if (info->acct_flags & ACB_SVRTRUST) {
/* the SID_NT_ENTERPRISE_DCS SID gets added into the
PAC */
- server_info->sids = talloc_realloc(server_info,
- server_info->sids,
+ user_info_dc->sids = talloc_realloc(user_info_dc,
+ user_info_dc->sids,
struct dom_sid,
- server_info->num_sids+1);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
- server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs;
- server_info->num_sids++;
+ user_info_dc->num_sids+1);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
+ user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs;
+ user_info_dc->num_sids++;
}
- if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
+ if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
(ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
/* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
- server_info->sids = talloc_realloc(server_info,
- server_info->sids,
+ user_info_dc->sids = talloc_realloc(user_info_dc,
+ user_info_dc->sids,
struct dom_sid,
- server_info->num_sids+1);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
- server_info->sids[server_info->num_sids] = *domain_sid;
- sid_append_rid(&server_info->sids[server_info->num_sids],
+ user_info_dc->num_sids+1);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
+ user_info_dc->sids[user_info_dc->num_sids] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
DOMAIN_RID_ENTERPRISE_READONLY_DCS);
- server_info->num_sids++;
+ user_info_dc->num_sids++;
}
- server_info->authenticated = true;
+ info->authenticated = true;
talloc_free(tmp_ctx);
- *_server_info = server_info;
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
Supply either a principal or a DN
*/
-NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
+NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *sam_ctx,
const char *principal,
struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
NTSTATUS nt_status;
DATA_BLOB user_sess_key = data_blob(NULL, 0);
"(&(objectSid=%s)(objectClass=domain))",
ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
if (!domain_dn) {
- DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
+ DEBUG(3, ("authsam_get_user_info_dc_principal: Failed to find domain with: SID %s\n",
dom_sid_string(tmp_ctx, domain_sid)));
return NT_STATUS_NO_SUCH_USER;
}
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
+ nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx,
lpcfg_netbios_name(lp_ctx),
lpcfg_workgroup(lp_ctx),
domain_dn,
msg,
user_sess_key, lm_sess_key,
- server_info);
+ user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
- talloc_steal(mem_ctx, *server_info);
+ talloc_steal(mem_ctx, *user_info_dc);
talloc_free(tmp_ctx);
return NT_STATUS_OK;
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **_session_info)
{
session_info = talloc(tmp_ctx, struct auth_session_info);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
- session_info->server_info = talloc_reference(session_info, server_info);
+ session_info->info = talloc_reference(session_info, user_info_dc->info);
+
+ session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
+ session_info->torture->num_dc_sids = user_info_dc->num_sids;
+ session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
- session_info->session_key = server_info->user_session_key;
+ session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
+ if (!session_info->session_key.data && session_info->session_key.length) {
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
+ }
anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
- sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids);
+ sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
if (!sids) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- num_sids = server_info->num_sids;
+ num_sids = user_info_dc->num_sids;
- for (i=0; i < server_info->num_sids; i++) {
- sids[i] = server_info->sids[i];
+ for (i=0; i < user_info_dc->num_sids; i++) {
+ sids[i] = user_info_dc->sids[i];
}
- if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
+ if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
- for (i = 0; i < server_info->num_sids; i++) {
+ for (i = 0; i < user_info_dc->num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
sid_string = dom_sid_string(tmp_ctx,
- &server_info->sids[i]);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info);
+ &user_info_dc->sids[i]);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
talloc_free(sid_string);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
sid_blob = data_blob_string_const(sid_dn);
/* This function takes in memberOf values and expands
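Review bot: The out-of-memory paths on L1742 and L1746 free `user_info_dc`, the caller-owned input, while every other failure path in this function frees `tmp_ctx`; the commit renamed the argument but kept the wrong context, so an allocation failure inside the group-search loop releases the caller's object (on which L1691 and L1696 just took talloc_references) and leaks tmp_ctx. Both should read `NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, tmp_ctx);` and `NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, tmp_ctx);`. The explicit `if (!sids)` block on L1712–L1715 is unreachable after the macro on L1711 and can be dropped. auth_generate_session_info continues past the end of this hunk.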
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
- nt_status = authsam_get_server_info_principal(tmp_ctx, lp_ctx, sam_ctx,
+ nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx,
principal, user_dn,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx,
- server_info, session_info_flags,
+ user_info_dc, session_info_flags,
session_info);
if (NT_STATUS_IS_OK(nt_status)) {
struct auth_session_info {
struct security_token *security_token;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info *info;
+ struct auth_user_info_torture *torture;
DATA_BLOB session_key;
struct cli_credentials *credentials;
};
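Review bot: The new `torture` member of struct auth_session_info is undocumented, and nothing at the declaration says that non-test code depends on it (the ntvfs open path in this same commit rebuilds an auth_user_info_dc from `torture->num_dc_sids` and `torture->dc_sids`). A comment on the field such as `/* SIDs as supplied by the DC, before local group expansion; kept for the torture tests and the info3 rebuild in ntvfs — authorisation decisions use security_token */` would keep the next reader from treating it as test-only or, worse, using it in place of the token. Since `info` is a talloc_reference to the DC-supplied struct rather than a copy, it is worth noting on that line that it is shared, not owned.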
#include "librpc/gen_ndr/netlogon.h"
+#include "librpc/gen_ndr/auth.h"
struct tevent_context;
struct ldb_context;
* the off-host credentials */
struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
-NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
- const char *netbios_name,
- struct auth_serversupplied_info **_server_info) ;
+NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
+ const char *netbios_name,
+ struct auth_user_info_dc **interim_info);
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *interim_info,
uint32_t session_info_flags,
- struct auth_session_info **_session_info);
+ struct auth_session_info **session_info);
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
- struct auth_session_info **_session_info);
+ struct auth_session_info **session_info);
/* Produce a session_info for an arbitary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
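Review bot: The parameter names in these prototypes no longer match their definitions: L1791 and L1796 say `interim_info` while the definitions on L2099 and L1684 use `_user_info_dc` and `user_info_dc`, and L1799/L1803 say `session_info` while the definition on L1686 keeps `_session_info`. Since the header is what callers read, align them with the definitions, e.g. `struct auth_user_info_dc *user_info_dc,` on L1796 and `struct auth_session_info **_session_info);` on L1799, or rename the definitions in the same commit.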
#include "libcli/security/security.h"
#include "auth/credentials/credentials.h"
#include "param/param.h"
-#include "auth/auth.h" /* for auth_serversupplied_info */
+#include "auth/auth.h" /* for auth_user_info_dc */
#include "auth/session.h"
#include "auth/system_session_proto.h"
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
- nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
- &server_info);
+ nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
- /* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
+ /* references the user_info_dc into the session_info */
+ nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
return NT_STATUS_OK;
}
-NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
- struct auth_serversupplied_info **_server_info)
+NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
+ struct auth_user_info_dc **_user_info_dc)
{
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
- server_info->num_sids = 1;
- server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
- NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+ user_info_dc->num_sids = 1;
+ user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
- server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
- server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
- data_blob_clear(&server_info->user_session_key);
- data_blob_clear(&server_info->lm_session_key);
+ data_blob_clear(&user_info_dc->user_session_key);
+ data_blob_clear(&user_info_dc->lm_session_key);
- server_info->account_name = talloc_strdup(server_info, "SYSTEM");
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->account_name = talloc_strdup(info, "SYSTEM");
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->full_name = talloc_strdup(server_info, "System");
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+ info->domain_name = talloc_strdup(info, "NT AUTHORITY");
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ info->full_name = talloc_strdup(info, "System");
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ info->logon_script = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ info->profile_path = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ info->home_directory = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
- server_info->logon_server = talloc_strdup(server_info, netbios_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
+ info->home_drive = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
+ info->logon_server = talloc_strdup(info, netbios_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
- server_info->acct_flags = ACB_NORMAL;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
- server_info->authenticated = true;
+ info->acct_flags = ACB_NORMAL;
- *_server_info = server_info;
+ info->authenticated = true;
+
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
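Review bot: The container on L1847 is allocated with `talloc` while `info` on L1873 gets `talloc_zero`; only `num_sids`, `sids`, the two session keys and `info` are assigned here, so any other member of struct auth_user_info_dc (it comes from the IDL header added by this commit and is not visible in the diff) stays uninitialised in a struct that is later converted into PAC and SamInfo data. `user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);` is the safer default; the same pattern is on L1943 and L2106. Conversely, the explicit `info->… = 0` assignments on L1913–L1921 are redundant after `talloc_zero` and can go. The comment on L1857–L1858 still talks about "the Anonymous" inside the SYSTEM helper and looks like a stale copy.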
-static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
+static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
const char *domain_name,
struct dom_sid *domain_sid,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
- server_info->num_sids = 7;
- server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids);
+ user_info_dc->num_sids = 7;
+ user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
- server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
- sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
- server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
- sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
- server_info->sids[2] = global_sid_Builtin_Administrators;
+ user_info_dc->sids[2] = global_sid_Builtin_Administrators;
- server_info->sids[3] = *domain_sid;
- sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS);
- server_info->sids[4] = *domain_sid;
- sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
- server_info->sids[5] = *domain_sid;
- sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS);
- server_info->sids[6] = *domain_sid;
- sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
+ user_info_dc->sids[3] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
+ user_info_dc->sids[4] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
+ user_info_dc->sids[5] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
+ user_info_dc->sids[6] = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
/* What should the session key be?*/
- server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
+
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
- server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+ data_blob_clear(&user_info_dc->user_session_key);
+ data_blob_clear(&user_info_dc->lm_session_key);
- data_blob_clear(&server_info->user_session_key);
- data_blob_clear(&server_info->lm_session_key);
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- server_info->account_name = talloc_strdup(server_info, "Administrator");
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ info->account_name = talloc_strdup(info, "Administrator");
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->domain_name = talloc_strdup(server_info, domain_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->domain_name = talloc_strdup(info, domain_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
- server_info->full_name = talloc_strdup(server_info, "Administrator");
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+ info->full_name = talloc_strdup(info, "Administrator");
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ info->logon_script = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ info->profile_path = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ info->home_directory = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ info->home_drive = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
- server_info->logon_server = talloc_strdup(server_info, netbios_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
+ info->logon_server = talloc_strdup(info, netbios_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
- server_info->acct_flags = ACB_NORMAL;
+ info->acct_flags = ACB_NORMAL;
- server_info->authenticated = true;
+ info->authenticated = true;
- *_server_info = server_info;
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
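Review bot: L1956 appends DOMAIN_RID_USERS to `sids[PRIMARY_USER_SID_INDEX]`, which already received DOMAIN_RID_ADMINISTRATOR on L1952, so the user SID gets two RIDs appended and `sids[PRIMARY_GROUP_SID_INDEX]` is left as the bare domain SID; the commit carries this over from the old code on L1954. It should read `sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);`. The `talloc_array` on L1948 is also written through on L1951 without a NULL check, unlike every other allocation in this function; add `NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);` directly after it.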
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
- nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
+ nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
lpcfg_workgroup(lp_ctx), domain_sid,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
- nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info,
+ nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
session_info);
- /* There is already a reference between the sesion_info and server_info */
+ /* There is already a reference between the sesion_info and user_info_dc */
if (NT_STATUS_IS_OK(nt_status)) {
talloc_steal(parent_ctx, *session_info);
}
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
- nt_status = auth_anonymous_server_info(mem_ctx,
+ nt_status = auth_anonymous_user_info_dc(mem_ctx,
lpcfg_netbios_name(lp_ctx),
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
- /* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
+ /* references the user_info_dc into the session_info */
+ nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
return NT_STATUS_OK;
}
-_PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
+_PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
- struct auth_serversupplied_info **_server_info)
+ struct auth_user_info_dc **_user_info_dc)
{
- struct auth_serversupplied_info *server_info;
- server_info = talloc(mem_ctx, struct auth_serversupplied_info);
- NT_STATUS_HAVE_NO_MEMORY(server_info);
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info *info;
+ user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
- server_info->num_sids = 1;
- server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+ user_info_dc->num_sids = 1;
+ user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
/* annoying, but the Anonymous really does have a session key... */
- server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
+ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
- server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
- NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
+ user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
/* and it is all zeros! */
- data_blob_clear(&server_info->user_session_key);
- data_blob_clear(&server_info->lm_session_key);
+ data_blob_clear(&user_info_dc->user_session_key);
+ data_blob_clear(&user_info_dc->lm_session_key);
+
+ user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
+ NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
- server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
+ info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
+ NT_STATUS_HAVE_NO_MEMORY(info->account_name);
- server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
+ info->domain_name = talloc_strdup(info, "NT AUTHORITY");
+ NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
- server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
- NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
+ info->full_name = talloc_strdup(info, "Anonymous Logon");
+ NT_STATUS_HAVE_NO_MEMORY(info->full_name);
- server_info->logon_script = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
+ info->logon_script = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
- server_info->profile_path = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
+ info->profile_path = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
- server_info->home_directory = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
+ info->home_directory = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
- server_info->home_drive = talloc_strdup(server_info, "");
- NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
+ info->home_drive = talloc_strdup(info, "");
+ NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
- server_info->logon_server = talloc_strdup(server_info, netbios_name);
- NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
+ info->logon_server = talloc_strdup(info, netbios_name);
+ NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
- server_info->last_logon = 0;
- server_info->last_logoff = 0;
- server_info->acct_expiry = 0;
- server_info->last_password_change = 0;
- server_info->allow_password_change = 0;
- server_info->force_password_change = 0;
+ info->last_logon = 0;
+ info->last_logoff = 0;
+ info->acct_expiry = 0;
+ info->last_password_change = 0;
+ info->allow_password_change = 0;
+ info->force_password_change = 0;
- server_info->logon_count = 0;
- server_info->bad_password_count = 0;
+ info->logon_count = 0;
+ info->bad_password_count = 0;
- server_info->acct_flags = ACB_NORMAL;
+ info->acct_flags = ACB_NORMAL;
- server_info->authenticated = false;
+ info->authenticated = false;
- *_server_info = server_info;
+ *_user_info_dc = user_info_dc;
return NT_STATUS_OK;
}
}
return talloc_asprintf(mem_ctx, "%s\\%s",
- session_info->server_info->domain_name,
- session_info->server_info->account_name);
+ session_info->info->domain_name,
+ session_info->info->account_name);
}
* seem to be the case here. */
ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
"(&(objectClass=user)(sAMAccountName=%s))",
- session_info->server_info->account_name);
+ session_info->info->account_name);
if (ret != 1) {
return kpasswdd_make_error_reply(kdc, mem_ctx,
KRB5_KPASSWD_ACCESSDENIED,
}
DEBUG(3, ("Changing password of %s\\%s (%s)\n",
- session_info->server_info->domain_name,
- session_info->server_info->account_name,
+ session_info->info->domain_name,
+ session_info->info->account_name,
dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
/* Performs the password change */
}
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
- session_info->server_info->domain_name,
- session_info->server_info->account_name,
+ session_info->info->domain_name,
+ session_info->info->account_name,
dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
#include "auth/auth_sam_reply.h"
#include "kdc/kdc-glue.h"
#include "param/param.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
static
NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *info,
+ struct auth_user_info_dc *info,
DATA_BLOB *pac_data)
{
struct netr_SamInfo3 *info3;
ZERO_STRUCT(pac_info);
- nt_status = auth_convert_server_info_saminfo3(mem_ctx, info, &info3);
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Getting Samba info failed: %s\n",
nt_errstr(nt_status)));
DATA_BLOB **_pac_blob)
{
struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry);
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
DATA_BLOB *pac_blob;
NTSTATUS nt_status;
return NT_STATUS_NO_MEMORY;
}
- nt_status = authsam_make_server_info(mem_ctx, p->kdc_db_ctx->samdb,
+ nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
p->realm_dn,
p->msg,
data_blob(NULL, 0),
data_blob(NULL, 0),
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Getting user info for PAC failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
- nt_status = samba_get_logon_info_pac_blob(mem_ctx, server_info, pac_blob);
+ nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Building PAC failed: %s\n",
nt_errstr(nt_status)));
krb5_context context,
krb5_pac *pac, DATA_BLOB *pac_blob)
{
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
krb5_error_code ret;
NTSTATUS nt_status;
- ret = kerberos_pac_to_server_info(mem_ctx, *pac,
- context, &server_info);
+ ret = kerberos_pac_to_user_info_dc(mem_ctx, *pac,
+ context, &user_info_dc, NULL, NULL);
if (ret) {
return NT_STATUS_UNSUCCESSFUL;
}
nt_status = samba_get_logon_info_pac_blob(mem_ctx,
- server_info, pac_blob);
+ user_info_dc, pac_blob);
return nt_status;
}
const struct tsocket_address *server_addr;
int ret;
DATA_BLOB delegated_creds = data_blob_null;
+ struct auth_user_info_dc user_info_dc;
switch (oi->generic.level) {
case RAW_OPEN_NTCREATEX:
state->req = req;
state->oi = oi;
- status = auth_convert_server_info_saminfo3(state,
- req->session_info->server_info,
- &state->info3);
+ /* Disgusting hack to recreate the user_info_dc that should
+ * not be used that this layer in this way */
+ ZERO_STRUCT(user_info_dc);
+ user_info_dc.info = req->session_info->info;
+ user_info_dc.num_sids = req->session_info->torture->num_dc_sids;
+ user_info_dc.sids = req->session_info->torture->dc_sids;
+
+ status = auth_convert_user_info_dc_saminfo3(state,
+ &user_info_dc,
+ &state->info3);
NT_STATUS_NOT_OK_RETURN(status);
client_addr = ntvfs_get_local_address(ipriv->ntvfs);
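Review bot: The rebuilt `user_info_dc` on L2299–L2302 dereferences `req->session_info->torture` without a NULL check; auth_generate_session_info allocates that member in this commit, but a session_info produced by any other path would crash here rather than fail closed. A guard such as `if (req->session_info->torture == NULL) return NT_STATUS_INVALID_PARAMETER;` before L2299 is cheap. After `ZERO_STRUCT` the session-key blobs are empty, so the info3 built from this struct carries no keys — presumably fine at this layer, but the comment should say so rather than only that the hack is disgusting. The enclosing function starts outside the hunk.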
return NT_STATUS_INVALID_PARAMETER;
}
- account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name);
- authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name);
+ account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->account_name);
+ authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->domain_name);
_account_name = talloc(mem_ctx, struct lsa_String);
NT_STATUS_HAVE_NO_MEMORY(_account_name);
{
struct auth_context *auth_context;
struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
NTSTATUS nt_status;
static const char zeros[16];
struct netr_SamBaseInfo *sam;
return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
+ nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
/* TODO: set *r->out.authoritative = 0 on specific errors */
NT_STATUS_NOT_OK_RETURN(nt_status);
switch (r->in.validation_level) {
case 2:
- nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
+ nt_status = auth_convert_user_info_dc_sambaseinfo(mem_ctx, user_info_dc, &sam);
NT_STATUS_NOT_OK_RETURN(nt_status);
sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
break;
case 3:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
+ user_info_dc,
&sam3);
NT_STATUS_NOT_OK_RETURN(nt_status);
break;
case 6:
- nt_status = auth_convert_server_info_saminfo3(mem_ctx,
- server_info,
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
+ user_info_dc,
&sam3);
NT_STATUS_NOT_OK_RETURN(nt_status);
{
struct gp_context *gp_ctx;
struct ldb_result *result;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
struct auth_session_info *session_info;
DATA_BLOB dummy = { NULL, 0 };
const char **gpos;
}
/* Find the user in the directory. We need extended DN's for group expansion
- * in authsam_make_server_info */
+ * in authsam_make_user_info_dc */
rv = dsdb_search(gp_ctx->ldb_ctx,
gp_ctx,
&result,
/* We need the server info, as this will contain the groups of this
* user, needed for a token */
- status = authsam_make_server_info(gp_ctx,
+ status = authsam_make_user_info_dc(gp_ctx,
gp_ctx->ldb_ctx,
lpcfg_netbios_name(gp_ctx->lp_ctx),
lpcfg_sam_name(gp_ctx->lp_ctx),
result->msgs[0],
dummy,
dummy,
- &server_info);
+ &user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to make server information: %s\n", get_friendly_nt_error_msg(status)));
talloc_free(gp_ctx);
}
/* The session info will contain the security token for this user */
- status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info);
+ status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, user_info_dc, 0, &session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status)));
talloc_free(gp_ctx);
info->client_ip = client_addr_string;
info->vuid = sess->vuid;
- info->account_name = sess->session_info->server_info->account_name;
- info->domain_name = sess->session_info->server_info->domain_name;
+ info->account_name = sess->session_info->info->account_name;
+ info->domain_name = sess->session_info->info->domain_name;
info->connect_time = timeval_to_nttime(&sess->statistics.connect_time);
info->auth_time = timeval_to_nttime(&sess->statistics.auth_time);
struct smbsrv_request *req = state->req;
union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info;
struct smbsrv_session *smb_sess;
NTSTATUS status;
uint32_t flags;
- status = auth_check_password_recv(subreq, req, &server_info);
+ status = auth_check_password_recv(subreq, req, &user_info_dc);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) goto failed;
flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
- /* This references server_info into session_info */
+ /* This references user_info_dc into session_info */
status = req->smb_conn->negotiate.auth_context->generate_session_info(req,
req->smb_conn->negotiate.auth_context,
- server_info, flags, &session_info);
+ user_info_dc, flags, &session_info);
if (!NT_STATUS_IS_OK(status)) goto failed;
/* allocate a new session */
struct sesssetup_context *state = tevent_req_callback_data(subreq, struct sesssetup_context);
struct smbsrv_request *req = state->req;
union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
- struct auth_serversupplied_info *server_info = NULL;
+ struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info;
struct smbsrv_session *smb_sess;
uint32_t flags;
NTSTATUS status;
- status = auth_check_password_recv(subreq, req, &server_info);
+ status = auth_check_password_recv(subreq, req, &user_info_dc);
TALLOC_FREE(subreq);
if (!NT_STATUS_IS_OK(status)) goto failed;
flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
+ if (user_info_dc->info->authenticated) {
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
-
- /* This references server_info into session_info */
+ /* This references user_info_dc into session_info */
status = state->auth_context->generate_session_info(req,
state->auth_context,
- server_info,
+ user_info_dc,
flags,
&session_info);
if (!NT_STATUS_IS_OK(status)) goto failed;
DATA_BLOB delegated_creds;
union netr_Validation val;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
struct auth_context *auth_context;
uint32_t session_flags = 0;
struct dom_sid *anonymous_sid;
if (info3) {
val.sam3 = info3;
- status = make_server_info_netlogon_validation(conn,
+ status = make_user_info_dc_netlogon_validation(conn,
val.sam3->base.account_name.string,
- 3, &val, &server_info);
+ 3, &val, &user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
reason = talloc_asprintf(conn,
- "make_server_info_netlogon_validation "
+ "make_user_info_dc_netlogon_validation "
"returned: %s", nt_errstr(status));
goto out;
}
}
session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) {
+ if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) {
session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
/* setup the session_info on the connection */
status = auth_context->generate_session_info(conn,
auth_context,
- server_info,
+ user_info_dc,
session_flags,
&conn->session_info);
talloc_free(auth_context);
#include "torture/torture.h"
#include "auth/auth_sam_reply.h"
#include "param/param.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
static bool torture_pac_self_check(struct torture_context *tctx)
{
struct smb_krb5_context *smb_krb5_context;
- struct auth_serversupplied_info *server_info;
- struct auth_serversupplied_info *server_info_out;
+ struct auth_user_info_dc *user_info_dc;
+ struct auth_user_info_dc *user_info_dc_out;
krb5_principal client_principal;
time_t logon_time = time(NULL);
}
/* We need an input, and this one requires no underlying database */
- nt_status = auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &server_info);
+ nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&server_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
- torture_fail(tctx, "auth_anonymous_server_info");
+ torture_fail(tctx, "auth_anonymous_user_info_dc");
}
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
- server_info->account_name,
+ user_info_dc->info->account_name,
KRB5_PRINCIPAL_PARSE_NO_REALM,
&client_principal);
if (ret) {
/* OK, go ahead and make a PAC */
ret = kerberos_create_pac(mem_ctx,
- server_info,
+ user_info_dc,
smb_krb5_context->krb5_context,
&krbtgt_keyblock,
&server_keyblock,
}
/* Now check we can read it back (using Heimdal's pac parsing) */
- nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
- &server_info_out);
+ &user_info_dc_out, NULL, NULL);
/* The user's SID is the first element in the list */
- if (!dom_sid_equal(server_info->sids,
- server_info_out->sids)) {
+ if (!dom_sid_equal(user_info_dc->sids,
+ user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
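Review bot: The `nt_status` returned by `kerberos_pac_blob_to_user_info_dc(...)` is never checked before `user_info_dc_out->sids` is dereferenced in the `dom_sid_equal` comparison that follows, so a decode failure would crash the self-check test on an uninitialised pointer instead of reporting the failure; the saved-PAC variant later in this file does check the same call. Mirror the neighbouring failure paths here: free `krbtgt_keyblock` and `server_keyblock`, then `torture_fail(tctx, talloc_asprintf(tctx, "(self test) kerberos_pac_blob_to_user_info_dc failed: %s", nt_errstr(nt_status)));`. This looks pre-existing rather than introduced by the rename, but the changed call with its two new NULL arguments is the natural place to fix it. The enclosing function starts and ends outside this hunk.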
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
- dom_sid_string(mem_ctx, server_info->sids),
- dom_sid_string(mem_ctx, server_info_out->sids)));
+ dom_sid_string(mem_ctx, user_info_dc->sids),
+ dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
- talloc_free(server_info_out);
+ talloc_free(user_info_dc_out);
/* Now check that we can read it back (yet again) */
nt_status = kerberos_pac_logon_info(mem_ctx,
/* And make a server info from the samba-parsed PAC */
validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
- &server_info_out);
+ &user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
torture_fail(tctx,
talloc_asprintf(tctx,
nt_errstr(nt_status)));
}
- if (!dom_sid_equal(server_info->sids,
- server_info_out->sids)) {
+ if (!dom_sid_equal(user_info_dc->sids,
+ user_info_dc_out->sids)) {
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
- dom_sid_string(mem_ctx, server_info->sids),
- dom_sid_string(mem_ctx, server_info_out->sids)));
+ dom_sid_string(mem_ctx, user_info_dc->sids),
+ dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
return true;
}
struct PAC_LOGON_INFO *logon_info;
union netr_Validation validation;
const char *pac_file, *pac_kdc_key, *pac_member_key;
- struct auth_serversupplied_info *server_info_out;
+ struct auth_user_info_dc *user_info_dc_out;
krb5_keyblock server_keyblock;
krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p;
}
/* Now check we can read it back (using Heimdal's pac parsing) */
- nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
tmp_blob,
smb_krb5_context->krb5_context,
- &server_info_out);
+ &user_info_dc_out,
+ NULL, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
- server_info_out->sids)) {
+ user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
talloc_asprintf(tctx,
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
- dom_sid_string(mem_ctx, server_info_out->sids)));
+ dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
- talloc_free(server_info_out);
+ talloc_free(user_info_dc_out);
/* Parse the PAC again, for the logon info this time (using Samba4's parsing) */
nt_status = kerberos_pac_logon_info(mem_ctx,
}
validation.sam3 = &logon_info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
+ nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
"",
3, &validation,
- &server_info_out);
+ &user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
- server_info_out->sids)) {
+ user_info_dc_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
talloc_asprintf(tctx,
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
- dom_sid_string(mem_ctx, server_info_out->sids)));
+ dom_sid_string(mem_ctx, user_info_dc_out->sids)));
}
if (krbtgt_bytes == NULL) {
}
ret = kerberos_create_pac(mem_ctx,
- server_info_out,
+ user_info_dc_out,
smb_krb5_context->krb5_context,
krbtgt_keyblock_p,
&server_keyblock,
#include "libcli/auth/libcli_auth.h"
#include "libcli/security/security.h"
#include "librpc/gen_ndr/ndr_netlogon_c.h"
+#include "librpc/gen_ndr/ndr_krb5pac.h"
#include "librpc/gen_ndr/ndr_samr_c.h"
#include "param/param.h"
status = gensec_session_info(gensec_server_context, &session_info);
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
-
- pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
- pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
- pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
+ torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct");
+ torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present");
+ torture_assert(tctx, session_info->torture->pac_kdc_sig != NULL, "pac_kdc_sig not present");
+
+ pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
+ pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
+ pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
- session_info->server_info->pac_srv_sig.signature.data,
+ session_info->torture->pac_srv_sig->signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
- session_info->server_info->pac_kdc_sig.signature.data,
+ session_info->torture->pac_kdc_sig->signature.data,
pac_wrapped_struct.SignatureLength);
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
generic.identity_info.parameter_control = 0;
generic.identity_info.logon_id_high = 0;
generic.identity_info.logon_id_low = 0;
- generic.identity_info.domain_name.string = session_info->server_info->domain_name;
- generic.identity_info.account_name.string = session_info->server_info->account_name;
+ generic.identity_info.domain_name.string = session_info->info->domain_name;
+ generic.identity_info.account_name.string = session_info->info->account_name;
generic.identity_info.workstation.string = test_machine_name;
generic.package_name.string = "Kerberos";
&r.out.return_authenticator->cred),
"Credential chaining failed");
- pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
- pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
+ pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
+ pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
/* Break the SignatureType */
pac_wrapped_struct.SignatureType++;
- pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
+ pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
- session_info->server_info->pac_srv_sig.signature.data,
+ session_info->torture->pac_srv_sig->signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
- session_info->server_info->pac_kdc_sig.signature.data,
+ session_info->torture->pac_kdc_sig->signature.data,
pac_wrapped_struct.SignatureLength);
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
"Credential chaining failed");
- pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
- pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
- pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
+ pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
+ pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
+ pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
pac_wrapped_struct.ChecksumAndSignature = payload
= data_blob_talloc(tmp_ctx, NULL,
pac_wrapped_struct.ChecksumLength
+ pac_wrapped_struct.SignatureLength);
memcpy(&payload.data[0],
- session_info->server_info->pac_srv_sig.signature.data,
+ session_info->torture->pac_srv_sig->signature.data,
pac_wrapped_struct.ChecksumLength);
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
- session_info->server_info->pac_kdc_sig.signature.data,
+ session_info->torture->pac_kdc_sig->signature.data,
pac_wrapped_struct.SignatureLength);
/* Break the signature length */
struct auth_session_info *kinit_session_info;
struct auth_session_info *s2u4self_session_info;
- struct auth_serversupplied_info *netlogon_server_info;
+ struct auth_user_info_dc *netlogon_user_info_dc;
struct netr_NetworkInfo ninfo;
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
&r.out.return_authenticator->cred),
"Credential chaining failed");
- status = make_server_info_netlogon_validation(tmp_ctx,
+ status = make_user_info_dc_netlogon_validation(tmp_ctx,
ninfo.identity_info.account_name.string,
r.in.validation_level,
r.out.validation,
- &netlogon_server_info);
+ &netlogon_user_info_dc);
- torture_assert_ntstatus_ok(tctx, status, "make_server_info_netlogon_validation failed");
+ torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
- torture_assert_str_equal(tctx, netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name,
- kinit_session_info->server_info->account_name, "Account name differs for kinit-based PAC");
- torture_assert_str_equal(tctx,netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name,
- s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self");
- torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC");
- torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self");
- torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC");
- torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self");
+ torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
+ kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
+ torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
+ s2u4self_session_info->info->account_name, "Account name differs for S2U4Self");
+ torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
+ torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s2u4self_session_info->info->full_name, "Full name differs for S2U4Self");
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s2u4self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S2U4Self");
builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
- for (i = 0; i < kinit_session_info->server_info->num_sids; i++) {
- torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC");
- torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
+ for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
+ torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
+ torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s2u4self_session_info->torture->dc_sids[i]), "Different domain groups for S2U4Self");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
}
return true;
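Review bot: The rewritten comparisons dereference `kinit_session_info->torture` and `s2u4self_session_info->torture` directly, while the other netlogon test in this change first asserts `session_info->torture != NULL` before reading the same sub-struct, so a session info without torture data would segfault this test instead of failing it. Add the same guards before the `torture_assert_int_equal` on `num_dc_sids`: `torture_assert(tctx, kinit_session_info->torture != NULL, "kinit session info missing torture sub struct");` and the equivalent for `s2u4self_session_info`. The loop bound on `kinit_session_info->torture->num_dc_sids` is safe for the other two arrays only because the preceding count assertions return on mismatch; a one-line comment stating that would help the next reader. The enclosing function starts outside this hunk.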
reply_code = "AF";
reply_arg = talloc_asprintf(state->gensec_state,
- "%s%s%s", session_info->server_info->domain_name,
- lpcfg_winbind_separator(lp_ctx), session_info->server_info->account_name);
+ "%s%s%s", session_info->info->domain_name,
+ lpcfg_winbind_separator(lp_ctx), session_info->info->account_name);
talloc_free(session_info);
}
} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {