*/
#include "replace.h"
+#include <talloc.h>
+#include "lib/util/talloc_stack.h"
#include "lib/util/debug.h"
#include "lib/util/fault.h"
#include "libcli/security/security_token.h"
/*
return a blank security token
*/
-struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
+struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
+ enum claims_evaluation_control evaluate_claims)
{
struct security_token *st = talloc_zero(
mem_ctx, struct security_token);
+ st->evaluate_claims = evaluate_claims;
+
return st;
}
/*
return a blank security token
*/
-struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx);
+struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx,
+ enum claims_evaluation_control evaluate_claims);
/****************************************************************************
prints a struct security_token to debug output.
else:
raise TypeError(f"{k} is an invalid keyword argument")
- t = security.token()
+ t = security.token(evaluate_claims=security.CLAIMS_EVALUATION_ALWAYS)
for k, v in norm_args.items():
setattr(t, k, v)
return NT_STATUS_OK;
}
+static struct security_token *init_local_nt_token(TALLOC_CTX *mem_ctx)
+{
+ /*
+ * We do not have a method to populate the claims into this
+ * buffer in the source3/ stack. When that changes, we will
+ * instead this optional based on lp_acl_claims_evaluation()
+ */
+
+ struct security_token *result
+ = security_token_initialise(mem_ctx,
+ CLAIMS_EVALUATION_NEVER);
+
+ if (result == NULL) {
+ DBG_ERR("talloc failed for security_token\n");
+ return NULL;
+ }
+
+ return result;
+}
+
NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
bool is_guest,
const struct netr_SamInfo3 *info3,
DEBUG(10, ("Create local NT token for %s\n",
info3->base.account_name.string));
- usrtok = talloc_zero(mem_ctx, struct security_token);
+ usrtok = init_local_nt_token(mem_ctx);
if (!usrtok) {
- DEBUG(0, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
DEBUG(10, ("Create local NT token for %s\n",
dom_sid_str_buf(user_sid, &buf)));
- if (!(result = talloc_zero(mem_ctx, struct security_token))) {
- DEBUG(0, ("talloc failed\n"));
+ result = init_local_nt_token(mem_ctx);
+ if (result == NULL) {
status = NT_STATUS_NO_MEMORY;
goto err;
}
return nt_status;
}
+/*
+ * This function does not create a full auth_session_info, just enough
+ * for the caller to get the "unix" username
+ */
static NTSTATUS ntlm_auth_generate_session_info(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
void *server_returned_info,
return NT_STATUS_NO_MEMORY;
}
- session_info->security_token = talloc_zero(session_info, struct security_token);
+ /*
+ * This is not a full session_info - it is not created
+ * correctly and misses any claims etc, because all we
+ * actually use in the caller is the unix username.
+ *
+ * Therefore so no claims need to be added and
+ * se_access_check() will never run.
+ */
+ session_info->security_token
+ = security_token_initialise(talloc_tos(),
+ CLAIMS_EVALUATION_INVALID_STATE);
if (session_info->security_token == NULL) {
TALLOC_FREE(session_info);
return NT_STATUS_NO_MEMORY;
return NT_STATUS_OK;
}
- token = talloc_zero(talloc_tos(), struct security_token);
+ /*
+ * This is a limited-use security_token for the purpose of
+ * checking the SID list below, so no claims need to be added
+ * and se_access_check() will never run.
+ */
+ token = security_token_initialise(talloc_tos(),
+ CLAIMS_EVALUATION_INVALID_STATE);
if (token == NULL) {
DEBUG(0, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
#include "param/secrets.h"
#include "auth/auth.h"
#include "lib/tsocket/tsocket.h"
+#include "lib/param/loadparm.h"
/*
connect to the SAM database specified by URL
struct security_token *ptoken;
uint32_t i;
NTSTATUS status;
+ enum claims_evaluation_control evaluate_claims;
- ptoken = security_token_initialise(mem_ctx);
+ /*
+ * Some special-case callers can't supply the lp_ctx, but do
+ * not interact with claims or conditional ACEs
+ */
+ if (lp_ctx == NULL) {
+ evaluate_claims = CLAIMS_EVALUATION_INVALID_STATE;
+ } else {
+ enum acl_claims_evaluation claims_evaultion_setting
+ = lpcfg_acl_claims_evaluation(lp_ctx);
+
+ /*
+ * We are well inside the AD DC, so we do not need to check
+ * the server role etc
+ */
+ switch (claims_evaultion_setting) {
+ case ACL_CLAIMS_EVALUATION_AD_DC_ONLY:
+ evaluate_claims = CLAIMS_EVALUATION_ALWAYS;
+ break;
+ default:
+ evaluate_claims = CLAIMS_EVALUATION_NEVER;
+ }
+ }
+
+ ptoken = security_token_initialise(mem_ctx, evaluate_claims);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
if (num_sids > UINT32_MAX - 6) {
static PyObject *py_token_new(PyTypeObject *self, PyObject *args, PyObject *kwargs)
{
- return pytalloc_steal(self, security_token_initialise(NULL));
-}
+ int evaluate_claims = CLAIMS_EVALUATION_INVALID_STATE;
+ const char *kwnames[] = { "evaluate_claims", NULL };
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "|i",
+ discard_const_p(char *, kwnames),
+ &evaluate_claims)) {
+ return NULL;
+ }
+
+ return pytalloc_steal(self, security_token_initialise(NULL, evaluate_claims));
+}
static PyMethodDef py_token_extra_methods[] = {
{ "is_sid", (PyCFunction)py_token_is_sid, METH_VARARGS,