s4:auth Allow the operational module to get a user's tokenGroups from auth

[kai/samba.git] / source4 / auth / ntlm / auth_sam.c

diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index e4e56e1219a65c79971af7af49d2ca88c2322d34..6d1ed0ea103428588206ca516fd27e193a880951 100644 (file)
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -23,6 +23,8 @@
 #include "system/time.h"
 #include "lib/ldb/include/ldb.h"
 #include "../lib/util/util_ldb.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/security.h"
 #include "auth/auth.h"
 #include "../libcli/auth/ntlm_check.h"
 #include "auth/ntlm/auth_proto.h"
@@ -300,10 +302,14 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 }
 
                                   
-/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
+*/
 NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, 
                                           struct auth_context *auth_context,
                                           const char *principal,
+                                          struct ldb_dn *user_dn,
                                           struct auth_serversupplied_info **server_info)
 {
        NTSTATUS nt_status;
@@ -311,7 +317,6 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
        DATA_BLOB lm_sess_key = data_blob(NULL, 0);
 
        struct ldb_message *msg;
-       struct ldb_context *sam_ctx;
        struct ldb_dn *domain_dn;
        
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -319,21 +324,48 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx, 
-                               system_session(auth_context->lp_ctx));
-       if (sam_ctx == NULL) {
-               talloc_free(tmp_ctx);
-               return NT_STATUS_INVALID_SYSTEM_SERVICE;
-       }
+       if (principal) {
+               nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal,
+                                                     user_attrs, &domain_dn, &msg);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       talloc_free(tmp_ctx);
+                       return nt_status;
+               }
+       } else if (user_dn) {
+               struct dom_sid *user_sid, *domain_sid;
+               int ret;
+               /* pull the user attributes */
+               ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn,
+                                     LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+               if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_NO_SUCH_USER;
+               } else if (ret != LDB_SUCCESS) {
+                       talloc_free(tmp_ctx);
+                       return NT_STATUS_INTERNAL_DB_CORRUPTION;
+               }
 
-       nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, 
-                                             user_attrs, &domain_dn, &msg);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               talloc_free(tmp_ctx);
-               return nt_status;
+               user_sid = samdb_result_dom_sid(msg, msg, "objectSid");
+
+               nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL);
+               if (!NT_STATUS_IS_OK(nt_status)) {
+                       return nt_status;
+               }
+
+               domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL,
+                                         "(&(objectSid=%s)(objectClass=domain))",
+                                           ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
+               if (!domain_dn) {
+                       DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
+                                 dom_sid_string(tmp_ctx, domain_sid)));
+                       return NT_STATUS_NO_SUCH_USER;
+               }
+
+       } else {
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
-       nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, 
+       nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx,
                                             lp_netbios_name(auth_context->lp_ctx),
                                             lp_workgroup(auth_context->lp_ctx),
                                             domain_dn,