-/*
+/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Tridgell 1992-1998
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
-_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
+_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
{
NTSTATUS nt_status;
struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
const struct auth_user_info_dc *user_info_dc,
+ const struct auth_user_info_dc *device_info_dc,
+ const struct auth_claims auth_claims,
uint32_t session_info_flags,
struct security_token **_security_token)
{
NTSTATUS nt_status;
uint32_t i;
uint32_t num_sids = 0;
+ uint32_t num_device_sids = 0;
const char *filter = NULL;
struct auth_SidAttr *sids = NULL;
+ struct auth_SidAttr *device_sids = NULL;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
}
}
+ if (device_info_dc != NULL) {
+ /*
+ * Make a copy of the device SIDs in case we need to add extra SIDs on
+ * the end. One can never have too much copying.
+ */
+ num_device_sids = device_info_dc->num_sids;
+ device_sids = talloc_array(tmp_ctx,
+ struct auth_SidAttr,
+ num_device_sids);
+ if (device_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < num_device_sids; i++) {
+ device_sids[i] = device_info_dc->sids[i];
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS) {
+ device_sids = talloc_realloc(tmp_ctx,
+ device_sids,
+ struct auth_SidAttr,
+ num_device_sids + 2);
+ if (device_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_World,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_Network,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEVICE_AUTHENTICATED) {
+ device_sids = talloc_realloc(tmp_ctx,
+ device_sids,
+ struct auth_SidAttr,
+ num_device_sids + 1);
+ if (device_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_Authenticated_Users,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ }
+ }
+
nt_status = security_token_create(mem_ctx,
lp_ctx,
num_sids,
sids,
- 0 /* num_device_sids */,
- NULL /* device_sids */,
- (struct auth_claims) {},
+ num_device_sids,
+ device_sids,
+ auth_claims,
session_info_flags,
&security_token);
if (!NT_STATUS_IS_OK(nt_status)) {
lp_ctx,
sam_ctx,
user_info_dc,
+ NULL /*device_info_dc */,
+ (struct auth_claims) {},
session_info_flags,
&session_info->security_token);
if (!NT_STATUS_IS_OK(nt_status)) {
}
nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx,
- user_info_dc, session_info_flags,
+ user_info_dc,
+ session_info_flags,
session_info);
if (NT_STATUS_IS_OK(nt_status)) {
/**
* prints a struct auth_session_info security token to debug output.
*/
-void auth_session_info_debug(int dbg_lev,
+void auth_session_info_debug(int dbg_lev,
const struct auth_session_info *session_info)
{
if (!session_info) {
DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
- return;
+ return;
}
security_token_debug(DBGC_AUTH, dbg_lev,
return NT_STATUS_NO_MEMORY;
}
- metadata_ndr = talloc_zero(tmp_ctx, struct CLAIMS_SET_METADATA_NDR);
+ metadata_ndr = talloc(tmp_ctx, struct CLAIMS_SET_METADATA_NDR);
if (metadata_ndr == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- metadata = talloc_zero(metadata_ndr, struct CLAIMS_SET_METADATA);
+ metadata = talloc(metadata_ndr, struct CLAIMS_SET_METADATA);
if (metadata == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- claims_set_info = talloc_zero(metadata, struct CLAIMS_SET_NDR);
+ claims_set_info = talloc(metadata, struct CLAIMS_SET_NDR);
if (claims_set_info == NULL) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- metadata_ndr->claims.metadata = metadata;
+ *metadata_ndr = (struct CLAIMS_SET_METADATA_NDR) {
+ .claims.metadata = metadata,
+ };
- metadata->claims_set = claims_set_info;
- metadata->compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF;
+ *metadata = (struct CLAIMS_SET_METADATA) {
+ .claims_set = claims_set_info,
+ .compression_format = CLAIMS_COMPRESSION_FORMAT_XPRESS_HUFF,
+ };
- claims_set_info->claims.claims = claims_set;
+ *claims_set_info = (struct CLAIMS_SET_NDR) {
+ .claims.claims = claims_set,
+ };
ndr_err = ndr_push_struct_blob(claims_blob, mem_ctx, metadata_ndr,
(ndr_push_flags_fn_t)ndr_push_CLAIMS_SET_METADATA_NDR);
* From a ‘claims_data’ structure, return an encoded claims blob that can be put
* into a PAC.
*/
-NTSTATUS claims_data_encoded_claims_set(struct claims_data *claims_data,
+NTSTATUS claims_data_encoded_claims_set(TALLOC_CTX *mem_ctx,
+ struct claims_data *claims_data,
DATA_BLOB *encoded_claims_set_out)
{
+ uint8_t *data = NULL;
+ size_t len;
+
if (encoded_claims_set_out == NULL) {
return NT_STATUS_INVALID_PARAMETER;
}
claims_data->flags |= CLAIMS_DATA_ENCODED_CLAIMS_PRESENT;
}
- *encoded_claims_set_out = claims_data->encoded_claims_set;
+ if (claims_data->encoded_claims_set.data != NULL) {
+ data = talloc_reference(mem_ctx, claims_data->encoded_claims_set.data);
+ if (data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ len = claims_data->encoded_claims_set.length;
+
+ *encoded_claims_set_out = data_blob_const(data, len);
return NT_STATUS_OK;
}