s4-auth Move conversion of security_token to unix_token to auth
[amitay/samba.git] / source4 / auth / ntlm / auth.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Password and authentication handling
4    Copyright (C) Andrew Bartlett         2001-2002
5    Copyright (C) Stefan Metzmacher       2005
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include <tevent.h>
23 #include "../lib/util/tevent_ntstatus.h"
24 #include "../lib/util/dlinklist.h"
25 #include "auth/auth.h"
26 #include "auth/ntlm/auth_proto.h"
27 #include "param/param.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "libcli/wbclient/wbclient.h"
30
31 /***************************************************************************
32  Set a fixed challenge
33 ***************************************************************************/
34 _PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by) 
35 {
36         auth_ctx->challenge.set_by = talloc_strdup(auth_ctx, set_by);
37         NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.set_by);
38
39         auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8);
40         NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
41
42         return NT_STATUS_OK;
43 }
44
45 /***************************************************************************
46  Set a fixed challenge
47 ***************************************************************************/
48 _PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx)
49 {
50         return auth_ctx->challenge.may_be_modified;
51 }
52
53 /****************************************************************************
54  Try to get a challenge out of the various authentication modules.
55  Returns a const char of length 8 bytes.
56 ****************************************************************************/
57 _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
58 {
59         NTSTATUS nt_status;
60         struct auth_method_context *method;
61
62         if (auth_ctx->challenge.data.length == 8) {
63                 DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n", 
64                           auth_ctx->challenge.set_by));
65                 memcpy(chal, auth_ctx->challenge.data.data, 8);
66                 return NT_STATUS_OK;
67         }
68
69         for (method = auth_ctx->methods; method; method = method->next) {
70                 nt_status = method->ops->get_challenge(method, auth_ctx, chal);
71                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
72                         continue;
73                 }
74
75                 NT_STATUS_NOT_OK_RETURN(nt_status);
76
77                 auth_ctx->challenge.data        = data_blob_talloc(auth_ctx, chal, 8);
78                 NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
79                 auth_ctx->challenge.set_by      = method->ops->name;
80
81                 break;
82         }
83
84         if (!auth_ctx->challenge.set_by) {
85                 generate_random_buffer(chal, 8);
86
87                 auth_ctx->challenge.data                = data_blob_talloc(auth_ctx, chal, 8);
88                 NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
89                 auth_ctx->challenge.set_by              = "random";
90
91                 auth_ctx->challenge.may_be_modified     = true;
92         }
93
94         DEBUG(10,("auth_get_challenge: challenge set by %s\n",
95                  auth_ctx->challenge.set_by));
96
97         return NT_STATUS_OK;
98 }
99
100 /****************************************************************************
101 Used in the gensec_gssapi and gensec_krb5 server-side code, where the
102 PAC isn't available, and for tokenGroups in the DSDB stack.
103
104  Supply either a principal or a DN
105 ****************************************************************************/
106 _PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
107                                                  struct auth4_context *auth_ctx,
108                                                  const char *principal,
109                                                  struct ldb_dn *user_dn,
110                                                  struct auth_user_info_dc **user_info_dc)
111 {
112         NTSTATUS nt_status;
113         struct auth_method_context *method;
114
115         for (method = auth_ctx->methods; method; method = method->next) {
116                 if (!method->ops->get_user_info_dc_principal) {
117                         continue;
118                 }
119
120                 nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
121                 if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
122                         continue;
123                 }
124
125                 return nt_status;
126         }
127
128         return NT_STATUS_NOT_IMPLEMENTED;
129 }
130
131 /**
132  * Check a user's Plaintext, LM or NTLM password.
133  * (sync version)
134  *
135  * Check a user's password, as given in the user_info struct and return various
136  * interesting details in the user_info_dc struct.
137  *
138  * The return value takes precedence over the contents of the user_info_dc
139  * struct.  When the return is other than NT_STATUS_OK the contents 
140  * of that structure is undefined.
141  *
142  * @param auth_ctx Supplies the challenges and some other data. 
143  *                  Must be created with auth_context_create(), and the challenges should be 
144  *                  filled in, either at creation or by calling the challenge geneation 
145  *                  function auth_get_challenge().  
146  *
147  * @param user_info Contains the user supplied components, including the passwords.
148  *
149  * @param mem_ctx The parent memory context for the user_info_dc structure
150  *
151  * @param user_info_dc If successful, contains information about the authentication,
152  *                    including a SAM_ACCOUNT struct describing the user.
153  *
154  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
155  *
156  **/
157
158 _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
159                              TALLOC_CTX *mem_ctx,
160                              const struct auth_usersupplied_info *user_info, 
161                              struct auth_user_info_dc **user_info_dc)
162 {
163         struct tevent_req *subreq;
164         struct tevent_context *ev;
165         bool ok;
166         NTSTATUS status;
167
168         /*TODO: create a new event context here! */
169         ev = auth_ctx->event_ctx;
170
171         subreq = auth_check_password_send(mem_ctx,
172                                           ev,
173                                           auth_ctx,
174                                           user_info);
175         if (subreq == NULL) {
176                 return NT_STATUS_NO_MEMORY;
177         }
178
179         ok = tevent_req_poll(subreq, ev);
180         if (!ok) {
181                 return NT_STATUS_INTERNAL_ERROR;
182         }
183
184         status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
185         TALLOC_FREE(subreq);
186
187         return status;
188 }
189
190 struct auth_check_password_state {
191         struct auth4_context *auth_ctx;
192         const struct auth_usersupplied_info *user_info;
193         struct auth_user_info_dc *user_info_dc;
194         struct auth_method_context *method;
195 };
196
197 static void auth_check_password_async_trigger(struct tevent_context *ev,
198                                               struct tevent_immediate *im,
199                                               void *private_data);
200 /**
201  * Check a user's Plaintext, LM or NTLM password.
202  * async send hook
203  *
204  * Check a user's password, as given in the user_info struct and return various
205  * interesting details in the user_info_dc struct.
206  *
207  * The return value takes precedence over the contents of the user_info_dc
208  * struct.  When the return is other than NT_STATUS_OK the contents 
209  * of that structure is undefined.
210  *
211  * @param mem_ctx The memory context the request should operate on
212  *
213  * @param ev The tevent context the request should operate on
214  *
215  * @param auth_ctx Supplies the challenges and some other data. 
216  *                  Must be created with make_auth_context(), and the challenges should be 
217  *                  filled in, either at creation or by calling the challenge geneation 
218  *                  function auth_get_challenge().  
219  *
220  * @param user_info Contains the user supplied components, including the passwords.
221  *
222  * @return The request handle or NULL on no memory error.
223  *
224  **/
225
226 _PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
227                                 struct tevent_context *ev,
228                                 struct auth4_context *auth_ctx,
229                                 const struct auth_usersupplied_info *user_info)
230 {
231         struct tevent_req *req;
232         struct auth_check_password_state *state;
233         /* if all the modules say 'not for me' this is reasonable */
234         NTSTATUS nt_status;
235         uint8_t chal[8];
236         struct auth_usersupplied_info *user_info_tmp;
237         struct tevent_immediate *im;
238
239         DEBUG(3,("auth_check_password_send: "
240                  "Checking password for unmapped user [%s]\\[%s]@[%s]\n",
241                  user_info->client.domain_name, user_info->client.account_name,
242                  user_info->workstation_name));
243
244         req = tevent_req_create(mem_ctx, &state,
245                                 struct auth_check_password_state);
246         if (req == NULL) {
247                 return NULL;
248         }
249
250         state->auth_ctx         = auth_ctx;
251         state->user_info        = user_info;
252
253         if (!user_info->mapped_state) {
254                 nt_status = map_user_info(req, lpcfg_workgroup(auth_ctx->lp_ctx),
255                                           user_info, &user_info_tmp);
256                 if (tevent_req_nterror(req, nt_status)) {
257                         return tevent_req_post(req, ev);
258                 }
259                 user_info = user_info_tmp;
260                 state->user_info = user_info_tmp;
261         }
262
263         DEBUGADD(3,("auth_check_password_send: "
264                     "mapped user is: [%s]\\[%s]@[%s]\n",
265                     user_info->mapped.domain_name,
266                     user_info->mapped.account_name,
267                     user_info->workstation_name));
268
269         nt_status = auth_get_challenge(auth_ctx, chal);
270         if (tevent_req_nterror(req, nt_status)) {
271                 DEBUG(0,("auth_check_password_send: "
272                          "Invalid challenge (length %u) stored for "
273                          "this auth context set_by %s - cannot continue: %s\n",
274                         (unsigned)auth_ctx->challenge.data.length,
275                         auth_ctx->challenge.set_by,
276                         nt_errstr(nt_status)));
277                 return tevent_req_post(req, ev);
278         }
279
280         if (auth_ctx->challenge.set_by) {
281                 DEBUG(10,("auth_check_password_send: "
282                           "auth_context challenge created by %s\n",
283                           auth_ctx->challenge.set_by));
284         }
285
286         DEBUG(10, ("auth_check_password_send: challenge is: \n"));
287         dump_data(5, auth_ctx->challenge.data.data,
288                   auth_ctx->challenge.data.length);
289
290         im = tevent_create_immediate(state);
291         if (tevent_req_nomem(im, req)) {
292                 return tevent_req_post(req, ev);
293         }
294
295         tevent_schedule_immediate(im,
296                                   auth_ctx->event_ctx,
297                                   auth_check_password_async_trigger,
298                                   req);
299         return req;
300 }
301
302 static void auth_check_password_async_trigger(struct tevent_context *ev,
303                                               struct tevent_immediate *im,
304                                               void *private_data)
305 {
306         struct tevent_req *req =
307                 talloc_get_type_abort(private_data, struct tevent_req);
308         struct auth_check_password_state *state =
309                 tevent_req_data(req, struct auth_check_password_state);
310         NTSTATUS status;
311         struct auth_method_context *method;
312
313         status = NT_STATUS_OK;
314
315         for (method=state->auth_ctx->methods; method; method = method->next) {
316
317                 /* we fill in state->method here so debug messages in
318                    the callers know which method failed */
319                 state->method = method;
320
321                 /* check if the module wants to check the password */
322                 status = method->ops->want_check(method, req, state->user_info);
323                 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
324                         DEBUG(11,("auth_check_password_send: "
325                                   "%s had nothing to say\n",
326                                   method->ops->name));
327                         continue;
328                 }
329
330                 if (tevent_req_nterror(req, status)) {
331                         return;
332                 }
333
334                 status = method->ops->check_password(method,
335                                                      state,
336                                                      state->user_info,
337                                                      &state->user_info_dc);
338                 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
339                         /* the backend has handled the request */
340                         break;
341                 }
342         }
343
344         if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
345                 /* don't expose the NT_STATUS_NOT_IMPLEMENTED
346                    internals */
347                 status = NT_STATUS_NO_SUCH_USER;
348         }
349
350         if (tevent_req_nterror(req, status)) {
351                 return;
352         }
353
354         tevent_req_done(req);
355 }
356
357 /**
358  * Check a user's Plaintext, LM or NTLM password.
359  * async receive function
360  *
361  * The return value takes precedence over the contents of the user_info_dc
362  * struct.  When the return is other than NT_STATUS_OK the contents 
363  * of that structure is undefined.
364  *
365  *
366  * @param req The async request state
367  *
368  * @param mem_ctx The parent memory context for the user_info_dc structure
369  *
370  * @param user_info_dc If successful, contains information about the authentication,
371  *                    including a SAM_ACCOUNT struct describing the user.
372  *
373  * @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
374  *
375  **/
376
377 _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
378                                   TALLOC_CTX *mem_ctx,
379                                   struct auth_user_info_dc **user_info_dc)
380 {
381         struct auth_check_password_state *state =
382                 tevent_req_data(req, struct auth_check_password_state);
383         NTSTATUS status;
384
385         if (tevent_req_is_nterror(req, &status)) {
386                 DEBUG(2,("auth_check_password_recv: "
387                          "%s authentication for user [%s\\%s] "
388                          "FAILED with error %s\n",
389                          (state->method ? state->method->ops->name : "NO_METHOD"),
390                          state->user_info->mapped.domain_name,
391                          state->user_info->mapped.account_name,
392                          nt_errstr(status)));
393                 tevent_req_received(req);
394                 return status;
395         }
396
397         DEBUG(5,("auth_check_password_recv: "
398                  "%s authentication for user [%s\\%s] succeeded\n",
399                  state->method->ops->name,
400                  state->user_info_dc->info->domain_name,
401                  state->user_info_dc->info->account_name));
402
403         *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
404
405         tevent_req_received(req);
406         return NT_STATUS_OK;
407 }
408
409 /* Wrapper because we don't want to expose all callers to needing to
410  * know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */
411 static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
412                                                    struct auth4_context *auth_context,
413                                                    struct auth_user_info_dc *user_info_dc,
414                                                    uint32_t session_info_flags,
415                                                    struct auth_session_info **session_info)
416 {
417         NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
418                                                      auth_context->sam_ctx, user_info_dc,
419                                                      session_info_flags, session_info);
420         if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
421             && NT_STATUS_IS_OK(status)) {
422                 struct wbc_context *wbc_ctx = wbc_init(auth_context,
423                                                        auth_context->msg_ctx,
424                                                        auth_context->event_ctx);
425                 if (!wbc_ctx) {
426                         TALLOC_FREE(*session_info);
427                         DEBUG(1, ("Cannot contact winbind to provide unix token"));
428                         return NT_STATUS_INVALID_SERVER_STATE;
429                 }
430                 status = security_token_to_unix_token(*session_info, wbc_ctx,
431                                                       (*session_info)->security_token,
432                                                       &(*session_info)->unix_token);
433                 if (!NT_STATUS_IS_OK(status)) {
434                         TALLOC_FREE(*session_info);
435                 }
436                 TALLOC_FREE(wbc_ctx);
437         }
438         return status;
439 }
440
441 /***************************************************************************
442  Make a auth_info struct for the auth subsystem
443  - Allow the caller to specify the methods to use, including optionally the SAM to use
444 ***************************************************************************/
445 _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, 
446                                               struct tevent_context *ev,
447                                               struct imessaging_context *msg,
448                                               struct loadparm_context *lp_ctx,
449                                               struct ldb_context *sam_ctx,
450                                               struct auth4_context **auth_ctx)
451 {
452         int i;
453         struct auth4_context *ctx;
454
455         auth4_init();
456
457         if (!ev) {
458                 DEBUG(0,("auth_context_create: called with out event context\n"));
459                 return NT_STATUS_INTERNAL_ERROR;
460         }
461
462         ctx = talloc(mem_ctx, struct auth4_context);
463         NT_STATUS_HAVE_NO_MEMORY(ctx);
464         ctx->challenge.set_by           = NULL;
465         ctx->challenge.may_be_modified  = false;
466         ctx->challenge.data             = data_blob(NULL, 0);
467         ctx->methods                    = NULL;
468         ctx->event_ctx                  = ev;
469         ctx->msg_ctx                    = msg;
470         ctx->lp_ctx                     = lp_ctx;
471
472         if (sam_ctx) {
473                 ctx->sam_ctx = sam_ctx;
474         } else {
475                 ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx), 0);
476         }
477
478         for (i=0; methods && methods[i] ; i++) {
479                 struct auth_method_context *method;
480
481                 method = talloc(ctx, struct auth_method_context);
482                 NT_STATUS_HAVE_NO_MEMORY(method);
483
484                 method->ops = auth_backend_byname(methods[i]);
485                 if (!method->ops) {
486                         DEBUG(1,("auth_context_create: failed to find method=%s\n",
487                                 methods[i]));
488                         return NT_STATUS_INTERNAL_ERROR;
489                 }
490                 method->auth_ctx        = ctx;
491                 method->depth           = i;
492                 DLIST_ADD_END(ctx->methods, method, struct auth_method_context *);
493         }
494
495         ctx->check_password = auth_check_password;
496         ctx->get_challenge = auth_get_challenge;
497         ctx->set_challenge = auth_context_set_challenge;
498         ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
499         ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
500         ctx->generate_session_info = auth_generate_session_info_wrapper;
501
502         *auth_ctx = ctx;
503
504         return NT_STATUS_OK;
505 }
506
507 const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
508 {
509         char **auth_methods = NULL;
510
511         switch (lpcfg_server_role(lp_ctx)) {
512         case ROLE_STANDALONE:
513                 auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
514                 break;
515         case ROLE_DOMAIN_MEMBER:
516                 auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
517                 break;
518         case ROLE_DOMAIN_BDC:
519         case ROLE_DOMAIN_PDC:
520                 auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
521                 break;
522         }
523         return (const char **) auth_methods;
524 }
525
526 /***************************************************************************
527  Make a auth_info struct for the auth subsystem
528  - Uses default auth_methods, depending on server role and smb.conf settings
529 ***************************************************************************/
530 _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
531                              struct tevent_context *ev,
532                              struct imessaging_context *msg,
533                              struct loadparm_context *lp_ctx,
534                              struct auth4_context **auth_ctx)
535 {
536         NTSTATUS status;
537         const char **auth_methods;
538         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
539         if (!tmp_ctx) {
540                 return NT_STATUS_NO_MEMORY;
541         }
542
543         auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
544         if (!auth_methods) {
545                 return NT_STATUS_INVALID_PARAMETER;
546         }
547         status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx);
548         talloc_free(tmp_ctx);
549         return status;
550 }
551
552 /* Create an auth context from an open LDB.
553
554    This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
555
556  */
557 NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth4_context **auth_ctx)
558 {
559         NTSTATUS status;
560         const char **auth_methods;
561         struct loadparm_context *lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
562         struct tevent_context *ev = ldb_get_event_context(ldb);
563
564         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
565         if (!tmp_ctx) {
566                 return NT_STATUS_NO_MEMORY;
567         }
568
569         auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
570         if (!auth_methods) {
571                 return NT_STATUS_INVALID_PARAMETER;
572         }
573         status = auth_context_create_methods(mem_ctx, auth_methods, ev, NULL, lp_ctx, ldb, auth_ctx);
574         talloc_free(tmp_ctx);
575         return status;
576 }
577
578 /* the list of currently registered AUTH backends */
579 static struct auth_backend {
580         const struct auth_operations *ops;
581 } *backends = NULL;
582 static int num_backends;
583
584 /*
585   register a AUTH backend. 
586
587   The 'name' can be later used by other backends to find the operations
588   structure for this backend.
589 */
590 _PUBLIC_ NTSTATUS auth_register(const struct auth_operations *ops)
591 {
592         struct auth_operations *new_ops;
593         
594         if (auth_backend_byname(ops->name) != NULL) {
595                 /* its already registered! */
596                 DEBUG(0,("AUTH backend '%s' already registered\n", 
597                          ops->name));
598                 return NT_STATUS_OBJECT_NAME_COLLISION;
599         }
600
601         backends = talloc_realloc(talloc_autofree_context(), backends, 
602                                   struct auth_backend, num_backends+1);
603         NT_STATUS_HAVE_NO_MEMORY(backends);
604
605         new_ops = (struct auth_operations *)talloc_memdup(backends, ops, sizeof(*ops));
606         NT_STATUS_HAVE_NO_MEMORY(new_ops);
607         new_ops->name = talloc_strdup(new_ops, ops->name);
608         NT_STATUS_HAVE_NO_MEMORY(new_ops->name);
609
610         backends[num_backends].ops = new_ops;
611
612         num_backends++;
613
614         DEBUG(3,("AUTH backend '%s' registered\n", 
615                  ops->name));
616
617         return NT_STATUS_OK;
618 }
619
620 /*
621   return the operations structure for a named backend of the specified type
622 */
623 const struct auth_operations *auth_backend_byname(const char *name)
624 {
625         int i;
626
627         for (i=0;i<num_backends;i++) {
628                 if (strcmp(backends[i].ops->name, name) == 0) {
629                         return backends[i].ops;
630                 }
631         }
632
633         return NULL;
634 }
635
636 /*
637   return the AUTH interface version, and the size of some critical types
638   This can be used by backends to either detect compilation errors, or provide
639   multiple implementations for different smbd compilation options in one module
640 */
641 const struct auth_critical_sizes *auth_interface_version(void)
642 {
643         static const struct auth_critical_sizes critical_sizes = {
644                 AUTH4_INTERFACE_VERSION,
645                 sizeof(struct auth_operations),
646                 sizeof(struct auth_method_context),
647                 sizeof(struct auth4_context),
648                 sizeof(struct auth_usersupplied_info),
649                 sizeof(struct auth_user_info_dc)
650         };
651
652         return &critical_sizes;
653 }
654
655 _PUBLIC_ NTSTATUS auth4_init(void)
656 {
657         static bool initialized = false;
658 #define _MODULE_PROTO(init) extern NTSTATUS init(void);
659         STATIC_auth4_MODULES_PROTO;
660         init_module_fn static_init[] = { STATIC_auth4_MODULES };
661         
662         if (initialized) return NT_STATUS_OK;
663         initialized = true;
664         
665         run_init_functions(static_init);
666         
667         return NT_STATUS_OK;    
668 }