#include "librpc/rpc/dcerpc.h"
#include "auth/credentials/credentials.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_proto.h"
+#include "auth/auth.h"
+#include "auth/system_session_proto.h"
#include "param/param.h"
+#include "lib/util/tsort.h"
/* the list of currently registered GENSEC backends */
static struct gensec_security_ops **generic_security_ops;
bool gensec_security_ops_enabled(struct gensec_security_ops *ops, struct gensec_security *security)
{
- return lp_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
+ return lpcfg_parm_bool(security->settings->lp_ctx, NULL, "gensec", ops->name, ops->enabled);
}
/* Sometimes we want to force only kerberos, sometimes we want to
@param mem_ctx The parent TALLOC memory context.
@param gensec_security Returned GENSEC context pointer.
@note The mem_ctx is only a parent and may be NULL.
- @note, the auth context is moved to be a child of the
+ @note, the auth context is moved to be a referenced pointer of the
@ gensec_security return
*/
static NTSTATUS gensec_start(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_settings *settings,
- struct auth_context *auth_context,
+ struct auth4_context *auth_context,
struct gensec_security **gensec_security)
{
if (ev == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
- (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+ (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
- (*gensec_security)->ops = NULL;
- (*gensec_security)->local_addr = NULL;
- (*gensec_security)->remote_addr = NULL;
- (*gensec_security)->private_data = NULL;
-
- ZERO_STRUCT((*gensec_security)->target);
-
- (*gensec_security)->subcontext = false;
- (*gensec_security)->want_features = 0;
-
(*gensec_security)->event_ctx = ev;
SMB_ASSERT(settings->lp_ctx != NULL);
(*gensec_security)->settings = talloc_reference(*gensec_security, settings);
- (*gensec_security)->auth_context = talloc_steal(*gensec_security, auth_context);
+
+ /* We need to reference this, not steal, as the caller may be
+ * python, which won't like it if we steal it's object away
+ * from it */
+ (*gensec_security)->auth_context = talloc_reference(*gensec_security, auth_context);
return NT_STATUS_OK;
}
struct gensec_security *parent,
struct gensec_security **gensec_security)
{
- (*gensec_security) = talloc(mem_ctx, struct gensec_security);
+ (*gensec_security) = talloc_zero(mem_ctx, struct gensec_security);
NT_STATUS_HAVE_NO_MEMORY(*gensec_security);
(**gensec_security) = *parent;
return status;
}
+
+
/**
Start the GENSEC system, in server mode, returning a context pointer.
@param mem_ctx The parent TALLOC memory context.
_PUBLIC_ NTSTATUS gensec_server_start(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct gensec_settings *settings,
- struct auth_context *auth_context,
+ struct auth4_context *auth_context,
struct gensec_security **gensec_security)
{
NTSTATUS status;
if (gensec_security->ops->client_start) {
status = gensec_security->ops->client_start(gensec_security);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(2, ("Failed to start GENSEC client mech %s: %s\n",
+ DEBUG(gensec_security->subcontext?4:2, ("Failed to start GENSEC client mech %s: %s\n",
gensec_security->ops->name, nt_errstr(status)));
}
return status;
}
return oid_string;
}
-
-/**
- * Start a GENSEC sub-mechanism with a specifed mechansim structure, used in SPNEGO
+/**
+ * Start a GENSEC sub-mechanism with a specified mechansim structure, used in SPNEGO
*
*/
return gensec_security->remote_addr;
}
-
/**
* Set the target principal (assuming it it known, say from the SPNEGO reply)
* - ensures it is talloc()ed
*
*/
-NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
+_PUBLIC_ NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal)
{
gensec_security->target.principal = talloc_strdup(gensec_security, principal);
if (!gensec_security->target.principal) {
return NULL;
}
+NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
+ struct gensec_security *gensec_security,
+ struct auth_user_info_dc *user_info_dc,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ uint32_t session_info_flags = 0;
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ if (gensec_security->auth_context) {
+ nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+ user_info_dc,
+ session_info_flags,
+ session_info);
+ } else {
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx,
+ NULL,
+ NULL,
+ user_info_dc, session_info_flags,
+ session_info);
+ }
+ return nt_status;
+}
+
/*
register a GENSEC backend.
int gensec_setting_int(struct gensec_settings *settings, const char *mechanism, const char *name, int default_value)
{
- return lp_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
+ return lpcfg_parm_int(settings->lp_ctx, NULL, mechanism, name, default_value);
}
bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism, const char *name, bool default_value)
{
- return lp_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
+ return lpcfg_parm_bool(settings->lp_ctx, NULL, mechanism, name, default_value);
}
/*
initialise the GENSEC subsystem
*/
-_PUBLIC_ NTSTATUS gensec_init(struct loadparm_context *lp_ctx)
+_PUBLIC_ NTSTATUS gensec_init(void)
{
static bool initialized = false;
- extern NTSTATUS gensec_sasl_init(void);
- extern NTSTATUS gensec_krb5_init(void);
- extern NTSTATUS gensec_schannel_init(void);
- extern NTSTATUS gensec_spnego_init(void);
- extern NTSTATUS gensec_gssapi_init(void);
- extern NTSTATUS gensec_ntlmssp_init(void);
-
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+ STATIC_gensec_MODULES_PROTO;
init_module_fn static_init[] = { STATIC_gensec_MODULES };
init_module_fn *shared_init;
if (initialized) return NT_STATUS_OK;
initialized = true;
- shared_init = load_samba_modules(NULL, lp_ctx, "gensec");
+ shared_init = load_samba_modules(NULL, "gensec");
run_init_functions(static_init);
run_init_functions(shared_init);
talloc_free(shared_init);
- qsort(generic_security_ops, gensec_num_backends, sizeof(*generic_security_ops), QSORT_CAST sort_gensec);
+ TYPESAFE_QSORT(generic_security_ops, gensec_num_backends, sort_gensec);
return NT_STATUS_OK;
}