#include "auth/ntlm/auth_proto.h"
#include "param/param.h"
#include "dsdb/samdb/samdb.h"
-
+#include "libcli/wbclient/wbclient.h"
/***************************************************************************
Set a fixed challenge
***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by)
+_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by)
{
auth_ctx->challenge.set_by = talloc_strdup(auth_ctx, set_by);
NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.set_by);
/***************************************************************************
Set a fixed challenge
***************************************************************************/
-_PUBLIC_ bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
+_PUBLIC_ bool auth_challenge_may_be_modified(struct auth4_context *auth_ctx)
{
return auth_ctx->challenge.may_be_modified;
}
Try to get a challenge out of the various authentication modules.
Returns a const char of length 8 bytes.
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8])
+_PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
{
NTSTATUS nt_status;
struct auth_method_context *method;
Supply either a principal or a DN
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_ctx,
+_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
+ struct auth4_context *auth_ctx,
const char *principal,
struct ldb_dn *user_dn,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
NTSTATUS nt_status;
struct auth_method_context *method;
for (method = auth_ctx->methods; method; method = method->next) {
- if (!method->ops->get_server_info_principal) {
+ if (!method->ops->get_user_info_dc_principal) {
continue;
}
- nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
+ nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- break;
+ return nt_status;
}
- return NT_STATUS_OK;
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/**
* (sync version)
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
* @param user_info Contains the user supplied components, including the passwords.
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-_PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
+_PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
struct tevent_req *subreq;
struct tevent_context *ev;
return NT_STATUS_INTERNAL_ERROR;
}
- status = auth_check_password_recv(subreq, mem_ctx, server_info);
+ status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
TALLOC_FREE(subreq);
return status;
}
struct auth_check_password_state {
- struct auth_context *auth_ctx;
+ struct auth4_context *auth_ctx;
const struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
struct auth_method_context *method;
};
* async send hook
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
_PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- struct auth_context *auth_ctx,
+ struct auth4_context *auth_ctx,
const struct auth_usersupplied_info *user_info)
{
struct tevent_req *req;
status = method->ops->check_password(method,
state,
state->user_info,
- &state->server_info);
+ &state->user_info_dc);
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
/* the backend has handled the request */
break;
* Check a user's Plaintext, LM or NTLM password.
* async receive function
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
* @param req The async request state
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc)
{
struct auth_check_password_state *state =
tevent_req_data(req, struct auth_check_password_state);
DEBUG(5,("auth_check_password_recv: "
"%s authentication for user [%s\\%s] succeeded\n",
state->method->ops->name,
- state->server_info->domain_name,
- state->server_info->account_name));
+ state->user_info_dc->info->domain_name,
+ state->user_info_dc->info->account_name));
- *server_info = talloc_move(mem_ctx, &state->server_info);
+ *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
tevent_req_received(req);
return NT_STATUS_OK;
}
/* Wrapper because we don't want to expose all callers to needing to
- * know that session_info is generated from the main ldb */
+ * know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct auth4_context *auth_context,
+ struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
- return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
- auth_context->sam_ctx, server_info,
- session_info_flags, session_info);
+ NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, user_info_dc,
+ session_info_flags, session_info);
+ if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
+ && NT_STATUS_IS_OK(status)) {
+ struct wbc_context *wbc_ctx = wbc_init(auth_context,
+ auth_context->msg_ctx,
+ auth_context->event_ctx);
+ if (!wbc_ctx) {
+ TALLOC_FREE(*session_info);
+ DEBUG(1, ("Cannot contact winbind to provide unix token"));
+ return NT_STATUS_INVALID_SERVER_STATE;
+ }
+ status = security_token_to_unix_token(*session_info, wbc_ctx,
+ (*session_info)->security_token,
+ &(*session_info)->unix_token);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(*session_info);
+ }
+ TALLOC_FREE(wbc_ctx);
+ }
+ return status;
}
/***************************************************************************
***************************************************************************/
_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
struct tevent_context *ev,
- struct messaging_context *msg,
+ struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
struct ldb_context *sam_ctx,
- struct auth_context **auth_ctx)
+ struct auth4_context **auth_ctx)
{
int i;
- struct auth_context *ctx;
-
- auth_init();
+ struct auth4_context *ctx;
- if (!methods) {
- DEBUG(0,("auth_context_create: No auth method list!?\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
+ auth4_init();
if (!ev) {
DEBUG(0,("auth_context_create: called with out event context\n"));
return NT_STATUS_INTERNAL_ERROR;
}
- ctx = talloc(mem_ctx, struct auth_context);
+ ctx = talloc(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
ctx->challenge.set_by = NULL;
ctx->challenge.may_be_modified = false;
ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx), 0);
}
- for (i=0; methods[i] ; i++) {
+ for (i=0; methods && methods[i] ; i++) {
struct auth_method_context *method;
method = talloc(ctx, struct auth_method_context);
DLIST_ADD_END(ctx->methods, method, struct auth_method_context *);
}
- if (!ctx->methods) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
ctx->check_password = auth_check_password;
ctx->get_challenge = auth_get_challenge;
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
- ctx->get_server_info_principal = auth_get_server_info_principal;
+ ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
ctx->generate_session_info = auth_generate_session_info_wrapper;
*auth_ctx = ctx;
return NT_STATUS_OK;
}
-static const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
+const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
- const char **auth_methods = NULL;
+ char **auth_methods = NULL;
+
switch (lpcfg_server_role(lp_ctx)) {
case ROLE_STANDALONE:
- auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "standalone", NULL);
+ auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
break;
case ROLE_DOMAIN_MEMBER:
- auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "member server", NULL);
+ auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
break;
- case ROLE_DOMAIN_CONTROLLER:
- auth_methods = lpcfg_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
break;
}
- return auth_methods;
+ return (const char **) auth_methods;
}
/***************************************************************************
***************************************************************************/
_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- struct messaging_context *msg,
+ struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
- struct auth_context **auth_ctx)
+ struct auth4_context **auth_ctx)
{
NTSTATUS status;
const char **auth_methods;
This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
*/
-NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx)
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth4_context **auth_ctx)
{
NTSTATUS status;
const char **auth_methods;
const struct auth_critical_sizes *auth_interface_version(void)
{
static const struct auth_critical_sizes critical_sizes = {
- AUTH_INTERFACE_VERSION,
+ AUTH4_INTERFACE_VERSION,
sizeof(struct auth_operations),
sizeof(struct auth_method_context),
- sizeof(struct auth_context),
+ sizeof(struct auth4_context),
sizeof(struct auth_usersupplied_info),
- sizeof(struct auth_serversupplied_info)
+ sizeof(struct auth_user_info_dc)
};
return &critical_sizes;
}
-_PUBLIC_ NTSTATUS auth_init(void)
+_PUBLIC_ NTSTATUS auth4_init(void)
{
static bool initialized = false;
#define _MODULE_PROTO(init) extern NTSTATUS init(void);
- STATIC_auth_MODULES_PROTO;
- init_module_fn static_init[] = { STATIC_auth_MODULES };
+ STATIC_auth4_MODULES_PROTO;
+ init_module_fn static_init[] = { STATIC_auth4_MODULES };
if (initialized) return NT_STATUS_OK;
initialized = true;