s3-auth: Follow auth_ntlmssp and use auth4_context for Session Setup
authorAndrew Bartlett <abartlet@samba.org>
Fri, 3 Feb 2012 06:09:37 +0000 (17:09 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 8 Mar 2012 09:14:05 +0000 (10:14 +0100)
This patch ensures consistency in behaviour between NTLMSSP and NTLM
session setup handlers.  By calling the same layer that auth_ntlmssp
calls, we can not only allow redirection of all authentication to the
AD DC, we ensure that map to guest and username map handling is
consistent, even in the file server alone.

Andrew Bartlett

source3/auth/auth_util.c
source3/smbd/globals.h
source3/smbd/negprot.c
source3/smbd/sesssetup.c

index 06aa9c51084fdcde5a74471a1aed7dfcb7c0b29c..21a8642751a61c00857c84ce8bd14675707e2f32 100644 (file)
@@ -347,8 +347,8 @@ bool make_user_info_for_reply(struct auth_usersupplied_info **user_info,
                return false;
        }
 
-       ret = make_user_info_map(
-               user_info, smb_name, client_domain, 
+       ret = make_user_info(
+               user_info, smb_name, smb_name, client_domain, client_domain, 
                get_remote_machine_name(),
                remote_address,
                local_lm_blob.data ? &local_lm_blob : NULL,
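Review bot: The switch from make_user_info_map() to make_user_info() at L24-L27 passes smb_name twice and client_domain twice, as both the client-supplied and the internal values, with nothing saying why; the next reader will read it as a copy-paste slip and "fix" it. A comment above the call would pin the intent the commit message states, e.g. `/* No name mapping here: username map and map-to-guest are applied by the auth4_context layer the caller checks against, so the raw client name and domain are passed as both the client and the internal values. */`. The same applies to make_user_info_for_reply_enc in the next hunk of this file. The trailing whitespace after `client_domain, ` on the new lines should also be dropped.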
@@ -376,14 +376,14 @@ NTSTATUS make_user_info_for_reply_enc(struct auth_usersupplied_info **user_info,
                                      const struct tsocket_address *remote_address,
                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
 {
-       return make_user_info_map(user_info, smb_name, 
-                                 client_domain, 
-                                 get_remote_machine_name(),
-                                 remote_address,
-                                 lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
-                                 nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
-                                 NULL, NULL, NULL,
-                                 AUTH_PASSWORD_RESPONSE);
+       return make_user_info(user_info, smb_name, smb_name, 
+                             client_domain, client_domain, 
+                             get_remote_machine_name(),
+                             remote_address,
+                             lm_resp.data && (lm_resp.length > 0) ? &lm_resp : NULL,
+                             nt_resp.data && (nt_resp.length > 0) ? &nt_resp : NULL,
+                             NULL, NULL, NULL,
+                             AUTH_PASSWORD_RESPONSE);
 }
 
 /****************************************************************************
index bfa649b98bc877aa1f3a6e0a472d047311a39668..5b65711b990f55e4488d1d12f11c358acb4adecf 100644 (file)
@@ -509,7 +509,7 @@ struct smbd_server_connection {
                struct {
                        bool encrypted_passwords;
                        bool spnego;
-                       struct auth_context *auth_context;
+                       struct auth4_context *auth_context;
                        bool done;
                        /*
                         * Size of the data we can receive. Set by us.
index 8a6b509fea04824a36ab4d83c06757cbf0598590..e44ac5cb751cb0f0e0b1c9b091b8bb96ef212896 100644 (file)
@@ -44,7 +44,7 @@ static void get_challenge(struct smbd_server_connection *sconn, uint8 buff[8])
        }
 
        DEBUG(10, ("get challenge: creating negprot_global_auth_context\n"));
-       nt_status = make_auth_context_subsystem(
+       nt_status = make_auth4_context(
                sconn, &sconn->smb1.negprot.auth_context);
        if (!NT_STATUS_IS_OK(nt_status)) {
                DEBUG(0, ("make_auth_context_subsystem returned %s",
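Review bot: The failure message on the last line of the hunk still names make_auth_context_subsystem although the call two lines above is now make_auth4_context, so anyone reading a log for this failure is pointed at a function that is no longer called here; change it to `DEBUG(0, ("make_auth4_context returned %s",`. get_challenge's body continues past the hunk, so check whether the rest of that message (or a later one) also carries the old name.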
index da306b97bc732cabe4dfdb6ac4ec769b60671511..b2e1f2421fc8d2a6b97d7151cb936b125f3288f0 100644 (file)
@@ -77,31 +77,33 @@ static int push_signature(uint8 **outbuf)
 ****************************************************************************/
 
 static NTSTATUS check_guest_password(const struct tsocket_address *remote_address,
-                                    struct auth_serversupplied_info **server_info)
+                                    TALLOC_CTX *mem_ctx, 
+                                    struct auth_session_info **session_info)
 {
-       struct auth_context *auth_context;
+       struct auth4_context *auth_context;
        struct auth_usersupplied_info *user_info = NULL;
-
+       uint8_t chal[8];
        NTSTATUS nt_status;
-       static unsigned char chal[8] = { 0, };
 
        DEBUG(3,("Got anonymous request\n"));
 
-       nt_status = make_auth_context_fixed(talloc_tos(), &auth_context, chal);
+       nt_status = make_auth4_context(talloc_tos(), &auth_context);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
 
+       auth_context->get_ntlm_challenge(auth_context,
+                                        chal);
+
        if (!make_user_info_guest(remote_address, &user_info)) {
                TALLOC_FREE(auth_context);
                return NT_STATUS_NO_MEMORY;
        }
 
-       nt_status = auth_context->check_ntlm_password(auth_context,
-                                               user_info,
-                                               server_info);
-       TALLOC_FREE(auth_context);
+       nt_status = auth_check_password_session_info(auth_context, 
+                                                    mem_ctx, user_info, session_info);
        free_user_info(&user_info);
+       TALLOC_FREE(auth_context);
        return nt_status;
 }
 
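Review bot: The return value of auth_context->get_ntlm_challenge() at L99-L100 is discarded, and chal is now an uninitialised stack array (L87) instead of the zeroed static it replaces (L89), so a failure in that call is carried silently into auth_check_password_session_info(). If it returns NTSTATUS like the other calls in this function, capture and check it the same way: `nt_status = auth_context->get_ntlm_challenge(auth_context, chal);` followed by `if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(auth_context); return nt_status; }`. A short comment would also help, because chal is never read afterwards in this function and the call appears to exist only so the context holds a challenge before the check, e.g. `/* chal itself is unused here; the call seeds the context's challenge before the check — confirm */`.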
@@ -396,7 +398,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
        const char *native_lanman;
        const char *primary_domain;
        struct auth_usersupplied_info *user_info = NULL;
-       struct auth_serversupplied_info *server_info = NULL;
        struct auth_session_info *session_info = NULL;
        uint16 smb_flag2 = req->flags2;
 
@@ -671,10 +672,10 @@ void reply_sesssetup_and_X(struct smb_request *req)
 
        if (!*user) {
 
-               nt_status = check_guest_password(sconn->remote_address, &server_info);
+               nt_status = check_guest_password(sconn->remote_address, req, &session_info);
 
        } else if (doencrypt) {
-               struct auth_context *negprot_auth_context = NULL;
+               struct auth4_context *negprot_auth_context = NULL;
                negprot_auth_context = sconn->smb1.negprot.auth_context;
                if (!negprot_auth_context) {
                        DEBUG(0, ("reply_sesssetup_and_X:  Attempted encrypted "
@@ -689,15 +690,13 @@ void reply_sesssetup_and_X(struct smb_request *req)
                                                sconn->remote_address,
                                                lm_resp, nt_resp);
                if (NT_STATUS_IS_OK(nt_status)) {
-                       nt_status = negprot_auth_context->check_ntlm_password(
-                                       negprot_auth_context,
-                                       user_info,
-                                       &server_info);
+                       nt_status = auth_check_password_session_info(negprot_auth_context, 
+                                                                    req, user_info, &session_info);
                }
        } else {
-               struct auth_context *plaintext_auth_context = NULL;
+               struct auth4_context *plaintext_auth_context = NULL;
 
-               nt_status = make_auth_context_subsystem(
+               nt_status = make_auth4_context(
                        talloc_tos(), &plaintext_auth_context);
 
                if (NT_STATUS_IS_OK(nt_status)) {
@@ -715,38 +714,16 @@ void reply_sesssetup_and_X(struct smb_request *req)
                        }
 
                        if (NT_STATUS_IS_OK(nt_status)) {
-                               nt_status = plaintext_auth_context->check_ntlm_password(
-                                               plaintext_auth_context,
-                                               user_info,
-                                               &server_info);
-
-                               TALLOC_FREE(plaintext_auth_context);
+                               nt_status = auth_check_password_session_info(plaintext_auth_context, 
+                                                                            req, user_info, &session_info);
                        }
+                       TALLOC_FREE(plaintext_auth_context);
                }
        }
 
        free_user_info(&user_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
-               nt_status = do_map_to_guest_server_info(nt_status, &server_info,
-                                                       user, domain);
-       }
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               data_blob_free(&nt_resp);
-               data_blob_free(&lm_resp);
-               data_blob_clear_free(&plaintext_password);
-               reply_nterror(req, nt_status_squash(nt_status));
-               END_PROFILE(SMBsesssetupX);
-               return;
-       }
-
-       nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
-       TALLOC_FREE(server_info);
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               DEBUG(10, ("create_local_token failed: %s\n",
-                          nt_errstr(nt_status)));
                data_blob_free(&nt_resp);
                data_blob_free(&lm_resp);
                data_blob_clear_free(&plaintext_password);
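Review bot: With the do_map_to_guest_server_info() and create_local_token() steps removed, a non-OK status from any of the three auth branches now goes straight to the error reply, so the map-to-guest handling the commit message describes has to happen inside auth_check_password_session_info() for all three branches, including the plaintext one introduced at L169-L170; a comment at the `if (!NT_STATUS_IS_OK(nt_status))` check would stop the next reader from hunting for the guest mapping here, e.g. `/* map to guest and username map are applied inside auth_check_password_session_info(); a failure here is final */`. Note also that sub_user, which the removed create_local_token() call consumed, is not passed anywhere visible in the new code — confirm it is still used elsewhere in reply_sesssetup_and_X, otherwise it is now dead. The DEBUG(10) line removed with create_local_token() means a token-creation failure is now reported only through the squashed error reply, so equivalent logging should exist on the auth4 path if that diagnostic matters. reply_sesssetup_and_X continues outside the hunk.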