s4-auth Move conversion of security_token to unix_token to auth
authorAndrew Bartlett <abartlet@samba.org>
Thu, 21 Jul 2011 07:06:17 +0000 (17:06 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 29 Jul 2011 02:24:07 +0000 (04:24 +0200)
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
source4/auth/auth.h
source4/auth/ntlm/auth.c
source4/auth/ntlm/wscript_build
source4/auth/session.c
source4/auth/unix_token.c [new file with mode: 0644]
source4/auth/wscript_build
source4/ntvfs/unixuid/vfs_unixuid.c
source4/ntvfs/unixuid/wscript_build

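--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -157,7 +157,9 @@ struct auth_critical_sizes {
                            const struct auth_usersupplied_info *user_info_in,
                            const struct auth_usersupplied_info **user_info_encrypted);
 
+struct wbc_context;
 #include "auth/session.h"
+#include "auth/unix_token_proto.h"
 #include "auth/system_session_proto.h"
 #include "libcli/security/security.h"
 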
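--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -26,7 +26,7 @@
 #include "auth/ntlm/auth_proto.h"
 #include "param/param.h"
 #include "dsdb/samdb/samdb.h"
-
+#include "libcli/wbclient/wbclient.h"
 
 /***************************************************************************
  Set a fixed challenge
@@ -407,16 +407,35 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 }
 
 /* Wrapper because we don't want to expose all callers to needing to
- * know that session_info is generated from the main ldb */
+ * know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */
 static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
                                                   struct auth4_context *auth_context,
                                                   struct auth_user_info_dc *user_info_dc,
                                                   uint32_t session_info_flags,
                                                   struct auth_session_info **session_info)
 {
-       return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
-                                         auth_context->sam_ctx, user_info_dc,
-                                         session_info_flags, session_info);
+       NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+                                                    auth_context->sam_ctx, user_info_dc,
+                                                    session_info_flags, session_info);
+       if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
+           && NT_STATUS_IS_OK(status)) {
+               struct wbc_context *wbc_ctx = wbc_init(auth_context,
+                                                      auth_context->msg_ctx,
+                                                      auth_context->event_ctx);
+               if (!wbc_ctx) {
+                       TALLOC_FREE(*session_info);
+                       DEBUG(1, ("Cannot contact winbind to provide unix token"));
+                       return NT_STATUS_INVALID_SERVER_STATE;
+               }
+               status = security_token_to_unix_token(*session_info, wbc_ctx,
+                                                     (*session_info)->security_token,
+                                                     &(*session_info)->unix_token);
+               if (!NT_STATUS_IS_OK(status)) {
+                       TALLOC_FREE(*session_info);
+               }
+               TALLOC_FREE(wbc_ctx);
+       }
+       return status;
 }
 
 /***************************************************************************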
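Review bot: The failure log in auth_generate_session_info_wrapper, `DEBUG(1, ("Cannot contact winbind to provide unix token"));`, has no trailing newline, so the next debug message is appended to the same line; it also names neither the account nor the reason, which makes a refused logon hard to triage from the log. Suggest `DEBUG(1, ("Cannot contact winbind to provide unix token, refusing session\n"));` and, if the account name is reachable from `*session_info` at this point, include it in the message before the struct is freed. Refusing the session with NT_STATUS_INVALID_SERVER_STATE when the unix token was requested but cannot be produced is the right fail-closed choice and is worth a one-line comment saying so. The new header comment misspells "dependency" (`depenency`). wbc_init() is called for every session-info generation and freed immediately afterwards; if establishing a winbind context is expensive, that cost is now on every authentication that asks for a unix token — worth confirming, as the cost is not visible here.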
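--- a/source4/auth/ntlm/wscript_build
+++ b/source4/auth/ntlm/wscript_build
@@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix',
 bld.SAMBA_LIBRARY('auth4',
        source='auth.c auth_util.c auth_simple.c',
        autoproto='auth_proto.h',
-       deps='samba-util security samdb credentials UTIL_TEVENT',
+       deps='samba-util security samdb credentials UTIL_TEVENT LIBWBCLIENT_OLD auth_unix_token',
        private_library=True
        )
 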
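--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -32,6 +32,7 @@
 #include "auth/session_proto.h"
 #include "system/kerberos.h"
 #include <gssapi/gssapi.h>
+#include "libcli/wbclient/wbclient.h"
 
 _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, 
                                            struct loadparm_context *lp_ctx)
@@ -335,4 +336,3 @@ void auth_session_info_debug(int dbg_lev,
 
        security_token_debug(0, dbg_lev, session_info->security_token);
 }
-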
diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c
new file mode 100644 (file)
index 0000000..3cd67ed
--- /dev/null
@@ -0,0 +1,91 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   Deal with unix elements in the security token
+
+   Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Andrew Bartlett 2011
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "libcli/wbclient/wbclient.h"
+
+/*
+  form a security_unix_token from the current security_token
+*/
+NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
+                                     struct wbc_context *wbc_ctx,
+                                     struct security_token *token,
+                                     struct security_unix_token **sec)
+{
+       int i;
+       NTSTATUS status;
+       struct id_map *ids;
+       struct composite_context *ctx;
+       *sec = talloc(mem_ctx, struct security_unix_token);
+
+       /* we can't do unix security without a user and group */
+       if (token->num_sids < 2) {
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+       ids = talloc_array(mem_ctx, struct id_map, token->num_sids);
+       NT_STATUS_HAVE_NO_MEMORY(ids);
+
+       (*sec)->ngroups = token->num_sids - 2;
+       (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
+       NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
+
+       for (i=0;i<token->num_sids;i++) {
+               ZERO_STRUCT(ids[i].xid);
+               ids[i].sid = &token->sids[i];
+               ids[i].status = ID_UNKNOWN;
+       }
+
+       ctx = wbc_sids_to_xids_send(wbc_ctx, ids, token->num_sids, ids);
+       NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+       status = wbc_sids_to_xids_recv(ctx, &ids);
+       NT_STATUS_NOT_OK_RETURN(status);
+
+       if (ids[0].xid.type == ID_TYPE_BOTH ||
+           ids[0].xid.type == ID_TYPE_UID) {
+               (*sec)->uid = ids[0].xid.id;
+       } else {
+               return NT_STATUS_INVALID_SID;
+       }
+
+       if (ids[1].xid.type == ID_TYPE_BOTH ||
+           ids[1].xid.type == ID_TYPE_GID) {
+               (*sec)->gid = ids[1].xid.id;
+       } else {
+               return NT_STATUS_INVALID_SID;
+       }
+
+       for (i=0;i<(*sec)->ngroups;i++) {
+               if (ids[i+2].xid.type == ID_TYPE_BOTH ||
+                   ids[i+2].xid.type == ID_TYPE_GID) {
+                       (*sec)->groups[i] = ids[i+2].xid.id;
+               } else {
+                       return NT_STATUS_INVALID_SID;
+               }
+       }
+
+       TALLOC_FREE(ids);
+
+       return NT_STATUS_OK;
+}
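Review bot: `*sec = talloc(mem_ctx, struct security_unix_token);` at the top of security_token_to_unix_token is neither NULL-checked nor zeroed, and it runs before the `num_sids < 2` check, so every NT_STATUS_ACCESS_DENIED and NT_STATUS_INVALID_SID return hands the caller an allocated token whose uid and gid are uninitialized stack-of-heap garbage; a caller that uses *sec without checking the status would switch to unpredictable credentials. Move the allocation below the sanity check and write it as `*sec = talloc_zero(mem_ctx, struct security_unix_token);` followed by `NT_STATUS_HAVE_NO_MEMORY(*sec);`, and on the three error returns free the partial token with `TALLOC_FREE(*sec);` so a failure never leaves a usable-looking unix token behind. The `ids` array is likewise only released on the success path; it hangs off mem_ctx so this is bounded, but a single cleanup label would cover both cases. If `token->num_sids` is an unsigned count, the `int i` loop counters should match its type to avoid the signed/unsigned comparison. The mapping checks that reject anything other than ID_TYPE_UID/ID_TYPE_GID/ID_TYPE_BOTH are the right fail-closed behaviour and deserve a one-line comment saying an unmapped SID is a hard error rather than a skipped group.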
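--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -15,6 +15,12 @@ bld.SAMBA_SUBSYSTEM('auth_session',
        deps='samdb auth4_sam'
        )
 
+bld.SAMBA_SUBSYSTEM('auth_unix_token',
+       source='unix_token.c',
+       autoproto='unix_token_proto.h',
+       public_deps='LIBWBCLIENT_OLD',
+       )
+
 
 bld.SAMBA_SUBSYSTEM('samba_server_gensec',
        source='samba_server_gensec.c',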
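--- a/source4/ntvfs/unixuid/vfs_unixuid.c
+++ b/source4/ntvfs/unixuid/vfs_unixuid.c
@@ -164,60 +164,10 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
                                          struct security_unix_token **sec)
 {
        struct unixuid_private *priv = ntvfs->private_data;
-       int i;
-       NTSTATUS status;
-       struct id_map *ids;
-       struct composite_context *ctx;
-       *sec = talloc(req, struct security_unix_token);
-
-       /* we can't do unix security without a user and group */
-       if (token->num_sids < 2) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
-       ids = talloc_array(req, struct id_map, token->num_sids);
-       NT_STATUS_HAVE_NO_MEMORY(ids);
-
-       (*sec)->ngroups = token->num_sids - 2;
-       (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
-       NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
-
-       for (i=0;i<token->num_sids;i++) {
-               ZERO_STRUCT(ids[i].xid);
-               ids[i].sid = &token->sids[i];
-               ids[i].status = ID_UNKNOWN;
-       }
-
-       ctx = wbc_sids_to_xids_send(priv->wbc_ctx, ids, token->num_sids, ids);
-       NT_STATUS_HAVE_NO_MEMORY(ctx);
-
-       status = wbc_sids_to_xids_recv(ctx, &ids);
-       NT_STATUS_NOT_OK_RETURN(status);
 
-       if (ids[0].xid.type == ID_TYPE_BOTH ||
-           ids[0].xid.type == ID_TYPE_UID) {
-               (*sec)->uid = ids[0].xid.id;
-       } else {
-               return NT_STATUS_INVALID_SID;
-       }
-
-       if (ids[1].xid.type == ID_TYPE_BOTH ||
-           ids[1].xid.type == ID_TYPE_GID) {
-               (*sec)->gid = ids[1].xid.id;
-       } else {
-               return NT_STATUS_INVALID_SID;
-       }
-
-       for (i=0;i<(*sec)->ngroups;i++) {
-               if (ids[i+2].xid.type == ID_TYPE_BOTH ||
-                   ids[i+2].xid.type == ID_TYPE_GID) {
-                       (*sec)->groups[i] = ids[i+2].xid.id;
-               } else {
-                       return NT_STATUS_INVALID_SID;
-               }
-       }
-
-       return NT_STATUS_OK;
+       return security_token_to_unix_token(req,
+                                           priv->wbc_ctx,
+                                           token, sec);
 }
 
 /*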
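--- a/source4/ntvfs/unixuid/wscript_build
+++ b/source4/ntvfs/unixuid/wscript_build
@@ -4,6 +4,6 @@ bld.SAMBA_MODULE('ntvfs_unixuid',
        source='vfs_unixuid.c',
        subsystem='ntvfs',
        init_function='ntvfs_unixuid_init',
-       deps='samdb'
+       deps='auth_unix_token'
        )
 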