From f5963aad18de80e837448cbc29feb52081897667 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 21 Jul 2011 17:06:17 +1000 Subject: [PATCH] s4-auth Move conversion of security_token to unix_token to auth This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell --- source4/auth/auth.h | 2 + source4/auth/ntlm/auth.c | 29 +++++++-- source4/auth/ntlm/wscript_build | 2 +- source4/auth/session.c | 2 +- source4/auth/unix_token.c | 91 +++++++++++++++++++++++++++++ source4/auth/wscript_build | 6 ++ source4/ntvfs/unixuid/vfs_unixuid.c | 56 +----------------- source4/ntvfs/unixuid/wscript_build | 2 +- 8 files changed, 129 insertions(+), 61 deletions(-) create mode 100644 source4/auth/unix_token.c diff --git a/source4/auth/auth.h b/source4/auth/auth.h index caab230a46e..ac2327df9de 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -157,7 +157,9 @@ struct auth_critical_sizes { const struct auth_usersupplied_info *user_info_in, const struct auth_usersupplied_info **user_info_encrypted); +struct wbc_context; #include "auth/session.h" +#include "auth/unix_token_proto.h" #include "auth/system_session_proto.h" #include "libcli/security/security.h" diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index d2464c3cbf6..7006125d162 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -26,7 +26,7 @@ #include "auth/ntlm/auth_proto.h" #include "param/param.h" #include "dsdb/samdb/samdb.h" - +#include "libcli/wbclient/wbclient.h" /*************************************************************************** Set a fixed challenge @@ -407,16 +407,35 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, } /* Wrapper because we don't want to expose all callers to needing to - * know that session_info is generated from the main ldb */ + * know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */ static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **session_info) { - return auth_generate_session_info(mem_ctx, auth_context->lp_ctx, - auth_context->sam_ctx, user_info_dc, - session_info_flags, session_info); + NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx, + auth_context->sam_ctx, user_info_dc, + session_info_flags, session_info); + if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN) + && NT_STATUS_IS_OK(status)) { + struct wbc_context *wbc_ctx = wbc_init(auth_context, + auth_context->msg_ctx, + auth_context->event_ctx); + if (!wbc_ctx) { + TALLOC_FREE(*session_info); + DEBUG(1, ("Cannot contact winbind to provide unix token")); + return NT_STATUS_INVALID_SERVER_STATE; + } + status = security_token_to_unix_token(*session_info, wbc_ctx, + (*session_info)->security_token, + &(*session_info)->unix_token); + if (!NT_STATUS_IS_OK(status)) { + TALLOC_FREE(*session_info); + } + TALLOC_FREE(wbc_ctx); + } + return status; } /*************************************************************************** diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build index d954ec00861..29e54fd3148 100644 --- a/source4/auth/ntlm/wscript_build +++ b/source4/auth/ntlm/wscript_build @@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix', bld.SAMBA_LIBRARY('auth4', source='auth.c auth_util.c auth_simple.c', autoproto='auth_proto.h', - deps='samba-util security samdb credentials UTIL_TEVENT', + deps='samba-util security samdb credentials UTIL_TEVENT LIBWBCLIENT_OLD auth_unix_token', private_library=True ) diff --git a/source4/auth/session.c b/source4/auth/session.c index 7a4dc5426b0..805659c5a46 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -32,6 +32,7 @@ #include "auth/session_proto.h" #include "system/kerberos.h" #include +#include "libcli/wbclient/wbclient.h" _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) @@ -335,4 +336,3 @@ void auth_session_info_debug(int dbg_lev, security_token_debug(0, dbg_lev, session_info->security_token); } - diff --git a/source4/auth/unix_token.c b/source4/auth/unix_token.c new file mode 100644 index 00000000000..3cd67ed79a8 --- /dev/null +++ b/source4/auth/unix_token.c @@ -0,0 +1,91 @@ +/* + Unix SMB/CIFS implementation. + + Deal with unix elements in the security token + + Copyright (C) Andrew Tridgell 2004 + Copyright (C) Andrew Bartlett 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "auth/auth.h" +#include "libcli/wbclient/wbclient.h" + +/* + form a security_unix_token from the current security_token +*/ +NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx, + struct wbc_context *wbc_ctx, + struct security_token *token, + struct security_unix_token **sec) +{ + int i; + NTSTATUS status; + struct id_map *ids; + struct composite_context *ctx; + *sec = talloc(mem_ctx, struct security_unix_token); + + /* we can't do unix security without a user and group */ + if (token->num_sids < 2) { + return NT_STATUS_ACCESS_DENIED; + } + + ids = talloc_array(mem_ctx, struct id_map, token->num_sids); + NT_STATUS_HAVE_NO_MEMORY(ids); + + (*sec)->ngroups = token->num_sids - 2; + (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups); + NT_STATUS_HAVE_NO_MEMORY((*sec)->groups); + + for (i=0;inum_sids;i++) { + ZERO_STRUCT(ids[i].xid); + ids[i].sid = &token->sids[i]; + ids[i].status = ID_UNKNOWN; + } + + ctx = wbc_sids_to_xids_send(wbc_ctx, ids, token->num_sids, ids); + NT_STATUS_HAVE_NO_MEMORY(ctx); + + status = wbc_sids_to_xids_recv(ctx, &ids); + NT_STATUS_NOT_OK_RETURN(status); + + if (ids[0].xid.type == ID_TYPE_BOTH || + ids[0].xid.type == ID_TYPE_UID) { + (*sec)->uid = ids[0].xid.id; + } else { + return NT_STATUS_INVALID_SID; + } + + if (ids[1].xid.type == ID_TYPE_BOTH || + ids[1].xid.type == ID_TYPE_GID) { + (*sec)->gid = ids[1].xid.id; + } else { + return NT_STATUS_INVALID_SID; + } + + for (i=0;i<(*sec)->ngroups;i++) { + if (ids[i+2].xid.type == ID_TYPE_BOTH || + ids[i+2].xid.type == ID_TYPE_GID) { + (*sec)->groups[i] = ids[i+2].xid.id; + } else { + return NT_STATUS_INVALID_SID; + } + } + + TALLOC_FREE(ids); + + return NT_STATUS_OK; +} diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build index d72086e1d93..f7535c41458 100644 --- a/source4/auth/wscript_build +++ b/source4/auth/wscript_build @@ -15,6 +15,12 @@ bld.SAMBA_SUBSYSTEM('auth_session', deps='samdb auth4_sam' ) +bld.SAMBA_SUBSYSTEM('auth_unix_token', + source='unix_token.c', + autoproto='unix_token_proto.h', + public_deps='LIBWBCLIENT_OLD', + ) + bld.SAMBA_SUBSYSTEM('samba_server_gensec', source='samba_server_gensec.c', diff --git a/source4/ntvfs/unixuid/vfs_unixuid.c b/source4/ntvfs/unixuid/vfs_unixuid.c index 02b7cb8db52..0221b4391c1 100644 --- a/source4/ntvfs/unixuid/vfs_unixuid.c +++ b/source4/ntvfs/unixuid/vfs_unixuid.c @@ -164,60 +164,10 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs, struct security_unix_token **sec) { struct unixuid_private *priv = ntvfs->private_data; - int i; - NTSTATUS status; - struct id_map *ids; - struct composite_context *ctx; - *sec = talloc(req, struct security_unix_token); - - /* we can't do unix security without a user and group */ - if (token->num_sids < 2) { - return NT_STATUS_ACCESS_DENIED; - } - - ids = talloc_array(req, struct id_map, token->num_sids); - NT_STATUS_HAVE_NO_MEMORY(ids); - - (*sec)->ngroups = token->num_sids - 2; - (*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups); - NT_STATUS_HAVE_NO_MEMORY((*sec)->groups); - - for (i=0;inum_sids;i++) { - ZERO_STRUCT(ids[i].xid); - ids[i].sid = &token->sids[i]; - ids[i].status = ID_UNKNOWN; - } - - ctx = wbc_sids_to_xids_send(priv->wbc_ctx, ids, token->num_sids, ids); - NT_STATUS_HAVE_NO_MEMORY(ctx); - - status = wbc_sids_to_xids_recv(ctx, &ids); - NT_STATUS_NOT_OK_RETURN(status); - if (ids[0].xid.type == ID_TYPE_BOTH || - ids[0].xid.type == ID_TYPE_UID) { - (*sec)->uid = ids[0].xid.id; - } else { - return NT_STATUS_INVALID_SID; - } - - if (ids[1].xid.type == ID_TYPE_BOTH || - ids[1].xid.type == ID_TYPE_GID) { - (*sec)->gid = ids[1].xid.id; - } else { - return NT_STATUS_INVALID_SID; - } - - for (i=0;i<(*sec)->ngroups;i++) { - if (ids[i+2].xid.type == ID_TYPE_BOTH || - ids[i+2].xid.type == ID_TYPE_GID) { - (*sec)->groups[i] = ids[i+2].xid.id; - } else { - return NT_STATUS_INVALID_SID; - } - } - - return NT_STATUS_OK; + return security_token_to_unix_token(req, + priv->wbc_ctx, + token, sec); } /* diff --git a/source4/ntvfs/unixuid/wscript_build b/source4/ntvfs/unixuid/wscript_build index fe5620886a9..3a7570956b6 100644 --- a/source4/ntvfs/unixuid/wscript_build +++ b/source4/ntvfs/unixuid/wscript_build @@ -4,6 +4,6 @@ bld.SAMBA_MODULE('ntvfs_unixuid', source='vfs_unixuid.c', subsystem='ntvfs', init_function='ntvfs_unixuid_init', - deps='samdb' + deps='auth_unix_token' ) -- 2.34.1