2b6d5324eed1c808560a22a1e4390678d93b4253
[samba.git] / source4 / auth / auth_util.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 2 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program; if not, write to the Free Software
21    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 */
23
24 #include "includes.h"
25 #include "librpc/gen_ndr/ndr_samr.h"
26 #include "librpc/gen_ndr/ndr_netlogon.h"
27 #include "librpc/gen_ndr/ndr_security.h"
28 #include "auth/auth.h"
29
30 #undef DBGC_CLASS
31 #define DBGC_CLASS DBGC_AUTH
32
33 /****************************************************************************
34  Create an auth_usersupplied_data structure
35 ****************************************************************************/
36 static NTSTATUS make_user_info(TALLOC_CTX *mem_ctx,
37                                struct auth_usersupplied_info **user_info, 
38                                const char *smb_name, 
39                                const char *internal_username,
40                                const char *client_domain, 
41                                const char *domain,
42                                const char *wksta_name, 
43                                DATA_BLOB *lm_password, DATA_BLOB *nt_password,
44                                DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
45                                DATA_BLOB *plaintext, 
46                                BOOL encrypted)
47 {
48
49         DEBUG(5,("attempting to make a user_info for %s (%s)\n", internal_username, smb_name));
50
51         *user_info = talloc_p(mem_ctx, struct auth_usersupplied_info);
52         if (!user_info) {
53                 return NT_STATUS_NO_MEMORY;
54         }
55
56         ZERO_STRUCTP(*user_info);
57
58         DEBUG(5,("making strings for %s's user_info struct\n", internal_username));
59
60         (*user_info)->smb_name.str = talloc_strdup(*user_info, smb_name);
61         if ((*user_info)->smb_name.str) { 
62                 (*user_info)->smb_name.len = strlen(smb_name);
63         } else {
64                 free_user_info(user_info);
65                 return NT_STATUS_NO_MEMORY;
66         }
67         
68         (*user_info)->internal_username.str = talloc_strdup(*user_info, internal_username);
69         if ((*user_info)->internal_username.str) { 
70                 (*user_info)->internal_username.len = strlen(internal_username);
71         } else {
72                 free_user_info(user_info);
73                 return NT_STATUS_NO_MEMORY;
74         }
75
76         (*user_info)->domain.str = talloc_strdup(*user_info, domain);
77         if ((*user_info)->domain.str) { 
78                 (*user_info)->domain.len = strlen(domain);
79         } else {
80                 free_user_info(user_info);
81                 return NT_STATUS_NO_MEMORY;
82         }
83
84         (*user_info)->client_domain.str = talloc_strdup(*user_info, client_domain);
85         if ((*user_info)->client_domain.str) { 
86                 (*user_info)->client_domain.len = strlen(client_domain);
87         } else {
88                 free_user_info(user_info);
89                 return NT_STATUS_NO_MEMORY;
90         }
91
92         (*user_info)->wksta_name.str = talloc_strdup(*user_info, wksta_name);
93         if ((*user_info)->wksta_name.str) { 
94                 (*user_info)->wksta_name.len = strlen(wksta_name);
95         } else {
96                 free_user_info(user_info);
97                 return NT_STATUS_NO_MEMORY;
98         }
99
100         DEBUG(5,("making blobs for %s's user_info struct\n", internal_username));
101
102         if (lm_password)
103                 (*user_info)->lm_resp = data_blob_talloc(*user_info, 
104                                                          lm_password->data, 
105                                                          lm_password->length);
106         if (nt_password)
107                 (*user_info)->nt_resp = data_blob_talloc(*user_info,
108                                                          nt_password->data, 
109                                                          nt_password->length);
110         if (lm_interactive_password)
111                 (*user_info)->lm_interactive_password = 
112                         data_blob_talloc(*user_info,
113                                          lm_interactive_password->data, 
114                                          lm_interactive_password->length);
115         if (nt_interactive_password)
116                 (*user_info)->nt_interactive_password = 
117                         data_blob_talloc(*user_info, 
118                                          nt_interactive_password->data, 
119                                          nt_interactive_password->length);
120
121         if (plaintext)
122                 (*user_info)->plaintext_password = 
123                         data_blob_talloc(*user_info, 
124                                          plaintext->data, 
125                                          plaintext->length);
126
127         (*user_info)->encrypted = encrypted;
128
129         DEBUG(10,("made an %sencrypted user_info for %s (%s)\n", encrypted ? "":"un" , internal_username, smb_name));
130
131         return NT_STATUS_OK;
132 }
133
134 /****************************************************************************
135  Create an auth_usersupplied_data structure after appropriate mapping.
136 ****************************************************************************/
137
138 NTSTATUS make_user_info_map(TALLOC_CTX *mem_ctx,
139                             struct auth_usersupplied_info **user_info, 
140                             const char *smb_name, 
141                             const char *client_domain, 
142                             const char *wksta_name, 
143                             DATA_BLOB *lm_password, DATA_BLOB *nt_password,
144                             DATA_BLOB *lm_interactive_password, DATA_BLOB *nt_interactive_password,
145                             DATA_BLOB *plaintext, 
146                             BOOL encrypted)
147 {
148         const char *domain;
149         
150         DEBUG(5, ("make_user_info_map: Mapping user [%s]\\[%s] from workstation [%s]\n",
151               client_domain, smb_name, wksta_name));
152         
153         /* don't allow "" as a domain, fixes a Win9X bug 
154            where it doens't supply a domain for logon script
155            'net use' commands.                                 */
156
157         if ( *client_domain )
158                 domain = client_domain;
159         else
160                 domain = lp_workgroup();
161
162         /* we know that it is a trusted domain (and we are allowing
163            them) or it is our domain */
164         
165         return make_user_info(mem_ctx, 
166                               user_info, smb_name, smb_name, 
167                               client_domain, domain, wksta_name, 
168                               lm_password, nt_password,
169                               lm_interactive_password, nt_interactive_password,
170                               plaintext, encrypted);
171 }
172
173 /****************************************************************************
174  Create an auth_usersupplied_data, making the DATA_BLOBs here. 
175  Decrypt and encrypt the passwords.
176 ****************************************************************************/
177
178 NTSTATUS make_user_info_netlogon_network(TALLOC_CTX *mem_ctx,
179                                          struct auth_usersupplied_info **user_info, 
180                                          const char *smb_name, 
181                                          const char *client_domain, 
182                                          const char *wksta_name, 
183                                          const uint8_t *lm_network_password, int lm_password_len,
184                                          const uint8_t *nt_network_password, int nt_password_len)
185 {
186         NTSTATUS nt_status;
187         DATA_BLOB lm_blob = data_blob(lm_network_password, lm_password_len);
188         DATA_BLOB nt_blob = data_blob(nt_network_password, nt_password_len);
189
190         nt_status = make_user_info_map(mem_ctx,
191                                        user_info,
192                                        smb_name, client_domain, 
193                                        wksta_name, 
194                                        lm_password_len ? &lm_blob : NULL, 
195                                        nt_password_len ? &nt_blob : NULL,
196                                        NULL, NULL, NULL,
197                                        True);
198         
199         data_blob_free(&lm_blob);
200         data_blob_free(&nt_blob);
201         return nt_status;
202 }
203
204 /****************************************************************************
205  Create an auth_usersupplied_data, making the DATA_BLOBs here. 
206  Decrypt and encrypt the passwords.
207 ****************************************************************************/
208
209 NTSTATUS make_user_info_netlogon_interactive(TALLOC_CTX *mem_ctx,
210                                              struct auth_usersupplied_info **user_info, 
211                                              const char *smb_name, 
212                                              const char *client_domain, 
213                                              const char *wksta_name, 
214                                              const uint8_t chal[8], 
215                                              const struct samr_Password *lm_interactive_password, 
216                                              const struct samr_Password *nt_interactive_password)
217 {
218         NTSTATUS nt_status;
219         DATA_BLOB local_lm_blob;
220         DATA_BLOB local_nt_blob;
221         
222         DATA_BLOB lm_interactive_blob;
223         DATA_BLOB nt_interactive_blob;
224         uint8_t local_lm_response[24];
225         uint8_t local_nt_response[24];
226         
227         SMBOWFencrypt(lm_interactive_password->hash, chal, local_lm_response);
228         SMBOWFencrypt(nt_interactive_password->hash, chal, local_nt_response);
229         
230         local_lm_blob = data_blob(local_lm_response, 
231                                   sizeof(local_lm_response));
232         lm_interactive_blob = data_blob(lm_interactive_password->hash, 
233                                         sizeof(lm_interactive_password->hash));
234         
235         local_nt_blob = data_blob(local_nt_response, 
236                                   sizeof(local_nt_response));
237         nt_interactive_blob = data_blob(nt_interactive_password->hash, 
238                                         sizeof(nt_interactive_password->hash));
239         
240         nt_status = make_user_info_map(mem_ctx,
241                                        user_info, 
242                                        smb_name, client_domain, 
243                                        wksta_name, 
244                                        &local_lm_blob,
245                                        &local_nt_blob,
246                                        &lm_interactive_blob,
247                                        &nt_interactive_blob,
248                                        NULL,
249                                        True);
250         
251         data_blob_free(&local_lm_blob);
252         data_blob_free(&local_nt_blob);
253         data_blob_free(&lm_interactive_blob);
254         data_blob_free(&nt_interactive_blob);
255         return nt_status;
256 }
257 /****************************************************************************
258  Create an auth_usersupplied_data structure
259 ****************************************************************************/
260
261 NTSTATUS make_user_info_for_reply_enc(TALLOC_CTX *mem_ctx,
262                                       struct auth_usersupplied_info **user_info, 
263                                       const char *smb_name,
264                                       const char *client_domain, 
265                                       const char *remote_machine,
266                                       DATA_BLOB lm_resp, DATA_BLOB nt_resp)
267 {
268         return make_user_info_map(mem_ctx,
269                                   user_info, smb_name, 
270                                   client_domain, 
271                                   remote_machine,
272                                   lm_resp.data ? &lm_resp : NULL, 
273                                   nt_resp.data ? &nt_resp : NULL, 
274                                   NULL, NULL, NULL,
275                                   True);
276 }
277
278 /****************************************************************************
279  Create a guest user_info blob, for anonymous authenticaion.
280 ****************************************************************************/
281
282 BOOL make_user_info_guest(TALLOC_CTX *mem_ctx,
283                           struct auth_usersupplied_info **user_info) 
284 {
285         NTSTATUS nt_status;
286
287         nt_status = make_user_info(mem_ctx,
288                                    user_info, 
289                                    "","", 
290                                    "","", 
291                                    "", 
292                                    NULL, NULL, 
293                                    NULL, NULL, 
294                                    NULL,
295                                    True);
296                               
297         return NT_STATUS_IS_OK(nt_status) ? True : False;
298 }
299
300 /****************************************************************************
301  prints a struct security_token to debug output.
302 ****************************************************************************/
303 void debug_security_token(int dbg_class, int dbg_lev, const struct security_token *token)
304 {
305         TALLOC_CTX *mem_ctx;
306
307         size_t     i;
308         
309         if (!token) {
310                 DEBUGC(dbg_class, dbg_lev, ("Security token: (NULL)\n"));
311                 return;
312         }
313         
314         mem_ctx = talloc_init("debug_security_token()");
315         if (!mem_ctx) {
316                 return;
317         }
318
319         DEBUGC(dbg_class, dbg_lev, ("Security token of user %s\n",
320                                     dom_sid_string(mem_ctx, token->user_sid) ));
321         DEBUGADDC(dbg_class, dbg_lev, ("contains %lu SIDs\n", 
322                                        (unsigned long)token->num_sids));
323         for (i = 0; i < token->num_sids; i++) {
324                 DEBUGADDC(dbg_class, dbg_lev, 
325                           ("SID[%3lu]: %s\n", (unsigned long)i, 
326                            dom_sid_string(mem_ctx, token->sids[i])));
327         }
328
329         talloc_destroy(mem_ctx);
330 }
331
332 /****************************************************************************
333  prints a struct auth_session_info security token to debug output.
334 ****************************************************************************/
335 void debug_session_info(int dbg_class, int dbg_lev, 
336                         const struct auth_session_info *session_info)
337 {
338         if (!session_info) {
339                 DEBUGC(dbg_class, dbg_lev, ("Session Info: (NULL)\n"));
340                 return; 
341         }
342
343         debug_security_token(dbg_class, dbg_lev, session_info->security_token);
344 }
345
346 /****************************************************************************
347  Create the SID list for this user.
348 ****************************************************************************/
349 NTSTATUS create_security_token(TALLOC_CTX *mem_ctx, 
350                                struct dom_sid *user_sid, struct dom_sid *group_sid, 
351                                int n_groupSIDs, struct dom_sid **groupSIDs, 
352                                BOOL is_guest, struct security_token **token)
353 {
354         struct security_token *ptoken;
355         int i;
356         NTSTATUS status;
357
358         ptoken = security_token_initialise(mem_ctx);
359         if (ptoken == NULL) {
360                 return NT_STATUS_NO_MEMORY;
361         }
362
363         ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, n_groupSIDs + 5);
364         if (!ptoken->sids) {
365                 return NT_STATUS_NO_MEMORY;
366         }
367
368         ptoken->user_sid = user_sid;
369         ptoken->group_sid = group_sid;
370         ptoken->privilege_mask = 0;
371
372         ptoken->sids[0] = user_sid;
373         ptoken->sids[1] = group_sid;
374
375         /*
376          * Finally add the "standard" SIDs.
377          * The only difference between guest and "anonymous" (which we
378          * don't really support) is the addition of Authenticated_Users.
379          */
380         ptoken->sids[2] = dom_sid_parse_talloc(mem_ctx, SID_WORLD);
381         ptoken->sids[3] = dom_sid_parse_talloc(mem_ctx, SID_NT_NETWORK);
382         ptoken->sids[4] = dom_sid_parse_talloc(mem_ctx, 
383                                                is_guest?SID_BUILTIN_GUESTS:
384                                                SID_NT_AUTHENTICATED_USERS);
385         ptoken->num_sids = 5;
386
387         for (i = 0; i < n_groupSIDs; i++) {
388                 size_t check_sid_idx;
389                 for (check_sid_idx = 1; 
390                      check_sid_idx < ptoken->num_sids; 
391                      check_sid_idx++) {
392                         if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
393                                 break;
394                         }
395                 }
396                 
397                 if (check_sid_idx == ptoken->num_sids) {
398                         ptoken->sids[ptoken->num_sids++] = groupSIDs[i];
399                 }
400         }
401
402         /* setup the privilege mask for this token */
403         status = samdb_privilege_setup(ptoken);
404         if (!NT_STATUS_IS_OK(status)) {
405                 talloc_free(ptoken);
406                 return status;
407         }
408         
409         debug_security_token(DBGC_AUTH, 10, ptoken);
410         
411         *token = ptoken;
412
413         return NT_STATUS_OK;
414 }
415
416 /***************************************************************************
417  Make a user_info struct
418 ***************************************************************************/
419
420 NTSTATUS make_server_info(const TALLOC_CTX *mem_ctx,
421                           struct auth_serversupplied_info **server_info, 
422                           const char *username)
423 {
424         *server_info = talloc_p(mem_ctx, struct auth_serversupplied_info);
425         if (!*server_info) {
426                 return NT_STATUS_NO_MEMORY;
427         }
428         ZERO_STRUCTP(*server_info);
429         
430         return NT_STATUS_OK;
431 }
432
433 /***************************************************************************
434  Make (and fill) a user_info struct for a guest login.
435 ***************************************************************************/
436 NTSTATUS make_server_info_guest(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **server_info)
437 {
438         NTSTATUS nt_status;
439
440         nt_status = make_server_info(mem_ctx, server_info, "");
441
442         if (!NT_STATUS_IS_OK(nt_status)) {
443                 return nt_status;
444         }
445         
446         (*server_info)->guest = True;
447
448         (*server_info)->user_sid = dom_sid_parse_talloc((*server_info), SID_NT_ANONYMOUS);
449         (*server_info)->primary_group_sid = dom_sid_parse_talloc((*server_info), SID_BUILTIN_GUESTS);
450         (*server_info)->n_domain_groups = 0;
451         (*server_info)->domain_groups = NULL;
452         
453         /* annoying, but the Guest really does have a session key, 
454            and it is all zeros! */
455         (*server_info)->user_session_key = data_blob_talloc(*server_info, NULL, 16);
456         (*server_info)->lm_session_key = data_blob_talloc(*server_info, NULL, 16);
457
458         data_blob_clear(&(*server_info)->user_session_key);
459         data_blob_clear(&(*server_info)->lm_session_key);
460
461         (*server_info)->account_name = "";
462         (*server_info)->domain = "";
463         (*server_info)->full_name = "Anonymous";
464         (*server_info)->logon_script = "";
465         (*server_info)->profile_path = "";
466         (*server_info)->home_directory = "";
467         (*server_info)->home_drive = "";
468
469         (*server_info)->last_logon = 0;
470         (*server_info)->last_logoff = 0;
471         (*server_info)->acct_expiry = 0;
472         (*server_info)->last_password_change = 0;
473         (*server_info)->allow_password_change = 0;
474         (*server_info)->force_password_change = 0;
475
476         (*server_info)->logon_count = 0;
477         (*server_info)->bad_password_count = 0;
478
479         (*server_info)->acct_flags = ACB_NORMAL;
480
481         return nt_status;
482 }
483
484 /***************************************************************************
485  Make a server_info struct from the info3 returned by a domain logon 
486 ***************************************************************************/
487
488 NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, 
489                                               const char *internal_username,
490                                               struct auth_serversupplied_info **server_info, 
491                                               uint16 validation_level, 
492                                               union netr_Validation *validation) 
493 {
494         NTSTATUS nt_status;
495         struct netr_SamBaseInfo *base = NULL;
496         switch (validation_level) {
497         case 2:
498                 if (!validation || !validation->sam2) {
499                         return NT_STATUS_INVALID_PARAMETER;
500                 }
501                 base = &validation->sam2->base;
502                 break;
503         case 3:
504                 if (!validation || !validation->sam3) {
505                         return NT_STATUS_INVALID_PARAMETER;
506                 }
507                 base = &validation->sam3->base;
508                 break;
509         case 6:
510                 if (!validation || !validation->sam6) {
511                         return NT_STATUS_INVALID_PARAMETER;
512                 }
513                 base = &validation->sam6->base;
514                 break;
515         default:
516                 return NT_STATUS_INVALID_LEVEL;
517         }
518
519         nt_status = make_server_info(mem_ctx, server_info, internal_username);
520
521         if (!NT_STATUS_IS_OK(nt_status)) {
522                 return nt_status;
523         }
524         
525         (*server_info)->guest = False;
526
527         /* 
528            Here is where we should check the list of
529            trusted domains, and verify that the SID 
530            matches.
531         */
532
533         (*server_info)->user_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->rid);
534         (*server_info)->primary_group_sid = dom_sid_add_rid(*server_info, dom_sid_dup(*server_info, base->domain_sid), base->primary_gid);
535
536         (*server_info)->domain_groups = talloc_array_p((*server_info), struct dom_sid*, base->group_count);
537         if (!(*server_info)->domain_groups) {
538                 return NT_STATUS_NO_MEMORY;
539         }
540         
541         for ((*server_info)->n_domain_groups = 0;
542              (*server_info)->n_domain_groups < base->group_count; 
543              (*server_info)->n_domain_groups++) {
544                 struct dom_sid *sid;
545                 sid = dom_sid_dup((*server_info)->domain_groups, base->domain_sid);
546                 if (!sid) {
547                         return NT_STATUS_NO_MEMORY;
548                 }
549                 (*server_info)->domain_groups[(*server_info)->n_domain_groups]
550                         = dom_sid_add_rid(*server_info, sid, 
551                                           base->groupids[(*server_info)->n_domain_groups].rid);
552                 if (!(*server_info)->domain_groups[(*server_info)->n_domain_groups]) {
553                         return NT_STATUS_NO_MEMORY;
554                 }
555         }
556
557         /* Copy 'other' sids.  We need to do sid filtering here to
558            prevent possible elevation of privileges.  See:
559
560            http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
561          */
562
563         if (validation_level == 3) {
564                 int i;
565                 (*server_info)->domain_groups
566                         = talloc_realloc_p((*server_info), 
567                                            (*server_info)->domain_groups, 
568                                            struct dom_sid*, 
569                                            base->group_count + validation->sam3->sidcount);
570                 
571                 if (!(*server_info)->domain_groups) {
572                         return NT_STATUS_NO_MEMORY;
573                 }
574         
575                 for (i = 0; i < validation->sam3->sidcount; i++) {
576                         (*server_info)->domain_groups[(*server_info)->n_domain_groups + i] = 
577                                 dom_sid_dup((*server_info)->domain_groups, 
578                                             validation->sam3->sids[i].sid);
579                 }
580
581                 /* Where are the 'global' sids?... */
582         }
583
584         if (base->account_name.string) {
585                 (*server_info)->account_name = talloc_reference(*server_info, base->account_name.string);
586         } else {
587                 (*server_info)->account_name = talloc_strdup(*server_info, internal_username);
588         }
589         
590         (*server_info)->domain = talloc_reference(*server_info, base->domain.string);
591         (*server_info)->full_name = talloc_reference(*server_info, base->full_name.string);
592         (*server_info)->logon_script = talloc_reference(*server_info, base->logon_script.string);
593         (*server_info)->profile_path = talloc_reference(*server_info, base->profile_path.string);
594         (*server_info)->home_directory = talloc_reference(*server_info, base->home_directory.string);
595         (*server_info)->home_drive = talloc_reference(*server_info, base->home_drive.string);
596         (*server_info)->last_logon = base->last_logon;
597         (*server_info)->last_logoff = base->last_logoff;
598         (*server_info)->acct_expiry = base->acct_expiry;
599         (*server_info)->last_password_change = base->last_password_change;
600         (*server_info)->allow_password_change = base->allow_password_change;
601         (*server_info)->force_password_change = base->force_password_change;
602
603         (*server_info)->logon_count = base->logon_count;
604         (*server_info)->bad_password_count = base->bad_password_count;
605
606         (*server_info)->acct_flags = base->acct_flags;
607
608         /* ensure we are never given NULL session keys */
609         
610         if (all_zero(base->key.key, sizeof(base->key.key))) {
611                 (*server_info)->user_session_key = data_blob(NULL, 0);
612         } else {
613                 (*server_info)->user_session_key = data_blob_talloc((*server_info), base->key.key, sizeof(base->key.key));
614         }
615
616         if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
617                 (*server_info)->lm_session_key = data_blob(NULL, 0);
618         } else {
619                 (*server_info)->lm_session_key = data_blob_talloc((*server_info), base->LMSessKey.key, sizeof(base->LMSessKey.key));
620         }
621         return NT_STATUS_OK;
622 }
623
624 /***************************************************************************
625  Free a user_info struct
626 ***************************************************************************/
627
628 void free_user_info(struct auth_usersupplied_info **user_info)
629 {
630         DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
631         if (*user_info) {
632                 data_blob_clear(&(*user_info)->plaintext_password);
633         }
634
635         talloc_free(*user_info);
636         *user_info = NULL;
637 }
638
639 /***************************************************************************
640  Clear out a server_info struct that has been allocated
641 ***************************************************************************/
642
643 void free_server_info(struct auth_serversupplied_info **server_info)
644 {
645         DEBUG(5,("attempting to free a server_info structure\n"));
646         talloc_free(*server_info);
647         *server_info = NULL;
648 }
649
650 /***************************************************************************
651  Make an auth_methods struct
652 ***************************************************************************/
653
654 BOOL make_auth_methods(struct auth_context *auth_context, struct auth_methods **auth_method) 
655 {
656         if (!auth_context) {
657                 smb_panic("no auth_context supplied to make_auth_methods()!\n");
658         }
659
660         if (!auth_method) {
661                 smb_panic("make_auth_methods: pointer to auth_method pointer is NULL!\n");
662         }
663
664         *auth_method = talloc_p(auth_context, struct auth_methods);
665         if (!*auth_method) {
666                 return False;
667         }
668         ZERO_STRUCTP(*auth_method);
669         
670         return True;
671 }
672
673 NTSTATUS make_session_info(TALLOC_CTX *mem_ctx, 
674                            struct auth_serversupplied_info *server_info, 
675                            struct auth_session_info **session_info) 
676 {
677         NTSTATUS nt_status;
678
679         *session_info = talloc_p(mem_ctx, struct auth_session_info);
680         if (!*session_info) {
681                 return NT_STATUS_NO_MEMORY;
682         }
683         
684         (*session_info)->server_info = server_info;
685         talloc_reference(*session_info, (*session_info)->server_info);
686
687         /* unless set otherwise, the session key is the user session
688          * key from the auth subsystem */
689  
690         (*session_info)->session_key = server_info->user_session_key;
691
692         /* we should search for local groups here */
693         
694         nt_status = create_security_token((*session_info), 
695                                           server_info->user_sid, 
696                                           server_info->primary_group_sid, 
697                                           server_info->n_domain_groups, 
698                                           server_info->domain_groups,
699                                           False, 
700                                           &(*session_info)->security_token);
701         
702         return nt_status;
703 }
704
705 /***************************************************************************
706  Clear out a server_info struct that has been allocated
707 ***************************************************************************/
708
709 void free_session_info(struct auth_session_info **session_info)
710 {
711         DEBUG(5,("attempting to free a session_info structure\n"));
712         talloc_free((*session_info));
713         *session_info = NULL;
714 }
715
716 /**
717  * Squash an NT_STATUS in line with security requirements.
718  * In an attempt to avoid giving the whole game away when users
719  * are authenticating, NT replaces both NT_STATUS_NO_SUCH_USER and 
720  * NT_STATUS_WRONG_PASSWORD with NT_STATUS_LOGON_FAILURE in certain situations 
721  * (session setups in particular).
722  *
723  * @param nt_status NTSTATUS input for squashing.
724  * @return the 'squashed' nt_status
725  **/
726
727 NTSTATUS nt_status_squash(NTSTATUS nt_status)
728 {
729         if NT_STATUS_IS_OK(nt_status) {
730                 return nt_status;               
731         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
732                 /* Match WinXP and don't give the game away */
733                 return NT_STATUS_LOGON_FAILURE;
734                 
735         } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
736                 /* Match WinXP and don't give the game away */
737                 return NT_STATUS_LOGON_FAILURE;
738         } else {
739                 return nt_status;
740         }  
741 }
742
743
744