r4338: reuse netlogon structs in the krb5 PAC
authorStefan Metzmacher <metze@samba.org>
Thu, 23 Dec 2004 02:23:42 +0000 (02:23 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:07:36 +0000 (13:07 -0500)
that simplifies the code a lot...

also add a note: we should fail the krb5 auth if there's no
PAC present (when heimdal is ready for that:-)

metze
(This used to be commit 532641a7003d23b034a253d166482f18c2de6191)

source4/libcli/auth/gensec_krb5.c
source4/librpc/idl/krb5pac.idl

index 88e7cdd2e3191b3caf967487db01b0a6e11f8007..9323580e92ff091cf655181dc4f9dba109cc48a2 100644 (file)
@@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx,
                return status;
        }
 #endif
-       DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string));
+       DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string));
        *logon_info_out = logon_info;
 
        return status;
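Review bot: The changed DEBUG call on the `+` line logs the PAC's account name and full name at level 0, which Samba emits unconditionally, so every Kerberos logon that carries a PAC writes user identity data to the log; a higher level such as `DEBUG(5,("account_name: %s [%s]\n", ...))` keeps it out of production logs while still being available when debugging PAC decoding. Either `.string` pointer may also be NULL when the corresponding PAC field is absent, and whether Samba's DEBUG formatter tolerates `%s` with a NULL argument is not visible here, so guarding with `? : "(null)"` before printing is cheap insurance. gensec_krb5_decode_pac starts before this hunk and the `#ifdef` block that precedes the DEBUG is cut off, so I cannot tell what validation the PAC has already passed at this point.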
@@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
        struct auth_serversupplied_info *server_info = NULL;
        struct auth_session_info *session_info = NULL;
        struct PAC_LOGON_INFO *logon_info;
-       struct security_token *ptoken;
-       struct dom_sid *sid;
        char *p;
        char *principal;
        const char *username;
@@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 
        /* IF we have the PAC - otherwise we need to get this
         * data from elsewere - local ldb, or (TODO) lookup of some
-        * kind... */
+        * kind... 
+        *
+        * when heimdal can generate the PAC, we should fail if there's
+        * no PAC present
+        */
 
        if (NT_STATUS_IS_OK(nt_status)) {
-               nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal);
+               union netr_Validation validation;
+               validation.sam3 = &logon_info->info3;
+               nt_status = make_server_info_netlogon_validation(gensec_krb5_state, 
+                                                                username, 
+                                                                &server_info,
+                                                                3,
+                                                                &validation); 
                if (!NT_STATUS_IS_OK(nt_status)) {
                        return nt_status;
                }
-               
-               server_info->guest = False;
-
-               if (logon_info->account_name.string) {
-                       server_info->account_name
-                               = talloc_reference(server_info, 
-                                                  logon_info->account_name.string);
-               } else {
-                       server_info->account_name = talloc_strdup(server_info, username);
-               }
-
-               server_info->domain = talloc_reference(server_info, 
-                                                      logon_info->dom_name.string);
-               server_info->realm = talloc_strdup(server_info, realm);
-               server_info->full_name = talloc_reference(server_info, 
-                                                         logon_info->full_name.string);
-               server_info->logon_script = talloc_reference(server_info, 
-                                                            logon_info->logon_script.string);
-               server_info->profile_path = talloc_reference(server_info, 
-                                                            logon_info->profile_path.string);
-               server_info->home_directory = talloc_reference(server_info, 
-                                                              logon_info->home_directory.string);
-               server_info->home_drive = talloc_reference(server_info, 
-                                                          logon_info->home_drive.string);
-               
-               server_info->logon_count = logon_info->logon_count;
-               /* TODO: bad password count */
-
-               server_info->acct_flags = logon_info->acct_flags;
-
-               if (!server_info->domain || !server_info->account_name || !server_info->realm) {
-                       free_server_info(&server_info);
-                       return NT_STATUS_NO_MEMORY;
-               }
-               
-               /* references the server_info into the session_info */
-               nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       free_server_info(&server_info);
-                       return nt_status;
-               }
-
-               talloc_free(server_info);
-
-               ptoken = security_token_initialise(session_info);
-               if (ptoken == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-               
-               ptoken->num_sids = 0;           
-               ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, 
-                                             logon_info->groups_count + 2);
-               if (!ptoken->sids) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-               
-               
-               sid = dom_sid_dup(server_info, logon_info->dom_sid);
-               server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid);
-               sid = dom_sid_dup(server_info, logon_info->dom_sid);
-               server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid);
-
-               ptoken->user_sid = server_info->user_sid;
-               ptoken->group_sid = server_info->primary_group_sid;
-               ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid);
-               ptoken->num_sids++;
-               ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid);
-               ptoken->num_sids++;
-
-               for (;ptoken->num_sids < (logon_info->groups_count + 2); 
-                    ptoken->num_sids++) {
-                       sid = dom_sid_dup(session_info, logon_info->dom_sid);
-                       ptoken->sids[ptoken->num_sids]
-                               = dom_sid_add_rid(session_info, sid, 
-                                                 logon_info->groups[ptoken->num_sids - 2].rid);
-               }
-
-               /* setup any privileges for this token */
-               nt_status = samdb_privilege_setup(ptoken);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(ptoken);
-                       return nt_status;
-               }
-               
-               debug_security_token(DBGC_AUTH, 0, ptoken);
-               
-               session_info->security_token = ptoken;
        } else {
-               TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm);
-               if (!mem_ctx) {
-                       return NT_STATUS_NO_MEMORY;
-               }
                nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info);
                if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(mem_ctx);
-                       return nt_status;
-               }
-
-               /* references the server_info into the session_info */
-               nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(mem_ctx);
                        return nt_status;
                }
+       }
 
-               talloc_free(mem_ctx);
+       /* references the server_info into the session_info */
+       nt_status = make_session_info(gensec_krb5_state, server_info, &session_info);
+       talloc_free(server_info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               return nt_status;
        }
 
        talloc_free(principal);
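Review bot: In the PAC branch (the `union netr_Validation` lines) `logon_info->info3` becomes the authoritative identity handed to make_server_info_netlogon_validation, but nothing in the hunk checks that its account name and domain agree with the `username` and `realm` derived from the ticket principal, which is exactly what the PAC-less branch keys its sam_get_server_info lookup on; unless the helper performs that comparison internally (not visible here), a mismatch would silently yield a session for whatever identity the PAC names, so a comparison of `logon_info->info3.base.account_name.string` against `username` with a `NT_STATUS_LOGON_FAILURE` return on mismatch belongs before the call. The literal `3` in that call deserves a short comment, e.g. `3, /* validation level 3: netr_SamInfo3 */`, since the level selects which union member is read. The two early `return nt_status;` paths skip the `talloc_free(principal);` at the end of the hunk, which is only harmless if `principal` is allocated under `gensec_krb5_state`; its allocation is outside the hunk, so that is worth confirming. gensec_krb5_session_info starts before and continues after this hunk.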
index 6efd8526b2e89a26aba185ca195f67f5ed18b0fb..c424f09b7882903348be163109dbf40efc726842 100644 (file)
@@ -8,84 +8,26 @@
   uuid("46746756-7567-7567-5677-756756756756"),
   version(0.0),
   pointer_default(unique),
-  depends(security)
+  depends(security,netlogon)
 ]
 interface krb5pac
 {
        typedef struct {
                NTTIME logon_time;
                [flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name;
-       } UNKNOWN_TYPE_10;
+       } PAC_UNKNOWN_10;
 
        typedef [flag(NDR_PAHEX)] struct {
                uint32 type;
                uint8 signature[16];
        } PAC_SIGNATURE_DATA;
 
-       typedef struct {
-               uint32 rid;
-               uint32 attrs;
-       } GROUP_MEMBERSHIP;
-
-       typedef struct {
-               dom_sid2 *sid;
-               uint32 attrs;
-       } EXTRA_SIDS;
-
-       typedef struct {
-               [value(strlen_m(r->string)*2)]  uint16 size;
-               [value(r->size)]                uint16 length;
-               unistr_noterm                   *string;
-       } pac_String;
-
-       /* This is awfully similar to a samr_user_info_23, but not identical.
-          Many of the field names have been swiped from there, because it is
-          so similar that they are likely the same, but many have been verified.
-          Some are in a different order, though... */
        typedef struct {
                uint32 unknown[5];
-               NTTIME logon_time;            /* logon time */
-               NTTIME logoff_time;           /* logoff time */
-               NTTIME kickoff_time;          /* kickoff time */
-               NTTIME pass_last_set_time;    /* password last set time */
-               NTTIME pass_can_change_time;  /* password can change time */
-               NTTIME pass_must_change_time; /* password must change time */
-
-               pac_String account_name;
-               pac_String full_name;
-               pac_String logon_script;
-               pac_String profile_path;
-               pac_String home_directory;
-               pac_String home_drive;
-
-               uint16 logon_count; /* number of times user has logged onto domain */
-               uint16 reserved12;
-
-               uint32 user_rid;
-               uint32 group_rid;
-
-               uint32 groups_count;
-               [size_is(groups_count)] GROUP_MEMBERSHIP *groups;
-
-               uint32 user_flags;
-
-               uint32 reserved13[4];
-               pac_String dom_controller;
-               pac_String dom_name;
-
-               dom_sid2 *dom_sid;
-
-               uint32 reserved16[2];
-               uint32 acct_flags;      /* looks like it may be acb_info */
-               uint32 reserved18[7];
-
-               uint32 extra_sids_count;
-               [size_is(extra_sids_count)] EXTRA_SIDS *extra_sids;
-
+               netr_SamInfo3 info3;
                dom_sid2 *res_group_dom_sid;
-
                uint32 res_groups_count;
-               [size_is(res_groups_count)] GROUP_MEMBERSHIP *res_groups;
+               [size_is(res_groups_count)] netr_GroupMembership *res_groups;
        } PAC_LOGON_INFO;
 
        const uint8 PAC_TYPE_LOGON_INFO = 1;
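Review bot: The rewritten PAC_LOGON_INFO drops the comment that explained its layout, and the new `netr_SamInfo3 info3;` member now carries the whole validation payload without saying so; a reader of the IDL is also left with no hint about the `uint32 unknown[5]` that precedes it or that `res_group_dom_sid` and `res_groups` are resource-group data appended after the SamInfo3. Suggest a comment above the struct along the lines of `/* PAC logon info: a netr_SamInfo3 (netlogon validation level 3) followed by the resource-group domain SID and its membership list; unknown[5] is not yet understood */`. Since `res_groups_count` is taken straight from the ticket, the generated pull code is the only bound on the `res_groups` allocation; how pidl enforces `size_is` against the remaining buffer is not visible here, so treat that as something to confirm rather than a defect in this change.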
@@ -97,7 +39,7 @@ interface krb5pac
                [case(PAC_TYPE_LOGON_INFO)]     PAC_LOGON_INFO logon_info;
                [case(PAC_TYPE_SRV_CHECKSUM)]   PAC_SIGNATURE_DATA srv_cksum;
                [case(PAC_TYPE_KDC_CHECKSUM)]   PAC_SIGNATURE_DATA kdc_cksum;
-               [case(PAC_TYPE_UNKNOWN_10)]     UNKNOWN_TYPE_10 type_10;
+               [case(PAC_TYPE_UNKNOWN_10)]     PAC_UNKNOWN_10 type_10;
        } PAC_INFO;
 
        typedef struct {