struct auth_check_password_request;
struct auth_context;
struct auth_session_info;
+struct ldb_dn;
struct auth_operations {
const char *name;
NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
const char *principal,
+ struct ldb_dn *user_dn,
struct auth_serversupplied_info **server_info);
};
NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- const char *principal,
- struct auth_serversupplied_info **server_info);
+ struct auth_context *auth_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ struct auth_serversupplied_info **server_info);
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct ldb_message;
struct ldb_context;
-struct ldb_dn;
struct gensec_security;
NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8]);
struct tevent_context *ev,
struct messaging_context *msg,
struct loadparm_context *lp_ctx,
+ struct ldb_context *sam_ctx,
struct auth_context **auth_ctx);
NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
struct messaging_context *msg,
struct loadparm_context *lp_ctx,
struct auth_context **auth_ctx);
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx);
NTSTATUS auth_check_password(struct auth_context *auth_ctx,
TALLOC_CTX *mem_ctx,
NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
struct auth_context *auth_ctx,
const char *principal,
+ struct ldb_dn *user_dn,
struct auth_serversupplied_info **server_info);
NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
+ NULL,
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
gensec_security->auth_context,
principal_string,
- &server_info);
+ NULL, &server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
/****************************************************************************
- Try to get a challenge out of the various authentication modules.
- Returns a const char of length 8 bytes.
+Used in the gensec_gssapi and gensec_krb5 server-side code, where the
+PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
****************************************************************************/
_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_ctx,
- const char *principal,
- struct auth_serversupplied_info **server_info)
+ struct auth_context *auth_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
struct auth_method_context *method;
continue;
}
- nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info);
+ nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
/***************************************************************************
Make a auth_info struct for the auth subsystem
- - Allow the caller to specify the methods to use
+ - Allow the caller to specify the methods to use, including optionally the SAM to use
***************************************************************************/
_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
- struct tevent_context *ev,
- struct messaging_context *msg,
- struct loadparm_context *lp_ctx,
- struct auth_context **auth_ctx)
+ struct tevent_context *ev,
+ struct messaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct ldb_context *sam_ctx,
+ struct auth_context **auth_ctx)
{
int i;
struct auth_context *ctx;
ctx->msg_ctx = msg;
ctx->lp_ctx = lp_ctx;
- ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+ if (sam_ctx) {
+ ctx->sam_ctx = sam_ctx;
+ } else {
+ ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+ }
for (i=0; methods[i] ; i++) {
struct auth_method_context *method;
return NT_STATUS_OK;
}
-/***************************************************************************
- Make a auth_info struct for the auth subsystem
- - Uses default auth_methods, depending on server role and smb.conf settings
-***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- struct messaging_context *msg,
- struct loadparm_context *lp_ctx,
- struct auth_context **auth_ctx)
+
+static const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
{
const char **auth_methods = NULL;
switch (lp_server_role(lp_ctx)) {
auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
break;
}
- return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, auth_ctx);
+ return auth_methods;
}
+/***************************************************************************
+ Make a auth_info struct for the auth subsystem
+ - Uses default auth_methods, depending on server role and smb.conf settings
+***************************************************************************/
+_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct messaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct auth_context **auth_ctx)
+{
+ NTSTATUS status;
+ const char **auth_methods;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+ if (!auth_methods) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx);
+ talloc_free(tmp_ctx);
+ return status;
+}
+
+/* Create an auth context from an open LDB.
+
+ This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
+
+ */
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx)
+{
+ NTSTATUS status;
+ const char **auth_methods;
+ struct loadparm_context *lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
+ struct tevent_context *ev = ldb_get_event_context(ldb);
+
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+ if (!auth_methods) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ status = auth_context_create_methods(mem_ctx, auth_methods, ev, NULL, lp_ctx, ldb, auth_ctx);
+ talloc_free(tmp_ctx);
+ return status;
+}
/* the list of currently registered AUTH backends */
static struct auth_backend {
#include "system/time.h"
#include "lib/ldb/include/ldb.h"
#include "../lib/util/util_ldb.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/security.h"
#include "auth/auth.h"
#include "../libcli/auth/ntlm_check.h"
#include "auth/ntlm/auth_proto.h"
}
-/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
+*/
NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
const char *principal,
+ struct ldb_dn *user_dn,
struct auth_serversupplied_info **server_info)
{
NTSTATUS nt_status;
DATA_BLOB lm_sess_key = data_blob(NULL, 0);
struct ldb_message *msg;
- struct ldb_context *sam_ctx;
struct ldb_dn *domain_dn;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
return NT_STATUS_NO_MEMORY;
}
- sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx,
- system_session(auth_context->lp_ctx));
- if (sam_ctx == NULL) {
- talloc_free(tmp_ctx);
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
- }
+ if (principal) {
+ nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal,
+ user_attrs, &domain_dn, &msg);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(tmp_ctx);
+ return nt_status;
+ }
+ } else if (user_dn) {
+ struct dom_sid *user_sid, *domain_sid;
+ int ret;
+ /* pull the user attributes */
+ ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn,
+ LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+ if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_SUCH_USER;
+ } else if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
- nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal,
- user_attrs, &domain_dn, &msg);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(tmp_ctx);
- return nt_status;
+ user_sid = samdb_result_dom_sid(msg, msg, "objectSid");
+
+ nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL,
+ "(&(objectSid=%s)(objectClass=domain))",
+ ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
+ if (!domain_dn) {
+ DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
+ dom_sid_string(tmp_ctx, domain_sid)));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
}
- nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
+ nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx,
lp_netbios_name(auth_context->lp_ctx),
lp_workgroup(auth_context->lp_ctx),
domain_dn,
[MODULE::ldb_operational]
SUBSYSTEM = LIBLDB
CFLAGS = -Ilib/ldb/include
-PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam
+PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_session auth
INIT_FUNCTION = LDB_MODULE(operational)
# End MODULE ldb_operational
################################################
construct a canonical name from a message
*/
static int construct_canonical_name(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg, enum ldb_scope scope)
{
char *canonicalName;
canonicalName = ldb_dn_canonical_string(msg, msg->dn);
construct a primary group token for groups from a message
*/
static int construct_primary_group_token(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg, enum ldb_scope scope)
{
struct ldb_context *ldb;
uint32_t primary_group_token;
construct the token groups for SAM objects from a message
*/
static int construct_token_groups(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg, enum ldb_scope scope)
{
-#if 0
- struct ldb_context *ldb;
- const struct dom_sid *sid;
+ struct ldb_context *ldb = ldb_module_get_ctx(module);;
+ struct auth_context *auth_context;
+ struct auth_serversupplied_info *server_info;
+ struct auth_session_info *session_info;
+ TALLOC_CTX *tmp_ctx = talloc_new(msg);
+ uint32_t i;
+ int ret;
- ldb = ldb_module_get_ctx(module);
+ NTSTATUS status;
- sid = samdb_result_dom_sid(msg, msg, "objectSid");
- if (sid != NULL) {
- NTSTATUS status;
- uint32_t prim_group_rid;
- struct dom_sid **sids = NULL;
- unsigned int i, num_sids = 0;
- int ret;
-
- prim_group_rid = samdb_result_uint(msg, "primaryGroupID", 0);
- if (prim_group_rid != 0) {
- struct dom_sid *prim_group_sid;
-
- prim_group_sid = dom_sid_add_rid(msg,
- samdb_domain_sid(ldb),
- prim_group_rid);
- if (prim_group_sid == NULL) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
- }
-
- /* onlyChilds = false, we want to consider also the
- * "primaryGroupID" for membership */
- status = authsam_expand_nested_groups(ldb,
- prim_group_sid,
- false, msg,
- &sids, &num_sids);
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
- }
- if (!NT_STATUS_IS_OK(status)) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ if (scope != LDB_SCOPE_BASE) {
+ ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, this is not a BASE search");
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- for (i = 0; i < num_sids; i++) {
- ret = samdb_msg_add_dom_sid(ldb, msg, msg,
- "tokenGroups",
- sids[i]);
- if (ret != LDB_SUCCESS) {
- talloc_free(sids);
- return ret;
- }
- }
+ status = auth_context_create_from_ldb(tmp_ctx, ldb, &auth_context);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ talloc_free(tmp_ctx);
+ ldb_module_oom(module);
+ return LDB_ERR_OPERATIONS_ERROR;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- talloc_free(sids);
- }
+ status = auth_get_server_info_principal(tmp_ctx, auth_context, NULL, msg->dn, &server_info);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ talloc_free(tmp_ctx);
+ ldb_module_oom(module);
+ return LDB_ERR_OPERATIONS_ERROR;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- sids = NULL;
- num_sids = 0;
+ status = auth_generate_session_info(tmp_ctx, auth_context, server_info, &session_info);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+ talloc_free(tmp_ctx);
+ ldb_module_oom(module);
+ return LDB_ERR_OPERATIONS_ERROR;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
- /* onlyChils = true, we don't want to have the SAM object itself
- * in the result */
- status = authsam_expand_nested_groups(ldb, sid, true, msg,
- &sids, &num_sids);
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
- ldb_oom(ldb);
- return LDB_ERR_OPERATIONS_ERROR;
- }
- if (!NT_STATUS_IS_OK(status)) {
- return LDB_ERR_OPERATIONS_ERROR;
- }
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg,
+ "tokenGroups",
+ session_info->security_token->group_sid);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
- for (i = 0; i < num_sids; i++) {
- ret = samdb_msg_add_dom_sid(ldb, msg, msg,
- "tokenGroups", sids[i]);
- if (ret != LDB_SUCCESS) {
- talloc_free(sids);
- return ret;
- }
+ for (i = 0; i < session_info->security_token->num_sids; i++) {
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg,
+ "tokenGroups",
+ session_info->security_token->sids[i]);
+ if (ret != LDB_SUCCESS) {
+ talloc_free(tmp_ctx);
+ return ret;
}
-
- talloc_free(sids);
}
-#endif
+
return LDB_SUCCESS;
}
construct the parent GUID for an entry from a message
*/
static int construct_parent_guid(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg, enum ldb_scope scope)
{
struct ldb_result *res;
const struct ldb_val *parent_guid;
construct a subSchemaSubEntry
*/
static int construct_subschema_subentry(struct ldb_module *module,
- struct ldb_message *msg)
+ struct ldb_message *msg, enum ldb_scope scope)
{
struct operational_data *data = talloc_get_type(ldb_module_get_private(module), struct operational_data);
char *subSchemaSubEntry;
const char *attr;
const char *replace;
const char *extra_attr;
- int (*constructor)(struct ldb_module *, struct ldb_message *);
+ int (*constructor)(struct ldb_module *, struct ldb_message *, enum ldb_scope);
} search_sub[] = {
{ "createTimestamp", "whenCreated", NULL , NULL },
{ "modifyTimestamp", "whenChanged", NULL , NULL },
{ "structuralObjectClass", "objectClass", NULL , NULL },
{ "canonicalName", "distinguishedName", NULL , construct_canonical_name },
{ "primaryGroupToken", "objectClass", "objectSid", construct_primary_group_token },
- { "tokenGroups", "objectSid", "primaryGroupID", construct_token_groups },
+ { "tokenGroups", "objectClass", NULL, construct_token_groups },
{ "parentGUID", NULL, NULL, construct_parent_guid },
{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
{ "msDS-isRODC", "objectClass", "objectCategory", construct_msds_isrodc },
*/
static int operational_search_post_process(struct ldb_module *module,
struct ldb_message *msg,
+ enum ldb_scope scope,
const char * const *attrs_from_user,
const char * const *attrs_searched_for,
bool sd_flags_set)
constructor or a simple copy */
constructed_attributes = true;
if (search_sub[i].constructor != NULL) {
- if (search_sub[i].constructor(module, msg) != LDB_SUCCESS) {
+ if (search_sub[i].constructor(module, msg, scope) != LDB_SUCCESS) {
goto failed;
}
} else if (ldb_msg_copy_attr(msg,
struct operational_context {
struct ldb_module *module;
struct ldb_request *req;
-
+ enum ldb_scope scope;
const char * const *attrs;
bool sd_flags_set;
};
attributes that have been asked for */
ret = operational_search_post_process(ac->module,
ares->message,
+ ac->scope,
ac->attrs,
req->op.search.attrs,
ac->sd_flags_set);
ac->module = module;
ac->req = req;
+ ac->scope = req->op.search.scope;
ac->attrs = req->op.search.attrs;
/* FIXME: We must copy the tree and keep the original
source='operational.c',
subsystem='LIBLDB',
init_function='LDB_MODULE(operational)',
- deps='talloc tevent LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam'
+ deps='talloc tevent LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth'
)
ev,
msg,
lp_ctx,
+ NULL,
&auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {