static void tstream_npa_connect_unix_done(struct tevent_req *subreq);
struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *directory,
- const char *npipe,
- const struct tsocket_address *client,
- const char *client_name_in,
- const struct tsocket_address *server,
- const char *server_name,
- const struct netr_SamInfo3 *sam_info3,
- DATA_BLOB session_key,
- DATA_BLOB delegated_creds)
+ struct tevent_context *ev,
+ const char *directory,
+ const char *npipe,
+ const struct tsocket_address *client,
+ const char *client_name_in,
+ const struct tsocket_address *server,
+ const char *server_name,
+ const struct auth_session_info_transport *session_info)
{
struct tevent_req *req;
struct tstream_npa_connect_state *state;
int ret;
enum ndr_err_code ndr_err;
char *lower_case_npipe;
- struct named_pipe_auth_req_info3 *info3;
+ struct named_pipe_auth_req_info4 *info4;
req = tevent_req_create(mem_ctx, &state,
struct tstream_npa_connect_state);
goto post;
}
- state->auth_req.level = 3;
- info3 = &state->auth_req.info.info3;
+ state->auth_req.level = 4;
+ info4 = &state->auth_req.info.info4;
- info3->client_name = client_name_in;
- info3->client_addr = tsocket_address_inet_addr_string(client, state);
- if (!info3->client_addr) {
+ info4->client_name = client_name_in;
+ info4->client_addr = tsocket_address_inet_addr_string(client, state);
+ if (!info4->client_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info3->client_port = tsocket_address_inet_port(client);
- if (!info3->client_name) {
- info3->client_name = info3->client_addr;
+ info4->client_port = tsocket_address_inet_port(client);
+ if (!info4->client_name) {
+ info4->client_name = info4->client_addr;
}
- info3->server_addr = tsocket_address_inet_addr_string(server, state);
- if (!info3->server_addr) {
+ info4->server_addr = tsocket_address_inet_addr_string(server, state);
+ if (!info4->server_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info3->server_port = tsocket_address_inet_port(server);
- if (!info3->server_name) {
- info3->server_name = info3->server_addr;
+ info4->server_port = tsocket_address_inet_port(server);
+ if (!info4->server_name) {
+ info4->server_name = info4->server_addr;
}
- info3->sam_info3 = discard_const_p(struct netr_SamInfo3, sam_info3);
- info3->session_key_length = session_key.length;
- info3->session_key = session_key.data;
- info3->gssapi_delegated_creds_length = delegated_creds.length;
- info3->gssapi_delegated_creds = delegated_creds.data;
+ info4->session_info = discard_const_p(struct auth_session_info_transport, session_info);
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req);
npas->unix_stream = talloc_move(stream, &state->unix_stream);
switch (state->auth_rep.level) {
- case 3:
- npas->file_type = state->auth_rep.info.info3.file_type;
- device_state = state->auth_rep.info.info3.device_state;
- allocation_size = state->auth_rep.info.info3.allocation_size;
+ case 4:
+ npas->file_type = state->auth_rep.info.info4.file_type;
+ device_state = state->auth_rep.info.info4.device_state;
+ allocation_size = state->auth_rep.info.info4.allocation_size;
break;
}
char *client_name;
struct tsocket_address *server;
char *server_name;
- struct netr_SamInfo3 *info3;
- DATA_BLOB session_key;
- DATA_BLOB delegated_creds;
+ struct auth_session_info_transport *session_info;
};
static int tstream_npa_accept_next_vector(struct tstream_context *unix_stream,
tevent_req_data(req, struct tstream_npa_accept_state);
struct named_pipe_auth_req *pipe_request;
struct named_pipe_auth_rep pipe_reply;
- struct named_pipe_auth_req_info3 i3;
+ struct named_pipe_auth_req_info4 i4;
enum ndr_err_code ndr_err;
DATA_BLOB out;
int sys_errno;
NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request);
}
- ZERO_STRUCT(i3);
+ ZERO_STRUCT(i4);
- if (pipe_request->level != 3) {
+ if (pipe_request->level != 4) {
DEBUG(0, ("Unknown level %u\n", pipe_request->level));
pipe_reply.level = 0;
pipe_reply.status = NT_STATUS_INVALID_LEVEL;
goto reply;
}
- pipe_reply.level = 3;
+ pipe_reply.level = 4;
pipe_reply.status = NT_STATUS_OK;
- pipe_reply.info.info3.file_type = state->file_type;
- pipe_reply.info.info3.device_state = state->device_state;
- pipe_reply.info.info3.allocation_size = state->alloc_size;
+ pipe_reply.info.info4.file_type = state->file_type;
+ pipe_reply.info.info4.device_state = state->device_state;
+ pipe_reply.info.info4.allocation_size = state->alloc_size;
- i3 = pipe_request->info.info3;
- if (i3.server_addr == NULL) {
+ i4 = pipe_request->info.info4;
+ if (i4.server_addr == NULL) {
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
DEBUG(2, ("Missing server address\n"));
goto reply;
}
- if (i3.client_addr == NULL) {
+ if (i4.client_addr == NULL) {
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
DEBUG(2, ("Missing client address\n"));
goto reply;
}
state->server_name = discard_const_p(char,
- talloc_move(state, &i3.server_name));
+ talloc_move(state, &i4.server_name));
ret = tsocket_address_inet_from_strings(state, "ip",
- i3.server_addr,
- i3.server_port,
+ i4.server_addr,
+ i4.server_port,
&state->server);
if (ret != 0) {
DEBUG(2, ("Invalid server address[%s:%u] - %s\n",
- i3.server_addr, i3.server_port,
+ i4.server_addr, i4.server_port,
strerror(errno)));
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
goto reply;
}
state->client_name = discard_const_p(char,
- talloc_move(state, &i3.client_name));
+ talloc_move(state, &i4.client_name));
ret = tsocket_address_inet_from_strings(state, "ip",
- i3.client_addr,
- i3.client_port,
+ i4.client_addr,
+ i4.client_port,
&state->client);
if (ret != 0) {
DEBUG(2, ("Invalid server address[%s:%u] - %s\n",
- i3.client_addr, i3.client_port,
+ i4.client_addr, i4.client_port,
strerror(errno)));
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
goto reply;
}
- state->info3 = talloc_move(state, &i3.sam_info3);
- state->session_key.data = talloc_move(state, &i3.session_key);
- state->session_key.length = i3.session_key_length;
-
- state->delegated_creds.data =
- talloc_move(state, &i3.gssapi_delegated_creds);
- state->delegated_creds.length =
- i3.gssapi_delegated_creds_length;
-
+ state->session_info = talloc_move(state, &i4.session_info);
reply:
/* create the output */
ndr_err = ndr_push_struct_blob(&out, state, &pipe_reply,
char **_client_name,
struct tsocket_address **server,
char **server_name,
- struct netr_SamInfo3 **info3,
- DATA_BLOB *session_key,
- DATA_BLOB *delegated_creds,
+ struct auth_session_info_transport **session_info,
const char *location)
{
struct tstream_npa_accept_state *state =
*_client_name = talloc_move(mem_ctx, &state->client_name);
*server = talloc_move(mem_ctx, &state->server);
*server_name = talloc_move(mem_ctx, &state->server_name);
- *info3 = talloc_move(mem_ctx, &state->info3);
- *session_key = state->session_key;
- talloc_steal(mem_ctx, state->session_key.data);
- *delegated_creds = state->delegated_creds;
- talloc_steal(mem_ctx, state->delegated_creds.data);
+ *session_info = talloc_move(mem_ctx, &state->session_info);
tevent_req_received(req);
return 0;
struct tevent_req;
struct tevent_context;
-struct netr_SamInfo3;
+struct auth_session_info_transport;
struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
- struct tevent_context *ev,
- const char *directory,
- const char *npipe,
- const struct tsocket_address *client,
- const char *client_name_in,
- const struct tsocket_address *server,
- const char *server_name,
- const struct netr_SamInfo3 *info3,
- DATA_BLOB session_key,
- DATA_BLOB delegated_creds);
+ struct tevent_context *ev,
+ const char *directory,
+ const char *npipe,
+ const struct tsocket_address *client,
+ const char *client_name_in,
+ const struct tsocket_address *server,
+ const char *server_name,
+ const struct auth_session_info_transport *session_info);
int _tstream_npa_connect_recv(struct tevent_req *req,
int *perrno,
TALLOC_CTX *mem_ctx,
TALLOC_CTX *mem_ctx,
struct tstream_context **stream,
struct tsocket_address **client,
- char **client_name,
+ char **_client_name,
struct tsocket_address **server,
char **server_name,
- struct netr_SamInfo3 **info3,
- DATA_BLOB *session_key,
- DATA_BLOB *delegated_creds,
+ struct auth_session_info_transport **session_info,
const char *location);
#define tstream_npa_accept_existing_recv(req, perrno, \
mem_ctx, stream, \
client, client_name, \
server, server_name, \
- info3, session_key, \
- delegated_creds) \
+ session_info) \
_tstream_npa_accept_existing_recv(req, perrno, \
mem_ctx, stream, \
client, client_name, \
server, server_name, \
- info3, session_key, \
- delegated_creds, \
+ session_info, \
__location__)
#endif /* NPA_TSTREAM_H */
miscellaneous IDL structures
*/
-import "netlogon.idl";
+import "netlogon.idl", "security.idl", "auth.idl";
[
pointer_default(unique)
[charset(UTF8),string] uint8 *server_name;
[charset(DOS),string] uint8 *server_addr;
uint16 server_port;
- netr_SamInfo3 *sam_info3;
- uint32 session_key_length;
- [size_is(session_key_length)] uint8 *session_key;
- uint32 gssapi_delegated_creds_length;
- [size_is(gssapi_delegated_creds_length)]
- uint8 *gssapi_delegated_creds;
- } named_pipe_auth_req_info3;
+ auth_session_info_transport *session_info;
+ } named_pipe_auth_req_info4;
typedef [switch_type(uint32)] union {
- [case(3)] named_pipe_auth_req_info3 info3;
+ [case(4)] named_pipe_auth_req_info4 info4;
} named_pipe_auth_req_info;
typedef [public,gensize] struct {
uint16 file_type;
uint16 device_state;
hyper allocation_size;
- } named_pipe_auth_rep_info3;
+ } named_pipe_auth_rep_info4;
typedef [switch_type(uint32)] union {
- [case(3)] named_pipe_auth_rep_info3 info3;
+ [case(4)] named_pipe_auth_rep_info4 info4;
} named_pipe_auth_rep_info;
typedef [public,gensize] struct {
public_deps='ndr'
)
+bld.SAMBA_SUBSYSTEM('NDR_AUTH',
+ source='gen_ndr/ndr_auth.c',
+ public_deps='ndr NDR_SECURITY'
+ )
+
bld.SAMBA_SUBSYSTEM('NDR_NAMED_PIPE_AUTH',
source='gen_ndr/ndr_named_pipe_auth.c',
- public_deps='ndr'
+ public_deps='ndr NDR_AUTH'
)
bld.SAMBA_SUBSYSTEM('NDR_DNSSERVER',
$(LIB_EVENTLOG_OBJ) librpc/gen_ndr/srv_eventlog.o
NPA_TSTREAM_OBJ = ../libcli/named_pipe_auth/npa_tstream.o \
- librpc/gen_ndr/ndr_named_pipe_auth.o
+ librpc/gen_ndr/ndr_named_pipe_auth.o \
+ ../auth/auth_sam_reply.o librpc/gen_ndr/ndr_auth.o
RPC_NCACN_NP = rpc_server/srv_pipe_register.o rpc_server/rpc_ncacn_np.o \
rpc_server/rpc_handles.o
#include "../libcli/named_pipe_auth/npa_tstream.h"
#include "rpc_server/rpc_ncacn_np.h"
#include "librpc/gen_ndr/netlogon.h"
+#include "librpc/gen_ndr/auth.h"
+#include "../auth/auth_sam_reply.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
const char *socket_dir;
struct tevent_context *ev;
struct tevent_req *subreq;
- struct netr_SamInfo3 *info3;
+ struct auth_session_info_transport *session_info;
+ struct auth_user_info_dc *user_info_dc;
+ union netr_Validation val;
NTSTATUS status;
bool ok;
int ret;
goto fail;
}
- info3 = talloc_zero(talloc_tos(), struct netr_SamInfo3);
- if (info3 == NULL) {
+ session_info = talloc_zero(talloc_tos(), struct auth_session_info_transport);
+ if (session_info == NULL) {
DEBUG(0, ("talloc failed\n"));
goto fail;
}
- status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3);
+ /* Send the named_pipe_auth server the user's full token */
+ session_info->security_token = server_info->ptok;
+ session_info->session_key = server_info->user_session_key;
+
+ val.sam3 = server_info->info3;
+
+ /* Convert into something we can build a struct
+ * auth_session_info_transport from. Most of the work here
+ * will be to convert the SIDS, which we will then ignore, but
+ * this is the easier way to handle it */
+ status = make_user_info_dc_netlogon_validation(talloc_tos(), "", 3, &val, &user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
- TALLOC_FREE(info3);
- DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
- nt_errstr(status)));
+ DEBUG(0, ("conversion of info3 into user_info_dc failed!\n"));
goto fail;
}
+ session_info->info = talloc_move(session_info, &user_info_dc->info);
+ talloc_free(user_info_dc);
+
become_root();
subreq = tstream_npa_connect_send(talloc_tos(), ev,
socket_np_dir,
NULL, /* client_name */
local_address, /* server_addr */
NULL, /* server_name */
- info3,
- server_info->user_session_key,
- data_blob_null /* delegated_creds */);
+ session_info);
if (subreq == NULL) {
unbecome_root();
DEBUG(0, ("tstream_npa_connect_send to %s for pipe %s and "
"user %s\\%s failed\n",
- socket_np_dir, pipe_name, info3->base.domain.string,
- info3->base.account_name.string));
+ socket_np_dir, pipe_name, session_info->info->domain_name,
+ session_info->info->account_name));
goto fail;
}
ok = tevent_req_poll(subreq, ev);
if (!ok) {
DEBUG(0, ("tevent_req_poll to %s for pipe %s and user %s\\%s "
"failed for tstream_npa_connect: %s\n",
- socket_np_dir, pipe_name, info3->base.domain.string,
- info3->base.account_name.string,
+ socket_np_dir, pipe_name, session_info->info->domain_name,
+ session_info->info->account_name,
strerror(errno)));
goto fail;
if (ret != 0) {
DEBUG(0, ("tstream_npa_connect_recv to %s for pipe %s and "
"user %s\\%s failed: %s\n",
- socket_np_dir, pipe_name, info3->base.domain.string,
- info3->base.account_name.string,
+ socket_np_dir, pipe_name, session_info->info->domain_name,
+ session_info->info->account_name,
strerror(sys_errno)));
goto fail;
}
#include "rpc_server/rpc_server.h"
#include "rpc_dce.h"
#include "librpc/gen_ndr/netlogon.h"
+#include "librpc/gen_ndr/auth.h"
#include "registry/reg_parse_prs.h"
#include "lib/tsocket/tsocket.h"
#include "libcli/named_pipe_auth/npa_tstream.h"
+#include "../auth/auth_sam_reply.h"
/* Creates a pipes_struct and initializes it with the information
* sent from the client */
const char *pipe_name,
const struct ndr_syntax_id id,
const char *client_address,
- struct netr_SamInfo3 *info3,
+ struct auth_session_info_transport *session_info,
struct pipes_struct **_p,
int *perrno)
{
+ struct netr_SamInfo3 *info3;
+ struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
NTSTATUS status;
bool ok;
p->endian = RPC_LITTLE_ENDIAN;
+ /* Fake up an auth_user_info_dc for now, to make an info3, to make the server_info structure */
+ auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc);
+ if (!auth_user_info_dc) {
+ TALLOC_FREE(p);
+ *perrno = ENOMEM;
+ return -1;
+ }
+
+ auth_user_info_dc->num_sids = session_info->security_token->num_sids;
+ auth_user_info_dc->sids = session_info->security_token->sids;
+ auth_user_info_dc->info = session_info->info;
+ auth_user_info_dc->user_session_key = session_info->session_key;
+
+ /* This creates the input structure that make_server_info_info3 is looking for */
+ status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc,
+ &info3);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n"));
+ TALLOC_FREE(p);
+ *perrno = EINVAL;
+ return -1;
+ }
+
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
return -1;
}
+ /* Now override the server_info->ptok with the exact
+ * security_token we were given from the other side,
+ * regardless of what we just calculated */
+ p->server_info->ptok = talloc_move(p->server_info, &session_info->security_token);
+
+ /* Also set the session key to the correct value */
+ p->server_info->user_session_key = session_info->session_key;
+ p->server_info->user_session_key.data = talloc_move(p->server_info, &session_info->session_key.data);
+
p->client_id = talloc_zero(p, struct client_address);
if (!p->client_id) {
TALLOC_FREE(p);
char *client_name;
struct tsocket_address *server;
char *server_name;
- struct netr_SamInfo3 *info3;
- DATA_BLOB session_key;
- DATA_BLOB delegated_creds;
+ struct auth_session_info_transport *session_info;
struct pipes_struct *p;
&npc->client_name,
&npc->server,
&npc->server_name,
- &npc->info3,
- &npc->session_key,
- &npc->delegated_creds);
+ &npc->session_info);
TALLOC_FREE(subreq);
if (ret != 0) {
DEBUG(2, ("Failed to accept named pipe connection! (%s)\n",
ret = make_server_pipes_struct(npc,
npc->pipe_name, npc->pipe_id,
- cli_addr, npc->info3,
+ cli_addr, npc->session_info,
&npc->p, &error);
if (ret != 0) {
DEBUG(2, ("Failed to create pipes_struct! (%s)\n",
#include "includes.h"
#include "auth/auth.h"
#include "auth/auth_sam.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_krb5.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "dsdb/samdb/samdb.h"
#include "auth/session_proto.h"
+#include "system/kerberos.h"
+#include <gssapi/gssapi.h>
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
return NT_STATUS_OK;
}
+/* Create a session_info structure from the
+ * auth_session_info_transport we were forwarded over named pipe
+ * forwarding.
+ *
+ * NOTE: The stucture members of session_info_transport are stolen
+ * with talloc_move() into auth_session_info for long term use
+ */
+struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
+ struct auth_session_info_transport *session_info_transport,
+ struct loadparm_context *lp_ctx,
+ const char **reason)
+{
+ struct auth_session_info *session_info;
+ session_info = talloc_zero(mem_ctx, struct auth_session_info);
+ if (!session_info) {
+ *reason = "failed to allocate session_info";
+ return NULL;
+ }
+
+ session_info->security_token = talloc_move(session_info, &session_info_transport->security_token);
+ session_info->info = talloc_move(session_info, &session_info_transport->info);
+ session_info->session_key = session_info_transport->session_key;
+ session_info->session_key.data = talloc_move(session_info, &session_info_transport->session_key.data);
+
+ if (session_info_transport->exported_gssapi_credentials.length) {
+ struct cli_credentials *creds;
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+ gss_cred_id_t cred_handle;
+ const char *error_string;
+ int ret;
+
+ DEBUG(10, ("Delegated credentials supplied by client\n"));
+
+ cred_token.value = session_info_transport->exported_gssapi_credentials.data;
+ cred_token.length = session_info_transport->exported_gssapi_credentials.length;
+
+ ret = gss_import_cred(&minor_status,
+ &cred_token,
+ &cred_handle);
+ if (ret != GSS_S_COMPLETE) {
+ *reason = "Internal error in gss_import_cred()";
+ return NULL;
+ }
+
+ creds = cli_credentials_init(session_info);
+ if (!creds) {
+ *reason = "Out of memory in cli_credentials_init()";
+ return NULL;
+ }
+ session_info->credentials = creds;
+
+ cli_credentials_set_conf(creds, lp_ctx);
+ /* Just so we don't segfault trying to get at a username */
+ cli_credentials_set_anonymous(creds);
+
+ ret = cli_credentials_set_client_gss_creds(creds,
+ lp_ctx,
+ cred_handle,
+ CRED_SPECIFIED,
+ &error_string);
+ if (ret) {
+ *reason = talloc_asprintf(mem_ctx,
+ "Failed to set pipe forwarded"
+ "creds: %s\n", error_string);
+ return NULL;
+ }
+
+ /* This credential handle isn't useful for password
+ * authentication, so ensure nobody tries to do that */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_MUST_USE_KERBEROS);
+
+ }
+
+ return session_info;
+}
+
+
+/* Create a auth_session_info_transport from an auth_session_info.
+ *
+ * NOTE: Members of the auth_session_info_transport structure are not talloc_referenced, but simply assigned. They are only valid for the lifetime of the struct auth_session_info
+ *
+ * This isn't normally an issue, as the auth_session_info has a very long typical life
+ */
+NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
+ struct auth_session_info *session_info,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ struct auth_session_info_transport **transport_out)
+{
+
+ struct auth_session_info_transport *session_info_transport = talloc_zero(mem_ctx, struct auth_session_info_transport);
+ session_info_transport->security_token = talloc_reference(session_info, session_info->security_token);
+ NT_STATUS_HAVE_NO_MEMORY(session_info_transport->security_token);
+
+ session_info_transport->info = talloc_reference(session_info, session_info->info);
+ NT_STATUS_HAVE_NO_MEMORY(session_info_transport->info);
+
+ session_info_transport->session_key = session_info->session_key;
+ session_info_transport->session_key.data = talloc_reference(session_info, session_info->session_key.data);
+ if (!session_info_transport->session_key.data && session_info->session_key.length) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (session_info->credentials) {
+ struct gssapi_creds_container *gcc;
+ OM_uint32 gret;
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+ const char *error_string;
+ int ret;
+
+ ret = cli_credentials_get_client_gss_creds(session_info->credentials,
+ event_ctx,
+ lp_ctx,
+ &gcc, &error_string);
+ if (ret != 0) {
+ *transport_out = session_info_transport;
+ return NT_STATUS_OK;
+ }
+
+ gret = gss_export_cred(&minor_status,
+ gcc->creds,
+ &cred_token);
+ if (gret != GSS_S_COMPLETE) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (cred_token.length) {
+ session_info_transport->exported_gssapi_credentials
+ = data_blob_talloc(session_info_transport,
+ cred_token.value,
+ cred_token.length);
+ gss_release_buffer(&minor_status, &cred_token);
+ NT_STATUS_HAVE_NO_MEMORY(session_info_transport->exported_gssapi_credentials.data);
+ }
+ }
+ *transport_out = session_info_transport;
+ return NT_STATUS_OK;
+}
+
+
/* Produce a session_info for an arbitary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **session_info);
+struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
+ struct auth_session_info_transport *session_info_transport,
+ struct loadparm_context *lp_ctx,
+ const char **reason);
+NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
+ struct auth_session_info *session_info,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ struct auth_session_info_transport **transport_out);
+
/* Produce a session_info for an arbitary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
struct pipe_state *p;
struct ntvfs_request *req;
union smb_open *oi;
- struct netr_SamInfo3 *info3;
+ struct auth_session_info_transport *session_info_transport;
};
static void ipc_open_done(struct tevent_req *subreq);
const char *directory;
const struct tsocket_address *client_addr;
const struct tsocket_address *server_addr;
- int ret;
- DATA_BLOB delegated_creds = data_blob_null;
- struct auth_user_info_dc user_info_dc;
switch (oi->generic.level) {
case RAW_OPEN_NTCREATEX:
state->req = req;
state->oi = oi;
- /* Disgusting hack to recreate the user_info_dc that should
- * not be used that this layer in this way */
- ZERO_STRUCT(user_info_dc);
- user_info_dc.info = req->session_info->info;
- user_info_dc.num_sids = req->session_info->torture->num_dc_sids;
- user_info_dc.sids = req->session_info->torture->dc_sids;
+ status = auth_session_info_transport_from_session(state,
+ req->session_info,
+ ipriv->ntvfs->ctx->event_ctx,
+ ipriv->ntvfs->ctx->lp_ctx,
+ &state->session_info_transport);
- status = auth_convert_user_info_dc_saminfo3(state,
- &user_info_dc,
- &state->info3);
NT_STATUS_NOT_OK_RETURN(status);
client_addr = ntvfs_get_local_address(ipriv->ntvfs);
server_addr = ntvfs_get_remote_address(ipriv->ntvfs);
- if (req->session_info->credentials) {
- struct gssapi_creds_container *gcc;
- OM_uint32 gret;
- OM_uint32 minor_status;
- gss_buffer_desc cred_token;
- const char *error_string;
-
- ret = cli_credentials_get_client_gss_creds(req->session_info->credentials,
- ipriv->ntvfs->ctx->event_ctx,
- ipriv->ntvfs->ctx->lp_ctx,
- &gcc, &error_string);
- if (ret) {
- goto skip;
- }
-
- gret = gss_export_cred(&minor_status,
- gcc->creds,
- &cred_token);
- if (gret != GSS_S_COMPLETE) {
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- if (cred_token.length) {
- delegated_creds = data_blob_talloc(req,
- cred_token.value,
- cred_token.length);
- gss_release_buffer(&minor_status, &cred_token);
- NT_STATUS_HAVE_NO_MEMORY(delegated_creds.data);
- }
- }
-
-skip:
-
subreq = tstream_npa_connect_send(p,
ipriv->ntvfs->ctx->event_ctx,
directory,
NULL,
server_addr,
NULL,
- state->info3,
- req->session_info->session_key,
- delegated_creds);
+ state->session_info_transport);
NT_STATUS_HAVE_NO_MEMORY(subreq);
tevent_req_set_callback(subreq, ipc_open_done, state);
#include "system/passwd.h"
#include "system/network.h"
#include "libcli/raw/smb.h"
-#include "auth/credentials/credentials.h"
-#include "auth/credentials/credentials_krb5.h"
+#include "auth/session.h"
#include "libcli/security/security.h"
#include "libcli/named_pipe_auth/npa_tstream.h"
char *client_name;
struct tsocket_address *server;
char *server_name;
- struct netr_SamInfo3 *info3;
- DATA_BLOB session_key;
- DATA_BLOB delegated_creds;
-
- union netr_Validation val;
- struct auth_user_info_dc *user_info_dc;
- struct auth_context *auth_context;
- uint32_t session_flags = 0;
- struct dom_sid *anonymous_sid;
+ struct auth_session_info_transport *session_info_transport;
const char *reason = NULL;
TALLOC_CTX *tmp_ctx;
- NTSTATUS status;
int error;
int ret;
}
ret = tstream_npa_accept_existing_recv(subreq, &error, tmp_ctx,
- &conn->tstream,
- &client,
- &client_name,
- &server,
- &server_name,
- &info3,
- &session_key,
- &delegated_creds);
+ &conn->tstream,
+ &client,
+ &client_name,
+ &server,
+ &server_name,
+ &session_info_transport);
TALLOC_FREE(subreq);
if (ret != 0) {
reason = talloc_asprintf(conn,
client_name, tsocket_address_string(client, tmp_ctx),
server_name, tsocket_address_string(server, tmp_ctx)));
- if (info3) {
- val.sam3 = info3;
-
- status = make_user_info_dc_netlogon_validation(conn,
- val.sam3->base.account_name.string,
- 3, &val, &user_info_dc);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "make_user_info_dc_netlogon_validation "
- "returned: %s", nt_errstr(status));
- goto out;
- }
-
- status = auth_context_create(conn, conn->event.ctx,
- conn->msg_ctx, conn->lp_ctx,
- &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_context_create returned: %s",
- nt_errstr(status));
- goto out;
- }
-
- anonymous_sid = dom_sid_parse_talloc(auth_context,
- SID_NT_ANONYMOUS);
- if (anonymous_sid == NULL) {
- talloc_free(auth_context);
- reason = "Failed to parse Anonymous SID ";
- goto out;
- }
-
- session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) {
- session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
- }
-
-
- /* setup the session_info on the connection */
- status = auth_context->generate_session_info(conn,
- auth_context,
- user_info_dc,
- session_flags,
- &conn->session_info);
- talloc_free(auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- reason = talloc_asprintf(conn,
- "auth_generate_session_info "
- "returned: %s", nt_errstr(status));
- goto out;
- }
- }
-
- if (session_key.length) {
- conn->session_info->session_key = session_key;
- talloc_steal(conn->session_info, session_key.data);
- }
-
- if (delegated_creds.length) {
- struct cli_credentials *creds;
- OM_uint32 minor_status;
- gss_buffer_desc cred_token;
- gss_cred_id_t cred_handle;
- const char *error_string;
-
- DEBUG(10, ("Delegated credentials supplied by client\n"));
-
- cred_token.value = delegated_creds.data;
- cred_token.length = delegated_creds.length;
-
- ret = gss_import_cred(&minor_status,
- &cred_token,
- &cred_handle);
- if (ret != GSS_S_COMPLETE) {
- reason = "Internal error in gss_import_cred()";
- goto out;
- }
-
- creds = cli_credentials_init(conn->session_info);
- if (!creds) {
- reason = "Out of memory in cli_credentials_init()";
- goto out;
- }
- conn->session_info->credentials = creds;
-
- cli_credentials_set_conf(creds, conn->lp_ctx);
- /* Just so we don't segfault trying to get at a username */
- cli_credentials_set_anonymous(creds);
-
- ret = cli_credentials_set_client_gss_creds(creds,
- conn->lp_ctx,
- cred_handle,
- CRED_SPECIFIED,
- &error_string);
- if (ret) {
- reason = talloc_asprintf(conn,
- "Failed to set pipe forwarded"
- "creds: %s\n", error_string);
- goto out;
- }
-
- /* This credential handle isn't useful for password
- * authentication, so ensure nobody tries to do that */
- cli_credentials_set_kerberos_state(creds,
- CRED_MUST_USE_KERBEROS);
-
+ conn->session_info = auth_session_info_from_transport(conn, session_info_transport,
+ conn->lp_ctx,
+ &reason);
+ if (!conn->session_info) {
+ goto out;
}
/*
git.samba.org / bbaumbach / samba-autobuild / .git / commitdiff