r26233: Pass loadparm context when creating krb5 contexts.

[jelmer/samba4-debian.git] / source / auth / auth_util.c

diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 649928ac9b36d239ade0bf0e5795452840c38db1..baecb15f1e3d59c935f9628eecf7552853b9ad3a 100644 (file)
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -9,7 +9,7 @@
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -18,8 +18,7 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
@@ -28,6 +27,7 @@
 #include "libcli/auth/libcli_auth.h"
 #include "dsdb/samdb/samdb.h"
 #include "auth/credentials/credentials.h"
+#include "param/param.h"
 
 /* this default function can be used by mostly all backends
  * which don't want to set a challenge
@@ -43,6 +43,7 @@ NTSTATUS auth_get_challenge_not_implemented(struct auth_method_context *ctx, TAL
 ****************************************************************************/
 
 NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
+                      const char *default_domain,
                       const struct auth_usersupplied_info *user_info,
                       struct auth_usersupplied_info **user_info_mapped)
 {
@@ -58,7 +59,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
        }
        
        /* don't allow "" as a domain, fixes a Win9X bug 
-          where it doens't supply a domain for logon script
+          where it doesn't supply a domain for logon script
           'net use' commands.                                 */
 
        /* Split user@realm names into user and realm components.  This is TODO to fix with proper userprincipalname support */
@@ -73,7 +74,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
                d++;
                domain = d;
        } else {
-               domain = lp_workgroup();
+               domain = default_domain;
        }
 
        *user_info_mapped = talloc(mem_ctx, struct auth_usersupplied_info);
@@ -82,7 +83,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
        }
        talloc_reference(*user_info_mapped, user_info);
        **user_info_mapped = *user_info;
-       (*user_info_mapped)->mapped_state = True;
+       (*user_info_mapped)->mapped_state = true;
        (*user_info_mapped)->mapped.domain_name = talloc_strdup(*user_info_mapped, domain);
        (*user_info_mapped)->mapped.account_name = talloc_strdup(*user_info_mapped, account_name);
        talloc_free(account_name);
@@ -98,7 +99,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
  Create an auth_usersupplied_data structure after appropriate mapping.
 ****************************************************************************/
 
- NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, 
+NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context, 
                           enum auth_password_state to_state,
                           const struct auth_usersupplied_info *user_info_in,
                           const struct auth_usersupplied_info **user_info_encrypted)
@@ -138,8 +139,8 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
                        }
                        
                        chall_blob = data_blob_talloc(mem_ctx, challenge, 8);
-                       if (lp_client_ntlmv2_auth()) {
-                               DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(), lp_workgroup());
+                       if (lp_client_ntlmv2_auth(auth_context->lp_ctx)) {
+                               DATA_BLOB names_blob = NTLMv2_generate_names_blob(mem_ctx, lp_netbios_name(auth_context->lp_ctx), lp_workgroup(auth_context->lp_ctx));
                                DATA_BLOB lmv2_response, ntlmv2_response, lmv2_session_key, ntlmv2_session_key;
                                
                                if (!SMBNTLMv2encrypt_hash(user_info_temp,
@@ -163,7 +164,7 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
                                SMBOWFencrypt(user_info_in->password.hash.nt->hash, challenge, blob.data);
 
                                user_info_temp->password.response.nt = blob;
-                               if (lp_client_lanman_auth() && user_info_in->password.hash.lanman) {
+                               if (lp_client_lanman_auth(auth_context->lp_ctx) && user_info_in->password.hash.lanman) {
                                        DATA_BLOB lm_blob = data_blob_talloc(mem_ctx, NULL, 24);
                                        SMBOWFencrypt(user_info_in->password.hash.lanman->hash, challenge, blob.data);
                                        user_info_temp->password.response.lanman = lm_blob;
@@ -228,447 +229,6 @@ NTSTATUS map_user_info(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
-/***************************************************************************
- Make a server_info struct from the info3 returned by a domain logon 
-***************************************************************************/
-NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
-                                             const char *account_name,
-                                             uint16_t validation_level,
-                                             union netr_Validation *validation,
-                                             struct auth_serversupplied_info **_server_info)
-{
-       struct auth_serversupplied_info *server_info;
-       struct netr_SamBaseInfo *base = NULL;
-       int i;
-
-       switch (validation_level) {
-       case 2:
-               if (!validation || !validation->sam2) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-               base = &validation->sam2->base;
-               break;
-       case 3:
-               if (!validation || !validation->sam3) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-               base = &validation->sam3->base;
-               break;
-       case 6:
-               if (!validation || !validation->sam6) {
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-               base = &validation->sam6->base;
-               break;
-       default:
-               return NT_STATUS_INVALID_LEVEL;
-       }
-
-       server_info = talloc(mem_ctx, struct auth_serversupplied_info);
-       NT_STATUS_HAVE_NO_MEMORY(server_info);
-
-       /*
-          Here is where we should check the list of
-          trusted domains, and verify that the SID 
-          matches.
-       */
-       server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-
-       server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = base->groups.count;
-       if (base->groups.count) {
-               server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count);
-               NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
-       } else {
-               server_info->domain_groups = NULL;
-       }
-
-       for (i = 0; i < base->groups.count; i++) {
-               server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid);
-               NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
-       }
-
-       /* Copy 'other' sids.  We need to do sid filtering here to
-          prevent possible elevation of privileges.  See:
-
-           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
-         */
-
-       if (validation_level == 3) {
-               struct dom_sid **dgrps = server_info->domain_groups;
-               size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount;
-               size_t n_dgrps = server_info->n_domain_groups;
-
-               if (validation->sam3->sidcount > 0) {
-                       dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount);
-                       NT_STATUS_HAVE_NO_MEMORY(dgrps);
-
-                       for (i = 0; i < validation->sam3->sidcount; i++) {
-                               dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid);
-                       }
-               }
-
-               server_info->n_domain_groups = sidcount;
-               server_info->domain_groups = dgrps;
-
-               /* Where are the 'global' sids?... */
-       }
-
-       if (base->account_name.string) {
-               server_info->account_name = talloc_reference(server_info, base->account_name.string);
-       } else {
-               server_info->account_name = talloc_strdup(server_info, account_name);
-               NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
-       }
-
-       server_info->domain_name = talloc_reference(server_info, base->domain.string);
-       server_info->full_name = talloc_reference(server_info, base->full_name.string);
-       server_info->logon_script = talloc_reference(server_info, base->logon_script.string);
-       server_info->profile_path = talloc_reference(server_info, base->profile_path.string);
-       server_info->home_directory = talloc_reference(server_info, base->home_directory.string);
-       server_info->home_drive = talloc_reference(server_info, base->home_drive.string);
-       server_info->logon_server = talloc_reference(server_info, base->logon_server.string);
-       server_info->last_logon = base->last_logon;
-       server_info->last_logoff = base->last_logoff;
-       server_info->acct_expiry = base->acct_expiry;
-       server_info->last_password_change = base->last_password_change;
-       server_info->allow_password_change = base->allow_password_change;
-       server_info->force_password_change = base->force_password_change;
-       server_info->logon_count = base->logon_count;
-       server_info->bad_password_count = base->bad_password_count;
-       server_info->acct_flags = base->acct_flags;
-
-       server_info->authenticated = True;
-
-       /* ensure we are never given NULL session keys */
-
-       if (all_zero(base->key.key, sizeof(base->key.key))) {
-               server_info->user_session_key = data_blob(NULL, 0);
-       } else {
-               server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key));
-               NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
-       }
-
-       if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
-               server_info->lm_session_key = data_blob(NULL, 0);
-       } else {
-               server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key));
-               NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
-       }
-
-       *_server_info = server_info;
-       return NT_STATUS_OK;
-}
-
-
-NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info) 
-{
-       struct auth_serversupplied_info *server_info;
-       server_info = talloc(mem_ctx, struct auth_serversupplied_info);
-       NT_STATUS_HAVE_NO_MEMORY(server_info);
-
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-       /* is this correct? */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
-
-       /* annoying, but the Anonymous really does have a session key, 
-          and it is all zeros! */
-       server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
-
-       server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
-
-       data_blob_clear(&server_info->user_session_key);
-       data_blob_clear(&server_info->lm_session_key);
-
-       server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
-
-       server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
-
-       server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
-
-       server_info->logon_script = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
-
-       server_info->profile_path = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
-
-       server_info->home_directory = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
-
-       server_info->home_drive = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
-
-       server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
-       NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
-
-       server_info->last_logon = 0;
-       server_info->last_logoff = 0;
-       server_info->acct_expiry = 0;
-       server_info->last_password_change = 0;
-       server_info->allow_password_change = 0;
-       server_info->force_password_change = 0;
-
-       server_info->logon_count = 0;
-       server_info->bad_password_count = 0;
-
-       server_info->acct_flags = ACB_NORMAL;
-
-       server_info->authenticated = False;
-
-       *_server_info = server_info;
-
-       return NT_STATUS_OK;
-}
-
-NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info **_server_info) 
-{
-       struct auth_serversupplied_info *server_info;
-       server_info = talloc(mem_ctx, struct auth_serversupplied_info);
-       NT_STATUS_HAVE_NO_MEMORY(server_info);
-
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-       /* is this correct? */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
-
-       /* annoying, but the Anonymous really does have a session key, 
-          and it is all zeros! */
-       server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
-
-       server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
-
-       data_blob_clear(&server_info->user_session_key);
-       data_blob_clear(&server_info->lm_session_key);
-
-       server_info->account_name = talloc_strdup(server_info, "SYSTEM");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
-
-       server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
-
-       server_info->full_name = talloc_strdup(server_info, "System");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
-
-       server_info->logon_script = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
-
-       server_info->profile_path = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
-
-       server_info->home_directory = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
-
-       server_info->home_drive = talloc_strdup(server_info, "");
-       NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
-
-       server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
-       NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
-
-       server_info->last_logon = 0;
-       server_info->last_logoff = 0;
-       server_info->acct_expiry = 0;
-       server_info->last_password_change = 0;
-       server_info->allow_password_change = 0;
-       server_info->force_password_change = 0;
-
-       server_info->logon_count = 0;
-       server_info->bad_password_count = 0;
-
-       server_info->acct_flags = ACB_NORMAL;
-
-       server_info->authenticated = True;
-
-       *_server_info = server_info;
-
-       return NT_STATUS_OK;
-}
-
-NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, 
-                                   struct auth_serversupplied_info *server_info, 
-                                   struct auth_session_info **_session_info) 
-{
-       struct auth_session_info *session_info;
-       NTSTATUS nt_status;
-
-       session_info = talloc(mem_ctx, struct auth_session_info);
-       NT_STATUS_HAVE_NO_MEMORY(session_info);
-
-       session_info->server_info = talloc_reference(session_info, server_info);
-
-       /* unless set otherwise, the session key is the user session
-        * key from the auth subsystem */ 
-       session_info->session_key = server_info->user_session_key;
-
-       nt_status = security_token_create(session_info,
-                                         server_info->account_sid,
-                                         server_info->primary_group_sid,
-                                         server_info->n_domain_groups,
-                                         server_info->domain_groups,
-                                         server_info->authenticated,
-                                         &session_info->security_token);
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       session_info->credentials = NULL;
-
-       *_session_info = session_info;
-       return NT_STATUS_OK;
-}
-
-NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
-                                    struct auth_session_info **_session_info) 
-{
-       NTSTATUS nt_status;
-       struct auth_serversupplied_info *server_info = NULL;
-       struct auth_session_info *session_info = NULL;
-       TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
-       
-       nt_status = auth_anonymous_server_info(mem_ctx,
-                                              &server_info);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               talloc_free(mem_ctx);
-               return nt_status;
-       }
-
-       /* references the server_info into the session_info */
-       nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
-       talloc_free(mem_ctx);
-
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       session_info->credentials = cli_credentials_init(session_info);
-       if (!session_info->credentials) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       cli_credentials_set_conf(session_info->credentials);
-       cli_credentials_set_anonymous(session_info->credentials);
-       
-       *_session_info = session_info;
-
-       return NT_STATUS_OK;
-}
-
-struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx) 
-{
-       NTSTATUS nt_status;
-       struct auth_session_info *session_info = NULL;
-       nt_status = auth_anonymous_session_info(mem_ctx, &session_info);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return NULL;
-       }
-       return session_info;
-}
-
-static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, 
-                                         BOOL anonymous_credentials, 
-                                         struct auth_session_info **_session_info) 
-{
-       NTSTATUS nt_status;
-       struct auth_serversupplied_info *server_info = NULL;
-       struct auth_session_info *session_info = NULL;
-       TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
-       
-       nt_status = auth_system_server_info(mem_ctx,
-                                           &server_info);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               talloc_free(mem_ctx);
-               return nt_status;
-       }
-
-       /* references the server_info into the session_info */
-       nt_status = auth_generate_session_info(parent_ctx, server_info, &session_info);
-       talloc_free(mem_ctx);
-
-       NT_STATUS_NOT_OK_RETURN(nt_status);
-
-       session_info->credentials = cli_credentials_init(session_info);
-       if (!session_info->credentials) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       cli_credentials_set_conf(session_info->credentials);
-
-       if (anonymous_credentials) {
-               cli_credentials_set_anonymous(session_info->credentials);
-       } else {
-               cli_credentials_set_machine_account_pending(session_info->credentials);
-       }
-       *_session_info = session_info;
-
-       return NT_STATUS_OK;
-}
-
-_PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
-                                          struct auth_session_info **_session_info) 
-{
-       return _auth_system_session_info(parent_ctx, lp_parm_bool(-1,"system","anonymous", False), 
-                                        _session_info);
-}
-
-/*
-  Create a system session, with machine account credentials
-*/
-_PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx) 
-{
-       NTSTATUS nt_status;
-       struct auth_session_info *session_info = NULL;
-       nt_status = auth_system_session_info(mem_ctx,
-                                            &session_info);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return NULL;
-       }
-       return session_info;
-}
-
-/*
-  Create a system session, but with anonymous credentials (so we do not need to open secrets.ldb)
-*/
-_PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx) 
-{
-       NTSTATUS nt_status;
-       struct auth_session_info *session_info = NULL;
-       nt_status = _auth_system_session_info(mem_ctx, False, &session_info);
-       if (!NT_STATUS_IS_OK(nt_status)) {
-               return NULL;
-       }
-       return session_info;
-}
-
-/****************************************************************************
- prints a struct auth_session_info security token to debug output.
-****************************************************************************/
-void auth_session_info_debug(int dbg_lev, 
-                            const struct auth_session_info *session_info)
-{
-       if (!session_info) {
-               DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
-               return; 
-       }
-
-       security_token_debug(dbg_lev, session_info->security_token);
-}
 
 /**
  * Squash an NT_STATUS in line with security requirements.