Revert "Add old functionality back which was removed in commit 589a42e2."
[kai/samba-autobuild/.git] / source4 / auth / session.c
1 /* 
2    Unix SMB/CIFS implementation.
3    Authentication utility functions
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Andrew Bartlett 2001-2010
6    Copyright (C) Jeremy Allison 2000-2001
7    Copyright (C) Rafal Szczesniak 2002
8    Copyright (C) Stefan Metzmacher 2005
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14    
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19    
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "auth/auth.h"
26 #include "libcli/security/security.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "auth/session_proto.h"
30
31 _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, 
32                                             struct loadparm_context *lp_ctx) 
33 {
34         NTSTATUS nt_status;
35         struct auth_session_info *session_info = NULL;
36         nt_status = auth_anonymous_session_info(mem_ctx, lp_ctx, &session_info);
37         if (!NT_STATUS_IS_OK(nt_status)) {
38                 return NULL;
39         }
40         return session_info;
41 }
42
43 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
44                                              struct auth_context *auth_context,
45                                              struct auth_serversupplied_info *server_info,
46                                              uint32_t session_info_flags,
47                                              struct auth_session_info **_session_info)
48 {
49         struct auth_session_info *session_info;
50         NTSTATUS nt_status;
51         unsigned int i, num_groupSIDs = 0;
52         const char *account_sid_string;
53         const char *account_sid_dn;
54         DATA_BLOB account_sid_blob;
55         const char *primary_group_string;
56         const char *primary_group_dn;
57         DATA_BLOB primary_group_blob;
58
59         const char *filter;
60
61         struct dom_sid **groupSIDs = NULL;
62         const struct dom_sid *dom_sid;
63
64         TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
65         NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
66
67         if (!auth_context->sam_ctx) {
68                 DEBUG(0, ("No SAM available, cannot determine local groups\n"));
69                 return NT_STATUS_INVALID_SYSTEM_SERVICE;
70         }
71
72         /* For now, we don't have trusted domains, so we do a very
73          * simple check to see that the user's SID is in *this*
74          * domain, and then trust the user account control.  When we
75          * get trusted domains, we should check it's a trusted domain
76          * in this forest.  This elaborate check is to try and avoid a
77          * nasty security bug if we forget about this later... */
78
79         if (server_info->acct_flags & ACB_SVRTRUST) {
80                 dom_sid = samdb_domain_sid(auth_context->sam_ctx);
81                 if (dom_sid) {
82                         if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
83                                 session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
84                         } else {
85                                 DEBUG(2, ("DC %s is not in our domain.  "
86                                           "It will not have Enterprise Domain Controllers membership on this server",
87                                           server_info->account_name));
88                         }
89                 } else {
90                         DEBUG(2, ("Could not obtain local domain SID, "
91                                   "so can not determine if DC %s is a DC of this domain.  "
92                                   "It will not have Enterprise Domain Controllers membership",
93                                   server_info->account_name));
94                 }
95         }
96
97         groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
98         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
99         if (!groupSIDs) {
100                 talloc_free(tmp_ctx);
101                 return NT_STATUS_NO_MEMORY;
102         }
103
104         num_groupSIDs = server_info->n_domain_groups;
105
106         for (i=0; i < server_info->n_domain_groups; i++) {
107                 groupSIDs[i] = server_info->domain_groups[i];
108         }
109
110         filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
111                                  GROUP_TYPE_BUILTIN_LOCAL_GROUP);
112
113         session_info = talloc(tmp_ctx, struct auth_session_info);
114         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
115
116         session_info->server_info = talloc_reference(session_info, server_info);
117
118         /* unless set otherwise, the session key is the user session
119          * key from the auth subsystem */ 
120         session_info->session_key = server_info->user_session_key;
121
122         /* Search for each group in the token */
123
124         /* Expands the account SID - this function takes in
125          * memberOf-like values, so we fake one up with the
126          * <SID=S-...> format of DN and then let it expand
127          * them, as long as they meet the filter - so only
128          * builtin groups
129          *
130          * We already have the primary group in the token, so set
131          * 'only childs' flag to true
132          */
133         account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid);
134         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info);
135
136         account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
137         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info);
138
139         account_sid_blob = data_blob_string_const(account_sid_dn);
140
141         nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
142                                               tmp_ctx, &groupSIDs, &num_groupSIDs);
143         if (!NT_STATUS_IS_OK(nt_status)) {
144                 talloc_free(tmp_ctx);
145                 return nt_status;
146         }
147
148         /* Expands the primary group - this function takes in
149          * memberOf-like values, so we fake one up with the
150          * <SID=S-...> format of DN and then let it expand
151          * them, as long as they meet the filter - so only
152          * builtin groups
153          *
154          * We already have the primary group in the token, so set
155          * 'only childs' flag to true
156          */
157         primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid);
158         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
159
160         primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
161         NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
162
163         primary_group_blob = data_blob_string_const(primary_group_dn);
164
165         nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
166                                               tmp_ctx, &groupSIDs, &num_groupSIDs);
167         if (!NT_STATUS_IS_OK(nt_status)) {
168                 talloc_free(tmp_ctx);
169                 return nt_status;
170         }
171
172         for (i = 0; i < server_info->n_domain_groups; i++) {
173                 const char *group_string;
174                 const char *group_dn;
175                 DATA_BLOB group_blob;
176                 group_string = dom_sid_string(tmp_ctx, server_info->domain_groups[i]);
177                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info);
178
179                 group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string);
180                 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info);
181
182                 group_blob = data_blob_string_const(group_dn);
183
184                 /* This function takes in memberOf values and expands
185                  * them, as long as they meet the filter - so only
186                  * builtin groups */
187                 nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
188                                                       tmp_ctx, &groupSIDs, &num_groupSIDs);
189                 if (!NT_STATUS_IS_OK(nt_status)) {
190                         talloc_free(tmp_ctx);
191                         return nt_status;
192                 }
193         }
194
195         nt_status = security_token_create(session_info,
196                                           auth_context->event_ctx,
197                                           auth_context->lp_ctx,
198                                           server_info->account_sid,
199                                           server_info->primary_group_sid,
200                                           num_groupSIDs,
201                                           groupSIDs,
202                                           session_info_flags,
203                                           &session_info->security_token);
204         NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
205
206         session_info->credentials = NULL;
207
208         talloc_steal(mem_ctx, session_info);
209         *_session_info = session_info;
210         return NT_STATUS_OK;
211 }
212
213 /**
214  * prints a struct auth_session_info security token to debug output.
215  */
216 void auth_session_info_debug(int dbg_lev, 
217                              const struct auth_session_info *session_info)
218 {
219         if (!session_info) {
220                 DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
221                 return; 
222         }
223
224         security_token_debug(dbg_lev, session_info->security_token);
225 }
226