struct gensec_settings;
struct tevent_context;
struct tevent_req;
+struct smb_krb5_context;
struct gensec_settings {
struct loadparm_context *lp_ctx;
struct auth4_context;
struct auth_session_info;
struct ldb_dn;
+struct smb_krb5_context;
struct auth_operations {
const char *name;
NTSTATUS (*set_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
- NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
- struct auth4_context *auth_ctx,
- const char *principal,
- struct ldb_dn *user_dn,
- struct auth_user_info_dc **user_info_dc);
-
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
struct auth4_context *auth_context,
struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **session_info);
+
+ NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx_out,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info);
};
/* this structure is used by backends to determine the size of some critical types */
TALLOC_CTX *mem_ctx;
struct gensec_gssapi_state *gensec_gssapi_state
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
- struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
OM_uint32 maj_stat, min_stat;
- DATA_BLOB pac_blob;
- struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
- struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
+ DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
+
+ gss_buffer_desc name_token;
+ char *principal_string;
mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+ maj_stat = gss_display_name (&min_stat,
+ gensec_gssapi_state->client_name,
+ &name_token,
+ NULL);
+ if (GSS_ERROR(maj_stat)) {
+ DEBUG(1, ("GSS display_name failed: %s\n",
+ gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_FOOBAR;
+ }
+
+ principal_string = talloc_strndup(mem_ctx,
+ (const char *)name_token.value,
+ name_token.length);
+
+ gss_release_buffer(&min_stat, &name_token);
+
+ if (!principal_string) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context,
gensec_gssapi_state->client_name,
&pac_blob);
* kind...
*/
if (NT_STATUS_IS_OK(nt_status)) {
- pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
- if (!pac_srv_sig) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
- pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
- if (!pac_kdc_sig) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
- pac_blob,
- gensec_gssapi_state->smb_krb5_context->krb5_context,
- &user_info_dc,
- pac_srv_sig,
- pac_kdc_sig);
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return nt_status;
- }
- } else {
- gss_buffer_desc name_token;
- char *principal_string;
-
- maj_stat = gss_display_name (&min_stat,
- gensec_gssapi_state->client_name,
- &name_token,
- NULL);
- if (GSS_ERROR(maj_stat)) {
- DEBUG(1, ("GSS display_name failed: %s\n",
- gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- talloc_free(mem_ctx);
- return NT_STATUS_FOOBAR;
- }
-
- principal_string = talloc_strndup(mem_ctx,
- (const char *)name_token.value,
- name_token.length);
-
- gss_release_buffer(&min_stat, &name_token);
-
- if (!principal_string) {
- talloc_free(mem_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- if (gensec_security->auth_context &&
- !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
- DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
- gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
- gensec_security->auth_context,
- principal_string,
- NULL,
- &user_info_dc);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- talloc_free(mem_ctx);
- return nt_status;
- }
- } else {
- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s\n",
- principal_string,
- gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- /* references the user_info_dc into the session_info */
- nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
- user_info_dc, &session_info);
+ pac_blob_ptr = &pac_blob;
+ }
+ nt_status = gensec_generate_session_info_pac(mem_ctx,
+ gensec_security,
+ gensec_gssapi_state->smb_krb5_context,
+ pac_blob_ptr, principal_string,
+ gensec_get_remote_address(gensec_security),
+ &session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
return nt_status;
}
- /* Allow torture tests to check the PAC signatures */
- if (session_info->torture) {
- session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
- session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
- }
-
if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
} else {
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
- struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
- struct PAC_LOGON_INFO *logon_info;
krb5_principal client_principal;
char *principal_string;
- DATA_BLOB pac;
+ DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
krb5_data pac_data;
krb5_error_code ret;
KRB5_AUTHDATA_WIN2K_PAC,
&pac_data);
- if (ret && gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access: %s \n",
- principal_string,
- smb_get_krb5_error_message(context,
- ret, mem_ctx)));
- free(principal_string);
- krb5_free_principal(context, client_principal);
- talloc_free(mem_ctx);
- return NT_STATUS_ACCESS_DENIED;
- } else if (ret) {
+ if (ret) {
/* NO pac */
DEBUG(5, ("krb5_ticket_get_authorization_data_type failed to find PAC: %s\n",
smb_get_krb5_error_message(context,
ret, mem_ctx)));
- if (gensec_security->auth_context &&
- !gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
- DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
- principal_string, smb_get_krb5_error_message(context,
- ret, mem_ctx)));
- nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
- gensec_security->auth_context,
- principal_string,
- NULL, &user_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- free(principal_string);
- krb5_free_principal(context, client_principal);
- talloc_free(mem_ctx);
- return nt_status;
- }
- } else {
- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
- principal_string));
- free(principal_string);
- krb5_free_principal(context, client_principal);
- talloc_free(mem_ctx);
- return NT_STATUS_ACCESS_DENIED;
- }
} else {
/* Found pac */
- union netr_Validation validation;
-
- pac = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
- if (!pac.data) {
+ pac_blob = data_blob_talloc(mem_ctx, pac_data.data, pac_data.length);
+ if (!pac_blob.data) {
free(principal_string);
krb5_free_principal(context, client_principal);
talloc_free(mem_ctx);
}
/* decode and verify the pac */
- nt_status = kerberos_pac_logon_info(gensec_krb5_state,
- pac,
- gensec_krb5_state->smb_krb5_context->krb5_context,
- NULL, gensec_krb5_state->keyblock,
- client_principal,
- gensec_krb5_state->ticket->ticket.authtime, &logon_info);
+ nt_status = kerberos_decode_pac(gensec_krb5_state,
+ pac_blob,
+ gensec_krb5_state->smb_krb5_context->krb5_context,
+ NULL, gensec_krb5_state->keyblock,
+ client_principal,
+ gensec_krb5_state->ticket->ticket.authtime, NULL);
if (!NT_STATUS_IS_OK(nt_status)) {
free(principal_string);
return nt_status;
}
- validation.sam3 = &logon_info->info3;
- nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
- NULL,
- 3, &validation,
- true, /* This user was authenticated */
- &user_info_dc);
- if (!NT_STATUS_IS_OK(nt_status)) {
- free(principal_string);
- krb5_free_principal(context, client_principal);
- talloc_free(mem_ctx);
- return nt_status;
- }
+ pac_blob_ptr = &pac_blob;
}
+ nt_status = gensec_generate_session_info_pac(mem_ctx,
+ gensec_security,
+ gensec_krb5_state->smb_krb5_context,
+ pac_blob_ptr, principal_string,
+ gensec_get_remote_address(gensec_security),
+ &session_info);
+
free(principal_string);
krb5_free_principal(context, client_principal);
- /* references the user_info_dc into the session_info */
- nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
-
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
#include "includes.h"
#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_proto.h"
#include "auth/auth.h"
+#include "auth/credentials/credentials.h"
#include "auth/system_session_proto.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_util.h"
NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
struct gensec_security *gensec_security,
}
return nt_status;
}
+
+NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
+ struct gensec_security *gensec_security,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_string,
+ const struct tsocket_address *remote_address,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS nt_status;
+ uint32_t session_info_flags = 0;
+ TALLOC_CTX *mem_ctx;
+ struct auth_user_info_dc *user_info_dc;
+ struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
+
+ if (!pac_blob) {
+ if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
+ DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+ principal_string));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
+ principal_string));
+ }
+
+ if (gensec_security->auth_context) {
+ return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
+ mem_ctx_out,
+ smb_krb5_context,
+ pac_blob,
+ principal_string,
+ remote_address,
+ session_info_flags,
+ session_info);
+ } else if (!pac_blob) {
+ DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n"));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_srv_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
+ if (!pac_kdc_sig) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc,
+ pac_srv_sig,
+ pac_kdc_sig);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx_out,
+ NULL,
+ NULL,
+ user_info_dc, session_info_flags,
+ session_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ talloc_free(mem_ctx);
+ return nt_status;
+ }
+
+ if ((*session_info)->torture) {
+ (*session_info)->torture->pac_srv_sig
+ = talloc_steal((*session_info)->torture, pac_srv_sig);
+ (*session_info)->torture->pac_kdc_sig
+ = talloc_steal((*session_info)->torture, pac_kdc_sig);
+ }
+
+ talloc_free(mem_ctx);
+ return nt_status;
+}
bld.SAMBA_SUBSYSTEM('gensec_util',
source='socket.c gensec_tstream.c gensec_util.c',
- deps='tevent-util tevent samba-util LIBTSOCKET',
+ deps='tevent-util tevent samba-util LIBTSOCKET KERBEROS_UTIL',
autoproto='gensec_proto.h')
bld.SAMBA_MODULE('gensec_krb5',
source='gensec_krb5.c',
subsystem='gensec',
init_function='gensec_krb5_init',
- deps='samba-credentials authkrb5 auth_session com_err',
+ deps='samba-credentials authkrb5 auth_session com_err gensec_util',
internal_module=False,
)
source='gensec_gssapi.c',
subsystem='gensec',
init_function='gensec_gssapi_init',
- deps='gssapi samba-credentials authkrb5 com_err'
+ deps='gssapi samba-credentials authkrb5 com_err gensec_util'
)
#include "librpc/gen_ndr/ndr_krb5pac.h"
#include <ldb.h>
#include "auth/auth_sam_reply.h"
+#include "auth/kerberos/kerberos_util.h"
_PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
DATA_BLOB blob,
#include "dsdb/samdb/samdb.h"
#include "libcli/wbclient/wbclient.h"
#include "lib/util/samba_modules.h"
+#include "auth/credentials/credentials.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_util.h"
+
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+ struct auth4_context *auth_context,
+ struct auth_user_info_dc *user_info_dc,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info);
/***************************************************************************
Set a fixed challenge
Supply either a principal or a DN
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
- struct auth4_context *auth_ctx,
- const char *principal,
- struct ldb_dn *user_dn,
- struct auth_user_info_dc **user_info_dc)
+static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
NTSTATUS nt_status;
struct auth_method_context *method;
+ struct auth_user_info_dc *user_info_dc;
for (method = auth_ctx->methods; method; method = method->next) {
if (!method->ops->get_user_info_dc_principal) {
continue;
}
- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
+ nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
continue;
}
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ nt_status = auth_generate_session_info_wrapper(mem_ctx, auth_ctx,
+ user_info_dc,
+ session_info_flags, session_info);
+ talloc_free(user_info_dc);
return nt_status;
}
return NT_STATUS_OK;
}
-/* Wrapper because we don't want to expose all callers to needing to
- * know that session_info is generated from the main ldb, and because
- * we need to break a depenency loop between the DCE/RPC layer and the
- * generation of unix tokens via IRPC */
+ /* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb, and because
+ * we need to break a depenency loop between the DCE/RPC layer and the
+ * generation of unix tokens via IRPC */
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
- struct auth4_context *auth_context,
- struct auth_user_info_dc *user_info_dc,
- uint32_t session_info_flags,
- struct auth_session_info **session_info)
+ struct auth4_context *auth_context,
+ struct auth_user_info_dc *user_info_dc,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
auth_context->sam_ctx, user_info_dc,
session_info_flags, session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
&& NT_STATUS_IS_OK(status)) {
return status;
}
+/* Wrapper because we don't want to expose all callers to needing to
+ * know anything about the PAC or auth subsystem internal structures
+ * before we output a struct auth session_info */
+static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx_out,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS status;
+ struct auth_user_info_dc *user_info_dc;
+ TALLOC_CTX *mem_ctx;
+
+ if (!pac_blob) {
+ return auth_generate_session_info_principal(auth_ctx, mem_ctx_out, principal_name,
+ NULL, session_info_flags, session_info);
+ }
+
+ mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
+
+ status = auth_generate_session_info_wrapper(mem_ctx_out, auth_ctx,
+ user_info_dc,
+ session_info_flags, session_info);
+ talloc_free(mem_ctx);
+ return status;
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
- Allow the caller to specify the methods to use, including optionally the SAM to use
return NT_STATUS_INTERNAL_ERROR;
}
- ctx = talloc(mem_ctx, struct auth4_context);
+ ctx = talloc_zero(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
ctx->challenge.set_by = NULL;
ctx->challenge.may_be_modified = false;
ctx->get_challenge = auth_get_challenge;
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
- ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
ctx->generate_session_info = auth_generate_session_info_wrapper;
+ ctx->generate_session_info_pac = auth_generate_session_info_pac;
*auth_ctx = ctx;
bld.SAMBA_LIBRARY('auth4',
source='auth.c auth_util.c auth_simple.c',
autoproto='auth_proto.h',
- deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules',
+ deps='samba-util security samdb samba-credentials tevent-util LIBWBCLIENT_OLD auth_unix_token samba-modules KERBEROS_UTIL',
private_library=True
)
git.samba.org / kai / samba.git / commitdiff