*/
#include "includes.h"
+#include <tevent.h>
+#include "../lib/util/tevent_ntstatus.h"
#include "../lib/util/dlinklist.h"
#include "auth/auth.h"
#include "auth/ntlm/auth_proto.h"
-#include "lib/events/events.h"
#include "param/param.h"
+#include "dsdb/samdb/samdb.h"
+#include "libcli/wbclient/wbclient.h"
+#include "lib/util/samba_modules.h"
+#include "auth/credentials/credentials.h"
+#include "system/kerberos.h"
+#include "auth/kerberos/kerberos.h"
+#include "auth/kerberos/kerberos_util.h"
+#include "libds/common/roles.h"
+
+static NTSTATUS auth_generate_session_info_wrapper(struct auth4_context *auth_context,
+ TALLOC_CTX *mem_ctx,
+ void *server_returned_info,
+ const char *original_user_name,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info);
/***************************************************************************
Set a fixed challenge
***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by)
+_PUBLIC_ NTSTATUS auth_context_set_challenge(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by)
{
auth_ctx->challenge.set_by = talloc_strdup(auth_ctx, set_by);
NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.set_by);
return NT_STATUS_OK;
}
-/***************************************************************************
- Set a fixed challenge
-***************************************************************************/
-bool auth_challenge_may_be_modified(struct auth_context *auth_ctx)
-{
- return auth_ctx->challenge.may_be_modified;
-}
-
/****************************************************************************
Try to get a challenge out of the various authentication modules.
Returns a const char of length 8 bytes.
****************************************************************************/
-_PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, const uint8_t **_chal)
+_PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t chal[8])
{
- NTSTATUS nt_status;
- struct auth_method_context *method;
- if (auth_ctx->challenge.data.length) {
+ if (auth_ctx->challenge.data.length == 8) {
DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n",
auth_ctx->challenge.set_by));
- *_chal = auth_ctx->challenge.data.data;
+ memcpy(chal, auth_ctx->challenge.data.data, 8);
return NT_STATUS_OK;
}
- for (method = auth_ctx->methods; method; method = method->next) {
- DATA_BLOB challenge = data_blob(NULL,0);
-
- nt_status = method->ops->get_challenge(method, auth_ctx, &challenge);
- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
- continue;
- }
-
- NT_STATUS_NOT_OK_RETURN(nt_status);
-
- if (challenge.length != 8) {
- DEBUG(0, ("auth_get_challenge: invalid challenge (length %u) by mothod [%s]\n",
- (unsigned)challenge.length, method->ops->name));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- auth_ctx->challenge.data = challenge;
- auth_ctx->challenge.set_by = method->ops->name;
-
- break;
- }
-
if (!auth_ctx->challenge.set_by) {
- uint8_t chal[8];
generate_random_buffer(chal, 8);
auth_ctx->challenge.data = data_blob_talloc(auth_ctx, chal, 8);
NT_STATUS_HAVE_NO_MEMORY(auth_ctx->challenge.data.data);
auth_ctx->challenge.set_by = "random";
-
- auth_ctx->challenge.may_be_modified = true;
}
DEBUG(10,("auth_get_challenge: challenge set by %s\n",
auth_ctx->challenge.set_by));
- *_chal = auth_ctx->challenge.data.data;
return NT_STATUS_OK;
}
-struct auth_check_password_sync_state {
- bool finished;
- NTSTATUS status;
- struct auth_serversupplied_info *server_info;
-};
+/****************************************************************************
+Used in the gensec_gssapi and gensec_krb5 server-side code, where the
+PAC isn't available, and for tokenGroups in the DSDB stack.
-static void auth_check_password_sync_callback(struct auth_check_password_request *req,
- void *private_data)
+ Supply either a principal or a DN
+****************************************************************************/
+static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const char *principal,
+ struct ldb_dn *user_dn,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
- struct auth_check_password_sync_state *s = talloc_get_type(private_data,
- struct auth_check_password_sync_state);
+ NTSTATUS nt_status;
+ struct auth_method_context *method;
+ struct auth_user_info_dc *user_info_dc;
+
+ for (method = auth_ctx->methods; method; method = method->next) {
+ if (!method->ops->get_user_info_dc_principal) {
+ continue;
+ }
+
+ nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
+ if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
+ continue;
+ }
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
- s->finished = true;
- s->status = auth_check_password_recv(req, s, &s->server_info);
+ nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx,
+ user_info_dc,
+ user_info_dc->info->account_name,
+ session_info_flags, session_info);
+ talloc_free(user_info_dc);
+
+ return nt_status;
+ }
+
+ return NT_STATUS_NOT_IMPLEMENTED;
}
/**
* (sync version)
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
* @param user_info Contains the user supplied components, including the passwords.
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-_PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
+_PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
const struct auth_usersupplied_info *user_info,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative)
{
- struct auth_check_password_sync_state *sync_state;
+ struct tevent_req *subreq;
+ struct tevent_context *ev;
+ bool ok;
NTSTATUS status;
- sync_state = talloc_zero(auth_ctx, struct auth_check_password_sync_state);
- NT_STATUS_HAVE_NO_MEMORY(sync_state);
+ /*TODO: create a new event context here! */
+ ev = auth_ctx->event_ctx;
+
+ subreq = auth_check_password_send(mem_ctx,
+ ev,
+ auth_ctx,
+ user_info);
+ if (subreq == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ok = tevent_req_poll(subreq, ev);
+ if (!ok) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ status = auth_check_password_recv(subreq, mem_ctx,
+ user_info_dc, pauthoritative);
+ TALLOC_FREE(subreq);
+
+ return status;
+}
- auth_check_password_send(auth_ctx, user_info, auth_check_password_sync_callback, sync_state);
+static NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ const struct auth_usersupplied_info *user_info,
+ uint8_t *pauthoritative,
+ void **server_returned_info,
+ DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+{
+ struct auth_user_info_dc *user_info_dc;
+ NTSTATUS status;
- while (!sync_state->finished) {
- event_loop_once(auth_ctx->event_ctx);
+ status = auth_check_password(auth_ctx, mem_ctx, user_info,
+ &user_info_dc, pauthoritative);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
}
- status = sync_state->status;
+ *server_returned_info = user_info_dc;
- if (NT_STATUS_IS_OK(status)) {
- *server_info = talloc_steal(mem_ctx, sync_state->server_info);
+ if (user_session_key) {
+ DEBUG(10, ("Got NT session key of length %u\n",
+ (unsigned)user_info_dc->user_session_key.length));
+ *user_session_key = user_info_dc->user_session_key;
+ talloc_steal(mem_ctx, user_session_key->data);
+ user_info_dc->user_session_key = data_blob_null;
}
- talloc_free(sync_state);
- return status;
+ if (lm_session_key) {
+ DEBUG(10, ("Got LM session key of length %u\n",
+ (unsigned)user_info_dc->lm_session_key.length));
+ *lm_session_key = user_info_dc->lm_session_key;
+ talloc_steal(mem_ctx, lm_session_key->data);
+ user_info_dc->lm_session_key = data_blob_null;
+ }
+
+ return NT_STATUS_OK;
}
-struct auth_check_password_request {
- struct auth_context *auth_ctx;
+struct auth_check_password_state {
+ struct auth4_context *auth_ctx;
const struct auth_usersupplied_info *user_info;
- struct auth_serversupplied_info *server_info;
+ struct auth_user_info_dc *user_info_dc;
struct auth_method_context *method;
- NTSTATUS status;
- struct {
- void (*fn)(struct auth_check_password_request *req, void *private_data);
- void *private_data;
- } callback;
+ uint8_t authoritative;
};
-static void auth_check_password_async_timed_handler(struct tevent_context *ev, struct tevent_timer *te,
- struct timeval t, void *ptr)
-{
- struct auth_check_password_request *req = talloc_get_type(ptr, struct auth_check_password_request);
- req->status = req->method->ops->check_password(req->method, req, req->user_info, &req->server_info);
- req->callback.fn(req, req->callback.private_data);
-}
-
+static void auth_check_password_async_trigger(struct tevent_context *ev,
+ struct tevent_immediate *im,
+ void *private_data);
/**
* Check a user's Plaintext, LM or NTLM password.
* async send hook
*
* Check a user's password, as given in the user_info struct and return various
- * interesting details in the server_info struct.
+ * interesting details in the user_info_dc struct.
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
+ * @param mem_ctx The memory context the request should operate on
+ *
+ * @param ev The tevent context the request should operate on
+ *
* @param auth_ctx Supplies the challenges and some other data.
* Must be created with make_auth_context(), and the challenges should be
* filled in, either at creation or by calling the challenge geneation
*
* @param user_info Contains the user supplied components, including the passwords.
*
- * @param callback A callback function which will be called when the operation is finished.
- * The callback function needs to call auth_check_password_recv() to get the return values
- *
- * @param private_data A private pointer which will ba passed to the callback function
+ * @return The request handle or NULL on no memory error.
*
**/
-_PUBLIC_ void auth_check_password_send(struct auth_context *auth_ctx,
- const struct auth_usersupplied_info *user_info,
- void (*callback)(struct auth_check_password_request *req, void *private_data),
- void *private_data)
+_PUBLIC_ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct auth4_context *auth_ctx,
+ const struct auth_usersupplied_info *user_info)
{
+ struct tevent_req *req;
+ struct auth_check_password_state *state;
/* if all the modules say 'not for me' this is reasonable */
NTSTATUS nt_status;
- struct auth_method_context *method;
- const uint8_t *challenge;
- struct auth_usersupplied_info *user_info_tmp;
- struct auth_check_password_request *req = NULL;
-
- DEBUG(3, ("auth_check_password_send: Checking password for unmapped user [%s]\\[%s]@[%s]\n",
- user_info->client.domain_name, user_info->client.account_name, user_info->workstation_name));
-
- req = talloc_zero(auth_ctx, struct auth_check_password_request);
- if (!req) {
- callback(NULL, private_data);
- return;
+ uint8_t chal[8];
+ struct tevent_immediate *im;
+
+ DEBUG(3,("auth_check_password_send: "
+ "Checking password for unmapped user [%s]\\[%s]@[%s]\n",
+ user_info->client.domain_name, user_info->client.account_name,
+ user_info->workstation_name));
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct auth_check_password_state);
+ if (req == NULL) {
+ return NULL;
}
- req->auth_ctx = auth_ctx;
- req->user_info = user_info;
- req->callback.fn = callback;
- req->callback.private_data = private_data;
+
+ /*
+ * We are authoritative by default.
+ */
+ state->authoritative = 1;
+ state->auth_ctx = auth_ctx;
+ state->user_info = user_info;
if (!user_info->mapped_state) {
- nt_status = map_user_info(req, lp_workgroup(auth_ctx->lp_ctx), user_info, &user_info_tmp);
- if (!NT_STATUS_IS_OK(nt_status)) goto failed;
+ int server_role = lpcfg_server_role(auth_ctx->lp_ctx);
+ struct auth_usersupplied_info *user_info_tmp;
+
+ nt_status = map_user_info(
+ auth_ctx->sam_ctx, req,
+ server_role == ROLE_ACTIVE_DIRECTORY_DC,
+ lpcfg_workgroup(auth_ctx->lp_ctx),
+ user_info, &user_info_tmp);
+
+ if (tevent_req_nterror(req, nt_status)) {
+ return tevent_req_post(req, ev);
+ }
user_info = user_info_tmp;
- req->user_info = user_info_tmp;
+ state->user_info = user_info_tmp;
}
- DEBUGADD(3,("auth_check_password_send: mapped user is: [%s]\\[%s]@[%s]\n",
- user_info->mapped.domain_name, user_info->mapped.account_name, user_info->workstation_name));
-
- nt_status = auth_get_challenge(auth_ctx, &challenge);
- if (!NT_STATUS_IS_OK(nt_status)) {
- DEBUG(0, ("auth_check_password_send: Invalid challenge (length %u) stored for this auth context set_by %s - cannot continue: %s\n",
- (unsigned)auth_ctx->challenge.data.length, auth_ctx->challenge.set_by, nt_errstr(nt_status)));
- goto failed;
+ DEBUGADD(3,("auth_check_password_send: "
+ "mapped user is: [%s]\\[%s]@[%s]\n",
+ user_info->mapped.domain_name,
+ user_info->mapped.account_name,
+ user_info->workstation_name));
+
+ nt_status = auth_get_challenge(auth_ctx, chal);
+ if (tevent_req_nterror(req, nt_status)) {
+ DEBUG(0,("auth_check_password_send: "
+ "Invalid challenge (length %u) stored for "
+ "this auth context set_by %s - cannot continue: %s\n",
+ (unsigned)auth_ctx->challenge.data.length,
+ auth_ctx->challenge.set_by,
+ nt_errstr(nt_status)));
+ return tevent_req_post(req, ev);
}
if (auth_ctx->challenge.set_by) {
- DEBUG(10, ("auth_check_password_send: auth_context challenge created by %s\n",
- auth_ctx->challenge.set_by));
+ DEBUG(10,("auth_check_password_send: "
+ "auth_context challenge created by %s\n",
+ auth_ctx->challenge.set_by));
}
DEBUG(10, ("auth_check_password_send: challenge is: \n"));
- dump_data(5, auth_ctx->challenge.data.data, auth_ctx->challenge.data.length);
+ dump_data(5, auth_ctx->challenge.data.data,
+ auth_ctx->challenge.data.length);
- nt_status = NT_STATUS_NO_SUCH_USER; /* If all the modules say 'not for me', then this is reasonable */
- for (method = auth_ctx->methods; method; method = method->next) {
- NTSTATUS result;
- struct tevent_timer *te = NULL;
+ im = tevent_create_immediate(state);
+ if (tevent_req_nomem(im, req)) {
+ return tevent_req_post(req, ev);
+ }
+
+ tevent_schedule_immediate(im,
+ auth_ctx->event_ctx,
+ auth_check_password_async_trigger,
+ req);
+ return req;
+}
- /* check if the module wants to chek the password */
- result = method->ops->want_check(method, req, user_info);
- if (NT_STATUS_EQUAL(result, NT_STATUS_NOT_IMPLEMENTED)) {
- DEBUG(11,("auth_check_password_send: %s had nothing to say\n", method->ops->name));
+static void auth_check_password_async_trigger(struct tevent_context *ev,
+ struct tevent_immediate *im,
+ void *private_data)
+{
+ struct tevent_req *req =
+ talloc_get_type_abort(private_data, struct tevent_req);
+ struct auth_check_password_state *state =
+ tevent_req_data(req, struct auth_check_password_state);
+ NTSTATUS status;
+ struct auth_method_context *method;
+
+ status = NT_STATUS_OK;
+
+ for (method=state->auth_ctx->methods; method; method = method->next) {
+
+ /* we fill in state->method here so debug messages in
+ the callers know which method failed */
+ state->method = method;
+
+ /* check if the module wants to check the password */
+ status = method->ops->want_check(method, req, state->user_info);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password_send: "
+ "%s doesn't want to check\n",
+ method->ops->name));
continue;
}
- nt_status = result;
- req->method = method;
-
- if (!NT_STATUS_IS_OK(nt_status)) break;
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
- te = event_add_timed(auth_ctx->event_ctx, req,
- timeval_zero(),
- auth_check_password_async_timed_handler, req);
- if (!te) {
- nt_status = NT_STATUS_NO_MEMORY;
- goto failed;
+ status = method->ops->check_password(method,
+ state,
+ state->user_info,
+ &state->user_info_dc);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ DEBUG(11,("auth_check_password_send: "
+ "%s passes to the next method\n",
+ method->ops->name));
+ continue;
}
+
+ /* the backend has handled the request */
+ break;
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
+ state->authoritative = 0;
+ status = NT_STATUS_NO_SUCH_USER;
+ }
+
+ if (tevent_req_nterror(req, status)) {
return;
}
-failed:
- req->status = nt_status;
- req->callback.fn(req, req->callback.private_data);
+ tevent_req_done(req);
}
/**
* Check a user's Plaintext, LM or NTLM password.
* async receive function
*
- * The return value takes precedence over the contents of the server_info
+ * The return value takes precedence over the contents of the user_info_dc
* struct. When the return is other than NT_STATUS_OK the contents
* of that structure is undefined.
*
*
- * @param req The async auth_check_password state, passes to the callers callback function
+ * @param req The async request state
*
- * @param mem_ctx The parent memory context for the server_info structure
+ * @param mem_ctx The parent memory context for the user_info_dc structure
*
- * @param server_info If successful, contains information about the authentication,
+ * @param user_info_dc If successful, contains information about the authentication,
* including a SAM_ACCOUNT struct describing the user.
*
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
*
**/
-_PUBLIC_ NTSTATUS auth_check_password_recv(struct auth_check_password_request *req,
+_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info **server_info)
+ struct auth_user_info_dc **user_info_dc,
+ uint8_t *pauthoritative)
+{
+ struct auth_check_password_state *state =
+ tevent_req_data(req, struct auth_check_password_state);
+ NTSTATUS status = NT_STATUS_OK;
+
+ *pauthoritative = state->authoritative;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ /*
+ * Please try not to change this string, it is probably in use
+ * in audit logging tools
+ */
+ DEBUG(2,("auth_check_password_recv: "
+ "%s authentication for user [%s\\%s] "
+ "FAILED with error %s, authoritative=%u\n",
+ (state->method ? state->method->ops->name : "NO_METHOD"),
+ state->user_info->mapped.domain_name,
+ state->user_info->mapped.account_name,
+ nt_errstr(status), state->authoritative));
+
+ log_authentication_event(state->user_info, status,
+ NULL, NULL, NULL, NULL);
+ tevent_req_received(req);
+ return status;
+ }
+
+ DEBUG(5,("auth_check_password_recv: "
+ "%s authentication for user [%s\\%s] succeeded\n",
+ state->method->ops->name,
+ state->user_info_dc->info->domain_name,
+ state->user_info_dc->info->account_name));
+
+ log_authentication_event(state->user_info, status,
+ state->user_info_dc->info->domain_name,
+ state->user_info_dc->info->account_name,
+ NULL,
+ &state->user_info_dc->sids[0]);
+
+ *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
+
+ tevent_req_received(req);
+ return NT_STATUS_OK;
+}
+
+ /* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb, and because
+ * we need to break a depenency loop between the DCE/RPC layer and the
+ * generation of unix tokens via IRPC */
+static NTSTATUS auth_generate_session_info_wrapper(struct auth4_context *auth_context,
+ TALLOC_CTX *mem_ctx,
+ void *server_returned_info,
+ const char *original_user_name,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
{
NTSTATUS status;
+ struct auth_user_info_dc *user_info_dc = talloc_get_type_abort(server_returned_info, struct auth_user_info_dc);
- NT_STATUS_HAVE_NO_MEMORY(req);
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
- if (NT_STATUS_IS_OK(req->status)) {
- DEBUG(5,("auth_check_password_recv: %s authentication for user [%s\\%s] succeeded\n",
- req->method->ops->name, req->server_info->domain_name, req->server_info->account_name));
+ status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, user_info_dc,
+ session_info_flags, session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
- *server_info = talloc_steal(mem_ctx, req->server_info);
- } else {
- DEBUG(2,("auth_check_password_recv: %s authentication for user [%s\\%s] FAILED with error %s\n",
- (req->method ? req->method->ops->name : "NO_METHOD"),
- req->user_info->mapped.domain_name,
- req->user_info->mapped.account_name,
- nt_errstr(req->status)));
+ if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
+ && NT_STATUS_IS_OK(status)) {
+ status = auth_session_info_fill_unix(auth_context->event_ctx,
+ auth_context->lp_ctx,
+ original_user_name, *session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(*session_info);
+ }
+ }
+ return status;
+}
+
+/* Wrapper because we don't want to expose all callers to needing to
+ * know anything about the PAC or auth subsystem internal structures
+ * before we output a struct auth session_info */
+static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *principal_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ NTSTATUS status;
+ struct auth_user_info_dc *user_info_dc;
+ TALLOC_CTX *tmp_ctx;
+
+ if (!pac_blob) {
+ return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
+ NULL, session_info_flags, session_info);
+ }
+
+ tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
+ NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
+
+ status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
+ *pac_blob,
+ smb_krb5_context->krb5_context,
+ &user_info_dc, NULL, NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(tmp_ctx);
+ return status;
+ }
+
+ if (user_info_dc->info->authenticated) {
+ session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
- status = req->status;
- talloc_free(req);
+ status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx,
+ user_info_dc,
+ user_info_dc->info->account_name,
+ session_info_flags, session_info);
+ talloc_free(tmp_ctx);
return status;
}
/***************************************************************************
Make a auth_info struct for the auth subsystem
- - Allow the caller to specify the methods to use
+ - Allow the caller to specify the methods to use, including optionally the SAM to use
***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
- struct tevent_context *ev,
- struct messaging_context *msg,
- struct loadparm_context *lp_ctx,
- struct auth_context **auth_ctx)
+_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct ldb_context *sam_ctx,
+ struct auth4_context **auth_ctx)
{
int i;
- struct auth_context *ctx;
+ struct auth4_context *ctx;
- if (!methods) {
- DEBUG(0,("auth_context_create: No auth method list!?\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
+ auth4_init();
if (!ev) {
DEBUG(0,("auth_context_create: called with out event context\n"));
return NT_STATUS_INTERNAL_ERROR;
}
- if (!msg) {
- DEBUG(0,("auth_context_create: called with out messaging context\n"));
- return NT_STATUS_INTERNAL_ERROR;
- }
-
- ctx = talloc(mem_ctx, struct auth_context);
+ ctx = talloc_zero(mem_ctx, struct auth4_context);
NT_STATUS_HAVE_NO_MEMORY(ctx);
- ctx->challenge.set_by = NULL;
- ctx->challenge.may_be_modified = false;
ctx->challenge.data = data_blob(NULL, 0);
ctx->methods = NULL;
ctx->event_ctx = ev;
ctx->msg_ctx = msg;
ctx->lp_ctx = lp_ctx;
- for (i=0; methods[i] ; i++) {
+ if (sam_ctx) {
+ ctx->sam_ctx = sam_ctx;
+ } else {
+ ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx), 0);
+ }
+
+ for (i=0; methods && methods[i] ; i++) {
struct auth_method_context *method;
method = talloc(ctx, struct auth_method_context);
}
method->auth_ctx = ctx;
method->depth = i;
- DLIST_ADD_END(ctx->methods, method, struct auth_method_context *);
+ DLIST_ADD_END(ctx->methods, method);
}
- if (!ctx->methods) {
- return NT_STATUS_INTERNAL_ERROR;
- }
+ ctx->check_ntlm_password = auth_check_password_wrapper;
+ ctx->get_ntlm_challenge = auth_get_challenge;
+ ctx->set_ntlm_challenge = auth_context_set_challenge;
+ ctx->generate_session_info = auth_generate_session_info_wrapper;
+ ctx->generate_session_info_pac = auth_generate_session_info_pac;
*auth_ctx = ctx;
return NT_STATUS_OK;
}
+
+const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
+{
+ char **auth_methods = NULL;
+ const char **const_auth_methods = NULL;
+
+ /*
+ * As 'auth methods' is deprecated it will be removed
+ * in future releases again, but for now give
+ * admins the flexibility to configure, the behavior
+ * from Samba 4.6: "auth methods = anonymous sam_ignoredomain",
+ * for a while.
+ */
+ const_auth_methods = lpcfg_auth_methods(lp_ctx);
+ if (const_auth_methods != NULL) {
+ DBG_NOTICE("using deprecated 'auth methods' values.\n");
+ return const_auth_methods;
+ }
+
+ switch (lpcfg_server_role(lp_ctx)) {
+ case ROLE_STANDALONE:
+ auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain", NULL);
+ break;
+ case ROLE_DOMAIN_MEMBER:
+ auth_methods = str_list_make(mem_ctx, "anonymous sam winbind", NULL);
+ break;
+ case ROLE_DOMAIN_BDC:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
+ auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind_rodc", NULL);
+ break;
+ }
+ return discard_const_p(const char *, auth_methods);
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
- Uses default auth_methods, depending on server role and smb.conf settings
***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
+_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
- struct messaging_context *msg,
+ struct imessaging_context *msg,
struct loadparm_context *lp_ctx,
- struct auth_context **auth_ctx)
+ struct auth4_context **auth_ctx)
{
- const char **auth_methods = NULL;
- switch (lp_server_role(lp_ctx)) {
- case ROLE_STANDALONE:
- auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "standalone", NULL);
- break;
- case ROLE_DOMAIN_MEMBER:
- auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "member server", NULL);
- break;
- case ROLE_DOMAIN_CONTROLLER:
- auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
- break;
+ NTSTATUS status;
+ const char **auth_methods;
+ TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ if (!tmp_ctx) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+ if (!auth_methods) {
+ return NT_STATUS_INVALID_PARAMETER;
}
- return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, auth_ctx);
+ status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx);
+ talloc_free(tmp_ctx);
+ return status;
}
+_PUBLIC_ NTSTATUS auth_context_create_for_netlogon(TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct imessaging_context *msg,
+ struct loadparm_context *lp_ctx,
+ struct auth4_context **auth_ctx)
+{
+ return auth_context_create(mem_ctx, ev, msg, lp_ctx, auth_ctx);
+}
/* the list of currently registered AUTH backends */
static struct auth_backend {
const struct auth_critical_sizes *auth_interface_version(void)
{
static const struct auth_critical_sizes critical_sizes = {
- AUTH_INTERFACE_VERSION,
+ AUTH4_INTERFACE_VERSION,
sizeof(struct auth_operations),
sizeof(struct auth_method_context),
- sizeof(struct auth_context),
+ sizeof(struct auth4_context),
sizeof(struct auth_usersupplied_info),
- sizeof(struct auth_serversupplied_info)
+ sizeof(struct auth_user_info_dc)
};
return &critical_sizes;
}
-_PUBLIC_ NTSTATUS auth_init(void)
+_PUBLIC_ NTSTATUS auth4_init(void)
{
static bool initialized = false;
- extern NTSTATUS auth_developer_init(void);
- extern NTSTATUS auth_winbind_init(void);
- extern NTSTATUS auth_anonymous_init(void);
- extern NTSTATUS auth_unix_init(void);
- extern NTSTATUS auth_sam_init(void);
- extern NTSTATUS auth_server_init(void);
-
- init_module_fn static_init[] = { STATIC_auth_MODULES };
+#define _MODULE_PROTO(init) extern NTSTATUS init(void);
+ STATIC_auth4_MODULES_PROTO;
+ init_module_fn static_init[] = { STATIC_auth4_MODULES };
if (initialized) return NT_STATUS_OK;
initialized = true;
return NT_STATUS_OK;
}
-
-NTSTATUS server_service_auth_init(void)
-{
- return auth_init();
-}