#include "includes.h"
#include "auth/auth.h"
#include "auth/auth_sam.h"
+#include "auth/credentials/credentials.h"
+#include "auth/credentials/credentials_krb5.h"
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "dsdb/samdb/samdb.h"
#include "auth/session_proto.h"
+#include "system/kerberos.h"
+#include <gssapi/gssapi.h>
+#include "libcli/wbclient/wbclient.h"
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx)
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
- session_info = talloc(tmp_ctx, struct auth_session_info);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
+ session_info = talloc_zero(tmp_ctx, struct auth_session_info);
+ if (session_info == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
session_info->info = talloc_reference(session_info, user_info_dc->info);
session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
+ if (session_info->torture == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
session_info->torture->num_dc_sids = user_info_dc->num_sids;
session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
+ if (session_info->torture->dc_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
if (!session_info->session_key.data && session_info->session_key.length) {
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
+ if (session_info->session_key.data == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
}
anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
+ if (anonymous_sid == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
+ if (system_sid == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
+ if (sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
if (!sids) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
sids[i] = user_info_dc->sids[i];
}
- if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ /*
+ * Finally add the "standard" sids.
+ * The only difference between guest and "anonymous"
+ * is the addition of Authenticated_Users.
+ */
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+
+ if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+
+
+ if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
- for (i = 0; i < user_info_dc->num_sids; i++) {
+ for (i = 0; i < num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
-
+
sid_string = dom_sid_string(tmp_ctx,
- &user_info_dc->sids[i]);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
+ &sids[i]);
+ if (sid_string == NULL) {
+ TALLOC_FREE(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
talloc_free(sid_string);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
+ if (sid_dn == NULL) {
+ TALLOC_FREE(user_info_dc);
+ return NT_STATUS_NO_MEMORY;
+ }
sid_blob = data_blob_string_const(sid_dn);
/* This function takes in memberOf values and expands
sids,
session_info_flags,
&session_info->security_token);
- NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(tmp_ctx);
+ return nt_status;
+ }
session_info->credentials = NULL;
return NT_STATUS_OK;
}
+
+/* Fill out the auth_session_info with a cli_credentials based on the
+ * auth_session_info we were forwarded over named pipe forwarding.
+ *
+ * NOTE: The stucture members of session_info_transport are stolen
+ * with talloc_move() into auth_session_info for long term use
+ */
+struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
+ struct auth_session_info_transport *session_info_transport,
+ struct loadparm_context *lp_ctx,
+ const char **reason)
+{
+ struct auth_session_info *session_info;
+ session_info = talloc_steal(mem_ctx, session_info_transport->session_info);
+ /*
+ * This is to allow us to check the type of this pointer using
+ * talloc_get_type()
+ */
+ talloc_set_name(session_info, "struct auth_session_info");
+#ifdef HAVE_GSS_IMPORT_CRED
+ if (session_info_transport->exported_gssapi_credentials.length) {
+ struct cli_credentials *creds;
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+ gss_cred_id_t cred_handle;
+ const char *error_string;
+ int ret;
+
+ DEBUG(10, ("Delegated credentials supplied by client\n"));
+
+ cred_token.value = session_info_transport->exported_gssapi_credentials.data;
+ cred_token.length = session_info_transport->exported_gssapi_credentials.length;
+
+ ret = gss_import_cred(&minor_status,
+ &cred_token,
+ &cred_handle);
+ if (ret != GSS_S_COMPLETE) {
+ *reason = "Internal error in gss_import_cred()";
+ return NULL;
+ }
+
+ creds = cli_credentials_init(session_info);
+ if (!creds) {
+ *reason = "Out of memory in cli_credentials_init()";
+ return NULL;
+ }
+ session_info->credentials = creds;
+
+ cli_credentials_set_conf(creds, lp_ctx);
+ /* Just so we don't segfault trying to get at a username */
+ cli_credentials_set_anonymous(creds);
+
+ ret = cli_credentials_set_client_gss_creds(creds,
+ lp_ctx,
+ cred_handle,
+ CRED_SPECIFIED,
+ &error_string);
+ if (ret) {
+ *reason = talloc_asprintf(mem_ctx,
+ "Failed to set pipe forwarded"
+ "creds: %s\n", error_string);
+ return NULL;
+ }
+
+ /* This credential handle isn't useful for password
+ * authentication, so ensure nobody tries to do that */
+ cli_credentials_set_kerberos_state(creds,
+ CRED_MUST_USE_KERBEROS);
+
+ }
+#endif
+ return session_info;
+}
+
+
+/* Create a auth_session_info_transport from an auth_session_info.
+ *
+ * NOTE: Members of the auth_session_info_transport structure are
+ * talloc_referenced() into this structure, and should not be changed.
+ */
+NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
+ struct auth_session_info *session_info,
+ struct tevent_context *event_ctx,
+ struct loadparm_context *lp_ctx,
+ struct auth_session_info_transport **transport_out)
+{
+
+ struct auth_session_info_transport *session_info_transport
+ = talloc_zero(mem_ctx, struct auth_session_info_transport);
+ if (!session_info_transport) {
+ return NT_STATUS_NO_MEMORY;
+ };
+ session_info_transport->session_info = talloc_reference(session_info_transport, session_info);
+ if (!session_info_transport->session_info) {
+ return NT_STATUS_NO_MEMORY;
+ };
+#ifdef HAVE_GSS_EXPORT_CRED
+ if (session_info->credentials) {
+ struct gssapi_creds_container *gcc;
+ OM_uint32 gret;
+ OM_uint32 minor_status;
+ gss_buffer_desc cred_token;
+ const char *error_string;
+ int ret;
+
+ ret = cli_credentials_get_client_gss_creds(session_info->credentials,
+ event_ctx,
+ lp_ctx,
+ &gcc, &error_string);
+ if (ret != 0) {
+ *transport_out = session_info_transport;
+ return NT_STATUS_OK;
+ }
+
+ gret = gss_export_cred(&minor_status,
+ gcc->creds,
+ &cred_token);
+ if (gret != GSS_S_COMPLETE) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (cred_token.length) {
+ session_info_transport->exported_gssapi_credentials
+ = data_blob_talloc(session_info_transport,
+ cred_token.value,
+ cred_token.length);
+ gss_release_buffer(&minor_status, &cred_token);
+ NT_STATUS_HAVE_NO_MEMORY(session_info_transport->exported_gssapi_credentials.data);
+ }
+ }
+#endif
+ *transport_out = session_info_transport;
+ return NT_STATUS_OK;
+}
+
+
/* Produce a session_info for an arbitary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
security_token_debug(0, dbg_lev, session_info->security_token);
}
-