sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-12 09:18:10 +03:00
Code
1961d7a411
samba-mirror/source4/auth/system_session.c

538 lines
17 KiB
C
Raw Normal View History

r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Tridgell 1992-1998
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
Copyright (C) Andrew Bartlett 2001-2010
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
Copyright (C) Jeremy Allison 2000-2001
Copyright (C) Rafal Szczesniak 2002
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "libcli/security/security.h"
#include "auth/credentials/credentials.h"
#include "param/param.h"
#include "auth/auth.h" /* for auth_serversupplied_info */
#include "auth/session.h"
#include "auth/system_session_proto.h"
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
/**
* Create the SID list for this user.
*
* @note Specialised version for system sessions that doesn't use the SAM.
*/
static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
s4:auth Change auth_generate_session_info to take flags This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-04-19 09:51:57 +04:00
struct dom_sid *user_sid,
struct dom_sid *group_sid,
unsigned int n_groupSIDs,
struct dom_sid **groupSIDs,
bool is_authenticated,
struct security_token **token)
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
{
struct security_token *ptoken;
s4:auth - make some parts "signed-safe" Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2009-11-07 23:20:12 +03:00
unsigned int i;
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5);
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken->privilege_mask = 0;
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous"
* is the addition of Authenticated_Users.
*/
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) {
return NT_STATUS_INTERNAL_ERROR;
}
if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) {
return NT_STATUS_INTERNAL_ERROR;
}
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken->num_sids = 4;
if (is_authenticated) {
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) {
return NT_STATUS_INTERNAL_ERROR;
}
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken->num_sids++;
}
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1;
check_sid_idx < ptoken->num_sids;
check_sid_idx++) {
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
break;
}
}
if (check_sid_idx == ptoken->num_sids) {
s4:security Change struct security_token->sids from struct dom_sid * to struct dom_sid This makes the structure much more like NT_USER_TOKEN in the source3/ code. (The remaining changes are that privilages still need to be merged) Andrew Bartlett
2010-08-20 06:15:15 +04:00
ptoken->sids[ptoken->num_sids++] = *groupSIDs[i];
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
}
}
*token = ptoken;
/* Shortcuts to prevent recursion and avoid lookups */
s4:security Remove use of user_sid and group_sid from struct security_token This makes the structure more like Samba3's NT_USER_TOKEN
2010-08-14 07:30:51 +04:00
if (ptoken->sids == NULL) {
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken->privilege_mask = 0;
return NT_STATUS_OK;
}
if (security_token_is_system(ptoken)) {
ptoken->privilege_mask = ~0;
s4:auth Remove special case constructor for admin_session() There isn't a good reason why this code is duplicated. Andrew Bartlett
2010-08-14 08:15:49 +04:00
} else if (security_token_is_anonymous(ptoken)) {
ptoken->privilege_mask = 0;
} else if (security_token_has_builtin_administrators(ptoken)) {
ptoken->privilege_mask = ~0;
} else {
/* All other 'users' get a empty priv set so far */
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
ptoken->privilege_mask = 0;
}
s4:auth Allow the simple 'struct auth_session_info' generator for all users This code isn't ideal, but it is better than needing to consult the main SamDB in things like a torture test. Andrew Bartlett
2010-04-13 12:24:43 +04:00
return NT_STATUS_OK;
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
}
s4:auth Change auth_generate_session_info to take an auth context The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-13 06:00:06 +04:00
NTSTATUS auth_generate_simple_session_info(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
struct auth_session_info **_session_info)
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
{
struct auth_session_info *session_info;
NTSTATUS nt_status;
session_info = talloc(mem_ctx, struct auth_session_info);
NT_STATUS_HAVE_NO_MEMORY(session_info);
session_info->server_info = talloc_reference(session_info, server_info);
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
session_info->session_key = server_info->user_session_key;
nt_status = create_token(session_info,
server_info->account_sid,
server_info->primary_group_sid,
server_info->n_domain_groups,
server_info->domain_groups,
server_info->authenticated,
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN(nt_status);
session_info->credentials = NULL;
*_session_info = session_info;
return NT_STATUS_OK;
}
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
/*
prevent the static system session being freed
*/
static int system_session_destructor(struct auth_session_info *info)
{
return -1;
}
r26134: Avoid using samdb-dependent functions in auth_system_session. (This used to be commit 29c1c96fe0f8cd90ef936fcccef0adf8c09f9b46)
2007-11-27 03:14:54 +03:00
Add documentation to session token functions. (This used to be commit ec4a108d1d35cd4bb2170f1bb122546266b9b745)
2008-04-24 16:30:36 +04:00
/* Create a security token for a session SYSTEM (the most
* trusted/prvilaged account), including the local machine account as
* the off-host credentials
*/
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
_PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx)
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
{
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
static struct auth_session_info *static_session;
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
NTSTATUS nt_status;
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
if (static_session) {
return static_session;
}
nt_status = auth_system_session_info(talloc_autofree_context(),
r26252: Specify loadparm_context explicitly when creating sessions. (This used to be commit 7280c1e9415daabb2712db1372e23f9846272ede)
2007-12-03 17:53:28 +03:00
lp_ctx,
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
&static_session);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
talloc_free(static_session);
static_session = NULL;
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
return NULL;
}
s4-dsdb: create a static system_session context This patch adds a system_session cache, preventing us from having to recreate it on every ldb open, and allowing us to detect when the same session is being used in ldb_wrap
2009-10-23 07:19:28 +04:00
talloc_set_destructor(static_session, system_session_destructor);
return static_session;
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
}
s4:auth Remove system_session_anon() from python bindings
2010-08-14 11:45:57 +04:00
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info)
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
/* references the server_info into the session_info */
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
session_info->credentials = cli_credentials_init(session_info);
if (!session_info->credentials) {
return NT_STATUS_NO_MEMORY;
}
r26235: Avoid global_loadparm. (This used to be commit e9039782204389cc827e76da319d5ccf6d33be46)
2007-12-02 23:32:08 +03:00
cli_credentials_set_conf(session_info->credentials, lp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
s4:auth Remove the system:anonymous parameter used for the LDAP backend This isn't needed any more, and just introduces complexity.
2010-08-14 08:16:41 +04:00
cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
*_session_info = session_info;
return NT_STATUS_OK;
}
r26234: More global_loadparm fixes. (This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc)
2007-12-02 23:14:16 +03:00
NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
struct auth_serversupplied_info **_server_info)
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
{
struct auth_serversupplied_info *server_info;
Fix the build.
2008-11-02 07:49:36 +03:00
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
/* is this correct? */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
data_blob_clear(&server_info->user_session_key);
data_blob_clear(&server_info->lm_session_key);
server_info->account_name = talloc_strdup(server_info, "SYSTEM");
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
server_info->full_name = talloc_strdup(server_info, "System");
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
server_info->logon_script = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
server_info->profile_path = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
server_info->home_directory = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
server_info->home_drive = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
r26234: More global_loadparm fixes. (This used to be commit 84892d030de6266fc0f3a699cade960dd5dc37bc)
2007-12-02 23:14:16 +03:00
server_info->logon_server = talloc_strdup(server_info, netbios_name);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
server_info->last_logon = 0;
server_info->last_logoff = 0;
server_info->acct_expiry = 0;
server_info->last_password_change = 0;
server_info->allow_password_change = 0;
server_info->force_password_change = 0;
server_info->logon_count = 0;
server_info->bad_password_count = 0;
server_info->acct_flags = ACB_NORMAL;
server_info->authenticated = true;
*_server_info = server_info;
return NT_STATUS_OK;
}
Added "admin_session" method. The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-03 15:39:40 +04:00
static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
const char *netbios_name,
const char *domain_name,
struct dom_sid *domain_sid,
struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 6;
server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
/* What should the session key be?*/
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
data_blob_clear(&server_info->user_session_key);
data_blob_clear(&server_info->lm_session_key);
server_info->account_name = talloc_strdup(server_info, "Administrator");
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
server_info->domain_name = talloc_strdup(server_info, domain_name);
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
server_info->full_name = talloc_strdup(server_info, "Administrator");
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
server_info->logon_script = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
server_info->profile_path = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
server_info->home_directory = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
server_info->home_drive = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
server_info->logon_server = talloc_strdup(server_info, netbios_name);
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
server_info->last_logon = 0;
server_info->last_logoff = 0;
server_info->acct_expiry = 0;
server_info->last_password_change = 0;
server_info->allow_password_change = 0;
server_info->force_password_change = 0;
server_info->logon_count = 0;
server_info->bad_password_count = 0;
server_info->acct_flags = ACB_NORMAL;
server_info->authenticated = true;
*_server_info = server_info;
return NT_STATUS_OK;
}
static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *domain_sid,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
lpcfg_workgroup(lp_ctx), domain_sid,
Added "admin_session" method. The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-03 15:39:40 +04:00
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
session_info = talloc(mem_ctx, struct auth_session_info);
NT_STATUS_HAVE_NO_MEMORY(session_info);
session_info->server_info = talloc_reference(session_info, server_info);
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
session_info->session_key = server_info->user_session_key;
s4:auth Remove special case constructor for admin_session() There isn't a good reason why this code is duplicated. Andrew Bartlett
2010-08-14 08:15:49 +04:00
nt_status = create_token(session_info,
server_info->account_sid,
server_info->primary_group_sid,
server_info->n_domain_groups,
server_info->domain_groups,
true,
&session_info->security_token);
Added "admin_session" method. The purpose of admin_session is to be able to execute parts of provisioning as the user Administrator in order to have the correct group and owner in the security descriptors. To be used for provisioning and tests only.
2009-09-03 15:39:40 +04:00
NT_STATUS_NOT_OK_RETURN(nt_status);
session_info->credentials = cli_credentials_init(session_info);
if (!session_info->credentials) {
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(session_info->credentials, lp_ctx);
*_session_info = session_info;
return NT_STATUS_OK;
}
_PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
{
NTSTATUS nt_status;
struct auth_session_info *session_info = NULL;
nt_status = auth_domain_admin_session_info(mem_ctx,
lp_ctx,
domain_sid,
&session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return NULL;
}
return session_info;
}
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
_PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info)
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
struct auth_session_info *session_info = NULL;
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
nt_status = auth_anonymous_server_info(mem_ctx,
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
lpcfg_netbios_name(lp_ctx),
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
&server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
}
/* references the server_info into the session_info */
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
talloc_free(mem_ctx);
NT_STATUS_NOT_OK_RETURN(nt_status);
session_info->credentials = cli_credentials_init(session_info);
if (!session_info->credentials) {
return NT_STATUS_NO_MEMORY;
}
cli_credentials_set_conf(session_info->credentials, lp_ctx);
cli_credentials_set_anonymous(session_info->credentials);
*_session_info = session_info;
return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
s4:auth Change {anonymous,system}_session to use common session_info generation This also changes the primary group for anonymous to be the anonymous SID, and adds code to detect and ignore this when constructing the token. Andrew Bartlett
2010-08-14 14:33:36 +04:00
/* The anonymous user has only one SID in it's token, but we need to fill something in here */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* annoying, but the Anonymous really does have a session key... */
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
/* and it is all zeros! */
data_blob_clear(&server_info->user_session_key);
data_blob_clear(&server_info->lm_session_key);
server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
server_info->logon_script = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
server_info->profile_path = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
server_info->home_directory = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
server_info->home_drive = talloc_strdup(server_info, "");
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
server_info->logon_server = talloc_strdup(server_info, netbios_name);
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
server_info->last_logon = 0;
server_info->last_logoff = 0;
server_info->acct_expiry = 0;
server_info->last_password_change = 0;
server_info->allow_password_change = 0;
server_info->force_password_change = 0;
server_info->logon_count = 0;
server_info->bad_password_count = 0;
server_info->acct_flags = ACB_NORMAL;
server_info->authenticated = false;
*_server_info = server_info;
return NT_STATUS_OK;
}
Copy Permalink