sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
Code
a7e9219002
samba-mirror/source4/auth/session.c

339 lines
11 KiB
C
Raw Normal View History

r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
/*
Unix SMB/CIFS implementation.
Authentication utility functions
Copyright (C) Andrew Tridgell 1992-1998
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
Copyright (C) Andrew Bartlett 2001-2010
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
Copyright (C) Jeremy Allison 2000-2001
Copyright (C) Rafal Szczesniak 2002
Copyright (C) Stefan Metzmacher 2005
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "auth/auth.h"
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
#include "auth/auth_sam.h"
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_krb5.h"
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
#include "libcli/security/security.h"
#include "libcli/auth/libcli_auth.h"
#include "dsdb/samdb/samdb.h"
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
#include "auth/session_proto.h"
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
#include "system/kerberos.h"
#include <gssapi/gssapi.h>
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
Install public header files again and include required prototypes. (This used to be commit 47ffbbf67435904754469544390b67d34c958343)
2008-04-02 06:53:27 +04:00
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
s4-loadparm: 2nd half of lp_ to lpcfg_ conversion this converts all callers that use the Samba4 loadparm lp_ calling convention to use the lpcfg_ prefix. Signed-off-by: Andrew Bartlett <abartlet@samba.org>
2010-07-16 08:32:42 +04:00
struct loadparm_context *lp_ctx)
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
{
NTSTATUS nt_status;
struct auth_session_info *session_info = NULL;
s4:auth Remove event context from anonymous_session() This should always return a simple structure with no need to consult a DB, so remove the event context, and simplfy to call helper functions that don't look at privilages. Andrew Bartlett
2010-04-09 11:18:53 +04:00
nt_status = auth_anonymous_session_info(mem_ctx, lp_ctx, &session_info);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
return NULL;
}
return session_info;
}
s4:auth Change auth_generate_session_info to take an auth context The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-13 06:00:06 +04:00
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
struct auth_user_info_dc *user_info_dc,
s4:auth Change auth_generate_session_info to take flags This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-04-19 09:51:57 +04:00
uint32_t session_info_flags,
s4:auth Change auth_generate_session_info to take an auth context The auth context was in the past only for NTLM authentication, but we need a SAM, an event context and and loadparm context for calculating the local groups too, so re-use that infrustructure we already have in place. However, to avoid problems where we may not have an auth_context (in torture tests, for example), allow a simpler 'session_info' to be generated, by passing this via an indirection in gensec and an generate_session_info() function pointer in the struct auth_context. In the smb_server (for old-style session setups) we need to change the async context to a new 'struct sesssetup_context'. This allows us to use the auth_context in processing the authentication reply . Andrew Bartlett
2010-04-13 06:00:06 +04:00
struct auth_session_info **_session_info)
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
{
struct auth_session_info *session_info;
NTSTATUS nt_status;
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
unsigned int i, num_sids = 0;
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
const char *filter;
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
struct dom_sid *sids = NULL;
s4-auth: removed unused variable dom_sid
2010-09-28 06:45:56 +04:00
const struct dom_sid *anonymous_sid, *system_sid;
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
s4-auth: Always talloc_zero() the struct auth_session_info
2011-04-05 09:57:42 +04:00
session_info = talloc_zero(tmp_ctx, struct auth_session_info);
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
session_info->info = talloc_reference(session_info, user_info_dc->info);
session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
session_info->torture->num_dc_sids = user_info_dc->num_sids;
session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
if (!session_info->session_key.data && session_info->session_key.length) {
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
}
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
if (!sids) {
s4-auth Ensure that we always copy across domain groups Even if we can't calculate the local groups (because we don't have a local SAM to do it with) we still need to include the domain groups in the session_info token. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 06:08:34 +03:00
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
num_sids = user_info_dc->num_sids;
s4-auth Ensure that we always copy across domain groups Even if we can't calculate the local groups (because we don't have a local SAM to do it with) we still need to include the domain groups in the session_info token. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 06:08:34 +03:00
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
for (i=0; i < user_info_dc->num_sids; i++) {
sids[i] = user_info_dc->sids[i];
s4-auth Ensure that we always copy across domain groups Even if we can't calculate the local groups (because we don't have a local SAM to do it with) we still need to include the domain groups in the session_info token. Andrew Bartlett Autobuild-User: Andrew Bartlett <abartlet@samba.org> Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
2010-12-21 06:08:34 +03:00
}
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
/* Don't expand nested groups of system, anonymous etc*/
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
} else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
/* Don't expand nested groups of system, anonymous etc*/
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
} else if (sam_ctx) {
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
s4:auth/session.c - suppress a warning when freeing "group_string"
2010-06-30 11:37:08 +04:00
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
/* Search for each group in the token */
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
for (i = 0; i < user_info_dc->num_sids; i++) {
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
sid_string = dom_sid_string(tmp_ctx,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
&user_info_dc->sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
talloc_free(sid_string);
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
sid_blob = data_blob_string_const(sid_dn);
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
* builtin groups
*
* We already have the SID in the token, so set
* 'only childs' flag to true */
nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter,
tmp_ctx, &sids, &num_sids);
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
}
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
}
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
nt_status = security_token_create(session_info,
s4-auth rework session_info handling not to require an auth context This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code. Andrew Bartlett
2010-12-21 02:19:53 +03:00
lp_ctx,
s4-auth Remove special case for account_sid from auth_serversupplied_info This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
2011-01-20 15:39:37 +03:00
num_sids,
sids,
s4:auth Change auth_generate_session_info to take flags This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
2010-04-19 09:51:57 +04:00
session_info_flags,
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
&session_info->security_token);
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
session_info->credentials = NULL;
s4:auth Move BUILTIN group addition into session.c The group list in the PAC does not include 'enterprise DCs' and BUILTIN groups, so we should generate it on each server, not in the list we pass around in the PAC or SamLogon reply. Andrew Bartlett
2010-04-13 16:11:26 +04:00
talloc_steal(mem_ctx, session_info);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
*_session_info = session_info;
s4:auth Avoid doing database lookups for NT AUTHORITY users
2010-08-14 13:55:30 +04:00
talloc_free(tmp_ctx);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
return NT_STATUS_OK;
}
auth: Move auth_session_info into IDL This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05 10:15:27 +04:00
/* Fill out the auth_session_info with a cli_credentials based on the
* auth_session_info we were forwarded over named pipe forwarding.
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
*
* NOTE: The stucture members of session_info_transport are stolen
* with talloc_move() into auth_session_info for long term use
*/
struct auth_session_info *auth_session_info_from_transport(TALLOC_CTX *mem_ctx,
struct auth_session_info_transport *session_info_transport,
struct loadparm_context *lp_ctx,
const char **reason)
{
struct auth_session_info *session_info;
auth: Move auth_session_info into IDL This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05 10:15:27 +04:00
session_info = talloc_steal(mem_ctx, session_info_transport->session_info);
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
if (session_info_transport->exported_gssapi_credentials.length) {
struct cli_credentials *creds;
OM_uint32 minor_status;
gss_buffer_desc cred_token;
gss_cred_id_t cred_handle;
const char *error_string;
int ret;
DEBUG(10, ("Delegated credentials supplied by client\n"));
cred_token.value = session_info_transport->exported_gssapi_credentials.data;
cred_token.length = session_info_transport->exported_gssapi_credentials.length;
ret = gss_import_cred(&minor_status,
&cred_token,
&cred_handle);
if (ret != GSS_S_COMPLETE) {
*reason = "Internal error in gss_import_cred()";
return NULL;
}
creds = cli_credentials_init(session_info);
if (!creds) {
*reason = "Out of memory in cli_credentials_init()";
return NULL;
}
session_info->credentials = creds;
cli_credentials_set_conf(creds, lp_ctx);
/* Just so we don't segfault trying to get at a username */
cli_credentials_set_anonymous(creds);
ret = cli_credentials_set_client_gss_creds(creds,
lp_ctx,
cred_handle,
CRED_SPECIFIED,
&error_string);
if (ret) {
*reason = talloc_asprintf(mem_ctx,
"Failed to set pipe forwarded"
"creds: %s\n", error_string);
return NULL;
}
/* This credential handle isn't useful for password
* authentication, so ensure nobody tries to do that */
cli_credentials_set_kerberos_state(creds,
CRED_MUST_USE_KERBEROS);
}
return session_info;
}
/* Create a auth_session_info_transport from an auth_session_info.
*
auth: Move auth_session_info into IDL This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05 10:15:27 +04:00
* NOTE: Members of the auth_session_info_transport structure are
* talloc_referenced() into this structure, and should not be changed.
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
*/
NTSTATUS auth_session_info_transport_from_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info_transport **transport_out)
{
auth: Move auth_session_info into IDL This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05 10:15:27 +04:00
struct auth_session_info_transport *session_info_transport
= talloc_zero(mem_ctx, struct auth_session_info_transport);
if (!session_info_transport) {
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
return NT_STATUS_NO_MEMORY;
auth: Move auth_session_info into IDL This changes auth_session_info_transport to just be a wrapper, rather than a copy that has to be kept in sync. As auth_session_info was already wrapped in python, this required changes to the existing pyauth wrapper and it's users. Andrew Bartlett
2011-04-05 10:15:27 +04:00
};
session_info_transport->session_info = talloc_reference(session_info_transport, session_info);
if (!session_info_transport->session_info) {
return NT_STATUS_NO_MEMORY;
};
libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport This changes the structure being used to convey the current user state from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built structure that matches the internals of the Samba auth subsystem and contains the final group list, as well as the final privilege set and session key. These previously had to be re-created on the server side of the pipe each time. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-09 06:22:16 +03:00
if (session_info->credentials) {
struct gssapi_creds_container *gcc;
OM_uint32 gret;
OM_uint32 minor_status;
gss_buffer_desc cred_token;
const char *error_string;
int ret;
ret = cli_credentials_get_client_gss_creds(session_info->credentials,
event_ctx,
lp_ctx,
&gcc, &error_string);
if (ret != 0) {
*transport_out = session_info_transport;
return NT_STATUS_OK;
}
gret = gss_export_cred(&minor_status,
gcc->creds,
&cred_token);
if (gret != GSS_S_COMPLETE) {
return NT_STATUS_INTERNAL_ERROR;
}
if (cred_token.length) {
session_info_transport->exported_gssapi_credentials
= data_blob_talloc(session_info_transport,
cred_token.value,
cred_token.length);
gss_release_buffer(&minor_status, &cred_token);
NT_STATUS_HAVE_NO_MEMORY(session_info_transport->exported_gssapi_credentials.data);
}
}
*transport_out = session_info_transport;
return NT_STATUS_OK;
}
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
/* Produce a session_info for an arbitary DN or principal in the local
* DB, assuming the local DB holds all the groups
*
* Supply either a principal or a DN
*/
NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct ldb_context *sam_ctx,
const char *principal,
struct ldb_dn *user_dn,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
struct auth_user_info_dc *user_info_dc;
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
if (!tmp_ctx) {
return NT_STATUS_NO_MEMORY;
}
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx,
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
principal, user_dn,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
&user_info_dc);
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx,
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
2011-02-08 08:53:13 +03:00
user_info_dc, session_info_flags,
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
session_info);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_steal(mem_ctx, *session_info);
}
talloc_free(tmp_ctx);
s4-auth: fixed status return Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
2011-01-13 08:55:05 +03:00
return nt_status;
s4-auth Add function to obtain any user's session_info from a given LDB This will be a building block for a tokenGroups test, which can compare against a remote server (in particular the rootDSE) against what we would calculate the tokenGroups to be. (this meant moving some parts out of the auth_sam code into the containing library) Andrew Bartlett
2010-12-22 09:17:07 +03:00
}
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
/**
* prints a struct auth_session_info security token to debug output.
*/
void auth_session_info_debug(int dbg_lev,
const struct auth_session_info *session_info)
{
if (!session_info) {
DEBUG(dbg_lev, ("Session Info: (NULL)\n"));
return;
}
libcli/security Add debug class to security_token_debug() et al This will allow it to replace functions in source3 that use debug classes. Andrew Bartlett
2010-09-17 09:23:19 +04:00
security_token_debug(0, dbg_lev, session_info->security_token);
r26127: Move session code out of auth_util.c. No longer making it part of auth but making it usable independently will be the next step. (This used to be commit b3fcb8e8103304fede865b02ca5169d5793a571d)
2007-11-26 04:25:20 +03:00
}
Copy Permalink