From 169c6d409f9c1b50b25bc59bcf12515d9a286c56 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 23 Apr 2014 19:00:26 +0200 Subject: [PATCH] s3:auth: allow special SYSTEM and ANONYMOUS handling in auth3_generate_session_info() auth_ctx->generate_session_info() will be used by the SCHANNEL and NCALRPC_AS_SYSTEM gensec modules in future. Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- source3/auth/auth_ntlmssp.c | 45 +++++++++++++++++++++++++++++++++++-- 1 file changed, 43 insertions(+), 2 deletions(-) diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 45166c094b5..14bce62df09 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -23,6 +23,7 @@ #include "includes.h" #include "auth.h" +#include "libcli/security/security.h" NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, TALLOC_CTX *mem_ctx, @@ -31,10 +32,50 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context, uint32_t session_info_flags, struct auth_session_info **session_info) { - struct auth_serversupplied_info *server_info = talloc_get_type_abort(server_returned_info, - struct auth_serversupplied_info); + struct auth_user_info_dc *user_info = NULL; + struct auth_serversupplied_info *server_info = NULL; NTSTATUS nt_status; + /* + * This is a hack, some callers... + * + * Some callers pass auth_user_info_dc, the SCHANNEL and + * NCALRPC_AS_SYSTEM gensec modules. + * + * While the reset passes auth3_check_password() returned. + */ + user_info = talloc_get_type(server_returned_info, + struct auth_user_info_dc); + if (user_info != NULL) { + const struct dom_sid *sid; + int cmp; + + /* + * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM + */ + if (user_info->num_sids != 1) { + return NT_STATUS_INTERNAL_ERROR; + } + sid = &user_info->sids[PRIMARY_USER_SID_INDEX]; + + cmp = dom_sid_compare(sid, &global_sid_System); + if (cmp == 0) { + return make_session_info_system(mem_ctx, session_info); + } + + cmp = dom_sid_compare(sid, &global_sid_Anonymous); + if (cmp == 0) { + /* + * TODO: use auth_anonymous_session_info() here? + */ + return make_session_info_guest(mem_ctx, session_info); + } + + return NT_STATUS_INTERNAL_ERROR; + } + + server_info = talloc_get_type_abort(server_returned_info, + struct auth_serversupplied_info); nt_status = create_local_token(mem_ctx, server_info, NULL,