sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-29 02:50:28 +03:00
Code

s3-auth use create_local_token() to transform server_info -> session_info

Browse Source 
Before a auth_serversupplied_info struct can be used for
authorization, the local groups and privileges must be calculated.
create_local_token() now copies the server_info, and then sets the
calulated token and unix groups.

Soon, it will also transform the result into an expanded struct
auth_session_info.  Until then, the variable name (server_info vs
session_info provides a clue to the developer about what information
has been entered in the structure).

By moving the calls to create_local_token within the codebase, we
remove duplication, and ensure that the session key (where modified)
is consistently copied into the new structure.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2011-02-11 11:50:37 +11:00
parent 2ec48260ee
commit 17d8f0ad30
9 changed files with 193 additions and 183 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
source3/auth/auth_ntlmssp.c
View File

@ -31,23 +31,16 @@ NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
struct auth_ntlmssp_state *auth_ntlmssp_state,
struct auth_serversupplied_info **session_info)
{
/* Free the current server_info user_session_key and reset it from the
* current ntlmssp_state session_key */
data_blob_free(&auth_ntlmssp_state->server_info->user_session_key);
/* Set up the final session key for the connection */
auth_ntlmssp_state->server_info->user_session_key =
data_blob_talloc(
auth_ntlmssp_state->server_info,
auth_ntlmssp_state->ntlmssp_state->session_key.data,
auth_ntlmssp_state->ntlmssp_state->session_key.length);
if (auth_ntlmssp_state->ntlmssp_state->session_key.length &&
!auth_ntlmssp_state->server_info->user_session_key.data) {
*session_info = NULL;
return NT_STATUS_NO_MEMORY;
NTSTATUS nt_status = create_local_token(mem_ctx,
auth_ntlmssp_state->server_info,
&auth_ntlmssp_state->ntlmssp_state->session_key,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
}
/* Steal session_info away from auth_ntlmssp_state */
*session_info = talloc_move(mem_ctx, &auth_ntlmssp_state->server_info);
return NT_STATUS_OK;
return nt_status;
}
/**
@ -156,14 +149,6 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
nt_status = create_local_token(auth_ntlmssp_state->server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
/* Clear out the session keys, and pass them to the caller.
* They will not be used in this form again - instead the
* NTLMSSP code will decide on the final correct session key,

172
source3/auth/auth_util.c
View File

@ -442,11 +442,46 @@ static NTSTATUS log_nt_token(struct security_token *token)
* server_info->sids (the info3/sam groups). Find the unix gids.
*/
NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
DATA_BLOB *session_key,
struct auth_serversupplied_info **session_info_out)
{
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
struct auth_serversupplied_info *session_info;
/* Ensure we can't possible take a code path leading to a
* null defref. */
if (!server_info) {
return NT_STATUS_LOGON_FAILURE;
}
session_info = copy_serverinfo(mem_ctx, server_info);
if (!session_info) {
return NT_STATUS_NO_MEMORY;
}
if (session_key) {
data_blob_free(&session_info->user_session_key);
session_info->user_session_key = data_blob_talloc(session_info,
session_key->data,
session_key->length);
if (!session_info->user_session_key.data && session_key->length) {
return NT_STATUS_NO_MEMORY;
}
}
if (session_info->security_token) {
/* Just copy the token, it has already been finalised
* (nasty hack to support a cached guest session_info,
* and a possible strategy for auth_samba4 to pass in
* a finalised session) */
*session_info_out = session_info;
return NT_STATUS_OK;
}
/*
* If winbind is not around, we can not make much use of the SIDs the
@ -455,21 +490,21 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
*/
if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
(server_info->nss_token)) {
status = create_token_from_username(server_info,
server_info->unix_name,
server_info->guest,
&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
&server_info->security_token);
(session_info->nss_token)) {
status = create_token_from_username(session_info,
session_info->unix_name,
session_info->guest,
&session_info->utok.uid,
&session_info->utok.gid,
&session_info->unix_name,
&session_info->security_token);
} else {
status = create_local_nt_token_from_info3(server_info,
server_info->guest,
server_info->info3,
&server_info->extra,
&server_info->security_token);
status = create_local_nt_token_from_info3(session_info,
session_info->guest,
session_info->info3,
&session_info->extra,
&session_info->security_token);
}
if (!NT_STATUS_IS_OK(status)) {
@ -478,14 +513,14 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
/* Convert the SIDs to gids. */
server_info->utok.ngroups = 0;
server_info->utok.groups = NULL;
session_info->utok.ngroups = 0;
session_info->utok.groups = NULL;
/* Start at index 1, where the groups start. */
for (i=1; i<server_info->security_token->num_sids; i++) {
for (i=1; i<session_info->security_token->num_sids; i++) {
gid_t gid;
struct dom_sid *sid = &server_info->security_token->sids[i];
struct dom_sid *sid = &session_info->security_token->sids[i];
if (!sid_to_gid(sid, &gid)) {
DEBUG(10, ("Could not convert SID %s to gid, "
@ -493,8 +528,8 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
continue;
}
if (!add_gid_to_array_unique(server_info, gid,
&server_info->utok.groups,
&server_info->utok.ngroups)) {
&session_info->utok.groups,
&session_info->utok.ngroups)) {
return NT_STATUS_NO_MEMORY;
}
}
@ -512,28 +547,33 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
* the nt token.
*/
uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
add_sid_to_array_unique(server_info->security_token, &tmp_sid,
&server_info->security_token->sids,
&server_info->security_token->num_sids);
add_sid_to_array_unique(session_info->security_token, &tmp_sid,
&session_info->security_token->sids,
&session_info->security_token->num_sids);
for ( i=0; i<server_info->utok.ngroups; i++ ) {
gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
add_sid_to_array_unique(server_info->security_token, &tmp_sid,
&server_info->security_token->sids,
&server_info->security_token->num_sids);
for ( i=0; i<session_info->utok.ngroups; i++ ) {
gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
add_sid_to_array_unique(session_info->security_token, &tmp_sid,
&session_info->security_token->sids,
&session_info->security_token->num_sids);
}
security_token_debug(DBGC_AUTH, 10, server_info->security_token);
security_token_debug(DBGC_AUTH, 10, session_info->security_token);
debug_unix_user_token(DBGC_AUTH, 10,
server_info->utok.uid,
server_info->utok.gid,
server_info->utok.ngroups,
server_info->utok.groups);
session_info->utok.uid,
session_info->utok.gid,
session_info->utok.ngroups,
session_info->utok.groups);
status = log_nt_token(server_info->security_token);
return status;
status = log_nt_token(session_info->security_token);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
*session_info_out = session_info;
return NT_STATUS_OK;
}
/***************************************************************************
@ -693,10 +733,16 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
Make (and fill) a user_info struct for a guest login.
This *must* succeed for smbd to start. If there is no mapping entry for
the guest gid, then create one.
The resulting structure is a 'session_info' because
create_local_token() has already been called on it. This is quite
nasty, as the auth subsystem isn't expect this, but the behaviour is
left as-is for now.
***************************************************************************/
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **session_info)
{
struct auth_serversupplied_info *server_info;
static const char zeros[16] = {0};
const char *guest_account = lp_guestaccount();
const char *domain = global_myname();
@ -720,29 +766,34 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser
status = make_server_info_info3(tmp_ctx,
guest_account,
domain,
server_info,
&server_info,
&info3);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
(*server_info)->guest = True;
server_info->guest = True;
status = create_local_token(*server_info);
/* This should not be done here (we should produce a server
* info, and later construct a session info from it), but for
* now this does not change the previous behaviours */
status = create_local_token(tmp_ctx, server_info, NULL, session_info);
TALLOC_FREE(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(status)));
goto done;
}
talloc_steal(NULL, *session_info);
/* annoying, but the Guest really does have a session key, and it is
all zeros! */
(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
(*session_info)->user_session_key = data_blob(zeros, sizeof(zeros));
(*session_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
alpha_strcpy(tmp, (*session_info)->info3->base.account_name.string,
". _-$", sizeof(tmp));
(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
(*session_info)->sanitized_username = talloc_strdup(*session_info, tmp);
status = NT_STATUS_OK;
done:
@ -766,10 +817,10 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_SUCH_USER;
}
status = make_serverinfo_from_username(mem_ctx,
pwd->pw_name,
false,
session_info);
status = make_session_info_from_username(mem_ctx,
pwd->pw_name,
false,
session_info);
TALLOC_FREE(pwd);
if (!NT_STATUS_IS_OK(status)) {
return status;
@ -790,13 +841,15 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
}
/****************************************************************************
Fake a auth_serversupplied_info just from a username
Fake a auth_serversupplied_info just from a username (as a
session_info structure, with create_local_token() already called on
it.
****************************************************************************/
NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_serversupplied_info **presult)
NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_serversupplied_info **session_info)
{
struct auth_serversupplied_info *result;
struct passwd *pwd;
@ -818,15 +871,10 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
result->nss_token = true;
result->guest = is_guest;
status = create_local_token(result);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return status;
}
*presult = talloc_steal(mem_ctx, result);
return NT_STATUS_OK;
/* Now turn the server_info into a session_info with the full token etc */
status = create_local_token(mem_ctx, result, NULL, session_info);
talloc_free(result);
return status;
}

20
source3/auth/proto.h
View File

@ -101,7 +101,10 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) ;
struct samu;
NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
struct samu *sampass);
NTSTATUS create_local_token(struct auth_serversupplied_info *server_info);
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
DATA_BLOB *session_key,
struct auth_serversupplied_info **session_info_out);
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
uid_t *uid, gid_t *gid,
@ -113,10 +116,10 @@ struct passwd;
NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
char *unix_username,
struct passwd *pwd);
NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_serversupplied_info **presult);
NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
const char *username,
bool is_guest,
struct auth_serversupplied_info **session_info);
struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
const struct auth_serversupplied_info *src);
bool init_guest_info(void);
@ -258,11 +261,12 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
char **ntdomain,
char **username,
struct passwd **_pw);
NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
struct auth_serversupplied_info **server_info);
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_serversupplied_info **session_info);

43
source3/auth/user_krb5.c
View File

@ -179,19 +179,21 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest, bool username_was_mapped,
struct auth_serversupplied_info **server_info)
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_serversupplied_info **session_info)
{
NTSTATUS status;
struct auth_serversupplied_info *server_info;
if (mapped_to_guest) {
status = make_server_info_guest(mem_ctx, server_info);
status = make_server_info_guest(mem_ctx, &server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_guest failed: %s!\n",
nt_errstr(status)));
@ -204,7 +206,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
status = make_server_info_info3(mem_ctx,
ntuser, ntdomain,
server_info,
&server_info,
&logon_info->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("make_server_info_info3 failed: %s!\n",
@ -248,28 +250,24 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
return status;
}
/* Steal tmp server info into the server_info pointer. */
*server_info = talloc_move(mem_ctx, &tmp);
/* make_server_info_pw does not set the domain. Without this
* we end up with the local netbios name in substitutions for
* %D. */
if ((*server_info)->info3 != NULL) {
(*server_info)->info3->base.domain.string =
talloc_strdup((*server_info)->info3, ntdomain);
if (server_info->info3 != NULL) {
server_info->info3->base.domain.string =
talloc_strdup(server_info->info3, ntdomain);
}
}
(*server_info)->nss_token |= username_was_mapped;
server_info->nss_token |= username_was_mapped;
if (!mapped_to_guest) {
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
nt_errstr(status)));
return status;
}
status = create_local_token(mem_ctx, server_info, session_key, session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
nt_errstr(status)));
return status;
}
return NT_STATUS_OK;
@ -290,14 +288,15 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_NOT_IMPLEMENTED;
}
NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
char *ntuser,
char *ntdomain,
char *username,
struct passwd *pw,
struct PAC_LOGON_INFO *logon_info,
bool mapped_to_guest,
struct auth_serversupplied_info **server_info)
bool mapped_to_guest, bool username_was_mapped,
DATA_BLOB *session_key,
struct auth_serversupplied_info **session_info)
{
return NT_STATUS_NOT_IMPLEMENTED;
}

5
source3/rpc_server/dcesrv_gssapi.c
View File

@ -228,9 +228,10 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
/* TODO: save PAC data in netsamlogon cache ? */
status = make_server_info_krb5(mem_ctx,
status = make_session_info_krb5(mem_ctx,
ntuser, ntdomain, username, pw,
logon_info, is_guest, is_mapped, server_info);
logon_info, is_guest, is_mapped, NULL /* No session key for now */,
server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
nt_errstr(status)));

10
source3/rpc_server/rpc_server.c
View File

@ -88,6 +88,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
struct auth_serversupplied_info *server_info;
NTSTATUS status;
bool ok;
@ -148,7 +149,7 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
status = make_server_info_info3(p,
info3->base.account_name.string,
info3->base.domain.string,
&p->session_info, info3);
&server_info, info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init server info\n"));
TALLOC_FREE(p);
@ -160,7 +161,8 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
* Some internal functions need a local token to determine access to
* resoutrces.
*/
status = create_local_token(p->session_info);
status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
TALLOC_FREE(p);
@ -173,10 +175,6 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
* regardless of what we just calculated */
p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
/* Also set the session key to the correct value */
p->session_info->user_session_key = session_info->session_key;
p->session_info->user_session_key.data = talloc_move(p->session_info, &session_info->session_key.data);
p->client_id = talloc_zero(p, struct client_address);
if (!p->client_id) {
TALLOC_FREE(p);

6
source3/smbd/service.c
View File

@ -655,8 +655,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
return NT_STATUS_WRONG_PASSWORD;
}
return make_serverinfo_from_username(mem_ctx, user, guest,
presult);
return make_session_info_from_username(mem_ctx, user, guest,
presult);
}
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
@ -688,7 +688,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
return NT_STATUS_NO_MEMORY;
}
status = make_serverinfo_from_username(
status = make_session_info_from_username(
conn, fuser, conn->session_info->guest,
&forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {

64
source3/smbd/sesssetup.c
View File

@ -248,7 +248,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
int sess_vuid = req->vuid;
NTSTATUS ret = NT_STATUS_OK;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
struct auth_serversupplied_info *server_info = NULL;
struct auth_serversupplied_info *session_info = NULL;
DATA_BLOB session_key = data_blob_null;
uint8 tok_id[2];
DATA_BLOB nullblob = data_blob_null;
@ -369,15 +369,16 @@ static void reply_spnego_kerberos(struct smb_request *req,
/* reload services so that the new %U is taken into account */
reload_services(sconn->msg_ctx, sconn->sock, True);
ret = make_server_info_krb5(mem_ctx,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
username_was_mapped,
&server_info);
ret = make_session_info_krb5(mem_ctx,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
username_was_mapped,
&session_key,
&session_info);
data_blob_free(&session_key);
if (!NT_STATUS_IS_OK(ret)) {
DEBUG(1, ("make_server_info_krb5 failed!\n"));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
reply_nterror(req, nt_status_squash(ret));
return;
@ -387,20 +388,13 @@ static void reply_spnego_kerberos(struct smb_request *req,
sess_vuid = register_initial_vuid(sconn);
}
data_blob_free(&server_info->user_session_key);
/* Set the kerberos-derived session key onto the server_info */
server_info->user_session_key = session_key;
talloc_steal(server_info, session_key.data);
session_key = data_blob_null;
/* register_existing_vuid keeps the server info */
/* register_existing_vuid takes ownership of session_key on success,
* no need to free after this on success. A better interface would copy
* it.... */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
server_info, nullblob, user);
session_info, nullblob, user);
reply_outbuf(req, 4, 0);
SSVAL(req->outbuf,smb_uid,sess_vuid);
@ -413,7 +407,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
SSVAL(req->outbuf, smb_vwv3, 0);
if (server_info->guest) {
if (session_info->guest) {
SSVAL(req->outbuf,smb_vwv2,1);
}
@ -1275,6 +1269,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
const char *primary_domain;
struct auth_usersupplied_info *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
struct auth_serversupplied_info *session_info = NULL;
uint16 smb_flag2 = req->flags2;
NTSTATUS nt_status;
@ -1622,29 +1617,20 @@ void reply_sesssetup_and_X(struct smb_request *req)
return;
}
/* Ensure we can't possible take a code path leading to a
* null defref. */
if (!server_info) {
reply_nterror(req, nt_status_squash(NT_STATUS_LOGON_FAILURE));
nt_status = create_local_token(req, server_info, NULL, &session_info);
TALLOC_FREE(server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
data_blob_clear_free(&plaintext_password);
reply_nterror(req, nt_status_squash(nt_status));
END_PROFILE(SMBsesssetupX);
return;
}
if (!server_info->security_token) {
nt_status = create_local_token(server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
data_blob_clear_free(&plaintext_password);
reply_nterror(req, nt_status_squash(nt_status));
END_PROFILE(SMBsesssetupX);
return;
}
}
data_blob_clear_free(&plaintext_password);
/* it's ok - setup a reply */
@ -1654,7 +1640,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
/* perhaps grab OS version here?? */
}
if (server_info->guest) {
if (session_info->guest) {
SSVAL(req->outbuf,smb_vwv2,1);
}
@ -1663,7 +1649,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
if (lp_security() == SEC_SHARE) {
sess_vuid = UID_FIELD_INVALID;
TALLOC_FREE(server_info);
TALLOC_FREE(session_info);
} else {
/* Ignore the initial vuid. */
sess_vuid = register_initial_vuid(sconn);
@ -1675,9 +1661,9 @@ void reply_sesssetup_and_X(struct smb_request *req)
END_PROFILE(SMBsesssetupX);
return;
}
/* register_existing_vuid keeps the server info */
/* register_existing_vuid keeps the session_info */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
server_info,
session_info,
nt_resp.data ? nt_resp : lm_resp,
sub_user);
if (sess_vuid == UID_FIELD_INVALID) {

23
source3/smbd/smb2_sesssetup.c
View File

@ -236,11 +236,12 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
/* reload services so that the new %U is taken into account */
reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true);
status = make_server_info_krb5(session,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
username_was_mapped,
&session->session_info);
status = make_session_info_krb5(session,
user, domain, real_username, pw,
logon_info, map_domainuser_to_guest,
username_was_mapped,
&session_key,
&session->session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smb2: make_server_info_krb5 failed\n"));
goto fail;
@ -259,18 +260,6 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
session->do_signing = false;
}
data_blob_free(&session->session_info->user_session_key);
session->session_info->user_session_key =
data_blob_talloc(
session->session_info,
session_key.data,
session_key.length);
if (session_key.length > 0) {
if (session->session_info->user_session_key.data == NULL) {
status = NT_STATUS_NO_MEMORY;
goto fail;
}
}
session->session_key = session->session_info->user_session_key;
session->compat_vuser = talloc_zero(session, user_struct);