From 1961d7a4119200b8a4ad7b0207e0cdcf2e10d3f8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 21 Dec 2010 10:19:53 +1100
Subject: [PATCH] s4-auth rework session_info handling not to require an auth context

This reverts a previous move to have this based around the auth subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
---
 source4/auth/ntlm/auth.c | 15 ++++++++++++++-
 source4/auth/session.c | 13 +++++++------
 source4/auth/session.h | 7 +++----
 source4/auth/system_session.c | 4 ++--
 source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
 source4/samba_tool/gpo.c | 11 +----------
 6 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index f7de0201b60..0c6c8ef52c6 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -408,6 +408,19 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 return NT_STATUS_OK;
 }
 
+/* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb */
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_context,
+ struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, server_info,
+ session_info_flags, session_info);
+}
+
 /***************************************************************************
 Make a auth_info struct for the auth subsystem
  - Allow the caller to specify the methods to use, including optionally the SAM to use
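Review bot: The wrapper dereferences `auth_context` unconditionally, which is only safe because it is `static` and, as far as this patch shows, reachable solely through the `ctx->generate_session_info` pointer set in the next hunk; that precondition should be written down so a later direct caller does not hand it a NULL context. The existing two-line comment could also state what the forwarded arguments mean downstream, since `auth_generate_session_info` now treats a NULL `sam_ctx` as "skip BUILTIN group expansion" (the `else if (sam_ctx)` branch in the session.c -83 hunk). Suggested addition to the comment: ` * auth_context must be non-NULL: only reached via ctx->generate_session_info`.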
@@ -476,7 +489,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 ctx->set_challenge = auth_context_set_challenge;
 ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
 ctx->get_server_info_principal = auth_get_server_info_principal;
- ctx->generate_session_info = auth_generate_session_info;
+ ctx->generate_session_info = auth_generate_session_info_wrapper;
 
 *auth_ctx = ctx;
 
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bb6a5946e58..1028aa83201 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -41,7 +41,8 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
 }
 
 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
 struct auth_serversupplied_info *server_info,
 uint32_t session_info_flags,
 struct auth_session_info **_session_info)
@@ -83,7 +84,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 /* Don't expand nested groups of system, anonymous etc*/
 } else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 /* Don't expand nested groups of system, anonymous etc*/
-} else if (auth_context) {
+} else if (sam_ctx) {
 groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 if (!groupSIDs) {
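Review bot: The new parameter comments on `lp_ctx` and `sam_ctx` (`/* Optional, if you don't want privilages */`, `/* Optional, if you don't want local groups */`) describe a caller's wish rather than what the resulting token lacks, and "privilages" is misspelt; the same two comments are duplicated in the session.h hunk. A NULL `sam_ctx` takes the `else if (sam_ctx)` path in the -83 hunk and silently skips the nested BUILTIN/local group expansion done in the -119, -143 and -167 hunks, and a NULL `lp_ctx` is handed straight to `security_token_create` in the -177 hunk, so a caller that forgets either argument gets a quietly incomplete security token rather than an error. Suggest `/* Optional: NULL means no privileges are added to the token */` and `/* Optional: NULL skips expansion of BUILTIN (local) group membership */`, in both session.c and session.h. The body of auth_generate_session_info continues outside this hunk.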
@@ -119,7 +120,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 
 account_sid_blob = data_blob_string_const(account_sid_dn);
 
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
 tmp_ctx, &groupSIDs, &num_groupSIDs);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
@@ -143,7 +144,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 
 primary_group_blob = data_blob_string_const(primary_group_dn);
 
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
 tmp_ctx, &groupSIDs, &num_groupSIDs);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
@@ -167,7 +168,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 /* This function takes in memberOf values and expands
 * them, as long as they meet the filter - so only
 * builtin groups */
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &group_blob, true, filter,
 tmp_ctx, &groupSIDs, &num_groupSIDs);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
@@ -177,7 +178,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 }
 
 nt_status = security_token_create(session_info,
- auth_context ? auth_context->lp_ctx : NULL,
+ lp_ctx,
 server_info->account_sid,
 server_info->primary_group_sid,
 num_groupSIDs,
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 3de054aef1a..bdcfe7ab935 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -31,7 +31,6 @@ struct auth_session_info {
 #include "librpc/gen_ndr/netlogon.h"
 
 struct tevent_context;
-struct auth_context;
 /* Create a security token for a session SYSTEM (the most
 * trusted/prvilaged account), including the local machine account as
 * the off-host credentials */
@@ -41,11 +40,11 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
 const char *netbios_name,
 struct auth_serversupplied_info **_server_info) ;
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+ struct auth_serversupplied_info *server_info,
 uint32_t session_info_flags,
 struct auth_session_info **_session_info);
-
 NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 struct loadparm_context *lp_ctx,
 struct auth_session_info **_session_info);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index bec22c16005..6e0cd7be5a5 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -194,7 +194,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
 }
 
 /* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
 talloc_free(mem_ctx);
 NT_STATUS_NOT_OK_RETURN(nt_status);
 
@@ -445,7 +445,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 }
 
 /* references the server_info into the session_info */
- nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+ nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
 talloc_free(mem_ctx);
 NT_STATUS_NOT_OK_RETURN(nt_status);
 
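Review bot: Passing NULL as `sam_ctx` in the system_session.c -194 hunk is correct but not self-evidently so: the reason is that `auth_generate_session_info` never expands nested groups for the SYSTEM and anonymous accounts (the two `/* Don't expand nested groups of system, anonymous etc*/` branches in the session.c -83 hunk), so no SAM is consulted for these sessions and nothing is silently lost. Suggest extending the existing comment to `/* references the server_info into the session_info; sam_ctx is NULL because SYSTEM/anonymous never get nested group expansion */`, and the same for the -445 hunk in auth_anonymous_session_info. `lp_ctx` is not declared within either hunk; presumably it is each function's own parameter, which the hunk headers truncate after parent_ctx — worth confirming. Both enclosing functions start and end outside their hunks.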
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index d98131113d2..c4c2660f57e 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -167,7 +167,7 @@ static int construct_token_groups(struct ldb_module *module,
 return LDB_ERR_OPERATIONS_ERROR;
 }
 
- status = auth_generate_session_info(tmp_ctx, auth_context, server_info, 0, &session_info);
+ status = auth_generate_session_info(tmp_ctx, auth_context->lp_ctx, ldb, server_info, 0, &session_info);
 if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
 talloc_free(tmp_ctx);
 return ldb_module_oom(module);
diff --git a/source4/samba_tool/gpo.c b/source4/samba_tool/gpo.c
index 65838d07123..93aae609834 100644
--- a/source4/samba_tool/gpo.c
+++ b/source4/samba_tool/gpo.c
@@ -215,7 +215,6 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
 NTSTATUS status;
 int rv;
 unsigned int i;
- struct auth_context *auth_context;
 
 if (argc != 1) {
 return net_gpo_list_usage(ctx, argc, argv);
@@ -267,16 +266,8 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
 return 1;
 }
 
- /* We do now need an auth context to create a session */
- status = auth_context_create_from_ldb(gp_ctx, gp_ctx->ldb_ctx, &auth_context);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed to get an auth context: %s\n", get_friendly_nt_error_msg(status)));
- talloc_free(gp_ctx);
- return 1;
- }
-
 /* The session info will contain the security token for this user */
- status = auth_generate_session_info(gp_ctx, auth_context, server_info, 0, &session_info);
+ status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status)));
 talloc_free(gp_ctx);
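Review bot: On the new line in the operational.c hunk `auth_context` is now used only to fetch `lp_ctx`, while the SAM is taken directly from `ldb`; if the auth context is created in construct_token_groups purely for this call (its creation is outside the hunk), it has become dead weight in an ldb module and could be replaced by reading the loadparm context from the ldb opaque, e.g. `lp_ctx = talloc_get_type(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);`, which is exactly the auth dependency the commit message says it wants out of unrelated code. It would also help to comment why the module's own `ldb` handle is the right SAM for nested group expansion here, since the expansion searches presumably pass back through the module stack; something like `/* expand BUILTIN groups via our own ldb handle */` with the re-entrancy assumption marked for confirmation. construct_token_groups starts and ends outside this hunk.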