mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

libcli/auth: let schannel_check_creds_state() take an access_check callback

This allows the callback to decide if the updated creds should be stored
or not.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher 2024-11-26 12:54:02 +01:00 committed by Andreas Schneider
parent e830da448b
commit 2cf8a8ea35
3 changed files with 25 additions and 3 deletions


@ -39,6 +39,11 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
struct netr_Authenticator *return_authenticator,
enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
NTSTATUS (*access_check_cb)(struct netlogon_creds_CredentialState *creds,
NTSTATUS step_status,
bool *store,
void *access_check_private),
void *access_check_private,
struct netlogon_creds_CredentialState **creds_out);
NTSTATUS schannel_get_challenge(struct loadparm_context *lp_ctx,
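Review bot: The new `access_check_cb` parameter is declared here without any comment on its contract, and this prototype is where callers will look for it. Going by the implementation in the same commit, the callback runs whether or not the preceding credential step succeeded, `*store` is `true` on entry, and `*store` is consulted only when the callback returns success. I would add a comment above the prototype along the lines of `/* access_check_cb runs after the credential step, also when step_status is an error; it must return an error to reject the request; *store (preset to true) is honoured only on NT_STATUS_OK */`.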


@ -562,6 +562,11 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
struct netr_Authenticator *return_authenticator,
enum dcerpc_AuthType auth_type,
enum dcerpc_AuthLevel auth_level,
NTSTATUS (*access_check_cb)(struct netlogon_creds_CredentialState *creds,
NTSTATUS step_status,
bool *store,
void *access_check_private),
void *access_check_private,
struct netlogon_creds_CredentialState **creds_out)
{
TALLOC_CTX *tmpctx;
@ -572,6 +577,7 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
char *keystr = NULL;
struct db_record *record;
TDB_DATA key;
bool store = true;
if (creds_out != NULL) {
*creds_out = NULL;
@ -624,14 +630,23 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
return_authenticator,
auth_type,
auth_level);
if (access_check_cb != NULL) {
NTSTATUS step_status = status;
status = access_check_cb(creds,
step_status,
&store,
access_check_private);
}
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
if (store) {
status = schannel_store_session_key_tdb(db_sc, tmpctx, creds);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
if (creds_out) {
*creds_out = talloc_steal(mem_ctx, creds);
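Review bot: In the hunk at `@ -624,14 +630,23`, the return value of `access_check_cb` replaces `status` unconditionally, so the failure of the preceding credential step survives only if every callback passes `step_status` back. A callback that returns `NT_STATUS_OK` for a failed step would let the function reach `schannel_store_session_key_tdb()` (`store` starts as `true`) and hand `creds` out through `creds_out` for an authenticator that did not verify. Unless overriding a failed step is intended, a guard directly after the callback keeps the check fail-closed: `if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(step_status)) { status = step_status; }`. The call that produces `status` begins above this hunk and the function body continues past its end, so this should be confirmed against the full function.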


@ -600,6 +600,8 @@ NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
return_authenticator,
auth_type,
auth_level,
NULL, /* access_check_cb */
NULL, /* access_check_private */
&creds);
if (!NT_STATUS_IS_OK(nt_status)) {
ZERO_STRUCTP(return_authenticator);