mirror of
https://github.com/samba-team/samba.git
synced 2025-01-08 21:18:16 +03:00
s4-auth Rework auth subsystem to remove struct auth_serversupplied_info
This changes auth_serversupplied_info into the IDL-defined struct auth_user_info_dc. This then in turn contains a struct auth_user_info, which is the only part of the structure that is mainted into the struct session_info. The idea here is to avoid keeping the incomplete results of the authentication (such as session keys, lists of SID memberships etc) in a namespace where it may be confused for the finalised results. Andrew Barltett
This commit is contained in:
parent
f1c0e9532d
commit
a2ce53c1f5
@ -49,41 +49,6 @@ struct loadparm_context;
|
||||
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
|
||||
#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
|
||||
|
||||
struct auth_serversupplied_info
|
||||
{
|
||||
size_t num_sids;
|
||||
struct dom_sid *sids;
|
||||
|
||||
DATA_BLOB user_session_key;
|
||||
DATA_BLOB lm_session_key;
|
||||
|
||||
const char *account_name;
|
||||
const char *domain_name;
|
||||
|
||||
const char *full_name;
|
||||
const char *logon_script;
|
||||
const char *profile_path;
|
||||
const char *home_directory;
|
||||
const char *home_drive;
|
||||
const char *logon_server;
|
||||
|
||||
NTTIME last_logon;
|
||||
NTTIME last_logoff;
|
||||
NTTIME acct_expiry;
|
||||
NTTIME last_password_change;
|
||||
NTTIME allow_password_change;
|
||||
NTTIME force_password_change;
|
||||
|
||||
uint16_t logon_count;
|
||||
uint16_t bad_password_count;
|
||||
|
||||
uint32_t acct_flags;
|
||||
|
||||
bool authenticated;
|
||||
|
||||
struct PAC_SIGNATURE_DATA pac_srv_sig, pac_kdc_sig;
|
||||
};
|
||||
|
||||
struct auth_method_context;
|
||||
struct auth_check_password_request;
|
||||
struct auth_context;
|
||||
@ -109,14 +74,14 @@ struct auth_operations {
|
||||
|
||||
NTSTATUS (*check_password)(struct auth_method_context *ctx, TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_user_info_dc **interim_info);
|
||||
|
||||
/* Lookup a 'server info' return based only on the principal */
|
||||
NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_context,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
/* Lookup a 'session info interim' return based only on the principal or DN */
|
||||
NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_context,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_user_info_dc **interim_info);
|
||||
};
|
||||
|
||||
struct auth_method_context {
|
||||
@ -155,7 +120,7 @@ struct auth_context {
|
||||
NTSTATUS (*check_password)(struct auth_context *auth_ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_user_info_dc **user_info_dc);
|
||||
|
||||
NTSTATUS (*get_challenge)(struct auth_context *auth_ctx, uint8_t chal[8]);
|
||||
|
||||
@ -163,15 +128,15 @@ struct auth_context {
|
||||
|
||||
NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
|
||||
|
||||
NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_ctx,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_ctx,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_user_info_dc **user_info_dc);
|
||||
|
||||
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_context,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
uint32_t session_info_flags,
|
||||
struct auth_session_info **session_info);
|
||||
};
|
||||
@ -183,7 +148,7 @@ struct auth_critical_sizes {
|
||||
int sizeof_auth_methods;
|
||||
int sizeof_auth_context;
|
||||
int sizeof_auth_usersupplied_info;
|
||||
int sizeof_auth_serversupplied_info;
|
||||
int sizeof_auth_user_info_dc;
|
||||
};
|
||||
|
||||
NTSTATUS encrypt_user_info(TALLOC_CTX *mem_ctx, struct auth_context *auth_context,
|
||||
@ -213,13 +178,13 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
|
||||
TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
|
||||
unsigned int *num_res_sids);
|
||||
struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
|
||||
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
|
||||
NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
|
||||
const char *netbios_name,
|
||||
const char *domain_name,
|
||||
struct ldb_dn *domain_dn,
|
||||
struct ldb_message *msg,
|
||||
DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
|
||||
struct auth_serversupplied_info **_server_info);
|
||||
struct auth_user_info_dc **_user_info_dc);
|
||||
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
|
||||
struct loadparm_context *lp_ctx,
|
||||
struct auth_session_info **_session_info) ;
|
||||
@ -243,7 +208,7 @@ NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *l
|
||||
NTSTATUS auth_check_password(struct auth_context *auth_ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_user_info_dc **user_info_dc);
|
||||
NTSTATUS auth_init(void);
|
||||
NTSTATUS auth_register(const struct auth_operations *ops);
|
||||
NTSTATUS server_service_auth_init(void);
|
||||
@ -263,16 +228,16 @@ struct tevent_req *auth_check_password_send(TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info);
|
||||
NTSTATUS auth_check_password_recv(struct tevent_req *req,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_user_info_dc **user_info_dc);
|
||||
|
||||
bool auth_challenge_may_be_modified(struct auth_context *auth_ctx);
|
||||
NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
|
||||
|
||||
NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_ctx,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info);
|
||||
struct auth_user_info_dc **user_info_dc);
|
||||
|
||||
NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
|
||||
struct tevent_context *event_ctx,
|
||||
|
@ -25,16 +25,17 @@
|
||||
#include "libcli/security/security.h"
|
||||
#include "auth/auth_sam_reply.h"
|
||||
|
||||
NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
struct netr_SamBaseInfo **_sam)
|
||||
{
|
||||
NTSTATUS status;
|
||||
struct auth_user_info *info;
|
||||
struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
|
||||
NT_STATUS_HAVE_NO_MEMORY(sam);
|
||||
|
||||
if (server_info->num_sids > PRIMARY_USER_SID_INDEX) {
|
||||
status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX],
|
||||
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
|
||||
status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX],
|
||||
&sam->domain_sid, &sam->rid);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
@ -43,8 +44,8 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) {
|
||||
status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX],
|
||||
if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
|
||||
status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX],
|
||||
NULL, &sam->primary_gid);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
@ -56,35 +57,37 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
sam->primary_gid = sam->rid;
|
||||
}
|
||||
|
||||
sam->last_logon = server_info->last_logon;
|
||||
sam->last_logoff = server_info->last_logoff;
|
||||
sam->acct_expiry = server_info->acct_expiry;
|
||||
sam->last_password_change = server_info->last_password_change;
|
||||
sam->allow_password_change = server_info->allow_password_change;
|
||||
sam->force_password_change = server_info->force_password_change;
|
||||
info = user_info_dc->info;
|
||||
|
||||
sam->account_name.string = server_info->account_name;
|
||||
sam->full_name.string = server_info->full_name;
|
||||
sam->logon_script.string = server_info->logon_script;
|
||||
sam->profile_path.string = server_info->profile_path;
|
||||
sam->home_directory.string = server_info->home_directory;
|
||||
sam->home_drive.string = server_info->home_drive;
|
||||
sam->last_logon = info->last_logon;
|
||||
sam->last_logoff = info->last_logoff;
|
||||
sam->acct_expiry = info->acct_expiry;
|
||||
sam->last_password_change = info->last_password_change;
|
||||
sam->allow_password_change = info->allow_password_change;
|
||||
sam->force_password_change = info->force_password_change;
|
||||
|
||||
sam->logon_count = server_info->logon_count;
|
||||
sam->account_name.string = info->account_name;
|
||||
sam->full_name.string = info->full_name;
|
||||
sam->logon_script.string = info->logon_script;
|
||||
sam->profile_path.string = info->profile_path;
|
||||
sam->home_directory.string = info->home_directory;
|
||||
sam->home_drive.string = info->home_drive;
|
||||
|
||||
sam->logon_count = info->logon_count;
|
||||
sam->bad_password_count = sam->bad_password_count;
|
||||
sam->groups.count = 0;
|
||||
sam->groups.rids = NULL;
|
||||
|
||||
if (server_info->num_sids > 2) {
|
||||
if (user_info_dc->num_sids > 2) {
|
||||
size_t i;
|
||||
sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
|
||||
server_info->num_sids);
|
||||
user_info_dc->num_sids);
|
||||
|
||||
if (sam->groups.rids == NULL)
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
|
||||
for (i=2; i<server_info->num_sids; i++) {
|
||||
struct dom_sid *group_sid = &server_info->sids[i];
|
||||
for (i=2; i<user_info_dc->num_sids; i++) {
|
||||
struct dom_sid *group_sid = &user_info_dc->sids[i];
|
||||
if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
|
||||
/* We handle this elsewhere */
|
||||
continue;
|
||||
@ -99,20 +102,20 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
|
||||
sam->acct_flags = server_info->acct_flags;
|
||||
sam->logon_server.string = server_info->logon_server;
|
||||
sam->domain.string = server_info->domain_name;
|
||||
sam->acct_flags = user_info_dc->info->acct_flags;
|
||||
sam->logon_server.string = user_info_dc->info->logon_server;
|
||||
sam->domain.string = user_info_dc->info->domain_name;
|
||||
|
||||
ZERO_STRUCT(sam->unknown);
|
||||
|
||||
ZERO_STRUCT(sam->key);
|
||||
if (server_info->user_session_key.length == sizeof(sam->key.key)) {
|
||||
memcpy(sam->key.key, server_info->user_session_key.data, sizeof(sam->key.key));
|
||||
if (user_info_dc->user_session_key.length == sizeof(sam->key.key)) {
|
||||
memcpy(sam->key.key, user_info_dc->user_session_key.data, sizeof(sam->key.key));
|
||||
}
|
||||
|
||||
ZERO_STRUCT(sam->LMSessKey);
|
||||
if (server_info->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
|
||||
memcpy(sam->LMSessKey.key, server_info->lm_session_key.data,
|
||||
if (user_info_dc->lm_session_key.length == sizeof(sam->LMSessKey.key)) {
|
||||
memcpy(sam->LMSessKey.key, user_info_dc->lm_session_key.data,
|
||||
sizeof(sam->LMSessKey.key));
|
||||
}
|
||||
|
||||
@ -122,9 +125,9 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/* Note that the validity of the _sam3 structure is only as long as
|
||||
* the server_info it was generated from */
|
||||
NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
* the user_info_dc it was generated from */
|
||||
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
struct netr_SamInfo3 **_sam3)
|
||||
{
|
||||
struct netr_SamBaseInfo *sam;
|
||||
@ -133,7 +136,7 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
|
||||
size_t i;
|
||||
NT_STATUS_HAVE_NO_MEMORY(sam3);
|
||||
|
||||
status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam);
|
||||
status = auth_convert_user_info_dc_sambaseinfo(sam3, user_info_dc, &sam);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
talloc_free(sam3);
|
||||
return status;
|
||||
@ -144,15 +147,15 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
|
||||
|
||||
|
||||
sam3->sids = talloc_array(sam, struct netr_SidAttr,
|
||||
server_info->num_sids);
|
||||
user_info_dc->num_sids);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
|
||||
|
||||
/* We don't put the user and group SIDs in there */
|
||||
for (i=2; i<server_info->num_sids; i++) {
|
||||
if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) {
|
||||
for (i=2; i<user_info_dc->num_sids; i++) {
|
||||
if (dom_sid_in_domain(sam->domain_sid, &user_info_dc->sids[i])) {
|
||||
continue;
|
||||
}
|
||||
sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]);
|
||||
sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &user_info_dc->sids[i]);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
|
||||
sam3->sids[sam3->sidcount].attributes =
|
||||
SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
|
||||
@ -169,15 +172,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/**
|
||||
* Make a server_info struct from the info3 returned by a domain logon
|
||||
* Make a user_info_dc struct from the info3 returned by a domain logon
|
||||
*/
|
||||
NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
const char *account_name,
|
||||
uint16_t validation_level,
|
||||
union netr_Validation *validation,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
struct netr_SamBaseInfo *base = NULL;
|
||||
uint32_t i;
|
||||
|
||||
@ -204,8 +208,8 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_LEVEL;
|
||||
}
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
/*
|
||||
Here is where we should check the list of
|
||||
@ -223,27 +227,27 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
server_info->num_sids = 2;
|
||||
user_info_dc->num_sids = 2;
|
||||
|
||||
server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids + base->groups.count);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
|
||||
user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
|
||||
|
||||
server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
|
||||
if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
|
||||
user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
|
||||
if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
|
||||
if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
|
||||
user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
|
||||
if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
for (i = 0; i < base->groups.count; i++) {
|
||||
server_info->sids[server_info->num_sids] = *base->domain_sid;
|
||||
if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) {
|
||||
user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
|
||||
if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
server_info->num_sids++;
|
||||
user_info_dc->num_sids++;
|
||||
}
|
||||
|
||||
/* Copy 'other' sids. We need to do sid filtering here to
|
||||
@ -253,7 +257,7 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
*/
|
||||
|
||||
if (validation_level == 3) {
|
||||
struct dom_sid *dgrps = server_info->sids;
|
||||
struct dom_sid *dgrps = user_info_dc->sids;
|
||||
size_t sidcount;
|
||||
|
||||
/* The IDL layer would be a better place to check this, but to
|
||||
@ -262,88 +266,88 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
sidcount = server_info->num_sids + validation->sam3->sidcount;
|
||||
sidcount = user_info_dc->num_sids + validation->sam3->sidcount;
|
||||
if (validation->sam3->sidcount > 0) {
|
||||
dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount);
|
||||
dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid, sidcount);
|
||||
NT_STATUS_HAVE_NO_MEMORY(dgrps);
|
||||
|
||||
for (i = 0; i < validation->sam3->sidcount; i++) {
|
||||
if (validation->sam3->sids[i].sid) {
|
||||
dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid;
|
||||
server_info->num_sids++;
|
||||
dgrps[user_info_dc->num_sids] = *validation->sam3->sids[i].sid;
|
||||
user_info_dc->num_sids++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
server_info->sids = dgrps;
|
||||
user_info_dc->sids = dgrps;
|
||||
|
||||
/* Where are the 'global' sids?... */
|
||||
}
|
||||
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
if (base->account_name.string) {
|
||||
server_info->account_name = talloc_reference(server_info, base->account_name.string);
|
||||
info->account_name = talloc_reference(info, base->account_name.string);
|
||||
} else {
|
||||
server_info->account_name = talloc_strdup(server_info, account_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
info->account_name = talloc_strdup(info, account_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
}
|
||||
|
||||
server_info->domain_name = talloc_reference(server_info, base->domain.string);
|
||||
server_info->full_name = talloc_reference(server_info, base->full_name.string);
|
||||
server_info->logon_script = talloc_reference(server_info, base->logon_script.string);
|
||||
server_info->profile_path = talloc_reference(server_info, base->profile_path.string);
|
||||
server_info->home_directory = talloc_reference(server_info, base->home_directory.string);
|
||||
server_info->home_drive = talloc_reference(server_info, base->home_drive.string);
|
||||
server_info->logon_server = talloc_reference(server_info, base->logon_server.string);
|
||||
server_info->last_logon = base->last_logon;
|
||||
server_info->last_logoff = base->last_logoff;
|
||||
server_info->acct_expiry = base->acct_expiry;
|
||||
server_info->last_password_change = base->last_password_change;
|
||||
server_info->allow_password_change = base->allow_password_change;
|
||||
server_info->force_password_change = base->force_password_change;
|
||||
server_info->logon_count = base->logon_count;
|
||||
server_info->bad_password_count = base->bad_password_count;
|
||||
server_info->acct_flags = base->acct_flags;
|
||||
info->domain_name = talloc_reference(info, base->domain.string);
|
||||
info->full_name = talloc_reference(info, base->full_name.string);
|
||||
info->logon_script = talloc_reference(info, base->logon_script.string);
|
||||
info->profile_path = talloc_reference(info, base->profile_path.string);
|
||||
info->home_directory = talloc_reference(info, base->home_directory.string);
|
||||
info->home_drive = talloc_reference(info, base->home_drive.string);
|
||||
info->logon_server = talloc_reference(info, base->logon_server.string);
|
||||
info->last_logon = base->last_logon;
|
||||
info->last_logoff = base->last_logoff;
|
||||
info->acct_expiry = base->acct_expiry;
|
||||
info->last_password_change = base->last_password_change;
|
||||
info->allow_password_change = base->allow_password_change;
|
||||
info->force_password_change = base->force_password_change;
|
||||
info->logon_count = base->logon_count;
|
||||
info->bad_password_count = base->bad_password_count;
|
||||
info->acct_flags = base->acct_flags;
|
||||
|
||||
server_info->authenticated = true;
|
||||
info->authenticated = true;
|
||||
|
||||
/* ensure we are never given NULL session keys */
|
||||
|
||||
if (all_zero(base->key.key, sizeof(base->key.key))) {
|
||||
server_info->user_session_key = data_blob(NULL, 0);
|
||||
user_info_dc->user_session_key = data_blob(NULL, 0);
|
||||
} else {
|
||||
server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key));
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, base->key.key, sizeof(base->key.key));
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
|
||||
}
|
||||
|
||||
if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) {
|
||||
server_info->lm_session_key = data_blob(NULL, 0);
|
||||
user_info_dc->lm_session_key = data_blob(NULL, 0);
|
||||
} else {
|
||||
server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key));
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, base->LMSessKey.key, sizeof(base->LMSessKey.key));
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
|
||||
}
|
||||
|
||||
ZERO_STRUCT(server_info->pac_srv_sig);
|
||||
ZERO_STRUCT(server_info->pac_kdc_sig);
|
||||
|
||||
*_server_info = server_info;
|
||||
*_user_info_dc = user_info_dc;
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
/**
|
||||
* Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
|
||||
* Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon
|
||||
*/
|
||||
NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
|
||||
struct PAC_LOGON_INFO *pac_logon_info,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
uint32_t i;
|
||||
NTSTATUS nt_status;
|
||||
union netr_Validation validation;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
|
||||
validation.sam3 = &pac_logon_info->info3;
|
||||
|
||||
nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
|
||||
nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
return nt_status;
|
||||
}
|
||||
@ -353,7 +357,7 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
|
||||
/* The IDL layer would be a better place to check this, but to
|
||||
* guard the integer addition below, we double-check */
|
||||
if (pac_logon_info->res_groups.count > 65535) {
|
||||
talloc_free(server_info);
|
||||
talloc_free(user_info_dc);
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
@ -367,20 +371,20 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
sidcount = server_info->num_sids + pac_logon_info->res_groups.count;
|
||||
server_info->sids
|
||||
= talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
|
||||
sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count;
|
||||
user_info_dc->sids
|
||||
= talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
|
||||
|
||||
for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
|
||||
server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid;
|
||||
if (!sid_append_rid(&server_info->sids[server_info->num_sids],
|
||||
user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid;
|
||||
if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
|
||||
pac_logon_info->res_groups.rids[i].rid)) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
server_info->num_sids++;
|
||||
user_info_dc->num_sids++;
|
||||
}
|
||||
}
|
||||
*_server_info = server_info;
|
||||
*_user_info_dc = user_info_dc;
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
@ -1315,17 +1315,17 @@ const char *gensec_get_target_principal(struct gensec_security *gensec_security)
|
||||
|
||||
NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
struct gensec_security *gensec_security,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
if (server_info->authenticated) {
|
||||
if (user_info_dc->info->authenticated) {
|
||||
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
|
||||
}
|
||||
if (gensec_security->auth_context) {
|
||||
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
|
||||
server_info,
|
||||
user_info_dc,
|
||||
flags,
|
||||
session_info);
|
||||
} else {
|
||||
@ -1333,7 +1333,7 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
nt_status = auth_generate_session_info(mem_ctx,
|
||||
NULL,
|
||||
NULL,
|
||||
server_info, flags,
|
||||
user_info_dc, flags,
|
||||
session_info);
|
||||
}
|
||||
return nt_status;
|
||||
|
@ -180,7 +180,7 @@ struct gensec_critical_sizes {
|
||||
struct gensec_security;
|
||||
struct socket_context;
|
||||
struct auth_context;
|
||||
struct auth_serversupplied_info;
|
||||
struct auth_user_info_dc;
|
||||
|
||||
NTSTATUS gensec_socket_init(struct gensec_security *gensec_security,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
|
@ -1257,11 +1257,13 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
TALLOC_CTX *mem_ctx;
|
||||
struct gensec_gssapi_state *gensec_gssapi_state
|
||||
= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
OM_uint32 maj_stat, min_stat;
|
||||
gss_buffer_desc pac;
|
||||
DATA_BLOB pac_blob;
|
||||
struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
|
||||
struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
|
||||
|
||||
if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length)
|
||||
|| (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements,
|
||||
@ -1292,10 +1294,23 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
* kind...
|
||||
*/
|
||||
if (pac_blob.length) {
|
||||
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
|
||||
pac_blob,
|
||||
gensec_gssapi_state->smb_krb5_context->krb5_context,
|
||||
&server_info);
|
||||
pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
|
||||
if (!pac_srv_sig) {
|
||||
talloc_free(mem_ctx);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
|
||||
if (!pac_kdc_sig) {
|
||||
talloc_free(mem_ctx);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
|
||||
pac_blob,
|
||||
gensec_gssapi_state->smb_krb5_context->krb5_context,
|
||||
&user_info_dc,
|
||||
pac_srv_sig,
|
||||
pac_kdc_sig);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
return nt_status;
|
||||
@ -1330,11 +1345,11 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
|
||||
DEBUG(1, ("Unable to find PAC, resorting to local user lookup: %s\n",
|
||||
gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid)));
|
||||
nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
|
||||
nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
|
||||
gensec_security->auth_context,
|
||||
principal_string,
|
||||
NULL,
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
@ -1348,9 +1363,9 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
}
|
||||
}
|
||||
|
||||
/* references the server_info into the session_info */
|
||||
/* references the user_info_dc into the session_info */
|
||||
nt_status = gensec_generate_session_info(mem_ctx, gensec_security,
|
||||
server_info, &session_info);
|
||||
user_info_dc, &session_info);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
return nt_status;
|
||||
@ -1362,6 +1377,12 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/* Allow torture tests to check the PAC signatures */
|
||||
if (session_info->torture) {
|
||||
session_info->torture->pac_srv_sig = talloc_steal(session_info->torture, pac_srv_sig);
|
||||
session_info->torture->pac_kdc_sig = talloc_steal(session_info->torture, pac_kdc_sig);
|
||||
}
|
||||
|
||||
if (!(gensec_gssapi_state->got_flags & GSS_C_DELEG_FLAG)) {
|
||||
DEBUG(10, ("gensec_gssapi: NO delegated credentials supplied by client\n"));
|
||||
} else {
|
||||
|
@ -603,7 +603,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
|
||||
NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL;
|
||||
struct gensec_krb5_state *gensec_krb5_state = (struct gensec_krb5_state *)gensec_security->private_data;
|
||||
krb5_context context = gensec_krb5_state->smb_krb5_context->krb5_context;
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
struct PAC_LOGON_INFO *logon_info;
|
||||
|
||||
@ -663,10 +663,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
|
||||
DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup: %s",
|
||||
principal_string, smb_get_krb5_error_message(context,
|
||||
ret, mem_ctx)));
|
||||
nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx,
|
||||
nt_status = gensec_security->auth_context->get_user_info_dc_principal(mem_ctx,
|
||||
gensec_security->auth_context,
|
||||
principal_string,
|
||||
NULL, &server_info);
|
||||
NULL, &user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
free(principal_string);
|
||||
krb5_free_principal(context, client_principal);
|
||||
@ -709,10 +709,10 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
|
||||
}
|
||||
|
||||
validation.sam3 = &logon_info->info3;
|
||||
nt_status = make_server_info_netlogon_validation(mem_ctx,
|
||||
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
|
||||
NULL,
|
||||
3, &validation,
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
free(principal_string);
|
||||
krb5_free_principal(context, client_principal);
|
||||
@ -724,8 +724,8 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
|
||||
free(principal_string);
|
||||
krb5_free_principal(context, client_principal);
|
||||
|
||||
/* references the server_info into the session_info */
|
||||
nt_status = gensec_generate_session_info(mem_ctx, gensec_security, server_info, &session_info);
|
||||
/* references the user_info_dc into the session_info */
|
||||
nt_status = gensec_generate_session_info(mem_ctx, gensec_security, user_info_dc, &session_info);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
|
@ -23,7 +23,7 @@
|
||||
#include "auth/kerberos/krb5_init_context.h"
|
||||
#include "librpc/gen_ndr/krb5pac.h"
|
||||
|
||||
struct auth_serversupplied_info;
|
||||
struct auth_user_info_dc;
|
||||
struct cli_credentials;
|
||||
|
||||
struct ccache_container {
|
||||
@ -134,7 +134,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
|
||||
const krb5_keyblock *service_keyblock,
|
||||
DATA_BLOB *pac);
|
||||
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
krb5_context context,
|
||||
const krb5_keyblock *krbtgt_keyblock,
|
||||
const krb5_keyblock *service_keyblock,
|
||||
|
@ -524,7 +524,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
|
||||
|
||||
|
||||
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
krb5_context context,
|
||||
const krb5_keyblock *krbtgt_keyblock,
|
||||
const krb5_keyblock *service_keyblock,
|
||||
@ -612,7 +612,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
|
||||
talloc_free(pac_data);
|
||||
return ENOMEM;
|
||||
}
|
||||
nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3);
|
||||
nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
|
||||
talloc_free(pac_data);
|
||||
@ -645,10 +645,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
|
||||
return ret;
|
||||
}
|
||||
|
||||
krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
|
||||
krb5_pac pac,
|
||||
krb5_context context,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
krb5_pac pac,
|
||||
krb5_context context,
|
||||
struct auth_user_info_dc **user_info_dc,
|
||||
struct PAC_SIGNATURE_DATA *pac_srv_sig,
|
||||
struct PAC_SIGNATURE_DATA *pac_kdc_sig)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
enum ndr_err_code ndr_err;
|
||||
@ -658,7 +660,7 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
|
||||
krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
|
||||
|
||||
union PAC_INFO info;
|
||||
struct auth_serversupplied_info *server_info_out;
|
||||
struct auth_user_info_dc *user_info_dc_out;
|
||||
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
|
||||
@ -686,62 +688,67 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
/* Pull this right into the normal auth sysstem structures */
|
||||
nt_status = make_server_info_pac(mem_ctx,
|
||||
nt_status = make_user_info_dc_pac(mem_ctx,
|
||||
info.logon_info.info,
|
||||
&server_info_out);
|
||||
&user_info_dc_out);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(tmp_ctx);
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
|
||||
if (ret != 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
if (pac_srv_sig) {
|
||||
ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
|
||||
if (ret != 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
|
||||
pac_srv_sig,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
|
||||
krb5_data_free(&k5pac_srv_checksum_in);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
nt_status = ndr_map_error2ntstatus(ndr_err);
|
||||
DEBUG(0,("can't parse the KDC signature: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
return EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
|
||||
if (pac_kdc_sig) {
|
||||
ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
|
||||
if (ret != 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out,
|
||||
&server_info_out->pac_srv_sig,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
|
||||
krb5_data_free(&k5pac_srv_checksum_in);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
nt_status = ndr_map_error2ntstatus(ndr_err);
|
||||
DEBUG(0,("can't parse the KDC signature: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
return EINVAL;
|
||||
pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
|
||||
pac_kdc_sig,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
|
||||
krb5_data_free(&k5pac_kdc_checksum_in);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
nt_status = ndr_map_error2ntstatus(ndr_err);
|
||||
DEBUG(0,("can't parse the KDC signature: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
return EINVAL;
|
||||
}
|
||||
}
|
||||
|
||||
ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
|
||||
if (ret != 0) {
|
||||
talloc_free(tmp_ctx);
|
||||
return ret;
|
||||
}
|
||||
|
||||
pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
|
||||
|
||||
ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out,
|
||||
&server_info_out->pac_kdc_sig,
|
||||
(ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
|
||||
krb5_data_free(&k5pac_kdc_checksum_in);
|
||||
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
|
||||
nt_status = ndr_map_error2ntstatus(ndr_err);
|
||||
DEBUG(0,("can't parse the KDC signature: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
return EINVAL;
|
||||
}
|
||||
|
||||
*server_info = server_info_out;
|
||||
*user_info_dc = user_info_dc_out;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB pac_blob,
|
||||
krb5_context context,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB pac_blob,
|
||||
krb5_context context,
|
||||
struct auth_user_info_dc **user_info_dc,
|
||||
struct PAC_SIGNATURE_DATA *pac_srv_sig,
|
||||
struct PAC_SIGNATURE_DATA *pac_kdc_sig)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
krb5_pac pac;
|
||||
@ -753,7 +760,7 @@ NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx,
|
||||
}
|
||||
|
||||
|
||||
ret = kerberos_pac_to_server_info(mem_ctx, pac, context, server_info);
|
||||
ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig);
|
||||
krb5_pac_free(context, pac);
|
||||
if (ret) {
|
||||
return map_nt_error_from_unix(ret);
|
||||
|
@ -103,21 +103,21 @@ PAC isn't available, and for tokenGroups in the DSDB stack.
|
||||
|
||||
Supply either a principal or a DN
|
||||
****************************************************************************/
|
||||
_PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
_PUBLIC_ NTSTATUS auth_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_ctx,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_method_context *method;
|
||||
|
||||
for (method = auth_ctx->methods; method; method = method->next) {
|
||||
if (!method->ops->get_server_info_principal) {
|
||||
if (!method->ops->get_user_info_dc_principal) {
|
||||
continue;
|
||||
}
|
||||
|
||||
nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
|
||||
nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, user_info_dc);
|
||||
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
|
||||
continue;
|
||||
}
|
||||
@ -133,9 +133,9 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
* (sync version)
|
||||
*
|
||||
* Check a user's password, as given in the user_info struct and return various
|
||||
* interesting details in the server_info struct.
|
||||
* interesting details in the user_info_dc struct.
|
||||
*
|
||||
* The return value takes precedence over the contents of the server_info
|
||||
* The return value takes precedence over the contents of the user_info_dc
|
||||
* struct. When the return is other than NT_STATUS_OK the contents
|
||||
* of that structure is undefined.
|
||||
*
|
||||
@ -146,9 +146,9 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
*
|
||||
* @param user_info Contains the user supplied components, including the passwords.
|
||||
*
|
||||
* @param mem_ctx The parent memory context for the server_info structure
|
||||
* @param mem_ctx The parent memory context for the user_info_dc structure
|
||||
*
|
||||
* @param server_info If successful, contains information about the authentication,
|
||||
* @param user_info_dc If successful, contains information about the authentication,
|
||||
* including a SAM_ACCOUNT struct describing the user.
|
||||
*
|
||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||
@ -158,7 +158,7 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
_PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
struct tevent_req *subreq;
|
||||
struct tevent_context *ev;
|
||||
@ -181,7 +181,7 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
|
||||
return NT_STATUS_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
status = auth_check_password_recv(subreq, mem_ctx, server_info);
|
||||
status = auth_check_password_recv(subreq, mem_ctx, user_info_dc);
|
||||
TALLOC_FREE(subreq);
|
||||
|
||||
return status;
|
||||
@ -190,7 +190,7 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
|
||||
struct auth_check_password_state {
|
||||
struct auth_context *auth_ctx;
|
||||
const struct auth_usersupplied_info *user_info;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_method_context *method;
|
||||
};
|
||||
|
||||
@ -202,9 +202,9 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
|
||||
* async send hook
|
||||
*
|
||||
* Check a user's password, as given in the user_info struct and return various
|
||||
* interesting details in the server_info struct.
|
||||
* interesting details in the user_info_dc struct.
|
||||
*
|
||||
* The return value takes precedence over the contents of the server_info
|
||||
* The return value takes precedence over the contents of the user_info_dc
|
||||
* struct. When the return is other than NT_STATUS_OK the contents
|
||||
* of that structure is undefined.
|
||||
*
|
||||
@ -334,7 +334,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
|
||||
status = method->ops->check_password(method,
|
||||
state,
|
||||
state->user_info,
|
||||
&state->server_info);
|
||||
&state->user_info_dc);
|
||||
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED)) {
|
||||
/* the backend has handled the request */
|
||||
break;
|
||||
@ -358,16 +358,16 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
|
||||
* Check a user's Plaintext, LM or NTLM password.
|
||||
* async receive function
|
||||
*
|
||||
* The return value takes precedence over the contents of the server_info
|
||||
* The return value takes precedence over the contents of the user_info_dc
|
||||
* struct. When the return is other than NT_STATUS_OK the contents
|
||||
* of that structure is undefined.
|
||||
*
|
||||
*
|
||||
* @param req The async request state
|
||||
*
|
||||
* @param mem_ctx The parent memory context for the server_info structure
|
||||
* @param mem_ctx The parent memory context for the user_info_dc structure
|
||||
*
|
||||
* @param server_info If successful, contains information about the authentication,
|
||||
* @param user_info_dc If successful, contains information about the authentication,
|
||||
* including a SAM_ACCOUNT struct describing the user.
|
||||
*
|
||||
* @return An NTSTATUS with NT_STATUS_OK or an appropriate error.
|
||||
@ -376,7 +376,7 @@ static void auth_check_password_async_trigger(struct tevent_context *ev,
|
||||
|
||||
_PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
struct auth_check_password_state *state =
|
||||
tevent_req_data(req, struct auth_check_password_state);
|
||||
@ -397,10 +397,10 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
|
||||
DEBUG(5,("auth_check_password_recv: "
|
||||
"%s authentication for user [%s\\%s] succeeded\n",
|
||||
state->method->ops->name,
|
||||
state->server_info->domain_name,
|
||||
state->server_info->account_name));
|
||||
state->user_info_dc->info->domain_name,
|
||||
state->user_info_dc->info->account_name));
|
||||
|
||||
*server_info = talloc_move(mem_ctx, &state->server_info);
|
||||
*user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
|
||||
|
||||
tevent_req_received(req);
|
||||
return NT_STATUS_OK;
|
||||
@ -410,12 +410,12 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
|
||||
* know that session_info is generated from the main ldb */
|
||||
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_context,
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
uint32_t session_info_flags,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
|
||||
auth_context->sam_ctx, server_info,
|
||||
auth_context->sam_ctx, user_info_dc,
|
||||
session_info_flags, session_info);
|
||||
}
|
||||
|
||||
@ -477,7 +477,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
|
||||
ctx->get_challenge = auth_get_challenge;
|
||||
ctx->set_challenge = auth_context_set_challenge;
|
||||
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
|
||||
ctx->get_server_info_principal = auth_get_server_info_principal;
|
||||
ctx->get_user_info_dc_principal = auth_get_user_info_dc_principal;
|
||||
ctx->generate_session_info = auth_generate_session_info_wrapper;
|
||||
|
||||
*auth_ctx = ctx;
|
||||
@ -625,7 +625,7 @@ const struct auth_critical_sizes *auth_interface_version(void)
|
||||
sizeof(struct auth_method_context),
|
||||
sizeof(struct auth_context),
|
||||
sizeof(struct auth_usersupplied_info),
|
||||
sizeof(struct auth_serversupplied_info)
|
||||
sizeof(struct auth_user_info_dc)
|
||||
};
|
||||
|
||||
return &critical_sizes;
|
||||
|
@ -52,9 +52,9 @@ static NTSTATUS anonymous_want_check(struct auth_method_context *ctx,
|
||||
static NTSTATUS anonymous_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
return auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _server_info);
|
||||
return auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx), _user_info_dc);
|
||||
}
|
||||
|
||||
static const struct auth_operations anonymous_auth_ops = {
|
||||
|
@ -47,10 +47,11 @@ static NTSTATUS name_to_ntstatus_want_check(struct auth_method_context *ctx,
|
||||
static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
uint32_t error_num;
|
||||
const char *user;
|
||||
|
||||
@ -65,62 +66,65 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
|
||||
}
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
/* This returns a pointer to a struct dom_sid, which is the
|
||||
* same as a 1 element list of struct dom_sid */
|
||||
server_info->num_sids = 1;
|
||||
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
|
||||
user_info_dc->num_sids = 1;
|
||||
user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
|
||||
|
||||
/* annoying, but the Anonymous really does have a session key,
|
||||
and it is all zeros! */
|
||||
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
|
||||
|
||||
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
|
||||
|
||||
data_blob_clear(&server_info->user_session_key);
|
||||
data_blob_clear(&server_info->lm_session_key);
|
||||
data_blob_clear(&user_info_dc->user_session_key);
|
||||
data_blob_clear(&user_info_dc->lm_session_key);
|
||||
|
||||
server_info->account_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->account_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s ANONYMOUS LOGON", user);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->full_name = talloc_asprintf(server_info, "NAME TO NTSTATUS %s Anonymous Logon", user);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
|
||||
info->domain_name = talloc_strdup(user_info_dc, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
info->full_name = talloc_asprintf(user_info_dc, "NAME TO NTSTATUS %s Anonymous Logon", user);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->full_name);
|
||||
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
info->logon_script = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
info->profile_path = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->home_directory = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
info->home_drive = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
|
||||
server_info->acct_flags = ACB_NORMAL;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
|
||||
server_info->authenticated = false;
|
||||
info->acct_flags = ACB_NORMAL;
|
||||
|
||||
*_server_info = server_info;
|
||||
info->authenticated = true;
|
||||
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
@ -166,7 +170,7 @@ static NTSTATUS fixed_challenge_want_check(struct auth_method_context *ctx,
|
||||
static NTSTATUS fixed_challenge_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
/* don't handle any users */
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
|
@ -237,7 +237,7 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
|
||||
static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
const char *account_name = user_info->mapped.account_name;
|
||||
@ -280,18 +280,18 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
nt_status = authsam_make_server_info(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
|
||||
nt_status = authsam_make_user_info_dc(tmp_ctx, ctx->auth_ctx->sam_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
|
||||
lpcfg_sam_name(ctx->auth_ctx->lp_ctx),
|
||||
domain_dn,
|
||||
msg,
|
||||
user_sess_key, lm_sess_key,
|
||||
server_info);
|
||||
user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(tmp_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, *server_info);
|
||||
talloc_steal(mem_ctx, *user_info_dc);
|
||||
talloc_free(tmp_ctx);
|
||||
|
||||
return NT_STATUS_OK;
|
||||
@ -354,21 +354,21 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
|
||||
|
||||
|
||||
/* Wrapper for the auth subsystem pointer */
|
||||
static NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx,
|
||||
static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
|
||||
struct auth_context *auth_context,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
|
||||
principal, user_dn, server_info);
|
||||
return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
|
||||
principal, user_dn, user_info_dc);
|
||||
}
|
||||
static const struct auth_operations sam_ignoredomain_ops = {
|
||||
.name = "sam_ignoredomain",
|
||||
.get_challenge = auth_get_challenge_not_implemented,
|
||||
.want_check = authsam_ignoredomain_want_check,
|
||||
.check_password = authsam_check_password_internals,
|
||||
.get_server_info_principal = authsam_get_server_info_principal_wrapper
|
||||
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
|
||||
};
|
||||
|
||||
static const struct auth_operations sam_ops = {
|
||||
@ -376,7 +376,7 @@ static const struct auth_operations sam_ops = {
|
||||
.get_challenge = auth_get_challenge_not_implemented,
|
||||
.want_check = authsam_want_check,
|
||||
.check_password = authsam_check_password_internals,
|
||||
.get_server_info_principal = authsam_get_server_info_principal_wrapper
|
||||
.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper
|
||||
};
|
||||
|
||||
_PUBLIC_ NTSTATUS auth_sam_init(void)
|
||||
|
@ -111,10 +111,11 @@ static NTSTATUS server_get_challenge(struct auth_method_context *ctx, TALLOC_CTX
|
||||
static NTSTATUS server_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
struct cli_credentials *creds;
|
||||
struct smb_composite_sesssetup session_setup;
|
||||
|
||||
@ -156,56 +157,59 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx,
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
server_info->num_sids = 1;
|
||||
user_info_dc->num_sids = 1;
|
||||
|
||||
/* This returns a pointer to a struct dom_sid, which is the
|
||||
* same as a 1 element list of struct dom_sid */
|
||||
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
|
||||
user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
|
||||
|
||||
/* annoying, but the Anonymous really does have a session key,
|
||||
and it is all zeros! */
|
||||
server_info->user_session_key = data_blob(NULL, 0);
|
||||
server_info->lm_session_key = data_blob(NULL, 0);
|
||||
user_info_dc->user_session_key = data_blob(NULL, 0);
|
||||
user_info_dc->lm_session_key = data_blob(NULL, 0);
|
||||
|
||||
server_info->account_name = talloc_strdup(server_info, user_info->client.account_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, user_info->client.domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->account_name = talloc_strdup(user_info_dc, user_info->client.account_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->full_name = NULL;
|
||||
info->domain_name = talloc_strdup(user_info_dc, user_info->client.domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
info->full_name = NULL;
|
||||
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
info->logon_script = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
info->profile_path = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->home_directory = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
info->home_drive = talloc_strdup(user_info_dc, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
|
||||
server_info->acct_flags = ACB_NORMAL;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
|
||||
server_info->authenticated = false;
|
||||
info->acct_flags = ACB_NORMAL;
|
||||
|
||||
*_server_info = server_info;
|
||||
info->authenticated = false;
|
||||
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
@ -40,7 +40,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
|
||||
{
|
||||
struct auth_context *auth_context;
|
||||
struct auth_usersupplied_info *user_info;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
NTSTATUS nt_status;
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
|
||||
@ -83,7 +83,7 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
|
||||
MSV1_0_CLEARTEXT_PASSWORD_ALLOWED |
|
||||
MSV1_0_CLEARTEXT_PASSWORD_SUPPLIED;
|
||||
|
||||
nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &server_info);
|
||||
nt_status = auth_check_password(auth_context, tmp_ctx, user_info, &user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(tmp_ctx);
|
||||
return nt_status;
|
||||
@ -91,11 +91,11 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
|
||||
|
||||
if (session_info) {
|
||||
uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
if (server_info->authenticated) {
|
||||
if (user_info_dc->info->authenticated) {
|
||||
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
|
||||
}
|
||||
nt_status = auth_context->generate_session_info(tmp_ctx, auth_context,
|
||||
server_info,
|
||||
user_info_dc,
|
||||
flags,
|
||||
session_info);
|
||||
|
||||
|
@ -31,68 +31,75 @@
|
||||
/* TODO: look at how to best fill in parms retrieveing a struct passwd info
|
||||
* except in case USER_INFO_DONT_CHECK_UNIX_ACCOUNT is set
|
||||
*/
|
||||
static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
static NTSTATUS authunix_make_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
const char *netbios_name,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct passwd *pwd,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
NTSTATUS status;
|
||||
|
||||
/* This is a real, real hack */
|
||||
if (pwd->pw_uid == 0) {
|
||||
status = auth_system_server_info(mem_ctx, netbios_name, &server_info);
|
||||
status = auth_system_user_info_dc(mem_ctx, netbios_name, &user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
server_info->account_name = talloc_steal(server_info, pwd->pw_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
info->account_name = talloc_steal(info, pwd->pw_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, "unix");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->domain_name = talloc_strdup(info, "unix");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
} else {
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
server_info->authenticated = true;
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
info->authenticated = true;
|
||||
|
||||
server_info->account_name = talloc_steal(server_info, pwd->pw_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
info->account_name = talloc_steal(info, pwd->pw_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, "unix");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->domain_name = talloc_strdup(info, "unix");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
/* This isn't in any way correct.. */
|
||||
server_info->num_sids = 0;
|
||||
server_info->sids = NULL;
|
||||
user_info_dc->num_sids = 0;
|
||||
user_info_dc->sids = NULL;
|
||||
}
|
||||
server_info->user_session_key = data_blob(NULL,0);
|
||||
server_info->lm_session_key = data_blob(NULL,0);
|
||||
user_info_dc->user_session_key = data_blob(NULL,0);
|
||||
user_info_dc->lm_session_key = data_blob(NULL,0);
|
||||
|
||||
server_info->full_name = talloc_steal(server_info, pwd->pw_gecos);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->full_name = talloc_steal(info, pwd->pw_gecos);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->full_name);
|
||||
info->logon_script = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
info->profile_path = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
info->home_directory = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
info->home_drive = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
server_info->acct_flags = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
info->acct_flags = 0;
|
||||
|
||||
*_server_info = server_info;
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
@ -791,7 +798,7 @@ static NTSTATUS authunix_want_check(struct auth_method_context *ctx,
|
||||
static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
TALLOC_CTX *check_ctx;
|
||||
NTSTATUS nt_status;
|
||||
@ -812,8 +819,8 @@ static NTSTATUS authunix_check_password(struct auth_method_context *ctx,
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
nt_status = authunix_make_server_info(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
|
||||
user_info, pwd, server_info);
|
||||
nt_status = authunix_make_user_info_dc(mem_ctx, lpcfg_netbios_name(ctx->auth_ctx->lp_ctx),
|
||||
user_info, pwd, user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(check_ctx);
|
||||
return nt_status;
|
||||
|
@ -131,7 +131,7 @@ struct winbind_check_password_state {
|
||||
static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
NTSTATUS status;
|
||||
struct dcerpc_binding_handle *irpc_handle;
|
||||
@ -214,11 +214,11 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
|
||||
status = dcerpc_winbind_SamLogon_r(irpc_handle, s, &s->req);
|
||||
NT_STATUS_NOT_OK_RETURN(status);
|
||||
|
||||
status = make_server_info_netlogon_validation(mem_ctx,
|
||||
status = make_user_info_dc_netlogon_validation(mem_ctx,
|
||||
user_info->client.account_name,
|
||||
s->req.in.validation_level,
|
||||
&s->req.out.validation,
|
||||
server_info);
|
||||
user_info_dc);
|
||||
NT_STATUS_NOT_OK_RETURN(status);
|
||||
|
||||
return NT_STATUS_OK;
|
||||
@ -231,7 +231,7 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
|
||||
static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const struct auth_usersupplied_info *user_info,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
struct wbcAuthUserParams params;
|
||||
struct wbcAuthUserInfo *info = NULL;
|
||||
@ -301,9 +301,9 @@ static NTSTATUS winbind_check_password_wbclient(struct auth_method_context *ctx,
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
validation.sam3 = &info3;
|
||||
nt_status = make_server_info_netlogon_validation(mem_ctx,
|
||||
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
|
||||
user_info->client.account_name,
|
||||
3, &validation, server_info);
|
||||
3, &validation, user_info_dc);
|
||||
return nt_status;
|
||||
|
||||
}
|
||||
|
@ -27,7 +27,7 @@ struct gensec_ntlmssp_context {
|
||||
struct gensec_security *gensec_security;
|
||||
struct ntlmssp_state *ntlmssp_state;
|
||||
struct auth_context *auth_context;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
};
|
||||
|
||||
struct loadparm_context;
|
||||
|
@ -181,23 +181,23 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
|
||||
nt_status = auth_context->check_password(auth_context,
|
||||
gensec_ntlmssp,
|
||||
user_info,
|
||||
&gensec_ntlmssp->server_info);
|
||||
&gensec_ntlmssp->user_info_dc);
|
||||
talloc_free(user_info);
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
if (gensec_ntlmssp->server_info->user_session_key.length) {
|
||||
if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
|
||||
DEBUG(10, ("Got NT session key of length %u\n",
|
||||
(unsigned)gensec_ntlmssp->server_info->user_session_key.length));
|
||||
*user_session_key = gensec_ntlmssp->server_info->user_session_key;
|
||||
(unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
|
||||
*user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
|
||||
talloc_steal(mem_ctx, user_session_key->data);
|
||||
gensec_ntlmssp->server_info->user_session_key = data_blob_null;
|
||||
gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
|
||||
}
|
||||
if (gensec_ntlmssp->server_info->lm_session_key.length) {
|
||||
if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
|
||||
DEBUG(10, ("Got LM session key of length %u\n",
|
||||
(unsigned)gensec_ntlmssp->server_info->lm_session_key.length));
|
||||
*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
|
||||
(unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
|
||||
*lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
|
||||
talloc_steal(mem_ctx, lm_session_key->data);
|
||||
gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
|
||||
gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
|
||||
}
|
||||
return nt_status;
|
||||
}
|
||||
@ -223,7 +223,7 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
|
||||
|
||||
nt_status = gensec_generate_session_info(ntlmssp_state,
|
||||
gensec_security,
|
||||
gensec_ntlmssp->server_info,
|
||||
gensec_ntlmssp->user_info_dc,
|
||||
session_info);
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
|
@ -68,7 +68,7 @@ const char *user_attrs[] = {
|
||||
/* check 'allowed workstations' */
|
||||
"userWorkstations",
|
||||
|
||||
/* required for server_info, not access control: */
|
||||
/* required for user_info_dc, not access control: */
|
||||
"displayName",
|
||||
"scriptPath",
|
||||
"profilePath",
|
||||
@ -267,7 +267,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_context *sam_ctx,
|
||||
const char *netbios_name,
|
||||
const char *domain_name,
|
||||
@ -275,10 +275,11 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
struct ldb_message *msg,
|
||||
DATA_BLOB user_sess_key,
|
||||
DATA_BLOB lm_sess_key,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
NTSTATUS status;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
const char *str, *filter;
|
||||
/* SIDs for the account and his primary group */
|
||||
struct dom_sid *account_sid;
|
||||
@ -292,23 +293,23 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct ldb_message_element *el;
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
tmp_ctx = talloc_new(server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
|
||||
tmp_ctx = talloc_new(user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc);
|
||||
|
||||
sids = talloc_array(server_info, struct dom_sid, 2);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info);
|
||||
sids = talloc_array(user_info_dc, struct dom_sid, 2);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc);
|
||||
|
||||
num_sids = 2;
|
||||
|
||||
account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
|
||||
account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid");
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc);
|
||||
|
||||
status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
talloc_free(server_info);
|
||||
talloc_free(user_info_dc);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -320,13 +321,13 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
* for builtin groups later, and not include them in the PAC
|
||||
* on SamLogon validation info */
|
||||
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc);
|
||||
|
||||
primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc);
|
||||
|
||||
primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc);
|
||||
|
||||
primary_group_blob = data_blob_string_const(primary_group_dn);
|
||||
|
||||
@ -340,9 +341,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
* 'only childs' flag to true
|
||||
*/
|
||||
status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
|
||||
server_info, &sids, &num_sids);
|
||||
user_info_dc, &sids, &num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
talloc_free(server_info);
|
||||
talloc_free(user_info_dc);
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -353,113 +354,116 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
|
||||
* them, as long as they meet the filter - so only
|
||||
* domain groups, not builtin groups */
|
||||
status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
|
||||
server_info, &sids, &num_sids);
|
||||
user_info_dc, &sids, &num_sids);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
talloc_free(server_info);
|
||||
talloc_free(user_info_dc);
|
||||
return status;
|
||||
}
|
||||
}
|
||||
|
||||
server_info->sids = sids;
|
||||
server_info->num_sids = num_sids;
|
||||
user_info_dc->sids = sids;
|
||||
user_info_dc->num_sids = num_sids;
|
||||
|
||||
server_info->account_name = talloc_steal(server_info,
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
info->account_name = talloc_steal(info,
|
||||
ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name,
|
||||
server_info);
|
||||
info->domain_name = talloc_strdup(info, domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name,
|
||||
user_info_dc);
|
||||
|
||||
str = ldb_msg_find_attr_as_string(msg, "displayName", "");
|
||||
server_info->full_name = talloc_strdup(server_info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, server_info);
|
||||
info->full_name = talloc_strdup(info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc);
|
||||
|
||||
str = ldb_msg_find_attr_as_string(msg, "scriptPath", "");
|
||||
server_info->logon_script = talloc_strdup(server_info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script,
|
||||
server_info);
|
||||
info->logon_script = talloc_strdup(info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script,
|
||||
user_info_dc);
|
||||
|
||||
str = ldb_msg_find_attr_as_string(msg, "profilePath", "");
|
||||
server_info->profile_path = talloc_strdup(server_info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path,
|
||||
server_info);
|
||||
info->profile_path = talloc_strdup(info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path,
|
||||
user_info_dc);
|
||||
|
||||
str = ldb_msg_find_attr_as_string(msg, "homeDirectory", "");
|
||||
server_info->home_directory = talloc_strdup(server_info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory,
|
||||
server_info);
|
||||
info->home_directory = talloc_strdup(info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory,
|
||||
user_info_dc);
|
||||
|
||||
str = ldb_msg_find_attr_as_string(msg, "homeDrive", "");
|
||||
server_info->home_drive = talloc_strdup(server_info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, server_info);
|
||||
info->home_drive = talloc_strdup(info, str);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc);
|
||||
|
||||
server_info->logon_server = talloc_strdup(server_info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server,
|
||||
server_info);
|
||||
info->logon_server = talloc_strdup(info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server,
|
||||
user_info_dc);
|
||||
|
||||
server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
|
||||
server_info->last_logoff = samdb_result_last_logoff(msg);
|
||||
server_info->acct_expiry = samdb_result_account_expires(msg);
|
||||
server_info->last_password_change = samdb_result_nttime(msg,
|
||||
info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
|
||||
info->last_logoff = samdb_result_last_logoff(msg);
|
||||
info->acct_expiry = samdb_result_account_expires(msg);
|
||||
info->last_password_change = samdb_result_nttime(msg,
|
||||
"pwdLastSet", 0);
|
||||
server_info->allow_password_change
|
||||
info->allow_password_change
|
||||
= samdb_result_allow_password_change(sam_ctx, mem_ctx,
|
||||
domain_dn, msg, "pwdLastSet");
|
||||
server_info->force_password_change
|
||||
info->force_password_change
|
||||
= samdb_result_force_password_change(sam_ctx, mem_ctx,
|
||||
domain_dn, msg);
|
||||
server_info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
|
||||
server_info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
|
||||
info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
|
||||
info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
|
||||
0);
|
||||
|
||||
server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
|
||||
info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
|
||||
msg, domain_dn);
|
||||
|
||||
server_info->user_session_key = data_blob_talloc(server_info,
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc,
|
||||
user_sess_key.data,
|
||||
user_sess_key.length);
|
||||
if (user_sess_key.data) {
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->user_session_key.data,
|
||||
server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data,
|
||||
user_info_dc);
|
||||
}
|
||||
server_info->lm_session_key = data_blob_talloc(server_info,
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc,
|
||||
lm_sess_key.data,
|
||||
lm_sess_key.length);
|
||||
if (lm_sess_key.data) {
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->lm_session_key.data,
|
||||
server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data,
|
||||
user_info_dc);
|
||||
}
|
||||
|
||||
if (server_info->acct_flags & ACB_SVRTRUST) {
|
||||
if (info->acct_flags & ACB_SVRTRUST) {
|
||||
/* the SID_NT_ENTERPRISE_DCS SID gets added into the
|
||||
PAC */
|
||||
server_info->sids = talloc_realloc(server_info,
|
||||
server_info->sids,
|
||||
user_info_dc->sids = talloc_realloc(user_info_dc,
|
||||
user_info_dc->sids,
|
||||
struct dom_sid,
|
||||
server_info->num_sids+1);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
|
||||
server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs;
|
||||
server_info->num_sids++;
|
||||
user_info_dc->num_sids+1);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
|
||||
user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs;
|
||||
user_info_dc->num_sids++;
|
||||
}
|
||||
|
||||
if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
|
||||
if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
|
||||
(ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
|
||||
/* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
|
||||
server_info->sids = talloc_realloc(server_info,
|
||||
server_info->sids,
|
||||
user_info_dc->sids = talloc_realloc(user_info_dc,
|
||||
user_info_dc->sids,
|
||||
struct dom_sid,
|
||||
server_info->num_sids+1);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
|
||||
server_info->sids[server_info->num_sids] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[server_info->num_sids],
|
||||
user_info_dc->num_sids+1);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
|
||||
user_info_dc->sids[user_info_dc->num_sids] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
|
||||
DOMAIN_RID_ENTERPRISE_READONLY_DCS);
|
||||
server_info->num_sids++;
|
||||
user_info_dc->num_sids++;
|
||||
}
|
||||
|
||||
server_info->authenticated = true;
|
||||
info->authenticated = true;
|
||||
|
||||
talloc_free(tmp_ctx);
|
||||
*_server_info = server_info;
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
@ -504,12 +508,12 @@ NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
|
||||
|
||||
Supply either a principal or a DN
|
||||
*/
|
||||
NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx,
|
||||
struct loadparm_context *lp_ctx,
|
||||
struct ldb_context *sam_ctx,
|
||||
const char *principal,
|
||||
struct ldb_dn *user_dn,
|
||||
struct auth_serversupplied_info **server_info)
|
||||
struct auth_user_info_dc **user_info_dc)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
DATA_BLOB user_sess_key = data_blob(NULL, 0);
|
||||
@ -555,7 +559,7 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
"(&(objectSid=%s)(objectClass=domain))",
|
||||
ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
|
||||
if (!domain_dn) {
|
||||
DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
|
||||
DEBUG(3, ("authsam_get_user_info_dc_principal: Failed to find domain with: SID %s\n",
|
||||
dom_sid_string(tmp_ctx, domain_sid)));
|
||||
return NT_STATUS_NO_SUCH_USER;
|
||||
}
|
||||
@ -564,19 +568,19 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
nt_status = authsam_make_server_info(tmp_ctx, sam_ctx,
|
||||
nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx,
|
||||
lpcfg_netbios_name(lp_ctx),
|
||||
lpcfg_workgroup(lp_ctx),
|
||||
domain_dn,
|
||||
msg,
|
||||
user_sess_key, lm_sess_key,
|
||||
server_info);
|
||||
user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(tmp_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
talloc_steal(mem_ctx, *server_info);
|
||||
talloc_steal(mem_ctx, *user_info_dc);
|
||||
talloc_free(tmp_ctx);
|
||||
|
||||
return NT_STATUS_OK;
|
||||
|
@ -44,7 +44,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
|
||||
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
|
||||
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
uint32_t session_info_flags,
|
||||
struct auth_session_info **_session_info)
|
||||
{
|
||||
@ -63,11 +63,20 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
session_info = talloc(tmp_ctx, struct auth_session_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
|
||||
|
||||
session_info->server_info = talloc_reference(session_info, server_info);
|
||||
session_info->info = talloc_reference(session_info, user_info_dc->info);
|
||||
|
||||
session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
|
||||
session_info->torture->num_dc_sids = user_info_dc->num_sids;
|
||||
session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
|
||||
|
||||
/* unless set otherwise, the session key is the user session
|
||||
* key from the auth subsystem */
|
||||
session_info->session_key = server_info->user_session_key;
|
||||
session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
|
||||
if (!session_info->session_key.data && session_info->session_key.length) {
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
|
||||
}
|
||||
|
||||
anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
|
||||
@ -75,40 +84,40 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
|
||||
|
||||
sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids);
|
||||
sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
|
||||
if (!sids) {
|
||||
talloc_free(tmp_ctx);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
num_sids = server_info->num_sids;
|
||||
num_sids = user_info_dc->num_sids;
|
||||
|
||||
for (i=0; i < server_info->num_sids; i++) {
|
||||
sids[i] = server_info->sids[i];
|
||||
for (i=0; i < user_info_dc->num_sids; i++) {
|
||||
sids[i] = user_info_dc->sids[i];
|
||||
}
|
||||
|
||||
if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
|
||||
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
|
||||
/* Don't expand nested groups of system, anonymous etc*/
|
||||
} else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
|
||||
} else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
|
||||
/* Don't expand nested groups of system, anonymous etc*/
|
||||
} else if (sam_ctx) {
|
||||
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
|
||||
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
|
||||
|
||||
/* Search for each group in the token */
|
||||
for (i = 0; i < server_info->num_sids; i++) {
|
||||
for (i = 0; i < user_info_dc->num_sids; i++) {
|
||||
char *sid_string;
|
||||
const char *sid_dn;
|
||||
DATA_BLOB sid_blob;
|
||||
|
||||
sid_string = dom_sid_string(tmp_ctx,
|
||||
&server_info->sids[i]);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info);
|
||||
&user_info_dc->sids[i]);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
|
||||
|
||||
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
|
||||
talloc_free(sid_string);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
|
||||
sid_blob = data_blob_string_const(sid_dn);
|
||||
|
||||
/* This function takes in memberOf values and expands
|
||||
@ -156,21 +165,21 @@ NTSTATUS authsam_get_session_info_principal(TALLOC_CTX *mem_ctx,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
if (!tmp_ctx) {
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
nt_status = authsam_get_server_info_principal(tmp_ctx, lp_ctx, sam_ctx,
|
||||
nt_status = authsam_get_user_info_dc_principal(tmp_ctx, lp_ctx, sam_ctx,
|
||||
principal, user_dn,
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(tmp_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
nt_status = auth_generate_session_info(tmp_ctx, lp_ctx, sam_ctx,
|
||||
server_info, session_info_flags,
|
||||
user_info_dc, session_info_flags,
|
||||
session_info);
|
||||
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
|
@ -23,12 +23,14 @@
|
||||
|
||||
struct auth_session_info {
|
||||
struct security_token *security_token;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info *info;
|
||||
struct auth_user_info_torture *torture;
|
||||
DATA_BLOB session_key;
|
||||
struct cli_credentials *credentials;
|
||||
};
|
||||
|
||||
#include "librpc/gen_ndr/netlogon.h"
|
||||
#include "librpc/gen_ndr/auth.h"
|
||||
|
||||
struct tevent_context;
|
||||
struct ldb_context;
|
||||
@ -38,18 +40,18 @@ struct ldb_dn;
|
||||
* the off-host credentials */
|
||||
struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
|
||||
|
||||
NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
|
||||
const char *netbios_name,
|
||||
struct auth_serversupplied_info **_server_info) ;
|
||||
NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
const char *netbios_name,
|
||||
struct auth_user_info_dc **interim_info);
|
||||
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
|
||||
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
|
||||
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
|
||||
struct auth_serversupplied_info *server_info,
|
||||
struct auth_user_info_dc *interim_info,
|
||||
uint32_t session_info_flags,
|
||||
struct auth_session_info **_session_info);
|
||||
struct auth_session_info **session_info);
|
||||
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
|
||||
struct loadparm_context *lp_ctx,
|
||||
struct auth_session_info **_session_info);
|
||||
struct auth_session_info **session_info);
|
||||
/* Produce a session_info for an arbitary DN or principal in the local
|
||||
* DB, assuming the local DB holds all the groups
|
||||
*
|
||||
|
@ -25,7 +25,7 @@
|
||||
#include "libcli/security/security.h"
|
||||
#include "auth/credentials/credentials.h"
|
||||
#include "param/param.h"
|
||||
#include "auth/auth.h" /* for auth_serversupplied_info */
|
||||
#include "auth/auth.h" /* for auth_user_info_dc */
|
||||
#include "auth/session.h"
|
||||
#include "auth/system_session_proto.h"
|
||||
|
||||
@ -68,19 +68,19 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
|
||||
struct auth_session_info **_session_info)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
|
||||
|
||||
nt_status = auth_system_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
|
||||
&server_info);
|
||||
nt_status = auth_system_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/* references the server_info into the session_info */
|
||||
nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
|
||||
/* references the user_info_dc into the session_info */
|
||||
nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
|
||||
talloc_free(mem_ctx);
|
||||
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
@ -98,155 +98,163 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
/* This returns a pointer to a struct dom_sid, which is the
|
||||
* same as a 1 element list of struct dom_sid */
|
||||
server_info->num_sids = 1;
|
||||
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
|
||||
user_info_dc->num_sids = 1;
|
||||
user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_SYSTEM);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
|
||||
|
||||
/* annoying, but the Anonymous really does have a session key,
|
||||
and it is all zeros! */
|
||||
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
|
||||
|
||||
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
|
||||
|
||||
data_blob_clear(&server_info->user_session_key);
|
||||
data_blob_clear(&server_info->lm_session_key);
|
||||
data_blob_clear(&user_info_dc->user_session_key);
|
||||
data_blob_clear(&user_info_dc->lm_session_key);
|
||||
|
||||
server_info->account_name = talloc_strdup(server_info, "SYSTEM");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->account_name = talloc_strdup(info, "SYSTEM");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->full_name = talloc_strdup(server_info, "System");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
|
||||
info->domain_name = talloc_strdup(info, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
info->full_name = talloc_strdup(info, "System");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->full_name);
|
||||
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
info->logon_script = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
info->profile_path = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->home_directory = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
|
||||
server_info->logon_server = talloc_strdup(server_info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
|
||||
info->home_drive = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
info->logon_server = talloc_strdup(info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
|
||||
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
|
||||
server_info->acct_flags = ACB_NORMAL;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
|
||||
server_info->authenticated = true;
|
||||
info->acct_flags = ACB_NORMAL;
|
||||
|
||||
*_server_info = server_info;
|
||||
info->authenticated = true;
|
||||
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
|
||||
static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
|
||||
static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
const char *netbios_name,
|
||||
const char *domain_name,
|
||||
struct dom_sid *domain_sid,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
server_info->num_sids = 7;
|
||||
server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids);
|
||||
user_info_dc->num_sids = 7;
|
||||
user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
|
||||
|
||||
server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
|
||||
user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
|
||||
|
||||
server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
|
||||
user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
|
||||
|
||||
server_info->sids[2] = global_sid_Builtin_Administrators;
|
||||
user_info_dc->sids[2] = global_sid_Builtin_Administrators;
|
||||
|
||||
server_info->sids[3] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS);
|
||||
server_info->sids[4] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
|
||||
server_info->sids[5] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS);
|
||||
server_info->sids[6] = *domain_sid;
|
||||
sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
|
||||
user_info_dc->sids[3] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
|
||||
user_info_dc->sids[4] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
|
||||
user_info_dc->sids[5] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
|
||||
user_info_dc->sids[6] = *domain_sid;
|
||||
sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
|
||||
|
||||
/* What should the session key be?*/
|
||||
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
|
||||
|
||||
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
|
||||
|
||||
data_blob_clear(&server_info->user_session_key);
|
||||
data_blob_clear(&server_info->lm_session_key);
|
||||
data_blob_clear(&user_info_dc->user_session_key);
|
||||
data_blob_clear(&user_info_dc->lm_session_key);
|
||||
|
||||
server_info->account_name = talloc_strdup(server_info, "Administrator");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->account_name = talloc_strdup(info, "Administrator");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->full_name = talloc_strdup(server_info, "Administrator");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
|
||||
info->domain_name = talloc_strdup(info, domain_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
info->full_name = talloc_strdup(info, "Administrator");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->full_name);
|
||||
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
info->logon_script = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
info->profile_path = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->home_directory = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
|
||||
server_info->logon_server = talloc_strdup(server_info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
|
||||
info->home_drive = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
info->logon_server = talloc_strdup(info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
|
||||
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
|
||||
server_info->acct_flags = ACB_NORMAL;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
|
||||
server_info->authenticated = true;
|
||||
info->acct_flags = ACB_NORMAL;
|
||||
|
||||
*_server_info = server_info;
|
||||
info->authenticated = true;
|
||||
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
@ -257,21 +265,21 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
|
||||
|
||||
nt_status = auth_domain_admin_server_info(mem_ctx, lpcfg_netbios_name(lp_ctx),
|
||||
nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
|
||||
lpcfg_workgroup(lp_ctx), domain_sid,
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, server_info,
|
||||
nt_status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
|
||||
AUTH_SESSION_INFO_SIMPLE_PRIVILEGES|AUTH_SESSION_INFO_AUTHENTICATED|AUTH_SESSION_INFO_DEFAULT_GROUPS,
|
||||
session_info);
|
||||
/* There is already a reference between the sesion_info and server_info */
|
||||
/* There is already a reference between the sesion_info and user_info_dc */
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_steal(parent_ctx, *session_info);
|
||||
}
|
||||
@ -298,20 +306,20 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
|
||||
struct auth_session_info **_session_info)
|
||||
{
|
||||
NTSTATUS nt_status;
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info = NULL;
|
||||
TALLOC_CTX *mem_ctx = talloc_new(parent_ctx);
|
||||
|
||||
nt_status = auth_anonymous_server_info(mem_ctx,
|
||||
nt_status = auth_anonymous_user_info_dc(mem_ctx,
|
||||
lpcfg_netbios_name(lp_ctx),
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
talloc_free(mem_ctx);
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
/* references the server_info into the session_info */
|
||||
nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, server_info, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
|
||||
/* references the user_info_dc into the session_info */
|
||||
nt_status = auth_generate_session_info(parent_ctx, NULL, NULL, user_info_dc, AUTH_SESSION_INFO_SIMPLE_PRIVILEGES, &session_info);
|
||||
talloc_free(mem_ctx);
|
||||
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
@ -329,70 +337,74 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
_PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
|
||||
_PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
|
||||
const char *netbios_name,
|
||||
struct auth_serversupplied_info **_server_info)
|
||||
struct auth_user_info_dc **_user_info_dc)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info);
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info *info;
|
||||
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
|
||||
|
||||
/* This returns a pointer to a struct dom_sid, which is the
|
||||
* same as a 1 element list of struct dom_sid */
|
||||
server_info->num_sids = 1;
|
||||
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
|
||||
user_info_dc->num_sids = 1;
|
||||
user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
|
||||
|
||||
/* annoying, but the Anonymous really does have a session key... */
|
||||
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data);
|
||||
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
|
||||
|
||||
server_info->lm_session_key = data_blob_talloc(server_info, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data);
|
||||
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, NULL, 16);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->lm_session_key.data);
|
||||
|
||||
/* and it is all zeros! */
|
||||
data_blob_clear(&server_info->user_session_key);
|
||||
data_blob_clear(&server_info->lm_session_key);
|
||||
data_blob_clear(&user_info_dc->user_session_key);
|
||||
data_blob_clear(&user_info_dc->lm_session_key);
|
||||
|
||||
server_info->account_name = talloc_strdup(server_info, "ANONYMOUS LOGON");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->account_name);
|
||||
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
|
||||
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
|
||||
|
||||
server_info->domain_name = talloc_strdup(server_info, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
|
||||
info->account_name = talloc_strdup(info, "ANONYMOUS LOGON");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->account_name);
|
||||
|
||||
server_info->full_name = talloc_strdup(server_info, "Anonymous Logon");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
|
||||
info->domain_name = talloc_strdup(info, "NT AUTHORITY");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
|
||||
|
||||
server_info->logon_script = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
|
||||
info->full_name = talloc_strdup(info, "Anonymous Logon");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->full_name);
|
||||
|
||||
server_info->profile_path = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
|
||||
info->logon_script = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
|
||||
|
||||
server_info->home_directory = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
|
||||
info->profile_path = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
|
||||
|
||||
server_info->home_drive = talloc_strdup(server_info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
|
||||
info->home_directory = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
|
||||
|
||||
server_info->logon_server = talloc_strdup(server_info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
|
||||
info->home_drive = talloc_strdup(info, "");
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
|
||||
|
||||
server_info->last_logon = 0;
|
||||
server_info->last_logoff = 0;
|
||||
server_info->acct_expiry = 0;
|
||||
server_info->last_password_change = 0;
|
||||
server_info->allow_password_change = 0;
|
||||
server_info->force_password_change = 0;
|
||||
info->logon_server = talloc_strdup(info, netbios_name);
|
||||
NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
|
||||
|
||||
server_info->logon_count = 0;
|
||||
server_info->bad_password_count = 0;
|
||||
info->last_logon = 0;
|
||||
info->last_logoff = 0;
|
||||
info->acct_expiry = 0;
|
||||
info->last_password_change = 0;
|
||||
info->allow_password_change = 0;
|
||||
info->force_password_change = 0;
|
||||
|
||||
server_info->acct_flags = ACB_NORMAL;
|
||||
info->logon_count = 0;
|
||||
info->bad_password_count = 0;
|
||||
|
||||
server_info->authenticated = false;
|
||||
info->acct_flags = ACB_NORMAL;
|
||||
|
||||
*_server_info = server_info;
|
||||
info->authenticated = false;
|
||||
|
||||
*_user_info_dc = user_info_dc;
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
@ -235,6 +235,6 @@ const char *acl_user_name(TALLOC_CTX *mem_ctx, struct ldb_module *module)
|
||||
}
|
||||
|
||||
return talloc_asprintf(mem_ctx, "%s\\%s",
|
||||
session_info->server_info->domain_name,
|
||||
session_info->server_info->account_name);
|
||||
session_info->info->domain_name,
|
||||
session_info->info->account_name);
|
||||
}
|
||||
|
@ -169,7 +169,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
|
||||
* seem to be the case here. */
|
||||
ret = gendb_search(kdc->samdb, mem_ctx, NULL, &res, attrs,
|
||||
"(&(objectClass=user)(sAMAccountName=%s))",
|
||||
session_info->server_info->account_name);
|
||||
session_info->info->account_name);
|
||||
if (ret != 1) {
|
||||
return kpasswdd_make_error_reply(kdc, mem_ctx,
|
||||
KRB5_KPASSWD_ACCESSDENIED,
|
||||
@ -197,8 +197,8 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
|
||||
}
|
||||
|
||||
DEBUG(3, ("Changing password of %s\\%s (%s)\n",
|
||||
session_info->server_info->domain_name,
|
||||
session_info->server_info->account_name,
|
||||
session_info->info->domain_name,
|
||||
session_info->info->account_name,
|
||||
dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
|
||||
|
||||
/* Performs the password change */
|
||||
@ -359,8 +359,8 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
|
||||
}
|
||||
|
||||
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
|
||||
session_info->server_info->domain_name,
|
||||
session_info->server_info->account_name,
|
||||
session_info->info->domain_name,
|
||||
session_info->info->account_name,
|
||||
dom_sid_string(mem_ctx, &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
|
||||
set_password_on_princ));
|
||||
ret = ldb_transaction_start(samdb);
|
||||
|
@ -28,10 +28,11 @@
|
||||
#include "auth/auth_sam_reply.h"
|
||||
#include "kdc/kdc-glue.h"
|
||||
#include "param/param.h"
|
||||
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
||||
|
||||
static
|
||||
NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
|
||||
struct auth_serversupplied_info *info,
|
||||
struct auth_user_info_dc *info,
|
||||
DATA_BLOB *pac_data)
|
||||
{
|
||||
struct netr_SamInfo3 *info3;
|
||||
@ -41,7 +42,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
|
||||
|
||||
ZERO_STRUCT(pac_info);
|
||||
|
||||
nt_status = auth_convert_server_info_saminfo3(mem_ctx, info, &info3);
|
||||
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(1, ("Getting Samba info failed: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
@ -139,7 +140,7 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
|
||||
DATA_BLOB **_pac_blob)
|
||||
{
|
||||
struct samba_kdc_entry *p = talloc_get_type(client->ctx, struct samba_kdc_entry);
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
DATA_BLOB *pac_blob;
|
||||
NTSTATUS nt_status;
|
||||
|
||||
@ -154,21 +155,21 @@ NTSTATUS samba_kdc_get_pac_blob(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
|
||||
nt_status = authsam_make_server_info(mem_ctx, p->kdc_db_ctx->samdb,
|
||||
nt_status = authsam_make_user_info_dc(mem_ctx, p->kdc_db_ctx->samdb,
|
||||
lpcfg_netbios_name(p->kdc_db_ctx->lp_ctx),
|
||||
lpcfg_sam_name(p->kdc_db_ctx->lp_ctx),
|
||||
p->realm_dn,
|
||||
p->msg,
|
||||
data_blob(NULL, 0),
|
||||
data_blob(NULL, 0),
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("Getting user info for PAC failed: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
nt_status = samba_get_logon_info_pac_blob(mem_ctx, server_info, pac_blob);
|
||||
nt_status = samba_get_logon_info_pac_blob(mem_ctx, user_info_dc, pac_blob);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
DEBUG(0, ("Building PAC failed: %s\n",
|
||||
nt_errstr(nt_status)));
|
||||
@ -183,18 +184,18 @@ NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
|
||||
krb5_context context,
|
||||
krb5_pac *pac, DATA_BLOB *pac_blob)
|
||||
{
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
krb5_error_code ret;
|
||||
NTSTATUS nt_status;
|
||||
|
||||
ret = kerberos_pac_to_server_info(mem_ctx, *pac,
|
||||
context, &server_info);
|
||||
ret = kerberos_pac_to_user_info_dc(mem_ctx, *pac,
|
||||
context, &user_info_dc, NULL, NULL);
|
||||
if (ret) {
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
nt_status = samba_get_logon_info_pac_blob(mem_ctx,
|
||||
server_info, pac_blob);
|
||||
user_info_dc, pac_blob);
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
@ -255,6 +255,7 @@ static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs,
|
||||
const struct tsocket_address *server_addr;
|
||||
int ret;
|
||||
DATA_BLOB delegated_creds = data_blob_null;
|
||||
struct auth_user_info_dc user_info_dc;
|
||||
|
||||
switch (oi->generic.level) {
|
||||
case RAW_OPEN_NTCREATEX:
|
||||
@ -309,9 +310,16 @@ static NTSTATUS ipc_open(struct ntvfs_module_context *ntvfs,
|
||||
state->req = req;
|
||||
state->oi = oi;
|
||||
|
||||
status = auth_convert_server_info_saminfo3(state,
|
||||
req->session_info->server_info,
|
||||
&state->info3);
|
||||
/* Disgusting hack to recreate the user_info_dc that should
|
||||
* not be used that this layer in this way */
|
||||
ZERO_STRUCT(user_info_dc);
|
||||
user_info_dc.info = req->session_info->info;
|
||||
user_info_dc.num_sids = req->session_info->torture->num_dc_sids;
|
||||
user_info_dc.sids = req->session_info->torture->dc_sids;
|
||||
|
||||
status = auth_convert_user_info_dc_saminfo3(state,
|
||||
&user_info_dc,
|
||||
&state->info3);
|
||||
NT_STATUS_NOT_OK_RETURN(status);
|
||||
|
||||
client_addr = ntvfs_get_local_address(ipriv->ntvfs);
|
||||
|
@ -3637,8 +3637,8 @@ static NTSTATUS dcesrv_lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLO
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->account_name);
|
||||
authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->server_info->domain_name);
|
||||
account_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->account_name);
|
||||
authority_name = talloc_reference(mem_ctx, dce_call->conn->auth_state.session_info->info->domain_name);
|
||||
|
||||
_account_name = talloc(mem_ctx, struct lsa_String);
|
||||
NT_STATUS_HAVE_NO_MEMORY(_account_name);
|
||||
|
@ -602,7 +602,7 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
|
||||
{
|
||||
struct auth_context *auth_context;
|
||||
struct auth_usersupplied_info *user_info;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
NTSTATUS nt_status;
|
||||
static const char zeros[16];
|
||||
struct netr_SamBaseInfo *sam;
|
||||
@ -734,13 +734,13 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
nt_status = auth_check_password(auth_context, mem_ctx, user_info, &server_info);
|
||||
nt_status = auth_check_password(auth_context, mem_ctx, user_info, &user_info_dc);
|
||||
/* TODO: set *r->out.authoritative = 0 on specific errors */
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
switch (r->in.validation_level) {
|
||||
case 2:
|
||||
nt_status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
|
||||
nt_status = auth_convert_user_info_dc_sambaseinfo(mem_ctx, user_info_dc, &sam);
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
sam2 = talloc_zero(mem_ctx, struct netr_SamInfo2);
|
||||
@ -755,8 +755,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
|
||||
break;
|
||||
|
||||
case 3:
|
||||
nt_status = auth_convert_server_info_saminfo3(mem_ctx,
|
||||
server_info,
|
||||
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
|
||||
user_info_dc,
|
||||
&sam3);
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
@ -766,8 +766,8 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base(struct dcesrv_call_state *dce_cal
|
||||
break;
|
||||
|
||||
case 6:
|
||||
nt_status = auth_convert_server_info_saminfo3(mem_ctx,
|
||||
server_info,
|
||||
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
|
||||
user_info_dc,
|
||||
&sam3);
|
||||
NT_STATUS_NOT_OK_RETURN(nt_status);
|
||||
|
||||
|
@ -208,7 +208,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
|
||||
{
|
||||
struct gp_context *gp_ctx;
|
||||
struct ldb_result *result;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_session_info *session_info;
|
||||
DATA_BLOB dummy = { NULL, 0 };
|
||||
const char **gpos;
|
||||
@ -227,7 +227,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
|
||||
}
|
||||
|
||||
/* Find the user in the directory. We need extended DN's for group expansion
|
||||
* in authsam_make_server_info */
|
||||
* in authsam_make_user_info_dc */
|
||||
rv = dsdb_search(gp_ctx->ldb_ctx,
|
||||
gp_ctx,
|
||||
&result,
|
||||
@ -251,7 +251,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
|
||||
|
||||
/* We need the server info, as this will contain the groups of this
|
||||
* user, needed for a token */
|
||||
status = authsam_make_server_info(gp_ctx,
|
||||
status = authsam_make_user_info_dc(gp_ctx,
|
||||
gp_ctx->ldb_ctx,
|
||||
lpcfg_netbios_name(gp_ctx->lp_ctx),
|
||||
lpcfg_sam_name(gp_ctx->lp_ctx),
|
||||
@ -259,7 +259,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
|
||||
result->msgs[0],
|
||||
dummy,
|
||||
dummy,
|
||||
&server_info);
|
||||
&user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0, ("Failed to make server information: %s\n", get_friendly_nt_error_msg(status)));
|
||||
talloc_free(gp_ctx);
|
||||
@ -267,7 +267,7 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
|
||||
}
|
||||
|
||||
/* The session info will contain the security token for this user */
|
||||
status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info);
|
||||
status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, user_info_dc, 0, &session_info);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status)));
|
||||
talloc_free(gp_ctx);
|
||||
|
@ -59,8 +59,8 @@ static NTSTATUS smbsrv_session_information(struct irpc_message *msg,
|
||||
info->client_ip = client_addr_string;
|
||||
|
||||
info->vuid = sess->vuid;
|
||||
info->account_name = sess->session_info->server_info->account_name;
|
||||
info->domain_name = sess->session_info->server_info->domain_name;
|
||||
info->account_name = sess->session_info->info->account_name;
|
||||
info->domain_name = sess->session_info->info->domain_name;
|
||||
|
||||
info->connect_time = timeval_to_nttime(&sess->statistics.connect_time);
|
||||
info->auth_time = timeval_to_nttime(&sess->statistics.auth_time);
|
||||
|
@ -68,24 +68,24 @@ static void sesssetup_old_send(struct tevent_req *subreq)
|
||||
struct smbsrv_request *req = state->req;
|
||||
|
||||
union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info;
|
||||
struct smbsrv_session *smb_sess;
|
||||
NTSTATUS status;
|
||||
uint32_t flags;
|
||||
|
||||
status = auth_check_password_recv(subreq, req, &server_info);
|
||||
status = auth_check_password_recv(subreq, req, &user_info_dc);
|
||||
TALLOC_FREE(subreq);
|
||||
if (!NT_STATUS_IS_OK(status)) goto failed;
|
||||
|
||||
flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
if (server_info->authenticated) {
|
||||
if (user_info_dc->info->authenticated) {
|
||||
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
|
||||
}
|
||||
/* This references server_info into session_info */
|
||||
/* This references user_info_dc into session_info */
|
||||
status = req->smb_conn->negotiate.auth_context->generate_session_info(req,
|
||||
req->smb_conn->negotiate.auth_context,
|
||||
server_info, flags, &session_info);
|
||||
user_info_dc, flags, &session_info);
|
||||
if (!NT_STATUS_IS_OK(status)) goto failed;
|
||||
|
||||
/* allocate a new session */
|
||||
@ -198,26 +198,25 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
|
||||
struct sesssetup_context *state = tevent_req_callback_data(subreq, struct sesssetup_context);
|
||||
struct smbsrv_request *req = state->req;
|
||||
union smb_sesssetup *sess = talloc_get_type(req->io_ptr, union smb_sesssetup);
|
||||
struct auth_serversupplied_info *server_info = NULL;
|
||||
struct auth_user_info_dc *user_info_dc = NULL;
|
||||
struct auth_session_info *session_info;
|
||||
struct smbsrv_session *smb_sess;
|
||||
|
||||
uint32_t flags;
|
||||
NTSTATUS status;
|
||||
|
||||
status = auth_check_password_recv(subreq, req, &server_info);
|
||||
status = auth_check_password_recv(subreq, req, &user_info_dc);
|
||||
TALLOC_FREE(subreq);
|
||||
if (!NT_STATUS_IS_OK(status)) goto failed;
|
||||
|
||||
flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
if (server_info->authenticated) {
|
||||
if (user_info_dc->info->authenticated) {
|
||||
flags |= AUTH_SESSION_INFO_AUTHENTICATED;
|
||||
}
|
||||
|
||||
/* This references server_info into session_info */
|
||||
/* This references user_info_dc into session_info */
|
||||
status = state->auth_context->generate_session_info(req,
|
||||
state->auth_context,
|
||||
server_info,
|
||||
user_info_dc,
|
||||
flags,
|
||||
&session_info);
|
||||
if (!NT_STATUS_IS_OK(status)) goto failed;
|
||||
|
@ -98,7 +98,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
|
||||
DATA_BLOB delegated_creds;
|
||||
|
||||
union netr_Validation val;
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_context *auth_context;
|
||||
uint32_t session_flags = 0;
|
||||
struct dom_sid *anonymous_sid;
|
||||
@ -140,12 +140,12 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
|
||||
if (info3) {
|
||||
val.sam3 = info3;
|
||||
|
||||
status = make_server_info_netlogon_validation(conn,
|
||||
status = make_user_info_dc_netlogon_validation(conn,
|
||||
val.sam3->base.account_name.string,
|
||||
3, &val, &server_info);
|
||||
3, &val, &user_info_dc);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
reason = talloc_asprintf(conn,
|
||||
"make_server_info_netlogon_validation "
|
||||
"make_user_info_dc_netlogon_validation "
|
||||
"returned: %s", nt_errstr(status));
|
||||
goto out;
|
||||
}
|
||||
@ -169,7 +169,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
|
||||
}
|
||||
|
||||
session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
|
||||
if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) {
|
||||
if (user_info_dc->num_sids > 1 && !dom_sid_equal(anonymous_sid, &user_info_dc->sids[0])) {
|
||||
session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
|
||||
}
|
||||
|
||||
@ -177,7 +177,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
|
||||
/* setup the session_info on the connection */
|
||||
status = auth_context->generate_session_info(conn,
|
||||
auth_context,
|
||||
server_info,
|
||||
user_info_dc,
|
||||
session_flags,
|
||||
&conn->session_info);
|
||||
talloc_free(auth_context);
|
||||
|
@ -29,6 +29,7 @@
|
||||
#include "torture/torture.h"
|
||||
#include "auth/auth_sam_reply.h"
|
||||
#include "param/param.h"
|
||||
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
||||
|
||||
static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
{
|
||||
@ -48,8 +49,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
|
||||
struct smb_krb5_context *smb_krb5_context;
|
||||
|
||||
struct auth_serversupplied_info *server_info;
|
||||
struct auth_serversupplied_info *server_info_out;
|
||||
struct auth_user_info_dc *user_info_dc;
|
||||
struct auth_user_info_dc *user_info_dc_out;
|
||||
|
||||
krb5_principal client_principal;
|
||||
time_t logon_time = time(NULL);
|
||||
@ -90,18 +91,18 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
}
|
||||
|
||||
/* We need an input, and this one requires no underlying database */
|
||||
nt_status = auth_anonymous_server_info(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &server_info);
|
||||
nt_status = auth_anonymous_user_info_dc(mem_ctx, lpcfg_netbios_name(tctx->lp_ctx), &user_info_dc);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
&server_keyblock);
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
&krbtgt_keyblock);
|
||||
torture_fail(tctx, "auth_anonymous_server_info");
|
||||
torture_fail(tctx, "auth_anonymous_user_info_dc");
|
||||
}
|
||||
|
||||
ret = krb5_parse_name_flags(smb_krb5_context->krb5_context,
|
||||
server_info->account_name,
|
||||
user_info_dc->info->account_name,
|
||||
KRB5_PRINCIPAL_PARSE_NO_REALM,
|
||||
&client_principal);
|
||||
if (ret) {
|
||||
@ -114,7 +115,7 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
|
||||
/* OK, go ahead and make a PAC */
|
||||
ret = kerberos_create_pac(mem_ctx,
|
||||
server_info,
|
||||
user_info_dc,
|
||||
smb_krb5_context->krb5_context,
|
||||
&krbtgt_keyblock,
|
||||
&server_keyblock,
|
||||
@ -162,14 +163,14 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
}
|
||||
|
||||
/* Now check we can read it back (using Heimdal's pac parsing) */
|
||||
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
|
||||
nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
|
||||
tmp_blob,
|
||||
smb_krb5_context->krb5_context,
|
||||
&server_info_out);
|
||||
&user_info_dc_out, NULL, NULL);
|
||||
|
||||
/* The user's SID is the first element in the list */
|
||||
if (!dom_sid_equal(server_info->sids,
|
||||
server_info_out->sids)) {
|
||||
if (!dom_sid_equal(user_info_dc->sids,
|
||||
user_info_dc_out->sids)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
&krbtgt_keyblock);
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
@ -180,10 +181,10 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
torture_fail(tctx,
|
||||
talloc_asprintf(tctx,
|
||||
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
|
||||
dom_sid_string(mem_ctx, server_info->sids),
|
||||
dom_sid_string(mem_ctx, server_info_out->sids)));
|
||||
dom_sid_string(mem_ctx, user_info_dc->sids),
|
||||
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
|
||||
}
|
||||
talloc_free(server_info_out);
|
||||
talloc_free(user_info_dc_out);
|
||||
|
||||
/* Now check that we can read it back (yet again) */
|
||||
nt_status = kerberos_pac_logon_info(mem_ctx,
|
||||
@ -219,10 +220,10 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
|
||||
/* And make a server info from the samba-parsed PAC */
|
||||
validation.sam3 = &logon_info->info3;
|
||||
nt_status = make_server_info_netlogon_validation(mem_ctx,
|
||||
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
|
||||
"",
|
||||
3, &validation,
|
||||
&server_info_out);
|
||||
&user_info_dc_out);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
torture_fail(tctx,
|
||||
talloc_asprintf(tctx,
|
||||
@ -230,13 +231,13 @@ static bool torture_pac_self_check(struct torture_context *tctx)
|
||||
nt_errstr(nt_status)));
|
||||
}
|
||||
|
||||
if (!dom_sid_equal(server_info->sids,
|
||||
server_info_out->sids)) {
|
||||
if (!dom_sid_equal(user_info_dc->sids,
|
||||
user_info_dc_out->sids)) {
|
||||
torture_fail(tctx,
|
||||
talloc_asprintf(tctx,
|
||||
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
|
||||
dom_sid_string(mem_ctx, server_info->sids),
|
||||
dom_sid_string(mem_ctx, server_info_out->sids)));
|
||||
dom_sid_string(mem_ctx, user_info_dc->sids),
|
||||
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
|
||||
}
|
||||
return true;
|
||||
}
|
||||
@ -298,7 +299,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
struct PAC_LOGON_INFO *logon_info;
|
||||
union netr_Validation validation;
|
||||
const char *pac_file, *pac_kdc_key, *pac_member_key;
|
||||
struct auth_serversupplied_info *server_info_out;
|
||||
struct auth_user_info_dc *user_info_dc_out;
|
||||
|
||||
krb5_keyblock server_keyblock;
|
||||
krb5_keyblock krbtgt_keyblock, *krbtgt_keyblock_p;
|
||||
@ -425,10 +426,11 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
}
|
||||
|
||||
/* Now check we can read it back (using Heimdal's pac parsing) */
|
||||
nt_status = kerberos_pac_blob_to_server_info(mem_ctx,
|
||||
nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
|
||||
tmp_blob,
|
||||
smb_krb5_context->krb5_context,
|
||||
&server_info_out);
|
||||
&user_info_dc_out,
|
||||
NULL, NULL);
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
@ -445,7 +447,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
if (!pac_file &&
|
||||
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
|
||||
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
|
||||
server_info_out->sids)) {
|
||||
user_info_dc_out->sids)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
krbtgt_keyblock_p);
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
@ -456,10 +458,10 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
talloc_asprintf(tctx,
|
||||
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
|
||||
"S-1-5-21-3048156945-3961193616-3706469200-1005",
|
||||
dom_sid_string(mem_ctx, server_info_out->sids)));
|
||||
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
|
||||
}
|
||||
|
||||
talloc_free(server_info_out);
|
||||
talloc_free(user_info_dc_out);
|
||||
|
||||
/* Parse the PAC again, for the logon info this time (using Samba4's parsing) */
|
||||
nt_status = kerberos_pac_logon_info(mem_ctx,
|
||||
@ -484,10 +486,10 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
}
|
||||
|
||||
validation.sam3 = &logon_info->info3;
|
||||
nt_status = make_server_info_netlogon_validation(mem_ctx,
|
||||
nt_status = make_user_info_dc_netlogon_validation(mem_ctx,
|
||||
"",
|
||||
3, &validation,
|
||||
&server_info_out);
|
||||
&user_info_dc_out);
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
krbtgt_keyblock_p);
|
||||
@ -504,7 +506,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
if (!pac_file &&
|
||||
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
|
||||
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
|
||||
server_info_out->sids)) {
|
||||
user_info_dc_out->sids)) {
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
krbtgt_keyblock_p);
|
||||
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
|
||||
@ -515,7 +517,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
talloc_asprintf(tctx,
|
||||
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
|
||||
"S-1-5-21-3048156945-3961193616-3706469200-1005",
|
||||
dom_sid_string(mem_ctx, server_info_out->sids)));
|
||||
dom_sid_string(mem_ctx, user_info_dc_out->sids)));
|
||||
}
|
||||
|
||||
if (krbtgt_bytes == NULL) {
|
||||
@ -578,7 +580,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
|
||||
}
|
||||
|
||||
ret = kerberos_create_pac(mem_ctx,
|
||||
server_info_out,
|
||||
user_info_dc_out,
|
||||
smb_krb5_context->krb5_context,
|
||||
krbtgt_keyblock_p,
|
||||
&server_keyblock,
|
||||
|
@ -32,6 +32,7 @@
|
||||
#include "libcli/auth/libcli_auth.h"
|
||||
#include "libcli/security/security.h"
|
||||
#include "librpc/gen_ndr/ndr_netlogon_c.h"
|
||||
#include "librpc/gen_ndr/ndr_krb5pac.h"
|
||||
#include "librpc/gen_ndr/ndr_samr_c.h"
|
||||
#include "param/param.h"
|
||||
|
||||
@ -130,19 +131,22 @@ static bool test_PACVerify(struct torture_context *tctx,
|
||||
|
||||
status = gensec_session_info(gensec_server_context, &session_info);
|
||||
torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed");
|
||||
|
||||
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
|
||||
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
|
||||
torture_assert(tctx, session_info->torture != NULL, "gensec_session_info failed to fill in torture sub struct");
|
||||
torture_assert(tctx, session_info->torture->pac_srv_sig != NULL, "pac_srv_sig not present");
|
||||
torture_assert(tctx, session_info->torture->pac_kdc_sig != NULL, "pac_kdc_sig not present");
|
||||
|
||||
pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
|
||||
pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
|
||||
pac_wrapped_struct.ChecksumAndSignature = payload
|
||||
= data_blob_talloc(tmp_ctx, NULL,
|
||||
pac_wrapped_struct.ChecksumLength
|
||||
+ pac_wrapped_struct.SignatureLength);
|
||||
memcpy(&payload.data[0],
|
||||
session_info->server_info->pac_srv_sig.signature.data,
|
||||
session_info->torture->pac_srv_sig->signature.data,
|
||||
pac_wrapped_struct.ChecksumLength);
|
||||
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
|
||||
session_info->server_info->pac_kdc_sig.signature.data,
|
||||
session_info->torture->pac_kdc_sig->signature.data,
|
||||
pac_wrapped_struct.SignatureLength);
|
||||
|
||||
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
|
||||
@ -160,8 +164,8 @@ static bool test_PACVerify(struct torture_context *tctx,
|
||||
generic.identity_info.parameter_control = 0;
|
||||
generic.identity_info.logon_id_high = 0;
|
||||
generic.identity_info.logon_id_low = 0;
|
||||
generic.identity_info.domain_name.string = session_info->server_info->domain_name;
|
||||
generic.identity_info.account_name.string = session_info->server_info->account_name;
|
||||
generic.identity_info.domain_name.string = session_info->info->domain_name;
|
||||
generic.identity_info.account_name.string = session_info->info->account_name;
|
||||
generic.identity_info.workstation.string = test_machine_name;
|
||||
|
||||
generic.package_name.string = "Kerberos";
|
||||
@ -233,22 +237,22 @@ static bool test_PACVerify(struct torture_context *tctx,
|
||||
&r.out.return_authenticator->cred),
|
||||
"Credential chaining failed");
|
||||
|
||||
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
|
||||
pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
|
||||
|
||||
/* Break the SignatureType */
|
||||
pac_wrapped_struct.SignatureType++;
|
||||
|
||||
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
|
||||
pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
|
||||
pac_wrapped_struct.ChecksumAndSignature = payload
|
||||
= data_blob_talloc(tmp_ctx, NULL,
|
||||
pac_wrapped_struct.ChecksumLength
|
||||
+ pac_wrapped_struct.SignatureLength);
|
||||
memcpy(&payload.data[0],
|
||||
session_info->server_info->pac_srv_sig.signature.data,
|
||||
session_info->torture->pac_srv_sig->signature.data,
|
||||
pac_wrapped_struct.ChecksumLength);
|
||||
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
|
||||
session_info->server_info->pac_kdc_sig.signature.data,
|
||||
session_info->torture->pac_kdc_sig->signature.data,
|
||||
pac_wrapped_struct.SignatureLength);
|
||||
|
||||
ndr_err = ndr_push_struct_blob(&pac_wrapped, tmp_ctx, &pac_wrapped_struct,
|
||||
@ -281,19 +285,19 @@ static bool test_PACVerify(struct torture_context *tctx,
|
||||
torture_assert(tctx, netlogon_creds_client_check(creds, &r.out.return_authenticator->cred),
|
||||
"Credential chaining failed");
|
||||
|
||||
pac_wrapped_struct.ChecksumLength = session_info->server_info->pac_srv_sig.signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->server_info->pac_kdc_sig.type;
|
||||
pac_wrapped_struct.SignatureLength = session_info->server_info->pac_kdc_sig.signature.length;
|
||||
pac_wrapped_struct.ChecksumLength = session_info->torture->pac_srv_sig->signature.length;
|
||||
pac_wrapped_struct.SignatureType = session_info->torture->pac_kdc_sig->type;
|
||||
pac_wrapped_struct.SignatureLength = session_info->torture->pac_kdc_sig->signature.length;
|
||||
|
||||
pac_wrapped_struct.ChecksumAndSignature = payload
|
||||
= data_blob_talloc(tmp_ctx, NULL,
|
||||
pac_wrapped_struct.ChecksumLength
|
||||
+ pac_wrapped_struct.SignatureLength);
|
||||
memcpy(&payload.data[0],
|
||||
session_info->server_info->pac_srv_sig.signature.data,
|
||||
session_info->torture->pac_srv_sig->signature.data,
|
||||
pac_wrapped_struct.ChecksumLength);
|
||||
memcpy(&payload.data[pac_wrapped_struct.ChecksumLength],
|
||||
session_info->server_info->pac_kdc_sig.signature.data,
|
||||
session_info->torture->pac_kdc_sig->signature.data,
|
||||
pac_wrapped_struct.SignatureLength);
|
||||
|
||||
/* Break the signature length */
|
||||
@ -405,7 +409,7 @@ static bool test_S2U4Self(struct torture_context *tctx,
|
||||
|
||||
struct auth_session_info *kinit_session_info;
|
||||
struct auth_session_info *s2u4self_session_info;
|
||||
struct auth_serversupplied_info *netlogon_server_info;
|
||||
struct auth_user_info_dc *netlogon_user_info_dc;
|
||||
|
||||
struct netr_NetworkInfo ninfo;
|
||||
DATA_BLOB names_blob, chal, lm_resp, nt_resp;
|
||||
@ -589,31 +593,31 @@ static bool test_S2U4Self(struct torture_context *tctx,
|
||||
&r.out.return_authenticator->cred),
|
||||
"Credential chaining failed");
|
||||
|
||||
status = make_server_info_netlogon_validation(tmp_ctx,
|
||||
status = make_user_info_dc_netlogon_validation(tmp_ctx,
|
||||
ninfo.identity_info.account_name.string,
|
||||
r.in.validation_level,
|
||||
r.out.validation,
|
||||
&netlogon_server_info);
|
||||
&netlogon_user_info_dc);
|
||||
|
||||
torture_assert_ntstatus_ok(tctx, status, "make_server_info_netlogon_validation failed");
|
||||
torture_assert_ntstatus_ok(tctx, status, "make_user_info_dc_netlogon_validation failed");
|
||||
|
||||
torture_assert_str_equal(tctx, netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name,
|
||||
kinit_session_info->server_info->account_name, "Account name differs for kinit-based PAC");
|
||||
torture_assert_str_equal(tctx,netlogon_server_info->account_name == NULL ? "" : netlogon_server_info->account_name,
|
||||
s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self");
|
||||
torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC");
|
||||
torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self");
|
||||
torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC");
|
||||
torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self");
|
||||
torture_assert_str_equal(tctx, netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
|
||||
kinit_session_info->info->account_name, "Account name differs for kinit-based PAC");
|
||||
torture_assert_str_equal(tctx,netlogon_user_info_dc->info->account_name == NULL ? "" : netlogon_user_info_dc->info->account_name,
|
||||
s2u4self_session_info->info->account_name, "Account name differs for S2U4Self");
|
||||
torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
|
||||
torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s2u4self_session_info->info->full_name, "Full name differs for S2U4Self");
|
||||
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
|
||||
torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s2u4self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S2U4Self");
|
||||
|
||||
builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
|
||||
|
||||
for (i = 0; i < kinit_session_info->server_info->num_sids; i++) {
|
||||
torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC");
|
||||
torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
|
||||
for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
|
||||
torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
|
||||
torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s2u4self_session_info->torture->dc_sids[i]), "Different domain groups for S2U4Self");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
|
||||
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
|
||||
}
|
||||
|
||||
return true;
|
||||
|
@ -707,8 +707,8 @@ static void manage_gensec_request(enum stdio_helper_mode stdio_helper_mode,
|
||||
|
||||
reply_code = "AF";
|
||||
reply_arg = talloc_asprintf(state->gensec_state,
|
||||
"%s%s%s", session_info->server_info->domain_name,
|
||||
lpcfg_winbind_separator(lp_ctx), session_info->server_info->account_name);
|
||||
"%s%s%s", session_info->info->domain_name,
|
||||
lpcfg_winbind_separator(lp_ctx), session_info->info->account_name);
|
||||
talloc_free(session_info);
|
||||
}
|
||||
} else if (state->gensec_state->gensec_role == GENSEC_CLIENT) {
|
||||
|
Loading…
Reference in New Issue
Block a user