sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Code

s3:auth use info3 in auth_serversupplied_info

Browse Source 
Signed-off-by: Günther Deschner <gd@samba.org>
This commit is contained in:
Simo Sorce 2010-05-27 03:41:56 -04:00 committed by Günther Deschner
parent 6713f3d945
commit d9cffc01be
18 changed files with 167 additions and 614 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

407
source3/auth/auth_util.c
View File

@ -455,7 +455,7 @@ static NTSTATUS log_nt_token(NT_USER_TOKEN *token)
}
/*
* Create the token to use from server_info->sam_account and
* Create the token to use from server_info->info3 and
* server_info->sids (the info3/sam groups). Find the unix gids.
*/
@ -464,6 +464,7 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
NTSTATUS status;
size_t i;
struct dom_sid tmp_sid;
struct dom_sid user_sid;
/*
* If winbind is not around, we can not make much use of the SIDs the
@ -482,9 +483,13 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
&server_info->ptok);
} else {
sid_compose(&user_sid,
server_info->info3->base.domain_sid,
server_info->info3->base.rid);
server_info->ptok = create_local_nt_token(
server_info,
pdb_get_user_sid(server_info->sam_account),
&user_sid,
server_info->guest,
server_info->num_sids, server_info->sids);
status = server_info->ptok ?
@ -592,7 +597,16 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_MEMORY;
}
result->sam_account = sampass;
status = samu_to_SamInfo3(result, sampass,
global_myname(), &result->info3);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("Failed to convert samu to info3: %s\n",
nt_errstr(status)));
TALLOC_FREE(sampass);
TALLOC_FREE(result);
return status;
}
result->unix_name = talloc_strdup(result, unix_username);
result->sanitized_username = sanitize_username(result, unix_username);
@ -614,10 +628,13 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
nt_errstr(status)));
TALLOC_FREE(sampass);
TALLOC_FREE(result);
return status;
}
TALLOC_FREE(sampass);
/*
* The SID returned in server_info->sam_account is based
* on our SAM sid even though for a pure UNIX account this should
@ -661,6 +678,7 @@ NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_SUCH_USER;
}
/* FIXME: add to info3 too ? */
status = add_sid_to_array_unique(result, &u_sid,
&result->sids,
&result->num_sids);
@ -812,13 +830,8 @@ struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
dst->lm_session_key = data_blob_talloc(dst, src->lm_session_key.data,
src->lm_session_key.length);
dst->sam_account = samu_new(NULL);
if (!dst->sam_account) {
TALLOC_FREE(dst);
return NULL;
}
if (!pdb_copy_sam_account(dst->sam_account, src->sam_account)) {
dst->info3 = copy_netr_SamInfo3(dst, src->info3);
if (!dst->info3) {
TALLOC_FREE(dst);
return NULL;
}
@ -901,15 +914,12 @@ bool copy_current_user(struct current_user *dst, struct current_user *src)
/***************************************************************************
Purely internal function for make_server_info_info3
Fill the sam account from getpwnam
***************************************************************************/
static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
const char *domain,
const char *username,
char **found_username,
uid_t *uid, gid_t *gid,
struct samu *account,
bool *username_was_mapped)
static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
const char *username, char **found_username,
uid_t *uid, gid_t *gid,
bool *username_was_mapped)
{
struct smbd_server_connection *sconn = smbd_server_conn;
NTSTATUS nt_status;
@ -923,7 +933,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
fstr_sprintf(dom_user, "%s%c%s", domain, *lp_winbind_separator(),
lower_username);
/* Get the passwd struct. Try to create the account is necessary. */
/* Get the passwd struct. Try to create the account if necessary. */
*username_was_mapped = map_username(sconn, dom_user);
@ -941,10 +951,6 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx,
*found_username = talloc_strdup( mem_ctx, real_username );
DEBUG(5,("fill_sam_account: located username was [%s]\n", *found_username));
nt_status = samu_set_unix( account, passwd );
TALLOC_FREE(passwd);
return nt_status;
@ -1051,7 +1057,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
struct samu *sam_account = NULL;
struct dom_sid user_sid;
struct dom_sid group_sid;
bool username_was_mapped;
@ -1090,8 +1095,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
nt_domain = domain;
}
/* try to fill the SAM account.. If getpwnam() fails, then try the
add user script (2.2.x behavior).
/* If getpwnam() fails try the add user script (2.2.x behavior).
We use the _unmapped_ username here in an attempt to provide
consistent username mapping behavior between kerberos and NTLM[SSP]
@ -1102,129 +1106,18 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
that is how the current code is designed. Making the change here
is the least disruptive place. -- jerry */
if ( !(sam_account = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
}
/* this call will try to create the user if necessary */
nt_status = fill_sam_account(mem_ctx, nt_domain, sent_nt_username,
&found_username, &uid, &gid, sam_account,
nt_status = check_account(mem_ctx, nt_domain, sent_nt_username,
&found_username, &uid, &gid,
&username_was_mapped);
/* if we still don't have a valid unix account check for
'map to guest = bad uid' */
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE( sam_account );
if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
make_server_info_guest(NULL, server_info);
return NT_STATUS_OK;
}
return nt_status;
}
if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_fullname(sam_account,
info3->base.full_name.string,
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_logon_script(sam_account,
info3->base.logon_script.string,
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_profile_path(sam_account,
info3->base.profile_path.string,
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_homedir(sam_account,
info3->base.home_directory.string,
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_dir_drive(sam_account,
info3->base.home_drive.string,
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_acct_ctrl(sam_account, info3->base.acct_flags, PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_last_set_time(
sam_account,
nt_time_to_unix(info3->base.last_password_change),
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_can_change_time(
sam_account,
nt_time_to_unix(info3->base.allow_password_change),
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_must_change_time(
sam_account,
nt_time_to_unix(info3->base.force_password_change),
PDB_CHANGED)) {
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
result = make_server_info(NULL);
if (result == NULL) {
DEBUG(4, ("make_server_info failed!\n"));
TALLOC_FREE(sam_account);
return NT_STATUS_NO_MEMORY;
}
/* save this here to _net_sam_logon() doesn't fail (it assumes a
valid struct samu) */
result->sam_account = sam_account;
result->unix_name = talloc_strdup(result, found_username);
result->sanitized_username = sanitize_username(result,
@ -1234,6 +1127,9 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
/* copy in the info3 */
result->info3 = copy_netr_SamInfo3(result, info3);
/* Fill in the unix info we found on the way */
result->utok.uid = uid;
@ -1294,237 +1190,16 @@ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
const struct wbcAuthUserInfo *info,
struct auth_serversupplied_info **server_info)
{
static const char zeros[16] = {0, };
struct netr_SamInfo3 *info3;
NTSTATUS nt_status = NT_STATUS_OK;
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
struct samu *sam_account = NULL;
struct dom_sid user_sid;
struct dom_sid group_sid;
bool username_was_mapped;
uint32_t i;
uid_t uid = (uid_t)-1;
gid_t gid = (gid_t)-1;
struct auth_serversupplied_info *result;
result = make_server_info(NULL);
if (result == NULL) {
DEBUG(4, ("make_server_info failed!\n"));
info3 = wbcAuthUserInfo_to_netr_SamInfo3(mem_ctx, info);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
/*
Here is where we should check the list of
trusted domains, and verify that the SID
matches.
*/
memcpy(&user_sid, &info->sids[0].sid, sizeof(user_sid));
memcpy(&group_sid, &info->sids[1].sid, sizeof(group_sid));
if (info->account_name) {
nt_username = talloc_strdup(result, info->account_name);
} else {
/* If the server didn't give us one, just use the one we sent
* them */
nt_username = talloc_strdup(result, sent_nt_username);
}
if (!nt_username) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (info->domain_name) {
nt_domain = talloc_strdup(result, info->domain_name);
} else {
/* If the server didn't give us one, just use the one we sent
* them */
nt_domain = talloc_strdup(result, domain);
}
if (!nt_domain) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* try to fill the SAM account.. If getpwnam() fails, then try the
add user script (2.2.x behavior).
We use the _unmapped_ username here in an attempt to provide
consistent username mapping behavior between kerberos and NTLM[SSP]
authentication in domain mode security. I.E. Username mapping
should be applied to the fully qualified username
(e.g. DOMAIN\user) and not just the login name. Yes this means we
called map_username() unnecessarily in make_user_info_map() but
that is how the current code is designed. Making the change here
is the least disruptive place. -- jerry */
if ( !(sam_account = samu_new( result )) ) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* this call will try to create the user if necessary */
nt_status = fill_sam_account(result, nt_domain, sent_nt_username,
&found_username, &uid, &gid, sam_account,
&username_was_mapped);
/* if we still don't have a valid unix account check for
'map to guest = bad uid' */
if (!NT_STATUS_IS_OK(nt_status)) {
TALLOC_FREE( result );
if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
make_server_info_guest(NULL, server_info);
return NT_STATUS_OK;
}
return nt_status;
}
if (!pdb_set_nt_username(sam_account, nt_username, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_username(sam_account, nt_username, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_domain(sam_account, nt_domain, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_user_sid(sam_account, &user_sid, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_group_sid(sam_account, &group_sid, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_UNSUCCESSFUL;
}
if (!pdb_set_fullname(sam_account, info->full_name, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_logon_script(sam_account, info->logon_script, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_profile_path(sam_account, info->profile_path, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_homedir(sam_account, info->home_directory, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_dir_drive(sam_account, info->home_drive, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_acct_ctrl(sam_account, info->acct_flags, PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_last_set_time(
sam_account,
nt_time_to_unix(info->pass_last_set_time),
PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_can_change_time(
sam_account,
nt_time_to_unix(info->pass_can_change_time),
PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
if (!pdb_set_pass_must_change_time(
sam_account,
nt_time_to_unix(info->pass_must_change_time),
PDB_CHANGED)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* save this here to _net_sam_logon() doesn't fail (it assumes a
valid struct samu) */
result->sam_account = sam_account;
result->unix_name = talloc_strdup(result, found_username);
result->sanitized_username = sanitize_username(result,
result->unix_name);
result->login_server = talloc_strdup(result, info->logon_server);
if ((result->unix_name == NULL)
|| (result->sanitized_username == NULL)
|| (result->login_server == NULL)) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
/* Fill in the unix info we found on the way */
result->utok.uid = uid;
result->utok.gid = gid;
/* Create a 'combined' list of all SIDs we might want in the SD */
result->num_sids = info->num_sids - 2;
result->sids = talloc_array(result, struct dom_sid, result->num_sids);
if (result->sids == NULL) {
TALLOC_FREE(result);
return NT_STATUS_NO_MEMORY;
}
for (i=0; i < result->num_sids; i++) {
memcpy(&result->sids[i], &info->sids[i+2].sid, sizeof(result->sids[i]));
}
/* Ensure the primary group sid is at position 0. */
sort_sid_array_for_smbd(result, &group_sid);
/* ensure we are never given NULL session keys */
if (memcmp(info->user_session_key, zeros, sizeof(zeros)) == 0) {
result->user_session_key = data_blob_null;
} else {
result->user_session_key = data_blob_talloc(
result, info->user_session_key,
sizeof(info->user_session_key));
}
if (memcmp(info->lm_session_key, zeros, 8) == 0) {
result->lm_session_key = data_blob_null;
} else {
result->lm_session_key = data_blob_talloc(
result, info->lm_session_key,
sizeof(info->lm_session_key));
}
result->nss_token |= username_was_mapped;
*server_info = result;
return NT_STATUS_OK;
return make_server_info_info3(mem_ctx,
sent_nt_username, domain,
server_info, info3);
}
/**

295
source3/auth/server_info.c
View File

@ -23,9 +23,10 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
/* FIXME: do we really still need this ? */
static int server_info_dtor(struct auth_serversupplied_info *server_info)
{
TALLOC_FREE(server_info->sam_account);
TALLOC_FREE(server_info->info3);
ZERO_STRUCTP(server_info);
return 0;
}
@ -55,191 +56,6 @@ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx)
return result;
}
/*******************************************************************
gets a domain user's groups from their already-calculated NT_USER_TOKEN
********************************************************************/
static NTSTATUS nt_token_to_group_list(TALLOC_CTX *mem_ctx,
const struct dom_sid *domain_sid,
size_t num_sids,
const struct dom_sid *sids,
int *numgroups,
struct samr_RidWithAttribute **pgids)
{
int i;
*numgroups=0;
*pgids = NULL;
for (i=0; i<num_sids; i++) {
struct samr_RidWithAttribute gid;
if (!sid_peek_check_rid(domain_sid, &sids[i], &gid.rid)) {
continue;
}
gid.attributes = (SE_GROUP_MANDATORY|SE_GROUP_ENABLED_BY_DEFAULT|
SE_GROUP_ENABLED);
ADD_TO_ARRAY(mem_ctx, struct samr_RidWithAttribute,
gid, pgids, numgroups);
if (*pgids == NULL) {
return NT_STATUS_NO_MEMORY;
}
}
return NT_STATUS_OK;
}
/****************************************************************************
inits a netr_SamBaseInfo structure from an auth_serversupplied_info.
*****************************************************************************/
static NTSTATUS serverinfo_to_SamInfo_base(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
uint8_t *pipe_session_key,
size_t pipe_session_key_len,
struct netr_SamBaseInfo *base)
{
struct samu *sampw;
struct samr_RidWithAttribute *gids = NULL;
const struct dom_sid *user_sid = NULL;
const struct dom_sid *group_sid = NULL;
struct dom_sid domain_sid;
uint32 user_rid, group_rid;
NTSTATUS status;
int num_gids = 0;
const char *my_name;
struct netr_UserSessionKey user_session_key;
struct netr_LMSessionKey lm_session_key;
NTTIME last_logon, last_logoff, acct_expiry, last_password_change;
NTTIME allow_password_change, force_password_change;
struct samr_RidWithAttributeArray groups;
int i;
struct dom_sid2 *sid = NULL;
ZERO_STRUCT(user_session_key);
ZERO_STRUCT(lm_session_key);
sampw = server_info->sam_account;
user_sid = pdb_get_user_sid(sampw);
group_sid = pdb_get_group_sid(sampw);
if (pipe_session_key && pipe_session_key_len != 16) {
DEBUG(0,("serverinfo_to_SamInfo3: invalid "
"pipe_session_key_len[%zu] != 16\n",
pipe_session_key_len));
return NT_STATUS_INTERNAL_ERROR;
}
if ((user_sid == NULL) || (group_sid == NULL)) {
DEBUG(1, ("_netr_LogonSamLogon: User without group or user SID\n"));
return NT_STATUS_UNSUCCESSFUL;
}
sid_copy(&domain_sid, user_sid);
sid_split_rid(&domain_sid, &user_rid);
sid = sid_dup_talloc(mem_ctx, &domain_sid);
if (!sid) {
return NT_STATUS_NO_MEMORY;
}
if (!sid_peek_check_rid(&domain_sid, group_sid, &group_rid)) {
DEBUG(1, ("_netr_LogonSamLogon: user %s\\%s has user sid "
"%s\n but group sid %s.\n"
"The conflicting domain portions are not "
"supported for NETLOGON calls\n",
pdb_get_domain(sampw),
pdb_get_username(sampw),
sid_string_dbg(user_sid),
sid_string_dbg(group_sid)));
return NT_STATUS_UNSUCCESSFUL;
}
if(server_info->login_server) {
my_name = server_info->login_server;
} else {
my_name = global_myname();
}
status = nt_token_to_group_list(mem_ctx, &domain_sid,
server_info->num_sids,
server_info->sids,
&num_gids, &gids);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (server_info->user_session_key.length) {
memcpy(user_session_key.key,
server_info->user_session_key.data,
MIN(sizeof(user_session_key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
arcfour_crypt(user_session_key.key, pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
memcpy(lm_session_key.key,
server_info->lm_session_key.data,
MIN(sizeof(lm_session_key.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
arcfour_crypt(lm_session_key.key, pipe_session_key, 8);
}
}
groups.count = num_gids;
groups.rids = TALLOC_ARRAY(mem_ctx, struct samr_RidWithAttribute, groups.count);
if (!groups.rids) {
return NT_STATUS_NO_MEMORY;
}
for (i=0; i < groups.count; i++) {
groups.rids[i].rid = gids[i].rid;
groups.rids[i].attributes = gids[i].attributes;
}
unix_to_nt_time(&last_logon, pdb_get_logon_time(sampw));
unix_to_nt_time(&last_logoff, get_time_t_max());
unix_to_nt_time(&acct_expiry, get_time_t_max());
unix_to_nt_time(&last_password_change, pdb_get_pass_last_set_time(sampw));
unix_to_nt_time(&allow_password_change, pdb_get_pass_can_change_time(sampw));
unix_to_nt_time(&force_password_change, pdb_get_pass_must_change_time(sampw));
base->last_logon = last_logon;
base->last_logoff = last_logoff;
base->acct_expiry = acct_expiry;
base->last_password_change = last_password_change;
base->allow_password_change = allow_password_change;
base->force_password_change = force_password_change;
base->account_name.string = talloc_strdup(mem_ctx, pdb_get_username(sampw));
base->full_name.string = talloc_strdup(mem_ctx, pdb_get_fullname(sampw));
base->logon_script.string = talloc_strdup(mem_ctx, pdb_get_logon_script(sampw));
base->profile_path.string = talloc_strdup(mem_ctx, pdb_get_profile_path(sampw));
base->home_directory.string = talloc_strdup(mem_ctx, pdb_get_homedir(sampw));
base->home_drive.string = talloc_strdup(mem_ctx, pdb_get_dir_drive(sampw));
base->logon_count = 0; /* ?? */
base->bad_password_count = 0; /* ?? */
base->rid = user_rid;
base->primary_gid = group_rid;
base->groups = groups;
base->user_flags = NETLOGON_EXTRA_SIDS;
base->key = user_session_key;
base->logon_server.string = talloc_strdup(mem_ctx, my_name);
base->domain.string = talloc_strdup(mem_ctx, pdb_get_domain(sampw));
base->domain_sid = sid;
base->LMSessKey = lm_session_key;
base->acct_flags = pdb_get_acct_ctrl(sampw);
ZERO_STRUCT(user_session_key);
ZERO_STRUCT(lm_session_key);
return NT_STATUS_OK;
}
/****************************************************************************
inits a netr_SamInfo2 structure from an auth_serversupplied_info. sam2 must
already be initialized and is used as the talloc parent for its members.
@ -250,17 +66,36 @@ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
size_t pipe_session_key_len,
struct netr_SamInfo2 *sam2)
{
NTSTATUS status;
struct netr_SamInfo3 *info3;
status = serverinfo_to_SamInfo_base(sam2,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam2->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
info3 = copy_netr_SamInfo3(sam2, server_info->info3);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
if (server_info->user_session_key.length) {
memcpy(info3->base.key.key,
server_info->user_session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.key.key,
pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.LMSessKey.key,
pipe_session_key, 8);
}
}
sam2->base = info3->base;
return NT_STATUS_OK;
}
@ -274,17 +109,36 @@ NTSTATUS serverinfo_to_SamInfo3(struct auth_serversupplied_info *server_info,
size_t pipe_session_key_len,
struct netr_SamInfo3 *sam3)
{
NTSTATUS status;
struct netr_SamInfo3 *info3;
status = serverinfo_to_SamInfo_base(sam3,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam3->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
info3 = copy_netr_SamInfo3(sam3, server_info->info3);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
if (server_info->user_session_key.length) {
memcpy(info3->base.key.key,
server_info->user_session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.key.key,
pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.LMSessKey.key,
pipe_session_key, 8);
}
}
sam3->base = info3->base;
sam3->sidcount = 0;
sam3->sids = NULL;
@ -301,8 +155,8 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
size_t pipe_session_key_len,
struct netr_SamInfo6 *sam6)
{
NTSTATUS status;
struct pdb_domain_info *dominfo;
struct netr_SamInfo3 *info3;
if ((pdb_capabilities() & PDB_CAP_ADS) == 0) {
DEBUG(10,("Not adding validation info level 6 "
@ -315,15 +169,34 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
return NT_STATUS_NO_MEMORY;
}
status = serverinfo_to_SamInfo_base(sam6,
server_info,
pipe_session_key,
pipe_session_key_len,
&sam6->base);
if (!NT_STATUS_IS_OK(status)) {
return status;
info3 = copy_netr_SamInfo3(sam6, server_info->info3);
if (!info3) {
return NT_STATUS_NO_MEMORY;
}
if (server_info->user_session_key.length) {
memcpy(info3->base.key.key,
server_info->user_session_key.data,
MIN(sizeof(info3->base.key.key),
server_info->user_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.key.key,
pipe_session_key, 16);
}
}
if (server_info->lm_session_key.length) {
memcpy(info3->base.LMSessKey.key,
server_info->lm_session_key.data,
MIN(sizeof(info3->base.LMSessKey.key),
server_info->lm_session_key.length));
if (pipe_session_key) {
arcfour_crypt(info3->base.LMSessKey.key,
pipe_session_key, 8);
}
}
sam6->base = info3->base;
sam6->sidcount = 0;
sam6->sids = NULL;
@ -333,7 +206,7 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
}
sam6->principle.string = talloc_asprintf(sam6, "%s@%s",
pdb_get_username(server_info->sam_account),
sam6->base.account_name.string,
sam6->dns_domainname.string);
if (sam6->principle.string == NULL) {
return NT_STATUS_NO_MEMORY;

9
source3/auth/server_info_sam.c
View File

@ -77,7 +77,13 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
return NT_STATUS_NO_SUCH_USER;
}
result->sam_account = sampass;
status = samu_to_SamInfo3(result, sampass,
global_myname(), &result->info3);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return status;
}
result->unix_name = pwd->pw_name;
/* Ensure that we keep pwd->pw_name, because we will free pwd below */
talloc_steal(result, pwd->pw_name);
@ -128,7 +134,6 @@ NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10, ("pdb_enum_group_memberships failed: %s\n",
nt_errstr(status)));
result->sam_account = NULL; /* Don't free on error exit. */
TALLOC_FREE(result);
return status;
}

2
source3/include/auth.h
View File

@ -58,7 +58,7 @@ struct auth_serversupplied_info {
char *login_server; /* which server authorized the login? */
struct samu *sam_account;
struct netr_SamInfo3 *info3;
void *pam_handle;

2
source3/modules/vfs_expand_msdfs.c
View File

@ -147,7 +147,7 @@ static char *expand_msdfs_target(TALLOC_CTX *ctx,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
targethost);
DEBUG(10, ("Expanded targethost to %s\n", targethost));

2
source3/modules/vfs_full_audit.c
View File

@ -396,7 +396,7 @@ static char *audit_prefix(TALLOC_CTX *ctx, connection_struct *conn)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
prefix);
TALLOC_FREE(prefix);
return result;

2
source3/modules/vfs_recycle.c
View File

@ -467,7 +467,7 @@ static int recycle_unlink(vfs_handle_struct *handle,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
recycle_repository(handle));
ALLOC_CHECK(repository, done);
/* shouldn't we allow absolute path names here? --metze */

6
source3/modules/vfs_smb_traffic_analyzer.c
View File

@ -356,8 +356,8 @@ static char *smb_traffic_analyzer_create_string( TALLOC_CTX *ctx,
(unsigned int) strlen(handle->conn->connectpath),
handle->conn->connectpath,
(unsigned int)
strlen(pdb_get_domain(handle->conn->server_info->sam_account)),
pdb_get_domain(handle->conn->server_info->sam_account),
strlen(handle->conn->server_info->info3->base.domain.string),
handle->conn->server_info->info3->base.domain.string,
(unsigned int) strlen(timestr),
timestr);
@ -460,7 +460,7 @@ static void smb_traffic_analyzer_send_data(vfs_handle_struct *handle,
"\"%04d-%02d-%02d %02d:%02d:%02d.%03d\"\n",
(unsigned int) s_data->len,
username,
pdb_get_domain(handle->conn->server_info->sam_account),
handle->conn->server_info->info3->base.domain.string,
Write ? 'W' : 'R',
handle->conn->connectpath,
s_data->filename,

2
source3/printing/printing.c
View File

@ -2487,7 +2487,7 @@ uint32 print_job_start(struct auth_serversupplied_info *server_info, int snum,
standard_sub_advanced(sharename, server_info->sanitized_username,
path, server_info->utok.gid,
server_info->sanitized_username,
pdb_get_domain(server_info->sam_account),
server_info->info3->base.domain.string,
pjob.user, sizeof(pjob.user)-1);
/* ensure NULL termination */
pjob.user[sizeof(pjob.user)-1] = '\0';

2
source3/rpc_server/srv_lsa_nt.c
View File

@ -1654,7 +1654,7 @@ NTSTATUS _lsa_GetUserName(pipes_struct *p,
}
} else {
username = p->server_info->sanitized_username;
domname = pdb_get_domain(p->server_info->sam_account);
domname = p->server_info->info3->base.domain.string;
}
account_name = TALLOC_P(p->mem_ctx, struct lsa_String);

2
source3/rpc_server/srv_netlog_nt.c
View File

@ -194,7 +194,7 @@ WERROR _netr_LogonControl2Ex(pipes_struct *p,
return WERR_INVALID_PARAM;
}
acct_ctrl = pdb_get_acct_ctrl(p->server_info->sam_account);
acct_ctrl = p->server_info->info3->base.acct_flags;
switch (r->in.function_code) {
case NETLOGON_CONTROL_TC_VERIFY:

9
source3/smbd/lanman.c
View File

@ -113,7 +113,7 @@ static int CopyExpanded(connection_struct *conn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
buf);
if (!buf) {
*p_space_remaining = 0;
@ -164,7 +164,7 @@ static int StrlenExpanded(connection_struct *conn, int snum, char *s)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
buf);
if (!buf) {
return 0;
@ -4455,8 +4455,9 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid,
}
PACKS(&desc,"z",lp_workgroup());/* domain */
PACKS(&desc,"z", vuser ? pdb_get_logon_script(
vuser->server_info->sam_account) : ""); /* script path */
PACKS(&desc,"z", vuser ?
vuser->server_info->info3->base.logon_script.string
: ""); /* script path */
PACKI(&desc,"D",0x00000000); /* reserved */
}

6
source3/smbd/password.c
View File

@ -274,12 +274,12 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
(unsigned int)vuser->server_info->utok.gid,
vuser->server_info->unix_name,
vuser->server_info->sanitized_username,
pdb_get_domain(vuser->server_info->sam_account),
vuser->server_info->info3->base.domain.string,
vuser->server_info->guest ));
DEBUG(3, ("register_existing_vuid: User name: %s\t"
"Real name: %s\n", vuser->server_info->unix_name,
pdb_get_fullname(vuser->server_info->sam_account)));
vuser->server_info->info3->base.full_name.string));
if (!vuser->server_info->ptok) {
DEBUG(1, ("register_existing_vuid: server_info does not "
@ -324,7 +324,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
set_current_user_info(
vuser->server_info->sanitized_username,
vuser->server_info->unix_name,
pdb_get_domain(vuser->server_info->sam_account));
vuser->server_info->info3->base.domain.string);
return vuser->vuid;

3
source3/smbd/process.c
View File

@ -1451,8 +1451,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
set_current_user_info(
vuser->server_info->sanitized_username,
vuser->server_info->unix_name,
pdb_get_domain(vuser->server_info
->sam_account));
vuser->server_info->info3->base.domain.string);
}
}
}

12
source3/smbd/service.c
View File

@ -589,7 +589,7 @@ static NTSTATUS create_connection_server_info(struct smbd_server_connection *sco
}
} else {
if (!user_ok_token(vuid_serverinfo->unix_name,
pdb_get_domain(vuid_serverinfo->sam_account),
vuid_serverinfo->info3->base.domain.string,
vuid_serverinfo->ptok, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
@ -788,7 +788,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
lp_pathname(snum));
if (!s) {
*pstatus = NT_STATUS_NO_MEMORY;
@ -915,7 +915,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
@ -953,7 +953,7 @@ connection_struct *make_connection_snum(struct smbd_server_connection *sconn,
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
@ -1257,7 +1257,7 @@ void close_cnum(connection_struct *conn, uint16 vuid)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
lp_postexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);
@ -1273,7 +1273,7 @@ void close_cnum(connection_struct *conn, uint16 vuid)
conn->connectpath,
conn->server_info->utok.gid,
conn->server_info->sanitized_username,
pdb_get_domain(conn->server_info->sam_account),
conn->server_info->info3->base.domain.string,
lp_rootpostexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);

6
source3/smbd/sesssetup.c
View File

@ -529,9 +529,9 @@ static void reply_spnego_kerberos(struct smb_request *req,
* we end up with the local netbios name in substitutions for
* %D. */
if (server_info->sam_account != NULL) {
pdb_set_domain(server_info->sam_account,
domain, PDB_SET);
if (server_info->info3 != NULL) {
server_info->info3->base.domain.string =
talloc_strdup(server_info->info3, domain);
}
}

8
source3/smbd/smb2_sesssetup.c
View File

@ -371,9 +371,9 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
* we end up with the local netbios name in substitutions for
* %D. */
if (session->server_info->sam_account != NULL) {
pdb_set_domain(session->server_info->sam_account,
domain, PDB_SET);
if (session->server_info->info3 != NULL) {
session->server_info->info3->base.domain.string =
talloc_strdup(session->server_info->info3, domain);
}
}
@ -979,7 +979,7 @@ NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
set_current_user_info(session->server_info->sanitized_username,
session->server_info->unix_name,
pdb_get_domain(session->server_info->sam_account));
session->server_info->info3->base.domain.string);
req->session = session;

6
source3/smbd/uid.c
View File

@ -104,13 +104,13 @@ static bool check_user_ok(connection_struct *conn,
}
if (!user_ok_token(server_info->unix_name,
pdb_get_domain(server_info->sam_account),
server_info->info3->base.domain.string,
server_info->ptok, snum))
return(False);
readonly_share = is_share_read_only_for_token(
server_info->unix_name,
pdb_get_domain(server_info->sam_account),
server_info->info3->base.domain.string,
server_info->ptok,
conn);
@ -132,7 +132,7 @@ static bool check_user_ok(connection_struct *conn,
admin_user = token_contains_name_in_list(
server_info->unix_name,
pdb_get_domain(server_info->sam_account),
server_info->info3->base.domain.string,
NULL, server_info->ptok, lp_admin_users(snum));
if (valid_vuid) {