s4-auth Move conversion of security_token to unix_token to auth
This allows us to honour the AUTH_SESSION_INFO_UNIX_TOKEN flag. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
This commit is contained in:
parent
e84b8a72bd
commit
f5963aad18
@ -157,7 +157,9 @@ struct auth_critical_sizes {
|
||||
const struct auth_usersupplied_info *user_info_in,
|
||||
const struct auth_usersupplied_info **user_info_encrypted);
|
||||
|
||||
struct wbc_context;
|
||||
#include "auth/session.h"
|
||||
#include "auth/unix_token_proto.h"
|
||||
#include "auth/system_session_proto.h"
|
||||
#include "libcli/security/security.h"
|
||||
|
||||
|
@ -26,7 +26,7 @@
|
||||
#include "auth/ntlm/auth_proto.h"
|
||||
#include "param/param.h"
|
||||
#include "dsdb/samdb/samdb.h"
|
||||
|
||||
#include "libcli/wbclient/wbclient.h"
|
||||
|
||||
/***************************************************************************
|
||||
Set a fixed challenge
|
||||
@ -407,16 +407,35 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
|
||||
}
|
||||
|
||||
/* Wrapper because we don't want to expose all callers to needing to
|
||||
* know that session_info is generated from the main ldb */
|
||||
* know that session_info is generated from the main ldb, and because we need to break a depenency loop between the DCE/RPC layer and the generation of unix tokens via IRPC */
|
||||
static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
|
||||
struct auth4_context *auth_context,
|
||||
struct auth_user_info_dc *user_info_dc,
|
||||
uint32_t session_info_flags,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
|
||||
NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
|
||||
auth_context->sam_ctx, user_info_dc,
|
||||
session_info_flags, session_info);
|
||||
if ((session_info_flags & AUTH_SESSION_INFO_UNIX_TOKEN)
|
||||
&& NT_STATUS_IS_OK(status)) {
|
||||
struct wbc_context *wbc_ctx = wbc_init(auth_context,
|
||||
auth_context->msg_ctx,
|
||||
auth_context->event_ctx);
|
||||
if (!wbc_ctx) {
|
||||
TALLOC_FREE(*session_info);
|
||||
DEBUG(1, ("Cannot contact winbind to provide unix token"));
|
||||
return NT_STATUS_INVALID_SERVER_STATE;
|
||||
}
|
||||
status = security_token_to_unix_token(*session_info, wbc_ctx,
|
||||
(*session_info)->security_token,
|
||||
&(*session_info)->unix_token);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
TALLOC_FREE(*session_info);
|
||||
}
|
||||
TALLOC_FREE(wbc_ctx);
|
||||
}
|
||||
return status;
|
||||
}
|
||||
|
||||
/***************************************************************************
|
||||
|
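Review bot: The log message in the new winbind-failure branch, `DEBUG(1, ("Cannot contact winbind to provide unix token"));`, has no trailing `\n`, so it will be glued onto whatever is logged next; make it `DEBUG(1, ("Cannot contact winbind to provide unix token\n"));`. The error handling around it is sound from a security point of view: when AUTH_SESSION_INFO_UNIX_TOKEN was requested and the token cannot be produced, `*session_info` is freed and an error is returned, so no caller ever receives a session that silently lacks the unix identity it asked for. That fail-closed intent is worth stating above the `if (!wbc_ctx)` check, e.g. `/* fail closed: a session that asked for a unix token must not exist without one */`. The rewritten comment above the wrapper also has a typo, `depenency` for `dependency`.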
@ -51,7 +51,7 @@ bld.SAMBA_MODULE('auth4_unix',
|
||||
bld.SAMBA_LIBRARY('auth4',
|
||||
source='auth.c auth_util.c auth_simple.c',
|
||||
autoproto='auth_proto.h',
|
||||
deps='samba-util security samdb credentials UTIL_TEVENT',
|
||||
deps='samba-util security samdb credentials UTIL_TEVENT LIBWBCLIENT_OLD auth_unix_token',
|
||||
private_library=True
|
||||
)
|
||||
|
||||
|
@ -32,6 +32,7 @@
|
||||
#include "auth/session_proto.h"
|
||||
#include "system/kerberos.h"
|
||||
#include <gssapi/gssapi.h>
|
||||
#include "libcli/wbclient/wbclient.h"
|
||||
|
||||
_PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
|
||||
struct loadparm_context *lp_ctx)
|
||||
@ -335,4 +336,3 @@ void auth_session_info_debug(int dbg_lev,
|
||||
|
||||
security_token_debug(0, dbg_lev, session_info->security_token);
|
||||
}
|
||||
|
||||
|
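--- /dev/null
+++ b/source4/auth/unix_token.c
@@ -0,0 +1,91 @@
+/*
+Unix SMB/CIFS implementation.
+
+Deal with unix elements in the security token
+
+Copyright (C) Andrew Tridgell 2004
+Copyright (C) Andrew Bartlett 2011
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "libcli/wbclient/wbclient.h"
+
+/*
+form a security_unix_token from the current security_token
+*/
+NTSTATUS security_token_to_unix_token(TALLOC_CTX *mem_ctx,
+struct wbc_context *wbc_ctx,
+struct security_token *token,
+struct security_unix_token **sec)
+{
+int i;
+NTSTATUS status;
+struct id_map *ids;
+struct composite_context *ctx;
+*sec = talloc(mem_ctx, struct security_unix_token);
+
+/* we can't do unix security without a user and group */
+if (token->num_sids < 2) {
+return NT_STATUS_ACCESS_DENIED;
+}
+
+ids = talloc_array(mem_ctx, struct id_map, token->num_sids);
+NT_STATUS_HAVE_NO_MEMORY(ids);
+
+(*sec)->ngroups = token->num_sids - 2;
+(*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
+NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
+
+for (i=0;i<token->num_sids;i++) {
+ZERO_STRUCT(ids[i].xid);
+ids[i].sid = &token->sids[i];
+ids[i].status = ID_UNKNOWN;
+}
+
+ctx = wbc_sids_to_xids_send(wbc_ctx, ids, token->num_sids, ids);
+NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+status = wbc_sids_to_xids_recv(ctx, &ids);
+NT_STATUS_NOT_OK_RETURN(status);
+
+if (ids[0].xid.type == ID_TYPE_BOTH ||
+ids[0].xid.type == ID_TYPE_UID) {
+(*sec)->uid = ids[0].xid.id;
+} else {
+return NT_STATUS_INVALID_SID;
+}
+
+if (ids[1].xid.type == ID_TYPE_BOTH ||
+ids[1].xid.type == ID_TYPE_GID) {
+(*sec)->gid = ids[1].xid.id;
+} else {
+return NT_STATUS_INVALID_SID;
+}
+
+for (i=0;i<(*sec)->ngroups;i++) {
+if (ids[i+2].xid.type == ID_TYPE_BOTH ||
+ids[i+2].xid.type == ID_TYPE_GID) {
+(*sec)->groups[i] = ids[i+2].xid.id;
+} else {
+return NT_STATUS_INVALID_SID;
+}
+}
+
+TALLOC_FREE(ids);
+
+return NT_STATUS_OK;
+}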
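Review bot: `*sec = talloc(mem_ctx, struct security_unix_token);` is never NULL-checked, so an allocation failure is dereferenced a few lines later at `(*sec)->ngroups = token->num_sids - 2;`; add `NT_STATUS_HAVE_NO_MEMORY(*sec);` directly after the talloc, matching what is already done for `ids` and `groups`. Separately, the early `return NT_STATUS_ACCESS_DENIED` and `return NT_STATUS_INVALID_SID` paths leave `*sec` pointing at a partially-initialised token (uid, gid and groups not all set); the auth.c caller is safe because it frees the whole session_info on error, but a `TALLOC_FREE(*sec);` before each failure return would make "on error, *sec is NULL" a property of this function rather than of its callers. The mapping result is validated only through `xid.type` and never through `ids[i].status`, which appears to rely on ZERO_STRUCT leaving an unmapped entry's type at zero so it falls into an INVALID_SID branch; if that is the intent, say so, e.g. `/* unmapped SIDs keep xid.type == 0 from ZERO_STRUCT and are rejected below */`.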
@ -15,6 +15,12 @@ bld.SAMBA_SUBSYSTEM('auth_session',
|
||||
deps='samdb auth4_sam'
|
||||
)
|
||||
|
||||
bld.SAMBA_SUBSYSTEM('auth_unix_token',
|
||||
source='unix_token.c',
|
||||
autoproto='unix_token_proto.h',
|
||||
public_deps='LIBWBCLIENT_OLD',
|
||||
)
|
||||
|
||||
|
||||
bld.SAMBA_SUBSYSTEM('samba_server_gensec',
|
||||
source='samba_server_gensec.c',
|
||||
|
@ -164,60 +164,10 @@ static NTSTATUS nt_token_to_unix_security(struct ntvfs_module_context *ntvfs,
|
||||
struct security_unix_token **sec)
|
||||
{
|
||||
struct unixuid_private *priv = ntvfs->private_data;
|
||||
int i;
|
||||
NTSTATUS status;
|
||||
struct id_map *ids;
|
||||
struct composite_context *ctx;
|
||||
*sec = talloc(req, struct security_unix_token);
|
||||
|
||||
/* we can't do unix security without a user and group */
|
||||
if (token->num_sids < 2) {
|
||||
return NT_STATUS_ACCESS_DENIED;
|
||||
}
|
||||
|
||||
ids = talloc_array(req, struct id_map, token->num_sids);
|
||||
NT_STATUS_HAVE_NO_MEMORY(ids);
|
||||
|
||||
(*sec)->ngroups = token->num_sids - 2;
|
||||
(*sec)->groups = talloc_array(*sec, gid_t, (*sec)->ngroups);
|
||||
NT_STATUS_HAVE_NO_MEMORY((*sec)->groups);
|
||||
|
||||
for (i=0;i<token->num_sids;i++) {
|
||||
ZERO_STRUCT(ids[i].xid);
|
||||
ids[i].sid = &token->sids[i];
|
||||
ids[i].status = ID_UNKNOWN;
|
||||
}
|
||||
|
||||
ctx = wbc_sids_to_xids_send(priv->wbc_ctx, ids, token->num_sids, ids);
|
||||
NT_STATUS_HAVE_NO_MEMORY(ctx);
|
||||
|
||||
status = wbc_sids_to_xids_recv(ctx, &ids);
|
||||
NT_STATUS_NOT_OK_RETURN(status);
|
||||
|
||||
if (ids[0].xid.type == ID_TYPE_BOTH ||
|
||||
ids[0].xid.type == ID_TYPE_UID) {
|
||||
(*sec)->uid = ids[0].xid.id;
|
||||
} else {
|
||||
return NT_STATUS_INVALID_SID;
|
||||
}
|
||||
|
||||
if (ids[1].xid.type == ID_TYPE_BOTH ||
|
||||
ids[1].xid.type == ID_TYPE_GID) {
|
||||
(*sec)->gid = ids[1].xid.id;
|
||||
} else {
|
||||
return NT_STATUS_INVALID_SID;
|
||||
}
|
||||
|
||||
for (i=0;i<(*sec)->ngroups;i++) {
|
||||
if (ids[i+2].xid.type == ID_TYPE_BOTH ||
|
||||
ids[i+2].xid.type == ID_TYPE_GID) {
|
||||
(*sec)->groups[i] = ids[i+2].xid.id;
|
||||
} else {
|
||||
return NT_STATUS_INVALID_SID;
|
||||
}
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
return security_token_to_unix_token(req,
|
||||
priv->wbc_ctx,
|
||||
token, sec);
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -4,6 +4,6 @@ bld.SAMBA_MODULE('ntvfs_unixuid',
|
||||
source='vfs_unixuid.c',
|
||||
subsystem='ntvfs',
|
||||
init_function='ntvfs_unixuid_init',
|
||||
deps='samdb'
|
||||
deps='auth_unix_token'
|
||||
)
|
||||
|
||||
|