From a83feb2fe3e00241c340cdcab5674a250a1858ce Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 21 Jan 2009 10:43:15 +0100 Subject: [PATCH] s4:auth: move make_server_info_netlogon_validation() function arround metze --- source4/auth/auth_sam_reply.c | 139 +++++++++++++++++++++++++++++ source4/auth/gensec/gensec_krb5.c | 2 +- source4/auth/ntlm/auth_winbind.c | 2 +- source4/auth/session.c | 140 ------------------------------ source4/auth/session.h | 5 -- source4/smbd/service_named_pipe.c | 1 + source4/torture/auth/pac.c | 2 +- 7 files changed, 143 insertions(+), 148 deletions(-) diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c index 839553632ed..dfa76234b4b 100644 --- a/source4/auth/auth_sam_reply.c +++ b/source4/auth/auth_sam_reply.c @@ -147,3 +147,142 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +/** + * Make a server_info struct from the info3 returned by a domain logon + */ +NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, + const char *account_name, + uint16_t validation_level, + union netr_Validation *validation, + struct auth_serversupplied_info **_server_info) +{ + struct auth_serversupplied_info *server_info; + struct netr_SamBaseInfo *base = NULL; + int i; + + switch (validation_level) { + case 2: + if (!validation || !validation->sam2) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam2->base; + break; + case 3: + if (!validation || !validation->sam3) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam3->base; + break; + case 6: + if (!validation || !validation->sam6) { + return NT_STATUS_INVALID_PARAMETER; + } + base = &validation->sam6->base; + break; + default: + return NT_STATUS_INVALID_LEVEL; + } + + server_info = talloc(mem_ctx, struct auth_serversupplied_info); + NT_STATUS_HAVE_NO_MEMORY(server_info); + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); + + + server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid); + NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); + + server_info->n_domain_groups = base->groups.count; + if (base->groups.count) { + server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups); + } else { + server_info->domain_groups = NULL; + } + + for (i = 0; i < base->groups.count; i++) { + server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid); + NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]); + } + + /* Copy 'other' sids. We need to do sid filtering here to + prevent possible elevation of privileges. See: + + http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp + */ + + if (validation_level == 3) { + struct dom_sid **dgrps = server_info->domain_groups; + size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount; + size_t n_dgrps = server_info->n_domain_groups; + + if (validation->sam3->sidcount > 0) { + dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount); + NT_STATUS_HAVE_NO_MEMORY(dgrps); + + for (i = 0; i < validation->sam3->sidcount; i++) { + dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid); + } + } + + server_info->n_domain_groups = sidcount; + server_info->domain_groups = dgrps; + + /* Where are the 'global' sids?... */ + } + + if (base->account_name.string) { + server_info->account_name = talloc_reference(server_info, base->account_name.string); + } else { + server_info->account_name = talloc_strdup(server_info, account_name); + NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); + } + + server_info->domain_name = talloc_reference(server_info, base->domain.string); + server_info->full_name = talloc_reference(server_info, base->full_name.string); + server_info->logon_script = talloc_reference(server_info, base->logon_script.string); + server_info->profile_path = talloc_reference(server_info, base->profile_path.string); + server_info->home_directory = talloc_reference(server_info, base->home_directory.string); + server_info->home_drive = talloc_reference(server_info, base->home_drive.string); + server_info->logon_server = talloc_reference(server_info, base->logon_server.string); + server_info->last_logon = base->last_logon; + server_info->last_logoff = base->last_logoff; + server_info->acct_expiry = base->acct_expiry; + server_info->last_password_change = base->last_password_change; + server_info->allow_password_change = base->allow_password_change; + server_info->force_password_change = base->force_password_change; + server_info->logon_count = base->logon_count; + server_info->bad_password_count = base->bad_password_count; + server_info->acct_flags = base->acct_flags; + + server_info->authenticated = true; + + /* ensure we are never given NULL session keys */ + + if (all_zero(base->key.key, sizeof(base->key.key))) { + server_info->user_session_key = data_blob(NULL, 0); + } else { + server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key)); + NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); + } + + if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { + server_info->lm_session_key = data_blob(NULL, 0); + } else { + server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key)); + NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); + } + + ZERO_STRUCT(server_info->pac_srv_sig); + ZERO_STRUCT(server_info->pac_kdc_sig); + + *_server_info = server_info; + return NT_STATUS_OK; +} + diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c index 16867366a48..6c6b9289177 100644 --- a/source4/auth/gensec/gensec_krb5.c +++ b/source4/auth/gensec/gensec_krb5.c @@ -30,7 +30,6 @@ #include "auth/auth.h" #include "lib/ldb/include/ldb.h" #include "auth/auth_sam.h" -#include "system/network.h" #include "lib/socket/socket.h" #include "librpc/rpc/dcerpc.h" #include "auth/credentials/credentials.h" @@ -39,6 +38,7 @@ #include "auth/gensec/gensec_proto.h" #include "param/param.h" #include "auth/session_proto.h" +#include "auth/auth_sam_reply.h" enum GENSEC_KRB5_STATE { GENSEC_KRB5_SERVER_START, diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c index ac63b242e49..bf75ad9eca5 100644 --- a/source4/auth/ntlm/auth_winbind.c +++ b/source4/auth/ntlm/auth_winbind.c @@ -24,7 +24,7 @@ #include "includes.h" #include "auth/auth.h" #include "auth/ntlm/auth_proto.h" -#include "auth/session_proto.h" +#include "auth/auth_sam_reply.h" #include "nsswitch/winbind_client.h" #include "librpc/gen_ndr/ndr_netlogon.h" #include "librpc/gen_ndr/ndr_winbind.h" diff --git a/source4/auth/session.c b/source4/auth/session.c index 885b2b96c2e..ef5646fd37e 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -201,143 +201,3 @@ void auth_session_info_debug(int dbg_lev, security_token_debug(dbg_lev, session_info->security_token); } -/** - * Make a server_info struct from the info3 returned by a domain logon - */ -_PUBLIC_ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, - const char *account_name, - uint16_t validation_level, - union netr_Validation *validation, - struct auth_serversupplied_info **_server_info) -{ - struct auth_serversupplied_info *server_info; - struct netr_SamBaseInfo *base = NULL; - int i; - - switch (validation_level) { - case 2: - if (!validation || !validation->sam2) { - return NT_STATUS_INVALID_PARAMETER; - } - base = &validation->sam2->base; - break; - case 3: - if (!validation || !validation->sam3) { - return NT_STATUS_INVALID_PARAMETER; - } - base = &validation->sam3->base; - break; - case 6: - if (!validation || !validation->sam6) { - return NT_STATUS_INVALID_PARAMETER; - } - base = &validation->sam6->base; - break; - default: - return NT_STATUS_INVALID_LEVEL; - } - - server_info = talloc(mem_ctx, struct auth_serversupplied_info); - NT_STATUS_HAVE_NO_MEMORY(server_info); - - /* - Here is where we should check the list of - trusted domains, and verify that the SID - matches. - */ - server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); - - - server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); - - server_info->n_domain_groups = base->groups.count; - if (base->groups.count) { - server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups); - } else { - server_info->domain_groups = NULL; - } - - for (i = 0; i < base->groups.count; i++) { - server_info->domain_groups[i] = dom_sid_add_rid(server_info, base->domain_sid, base->groups.rids[i].rid); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]); - } - - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - - if (validation_level == 3) { - struct dom_sid **dgrps = server_info->domain_groups; - size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount; - size_t n_dgrps = server_info->n_domain_groups; - - if (validation->sam3->sidcount > 0) { - dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount); - NT_STATUS_HAVE_NO_MEMORY(dgrps); - - for (i = 0; i < validation->sam3->sidcount; i++) { - dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid); - } - } - - server_info->n_domain_groups = sidcount; - server_info->domain_groups = dgrps; - - /* Where are the 'global' sids?... */ - } - - if (base->account_name.string) { - server_info->account_name = talloc_reference(server_info, base->account_name.string); - } else { - server_info->account_name = talloc_strdup(server_info, account_name); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_name); - } - - server_info->domain_name = talloc_reference(server_info, base->domain.string); - server_info->full_name = talloc_reference(server_info, base->full_name.string); - server_info->logon_script = talloc_reference(server_info, base->logon_script.string); - server_info->profile_path = talloc_reference(server_info, base->profile_path.string); - server_info->home_directory = talloc_reference(server_info, base->home_directory.string); - server_info->home_drive = talloc_reference(server_info, base->home_drive.string); - server_info->logon_server = talloc_reference(server_info, base->logon_server.string); - server_info->last_logon = base->last_logon; - server_info->last_logoff = base->last_logoff; - server_info->acct_expiry = base->acct_expiry; - server_info->last_password_change = base->last_password_change; - server_info->allow_password_change = base->allow_password_change; - server_info->force_password_change = base->force_password_change; - server_info->logon_count = base->logon_count; - server_info->bad_password_count = base->bad_password_count; - server_info->acct_flags = base->acct_flags; - - server_info->authenticated = true; - - /* ensure we are never given NULL session keys */ - - if (all_zero(base->key.key, sizeof(base->key.key))) { - server_info->user_session_key = data_blob(NULL, 0); - } else { - server_info->user_session_key = data_blob_talloc(server_info, base->key.key, sizeof(base->key.key)); - NT_STATUS_HAVE_NO_MEMORY(server_info->user_session_key.data); - } - - if (all_zero(base->LMSessKey.key, sizeof(base->LMSessKey.key))) { - server_info->lm_session_key = data_blob(NULL, 0); - } else { - server_info->lm_session_key = data_blob_talloc(server_info, base->LMSessKey.key, sizeof(base->LMSessKey.key)); - NT_STATUS_HAVE_NO_MEMORY(server_info->lm_session_key.data); - } - - ZERO_STRUCT(server_info->pac_srv_sig); - ZERO_STRUCT(server_info->pac_kdc_sig); - - *_server_info = server_info; - return NT_STATUS_OK; -} - - diff --git a/source4/auth/session.h b/source4/auth/session.h index bdb63ec4a2b..15570c4414f 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -53,11 +53,6 @@ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info *server_info, struct auth_session_info **_session_info) ; -NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, - const char *account_name, - uint16_t validation_level, - union netr_Validation *validation, - struct auth_serversupplied_info **_server_info); NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx, diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c index 02b71de7c3f..e3c0908a150 100644 --- a/source4/smbd/service_named_pipe.c +++ b/source4/smbd/service_named_pipe.c @@ -25,6 +25,7 @@ #include "smbd/service.h" #include "param/param.h" #include "auth/session.h" +#include "auth/auth_sam_reply.h" #include "lib/stream/packet.h" #include "librpc/gen_ndr/ndr_named_pipe_auth.h" #include "system/passwd.h" diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index f6f2fcb4989..fd54863686c 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -28,7 +28,7 @@ #include "samba3/samba3.h" #include "libcli/security/security.h" #include "torture/torture.h" -#include "auth/session_proto.h" +#include "auth/auth_sam_reply.h" static bool torture_pac_self_check(struct torture_context *tctx) { -- 2.34.1