1 /*
2    Unix SMB/CIFS implementation.
3
4    Generic Authentication Interface
5
6    Copyright (C) Andrew Tridgell 2003
7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 #include "includes.h"
24 #include "auth/gensec/gensec.h"
25 #include "auth/gensec/gensec_proto.h"
26 #include "auth/auth.h"
27 #include "auth/credentials/credentials.h"
28 #include "auth/system_session_proto.h"
29
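/*
 * Build an auth_session_info for an already-authenticated user.
 *
 * The real work is delegated to the auth_context's generate_session_info()
 * callback; this wrapper only translates GENSEC state into the
 * AUTH_SESSION_INFO_* flags that callback expects:
 *   - AUTH_SESSION_INFO_UNIX_TOKEN     when the caller negotiated
 *                                      GENSEC_FEATURE_UNIX_TOKEN
 *   - AUTH_SESSION_INFO_DEFAULT_GROUPS always
 *   - AUTH_SESSION_INFO_AUTHENTICATED  when user_info_dc->info->authenticated
 *                                      is set
 *
 * @param mem_ctx         talloc context the new session_info hangs off
 * @param gensec_security GENSEC context; must be non-NULL (not checked here)
 * @param user_info_dc    user information; user_info_dc->info must be non-NULL
 *                        (not checked here)
 * @param session_info    receives the new session_info on success
 *
 * @return NT_STATUS_INTERNAL_ERROR when no auth_context, or no
 *         generate_session_info callback, is available; otherwise whatever
 *         the callback returns.
 */
NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
				      struct gensec_security *gensec_security,
				      struct auth_user_info_dc *user_info_dc,
				      struct auth_session_info **session_info)
{
	uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;

	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
	}

	if (user_info_dc->info->authenticated) {
		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
	}

	/*
	 * Fail closed instead of dereferencing a missing callback.  This
	 * mirrors gensec_generate_session_info_pac(), which checks its
	 * generate_session_info_pac pointer as well as the auth_context.
	 */
	if (gensec_security->auth_context == NULL ||
	    gensec_security->auth_context->generate_session_info == NULL) {
		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
		return NT_STATUS_INTERNAL_ERROR;
	}

	return gensec_security->auth_context->generate_session_info(mem_ctx,
								    gensec_security->auth_context,
								    user_info_dc,
								    session_info_flags,
								    session_info);
}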
58
/*
 * Build an auth_session_info from a Kerberos ticket, using the ticket's
 * PAC when one is present.
 *
 * Flags handed to the auth_context's generate_session_info_pac() callback:
 *   - AUTH_SESSION_INFO_UNIX_TOKEN     when GENSEC_FEATURE_UNIX_TOKEN was
 *                                      requested
 *   - AUTH_SESSION_INFO_DEFAULT_GROUPS always
 *
 * A ticket without a PAC is passed on to the callback (which is then
 * expected to resolve principal_string locally) only when the
 * "gensec:require_pac" setting evaluates true; with the default (false)
 * the request is refused with NT_STATUS_ACCESS_DENIED.
 * NOTE(review): that sense reads inverted relative to the option's name
 * (the *default* is the branch that denies) — confirm against the option's
 * documentation; the behaviour is deliberately left unchanged here.
 *
 * @param mem_ctx_out      talloc context for the new session_info
 * @param gensec_security  GENSEC context; must be non-NULL (not checked here)
 * @param smb_krb5_context Kerberos context passed through to the callback
 * @param pac_blob         PAC from the ticket, or NULL when the ticket had none
 * @param principal_string client principal; used in log messages and passed
 *                         through to the callback
 * @param remote_address   client address passed through to the callback
 * @param session_info     receives the new session_info on success
 *
 * @return NT_STATUS_ACCESS_DENIED for a PAC-less ticket that is not
 *         permitted, NT_STATUS_INTERNAL_ERROR when the auth_context or its
 *         generate_session_info_pac callback is missing, otherwise the
 *         callback's result.
 */
NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
					  struct gensec_security *gensec_security,
					  struct smb_krb5_context *smb_krb5_context,
					  DATA_BLOB *pac_blob,
					  const char *principal_string,
					  const struct tsocket_address *remote_address,
					  struct auth_session_info **session_info)
{
	uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;

	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
	}

	if (pac_blob == NULL) {
		/* Setting is consulted only when the ticket carried no PAC. */
		bool require_pac = gensec_setting_bool(gensec_security->settings,
						       "gensec", "require_pac", false);

		if (!require_pac) {
			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
				  principal_string));
			return NT_STATUS_ACCESS_DENIED;
		}

		DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
			  principal_string));
	}

	/*
	 * The PAC check above runs first so that a missing PAC is reported as
	 * an access problem even when the auth_context is also absent.
	 */
	if (gensec_security->auth_context == NULL ||
	    gensec_security->auth_context->generate_session_info_pac == NULL) {
		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
		return NT_STATUS_INTERNAL_ERROR;
	}

	return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
									mem_ctx_out,
									smb_krb5_context,
									pac_blob,
									principal_string,
									remote_address,
									session_info_flags,
									session_info);
}