source4/auth/gensec/gensec_util.c

   1 /*
   2    Unix SMB/CIFS implementation.
   3
   4    Generic Authentication Interface
   5
   6    Copyright (C) Andrew Tridgell 2003
   7    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2006
   8
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21 */
  22
  23 #include "includes.h"
  24 #include "auth/gensec/gensec.h"
  25 #include "auth/gensec/gensec_proto.h"
  26 #include "auth/auth.h"
  27 #include "auth/credentials/credentials.h"
  28 #include "auth/system_session_proto.h"
  29 #include "system/kerberos.h"
  30 #include "auth/kerberos/kerberos.h"
  31 #include "auth/kerberos/kerberos_util.h"
  32
  33 NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
  34                                       struct gensec_security *gensec_security,
  35                                       struct auth_user_info_dc *user_info_dc,
  36                                       struct auth_session_info **session_info)
  37 {
  38         NTSTATUS nt_status;
  39         uint32_t session_info_flags = 0;
  40
  41         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
  42                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
  43         }
  44
  45         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
  46         if (user_info_dc->info->authenticated) {
  47                 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
  48         }
  49
  50         if (gensec_security->auth_context) {
  51                 nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
  52                                                                                  user_info_dc,
  53                                                                                  session_info_flags,
  54                                                                                  session_info);
  55         } else {
  56                 session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
  57                 nt_status = auth_generate_session_info(mem_ctx,
  58                                                        NULL,
  59                                                        NULL,
  60                                                        user_info_dc, session_info_flags,
  61                                                        session_info);
  62         }
  63         return nt_status;
  64 }
  65
  66 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx_out,
  67                                           struct gensec_security *gensec_security,
  68                                           struct smb_krb5_context *smb_krb5_context,
  69                                           DATA_BLOB *pac_blob,
  70                                           const char *principal_string,
  71                                           const struct tsocket_address *remote_address,
  72                                           struct auth_session_info **session_info)
  73 {
  74         NTSTATUS nt_status;
  75         uint32_t session_info_flags = 0;
  76         TALLOC_CTX *mem_ctx;
  77         struct auth_user_info_dc *user_info_dc;
  78         struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL;
  79         struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL;
  80
  81         if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
  82                 session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
  83         }
  84
  85         session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
  86
  87         if (!pac_blob) {
  88                 if (!gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
  89                         DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
  90                                   principal_string));
  91                         return NT_STATUS_ACCESS_DENIED;
  92                 }
  93                 DEBUG(1, ("Unable to find PAC for %s, resorting to local user lookup\n",
  94                           principal_string));
  95         }
  96
  97         if (gensec_security->auth_context) {
  98                 return gensec_security->auth_context->generate_session_info_pac(gensec_security->auth_context,
  99                                                                                 mem_ctx_out,
 100                                                                                 smb_krb5_context,
 101                                                                                 pac_blob,
 102                                                                                 principal_string,
 103                                                                                 remote_address,
 104                                                                                 session_info_flags,
 105                                                                                 session_info);
 106         } else if (!pac_blob) {
 107                 DEBUG(0, ("Cannot generate a session_info without either the PAC or the auth_context\n"));
 108                 return NT_STATUS_NO_SUCH_USER;
 109         }
 110
 111         mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context");
 112         NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
 113
 114         pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 115         if (!pac_srv_sig) {
 116                 talloc_free(mem_ctx);
 117                 return NT_STATUS_NO_MEMORY;
 118         }
 119         pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 120         if (!pac_kdc_sig) {
 121                 talloc_free(mem_ctx);
 122                 return NT_STATUS_NO_MEMORY;
 123         }
 124
 125         nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx,
 126                                                       *pac_blob,
 127                                                       smb_krb5_context->krb5_context,
 128                                                       &user_info_dc,
 129                                                       pac_srv_sig,
 130                                                       pac_kdc_sig);
 131         if (!NT_STATUS_IS_OK(nt_status)) {
 132                 talloc_free(mem_ctx);
 133                 return nt_status;
 134         }
 135
 136         session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
 137         nt_status = auth_generate_session_info(mem_ctx_out,
 138                                                NULL,
 139                                                NULL,
 140                                                user_info_dc, session_info_flags,
 141                                                session_info);
 142         if (!NT_STATUS_IS_OK(nt_status)) {
 143                 talloc_free(mem_ctx);
 144                 return nt_status;
 145         }
 146
 147         if ((*session_info)->torture) {
 148                 (*session_info)->torture->pac_srv_sig
 149                         = talloc_steal((*session_info)->torture, pac_srv_sig);
 150                 (*session_info)->torture->pac_kdc_sig
 151                         = talloc_steal((*session_info)->torture, pac_kdc_sig);
 152         }
 153
 154         talloc_free(mem_ctx);
 155         return nt_status;
 156 }