auth: Allow auth_samba4 to be forced to run a specific auth module
authorAndrew Bartlett <abartlet@samba.org>
Fri, 16 May 2014 02:29:43 +0000 (14:29 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 16 May 2014 08:23:26 +0000 (10:23 +0200)
This will allow new tests to be written to validate winbindd authentication results

Andrew Bartlett

Change-Id: I008eba1de349b17ee4eb9f11be08338557dffecc
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/auth/auth_generic.c
source3/auth/auth_samba4.c
source3/include/auth.h
source4/auth/auth.h
source4/auth/ntlm/auth.c

index e1c6475ecab8520f929686acfd28da071cb66542..05c4ddcede46c5e3a7c59ac7731e53fe47a5401b 100644 (file)
@@ -163,7 +163,7 @@ NTSTATUS make_auth4_context(TALLOC_CTX *mem_ctx, struct auth4_context **auth4_co
        }
 
        if (auth_context->make_auth4_context) {
-               nt_status = auth_context->make_auth4_context(mem_ctx, auth4_context_out);
+               nt_status = auth_context->make_auth4_context(auth_context, mem_ctx, auth4_context_out);
                TALLOC_FREE(tmp_ctx);
                return nt_status;
 
@@ -197,7 +197,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
        }
 
        if (auth_context->prepare_gensec) {
-               nt_status = auth_context->prepare_gensec(tmp_ctx,
+               nt_status = auth_context->prepare_gensec(auth_context, tmp_ctx,
                                                         &gensec_security);
                if (!NT_STATUS_IS_OK(nt_status)) {
                        TALLOC_FREE(tmp_ctx);
index fcc4c285ea8a453e93ef5a261d4c9b92f0d06599..d9d71512a2baa493fb191244d6afa28a2d3537a7 100644 (file)
@@ -31,7 +31,8 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_AUTH
 
-static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx,
+static NTSTATUS make_auth4_context_s4(const struct auth_context *auth_context,
+                                     TALLOC_CTX *mem_ctx,
                                      struct auth4_context **auth4_context);
 
 static struct idr_context *task_id_tree;
@@ -111,7 +112,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
        struct auth_user_info_dc *user_info_dc;
        struct auth4_context *auth4_context;
 
-       nt_status = make_auth4_context_s4(mem_ctx, &auth4_context);
+       nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context);
        if (!NT_STATUS_IS_OK(nt_status)) {
                TALLOC_FREE(frame);
                goto done;
@@ -178,7 +179,8 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context,
  * token is generated and used in the SMB and LDAP servers, for NTLM
  * and for Kerberos.
  */
-static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
+static NTSTATUS prepare_gensec(struct auth_context *auth_context,
+                              TALLOC_CTX *mem_ctx,
                               struct gensec_security **gensec_context)
 {
        NTSTATUS status;
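Review bot: The new first parameter of `prepare_gensec` is declared `struct auth_context *auth_context`, but the `prepare_gensec_fn` typedef changed in source3/include/auth.h by this same commit takes `const struct auth_context *`. The assignment `result->prepare_gensec = prepare_gensec` in auth_init_samba4 is therefore between incompatible function pointer types. Declaring it as `static NTSTATUS prepare_gensec(const struct auth_context *auth_context,` would match both the typedef and `make_auth4_context_s4`. The body of prepare_gensec continues outside this hunk; nothing visible here uses the parameter, so adding the qualifier should not require other changes.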
@@ -270,7 +272,8 @@ static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
  * consistency between NTLM logins and NTLMSSP logins, as NTLMSSP is
  * handled by the hook above.
  */
-static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx,
+static NTSTATUS make_auth4_context_s4(const struct auth_context *auth_context,
+                                     TALLOC_CTX *mem_ctx,
                                      struct auth4_context **auth4_context)
 {
        NTSTATUS status;
@@ -311,12 +314,17 @@ static NTSTATUS make_auth4_context_s4(TALLOC_CTX *mem_ctx,
        }
        talloc_reparent(frame, msg_ctx, server_id);
 
-       status = auth_context_create(mem_ctx,
-                                       event_ctx,
-                                       msg_ctx,
-                                       lp_ctx,
-                                       auth4_context);
-
+       /* Allow forcing a specific auth4 module */
+       if (!auth_context->forced_samba4_methods) {
+               status = auth_context_create(mem_ctx,
+                                            event_ctx,
+                                            msg_ctx,
+                                            lp_ctx,
+                                            auth4_context);
+       } else {
+               const char * const *forced_auth_methods = (const char * const *)str_list_make(mem_ctx, auth_context->forced_samba4_methods, NULL);
+               status = auth_context_create_methods(mem_ctx, forced_auth_methods, event_ctx, msg_ctx, lp_ctx, NULL, auth4_context);
+       }
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to start auth server code: %s\n", nt_errstr(status)));
                TALLOC_FREE(frame);
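Review bot: The result of `str_list_make()` in the forced-methods branch is never checked, so an allocation failure hands a NULL method list to `auth_context_create_methods()`. Whether that fails closed depends on code outside this hunk. Because this branch decides which backends validate credentials, the check should be explicit: `if (forced_auth_methods == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; }`. The list is also parented to the caller's `mem_ctx` and never released; `str_list_make(frame, auth_context->forced_samba4_methods, NULL)` would free it with the other temporaries, assuming auth_context_create_methods does not keep the pointer. make_auth4_context_s4 starts and ends outside this hunk.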
@@ -349,6 +357,13 @@ static NTSTATUS auth_init_samba4(struct auth_context *auth_context,
        result->prepare_gensec = prepare_gensec;
        result->make_auth4_context = make_auth4_context_s4;
 
+       if (param && *param) {
+               auth_context->forced_samba4_methods = talloc_strdup(result, param);
+               if (!auth_context->forced_samba4_methods) {
+                       return NT_STATUS_NO_MEMORY;
+               }
+       }
+
         *auth_method = result;
        return NT_STATUS_OK;
 }
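Review bot: `forced_samba4_methods` is stored on `auth_context`, but the copy is parented to `result`. If the `auth_methods` object is ever freed before the context, `make_auth4_context_s4` would read a dangling pointer; `talloc_strdup(auth_context, param)` ties the string to the structure that references it. The early `return NT_STATUS_NO_MEMORY` also appears to leave `result` allocated unless the caller frees its parent, which is not visible in this hunk. Since the module parameter changes which backends authenticate users, a comment above the `if` would help, for example `/* a non-empty module parameter overrides the auth4 method list; intended for tests */`.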
index 07f8b9eee1abe548118258c77fba8bbcf32506fb..acae5a83c6cdbfb6770a1c59cf2ad327d02dd976 100644 (file)
@@ -66,10 +66,14 @@ struct auth_serversupplied_info {
        char *unix_name;
 };
 
-typedef NTSTATUS (*prepare_gensec_fn)(TALLOC_CTX *mem_ctx,
+struct auth_context;
+
+typedef NTSTATUS (*prepare_gensec_fn)(const struct auth_context *auth_context, 
+                                     TALLOC_CTX *mem_ctx,
                                      struct gensec_security **gensec_context);
 
-typedef NTSTATUS (*make_auth4_context_fn)(TALLOC_CTX *mem_ctx,
+typedef NTSTATUS (*make_auth4_context_fn)(const struct auth_context *auth_context, 
+                                         TALLOC_CTX *mem_ctx,
                                          struct auth4_context **auth4_context);
 
 struct auth_context {
@@ -83,6 +87,7 @@ struct auth_context {
 
        prepare_gensec_fn prepare_gensec;
        make_auth4_context_fn make_auth4_context;
+       const char *forced_samba4_methods;
 };
 
 typedef struct auth_methods
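Review bot: The new `forced_samba4_methods` member has no comment saying who sets it, who owns the string or what NULL means. From the rest of the commit, it is filled in by auth_init_samba4 from the module parameter, and a NULL value makes make_auth4_context_s4 fall back to `auth_context_create()`. A comment above the field would record that, for example `/* auth4 method list forced via the auth_samba4 module parameter (for tests); NULL selects the default methods */`.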
index 129f58d31c4d38ec8578db27f827ddcc8c04ef29..0b6b1d358313f3ac054ed313bcb38f02057728fa 100644 (file)
@@ -130,7 +130,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
                                           struct loadparm_context *lp_ctx,
                                           struct auth_session_info **_session_info) ;
 
-NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
+NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods,
                                     struct tevent_context *ev,
                                     struct imessaging_context *msg,
                                     struct loadparm_context *lp_ctx,
index 16c9666c0a214601f33d412df6a2e81cad8f9fcf..642d8684e5941ef50b392113edc1ed45e1ddf1ba 100644 (file)
@@ -520,7 +520,7 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
  Make a auth_info struct for the auth subsystem
  - Allow the caller to specify the methods to use, including optionally the SAM to use
 ***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, 
+_PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char * const *methods, 
                                              struct tevent_context *ev,
                                              struct imessaging_context *msg,
                                              struct loadparm_context *lp_ctx,