require PAC and LOGON_INFO
authorStefan Metzmacher <metze@samba.org>
Mon, 27 Nov 2017 13:18:13 +0000 (14:18 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 29 Oct 2019 13:33:03 +0000 (14:33 +0100)
auth/gensec/gensec_util.c
source3/auth/auth_generic.c
source3/libads/authdata.c
source4/auth/ntlm/auth.c

index 20c9c2a1fbb745a02b11506202f637d9f53ef686..74cea48feec59991bfcfa82c5d239f7735da8877 100644 (file)
@@ -45,14 +45,10 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 
        session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
-       if (!pac_blob) {
-               if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
-                       DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
-                                 principal_string));
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-               DBG_NOTICE("Unable to find PAC for %s, resorting to local "
-                          "user lookup\n", principal_string);
+       if (pac_blob == NULL) {
+               DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
+                         principal_string));
+               return NT_STATUS_ACCESS_DENIED;
        }
 
        if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
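Review bot: The new `if (pac_blob == NULL)` branch denies unconditionally, so the `gensec:require_pac` setting that the removed lines consulted is no longer read in this function and, as far as this hunk shows, silently becomes a no-op; the commit title does not mention that. If the option is still documented or present in deployed configurations it should be marked obsolete, and a comment on the new branch would keep a later reader from reintroducing the fallback: `/* A PAC is mandatory; the former gensec:require_pac option is no longer consulted. */`. The log line could also make clear that the denial is policy rather than a lookup failure, e.g. `"No PAC in ticket from %s, access denied (a PAC is required)\n"`. gensec_generate_session_info_pac continues outside the hunk.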
index 167d4e00367fb007d2fea15034d3b4477bc85b7c..559040d4a557c9ba6aac24e2c4c0a5baf523e953 100644 (file)
@@ -121,6 +121,11 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
                }
        }
 
+       if (logon_info == NULL) {
+               status = NT_STATUS_ACCESS_DENIED;
+               goto done;
+       }
+
        rc = get_remote_hostname(remote_address,
                                 &rhost,
                                 tmp_ctx);
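Review bot: The new `if (logon_info == NULL)` check denies access without emitting any log line, whereas the corresponding check added in auth/gensec/gensec_util.c logs at DEBUG level 1 before returning NT_STATUS_ACCESS_DENIED; a silent denial is hard to diagnose and leaves no event for an operator to correlate. A one-line message before the `goto done`, e.g. `DBG_WARNING("PAC does not contain LOGON_INFO, denying access\n");`, would match the other hunk. The same point applies to the new `else` branch in source3/libads/authdata.c and to the new `return NT_STATUS_ACCESS_DENIED;` in source4/auth/ntlm/auth.c, unless their callers already log the failure, which is not visible here. auth3_generate_session_info_pac starts and continues outside the hunk, and the `done:` label is not in view.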
index 6e6d5b397ffb95279ab090721906254aed0eaee8..4df5fe1b9ec029d792105d0f610897387d048332 100644 (file)
@@ -89,6 +89,9 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
                                                          pac_blob->length);
 
                auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
+       } else {
+               status = NT_STATUS_ACCESS_DENIED;
+               goto done;
        }
 
        *session_info = talloc_zero(mem_ctx, struct auth_session_info);
index ead5326705e67ec071ab34fcfce968834ef96f53..b844b3c29b52661cf71a778cbf9b04de2a9a8d02 100644 (file)
@@ -86,48 +86,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
        return NT_STATUS_OK;
 }
 
-/****************************************************************************
-Used in the gensec_gssapi and gensec_krb5 server-side code, where the
-PAC isn't available, and for tokenGroups in the DSDB stack.
-
- Supply either a principal or a DN
-****************************************************************************/
-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
-                                                 TALLOC_CTX *mem_ctx,
-                                                 const char *principal,
-                                                 struct ldb_dn *user_dn,
-                                                  uint32_t session_info_flags,
-                                                  struct auth_session_info **session_info)
-{
-       NTSTATUS nt_status;
-       struct auth_method_context *method;
-       struct auth_user_info_dc *user_info_dc;
-
-       for (method = auth_ctx->methods; method; method = method->next) {
-               if (!method->ops->get_user_info_dc_principal) {
-                       continue;
-               }
-
-               nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
-               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
-                       continue;
-               }
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       return nt_status;
-               }
-
-               nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, 
-                                                              user_info_dc,
-                                                              user_info_dc->info->account_name,
-                                                              session_info_flags, session_info);
-               talloc_free(user_info_dc);
-
-               return nt_status;
-       }
-
-       return NT_STATUS_NOT_IMPLEMENTED;
-}
-
 /**
  * Check a user's Plaintext, LM or NTLM password.
  * (sync version)
@@ -657,8 +615,7 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
        TALLOC_CTX *tmp_ctx;
 
        if (!pac_blob) {
-               return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
-                                                      NULL, session_info_flags, session_info);
+               return NT_STATUS_ACCESS_DENIED;
        }
 
        tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
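Review bot: The replacement leaves a bare `return NT_STATUS_ACCESS_DENIED;` with nothing saying the denial is intentional, and the earlier hunk in this file deletes auth_generate_session_info_principal entirely, so a comment on the `if (!pac_blob)` branch such as `/* A PAC is mandatory: there is no longer a principal-based fallback. */` would record the new policy for the next reader. The test is also written `!pac_blob` while the equivalent new check in auth/gensec/gensec_util.c uses `pac_blob == NULL`; one form across the commit would read better. auth_generate_session_info_pac starts and ends outside the hunk.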