diff options
author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2023-05-09 14:30:40 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-05-18 01:03:37 +0000 |
commit | e2e752b5461ab3806d8ac9165ee82a77dff6a063 (patch) | |
tree | 9dd0cd987c29112d3d04b3ad315414b96902ff01 | |
parent | 024e5f7e92acd81a53e95b0652c08688e54d251a (diff) | |
download | samba-e2e752b5461ab3806d8ac9165ee82a77dff6a063.tar.gz |
s4:auth: Split out new function to generate a security token
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | source4/auth/session.c | 120 | ||||
-rw-r--r-- | source4/auth/session.h | 6 |
2 files changed, 82 insertions, 44 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c index 2e28bc15c6d..bac644d443c 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -49,54 +49,26 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx, return session_info; } -_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ - struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ - const struct auth_user_info_dc *user_info_dc, - uint32_t session_info_flags, - struct auth_session_info **_session_info) +_PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ + const struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct security_token **_security_token) { - struct auth_session_info *session_info; + struct security_token *security_token = NULL; NTSTATUS nt_status; - uint32_t i, num_sids = 0; - - const char *filter; - + uint32_t i; + uint32_t num_sids = 0; + const char *filter = NULL; struct auth_SidAttr *sids = NULL; - const struct dom_sid *anonymous_sid, *system_sid; + const struct dom_sid *anonymous_sid = NULL; + const struct dom_sid *system_sid = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); - - session_info = talloc_zero(tmp_ctx, struct auth_session_info); - if (session_info == NULL) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - session_info->info = talloc_reference(session_info, user_info_dc->info); - - session_info->torture = talloc_zero(session_info, struct auth_user_info_torture); - if (session_info->torture == NULL) { - TALLOC_FREE(tmp_ctx); + if (tmp_ctx == NULL) { return NT_STATUS_NO_MEMORY; } - session_info->torture->num_dc_sids = user_info_dc->num_sids; - session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids); - if (session_info->torture->dc_sids == NULL) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - - /* unless set otherwise, the session key is the user session - * key from the auth subsystem */ - session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length); - if (!session_info->session_key.data && session_info->session_key.length) { - if (session_info->session_key.data == NULL) { - TALLOC_FREE(tmp_ctx); - return NT_STATUS_NO_MEMORY; - } - } anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS); if (anonymous_sid == NULL) { @@ -176,7 +148,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, /* Don't expand nested groups of system, anonymous etc*/ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (sam_ctx) { + } else if (sam_ctx != NULL) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:"LDB_OID_COMPARATOR_AND":=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); @@ -211,12 +183,72 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, } } - nt_status = security_token_create(session_info, + nt_status = security_token_create(mem_ctx, lp_ctx, num_sids, sids, session_info_flags, - &session_info->security_token); + &security_token); + if (!NT_STATUS_IS_OK(nt_status)) { + TALLOC_FREE(tmp_ctx); + return nt_status; + } + + talloc_steal(mem_ctx, security_token); + *_security_token = security_token; + talloc_free(tmp_ctx); + return NT_STATUS_OK; +} + +_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ + const struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct auth_session_info **_session_info) +{ + struct auth_session_info *session_info; + NTSTATUS nt_status; + + TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + session_info = talloc_zero(tmp_ctx, struct auth_session_info); + if (session_info == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + session_info->info = talloc_reference(session_info, user_info_dc->info); + + session_info->torture = talloc_zero(session_info, struct auth_user_info_torture); + if (session_info->torture == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + session_info->torture->num_dc_sids = user_info_dc->num_sids; + session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids); + if (session_info->torture->dc_sids == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* unless set otherwise, the session key is the user session + * key from the auth subsystem */ + session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length); + if (!session_info->session_key.data && session_info->session_key.length) { + if (session_info->session_key.data == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + } + + nt_status = auth_generate_security_token(session_info, + lp_ctx, + sam_ctx, + user_info_dc, + session_info_flags, + &session_info->security_token); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(tmp_ctx); return nt_status; diff --git a/source4/auth/session.h b/source4/auth/session.h index 2d42396a556..ef736b58e31 100644 --- a/source4/auth/session.h +++ b/source4/auth/session.h @@ -36,6 +36,12 @@ struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ; NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, struct auth_user_info_dc **interim_info); +NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */ + struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ + const struct auth_user_info_dc *user_info_dc, + uint32_t session_info_flags, + struct security_token **_security_token); NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */ |