authorStefan Metzmacher <metze@samba.org>2018-03-07 00:51:51 +0100
committerRalph Boehme <slow@samba.org>2018-03-15 21:54:17 +0100
commite8402ec0486ced6ac2adb640c61a9e5abc77d4e4 (patch)
treef8276bb91de365f126286e4c7dfd37d85b044bac /source3/auth
parentaf4bc135e486e17164da0ea918281fbf689892c3 (diff)
downloadsamba-e8402ec0486ced6ac2adb640c61a9e5abc77d4e4.tar.gz
s3:auth: base make_new_session_info_system() on auth_system_user_info_dc() and auth3_create_session_info()
The changes in the resulting token look like this: unix_token : * unix_token: struct security_unix_token uid : 0x0000000000000000 (0) gid : 0x0000000000000000 (0) - ngroups : 0x00000000 (0) - groups: ARRAY(0) + ngroups : 0x00000001 (1) + groups: ARRAY(1) + groups : 0x0000000000000000 (0) ... domain_name : * domain_name : 'NT AUTHORITY' dns_domain_name : NULL - full_name : NULL - logon_script : NULL - profile_path : NULL - home_directory : NULL - home_drive : NULL - logon_server : NULL + full_name : * + full_name : 'System' + logon_script : * + logon_script : '' + profile_path : * + profile_path : '' + home_directory : * + home_directory : '' + home_drive : * + home_drive : '' + logon_server : * + logon_server : 'SLOWSERVER' last_logon : NTTIME(0) last_logoff : NTTIME(0) acct_expiry : NTTIME(0) last_password_change : NTTIME(0) allow_password_change : NTTIME(0) force_password_change : NTTIME(0) logon_count : 0x0000 (0) bad_password_count : 0x0000 (0) - acct_flags : 0x00000000 (0) + acct_flags : 0x00000010 (16) authenticated : 0x01 (1) unix_info : * BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c123
1 files changed, 43 insertions, 80 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index e146ac3f35c..ad14cf6d221 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -37,6 +37,7 @@
#include "lib/param/loadparm.h"
#include "../lib/tsocket/tsocket.h"
#include "rpc_client/util_netlogon.h"
+#include "source4/auth/auth.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -1268,31 +1269,6 @@ done:
return status;
}
-static NTSTATUS get_system_info3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3)
-{
- NTSTATUS status;
-
- /* Set account name */
- init_lsa_String(&info3->base.account_name, "SYSTEM");
-
- /* Set domain name */
- init_lsa_StringLarge(&info3->base.logon_domain, "NT AUTHORITY");
-
-
- status = dom_sid_split_rid(mem_ctx, &global_sid_System,
- &info3->base.domain_sid,
- &info3->base.rid);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- /* Primary gid is the same */
- info3->base.primary_gid = info3->base.rid;
-
- return NT_STATUS_OK;
-}
-
static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *info3)
{
@@ -1426,80 +1402,67 @@ done:
static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct auth_user_info_dc *user_info_dc = NULL;
+ uid_t uid = -1;
+ gid_t gid = -1;
+ uint32_t hint_flags = 0;
+ uint32_t session_info_flags = 0;
NTSTATUS status;
- struct auth_serversupplied_info *server_info;
- TALLOC_CTX *tmp_ctx;
-
- tmp_ctx = talloc_stackframe();
- if (tmp_ctx == NULL) {
- return NT_STATUS_NO_MEMORY;
- }
-
- server_info = make_server_info(tmp_ctx);
- if (!server_info) {
- status = NT_STATUS_NO_MEMORY;
- DEBUG(0, ("failed making server_info\n"));
- goto done;
- }
- server_info->info3 = talloc_zero(server_info, struct netr_SamInfo3);
- if (!server_info->info3) {
- status = NT_STATUS_NO_MEMORY;
- DEBUG(0, ("talloc failed setting info3\n"));
- goto done;
- }
-
- status = get_system_info3(server_info, server_info->info3);
+ status = auth_system_user_info_dc(frame, lp_netbios_name(),
+ &user_info_dc);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("Failed creating system info3 with %s\n",
+ DEBUG(0, ("auth_system_user_info_dc failed: %s\n",
nt_errstr(status)));
goto done;
}
- server_info->utok.uid = sec_initial_uid();
- server_info->utok.gid = sec_initial_gid();
- server_info->unix_name = talloc_asprintf(server_info,
- "NT AUTHORITY%cSYSTEM",
- *lp_winbind_separator());
-
- if (!server_info->unix_name) {
- status = NT_STATUS_NO_MEMORY;
- DEBUG(0, ("talloc_asprintf failed setting unix_name\n"));
- goto done;
- }
+ /*
+ * Just get the initial uid/gid
+ * and don't expand the unix groups.
+ */
+ uid = sec_initial_uid();
+ gid = sec_initial_gid();
+ hint_flags |= AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS;
- server_info->security_token = talloc_zero(server_info, struct security_token);
- if (!server_info->security_token) {
- status = NT_STATUS_NO_MEMORY;
- DEBUG(0, ("talloc failed setting security token\n"));
- goto done;
- }
+ /*
+ * Also avoid sid mapping to gids,
+ * as well as adding the unix_token uid/gids as
+ * S-1-22-X-Y SIDs to the nt token.
+ */
+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS;
+ hint_flags |= AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS;
- status = add_sid_to_array_unique(server_info->security_token->sids,
- &global_sid_System,
- &server_info->security_token->sids,
- &server_info->security_token->num_sids);
+ /*
+ * The unix name will be "NT AUTHORITY+SYSTEM",
+ * where '+' is the "winbind separator" character.
+ */
+ hint_flags |= AUTH3_UNIX_HINT_QUALIFIED_NAME;
+ status = auth3_user_info_dc_add_hints(user_info_dc,
+ uid,
+ gid,
+ hint_flags);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("auth3_user_info_dc_add_hints failed: %s\n",
+ nt_errstr(status)));
goto done;
}
- /* SYSTEM has all privilages */
- server_info->security_token->privilege_mask = ~0;
-
- /* Now turn the server_info into a session_info with the full token etc */
- status = create_local_token(mem_ctx, server_info, NULL, "SYSTEM", session_info);
- talloc_free(server_info);
-
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ status = auth3_session_info_create(mem_ctx, user_info_dc,
+ user_info_dc->info->account_name,
+ session_info_flags,
+ session_info);
if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("create_local_token failed: %s\n",
+ DEBUG(0, ("auth3_session_info_create failed: %s\n",
nt_errstr(status)));
goto done;
}
- talloc_steal(mem_ctx, *session_info);
-
done:
- TALLOC_FREE(tmp_ctx);
+ TALLOC_FREE(frame);
return status;
}
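Review bot: The explicit `server_info->security_token->privilege_mask = ~0;` (the old `/* SYSTEM has all privilages */` line) has no counterpart on the new side; whether the system token still carries the full privilege set now presumably rests on `AUTH_SESSION_INFO_SIMPLE_PRIVILEGES` being resolved from the S-1-5-18 SID inside auth3_session_info_create, and nothing in the hunk says so (the token diff in the commit message does not mention privilege_mask either). A comment above the `session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;` line would keep that intent visible, e.g. `/* SIMPLE_PRIVILEGES: the System SID yields the full privilege mask, replacing the old explicit ~0 */`, and it is worth confirming with a check of `(*session_info)->security_token->privilege_mask` on this path. Minor style point: `uid_t uid = -1;` and `gid_t gid = -1;` are dead initializers, since both are unconditionally reassigned from sec_initial_uid()/sec_initial_gid() before first use; initializing at the point of declaration (`uid_t uid = sec_initial_uid();`) would be tighter and avoids the implicit -1 to unsigned conversion.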