The branch, master has been updated via f3501cf s3-smbd: use make_server_info_krb5() in smb2 too. via a413a86 s3-smbd: use make_server_info_krb5() via 08a8e25 s3-auth: add helper to get server_info out of kerberos info from ce60d6d s3-smbd: User helper function to resolve kerberos user for smb2
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit f3501cf8488c77a896b56fb33bfbb68ee13cb1e9 Author: Simo Sorce <i...@samba.org> Date: Thu Aug 26 18:49:49 2010 -0400 s3-smbd: use make_server_info_krb5() in smb2 too. Signed-off-by: Günther Deschner <g...@samba.org> commit a413a86daa25a277ddb068ed5606a604d62d70ef Author: Simo Sorce <i...@samba.org> Date: Thu Aug 26 18:49:28 2010 -0400 s3-smbd: use make_server_info_krb5() Signed-off-by: Günther Deschner <g...@samba.org> commit 08a8e25d6bfc559b56250efcce8e73845de23194 Author: Simo Sorce <i...@samba.org> Date: Thu Aug 26 18:48:46 2010 -0400 s3-auth: add helper to get server_info out of kerberos info Signed-off-by: Günther Deschner <g...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/auth/user_krb5.c | 100 +++++++++++++++++++++++++++++++++++++++++ source3/include/proto.h | 8 +++ source3/smbd/sesssetup.c | 90 +++++-------------------------------- source3/smbd/smb2_sesssetup.c | 83 +++------------------------------ 4 files changed, 127 insertions(+), 154 deletions(-) Changeset truncated at 500 lines:
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 2cdcdcc..580e71a 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -155,6 +155,93 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+
+NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntuser,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+ struct PAC_LOGON_INFO *logon_info,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info)
+{
+ NTSTATUS status;
+
+ if (mapped_to_guest) {
+ status = make_server_info_guest(mem_ctx, server_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("make_server_info_guest failed: %s!\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ } else if (logon_info) {
+ /* pass the unmapped username here since map_username()
+ will be called again in make_server_info_info3() */
+
+ status = make_server_info_info3(mem_ctx,
+ ntuser, ntdomain,
+ server_info,
+ &logon_info->info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("make_server_info_info3 failed: %s!\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ } else {
+ /*
+ * We didn't get a PAC, we have to make up the user
+ * ourselves. Try to ask the pdb backend to provide
+ * SID consistency with ntlmssp session setup
+ */
+ struct samu *sampass;
+ /* The stupid make_server_info_XX functions here
+ don't take a talloc context. */
+ struct auth_serversupplied_info *tmp = NULL;
+
+ sampass = samu_new(talloc_tos());
+ if (sampass == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (pdb_getsampwnam(sampass, username)) {
+ DEBUG(10, ("found user %s in passdb, calling "
+ "make_server_info_sam\n", username));
+ status = make_server_info_sam(&tmp, sampass);
+ } else {
+ /*
+ * User not in passdb, make it up artificially
+ */
+ DEBUG(10, ("didn't find user %s in passdb, calling "
+ "make_server_info_pw\n", username));
+ status = make_server_info_pw(&tmp, username, pw);
+ }
+ TALLOC_FREE(sampass);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("make_server_info_[sam|pw] failed: %s!\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ /* Steal tmp server info into the server_info pointer. */
+ *server_info = talloc_move(mem_ctx, &tmp);
+
+ /* make_server_info_pw does not set the domain. Without this
+ * we end up with the local netbios name in substitutions for
+ * %D. */
+
+ if ((*server_info)->info3 != NULL) {
+ (*server_info)->info3->base.domain.string =
+ talloc_strdup((*server_info)->info3, ntdomain);
+ }
+
+ }
+
+ return NT_STATUS_OK;
+}
+
 #else /* HAVE_KRB5 */
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 const char *cli_name,
@@ -169,4 +256,17 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 {
 return NT_STATUS_NOT_IMPLEMENTED;
 }
+
+NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntuser,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+ struct PAC_LOGON_INFO *logon_info,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+
 #endif /* HAVE_KRB5 */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index db31127..7af0d08 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4867,6 +4867,14 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 char **ntdomain,
 char **username,
 struct passwd **_pw);
+NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntuser,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+ struct PAC_LOGON_INFO *logon_info,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info);
 /* The following definitions come from smbd/message.c */
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index c9b5b8c..58b446d 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
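Review bot: In the no-PAC branch of make_server_info_krb5() in source3/auth/user_krb5.c, the result of `talloc_strdup((*server_info)->info3, ntdomain)` is stored without a NULL check, so an allocation failure leaves `info3->base.domain.string` NULL while the function still returns NT_STATUS_OK. Following the assignment with `if ((*server_info)->info3->base.domain.string == NULL) { TALLOC_FREE(*server_info); return NT_STATUS_NO_MEMORY; }` makes session setup fail closed instead of handing the caller a half-built identity. The helper would also benefit from a header comment stating what each branch trusts: the guest mapping, the PAC's info3, or a passdb/passwd lookup of `username` when no PAC was supplied.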
@@ -368,85 +368,17 @@ static void reply_spnego_kerberos(struct smb_request *req,
 /* reload services so that the new %U is taken into account */
 reload_services(sconn->msg_ctx, sconn->sock, True);
- if (map_domainuser_to_guest) {
- ret = make_server_info_guest(NULL, &server_info);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(1, ("make_server_info_guest failed: %s!\n",
- nt_errstr(ret)));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(ret));
- return;
- }
- } else if (logon_info) {
- /* pass the unmapped username here since map_username()
- will be called again from inside make_server_info_info3() */
-
- ret = make_server_info_info3(mem_ctx, user, domain,
- &server_info, &logon_info->info3);
- if (!NT_STATUS_IS_OK(ret)) {
- DEBUG(1,("make_server_info_info3 failed: %s!\n",
- nt_errstr(ret)));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(ret));
- return;
- }
-
- } else {
- /*
- * We didn't get a PAC, we have to make up the user
- * ourselves. Try to ask the pdb backend to provide
- * SID consistency with ntlmssp session setup
- */
- struct samu *sampass;
-
- sampass = samu_new(talloc_tos());
- if (sampass == NULL) {
- ret = NT_STATUS_NO_MEMORY;
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(ret));
- return;
- }
-
- if (pdb_getsampwnam(sampass, real_username)) {
- DEBUG(10, ("found user %s in passdb, calling "
- "make_server_info_sam\n", real_username));
- ret = make_server_info_sam(&server_info, sampass);
- TALLOC_FREE(sampass);
- } else {
- /*
- * User not in passdb, make it up artificially
- */
- TALLOC_FREE(sampass);
- DEBUG(10, ("didn't find user %s in passdb, calling "
- "make_server_info_pw\n", real_username));
- ret = make_server_info_pw(&server_info, real_username,
- pw);
- }
-
- if ( !NT_STATUS_IS_OK(ret) ) {
- DEBUG(1,("make_server_info_[sam|pw] failed: %s!\n",
- nt_errstr(ret)));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(ret));
- return;
- }
-
- /* make_server_info_pw does not set the domain. Without this
- * we end up with the local netbios name in substitutions for
- * %D. */
-
- if (server_info->info3 != NULL) {
- server_info->info3->base.domain.string =
- talloc_strdup(server_info->info3, domain);
- }
+ ret = make_server_info_krb5(mem_ctx,
+ user, domain, real_username, pw,
+ logon_info, map_domainuser_to_guest,
+ &server_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("make_server_info_krb5 failed!\n"));
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ TALLOC_FREE(mem_ctx);
+ reply_nterror(req, nt_status_squash(ret));
+ return;
 }
 server_info->nss_token |= username_was_mapped;
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 89f9ffe..e025f98 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
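Review bot: The new call in reply_spnego_kerberos() parents server_info to `mem_ctx` on every path, whereas the removed code passed NULL to make_server_info_guest() and called make_server_info_sam()/make_server_info_pw() with no talloc context argument. The error paths visible here free `mem_ctx`; if the success path, which lies outside this hunk, also frees it before server_info is reparented to the session, guest and no-PAC logins would be left holding a dangling pointer. Please confirm the ownership hand-off, or record it at the call with a comment such as `/* server_info is a child of mem_ctx: steal it before TALLOC_FREE(mem_ctx) */`. The replacement log line also drops the status code; `DEBUG(1, ("make_server_info_krb5 failed: %s!\n", nt_errstr(ret)));` would keep it.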
@@ -233,83 +233,16 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, /* reload services so that the new %U is taken into account */ reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true); - if (map_domainuser_to_guest) { - status = make_server_info_guest(session, - &session->server_info); - if (!NT_STATUS_IS_OK(status) ) { - DEBUG(1,("smb2: make_server_info_guest failed: %s!\n", - nt_errstr(status))); - goto fail; - } - - } else if (logon_info) { - /* pass the unmapped username here since map_username() - will be called again in make_server_info_info3() */ - - status = make_server_info_info3(session, - user, domain, - &session->server_info, - &logon_info->info3); - if (!NT_STATUS_IS_OK(status) ) { - DEBUG(1,("smb2: make_server_info_info3 failed: %s!\n", - nt_errstr(status))); - goto fail; - } - - } else { - /* - * We didn't get a PAC, we have to make up the user - * ourselves. Try to ask the pdb backend to provide - * SID consistency with ntlmssp session setup - */ - struct samu *sampass; - /* The stupid make_server_info_XX functions here - don't take a talloc context. 
*/ - struct auth_serversupplied_info *tmp_server_info = NULL; - - sampass = samu_new(talloc_tos()); - if (sampass == NULL) { - status = NT_STATUS_NO_MEMORY; - goto fail; - } - - if (pdb_getsampwnam(sampass, real_username)) { - DEBUG(10, ("smb2: found user %s in passdb, calling " - "make_server_info_sam\n", real_username)); - status = make_server_info_sam(&tmp_server_info, sampass); - TALLOC_FREE(sampass); - } else { - /* - * User not in passdb, make it up artificially - */ - TALLOC_FREE(sampass); - DEBUG(10, ("smb2: didn't find user %s in passdb, calling " - "make_server_info_pw\n", real_username)); - status = make_server_info_pw(&tmp_server_info, - real_username, pw); - } - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1,("smb2: make_server_info_[sam|pw] failed: %s!\n", - nt_errstr(status))); - goto fail; - } - - /* Steal tmp_server_info into the session->server_info - pointer. */ - session->server_info = talloc_move(session, &tmp_server_info); - - /* make_server_info_pw does not set the domain. Without this - * we end up with the local netbios name in substitutions for - * %D. */ - - if (session->server_info->info3 != NULL) { - session->server_info->info3->base.domain.string = - talloc_strdup(session->server_info->info3, domain); - } - + status = make_server_info_krb5(session, + user, domain, real_username, pw, + logon_info, map_domainuser_to_guest, + &session->server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("smb2: make_server_info_krb5 failed\n")); + goto fail; } + session->server_info->nss_token |= username_was_mapped; /* we need to build the token for the user. make_server_info_guest() -- Samba Shared Repository