The branch, master has been updated
       via  ad8965c s4-dsdb: only enforce the extended dn rules over ldap
       via  74674e7 s4-dsdb: removed the last use of samdb_search_*() from the dsdb ldb modules
       via  90110a0 s4-dsdb: removed some more samdb_search_*() calls from samldb.c
       via  3b7c498 s4-dsdb: replaced another use of samdb_search in a ldb module
       via  15c8107 s4-dsdb: fixed primaryGroupID to use dsdb_module_search_dn()
       via  31d644c s4-dsdb: fixed filtering of tokengroups
       via  f33ce41 ldb: new ABI file for 0.9.23
       via  60be4a4 s4-kdc: don't ask for an extended DN for krbtgt_dn
       via  197f4b0 s4-test: added a tokengroups test
       via  0450ab9 s4-samdb: give a more useful debug when we can't open the privileges db
       via  8df6504 s4-auth: fixed status return
       via  a0bc538 s4-samba-tool: fixed the gpo command to use the right DN for access checks
       via  a38854f s4-dsdb: minimise the DN in group expansion
       via  504a3cc ldb: added ldb_dn_minimise()
       via  74493af s4-dns: renamed DNS_TYPE_ZERO to DNS_TYPE_TOMBSTONE
       via  27d7f6a s4-dsdb: validate number of extended components
       via  fb704d7 ldb: added ldb_dn_get_extended_comp_num()
       via  29fb42a s4-samba_tool Added ACL checking to python GPO management tool
       via  012e570 libcli/security Add python bindings for se_access_check
       via  5322567 pyldb Simplify python wrappers for struct ldb_val (LdbValue)
       via  edd3b03 s4-auth Add get and set methods for auth_session_info python wrapper
       via  ece6eae s4-auth Add function to obtain any user's session_info from a given LDB
       via  c82269c s4-auth use new dsdb_expand_nested_groups()
       via  cbffc51 s4-dsdb Implement tokenGroups expansion directly in ldb operational module
      from  99a74ff Fix bug #7909 - map SYNCHRONIZE acl permission statically in zfs_acl vfs module.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ad8965c36446398a63bf698fffeaae3d8ba9ff8b
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 16:39:28 2011 +1100

    s4-dsdb: only enforce the extended dn rules over ldap

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Autobuild-User: Andrew Tridgell <tri...@samba.org>
    Autobuild-Date: Fri Jan 14 07:23:31 CET 2011 on sn-devel-104

commit 74674e782e9ecb6518bcfb7ca4bb40d44cd63c35
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 15:46:32 2011 +1100

    s4-dsdb: removed the last use of samdb_search_*() from the dsdb ldb modules

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 90110a0bbcde7bd8280c005777869609357b79ad
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 15:21:42 2011 +1100

    s4-dsdb: removed some more samdb_search_*() calls from samldb.c

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 3b7c49843734720fb31d4fa7d5d14ec0debb5867
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 11:47:49 2011 +1100

    s4-dsdb: replaced another use of samdb_search in a ldb module

    we should be using the dsdb_module_search*() calls

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 15c81078682a9ff67ff8c2f5c25fb4fad3a68616
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 11:37:09 2011 +1100

    s4-dsdb: fixed primaryGroupID to use dsdb_module_search_dn()

    this avoids using a multi-part extended DN in a search that hits
    the check in extended_dn_in

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 31d644c7f9a8ac5c142aa08e2338e6b7fa23a54e
Author: Andrew Tridgell <tri...@samba.org>
Date:   Fri Jan 14 10:41:47 2011 +1100

    s4-dsdb: fixed filtering of tokengroups

    builtin groups are shown in user tokenGroups searches

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit f33ce4101e81626c5a2d3d145923642997dda746
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 17:59:14 2011 +1100

    ldb: new ABI file for 0.9.23

commit 60be4a4c3729f0a1353947abc4a688c06a94e54d
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 17:40:29 2011 +1100

    s4-kdc: don't ask for an extended DN for krbtgt_dn

    otherwise msg->dn would be non-minimal and would fail in searches

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 197f4b098b31293f092580aa8e177cc6b8bc98c6
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 16:56:13 2011 +1100

    s4-test: added a tokengroups test

    this tests that the remote tokenGroups match the internally
    calculated ones

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 0450ab9536592965ab39d2ba7c5e431154ae1842
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 16:55:34 2011 +1100

    s4-samdb: give a more useful debug when we can't open the privileges db

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 8df6504ffeb0f32d6b53f8607fcc23418bda63bd
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 16:55:05 2011 +1100

    s4-auth: fixed status return

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit a0bc538a8f5906e86aa7cc8636ca141794c04514
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 15:09:03 2011 +1100

    s4-samba-tool: fixed the gpo command to use the right DN for access checks

commit a38854f74b9ab0e54647e1fe28fd85be345766dc
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 12:26:24 2011 +1100

    s4-dsdb: minimise the DN in group expansion

    this DN we have came from an extended DN search, which means it
    may have multiple extended components. We need to minimise the DN
    before AD will accept it

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 504a3cc6b36056f8240dae70a2445be1ad8cc6de
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 12:13:42 2011 +1100

    ldb: added ldb_dn_minimise()

    this removes any extraneous components from a DN. For an extended
    DN, this means removing the string DN and all but the first
    extended component. This is needed as AD returns "invalid syntax"
    if you don't use a minimal DN as the base DN for a search. A
    non-minimal DN also doesn't ever match in a search expression.

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 74493af86f953d209c57649178421929e8061c99
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 11:10:27 2011 +1100

    s4-dns: renamed DNS_TYPE_ZERO to DNS_TYPE_TOMBSTONE

    we now know that these are tombstone records, with a timestamp

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 27d7f6a31203c6ab3c5b1e3d667fc1c4c79d334f
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 11:08:40 2011 +1100

    s4-dsdb: validate number of extended components

    this checks that the number of extended components in a DN is
    valid, to match MS AD behaviour. We need to do this to ensure that
    our tools don't try to do operations that will be invalid when
    used against MS servers

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit fb704d7fc1336ad73f685abd8ac454bbde8ac966
Author: Andrew Tridgell <tri...@samba.org>
Date:   Thu Jan 13 11:07:15 2011 +1100

    ldb: added ldb_dn_get_extended_comp_num()

    this returns the number of extended components. We need this to
    validate a DN in the extended_dn_in module

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

commit 29fb42a48b29158dc77682e2f4a42ed0e961c4b2
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jan 11 18:40:54 2011 +1100

    s4-samba_tool Added ACL checking to python GPO management tool

commit 012e570416de8b48f89216ac1e6b0bba2357ac39
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jan 11 17:39:25 2011 +1100

    libcli/security Add python bindings for se_access_check

    Andrew Bartlett

commit 5322567530d588d0f420eeb720c9a2e3225d6007
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jan 11 16:45:39 2011 +1100

    pyldb Simplify python wrappers for struct ldb_val (LdbValue)

    Andrew Bartlett

commit edd3b033b861cf9e747c35a2345e714b4b2122a9
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jan 11 16:43:54 2011 +1100

    s4-auth Add get and set methods for auth_session_info python wrapper

    This allows the session key, security_token and credentials to be
    manipulated from python.

    Andrew Bartlett

    Pair-Programmed-With: Andrew Tridgell <tri...@samba.org>

commit ece6eae4d8862a564c581a3f3808c04edab6cb19
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Dec 22 17:17:07 2010 +1100

    s4-auth Add function to obtain any user's session_info from a given LDB

    This will be a building block for a tokenGroups test, which can
    compare against a remote server (in particular the rootDSE)
    against what we would calculate the tokenGroups to be.

    (this meant moving some parts out of the auth_sam code into the
    containing library)

    Andrew Bartlett

commit c82269cf862b00c987c02aefa78155c142f6d065
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Dec 21 22:35:13 2010 +1100

    s4-auth use new dsdb_expand_nested_groups()

    This isn't quite as good as using tokenGroups, but that is only
    available for BASE searches, and this isn't how all the callers
    work at the moment.

    Andrew Bartlett

commit cbffc513130733ca9e775d99cea8f9a7402f10d0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Dec 21 22:34:16 2010 +1100

    s4-dsdb Implement tokenGroups expansion directly in ldb operational module

    This removes a silly cross-dependency between the ldb module stack
    and auth/

    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/pysecurity.c                       |   83 +++++++
 libcli/security/wscript_build                      |    6 +
 librpc/idl/dnsp.idl                                |    3 +-
 source4/auth/ntlm/auth_sam.c                       |   87 +-------
 source4/auth/pyauth.c                              |  130 +++++++++++-
 source4/auth/sam.c                                 |  235 ++++++++------------
 source4/auth/session.c                             |   51 ++++-
 source4/auth/session.h                             |   14 ++
 source4/auth/wscript_build                         |    2 +-
 source4/dns_server/dlz_bind9.c                     |   10 +-
 source4/dsdb/common/util_groups.c                  |  172 ++++++++++++++
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c    |   31 +++-
 source4/dsdb/samdb/ldb_modules/operational.c       |  128 ++++++++---
 source4/dsdb/samdb/ldb_modules/rootdse.c           |   16 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |  129 ++++++++---
 source4/dsdb/samdb/samdb.c                         |    1 +
 source4/dsdb/tests/python/token_group.py           |  100 +++++++++
 source4/dsdb/wscript_build                         |    2 +-
 source4/kdc/db-glue.c                              |    2 +-
 .../ldb/ABI/{ldb-0.9.22.sigs => ldb-0.9.23.sigs}   |    2 +
 source4/lib/ldb/common/ldb_dn.c                    |   62 +++++
 source4/lib/ldb/include/ldb.h                      |   11 +
 source4/lib/ldb/pyldb.c                            |   21 +--
 source4/lib/ldb/wscript                            |    2 +-
 source4/scripting/python/samba/netcmd/gpo.py       |   43 +++-
 source4/selftest/tests.py                          |    1 +
 26 files changed, 1006 insertions(+), 338 deletions(-)
 create mode 100644 libcli/security/pysecurity.c
 create mode 100644 source4/dsdb/common/util_groups.c
 create mode 100755 source4/dsdb/tests/python/token_group.py
 copy source4/lib/ldb/ABI/{ldb-0.9.22.sigs => ldb-0.9.23.sigs} (99%)


Changeset truncated at 500 lines:

diff --git a/libcli/security/pysecurity.c b/libcli/security/pysecurity.c
new file mode 100644
index 0000000..56bdd69
--- /dev/null
+++ b/libcli/security/pysecurity.c
@@ -0,0 +1,83 @@ +/* + Unix SMB/CIFS implementation. + Copyright (C) Jelmer Vernooij <jel...@samba.org> 2007-2008 + Copyright (C) Andrew Bartlett <abart...@samba.org> 2011 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include <Python.h> +#include "includes.h" +#include "libcli/util/pyerrors.h" +#include "libcli/security/security.h" +#include "pytalloc.h" + +static PyObject *py_se_access_check(PyObject *module, PyObject *args, PyObject *kwargs) +{ + NTSTATUS nt_status; + const char * const kwnames[] = { "security_descriptor", "token", "access_desired", NULL }; + PyObject *py_sec_desc = Py_None; + PyObject *py_security_token = Py_None; + struct security_descriptor *security_descriptor; + struct security_token *security_token; + int access_desired; /* This is an int, because that's what + * we need for the python + * PyArg_ParseTupleAndKeywords */ + uint32_t access_granted; + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "OOi", + discard_const_p(char *, kwnames), + &py_sec_desc, &py_security_token, &access_desired)) { + return NULL; + } + + security_descriptor = py_talloc_get_type(py_sec_desc, struct security_descriptor); + if (!security_descriptor) { + PyErr_Format(PyExc_TypeError, + "Expected dcerpc.security.descriptor for security_descriptor argument got %s", + talloc_get_name(py_talloc_get_ptr(py_sec_desc))); + return NULL; + } + + security_token = 
py_talloc_get_type(py_security_token, struct security_token); + if (!security_token) { + PyErr_Format(PyExc_TypeError, + "Expected dcerpc.security.token for token argument, got %s", + talloc_get_name(py_talloc_get_ptr(py_security_token))); + return NULL; + } + + nt_status = se_access_check(security_descriptor, security_token, access_desired, &access_granted); + if (!NT_STATUS_IS_OK(nt_status)) { + PyErr_NTSTATUS_IS_ERR_RAISE(nt_status); + } + + return PyLong_FromLong(access_granted); +} + +static PyMethodDef py_security_methods[] = { + { "access_check", (PyCFunction)py_se_access_check, METH_VARARGS|METH_KEYWORDS, + "access_check(security_descriptor, token, access_desired) -> access_granted. Raises NT_STATUS on error, including on access check failure, returns access granted bitmask"}, + { NULL }, +}; + +void initsecurity(void) +{ + PyObject *m; + + m = Py_InitModule3("security", py_security_methods, + "Security support."); + if (m == NULL) + return; +} diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build index 4b3f46e..ca60a44 100644 --- a/libcli/security/wscript_build +++ b/libcli/security/wscript_build @@ -7,3 +7,9 @@ bld.SAMBA_LIBRARY('security', deps='talloc ndr NDR_SECURITY' ) +if getattr(bld.env, '_SAMBA_BUILD_', 0) == 4: + bld.SAMBA_PYTHON('pysecurity', + source='pysecurity.c', + deps='security', + realname='samba/security.so' + ) diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl index 495a3e2..f8cf1d4 100644 --- a/librpc/idl/dnsp.idl +++ b/librpc/idl/dnsp.idl @@ -24,7 +24,7 @@ import "misc.idl"; interface dnsp { typedef [enum16bit] enum { - DNS_TYPE_ZERO = 0x0, + DNS_TYPE_TOMBSTONE = 0x0, DNS_TYPE_A = 0x1, DNS_TYPE_NS = 0x2, DNS_TYPE_MD = 0x3, @@ -109,6 +109,7 @@ interface dnsp } dnsp_srv; typedef [nodiscriminant,gensize] union { + [case(DNS_TYPE_TOMBSTONE)] NTTIME timestamp; [case(DNS_TYPE_A)] [flag(NDR_BIG_ENDIAN)] ipv4address ipv4; [case(DNS_TYPE_NS)] dnsp_name ns; [case(DNS_TYPE_CNAME)] dnsp_name cname; 
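Review bot: in py_se_access_check the failure branch is guarded by `if (!NT_STATUS_IS_OK(nt_status))` but then relies on PyErr_NTSTATUS_IS_ERR_RAISE, which by its name raises and returns only for error-class statuses; for any non-OK status that is not error-class, control falls out of the if and reaches `return PyLong_FromLong(access_granted);`, so the Python caller would receive a granted mask from a check that did not succeed. Set the exception and return NULL unconditionally inside that branch, or test NT_STATUS_IS_ERR in the guard so the two agree. Two smaller points in the same function: `access_desired` is parsed with the "i" (signed int) format and passed to se_access_check where a uint32_t mask is expected, so a negative Python value silently becomes a high-bit mask ("I" is the matching format); and the TypeError paths call `talloc_get_name(py_talloc_get_ptr(py_sec_desc))` on an object that has just failed py_talloc_get_type, which presumes the argument is at least a talloc-backed Python object before the mismatch is reported.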
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 259efec..6457132 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c 
@@ -353,87 +353,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx, } -/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. - - Supply either a principal or a DN -*/ -NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, - struct auth_context *auth_context, - const char *principal, - struct ldb_dn *user_dn, - struct auth_serversupplied_info **server_info) +/* Wrapper for the auth subsystem pointer */ +NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx, + struct auth_context *auth_context, + const char *principal, + struct ldb_dn *user_dn, + struct auth_serversupplied_info **server_info) { - NTSTATUS nt_status; - DATA_BLOB user_sess_key = data_blob(NULL, 0); - DATA_BLOB lm_sess_key = data_blob(NULL, 0); - - struct ldb_message *msg; - struct ldb_dn *domain_dn; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - if (!tmp_ctx) { - return NT_STATUS_NO_MEMORY; - } - - if (principal) { - nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal, - user_attrs, &domain_dn, &msg); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - } else if (user_dn) { - struct dom_sid *user_sid, *domain_sid; - int ret; - /* pull the user attributes */ - ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn, - LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); - if (ret == LDB_ERR_NO_SUCH_OBJECT) { - talloc_free(tmp_ctx); - return NT_STATUS_NO_SUCH_USER; - } else if (ret != LDB_SUCCESS) { - talloc_free(tmp_ctx); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); - - nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); - if (!NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - - domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL, - "(&(objectSid=%s)(objectClass=domain))", - 
ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); - if (!domain_dn) { - DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n", - dom_sid_string(tmp_ctx, domain_sid))); - return NT_STATUS_NO_SUCH_USER; - } - - } else { - return NT_STATUS_INVALID_PARAMETER; - } - - nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx, - lpcfg_netbios_name(auth_context->lp_ctx), - lpcfg_workgroup(auth_context->lp_ctx), - domain_dn, - msg, - user_sess_key, lm_sess_key, - server_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - talloc_steal(mem_ctx, *server_info); - talloc_free(tmp_ctx); - - return NT_STATUS_OK; + return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, + principal, user_dn, server_info); } - static const struct auth_operations sam_ignoredomain_ops = { .name = "sam_ignoredomain", .get_challenge = auth_get_challenge_not_implemented, diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c index 2ef5ebb..c8ab460 100644 --- a/source4/auth/pyauth.c +++ b/source4/auth/pyauth.c @@ -1,7 +1,8 @@ /* Unix SMB/CIFS implementation. Copyright (C) Jelmer Vernooij <jel...@samba.org> 2007-2008 - + Copyright (C) Andrew Bartlett <abart...@samba.org> 2011 + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or 
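Review bot: the removed body of authsam_get_server_info_principal returned without freeing tmp_ctx on two error paths (`return nt_status;` after dom_sid_split_rid and `return NT_STATUS_NO_SUCH_USER;` when the domain lookup fails) and allocated domain_dn on mem_ctx rather than tmp_ctx; the relocated implementation in source4/auth/sam.c is past the 500-line truncation of this mail, so it is worth confirming those leaks did not move with the code. Also, the old header comment ("Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. Supply either a principal or a DN") is dropped and the new authsam_get_server_info_principal_wrapper only says "Wrapper for the auth subsystem pointer"; the either-principal-or-DN contract belongs on whichever of the two functions now carries the logic.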
@@ -18,17 +19,78 @@ #include <Python.h> #include "includes.h" +#include "libcli/util/pyerrors.h" #include "param/param.h" #include "pyauth.h" +#include "pyldb.h" #include "auth/system_session_proto.h" +#include "auth/auth.h" #include "param/pyparam.h" #include "libcli/security/security.h" +#include "auth/credentials/pycredentials.h" +#include "librpc/rpc/pyrpc_util.h" + +static PyObject *py_auth_session_get_security_token(PyObject *self, void *closure) +{ + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + PyObject *py_security_token; + py_security_token = py_return_ndr_struct("samba.dcerpc.security", "token", + session->security_token, session->security_token); + return py_security_token; +} + +static int py_auth_session_set_security_token(PyObject *self, PyObject *value, void *closure) +{ + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + session->security_token = talloc_reference(session, py_talloc_get_ptr(value)); + return 0; +} + +static PyObject *py_auth_session_get_session_key(PyObject *self, void *closure) +{ + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + return PyString_FromStringAndSize((char *)session->session_key.data, session->session_key.length); +} + +static int py_auth_session_set_session_key(PyObject *self, PyObject *value, void *closure) +{ + DATA_BLOB val; + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + val.data = (uint8_t *)PyString_AsString(value); + val.length = PyString_Size(value); + + session->session_key = data_blob_talloc(session, val.data, val.length); + return 0; +} + +static PyObject *py_auth_session_get_credentials(PyObject *self, void *closure) +{ + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + PyObject *py_credentials; + /* This is evil, as the credentials are not IDL structures */ + py_credentials = 
py_return_ndr_struct("samba.credentials", "Credentials", session->credentials, session->credentials); + return py_credentials; +} + +static int py_auth_session_set_credentials(PyObject *self, PyObject *value, void *closure) +{ + struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self); + session->credentials = talloc_reference(session, PyCredentials_AsCliCredentials(value)); + return 0; +} +static PyGetSetDef py_auth_session_getset[] = { + { discard_const_p(char, "security_token"), (getter)py_auth_session_get_security_token, (setter)py_auth_session_set_security_token, NULL }, + { discard_const_p(char, "session_key"), (getter)py_auth_session_get_session_key, (setter)py_auth_session_set_session_key, NULL }, + { discard_const_p(char, "credentials"), (getter)py_auth_session_get_credentials, (setter)py_auth_session_set_credentials, NULL }, + { NULL } +}; static PyTypeObject PyAuthSession = { .tp_name = "AuthSession", .tp_basicsize = sizeof(py_talloc_Object), .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_getset = py_auth_session_getset, }; PyObject *PyAuthSession_FromSession(struct auth_session_info *session) 
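Review bot: the three setters accept `value` without a type or NULL check. py_auth_session_set_session_key calls `PyString_AsString(value)` and `PyString_Size(value)` on whatever is passed; for a non-string both return failure indicators (NULL and -1) that are ignored, and data_blob_talloc is then asked for a blob of length (size_t)-1 from a NULL pointer. `del session.session_key` reaches the setter with value == NULL and has the same effect, and py_auth_session_set_security_token hands the same NULL to py_talloc_get_ptr. Suggest `if (value == NULL || !PyString_Check(value)) { PyErr_SetString(PyExc_TypeError, ...); return -1; }` in the key setter, a py_talloc type check before talloc_reference in the token setter, and a check on the return value of talloc_reference, which is unchecked in both. Since the session key and security token decide what a session may do, these setters are exactly where a bad value should be refused rather than stored. Minor: the previous security_token and credentials references are never released when replaced, so repeated assignment accumulates references on `session`.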
@@ -102,9 +164,69 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args) return PyAuthSession_FromSession(session); } +static PyObject *py_user_session(PyObject *module, PyObject *args, PyObject *kwargs) +{ + NTSTATUS nt_status; + struct auth_session_info *session; + TALLOC_CTX *mem_ctx; + const char * const kwnames[] = { "ldb", "lp_ctx", "principal", "dn", "session_info_flags", NULL }; + struct ldb_context *ldb_ctx; + PyObject *py_ldb = Py_None; + PyObject *py_dn = Py_None; + PyObject *py_lp_ctx = Py_None; + struct loadparm_context *lp_ctx = NULL; + struct ldb_dn *user_dn; + char *principal = NULL; + int session_info_flags = 0; /* This is an int, because that's + * what we need for the python + * PyArg_ParseTupleAndKeywords */ + + if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O|OzOi", + discard_const_p(char *, kwnames), + &py_ldb, &py_lp_ctx, &principal, &py_dn, &session_info_flags)) { + return NULL; + } + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + ldb_ctx = PyLdb_AsLdbContext(py_ldb); + + if (py_dn == Py_None) { + user_dn = NULL; + } else { + if (!PyObject_AsDn(ldb_ctx, py_dn, ldb_ctx, &user_dn)) { + talloc_free(mem_ctx); + return NULL; + } + } + + lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx); + if (lp_ctx == NULL) { + talloc_free(mem_ctx); + return NULL; + } + + nt_status = authsam_get_session_info_principal(mem_ctx, lp_ctx, ldb_ctx, principal, user_dn, + session_info_flags, &session); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(mem_ctx); + PyErr_NTSTATUS_IS_ERR_RAISE(nt_status); + } + + talloc_steal(NULL, session); + talloc_free(mem_ctx); + + return PyAuthSession_FromSession(session); +} + static PyMethodDef py_auth_methods[] = { { "system_session", (PyCFunction)py_system_session, METH_VARARGS, NULL }, { "admin_session", (PyCFunction)py_admin_session, METH_VARARGS, NULL }, + { "user_session", (PyCFunction)py_user_session, METH_VARARGS|METH_KEYWORDS, NULL }, { NULL }, }; 
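Review bot: py_user_session is registered in py_auth_methods with a NULL docstring, and nothing in the code documents that one of `principal` and `dn` is expected (both default to NULL/None and are passed straight through), what `session_info_flags` accepts (the AUTH_SESSION_INFO_* values exported further down), or that the result is a session_info for whichever account is named, built from the caller's LDB handle with no authentication of that account; a docstring in the style of the access_check entry in pysecurity.c would cover this. Also `ldb_ctx = PyLdb_AsLdbContext(py_ldb);` is used without a PyLdb_Check on py_ldb, unlike the py_dn path which goes through PyObject_AsDn, so a wrong type here is dereferenced rather than reported. Finally, lp_ctx is allocated under mem_ctx, which is freed before the session is returned; that relies on authsam_get_session_info_principal not retaining lp_ctx inside `session`, which deserves a comment at the talloc_free.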
@@ -126,4 +248,10 @@ void initauth(void) Py_INCREF(&PyAuthSession); PyModule_AddObject(m, "AuthSession", (PyObject *)&PyAuthSession); + +#define ADD_FLAG(val) PyModule_AddObject(m, #val, PyInt_FromLong(val)) + ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS); + ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED); + ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES); + } diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 0da36ea..0a97d81 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -1,7 +1,7 @@ /* Unix SMB/CIFS implementation. Password and authentication handling - Copyright (C) Andrew Bartlett <abart...@samba.org> 2001-2004 + Copyright (C) Andrew Bartlett <abart...@samba.org> 2001-2010 Copyright (C) Gerald Carter 2003 Copyright (C) Stefan Metzmacher 2005 Copyright (C) Matthias Dieter Wallnöfer 2009 @@ -28,6 +28,8 @@ #include "libcli/security/security.h" #include "auth/auth_sam.h" #include "dsdb/common/util.h" +#include "libcli/ldap/ldap_ndr.h" +#include "param/param.h" #define KRBTGT_ATTRS \ /* required for the krb5 kdc */ \ 
@@ -265,147 +267,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/* This function tests if a SID structure "sids" contains the SID "sid" */ -static bool sids_contains_sid(const struct dom_sid **sids, - const unsigned int num_sids, - const struct dom_sid *sid) -{ - unsigned int i; - - for (i = 0; i < num_sids; i++) { - if (dom_sid_equal(sids[i], sid)) - return true; - } - return false; -} - - -/* - * This function generates the transitive closure of a given SAM object "dn_val" - * (it basically expands nested memberships). - * If the object isn't located in the "res_sids" structure yet and the - * "only_childs" flag is false, we add it to "res_sids". - * Then we've always to consider the "memberOf" attributes. We invoke the - * function recursively on each of it with the "only_childs" flag set to - * "false". - * The "only_childs" flag is particularly useful if you have a user object and - * want to include all it's groups (referenced with "memberOf") but not itself - * or considering if that object matches the filter. - * - * At the beginning "res_sids" should reference to a NULL pointer. 
- */ -NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx, - struct ldb_val *dn_val, const bool only_childs, const char *filter, - TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids, - unsigned int *num_res_sids) -{ - const char * const attrs[] = { "memberOf", NULL }; - unsigned int i; - int ret; - bool already_there; - struct ldb_dn *dn; - struct dom_sid sid; - TALLOC_CTX *tmp_ctx; - struct ldb_result *res; - NTSTATUS status; - const struct ldb_message_element *el; - - if (*res_sids == NULL) { - *num_res_sids = 0; - } - - if (!sam_ctx) { - DEBUG(0, ("No SAM available, cannot determine local groups\n")); - return NT_STATUS_INVALID_SYSTEM_SERVICE; - } - - tmp_ctx = talloc_new(res_sids_ctx); - - dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val); - if (dn == NULL) { - talloc_free(tmp_ctx); - DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n", - (int)dn_val->length, dn_val->data)); - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - status = dsdb_get_extended_dn_sid(dn, &sid, "SID"); - if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - /* If we fail finding a SID then this is no error since it could - * be a non SAM object - e.g. a group with object class - * "groupOfNames" */ - talloc_free(tmp_ctx); - return NT_STATUS_OK; - } else if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n", - ldb_dn_get_extended_linearized(tmp_ctx, dn, 1), - nt_errstr(status))); - talloc_free(tmp_ctx); -- Samba Shared Repository
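As an added illustration (not code from Samba or ldb) of the rule that the ldb_dn_minimise(), ldb_dn_get_extended_comp_num() and "validate number of extended components" commits above describe: an extended DN returned from a search may carry several <NAME=VALUE> components plus the string DN, and before it can be reused as a search base it must be cut down to the first extended component alone. The model below is plain Python with a constructed GUID and SID; the threshold in check_search_base (more than one extended component is refused with the "invalid syntax" error the commit text attributes to AD) is my reading of the commit messages, not the extended_dn_in module's exact check.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# One leading "<NAME=VALUE>" component, with the ';' that separates it
# from whatever follows (the next component or the string DN).
_EXT_COMPONENT = re.compile(r"<([A-Za-z0-9_]+)=([^>]*)>;?")


@dataclass(frozen=True)
class ExtendedDn:
    """An extended DN as ldb prints it: zero or more <NAME=VALUE>
    components in front of an ordinary string DN, which may be empty."""
    ext_components: Tuple[Tuple[str, str], ...]
    string_dn: str


def parse_extended_dn(text: str) -> ExtendedDn:
    """Split e.g. '<GUID=..>;<SID=..>;CN=x,DC=y' into its components."""
    comps = []
    pos = 0
    while True:
        m = _EXT_COMPONENT.match(text, pos)
        if m is None:
            break
        comps.append((m.group(1).upper(), m.group(2)))
        pos = m.end()
    return ExtendedDn(tuple(comps), text[pos:])


def get_extended_comp_num(dn: ExtendedDn) -> int:
    """Model of ldb_dn_get_extended_comp_num(): count of <NAME=VALUE> parts."""
    return len(dn.ext_components)


def minimise(dn: ExtendedDn) -> ExtendedDn:
    """Model of ldb_dn_minimise(): for an extended DN drop the string DN
    and every extended component after the first; a plain DN is unchanged."""
    if not dn.ext_components:
        return dn
    return ExtendedDn(dn.ext_components[:1], "")


def extended_linearized(dn: ExtendedDn) -> str:
    """Render back to the '<GUID=..>;<SID=..>;CN=x,DC=y' wire form."""
    parts = ["<%s=%s>" % comp for comp in dn.ext_components]
    if dn.string_dn:
        parts.append(dn.string_dn)
    return ";".join(parts)


def check_search_base(dn: ExtendedDn) -> Optional[str]:
    """Modelled check (assumption drawn from the commit text): a search
    base carrying more than one extended component is refused the way AD
    refuses it.  Returns an error string, or None when the base is acceptable."""
    n = get_extended_comp_num(dn)
    if n > 1:
        return "LDB_ERR_INVALID_DN_SYNTAX: %d extended components in %s" % (
            n, extended_linearized(dn))
    return None


def base_dn_for_search(result_dn: str) -> str:
    """What a client should do with a DN that came back from an extended-DN
    search before sending it as a base DN: minimise it, then use the
    extended linearized form."""
    return extended_linearized(minimise(parse_extended_dn(result_dn)))


if __name__ == "__main__":
    # Constructed sample; the GUID and SID values are made up.
    from_search = ("<GUID=c1d2e3f4-0000-4000-8000-000000000001>;"
                   "<SID=S-1-5-21-1-2-3-1105>;"
                   "CN=Domain Users,CN=Users,DC=example,DC=com")
    dn = parse_extended_dn(from_search)
    print("extended components:", get_extended_comp_num(dn))
    print("as a base DN:       ", check_search_base(dn))
    print("minimised:          ", base_dn_for_search(from_search))
```

The one-component form is also what the "minimise the DN in group expansion" commit is after: the DN handed to the next search keeps only the GUID (or SID) anchor, which is what a server will match on, while the multi-component form from the search result would be rejected as a base and would never match in a filter.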