The branch, master has been updated
via 330b922 s4/wintest New ESXi configuration file
via fbe6d15 s4-auth Remove special case for account_sid from
auth_serversupplied_info
via cce5231 s4-gensec Add prototype for gensec_ntlmssp_init()
via 084b4e2 libcli/auth move ntlmssp_wrap() and ntlmssp_unwrap() into
common code.
from 039dd96 s4:selftest: mark samba4.nbt.winsreplication.owned as
knownfail
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 330b922bd6a80ccbdc6122012ce1ed273fd3f2e0
Author: Zahari Zahariev <zahari.zahar...@postpath.com>
Date: Thu Jan 20 15:26:18 2011 +0200
s4/wintest New ESXi configuration file
This is a way to use wintest as it is unchanged and work with
ESXi virtualization solution instead of VirtualBox or KVM. As the
virtualization server is a remote Linux like machine I use 'sshpass'
wrapper SSH to execute stop/reset/revert commands.
Autobuild-User: Andrew Bartlett <abart...@samba.org>
Autobuild-Date: Fri Jan 21 00:29:15 CET 2011 on sn-devel-104
commit fbe6d155bf177c610ee549cc534650b0f0700e8a
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 20 23:39:37 2011 +1100
s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
commit cce5231b4d4ee9d4918004586bda9d499596d3d4
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 20 16:38:08 2011 +1100
s4-gensec Add prototype for gensec_ntlmssp_init()
Andrew Bartlett
commit 084b4e235e2f500614638cb9c023a5ae8c2e531d
Author: Andrew Bartlett <abart...@samba.org>
Date: Thu Jan 20 16:37:04 2011 +1100
libcli/auth move ntlmssp_wrap() and ntlmssp_unwrap() into common code.
The idea here is to allow the source3/libads/sasl.c code to call this
instead of the lower level ntlmssp_* functions.
Andrew Bartlett
-----------------------------------------------------------------------
Summary of changes:
libcli/auth/ntlmssp.h | 8 ++
libcli/auth/ntlmssp_sign.c | 139 +++++++++++++++++++++++
source4/auth/auth.h | 7 +-
source4/auth/auth_sam_reply.c | 152 ++++++++++++++++++--------
source4/auth/ntlm/auth_developer.c | 14 +--
source4/auth/ntlm/auth_server.c | 13 +--
source4/auth/ntlm/auth_unix.c | 6 +-
source4/auth/ntlmssp/ntlmssp.h | 2 +
source4/auth/ntlmssp/ntlmssp_sign.c | 135 ++---------------------
source4/auth/sam.c | 68 +++++------
source4/auth/session.c | 112 +++++--------------
source4/auth/system_session.c | 56 +++++-----
source4/dsdb/common/util_groups.c | 13 +-
source4/dsdb/samdb/ldb_modules/operational.c | 4 +-
source4/dsdb/samdb/samdb.c | 53 ++++------
source4/smbd/service_named_pipe.c | 2 +-
source4/torture/auth/pac.c | 25 ++--
source4/torture/rpc/remote_pac.c | 20 ++--
wintest/conf/zahari-esxi.conf | 46 ++++++++
19 files changed, 464 insertions(+), 411 deletions(-)
create mode 100644 wintest/conf/zahari-esxi.conf
Changeset truncated at 500 lines:
diff --git a/libcli/auth/ntlmssp.h b/libcli/auth/ntlmssp.h
index dead412..495d94f 100644
--- a/libcli/auth/ntlmssp.h
+++ b/libcli/auth/ntlmssp.h
@@ -160,4 +160,12 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state,
uint8_t *data, size_t length,
const uint8_t *whole_pdu, size_t pdu_length,
const DATA_BLOB *sig);
+NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB *in,
+ DATA_BLOB *out);
+NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_stae,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB *in,
+ DATA_BLOB *out);
NTSTATUS ntlmssp_sign_init(struct ntlmssp_state *ntlmssp_state);
diff --git a/libcli/auth/ntlmssp_sign.c b/libcli/auth/ntlmssp_sign.c
index 3cf1ed7..0e57c07 100644
--- a/libcli/auth/ntlmssp_sign.c
+++ b/libcli/auth/ntlmssp_sign.c
@@ -388,6 +388,145 @@ NTSTATUS ntlmssp_unseal_packet(struct ntlmssp_state
*ntlmssp_state,
return status;
}
+NTSTATUS ntlmssp_wrap(struct ntlmssp_state *ntlmssp_state,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB *in,
+ DATA_BLOB *out)
+{
+ NTSTATUS nt_status;
+ DATA_BLOB sig;
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ *out = data_blob_talloc(out_mem_ctx, NULL, in->length +
NTLMSSP_SIG_SIZE);
+ if (!out->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
+
+ nt_status = ntlmssp_seal_packet(ntlmssp_state, out_mem_ctx,
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ &sig);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
+ talloc_free(sig.data);
+ }
+ return nt_status;
+
+ } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+
+ *out = data_blob_talloc(out_mem_ctx, NULL, in->length +
NTLMSSP_SIG_SIZE);
+ if (!out->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ memcpy(out->data + NTLMSSP_SIG_SIZE, in->data, in->length);
+
+ nt_status = ntlmssp_sign_packet(ntlmssp_state, out_mem_ctx,
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ out->data + NTLMSSP_SIG_SIZE,
+ out->length - NTLMSSP_SIG_SIZE,
+ &sig);
+
+ if (NT_STATUS_IS_OK(nt_status)) {
+ memcpy(out->data, sig.data, NTLMSSP_SIG_SIZE);
+ talloc_free(sig.data);
+ }
+ return nt_status;
+ } else {
+ *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
+ if (!out->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+ }
+}
+
+NTSTATUS ntlmssp_unwrap(struct ntlmssp_state *ntlmssp_state,
+ TALLOC_CTX *out_mem_ctx,
+ const DATA_BLOB *in,
+ DATA_BLOB *out)
+{
+ DATA_BLOB sig;
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
+ if (in->length < NTLMSSP_SIG_SIZE) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ sig.data = in->data;
+ sig.length = NTLMSSP_SIG_SIZE;
+
+ *out = data_blob_talloc(out_mem_ctx, in->data +
NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
+
+ return ntlmssp_unseal_packet(ntlmssp_state,
+ out->data, out->length,
+ out->data, out->length,
+ &sig);
+
+ } else if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
+ NTSTATUS status;
+ struct ntlmssp_crypt_direction save_direction;
+
+ if (in->length < NTLMSSP_SIG_SIZE) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ sig.data = in->data;
+ sig.length = NTLMSSP_SIG_SIZE;
+ *out = data_blob_talloc(out_mem_ctx, in->data +
NTLMSSP_SIG_SIZE, in->length - NTLMSSP_SIG_SIZE);
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2) {
+ save_direction = ntlmssp_state->crypt->ntlm2.receiving;
+ } else {
+ save_direction = ntlmssp_state->crypt->ntlm;
+ }
+
+ status = ntlmssp_check_packet(ntlmssp_state,
+ out->data, out->length,
+ out->data, out->length,
+ &sig);
+ if (!NT_STATUS_IS_OK(status)) {
+ NTSTATUS check_status = status;
+ /*
+ * The Windows LDAP libraries seems to have a bug
+ * and always use sealing even if only signing was
+ * negotiated. So we need to fallback.
+ */
+
+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_NTLM2)
{
+ ntlmssp_state->crypt->ntlm2.receiving =
save_direction;
+ } else {
+ ntlmssp_state->crypt->ntlm = save_direction;
+ }
+
+ status = ntlmssp_unseal_packet(ntlmssp_state,
+ out->data,
+ out->length,
+ out->data,
+ out->length,
+ &sig);
+ if (NT_STATUS_IS_OK(status)) {
+ ntlmssp_state->neg_flags |=
NTLMSSP_NEGOTIATE_SEAL;
+ } else {
+ status = check_status;
+ }
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("NTLMSSP packet check for unwrap failed due
to invalid signature\n"));
+ }
+ return status;
+ } else {
+ *out = data_blob_talloc(out_mem_ctx, in->data, in->length);
+ if (!out->data) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_OK;
+ }
+}
+
/**
Initialise the state for NTLMSSP signing.
*/
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 6d3dede..21790c4 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -50,11 +50,8 @@ struct loadparm_context;
struct auth_serversupplied_info
{
- struct dom_sid *account_sid;
- struct dom_sid *primary_group_sid;
-
- size_t n_domain_groups;
- struct dom_sid **domain_groups;
+ size_t num_sids;
+ struct dom_sid *sids;
DATA_BLOB user_session_key;
DATA_BLOB lm_session_key;
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index 0c03e78..bb2b6eb 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -29,12 +29,32 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX
*mem_ctx,
struct auth_serversupplied_info
*server_info,
struct netr_SamBaseInfo **_sam)
{
+ NTSTATUS status;
struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct
netr_SamBaseInfo);
NT_STATUS_HAVE_NO_MEMORY(sam);
- sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
- NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
- sam->domain_sid->num_auths--;
+ if (server_info->num_sids > PRIMARY_USER_SID_INDEX) {
+ status = dom_sid_split_rid(sam,
&server_info->sids[PRIMARY_USER_SID_INDEX],
+ &sam->domain_sid, &sam->rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) {
+ status = dom_sid_split_rid(NULL,
&server_info->sids[PRIMARY_GROUP_SID_INDEX],
+ NULL, &sam->primary_gid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ } else {
+ /* if we have to encode something like SYSTEM (with no
+ * second SID in the token) then this is the only
+ * choice */
+ sam->primary_gid = sam->rid;
+ }
sam->last_logon = server_info->last_logon;
sam->last_logoff = server_info->last_logoff;
@@ -52,22 +72,19 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX
*mem_ctx,
sam->logon_count = server_info->logon_count;
sam->bad_password_count = sam->bad_password_count;
- sam->rid =
server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1];
- sam->primary_gid =
server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
-
sam->groups.count = 0;
sam->groups.rids = NULL;
- if (server_info->n_domain_groups > 0) {
+ if (server_info->num_sids > 2) {
size_t i;
sam->groups.rids = talloc_array(sam, struct
samr_RidWithAttribute,
- server_info->n_domain_groups);
+ server_info->num_sids);
if (sam->groups.rids == NULL)
return NT_STATUS_NO_MEMORY;
- for (i=0; i<server_info->n_domain_groups; i++) {
- struct dom_sid *group_sid =
server_info->domain_groups[i];
+ for (i=2; i<server_info->num_sids; i++) {
+ struct dom_sid *group_sid = &server_info->sids[i];
if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
/* We handle this elsewhere */
continue;
@@ -116,8 +133,9 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX
*mem_ctx,
size_t i;
NT_STATUS_HAVE_NO_MEMORY(sam3);
- status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info,
&sam);
+ status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam);
if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(sam3);
return status;
}
sam3->base = *sam;
@@ -126,14 +144,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX
*mem_ctx,
sam3->sids = talloc_array(sam, struct netr_SidAttr,
- server_info->n_domain_groups);
- NT_STATUS_HAVE_NO_MEMORY(sam3->sids);
-
- for (i=0; i<server_info->n_domain_groups; i++) {
- if (dom_sid_in_domain(sam->domain_sid,
server_info->domain_groups[i])) {
+ server_info->num_sids);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
+
+ /* We don't put the user and group SIDs in there */
+ for (i=2; i<server_info->num_sids; i++) {
+ if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) {
continue;
}
- sam3->sids[sam3->sidcount].sid =
talloc_reference(sam3->sids,server_info->domain_groups[i]);
+ sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids,
&server_info->sids[i]);
+
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
sam3->sids[sam3->sidcount].attributes =
SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED;
sam3->sidcount += 1;
@@ -192,24 +212,38 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX
*mem_ctx,
trusted domains, and verify that the SID
matches.
*/
- server_info->account_sid = dom_sid_add_rid(server_info,
base->domain_sid, base->rid);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+ if (!base->domain_sid) {
+ DEBUG(0, ("Cannot operate on a Netlogon Validation without a
domain SID"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ /* The IDL layer would be a better place to check this, but to
+ * guard the integer addition below, we double-check */
+ if (base->groups.count > 65535) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- server_info->primary_group_sid = dom_sid_add_rid(server_info,
base->domain_sid, base->primary_gid);
- NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+ server_info->num_sids = 2;
- server_info->n_domain_groups = base->groups.count;
- if (base->groups.count) {
- server_info->domain_groups = talloc_array(server_info, struct
dom_sid*, base->groups.count);
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
- } else {
- server_info->domain_groups = NULL;
+ server_info->sids = talloc_array(server_info, struct dom_sid,
server_info->num_sids + base->groups.count);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+
+ server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
+ if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX],
base->rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
+ if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX],
base->primary_gid)) {
+ return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < base->groups.count; i++) {
- server_info->domain_groups[i] =
dom_sid_add_rid(server_info->domain_groups, base->domain_sid,
base->groups.rids[i].rid);
- NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
+ server_info->sids[server_info->num_sids] = *base->domain_sid;
+ if (!sid_append_rid(&server_info->sids[server_info->num_sids],
base->groups.rids[i].rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ server_info->num_sids++;
}
/* Copy 'other' sids. We need to do sid filtering here to
@@ -219,21 +253,29 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX
*mem_ctx,
*/
if (validation_level == 3) {
- struct dom_sid **dgrps = server_info->domain_groups;
- size_t sidcount = server_info->n_domain_groups +
validation->sam3->sidcount;
- size_t n_dgrps = server_info->n_domain_groups;
+ struct dom_sid *dgrps = server_info->sids;
+ size_t sidcount;
+
+ /* The IDL layer would be a better place to check this, but to
+ * guard the integer addition below, we double-check */
+ if (validation->sam3->sidcount > 65535) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ sidcount = server_info->num_sids + validation->sam3->sidcount;
if (validation->sam3->sidcount > 0) {
- dgrps = talloc_realloc(server_info, dgrps, struct
dom_sid*, sidcount);
+ dgrps = talloc_realloc(server_info, dgrps, struct
dom_sid, sidcount);
NT_STATUS_HAVE_NO_MEMORY(dgrps);
for (i = 0; i < validation->sam3->sidcount; i++) {
- dgrps[n_dgrps + i] = talloc_reference(dgrps,
validation->sam3->sids[i].sid);
+ if (validation->sam3->sids[i].sid) {
+ dgrps[server_info->num_sids] =
*validation->sam3->sids[i].sid;
+ server_info->num_sids++;
+ }
}
}
- server_info->n_domain_groups = sidcount;
- server_info->domain_groups = dgrps;
+ server_info->sids = dgrps;
/* Where are the 'global' sids?... */
}
@@ -307,18 +349,36 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
}
if (pac_logon_info->res_groups.count > 0) {
- struct dom_sid **rgrps;
- size_t sidcount = server_info->n_domain_groups +
pac_logon_info->res_groups.count;
- server_info->domain_groups = rgrps
- = talloc_realloc(server_info,
server_info->domain_groups, struct dom_sid *, sidcount);
- NT_STATUS_HAVE_NO_MEMORY(rgrps);
+ size_t sidcount;
+ /* The IDL layer would be a better place to check this, but to
+ * guard the integer addition below, we double-check */
+ if (pac_logon_info->res_groups.count > 65535) {
+ talloc_free(server_info);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /*
+ Here is where we should check the list of
+ trusted domains, and verify that the SID
+ matches.
+ */
+ if (!pac_logon_info->res_group_dom_sid) {
+ DEBUG(0, ("Cannot operate on a PAC without a resource
domain SID"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sidcount = server_info->num_sids +
pac_logon_info->res_groups.count;
+ server_info->sids
+ = talloc_realloc(server_info, server_info->sids, struct
dom_sid, sidcount);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids,
server_info);
for (i = 0; pac_logon_info->res_group_dom_sid && i <
pac_logon_info->res_groups.count; i++) {
- size_t sid_idx = server_info->n_domain_groups + i;
- rgrps[sid_idx]
- = dom_sid_add_rid(rgrps,
pac_logon_info->res_group_dom_sid,
-
pac_logon_info->res_groups.rids[i].rid);
-
NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+ server_info->sids[server_info->num_sids] =
*pac_logon_info->res_group_dom_sid;
+ if
(!sid_append_rid(&server_info->sids[server_info->num_sids],
+
pac_logon_info->res_groups.rids[i].rid)) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ server_info->num_sids++;
}
}
*_server_info = server_info;
diff --git a/source4/auth/ntlm/auth_developer.c
b/source4/auth/ntlm/auth_developer.c
index 96491d6..6384d98 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -68,15 +68,11 @@ static NTSTATUS name_to_ntstatus_check_password(struct
auth_method_context *ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
- server_info->account_sid = dom_sid_parse_talloc(server_info,
SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
- /* is this correct? */
- server_info->primary_group_sid = dom_sid_parse_talloc(server_info,
SID_BUILTIN_GUESTS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
- server_info->n_domain_groups = 0;
- server_info->domain_groups = NULL;
+ /* This returns a pointer to a struct dom_sid, which is the
+ * same as a 1 element list of struct dom_sid */
+ server_info->num_sids = 1;
+ server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c
index 898e2cc..8e9e73c 100644
--- a/source4/auth/ntlm/auth_server.c
+++ b/source4/auth/ntlm/auth_server.c
@@ -159,15 +159,12 @@ static NTSTATUS server_check_password(struct
auth_method_context *ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
- server_info->account_sid = dom_sid_parse_talloc(server_info,
SID_NT_ANONYMOUS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+ server_info->num_sids = 1;
- /* is this correct? */
- server_info->primary_group_sid = dom_sid_parse_talloc(server_info,
SID_BUILTIN_GUESTS);
- NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
- server_info->n_domain_groups = 0;
- server_info->domain_groups = NULL;
+ /* This returns a pointer to a struct dom_sid, which is the
+ * same as a 1 element list of struct dom_sid */
+ server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+ NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c
index 1c026f6..ba37e0a 100644
--- a/source4/auth/ntlm/auth_unix.c
+++ b/source4/auth/ntlm/auth_unix.c
@@ -65,10 +65,8 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX
*mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
/* This isn't in any way correct.. */
- server_info->account_sid = NULL;
- server_info->primary_group_sid = NULL;
- server_info->n_domain_groups = 0;
- server_info->domain_groups = NULL;
+ server_info->num_sids = 0;
+ server_info->sids = NULL;
}
server_info->user_session_key = data_blob(NULL,0);
server_info->lm_session_key = data_blob(NULL,0);
diff --git a/source4/auth/ntlmssp/ntlmssp.h b/source4/auth/ntlmssp/ntlmssp.h
index 510a7c1..0adf75f 100644
--- a/source4/auth/ntlmssp/ntlmssp.h
+++ b/source4/auth/ntlmssp/ntlmssp.h
@@ -33,4 +33,6 @@ struct gensec_ntlmssp_context {
struct loadparm_context;
struct auth_session_info;
+NTSTATUS gensec_ntlmssp_init(void);
+
#include "auth/ntlmssp/proto.h"
diff --git a/source4/auth/ntlmssp/ntlmssp_sign.c
b/source4/auth/ntlmssp/ntlmssp_sign.c
--
Samba Shared Repository
