| blob | fcc4c285ea8a453e93ef5a261d4c9b92f0d06599 |
1 /*
2 Unix SMB/CIFS implementation.
3 Authenticate against Samba4's auth subsystem
4 Copyright (C) Volker Lendecke 2008
5 Copyright (C) Andrew Bartlett 2010
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
31 #undef DBGC_CLASS
32 #define DBGC_CLASS DBGC_AUTH
40 {
43 }
45 /* Return a server_id with a unique task_id element. Free the
46 * returned pointer to de-allocate the task_id via a talloc destructor
47 * (ie, use talloc_free()) */
49 {
56 }
57 }
63 }
66 /* 0 is the default server_id, so we need to start with 1 */
72 }
77 }
79 /*
80 * This module is not an ordinary authentication module. It is really
81 * a way to redirect the whole authentication and authorization stack
82 * to use the source4 auth code, not a way to just handle NTLM
83 * authentication.
84 *
85 * See the comments above each function for how that hook changes the
86 * behaviour.
87 */
89 /*
90 * This hook is currently used by winbindd only, as all other NTLM
91 * logins go via the hooks provided by make_auth4_context_s4() below.
92 *
93 * This is only left in case we find a way that it might become useful
94 * in future. Importantly, this routine returns the information
95 * needed for a NETLOGON SamLogon, not what is needed to establish a
96 * session.
97 *
98 * We expect we may use this hook in the source3/ winbind when this
99 * services the AD DC. It is tested via pdbtest.
100 */
107 {
110 NTSTATUS nt_status;
118 }
120 nt_status = auth_context_set_challenge(auth4_context, auth_context->challenge.data, "auth_samba4");
125 }
132 }
135 user_info_dc,
138 /* We need the strings from the server_info to be valid as long as the info3 is around */
140 }
145 }
149 info3);
155 }
159 done:
162 }
164 /*
165 * Hook to allow the source4 set of GENSEC modules to handle
166 * blob-based authentication mechanisms, without directly linking the
167 * mechanism code.
168 *
169 * This may eventually go away, when the GSSAPI acceptors are merged,
170 * when we will just rely on the make_auth4_context_s4 hook instead.
171 *
172 * Even for NTLMSSP, which has a common module, significant parts of
173 * the behaviour are overridden here, because it uses the source4 NTLM
174 * stack and the source4 mapping between the PAC/SamLogon response and
175 * the local token.
176 *
177 * It is important to override all this to ensure that the exact same
178 * token is generated and used in the SMB and LDAP servers, for NTLM
179 * and for Kerberos.
180 */
183 {
184 NTSTATUS status;
198 }
204 }
211 }
214 lp_ctx,
221 }
225 server_credentials
231 }
236 DEBUG(10, ("Failed to obtain server credentials, perhaps a standalone server?: %s\n", nt_errstr(status)));
239 }
249 }
262 }
264 /*
265 * Hook to allow handling of NTLM authentication for AD operation
266 * without directly linking the s4 auth stack
267 *
268 * This ensures we use the source4 authentication stack, as well as
269 * the authorization stack to create the user's token. This ensures
270 * consistency between NTLM logins and NTLMSSP logins, as NTLMSSP is
271 * handled by the hook above.
272 */
275 {
276 NTSTATUS status;
288 }
294 }
301 }
304 lp_ctx,
311 }
315 event_ctx,
316 msg_ctx,
317 lp_ctx,
318 auth4_context);
324 }
332 }
334 /* module initialisation */
338 {
346 }
354 }
358 {
360 auth_init_samba4);
362 }