2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "auth/auth.h"
26 #include "libcli/security/security.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "auth/session_proto.h"
31 _PUBLIC_
struct auth_session_info
*anonymous_session(TALLOC_CTX
*mem_ctx
,
32 struct loadparm_context
*lp_ctx
)
35 struct auth_session_info
*session_info
= NULL
;
36 nt_status
= auth_anonymous_session_info(mem_ctx
, lp_ctx
, &session_info
);
37 if (!NT_STATUS_IS_OK(nt_status
)) {
43 _PUBLIC_ NTSTATUS
auth_generate_session_info(TALLOC_CTX
*mem_ctx
,
44 struct auth_context
*auth_context
,
45 struct auth_serversupplied_info
*server_info
,
46 uint32_t session_info_flags
,
47 struct auth_session_info
**_session_info
)
49 return auth_generate_session_info2(mem_ctx
,
50 auth_context
->event_ctx
,
56 _PUBLIC_ NTSTATUS
auth_generate_session_info2(TALLOC_CTX
*mem_ctx
,
57 struct tevent_context
*event_ctx
,
58 struct loadparm_context
*lp_ctx
,
59 struct auth_serversupplied_info
*server_info
,
60 struct auth_session_info
**_session_info
)
62 struct auth_session_info
*session_info
;
64 unsigned int i
, num_groupSIDs
= 0;
65 const char *account_sid_string
;
66 const char *account_sid_dn
;
67 DATA_BLOB account_sid_blob
;
68 const char *primary_group_string
;
69 const char *primary_group_dn
;
70 DATA_BLOB primary_group_blob
;
74 struct dom_sid
**groupSIDs
= NULL
;
75 const struct dom_sid
*dom_sid
;
77 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
78 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
80 if (!auth_context
->sam_ctx
) {
81 DEBUG(0, ("No SAM available, cannot determine local groups\n"));
82 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
85 /* For now, we don't have trusted domains, so we do a very
86 * simple check to see that the user's SID is in *this*
87 * domain, and then trust the user account control. When we
88 * get trusted domains, we should check it's a trusted domain
89 * in this forest. This elaborate check is to try and avoid a
90 * nasty security bug if we forget about this later... */
92 if (server_info
->acct_flags
& ACB_SVRTRUST
) {
93 dom_sid
= samdb_domain_sid(auth_context
->sam_ctx
);
95 if (dom_sid_in_domain(dom_sid
, server_info
->account_sid
)) {
96 session_info_flags
|= AUTH_SESSION_INFO_ENTERPRISE_DC
;
98 DEBUG(2, ("DC %s is not in our domain. "
99 "It will not have Enterprise Domain Controllers membership on this server",
100 server_info
->account_name
));
103 DEBUG(2, ("Could not obtain local domain SID, "
104 "so can not determine if DC %s is a DC of this domain. "
105 "It will not have Enterprise Domain Controllers membership",
106 server_info
->account_name
));
110 groupSIDs
= talloc_array(tmp_ctx
, struct dom_sid
*, server_info
->n_domain_groups
);
111 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs
, tmp_ctx
);
113 talloc_free(tmp_ctx
);
114 return NT_STATUS_NO_MEMORY
;
117 num_groupSIDs
= server_info
->n_domain_groups
;
119 for (i
=0; i
< server_info
->n_domain_groups
; i
++) {
120 groupSIDs
[i
] = server_info
->domain_groups
[i
];
123 filter
= talloc_asprintf(tmp_ctx
, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
124 GROUP_TYPE_BUILTIN_LOCAL_GROUP
);
126 session_info
= talloc(tmp_ctx
, struct auth_session_info
);
127 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info
, tmp_ctx
);
129 session_info
->server_info
= talloc_reference(session_info
, server_info
);
131 /* unless set otherwise, the session key is the user session
132 * key from the auth subsystem */
133 session_info
->session_key
= server_info
->user_session_key
;
135 /* Search for each group in the token */
137 /* Expands the account SID - this function takes in
138 * memberOf-like values, so we fake one up with the
139 * <SID=S-...> format of DN and then let it expand
140 * them, as long as they meet the filter - so only
143 * We already have the primary group in the token, so set
144 * 'only childs' flag to true
146 account_sid_string
= dom_sid_string(tmp_ctx
, server_info
->account_sid
);
147 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string
, server_info
);
149 account_sid_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", account_sid_string
);
150 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn
, server_info
);
152 account_sid_blob
= data_blob_string_const(account_sid_dn
);
154 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &account_sid_blob
, true, filter
,
155 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
156 if (!NT_STATUS_IS_OK(nt_status
)) {
157 talloc_free(tmp_ctx
);
161 /* Expands the primary group - this function takes in
162 * memberOf-like values, so we fake one up with the
163 * <SID=S-...> format of DN and then let it expand
164 * them, as long as they meet the filter - so only
167 * We already have the primary group in the token, so set
168 * 'only childs' flag to true
170 primary_group_string
= dom_sid_string(tmp_ctx
, server_info
->primary_group_sid
);
171 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string
, server_info
);
173 primary_group_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", primary_group_string
);
174 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn
, server_info
);
176 primary_group_blob
= data_blob_string_const(primary_group_dn
);
178 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &primary_group_blob
, true, filter
,
179 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
180 if (!NT_STATUS_IS_OK(nt_status
)) {
181 talloc_free(tmp_ctx
);
185 for (i
= 0; i
< server_info
->n_domain_groups
; i
++) {
186 const char *group_string
;
187 const char *group_dn
;
188 DATA_BLOB group_blob
;
189 group_string
= dom_sid_string(tmp_ctx
, server_info
->domain_groups
[i
]);
190 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string
, server_info
);
192 group_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", group_string
);
193 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn
, server_info
);
195 group_blob
= data_blob_string_const(group_dn
);
197 /* This function takes in memberOf values and expands
198 * them, as long as they meet the filter - so only
200 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &group_blob
, true, filter
,
201 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
202 if (!NT_STATUS_IS_OK(nt_status
)) {
203 talloc_free(tmp_ctx
);
208 nt_status
= security_token_create(session_info
,
211 server_info
->account_sid
,
212 server_info
->primary_group_sid
,
216 &session_info
->security_token
);
217 NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status
, tmp_ctx
);
219 session_info
->credentials
= NULL
;
221 talloc_steal(mem_ctx
, session_info
);
222 *_session_info
= session_info
;
227 * prints a struct auth_session_info security token to debug output.
229 void auth_session_info_debug(int dbg_lev
,
230 const struct auth_session_info
*session_info
)
233 DEBUG(dbg_lev
, ("Session Info: (NULL)\n"));
237 security_token_debug(dbg_lev
, session_info
->security_token
);