2 Unix SMB/CIFS implementation.
3 Authentication utility functions
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Andrew Bartlett 2001-2010
6 Copyright (C) Jeremy Allison 2000-2001
7 Copyright (C) Rafal Szczesniak 2002
8 Copyright (C) Stefan Metzmacher 2005
10 This program is free software; you can redistribute it and/or modify
11 it under the terms of the GNU General Public License as published by
12 the Free Software Foundation; either version 3 of the License, or
13 (at your option) any later version.
15 This program is distributed in the hope that it will be useful,
16 but WITHOUT ANY WARRANTY; without even the implied warranty of
17 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 GNU General Public License for more details.
20 You should have received a copy of the GNU General Public License
21 along with this program. If not, see <http://www.gnu.org/licenses/>.
25 #include "auth/auth.h"
26 #include "libcli/security/security.h"
27 #include "libcli/auth/libcli_auth.h"
28 #include "dsdb/samdb/samdb.h"
29 #include "auth/session_proto.h"
31 _PUBLIC_
struct auth_session_info
*anonymous_session(TALLOC_CTX
*mem_ctx
,
32 struct loadparm_context
*lp_ctx
)
35 struct auth_session_info
*session_info
= NULL
;
36 nt_status
= auth_anonymous_session_info(mem_ctx
, lp_ctx
, &session_info
);
37 if (!NT_STATUS_IS_OK(nt_status
)) {
43 _PUBLIC_ NTSTATUS
auth_generate_session_info(TALLOC_CTX
*mem_ctx
,
44 struct auth_context
*auth_context
,
45 struct auth_serversupplied_info
*server_info
,
46 uint32_t session_info_flags
,
47 struct auth_session_info
**_session_info
)
49 struct auth_session_info
*session_info
;
51 unsigned int i
, num_groupSIDs
= 0;
52 const char *account_sid_string
;
53 const char *account_sid_dn
;
54 DATA_BLOB account_sid_blob
;
55 const char *primary_group_string
;
56 const char *primary_group_dn
;
57 DATA_BLOB primary_group_blob
;
61 struct dom_sid
**groupSIDs
= NULL
;
62 const struct dom_sid
*dom_sid
;
64 TALLOC_CTX
*tmp_ctx
= talloc_new(mem_ctx
);
65 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx
);
67 if (!auth_context
->sam_ctx
) {
68 DEBUG(0, ("No SAM available, cannot determine local groups\n"));
69 return NT_STATUS_INVALID_SYSTEM_SERVICE
;
72 /* For now, we don't have trusted domains, so we do a very
73 * simple check to see that the user's SID is in *this*
74 * domain, and then trust the user account control. When we
75 * get trusted domains, we should check it's a trusted domain
76 * in this forest. This elaborate check is to try and avoid a
77 * nasty security bug if we forget about this later... */
79 if (server_info
->acct_flags
& ACB_SVRTRUST
) {
80 dom_sid
= samdb_domain_sid(auth_context
->sam_ctx
);
82 if (dom_sid_in_domain(dom_sid
, server_info
->account_sid
)) {
83 session_info_flags
|= AUTH_SESSION_INFO_ENTERPRISE_DC
;
85 DEBUG(2, ("DC %s is not in our domain. "
86 "It will not have Enterprise Domain Controllers membership on this server",
87 server_info
->account_name
));
90 DEBUG(2, ("Could not obtain local domain SID, "
91 "so can not determine if DC %s is a DC of this domain. "
92 "It will not have Enterprise Domain Controllers membership",
93 server_info
->account_name
));
97 groupSIDs
= talloc_array(tmp_ctx
, struct dom_sid
*, server_info
->n_domain_groups
);
98 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs
, tmp_ctx
);
100 talloc_free(tmp_ctx
);
101 return NT_STATUS_NO_MEMORY
;
104 num_groupSIDs
= server_info
->n_domain_groups
;
106 for (i
=0; i
< server_info
->n_domain_groups
; i
++) {
107 groupSIDs
[i
] = server_info
->domain_groups
[i
];
110 filter
= talloc_asprintf(tmp_ctx
, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
111 GROUP_TYPE_BUILTIN_LOCAL_GROUP
);
113 session_info
= talloc(tmp_ctx
, struct auth_session_info
);
114 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info
, tmp_ctx
);
116 session_info
->server_info
= talloc_reference(session_info
, server_info
);
118 /* unless set otherwise, the session key is the user session
119 * key from the auth subsystem */
120 session_info
->session_key
= server_info
->user_session_key
;
122 /* Search for each group in the token */
124 /* Expands the account SID - this function takes in
125 * memberOf-like values, so we fake one up with the
126 * <SID=S-...> format of DN and then let it expand
127 * them, as long as they meet the filter - so only
130 * We already have the primary group in the token, so set
131 * 'only childs' flag to true
133 account_sid_string
= dom_sid_string(tmp_ctx
, server_info
->account_sid
);
134 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string
, server_info
);
136 account_sid_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", account_sid_string
);
137 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn
, server_info
);
139 account_sid_blob
= data_blob_string_const(account_sid_dn
);
141 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &account_sid_blob
, true, filter
,
142 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
143 if (!NT_STATUS_IS_OK(nt_status
)) {
144 talloc_free(tmp_ctx
);
148 /* Expands the primary group - this function takes in
149 * memberOf-like values, so we fake one up with the
150 * <SID=S-...> format of DN and then let it expand
151 * them, as long as they meet the filter - so only
154 * We already have the primary group in the token, so set
155 * 'only childs' flag to true
157 primary_group_string
= dom_sid_string(tmp_ctx
, server_info
->primary_group_sid
);
158 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string
, server_info
);
160 primary_group_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", primary_group_string
);
161 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn
, server_info
);
163 primary_group_blob
= data_blob_string_const(primary_group_dn
);
165 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &primary_group_blob
, true, filter
,
166 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
167 if (!NT_STATUS_IS_OK(nt_status
)) {
168 talloc_free(tmp_ctx
);
172 for (i
= 0; i
< server_info
->n_domain_groups
; i
++) {
173 const char *group_string
;
174 const char *group_dn
;
175 DATA_BLOB group_blob
;
176 group_string
= dom_sid_string(tmp_ctx
, server_info
->domain_groups
[i
]);
177 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string
, server_info
);
179 group_dn
= talloc_asprintf(tmp_ctx
, "<SID=%s>", group_string
);
180 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn
, server_info
);
181 talloc_free(group_string
);
182 group_blob
= data_blob_string_const(group_dn
);
184 /* This function takes in memberOf values and expands
185 * them, as long as they meet the filter - so only
187 nt_status
= authsam_expand_nested_groups(auth_context
->sam_ctx
, &group_blob
, true, filter
,
188 tmp_ctx
, &groupSIDs
, &num_groupSIDs
);
189 if (!NT_STATUS_IS_OK(nt_status
)) {
190 talloc_free(tmp_ctx
);
195 nt_status
= security_token_create(session_info
,
196 auth_context
->event_ctx
,
197 auth_context
->lp_ctx
,
198 server_info
->account_sid
,
199 server_info
->primary_group_sid
,
203 &session_info
->security_token
);
204 NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status
, tmp_ctx
);
206 session_info
->credentials
= NULL
;
208 talloc_steal(mem_ctx
, session_info
);
209 *_session_info
= session_info
;
214 * prints a struct auth_session_info security token to debug output.
216 void auth_session_info_debug(int dbg_lev
,
217 const struct auth_session_info
*session_info
)
220 DEBUG(dbg_lev
, ("Session Info: (NULL)\n"));
224 security_token_debug(dbg_lev
, session_info
->security_token
);