From 1961d7a4119200b8a4ad7b0207e0cdcf2e10d3f8 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 21 Dec 2010 10:19:53 +1100
Subject: [PATCH] s4-auth rework session_info handling not to require an auth
 context

This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.

Andrew Bartlett
---
 source4/auth/ntlm/auth.c                     | 15 ++++++++++++++-
 source4/auth/session.c                       | 13 +++++++------
 source4/auth/session.h                       |  7 +++----
 source4/auth/system_session.c                |  4 ++--
 source4/dsdb/samdb/ldb_modules/operational.c |  2 +-
 source4/samba_tool/gpo.c                     | 11 +----------
 6 files changed, 28 insertions(+), 24 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index f7de0201b60..0c6c8ef52c6 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -408,6 +408,19 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 	return NT_STATUS_OK;
 }
 
+/* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb */
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+						   struct auth_context *auth_context,
+						   struct auth_serversupplied_info *server_info,
+						   uint32_t session_info_flags,
+						   struct auth_session_info **session_info)
+{
+	return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+					  auth_context->sam_ctx, server_info,
+					  session_info_flags, session_info);
+}
+
 /***************************************************************************
  Make a auth_info struct for the auth subsystem
  - Allow the caller to specify the methods to use, including optionally the SAM to use
@@ -476,7 +489,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 	ctx->set_challenge = auth_context_set_challenge;
 	ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
 	ctx->get_server_info_principal = auth_get_server_info_principal;
-	ctx->generate_session_info = auth_generate_session_info;
+	ctx->generate_session_info = auth_generate_session_info_wrapper;
 
 	*auth_ctx = ctx;
 
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bb6a5946e58..1028aa83201 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -41,7 +41,8 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
 }
 
 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
-					     struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */
+					     struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+					     struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
 					     struct auth_serversupplied_info *server_info,
 					     uint32_t session_info_flags,
 					     struct auth_session_info **_session_info)
@@ -83,7 +84,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 		/* Don't expand nested groups of system, anonymous etc*/
-	} else if (auth_context) {
+	} else if (sam_ctx) {
 		groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 		if (!groupSIDs) {
@@ -119,7 +120,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		
 		account_sid_blob = data_blob_string_const(account_sid_dn);
 		
-		nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
+		nt_status = authsam_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
 							 tmp_ctx, &groupSIDs, &num_groupSIDs);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(tmp_ctx);
@@ -143,7 +144,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 		
 		primary_group_blob = data_blob_string_const(primary_group_dn);
 		
-		nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
+		nt_status = authsam_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
 							 tmp_ctx, &groupSIDs, &num_groupSIDs);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(tmp_ctx);
@@ -167,7 +168,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 			/* This function takes in memberOf values and expands
 			 * them, as long as they meet the filter - so only
 			 * builtin groups */
-			nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
+			nt_status = authsam_expand_nested_groups(sam_ctx, &group_blob, true, filter,
 								 tmp_ctx, &groupSIDs, &num_groupSIDs);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				talloc_free(tmp_ctx);
@@ -177,7 +178,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	}
 
 	nt_status = security_token_create(session_info,
-					  auth_context ? auth_context->lp_ctx : NULL,
+					  lp_ctx,
 					  server_info->account_sid,
 					  server_info->primary_group_sid,
 					  num_groupSIDs,
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 3de054aef1a..bdcfe7ab935 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -31,7 +31,6 @@ struct auth_session_info {
 #include "librpc/gen_ndr/netlogon.h"
 
 struct tevent_context;
-struct auth_context;
 /* Create a security token for a session SYSTEM (the most
  * trusted/prvilaged account), including the local machine account as
  * the off-host credentials */
@@ -41,11 +40,11 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
 				    const char *netbios_name,
 				    struct auth_serversupplied_info **_server_info) ;
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
-				    struct auth_context *auth_context,
-				    struct auth_serversupplied_info *server_info, 
+				    struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+				    struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+				    struct auth_serversupplied_info *server_info,
 				    uint32_t session_info_flags,
 				    struct auth_session_info **_session_info);
-
 NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx, 
 				     struct loadparm_context *lp_ctx,
 				     struct auth_session_info **_session_info);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index bec22c16005..6e0cd7be5a5 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -194,7 +194,7 @@ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
 	}
 
 	/* references the server_info into the session_info */
-	nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+	nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
 	talloc_free(mem_ctx);
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -445,7 +445,7 @@ _PUBLIC_ NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
 	}
 
 	/* references the server_info into the session_info */
-	nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
+	nt_status = auth_generate_session_info(parent_ctx, lp_ctx, NULL, server_info, 0, &session_info);
 	talloc_free(mem_ctx);
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index d98131113d2..c4c2660f57e 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -167,7 +167,7 @@ static int construct_token_groups(struct ldb_module *module,
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	status = auth_generate_session_info(tmp_ctx, auth_context, server_info, 0, &session_info);
+	status = auth_generate_session_info(tmp_ctx, auth_context->lp_ctx, ldb, server_info, 0, &session_info);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
 		talloc_free(tmp_ctx);
 		return ldb_module_oom(module);
diff --git a/source4/samba_tool/gpo.c b/source4/samba_tool/gpo.c
index 65838d07123..93aae609834 100644
--- a/source4/samba_tool/gpo.c
+++ b/source4/samba_tool/gpo.c
@@ -215,7 +215,6 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
 	NTSTATUS status;
 	int rv;
 	unsigned int i;
-	struct auth_context *auth_context;
 
 	if (argc != 1) {
 		return net_gpo_list_usage(ctx, argc, argv);
@@ -267,16 +266,8 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
 		return 1;
 	}
 
-	/* We do now need an auth context to create a session */
-	status = auth_context_create_from_ldb(gp_ctx, gp_ctx->ldb_ctx, &auth_context);
-	if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, ("Failed to get an auth context: %s\n", get_friendly_nt_error_msg(status)));
-		talloc_free(gp_ctx);
-		return 1;
-	}
-
 	/* The session info will contain the security token for this user */
-	status = auth_generate_session_info(gp_ctx, auth_context, server_info, 0, &session_info);
+	status = auth_generate_session_info(gp_ctx, gp_ctx->lp_ctx, gp_ctx->ldb_ctx, server_info, 0, &session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0, ("Failed to generate session information: %s\n", get_friendly_nt_error_msg(status)));
 		talloc_free(gp_ctx);
-- 
2.11.4.GIT