[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Aug 17 19:23:44 MDT 2010


The branch, master has been updated
       via  f37793e... s4:ldap_server use talloc_unlink() to avoid talloc_free() with references
       via  23dc2e4... s4:auth Change {anonymous,system}_session to use common session_info generation
       via  2ceb3d8... s4:auth Avoid doing database lookups for NT AUTHORITY users
       via  ba52834... s4:auth Remove system_session_anon() from python bindings
       via  a68a559... s4:auth Remove the system:anonymous parameter used for the LDAP backend
       via  d99ff14... s4:auth Remove special case constructor for admin_session()
       via  7c6ca95... s4:security Remove use of user_sid and group_sid from struct security_token
       via  60086dc... s4:ntvfs Don't treat the user SID and primary group SID special for idmap
       via  e229f68... s4:security Bring in #defines for the user and primary group token location
      from  26ff858... s3: Remove smbd_server_fd() from session_claim

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f37793ef0aa31eec9a6e619b55fa07c3025fcac6
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Aug 18 10:00:40 2010 +1000

    s4:ldap_server use talloc_unlink() to avoid talloc_free() with references
    
    Both the session_info and the ldb can have references.
    
    Andrew Bartlett

commit 23dc2e4244a99f1e955d54c22516a7a8c108d989
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 20:33:36 2010 +1000

    s4:auth Change {anonymous,system}_session to use common session_info generation
    
    This also changes the primary group for anonymous to be the anonymous
    SID, and adds code to detect and ignore this when constructing the token.
    
    Andrew Bartlett

commit 2ceb3d8d35b87926d0ffc933782321598457fc11
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 19:55:30 2010 +1000

    s4:auth Avoid doing database lookups for NT AUTHORITY users

commit ba52834dd97d4c855ab98c2cbab1d6ed8d189de8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 17:45:57 2010 +1000

    s4:auth Remove system_session_anon() from python bindings

commit a68a5592c5fc88fc7ba335cfbe375d687c8b8112
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 14:16:41 2010 +1000

    s4:auth Remove the system:anonymous parameter used for the LDAP backend
    
    This isn't needed any more, and just introduces complexity.

commit d99ff145aec8933a49be9e6fcc4d9e39591bbb28
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 14:15:49 2010 +1000

    s4:auth Remove special case constructor for admin_session()
    
    There isn't a good reason why this code is duplicated.
    
    Andrew Bartlett

commit 7c6ca95bec5141707d4f19e802062731d6789cc5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 13:30:51 2010 +1000

    s4:security Remove use of user_sid and group_sid from struct security_token
    
    This makes the structure more like Samba3's NT_USER_TOKEN

commit 60086dcf9a58525d400b39e9464847d73cbce6d2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 13:28:40 2010 +1000

    s4:ntvfs Don't treat the user SID and primary group SID special for idmap
    
    This simply asks IDMAP about all the user SIDs, rather than the user
    and group sid, followed by all but the first two sids from the token.
    
    Andrew Bartlett

commit e229f68b3e8f146d5dfa4ab57f126cc7ea5c7214
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Sat Aug 14 13:26:35 2010 +1000

    s4:security Bring in #defines for the user and primary group token location
    
    This will allow us to stop duplicating the user and primary group SID in the
    struct security_token, and therefore make it more like the NT_USER_TOKEN
    in Samba3.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/security.idl                     |    2 -
 source4/auth/pyauth.c                       |   19 ---
 source4/auth/sam.c                          |    6 +
 source4/auth/session.c                      |  224 ++++++++++++++-------------
 source4/auth/session.h                      |    7 -
 source4/auth/system_session.c               |  134 +++-------------
 source4/auth/tests/bindings.py              |    2 -
 source4/dsdb/samdb/ldb_modules/acl.c        |    4 +-
 source4/dsdb/samdb/samdb.c                  |   10 +-
 source4/dsdb/samdb/samdb_privilege.c        |    2 +-
 source4/dsdb/tests/python/acl.py            |    3 +-
 source4/kdc/kpasswdd.c                      |    6 +-
 source4/ldap_server/ldap_bind.c             |    8 +-
 source4/lib/policy/gp_ldap.c                |    2 +-
 source4/libcli/security/create_descriptor.c |    7 +-
 source4/libcli/security/security.h          |    3 +
 source4/libcli/security/security_token.c    |    8 +-
 source4/ntvfs/unixuid/vfs_unixuid.c         |   16 +--
 source4/rpc_server/drsuapi/getncchanges.c   |    2 +-
 source4/rpc_server/drsuapi/updaterefs.c     |    4 +-
 source4/rpc_server/handles.c                |    6 +-
 source4/rpc_server/lsa/dcesrv_lsa.c         |    2 +-
 22 files changed, 185 insertions(+), 292 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 369579c..68ed485 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -467,8 +467,6 @@ interface security
 	} sec_desc_buf;
 
 	typedef [public] struct {
-		dom_sid *user_sid;
-		dom_sid *group_sid;
 		uint32 num_sids;
 		[size_is(num_sids)] dom_sid *sids[*];
 		udlong privilege_mask;
diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index ee4d511..dff6963 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -56,24 +56,6 @@ static PyObject *py_system_session(PyObject *module, PyObject *args)
 }
 
 
-static PyObject *py_system_session_anon(PyObject *module, PyObject *args)
-{
-	PyObject *py_lp_ctx = Py_None;
-	struct loadparm_context *lp_ctx;
-	struct auth_session_info *session;
-
-	if (!PyArg_ParseTuple(args, "|O", &py_lp_ctx))
-		return NULL;
-
-	lp_ctx = lpcfg_from_py_object(NULL, py_lp_ctx); /* FIXME: leaks memory */
-	if (lp_ctx == NULL)
-		return NULL;
-
-	session = system_session_anon(NULL, lp_ctx);
-
-	return PyAuthSession_FromSession(session);
-}
-
 static PyObject *py_admin_session(PyObject *module, PyObject *args)
 {
 	PyObject *py_lp_ctx;
@@ -96,7 +78,6 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
 
 static PyMethodDef py_auth_methods[] = {
 	{ "system_session", (PyCFunction)py_system_session, METH_VARARGS, NULL },
-	{ "system_session_anonymous", (PyCFunction)py_system_session_anon, METH_VARARGS, NULL },
 	{ "admin_session", (PyCFunction)py_admin_session, METH_VARARGS, NULL },
 	{ NULL },
 };
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 7a776b9..0bb6bd8 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -330,6 +330,12 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
+	if (!sam_ctx) {
+		DEBUG(0, ("No SAM available, cannot determine local groups\n"));
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
+	}
+
 	if (only_childs) {
 		ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
 				     DSDB_SEARCH_SHOW_EXTENDED_DN);
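Review bot: The new guard `if (!sam_ctx)` is placed after tmp_ctx has been allocated and after an earlier validation branch rather than at function entry, so any use of sam_ctx between the start of authsam_expand_nested_groups (outside this hunk) and this point would still dereference NULL; I cannot confirm from here that there is none. If there is none, it is only a readability point: parameter validation conventionally comes first, before any allocation, so the failure path has nothing to free. Since this check is now what protects the dsdb_search_dn call below from the NULL-context callers the rest of the series introduces, a short comment would help the next reader, e.g. `/* Callers may pass a NULL sam_ctx for NT AUTHORITY accounts that need no SAM lookups; see auth_generate_session_info() */`.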
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 024d8ec..bd1be8e 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -41,7 +41,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
 }
 
 _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
-					     struct auth_context *auth_context,
+					     struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */
 					     struct auth_serversupplied_info *server_info,
 					     uint32_t session_info_flags,
 					     struct auth_session_info **_session_info)
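Review bot: The contract `Optional if the domain SID is in the NT AUTHORITY domain` is expressed as a trailing comment inside the parameter list on the `struct auth_context *auth_context,` line, where a `/* ... */` in the middle of a prototype is unusual and easy to miss. It would be better as a block comment above the function, and the wording should match what the body actually checks, which is the account SID against the anonymous and system SIDs only, e.g. `/* auth_context may be NULL only when server_info->account_sid is the anonymous or system SID; no SAM lookups are done in that case. */`.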
@@ -59,16 +59,11 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	const char *filter;
 
 	struct dom_sid **groupSIDs = NULL;
-	const struct dom_sid *dom_sid;
+	const struct dom_sid *dom_sid, *anonymous_sid, *system_sid;
 
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
 
-	if (!auth_context->sam_ctx) {
-		DEBUG(0, ("No SAM available, cannot determine local groups\n"));
-		return NT_STATUS_INVALID_SYSTEM_SERVICE;
-	}
-
 	/* For now, we don't have trusted domains, so we do a very
 	 * simple check to see that the user's SID is in *this*
 	 * domain, and then trust the user account control.  When we
@@ -76,40 +71,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	 * in this forest.  This elaborate check is to try and avoid a
 	 * nasty security bug if we forget about this later... */
 
-	if (server_info->acct_flags & ACB_SVRTRUST) {
-		dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-		if (dom_sid) {
-			if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
-				session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
-			} else {
-				DEBUG(2, ("DC %s is not in our domain.  "
-					  "It will not have Enterprise Domain Controllers membership on this server",
-					  server_info->account_name));
-			}
-		} else {
-			DEBUG(2, ("Could not obtain local domain SID, "
-				  "so can not determine if DC %s is a DC of this domain.  "
-				  "It will not have Enterprise Domain Controllers membership",
-				  server_info->account_name));
-		}
-	}
-
-	groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
-	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
-	if (!groupSIDs) {
-		talloc_free(tmp_ctx);
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	num_groupSIDs = server_info->n_domain_groups;
-
-	for (i=0; i < server_info->n_domain_groups; i++) {
-		groupSIDs[i] = server_info->domain_groups[i];
-	}
-
-	filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
-				 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
-
 	session_info = talloc(tmp_ctx, struct auth_session_info);
 	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
 
@@ -119,84 +80,130 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	 * key from the auth subsystem */ 
 	session_info->session_key = server_info->user_session_key;
 
-	/* Search for each group in the token */
-
-	/* Expands the account SID - this function takes in
-	 * memberOf-like values, so we fake one up with the
-	 * <SID=S-...> format of DN and then let it expand
-	 * them, as long as they meet the filter - so only
-	 * builtin groups
-	 *
-	 * We already have the primary group in the token, so set
-	 * 'only childs' flag to true
-	 */
-	account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid);
-	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info);
-
-	account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
-	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info);
-
-	account_sid_blob = data_blob_string_const(account_sid_dn);
-
-	nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
-					      tmp_ctx, &groupSIDs, &num_groupSIDs);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return nt_status;
-	}
-
-	/* Expands the primary group - this function takes in
-	 * memberOf-like values, so we fake one up with the
-	 * <SID=S-...> format of DN and then let it expand
-	 * them, as long as they meet the filter - so only
-	 * builtin groups
-	 *
-	 * We already have the primary group in the token, so set
-	 * 'only childs' flag to true
-	 */
-	primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid);
-	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
-
-	primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
-	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
-
-	primary_group_blob = data_blob_string_const(primary_group_dn);
-
-	nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
-					      tmp_ctx, &groupSIDs, &num_groupSIDs);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return nt_status;
-	}
-
-	for (i = 0; i < server_info->n_domain_groups; i++) {
-		char *group_string;
-		const char *group_dn;
-		DATA_BLOB group_blob;
+	anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
+	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
+
+	system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
+	NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
+
+	if (dom_sid_equal(anonymous_sid, server_info->account_sid)) {
+		/* Don't expand nested groups of system, anonymous etc*/
+	} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
+		/* Don't expand nested groups of system, anonymous etc*/
+	} else if (auth_context) {
+		if (server_info->acct_flags & ACB_SVRTRUST) {
+			dom_sid = samdb_domain_sid(auth_context->sam_ctx);
+			if (dom_sid) {
+				if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
+				session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
+				} else {
+					DEBUG(2, ("DC %s is not in our domain.  "
+						  "It will not have Enterprise Domain Controllers membership on this server",
+						  server_info->account_name));
+				}
+			} else {
+				DEBUG(2, ("Could not obtain local domain SID, "
+					  "so can not determine if DC %s is a DC of this domain.  "
+					  "It will not have Enterprise Domain Controllers membership",
+					  server_info->account_name));
+			}
+		}
+		
+		groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
+		if (!groupSIDs) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_NO_MEMORY;
+		}
+		
+		num_groupSIDs = server_info->n_domain_groups;
+		
+		for (i=0; i < server_info->n_domain_groups; i++) {
+			groupSIDs[i] = server_info->domain_groups[i];
+		}
+		
+		filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
+					 GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 
-		group_string = dom_sid_string(tmp_ctx,
-					      server_info->domain_groups[i]);
-		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info);
+		/* Search for each group in the token */
 
-		group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string);
-		talloc_free(group_string);
-		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info);
-		group_blob = data_blob_string_const(group_dn);
+		/* Expands the account SID - this function takes in
+		 * memberOf-like values, so we fake one up with the
+		 * <SID=S-...> format of DN and then let it expand
+		 * them, as long as they meet the filter - so only
+		 * builtin groups
+		 *
+		 * We already have the primary group in the token, so set
+		 * 'only childs' flag to true
+		 */
+		account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info);
+		
+		account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info);
+		
+		account_sid_blob = data_blob_string_const(account_sid_dn);
+		
+		nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
+							 tmp_ctx, &groupSIDs, &num_groupSIDs);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return nt_status;
+		}
 
-		/* This function takes in memberOf values and expands
+		/* Expands the primary group - this function takes in
+		 * memberOf-like values, so we fake one up with the
+		 * <SID=S-...> format of DN and then let it expand
 		 * them, as long as they meet the filter - so only
-		 * builtin groups */
-		nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
-						      tmp_ctx, &groupSIDs, &num_groupSIDs);
+		 * builtin groups
+		 *
+		 * We already have the primary group in the token, so set
+		 * 'only childs' flag to true
+		 */
+		primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
+		
+		primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
+		
+		primary_group_blob = data_blob_string_const(primary_group_dn);
+		
+		nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
+							 tmp_ctx, &groupSIDs, &num_groupSIDs);
 		if (!NT_STATUS_IS_OK(nt_status)) {
 			talloc_free(tmp_ctx);
 			return nt_status;
 		}
+		
+		for (i = 0; i < server_info->n_domain_groups; i++) {
+			char *group_string;
+			const char *group_dn;
+			DATA_BLOB group_blob;
+			
+			group_string = dom_sid_string(tmp_ctx,
+						      server_info->domain_groups[i]);
+			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info);
+			
+			group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string);
+			talloc_free(group_string);
+			NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info);
+			group_blob = data_blob_string_const(group_dn);
+			
+			/* This function takes in memberOf values and expands
+			 * them, as long as they meet the filter - so only
+			 * builtin groups */
+			nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
+								 tmp_ctx, &groupSIDs, &num_groupSIDs);
+			if (!NT_STATUS_IS_OK(nt_status)) {
+				talloc_free(tmp_ctx);
+				return nt_status;
+			}
+		}
 	}
 
 	nt_status = security_token_create(session_info,
-					  auth_context->event_ctx,
-					  auth_context->lp_ctx,
+					  auth_context ? auth_context->event_ctx : NULL,
+					  auth_context ? auth_context->lp_ctx : NULL,
 					  server_info->account_sid,
 					  server_info->primary_group_sid,
 					  num_groupSIDs,
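Review bot: When auth_context is NULL and server_info->account_sid is neither the anonymous nor the system SID, the `else if (auth_context)` chain falls through with groupSIDs still NULL and num_groupSIDs left at whatever it was initialised to (its declaration is outside the hunk), and security_token_create is then called with that pair; a domain account would thus get a token with no nested or BUILTIN group membership resolved, which is silent loss of group membership at best and an uninitialised count at worst. The comment added on the signature says the context is optional only for NT AUTHORITY accounts, so that contract should be enforced with a final `} else { talloc_free(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; }` and `num_groupSIDs = 0;` set before the chain. Separately, the re-indented NT_STATUS_HAVE_NO_MEMORY_AND_FREE calls for account_sid_string, account_sid_dn, primary_group_string, primary_group_dn, group_string and group_dn free server_info while every other failure path here frees tmp_ctx; this pre-dates the commit, but it now stands out against the new tmp_ctx frees at the top of the block and would leak tmp_ctx while destroying the caller's server_info. The explicit `if (!groupSIDs)` check after NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx) is unreachable and can be dropped, and the `session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;` line is mis-indented by one level. auth_generate_session_info starts and ends outside this hunk.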
@@ -209,6 +216,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 
 	talloc_steal(mem_ctx, session_info);
 	*_session_info = session_info;
+	talloc_free(tmp_ctx);
 	return NT_STATUS_OK;
 }
 
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 8e22cc0..3de054a 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -37,13 +37,6 @@ struct auth_context;
  * the off-host credentials */
 struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
 
-/*
- * Create a system session, but with anonymous credentials (so we do
- * not need to open secrets.ldb) 
- */
-struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
-
-
 NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, 
 				    const char *netbios_name,
 				    struct auth_serversupplied_info **_server_info) ;
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 386f066..4712702 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -51,13 +51,10 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
 	ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
 	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
 
-	ptoken->user_sid = talloc_reference(ptoken, user_sid);
-	ptoken->group_sid = talloc_reference(ptoken, group_sid);
+	ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+	ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
 	ptoken->privilege_mask = 0;
 
-	ptoken->sids[0] = ptoken->user_sid;
-	ptoken->sids[1] = ptoken->group_sid;
-
 	/*
 	 * Finally add the "standard" SIDs.
 	 * The only difference between guest and "anonymous"
@@ -93,23 +90,21 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
 	*token = ptoken;
 
 	/* Shortcuts to prevent recursion and avoid lookups */
-	if (ptoken->user_sid == NULL) {
+	if (ptoken->sids == NULL) {
 		ptoken->privilege_mask = 0;
 		return NT_STATUS_OK;
 	} 
 	
 	if (security_token_is_system(ptoken)) {
 		ptoken->privilege_mask = ~0;
-		return NT_STATUS_OK;
-	} 
-	
-	if (security_token_is_anonymous(ptoken)) {
+	} else if (security_token_is_anonymous(ptoken)) {
+		ptoken->privilege_mask = 0;
+	} else if (security_token_has_builtin_administrators(ptoken)) {
+		ptoken->privilege_mask = ~0;
+	} else {
+		/* All other 'users' get a empty priv set so far */
 		ptoken->privilege_mask = 0;
-		return NT_STATUS_OK;
 	}
-
-	/* All other 'users' get a empty priv set so far */
-	ptoken->privilege_mask = 0;
 	return NT_STATUS_OK;
 }
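Review bot: The replacement shortcut `if (ptoken->sids == NULL)` can never be true here: ptoken->sids is allocated and checked with NT_STATUS_HAVE_NO_MEMORY in the first hunk of this function, so the early return that used to fire for a NULL user_sid is now dead and a token with a NULL primary SID proceeds into security_token_is_system(). The equivalent of the old test is `if (ptoken->sids[PRIMARY_USER_SID_INDEX] == NULL) {`. The new `security_token_has_builtin_administrators` branch assigns the full privilege mask (`~0`) to any token carrying BUILTIN\Administrators, which changes who receives every privilege and is not mentioned in any of the commit messages; it deserves a line in the log and a comment at the branch, e.g. `/* BUILTIN\Administrators get all privileges until a real privilege database exists */`. create_token begins outside this hunk.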
 
@@ -178,10 +173,9 @@ _PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ct
 	return static_session;
 }
 
-static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, 
-					  struct loadparm_context *lp_ctx,
-					  bool anonymous_credentials, 
-					  struct auth_session_info **_session_info) 
+NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
+				  struct loadparm_context *lp_ctx,
+				  struct auth_session_info **_session_info) 
 {
 	NTSTATUS nt_status;
 	struct auth_serversupplied_info *server_info = NULL;
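Review bot: The definition `NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,` drops the `_PUBLIC_` marker that the removed wrapper of the same name carried (the `_PUBLIC_ NTSTATUS auth_system_session_info(...)` deleted in a later hunk of this file); if the build hides symbols by default this silently changes the export status of a function external callers may already use. Restoring it is one line: `_PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, `. The function body continues beyond this hunk.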
@@ -196,7 +190,7 @@ static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx,
 	}
 
 	/* references the server_info into the session_info */
-	nt_status = auth_generate_simple_session_info(parent_ctx, server_info, &session_info);
+	nt_status = auth_generate_session_info(parent_ctx, NULL, server_info, 0, &session_info);
 	talloc_free(mem_ctx);
 
 	NT_STATUS_NOT_OK_RETURN(nt_status);
@@ -208,42 +202,12 @@ static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx,
 
 	cli_credentials_set_conf(session_info->credentials, lp_ctx);
 
-	if (anonymous_credentials) {
-		cli_credentials_set_anonymous(session_info->credentials);
-	} else {
-		cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
-	}
+	cli_credentials_set_machine_account_pending(session_info->credentials, lp_ctx);
 	*_session_info = session_info;
 
 	return NT_STATUS_OK;
 }
 
-/*
-  Create a system session, but with anonymous credentials (so we do not need to open secrets.ldb)
-*/
-_PUBLIC_ struct auth_session_info *system_session_anon(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
-{
-	NTSTATUS nt_status;
-	struct auth_session_info *session_info = NULL;
-	nt_status = _auth_system_session_info(mem_ctx, lp_ctx, true, &session_info);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return NULL;
-	}
-	return session_info;
-}
-
-
-
-_PUBLIC_ NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx, 
-					   struct loadparm_context *lp_ctx,
-					   struct auth_session_info **_session_info) 
-{
-	return _auth_system_session_info(parent_ctx, 
-			lp_ctx,
-			lpcfg_parm_bool(lp_ctx, NULL, "system", "anonymous", false),
-			_session_info);
-}
-
 NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, 
 				 struct auth_serversupplied_info **_server_info) 
 {
@@ -317,57 +281,6 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
 }
 
 
-/* Create server info for the Administrator account. This should only be used
- * during provisioning when we need to impersonate Administrator but
- * the account has not been created yet */
-
-static NTSTATUS create_admin_token(TALLOC_CTX *mem_ctx,
-				   struct dom_sid *user_sid,
-				   struct dom_sid *group_sid,
-				   unsigned int n_groupSIDs,
-				   struct dom_sid **groupSIDs,
-				   struct security_token **token)
-{
-	struct security_token *ptoken;
-	unsigned int i;
-
-	ptoken = security_token_initialise(mem_ctx);

