[SCM] Samba Shared Repository - branch master updated
Günther Deschner
gd at samba.org
Mon Aug 30 06:23:49 MDT 2010
The branch, master has been updated
via ce60d6d s3-smbd: User helper function to resolve kerberos user for smb2
via 94adbf3 s3-smbd: Use helper function to resolve kerberos user
via b9772a4 s3-auth: Add helper function to retrieve the unix user from a kerberos ticket
from fc79f35 docs-xml/vfs_gpfs: document 'gpfs:refuse_dacl_protected'
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ce60d6d9cf3ebc6b071ebd944047f7cbc2b9e2ec
Author: Simo Sorce <idra at samba.org>
Date: Thu Aug 26 17:59:17 2010 -0400
s3-smbd: User helper function to resolve kerberos user for smb2
Signed-off-by: Günther Deschner <gd at samba.org>
commit 94adbf37263b9d5e4adca5e5adf38a3255f205da
Author: Simo Sorce <idra at samba.org>
Date: Thu Aug 26 17:58:52 2010 -0400
s3-smbd: Use helper function to resolve kerberos user
Signed-off-by: Günther Deschner <gd at samba.org>
commit b9772a4886fa5137574a1ba0734fa1e30343283b
Author: Simo Sorce <idra at samba.org>
Date: Thu Aug 26 17:57:26 2010 -0400
s3-auth: Add helper function to retrieve the unix user from a kerberos ticket
Signed-off-by: Günther Deschner <gd at samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/Makefile.in | 1 +
source3/auth/user_krb5.c | 172 +++++++++++++++++++++++++++++++++++++++++
source3/include/proto.h | 15 ++++-
source3/smbd/sesssetup.c | 150 +++++++-----------------------------
source3/smbd/smb2_sesssetup.c | 155 +++++++------------------------------
5 files changed, 244 insertions(+), 249 deletions(-)
create mode 100644 source3/auth/user_krb5.c
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 04c62d3..81f0ac9 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -832,6 +832,7 @@ AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
auth/server_info_sam.o \
auth/user_info.o \
auth/user_util.o \
+ auth/user_krb5.o \
auth/auth_compat.o auth/auth_ntlmssp.o \
$(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
new file mode 100644
index 0000000..2cdcdcc
--- /dev/null
+++ b/source3/auth/user_krb5.c
@@ -0,0 +1,172 @@
+/*
+ Unix SMB/CIFS implementation.
+ Authentication utility functions
+ Copyright (C) Simo Sorce 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_AUTH
+
+#ifdef HAVE_KRB5
+NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+ struct PAC_LOGON_INFO *logon_info,
+ bool *is_mapped,
+ bool *mapped_to_guest,
+ char **ntuser,
+ char **ntdomain,
+ char **username,
+ struct passwd **_pw)
+{
+ NTSTATUS status;
+ char *domain = NULL;
+ char *realm = NULL;
+ char *user = NULL;
+ char *p;
+ fstring fuser;
+ fstring unixuser;
+ struct passwd *pw = NULL;
+
+ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
+
+ p = strchr_m(princ_name, '@');
+ if (!p) {
+ DEBUG(3, ("[%s] Doesn't look like a valid principal\n",
+ princ_name));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ user = talloc_strndup(mem_ctx, princ_name, p - princ_name);
+ if (!user) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ realm = talloc_strdup(talloc_tos(), p + 1);
+ if (!realm) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!strequal(realm, lp_realm())) {
+ DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
+ if (!lp_allow_trusted_domains()) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ if (logon_info && logon_info->info3.base.domain.string) {
+ domain = talloc_strdup(mem_ctx,
+ logon_info->info3.base.domain.string);
+ if (!domain) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
+ } else {
+
+ /* If we have winbind running, we can (and must) shorten the
+ username by using the short netbios name. Otherwise we will
+ have inconsistent user names. With Kerberos, we get the
+ fully qualified realm, with ntlmssp we get the short
+ name. And even w2k3 does use ntlmssp if you for example
+ connect to an ip address. */
+
+ wbcErr wbc_status;
+ struct wbcDomainInfo *info = NULL;
+
+ DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
+ realm));
+
+ wbc_status = wbcDomainInfo(realm, &info);
+
+ if (WBC_ERROR_IS_OK(wbc_status)) {
+ domain = talloc_strdup(mem_ctx,
+ info->short_name);
+ wbcFreeMemory(info);
+ } else {
+ DEBUG(3, ("Could not find short name: %s\n",
+ wbcErrorString(wbc_status)));
+ domain = talloc_strdup(mem_ctx, realm);
+ }
+ if (!domain) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
+ }
+
+ /* We have to use fstring for this - map_username requires it. */
+ fstr_sprintf(fuser, "%s%c%s", domain, *lp_winbind_separator(), user);
+
+ *is_mapped = map_username(fuser);
+
+ pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
+ if (pw) {
+ /* if a real user check pam account restrictions */
+ /* only really perfomed if "obey pam restriction" is true */
+ /* do this before an eventual mapping to guest occurs */
+ status = smb_pam_accountcheck(pw->pw_name, cli_name);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("PAM account restrictions prevent user "
+ "[%s] login\n", unixuser));
+ return status;
+ }
+ }
+ if (!pw) {
+
+ /* this was originally the behavior of Samba 2.2, if a user
+ did not have a local uid but has been authenticated, then
+ map them to a guest account */
+
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID) {
+ *mapped_to_guest = true;
+ fstrcpy(fuser, lp_guestaccount());
+ pw = smb_getpwnam(mem_ctx, fuser, unixuser, true);
+ }
+
+ /* extra sanity check that the guest account is valid */
+ if (!pw) {
+ DEBUG(1, ("Username %s is invalid on this system\n",
+ fuser));
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
+ *username = talloc_strdup(mem_ctx, unixuser);
+ if (!*username) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ *ntuser = user;
+ *ntdomain = domain;
+ *_pw = pw;
+
+ return NT_STATUS_OK;
+}
+#else /* HAVE_KRB5 */
+NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+ struct PAC_LOGON_INFO *logon_info,
+ bool *is_mapped,
+ bool *mapped_to_guest,
+ char **ntuser,
+ char **ntdomain,
+ char **username,
+ struct passwd **_pw)
+{
+ return NT_STATUS_NOT_IMPLEMENTED;
+}
+#endif /* HAVE_KRB5 */
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 5b9414f..db31127 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -4851,10 +4851,23 @@ const struct mangle_fns *mangle_hash_init(void);
const struct mangle_fns *mangle_hash2_init(void);
const struct mangle_fns *posix_mangle_init(void);
-/* The following definitions come from smbd/map_username.c */
+/* The following definitions come from auth/user_util.c */
bool map_username(fstring user);
+/* The following definitions come from auth/user_krb5.c */
+
+NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+ struct PAC_LOGON_INFO *logon_info,
+ bool *is_mapped,
+ bool *mapped_to_guest,
+ char **ntuser,
+ char **ntdomain,
+ char **username,
+ struct passwd **_pw);
+
/* The following definitions come from smbd/message.c */
void reply_sends(struct smb_request *req);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 9ff5d55..c9b5b8c 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -243,10 +243,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
{
TALLOC_CTX *mem_ctx;
DATA_BLOB ticket;
- char *client, *p, *domain;
- fstring netbios_domain_name;
struct passwd *pw;
- fstring user;
int sess_vuid = req->vuid;
NTSTATUS ret = NT_STATUS_OK;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
@@ -254,11 +251,14 @@ static void reply_spnego_kerberos(struct smb_request *req,
DATA_BLOB session_key = data_blob_null;
uint8 tok_id[2];
DATA_BLOB nullblob = data_blob_null;
- fstring real_username;
bool map_domainuser_to_guest = False;
bool username_was_mapped;
struct PAC_LOGON_INFO *logon_info = NULL;
struct smbd_server_connection *sconn = req->sconn;
+ char *principal;
+ char *user;
+ char *domain;
+ char *real_username;
ZERO_STRUCT(ticket);
ZERO_STRUCT(ap_rep);
@@ -281,7 +281,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
}
ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
- &client, &logon_info, &ap_rep,
+ &principal, &logon_info, &ap_rep,
&session_key, True);
data_blob_free(&ticket);
@@ -342,11 +342,14 @@ static void reply_spnego_kerberos(struct smb_request *req,
return;
}
- DEBUG(3,("Ticket name is [%s]\n", client));
-
- p = strchr_m(client, '@');
- if (!p) {
- DEBUG(3,("Doesn't look like a valid principal\n"));
+ ret = get_user_from_kerberos_info(talloc_tos(),
+ sconn->client_id.name,
+ principal, logon_info,
+ &username_was_mapped,
+ &map_domainuser_to_guest,
+ &user, &domain,
+ &real_username, &pw);
+ if (!NT_STATUS_IS_OK(ret)) {
data_blob_free(&ap_rep);
data_blob_free(&session_key);
talloc_destroy(mem_ctx);
@@ -354,131 +357,35 @@ static void reply_spnego_kerberos(struct smb_request *req,
return;
}
- *p = 0;
-
/* save the PAC data if we have it */
-
if (logon_info) {
- netsamlogon_cache_store( client, &logon_info->info3 );
- }
-
- if (!strequal(p+1, lp_realm())) {
- DEBUG(3,("Ticket for foreign realm %s@%s\n", client, p+1));
- if (!lp_allow_trusted_domains()) {
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- talloc_destroy(mem_ctx);
- reply_nterror(req, nt_status_squash(
- NT_STATUS_LOGON_FAILURE));
- return;
- }
- }
-
- /* this gives a fully qualified user name (ie. with full realm).
- that leads to very long usernames, but what else can we do? */
-
- domain = p+1;
-
- if (logon_info && logon_info->info3.base.domain.string) {
- fstrcpy(netbios_domain_name,
- logon_info->info3.base.domain.string);
- domain = netbios_domain_name;
- DEBUG(10, ("Mapped to [%s] (using PAC)\n", domain));
-
- } else {
-
- /* If we have winbind running, we can (and must) shorten the
- username by using the short netbios name. Otherwise we will
- have inconsistent user names. With Kerberos, we get the
- fully qualified realm, with ntlmssp we get the short
- name. And even w2k3 does use ntlmssp if you for example
- connect to an ip address. */
-
- wbcErr wbc_status;
- struct wbcDomainInfo *info = NULL;
-
- DEBUG(10, ("Mapping [%s] to short name\n", domain));
-
- wbc_status = wbcDomainInfo(domain, &info);
-
- if (WBC_ERROR_IS_OK(wbc_status)) {
-
- fstrcpy(netbios_domain_name,
- info->short_name);
-
- wbcFreeMemory(info);
- domain = netbios_domain_name;
- DEBUG(10, ("Mapped to [%s] (using Winbind)\n", domain));
- } else {
- DEBUG(3, ("Could not find short name: %s\n",
- wbcErrorString(wbc_status)));
- }
+ netsamlogon_cache_store(user, &logon_info->info3);
}
- fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
-
- /* lookup the passwd struct, create a new user if necessary */
-
- username_was_mapped = map_username(user);
+ /* setup the string used by %U */
+ sub_set_smb_name(real_username);
- pw = smb_getpwnam( mem_ctx, user, real_username, True );
+ /* reload services so that the new %U is taken into account */
+ reload_services(sconn->msg_ctx, sconn->sock, True);
- if (pw) {
- /* if a real user check pam account restrictions */
- /* only really perfomed if "obey pam restriction" is true */
- /* do this before an eventual mapping to guest occurs */
- ret = smb_pam_accountcheck(pw->pw_name, sconn->client_id.name);
- if ( !NT_STATUS_IS_OK(ret)) {
- DEBUG(1,("PAM account restriction "
- "prevents user login\n"));
+ if (map_domainuser_to_guest) {
+ ret = make_server_info_guest(NULL, &server_info);
+ if (!NT_STATUS_IS_OK(ret)) {
+ DEBUG(1, ("make_server_info_guest failed: %s!\n",
+ nt_errstr(ret)));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
TALLOC_FREE(mem_ctx);
reply_nterror(req, nt_status_squash(ret));
return;
}
- }
-
- if (!pw) {
-
- /* this was originally the behavior of Samba 2.2, if a user
- did not have a local uid but has been authenticated, then
- map them to a guest account */
-
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
- map_domainuser_to_guest = True;
- fstrcpy(user,lp_guestaccount());
- pw = smb_getpwnam( mem_ctx, user, real_username, True );
- }
-
- /* extra sanity check that the guest account is valid */
-
- if ( !pw ) {
- DEBUG(1,("Username %s is invalid on this system\n",
- user));
- data_blob_free(&ap_rep);
- data_blob_free(&session_key);
- TALLOC_FREE(mem_ctx);
- reply_nterror(req, nt_status_squash(
- NT_STATUS_LOGON_FAILURE));
- return;
- }
- }
-
- /* setup the string used by %U */
-
- sub_set_smb_name( real_username );
- reload_services(sconn->msg_ctx, sconn->sock, True);
-
- if ( map_domainuser_to_guest ) {
- make_server_info_guest(NULL, &server_info);
} else if (logon_info) {
/* pass the unmapped username here since map_username()
will be called again from inside make_server_info_info3() */
- ret = make_server_info_info3(mem_ctx, client, domain,
+ ret = make_server_info_info3(mem_ctx, user, domain,
&server_info, &logon_info->info3);
- if ( !NT_STATUS_IS_OK(ret) ) {
+ if (!NT_STATUS_IS_OK(ret)) {
DEBUG(1,("make_server_info_info3 failed: %s!\n",
nt_errstr(ret)));
data_blob_free(&ap_rep);
@@ -576,11 +483,8 @@ static void reply_spnego_kerberos(struct smb_request *req,
* no need to free after this on success. A better interface would copy
* it.... */
- sess_vuid = register_existing_vuid(sconn,
- sess_vuid,
- server_info,
- nullblob,
- client);
+ sess_vuid = register_existing_vuid(sconn, sess_vuid,
+ server_info, nullblob, user);
reply_outbuf(req, 4, 0);
SSVAL(req->outbuf,smb_uid,sess_vuid);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 4a91e84..89f9ffe 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -183,13 +183,12 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
DATA_BLOB secblob_out = data_blob_null;
uint8 tok_id[2];
struct PAC_LOGON_INFO *logon_info = NULL;
- char *client = NULL;
- char *p = NULL;
+ char *principal = NULL;
+ char *user = NULL;
char *domain = NULL;
struct passwd *pw = NULL;
NTSTATUS status;
- fstring user;
- fstring real_username;
+ char *real_username;
fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
@@ -200,8 +199,8 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
}
status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket,
- &client, &logon_info, &ap_rep,
- &session_key, true);
+ &principal, &logon_info, &ap_rep,
+ &session_key, true);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n",
@@ -212,133 +211,43 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
goto fail;
}
- DEBUG(3,("smb2: Ticket name is [%s]\n", client));
-
- p = strchr_m(client, '@');
- if (!p) {
- DEBUG(3,("smb2: %s Doesn't look like a valid principal\n",
- client));
- status = NT_STATUS_LOGON_FAILURE;
+ status = get_user_from_kerberos_info(talloc_tos(),
+ smb2req->sconn->client_id.name,
+ principal, logon_info,
+ &username_was_mapped,
+ &map_domainuser_to_guest,
+ &user, &domain,
+ &real_username, &pw);
+ if (!NT_STATUS_IS_OK(status)) {
goto fail;
}
- *p = 0;
-
/* save the PAC data if we have it */
-
if (logon_info) {
- netsamlogon_cache_store(client, &logon_info->info3);
- }
-
- if (!strequal(p+1, lp_realm())) {
--
Samba Shared Repository
More information about the samba-cvs
mailing list