[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Dec 20 21:57:02 MST 2010
The branch, master has been updated
via 446f8a1 s4-auth Ensure that we always copy across domain groups
via 6f7423c s4-auth Remove duplicate copies of session_info creation code
via 1961d7a s4-auth rework session_info handling not to require an auth context
via 94a59b7 s4-auth Remove event context from privilage database handling
via becaa18 s4-auth Remove obsolete comment
via 912faf1 s4:dsdb/schema/schema_* - adaptions needed for removed "const" on OIDs
via ef618f5 s4:lib/ldb-samba/ldif_handlers.c - adaption needed for removed "const" on OIDs
via 13fa674 s3/s4:auth SPNEGO - adaptions for the removed "const" from OIDs
via 464b8fa librpc/ndr/ndr_*.c - remove "const" from OIDs
via 3b591ca lib/util/asn1.c - remove the "const" specifier from OID
via 32bae10 s4:dsdb/common/util.c - remove unused variable "ndr_err"
via 89522ea s4:auth/gensec/spnego.c - remove unused variable "principal"
from 0a5f4f5 Keep track of the sparse status of an open file handle. Allows bypass of strict allocation on sparse files. Files opened as POSIX opens are always sparse.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 446f8a163cfdcfb2c4bb2b8b8adc720bf96c05a5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 21 14:08:34 2010 +1100
s4-auth Ensure that we always copy across domain groups
Even if we can't calculate the local groups (because we don't have a
local SAM to do it with) we still need to include the domain groups in
the session_info token.
Andrew Bartlett
Autobuild-User: Andrew Bartlett <abartlet at samba.org>
Autobuild-Date: Tue Dec 21 05:56:22 CET 2010 on sn-devel-104
commit 6f7423c7f1cc3a4596a955a90f315ffbf1025c3b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 21 11:43:04 2010 +1100
s4-auth Remove duplicate copies of session_info creation code
We now just do or do not call into LDB based on some flags.
This means there may be some more link time dependencies, but we seem
to deal with those better now.
Andrew Bartlett
commit 1961d7a4119200b8a4ad7b0207e0cdcf2e10d3f8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Dec 21 10:19:53 2010 +1100
s4-auth rework session_info handling not to require an auth context
This reverts a previous move to have this based around the auth
subsystem, which just spread auth deps all over unrelated code.
Andrew Bartlett
commit 94a59b781ccc5a552a9141484740255977db4637
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 20 21:26:35 2010 +1100
s4-auth Remove event context from privilage database handling
These local TDB operations can quite safely be handled in a new/nested
event context, rather than using the main event context.
Andrew Bartlett
commit becaa18a46f4ee14d8617c22e78da463fda823b2
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Dec 20 16:07:40 2010 +1100
s4-auth Remove obsolete comment
The code that this referred to went away in September with
7dbfeb0dc040889244a1110940af2d070f823374
Andrew Bartlett
commit 912faf1b080736a4855e3ea99b49f0ccbf76af33
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Dec 19 16:37:04 2010 +0100
s4:dsdb/schema/schema_* - adaptions needed for removed "const" on OIDs
commit ef618f577870f28b8efd472a87d4dcf094d67d29
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Dec 19 16:36:16 2010 +0100
s4:lib/ldb-samba/ldif_handlers.c - adaption needed for removed "const" on OIDs
commit 13fa6743d86ef6e51b3243cf3045242850358b43
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Dec 15 17:17:09 2010 +0100
s3/s4:auth SPNEGO - adaptions for the removed "const" from OIDs
This is needed in order to suppress warnings.
commit 464b8fa3173de7cc801195a28b84786cb1c63833
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Dec 15 17:21:04 2010 +0100
librpc/ndr/ndr_*.c - remove "const" from OIDs
commit 3b591caed00790c5d21b8774c7af87357c329d1c
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Dec 15 17:02:49 2010 +0100
lib/util/asn1.c - remove the "const" specifier from OID
There is no reason to have it "const" since it's an allocated thing.
commit 32bae1051272e805e290e49dffb25e4a635ffdfb
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Sun Dec 19 16:30:10 2010 +0100
s4:dsdb/common/util.c - remove unused variable "ndr_err"
commit 89522ea5b17dea91608ca49c58bfe7d802e0638e
Author: Matthias Dieter Wallnöfer <mdw at samba.org>
Date: Wed Dec 15 17:43:45 2010 +0100
s4:auth/gensec/spnego.c - remove unused variable "principal"
-----------------------------------------------------------------------
Summary of changes:
lib/util/asn1.c | 17 ++--
lib/util/asn1.h | 6 +-
lib/util/tests/asn1_tests.c | 4 +-
libcli/auth/spnego_parse.c | 8 +-
librpc/ndr/ndr_drsblobs.c | 2 +-
librpc/ndr/ndr_drsuapi.c | 2 +-
source3/libsmb/clispnego.c | 4 +-
source4/auth/auth.h | 5 +-
source4/auth/gensec/gensec.c | 16 ++-
source4/auth/gensec/spnego.c | 1 -
source4/auth/ntlm/auth.c | 15 +++-
source4/auth/session.c | 47 ++++-----
source4/auth/session.h | 7 +-
source4/auth/system_session.c | 156 ++------------------------
source4/dsdb/common/util.c | 1 -
source4/dsdb/samdb/ldb_modules/operational.c | 2 +-
source4/dsdb/samdb/samdb.c | 28 ++++-
source4/dsdb/samdb/samdb_privilege.c | 8 +-
source4/dsdb/schema/schema_prefixmap.c | 5 +-
source4/dsdb/schema/schema_syntax.c | 2 +-
source4/lib/ldb-samba/ldif_handlers.c | 2 +-
source4/libnet/libnet_samsync_ldb.c | 3 +-
source4/rpc_server/lsa/lsa_init.c | 2 +-
source4/samba_tool/gpo.c | 11 +--
source4/smbd/server.c | 2 +-
source4/torture/drs/drs_util.c | 5 +-
26 files changed, 124 insertions(+), 237 deletions(-)
Changeset truncated at 500 lines:
diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index 21d4bd4..f4a6bc5 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -660,7 +660,7 @@ int asn1_tag_remaining(struct asn1_data *data)
* till buffer ends or not valid sub-identifier is found.
*/
static bool _ber_read_OID_String_impl(TALLOC_CTX *mem_ctx, DATA_BLOB blob,
- const char **OID, size_t *bytes_eaten)
+ char **OID, size_t *bytes_eaten)
{
int i;
uint8_t *b;
@@ -699,7 +699,7 @@ nomem:
}
/* read an object ID from a data blob */
-bool ber_read_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, const char **OID)
+bool ber_read_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, char **OID)
{
size_t bytes_eaten;
@@ -715,14 +715,15 @@ bool ber_read_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, const char **OID)
* 1:2.5.6:0x81
* 1:2.5.6:0x8182
*/
-bool ber_read_partial_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, const char **partial_oid)
+bool ber_read_partial_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob,
+ char **partial_oid)
{
size_t bytes_left;
size_t bytes_eaten;
char *identifier = NULL;
char *tmp_oid = NULL;
- if (!_ber_read_OID_String_impl(mem_ctx, blob, (const char **)&tmp_oid, &bytes_eaten))
+ if (!_ber_read_OID_String_impl(mem_ctx, blob, &tmp_oid, &bytes_eaten))
return false;
if (bytes_eaten < blob.length) {
@@ -746,7 +747,7 @@ nomem:
}
/* read an object ID from a ASN1 buffer */
-bool asn1_read_OID(struct asn1_data *data, TALLOC_CTX *mem_ctx, const char **OID)
+bool asn1_read_OID(struct asn1_data *data, TALLOC_CTX *mem_ctx, char **OID)
{
DATA_BLOB blob;
int len;
@@ -785,16 +786,16 @@ bool asn1_read_OID(struct asn1_data *data, TALLOC_CTX *mem_ctx, const char **OID
/* check that the next object ID is correct */
bool asn1_check_OID(struct asn1_data *data, const char *OID)
{
- const char *id;
+ char *id;
if (!asn1_read_OID(data, data, &id)) return false;
if (strcmp(id, OID) != 0) {
- talloc_free(discard_const(id));
+ talloc_free(id);
data->has_error = true;
return false;
}
- talloc_free(discard_const(id));
+ talloc_free(id);
return true;
}
diff --git a/lib/util/asn1.h b/lib/util/asn1.h
index 266a9a3..568b4e4 100644
--- a/lib/util/asn1.h
+++ b/lib/util/asn1.h
@@ -84,9 +84,9 @@ bool asn1_peek_tag(struct asn1_data *data, uint8_t tag);
bool asn1_start_tag(struct asn1_data *data, uint8_t tag);
bool asn1_end_tag(struct asn1_data *data);
int asn1_tag_remaining(struct asn1_data *data);
-bool ber_read_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, const char **OID);
-bool ber_read_partial_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, const char **partial_oid);
-bool asn1_read_OID(struct asn1_data *data, TALLOC_CTX *mem_ctx, const char **OID);
+bool ber_read_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, char **OID);
+bool ber_read_partial_OID_String(TALLOC_CTX *mem_ctx, DATA_BLOB blob, char **partial_oid);
+bool asn1_read_OID(struct asn1_data *data, TALLOC_CTX *mem_ctx, char **OID);
bool asn1_check_OID(struct asn1_data *data, const char *OID);
bool asn1_read_LDAPString(struct asn1_data *data, TALLOC_CTX *mem_ctx, char **s);
bool asn1_read_GeneralString(struct asn1_data *data, TALLOC_CTX *mem_ctx, char **s);
diff --git a/lib/util/tests/asn1_tests.c b/lib/util/tests/asn1_tests.c
index 5cc5146..ac8ca53 100644
--- a/lib/util/tests/asn1_tests.c
+++ b/lib/util/tests/asn1_tests.c
@@ -148,7 +148,7 @@ static bool test_ber_write_OID_String(struct torture_context *tctx)
static bool test_ber_read_OID_String(struct torture_context *tctx)
{
int i;
- const char *oid;
+ char *oid;
DATA_BLOB oid_blob;
TALLOC_CTX *mem_ctx;
const struct oid_data *data = oid_data_ok;
@@ -221,7 +221,7 @@ static bool test_ber_write_partial_OID_String(struct torture_context *tctx)
static bool test_ber_read_partial_OID_String(struct torture_context *tctx)
{
int i;
- const char *oid;
+ char *oid;
DATA_BLOB oid_blob;
TALLOC_CTX *mem_ctx;
const struct oid_data *data = oid_data_ok;
diff --git a/libcli/auth/spnego_parse.c b/libcli/auth/spnego_parse.c
index 27ede1b..3bf7aea 100644
--- a/libcli/auth/spnego_parse.c
+++ b/libcli/auth/spnego_parse.c
@@ -49,10 +49,12 @@ static bool read_negTokenInit(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
token->mechTypes = talloc(NULL, const char *);
for (i = 0; !asn1->has_error &&
0 < asn1_tag_remaining(asn1); i++) {
+ char *oid;
token->mechTypes = talloc_realloc(NULL,
token->mechTypes,
const char *, i+2);
- asn1_read_OID(asn1, token->mechTypes, token->mechTypes + i);
+ asn1_read_OID(asn1, token->mechTypes, &oid);
+ token->mechTypes[i] = oid;
}
token->mechTypes[i] = NULL;
@@ -184,6 +186,7 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
while (!asn1->has_error && 0 < asn1_tag_remaining(asn1)) {
uint8_t context;
+ char *oid;
if (!asn1_peek_uint8(asn1, &context)) {
asn1->has_error = true;
break;
@@ -199,7 +202,8 @@ static bool read_negTokenTarg(struct asn1_data *asn1, TALLOC_CTX *mem_ctx,
break;
case ASN1_CONTEXT(1):
asn1_start_tag(asn1, ASN1_CONTEXT(1));
- asn1_read_OID(asn1, mem_ctx, &token->supportedMech);
+ asn1_read_OID(asn1, mem_ctx, &oid);
+ token->supportedMech = oid;
asn1_end_tag(asn1);
break;
case ASN1_CONTEXT(2):
diff --git a/librpc/ndr/ndr_drsblobs.c b/librpc/ndr/ndr_drsblobs.c
index 51880bb..32176a7 100644
--- a/librpc/ndr/ndr_drsblobs.c
+++ b/librpc/ndr/ndr_drsblobs.c
@@ -138,7 +138,7 @@ _PUBLIC_ void ndr_print_drsuapi_MSPrefixMap_Entry(struct ndr_print *ndr, const c
char *partial_oid = NULL;
DATA_BLOB oid_blob = data_blob_const(r->binary_oid, r->length);
char *hex_str = data_blob_hex_string_upper(ndr, &oid_blob);
- ber_read_partial_OID_String(ndr, oid_blob, (const char **)&partial_oid);
+ ber_read_partial_OID_String(ndr, oid_blob, &partial_oid);
ndr->depth++;
ndr->print(ndr, "%-25s: 0x%s (%s)", "binary_oid", hex_str, partial_oid);
ndr->depth--;
diff --git a/librpc/ndr/ndr_drsuapi.c b/librpc/ndr/ndr_drsuapi.c
index 999aef9..86ecdcb 100644
--- a/librpc/ndr/ndr_drsuapi.c
+++ b/librpc/ndr/ndr_drsuapi.c
@@ -76,7 +76,7 @@ _PUBLIC_ void ndr_print_drsuapi_DsReplicaOID(struct ndr_print *ndr, const char *
char *partial_oid = NULL;
DATA_BLOB oid_blob = data_blob_const(r->binary_oid, r->length);
char *hex_str = data_blob_hex_string_upper(ndr, &oid_blob);
- ber_read_partial_OID_String(ndr, oid_blob, (const char **)&partial_oid);
+ ber_read_partial_OID_String(ndr, oid_blob, &partial_oid);
ndr->depth++;
ndr->print(ndr, "%-25s: 0x%s (%s)", "binary_oid", hex_str, partial_oid);
ndr->depth--;
diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c
index 9ef848b..382a29a 100644
--- a/source3/libsmb/clispnego.c
+++ b/source3/libsmb/clispnego.c
@@ -125,9 +125,7 @@ bool spnego_parse_negTokenInit(TALLOC_CTX *ctx,
asn1_start_tag(data,ASN1_CONTEXT(0));
asn1_start_tag(data,ASN1_SEQUENCE(0));
for (i=0; asn1_tag_remaining(data) > 0 && i < ASN1_MAX_OIDS-1; i++) {
- const char *oid_str = NULL;
- asn1_read_OID(data,ctx,&oid_str);
- OIDs[i] = CONST_DISCARD(char *, oid_str);
+ asn1_read_OID(data,ctx, &OIDs[i]);
}
OIDs[i] = NULL;
asn1_end_tag(data);
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 0f6386f..33c398d 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -44,8 +44,9 @@ struct loadparm_context;
/* version 0 - till samba4 is stable - metze */
#define AUTH_INTERFACE_VERSION 0
-#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
-#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privilages, rather than a DB */
struct auth_serversupplied_info
{
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index 0cb0d3d..3c25f3b 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1315,18 +1315,22 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
if (gensec_security->auth_context) {
- uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
- if (server_info->authenticated) {
- flags |= AUTH_SESSION_INFO_AUTHENTICATED;
- }
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
server_info,
flags,
session_info);
} else {
- nt_status = auth_generate_simple_session_info(mem_ctx,
- server_info, session_info);
+ flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+ nt_status = auth_generate_session_info(mem_ctx,
+ NULL,
+ NULL,
+ server_info, flags,
+ session_info);
}
return nt_status;
}
diff --git a/source4/auth/gensec/spnego.c b/source4/auth/gensec/spnego.c
index 5555fc4..99687c7 100644
--- a/source4/auth/gensec/spnego.c
+++ b/source4/auth/gensec/spnego.c
@@ -584,7 +584,6 @@ static NTSTATUS gensec_spnego_create_negTokenInit(struct gensec_security *gensec
const char **mechTypes = NULL;
DATA_BLOB unwrapped_out = data_blob(NULL, 0);
const struct gensec_security_ops_wrapper *all_sec;
- const char *principal = NULL;
mechTypes = gensec_security_oids(gensec_security,
out_mem_ctx, GENSEC_OID_SPNEGO);
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index f7de020..0c6c8ef 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -408,6 +408,19 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
return NT_STATUS_OK;
}
+/* Wrapper because we don't want to expose all callers to needing to
+ * know that session_info is generated from the main ldb */
+static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
+ struct auth_context *auth_context,
+ struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ return auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+ auth_context->sam_ctx, server_info,
+ session_info_flags, session_info);
+}
+
/***************************************************************************
Make a auth_info struct for the auth subsystem
- Allow the caller to specify the methods to use, including optionally the SAM to use
@@ -476,7 +489,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
ctx->set_challenge = auth_context_set_challenge;
ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
ctx->get_server_info_principal = auth_get_server_info_principal;
- ctx->generate_session_info = auth_generate_session_info;
+ ctx->generate_session_info = auth_generate_session_info_wrapper;
*auth_ctx = ctx;
diff --git a/source4/auth/session.c b/source4/auth/session.c
index dce00b9..c964378 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -41,7 +41,8 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
}
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context, /* Optional if the domain SID is in the NT AUTHORITY domain */
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
struct auth_serversupplied_info *server_info,
uint32_t session_info_flags,
struct auth_session_info **_session_info)
@@ -64,13 +65,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
- /* For now, we don't have trusted domains, so we do a very
- * simple check to see that the user's SID is in *this*
- * domain, and then trust the user account control. When we
- * get trusted domains, we should check it's a trusted domain
- * in this forest. This elaborate check is to try and avoid a
- * nasty security bug if we forget about this later... */
-
session_info = talloc(tmp_ctx, struct auth_session_info);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
@@ -86,24 +80,24 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
+ groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
+ if (!groupSIDs) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ num_groupSIDs = server_info->n_domain_groups;
+
+ for (i=0; i < server_info->n_domain_groups; i++) {
+ groupSIDs[i] = server_info->domain_groups[i];
+ }
+
if (dom_sid_equal(anonymous_sid, server_info->account_sid)) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (auth_context) {
- groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
- NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
- if (!groupSIDs) {
- talloc_free(tmp_ctx);
- return NT_STATUS_NO_MEMORY;
- }
-
- num_groupSIDs = server_info->n_domain_groups;
-
- for (i=0; i < server_info->n_domain_groups; i++) {
- groupSIDs[i] = server_info->domain_groups[i];
- }
-
+ } else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
@@ -126,7 +120,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
account_sid_blob = data_blob_string_const(account_sid_dn);
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &account_sid_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -150,7 +144,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
primary_group_blob = data_blob_string_const(primary_group_dn);
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &primary_group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -174,7 +168,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
* builtin groups */
- nt_status = authsam_expand_nested_groups(auth_context->sam_ctx, &group_blob, true, filter,
+ nt_status = authsam_expand_nested_groups(sam_ctx, &group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
@@ -184,8 +178,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
}
nt_status = security_token_create(session_info,
- auth_context ? auth_context->event_ctx : NULL,
- auth_context ? auth_context->lp_ctx : NULL,
+ lp_ctx,
server_info->account_sid,
server_info->primary_group_sid,
num_groupSIDs,
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 3de054a..bdcfe7a 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -31,7 +31,6 @@ struct auth_session_info {
#include "librpc/gen_ndr/netlogon.h"
struct tevent_context;
-struct auth_context;
/* Create a security token for a session SYSTEM (the most
* trusted/prvilaged account), including the local machine account as
* the off-host credentials */
@@ -41,11 +40,11 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
const char *netbios_name,
struct auth_serversupplied_info **_server_info) ;
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
- struct auth_context *auth_context,
- struct auth_serversupplied_info *server_info,
+ struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
+ struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
+ struct auth_serversupplied_info *server_info,
uint32_t session_info_flags,
struct auth_session_info **_session_info);
-
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info);
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index bec22c1..1058f19 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -29,120 +29,6 @@
#include "auth/session.h"
#include "auth/system_session_proto.h"
-/**
- * Create the SID list for this user.
- *
- * @note Specialised version for system sessions that doesn't use the SAM.
- */
-static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid,
- struct dom_sid *group_sid,
- unsigned int n_groupSIDs,
- struct dom_sid **groupSIDs,
- bool is_authenticated,
- struct security_token **token)
-{
- struct security_token *ptoken;
- unsigned int i;
-
- ptoken = security_token_initialise(mem_ctx);
- NT_STATUS_HAVE_NO_MEMORY(ptoken);
-
- ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 5);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
- ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
- ptoken->privilege_mask = 0;
-
- /*
- * Finally add the "standard" SIDs.
- * The only difference between guest and "anonymous"
- * is the addition of Authenticated_Users.
- */
-
- if (!dom_sid_parse(SID_WORLD, &ptoken->sids[2])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[3])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids = 4;
-
- if (is_authenticated) {
- if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[4])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
- for (i = 0; i < n_groupSIDs; i++) {
- size_t check_sid_idx;
- for (check_sid_idx = 1;
- check_sid_idx < ptoken->num_sids;
- check_sid_idx++) {
- if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
- break;
- }
- }
-
- if (check_sid_idx == ptoken->num_sids) {
- ptoken->sids[ptoken->num_sids++] = *groupSIDs[i];
- }
- }
-
- *token = ptoken;
-
- /* Shortcuts to prevent recursion and avoid lookups */
- if (ptoken->sids == NULL) {
- ptoken->privilege_mask = 0;
- return NT_STATUS_OK;
- }
-
- if (security_token_is_system(ptoken)) {
- ptoken->privilege_mask = ~0;
- } else if (security_token_is_anonymous(ptoken)) {
- ptoken->privilege_mask = 0;
- } else if (security_token_has_builtin_administrators(ptoken)) {
- ptoken->privilege_mask = ~0;
- } else {
- /* All other 'users' get a empty priv set so far */
- ptoken->privilege_mask = 0;
- }
- return NT_STATUS_OK;
-}
--
Samba Shared Repository
More information about the samba-cvs
mailing list