[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu May 20 01:39:39 MDT 2010


The branch, master has been updated
       via  a0b0dc1... s4:auth handle addition of nested aliases of domain groups.
       via  9c6b637... s4:auth Change auth_generate_session_info to take flags
       via  3ff2766... s4:auth Push check for messaging context into winbind backend
       via  feb9ffd... s4:auth Add dependency from the operational module onto auth
       via  72ccbca... s4:auth Allow the operational module to get a user's tokenGroups from auth
       via  4fa9aa3... s4:torture Add tests to demonstrate S2U4Self in the RPC-PAC test
       via  5f9024c... s4:auth Move BUILTIN group addition into session.c
       via  564b4c7... s4:dsdb disable tokenGroups until end of rewrite
      from  612a333... s3:winbind:idmap_tdb2_set_mapping: untangle assignment from check

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit a0b0dc16a6ca63e633f51d079bb76124965d254c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 20 16:51:59 2010 +1000

    s4:auth handle addition of nested aliases of domain groups.
    
    The challenge here is that we are asked not to add the domain groups
    again, but we need to search inside them for any aliases that we need
    to add.  So, we can't short-circuit the operation just because we found
    the domain group.
    
    Andrew Bartlett

commit 9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 19 15:51:57 2010 +1000

    s4:auth Change auth_generate_session_info to take flags
    
    This allows us to control what groups should be added in what use
    cases, and in particular to more carefully control the introduction of
    the 'authenticated' group.
    
    In particular, in the 'service_named_pipe' protocol, we do not have
    control over the addition of the authenticated users group, so we key
    off 'is this user the anonymous SID'.
    
    This also takes more care to allocate the right length for ptoken->sids.
    
    Andrew Bartlett

commit 3ff2766231625863140434bab18b27d5105deb3c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Apr 19 15:43:33 2010 +1000

    s4:auth Push check for messaging context into winbind backend
    
    If we don't use the winbind backend, we don't (for now) need a
    messaging context, and we don't have one in LDB at the moment.
    
    Andrew Bartlett

commit feb9ffdac82c0e30ea61b7ac0d3dae2fcd3bcedd
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Apr 16 08:42:12 2010 +1000

    s4:auth Add dependency from the operational module onto auth
    
    We had to split up the auth module into a module loaded by the main daemon
    and a subsystem we manually init in the operational module.
    
    Andrew Bartlett

commit 72ccbcacddd2c3fdc6bfb61b8efb78625368365d
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Apr 15 11:58:05 2010 +1000

    s4:auth Allow the operational module to get a user's tokenGroups from auth
    
    This creates a new interface to the auth subsystem, to allow an
    auth_context to be created from the ldb, and then tokenGroups to be
    calculated in the same way that the auth subsystem would.
    
    Andrew Bartlett

commit 4fa9aa30996219821d5d2496d574340f14a4a406
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu Mar 4 20:07:12 2010 +1100

    s4:torture Add tests to demonstrate S2U4Self in the RPC-PAC test
    
    We also compare against SamLogon to try and validate the whole thing.
    Note that we must represent NULL as "" when comparing between the PAC
    and SamLogon, due to different marshalling of the structures.
    
    Andrew Bartlett

commit 5f9024c8a4350792e67e1d8dbe8e45ff5732bd66
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Apr 13 22:11:26 2010 +1000

    s4:auth Move BUILTIN group addition into session.c
    
    The group list in the PAC does not include 'enterprise DCs' and
    BUILTIN groups, so we should generate it on each server, not in the
    list we pass around in the PAC or SamLogon reply.
    
    Andrew Bartlett

commit 564b4c7443b256e002b7ac173d4c5e8870980de3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Apr 9 19:18:30 2010 +1000

    s4:dsdb disable tokenGroups until end of rewrite
    
    I need to change the functions this calls
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 source4/auth/auth.h                                |   27 ++-
 source4/auth/gensec/gensec.c                       |    8 +-
 source4/auth/gensec/gensec_gssapi.c                |    1 +
 source4/auth/gensec/gensec_krb5.c                  |    2 +-
 source4/auth/ntlm/auth.c                           |  106 +++++--
 source4/auth/ntlm/auth_sam.c                       |   60 +++-
 .../auth/ntlm/auth_server_service.c                |   19 +-
 source4/auth/ntlm/auth_simple.c                    |    8 +-
 source4/auth/ntlm/auth_winbind.c                   |    5 +
 source4/auth/ntlm/wscript_build                    |    9 +-
 source4/auth/sam.c                                 |  188 +++++++-----
 source4/auth/session.c                             |  148 +++++++++-
 source4/auth/session.h                             |    1 +
 source4/auth/system_session.c                      |   12 +-
 source4/dsdb/samdb/ldb_modules/config.mk           |    2 +-
 source4/dsdb/samdb/ldb_modules/operational.c       |  150 +++++-----
 source4/dsdb/samdb/ldb_modules/wscript_build       |    2 +-
 source4/dsdb/samdb/samdb.c                         |   66 ++++-
 source4/smb_server/smb/sesssetup.c                 |   14 +-
 source4/smbd/service_named_pipe.c                  |   41 +++
 source4/torture/rpc/netlogon.c                     |    2 +-
 source4/torture/rpc/remote_pac.c                   |  314 +++++++++++++++++++-
 source4/utils/ntlm_auth.c                          |    1 +
 23 files changed, 923 insertions(+), 263 deletions(-)
 copy source3/lib/version.c => source4/auth/ntlm/auth_server_service.c (79%)


Changeset truncated at 500 lines:

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 915d103..9ce338c 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -48,6 +48,10 @@ struct loadparm_context;
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
 #define USER_INFO_INTERACTIVE_LOGON         0x08 /* don't check unix account status */
 
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_ENTERPRISE_DC  0x04 /* Add the user to the 'enterprise DC' group */
+
 enum auth_password_state {
 	AUTH_PASSWORD_RESPONSE,
 	AUTH_PASSWORD_HASH,
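Review bot: the context line `#define USER_INFO_INTERACTIVE_LOGON 0x08 /* don't check unix account status */` carries a comment copied from the 0x04 flag above it; since this block is being extended, fix it to describe interactive logon. For the three new AUTH_SESSION_INFO_* bits, a one-line comment saying who is expected to set AUTH_SESSION_INFO_ENTERPRISE_DC would help callers pick the right mask, because neither of the two callers visible in this changeset (gensec.c and auth_simple.c) ever sets it.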
@@ -127,6 +131,7 @@ struct auth_method_context;
 struct auth_check_password_request;
 struct auth_context;
 struct auth_session_info;
+struct ldb_dn;
 
 struct auth_operations {
 	const char *name;
@@ -153,6 +158,7 @@ struct auth_operations {
 	NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
 					      struct auth_context *auth_context,
 					      const char *principal,
+					      struct ldb_dn *user_dn,
 					      struct auth_serversupplied_info **server_info);
 };
 
@@ -201,13 +207,15 @@ struct auth_context {
 	NTSTATUS (*set_challenge)(struct auth_context *auth_ctx, const uint8_t chal[8], const char *set_by);
 
 	NTSTATUS (*get_server_info_principal)(TALLOC_CTX *mem_ctx,
-					      struct auth_context *auth_context,
-					      const char *principal,
-					      struct auth_serversupplied_info **server_info);
+						 struct auth_context *auth_ctx,
+						 const char *principal,
+						 struct ldb_dn *user_dn,
+						 struct auth_serversupplied_info **server_info);
 
 	NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
 					  struct auth_context *auth_context,
 					  struct auth_serversupplied_info *server_info,
+					  uint32_t session_info_flags,
 					  struct auth_session_info **session_info);
 };
 
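Review bot: the new `uint32_t session_info_flags` and `struct ldb_dn *user_dn` parameters are undocumented at the interface definition; add a comment that `session_info_flags` is a mask of the AUTH_SESSION_INFO_* bits defined above, and that exactly one of `principal` / `user_dn` is expected to be non-NULL. The auth_sam.c implementation later in this patch returns NT_STATUS_INVALID_PARAMETER when both are NULL and silently prefers `principal` when both are set, so the contract should be stated here where other backends will read it.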
@@ -231,7 +239,6 @@ struct auth_critical_sizes {
 
 struct ldb_message;
 struct ldb_context;
-struct ldb_dn;
 struct gensec_security;
 
 NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal[8]);
@@ -244,13 +251,11 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    const char *name_for_logs,
 			    bool allow_domain_trust,
 			    bool password_change);
-struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
 NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
-				      const struct dom_sid *sid,
-				      const bool only_childs,
-				      TALLOC_CTX *res_sids_ctx,
-				      struct dom_sid ***res_sids,
+				      struct ldb_val *dn_val, const bool only_childs, const char *filter,
+				      TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
 				      unsigned int *num_res_sids);
+struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 					   const char *netbios_name,
 					   const char *domain_name,
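Review bot: the new `const char *filter` argument to authsam_expand_nested_groups is an LDAP filter fragment by name, but the prototype does not say whether the callee escapes it or expects an already well-formed constant expression. Since this routine now runs on behalf of the operational module (tokenGroups) as well as the login path, document in the header that `filter` must be a constant or pre-escaped filter so that no caller ever interpolates a caller-supplied DN or account name into it; the sam.c implementation lies beyond the truncated changeset, so the header is the only place the contract is visible.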
@@ -267,6 +272,7 @@ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods,
 				     struct tevent_context *ev,
 				     struct messaging_context *msg,
 				     struct loadparm_context *lp_ctx,
+				     struct ldb_context *sam_ctx,
 				     struct auth_context **auth_ctx);
 
 NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
@@ -274,6 +280,7 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct messaging_context *msg,
 			     struct loadparm_context *lp_ctx,
 			     struct auth_context **auth_ctx);
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx);
 
 NTSTATUS auth_check_password(struct auth_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
@@ -281,6 +288,7 @@ NTSTATUS auth_check_password(struct auth_context *auth_ctx,
 			     struct auth_serversupplied_info **server_info);
 NTSTATUS auth_init(void);
 NTSTATUS auth_register(const struct auth_operations *ops);
+NTSTATUS server_service_auth_init(void);
 NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 					   struct tevent_context *ev,
 					   struct messaging_context *msg,
@@ -304,6 +312,7 @@ NTSTATUS auth_context_set_challenge(struct auth_context *auth_ctx, const uint8_t
 NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
 					struct auth_context *auth_ctx,
 					const char *principal,
+					struct ldb_dn *user_dn,
 					struct auth_serversupplied_info **server_info);
 
 NTSTATUS samba_server_gensec_start(TALLOC_CTX *mem_ctx,
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index c19d5ff..b166d23 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1327,8 +1327,14 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
 {
 	NTSTATUS nt_status;
 	if (gensec_security->auth_context) {
+		uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+		if (server_info->authenticated) {
+			flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+		}
 		nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
-										 server_info, session_info);
+										 server_info,
+										 flags,
+										 session_info);
 	} else {
 		nt_status = auth_generate_simple_session_info(mem_ctx,
 							      server_info, session_info);
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 73c12a2..4aaae6c 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1308,6 +1308,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 			nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, 
 											     gensec_security->auth_context, 
 											     principal_string,
+											     NULL,
 											     &server_info);
 			
 			if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index 77b50cb..a0d880f 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -653,7 +653,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 			nt_status = gensec_security->auth_context->get_server_info_principal(mem_ctx, 
 											     gensec_security->auth_context, 
 											     principal_string,
-											     &server_info);
+											     NULL, &server_info);
 			if (!NT_STATUS_IS_OK(nt_status)) {
 				talloc_free(mem_ctx);
 				return nt_status;
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index e9e72fa..a9c3262 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -98,13 +98,16 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth_context *auth_ctx, uint8_t chal
 }
 
 /****************************************************************************
- Try to get a challenge out of the various authentication modules.
- Returns a const char of length 8 bytes.
+Used in the gensec_gssapi and gensec_krb5 server-side code, where the
+PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
 ****************************************************************************/
 _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx, 
-						  struct auth_context *auth_ctx,
-						  const char *principal,
-						  struct auth_serversupplied_info **server_info)
+						 struct auth_context *auth_ctx,
+						 const char *principal,
+						 struct ldb_dn *user_dn,
+						 struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
 	struct auth_method_context *method;
@@ -114,7 +117,7 @@ _PUBLIC_ NTSTATUS auth_get_server_info_principal(TALLOC_CTX *mem_ctx,
 			continue;
 		}
 
-		nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, server_info);
+		nt_status = method->ops->get_server_info_principal(mem_ctx, auth_ctx, principal, user_dn, server_info);
 		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
 			continue;
 		}
@@ -399,13 +402,14 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
 
 /***************************************************************************
  Make a auth_info struct for the auth subsystem
- - Allow the caller to specify the methods to use
+ - Allow the caller to specify the methods to use, including optionally the SAM to use
 ***************************************************************************/
 _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **methods, 
-				     struct tevent_context *ev,
-				     struct messaging_context *msg,
-				     struct loadparm_context *lp_ctx,
-				     struct auth_context **auth_ctx)
+					      struct tevent_context *ev,
+					      struct messaging_context *msg,
+					      struct loadparm_context *lp_ctx,
+					      struct ldb_context *sam_ctx,
+					      struct auth_context **auth_ctx)
 {
 	int i;
 	struct auth_context *ctx;
@@ -422,11 +426,6 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 		return NT_STATUS_INTERNAL_ERROR;
 	}
 
-	if (!msg) {
-		DEBUG(0,("auth_context_create: called with out messaging context\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
 	ctx = talloc(mem_ctx, struct auth_context);
 	NT_STATUS_HAVE_NO_MEMORY(ctx);
 	ctx->challenge.set_by		= NULL;
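Review bot: dropping the `if (!msg)` guard here turns a NULL messaging context from a hard error into a supported state, so every backend that reads `ctx->msg_ctx` must now cope with NULL. In this changeset only winbind_check_password in auth_winbind.c gains such a check; any other method that touches the messaging context, and anything created through auth_context_create_from_ldb (which always passes NULL), would now dereference a NULL pointer at first use instead of failing at setup. Consider keeping a check at method-init time for backends that require messaging.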
@@ -437,7 +436,11 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 	ctx->msg_ctx			= msg;
 	ctx->lp_ctx			= lp_ctx;
 
-	ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+	if (sam_ctx) {
+		ctx->sam_ctx = sam_ctx;
+	} else {
+		ctx->sam_ctx = samdb_connect(ctx, ctx->event_ctx, ctx->lp_ctx, system_session(ctx->lp_ctx));
+	}
 
 	for (i=0; methods[i] ; i++) {
 		struct auth_method_context *method;
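Review bot: when the caller supplies `sam_ctx`, `ctx->sam_ctx` becomes a borrowed pointer with no talloc_reference and no documented lifetime, whereas the `samdb_connect` branch yields one owned by `ctx`. If the caller frees its ldb before the auth context goes away, `ctx->sam_ctx` dangles. Either `talloc_reference(ctx, sam_ctx)` it here, or state in auth.h that the supplied ldb must outlive the auth context.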
@@ -471,15 +474,8 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 
 	return NT_STATUS_OK;
 }
-/***************************************************************************
- Make a auth_info struct for the auth subsystem
- - Uses default auth_methods, depending on server role and smb.conf settings
-***************************************************************************/
-_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, 
-			     struct tevent_context *ev,
-			     struct messaging_context *msg,
-			     struct loadparm_context *lp_ctx,
-			     struct auth_context **auth_ctx)
+
+static const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
 	const char **auth_methods = NULL;
 	switch (lp_server_role(lp_ctx)) {
@@ -493,9 +489,60 @@ _PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 		auth_methods = lp_parm_string_list(mem_ctx, lp_ctx, NULL, "auth methods", "domain controller", NULL);
 		break;
 	}
-	return auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, auth_ctx);
+	return auth_methods;
 }
 
+/***************************************************************************
+ Make a auth_info struct for the auth subsystem
+ - Uses default auth_methods, depending on server role and smb.conf settings
+***************************************************************************/
+_PUBLIC_ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
+			     struct tevent_context *ev,
+			     struct messaging_context *msg,
+			     struct loadparm_context *lp_ctx,
+			     struct auth_context **auth_ctx)
+{
+	NTSTATUS status;
+	const char **auth_methods;
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+	if (!auth_methods) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	status = auth_context_create_methods(mem_ctx, auth_methods, ev, msg, lp_ctx, NULL, auth_ctx);
+	talloc_free(tmp_ctx);
+	return status;
+}
+
+/* Create an auth context from an open LDB.
+
+   This allows us not to re-open the LDB when we need to do a some authentication logic (such as tokenGroups)
+
+ */
+NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth_context **auth_ctx)
+{
+	NTSTATUS status;
+	const char **auth_methods;
+	struct loadparm_context *lp_ctx = talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), struct loadparm_context);
+	struct tevent_context *ev = ldb_get_event_context(ldb);
+
+	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+	if (!tmp_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	auth_methods = auth_methods_from_lp(tmp_ctx, lp_ctx);
+	if (!auth_methods) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	status = auth_context_create_methods(mem_ctx, auth_methods, ev, NULL, lp_ctx, ldb, auth_ctx);
+	talloc_free(tmp_ctx);
+	return status;
+}
 
 /* the list of currently registered AUTH backends */
 static struct auth_backend {
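Review bot: both auth_context_create and auth_context_create_from_ldb leak `tmp_ctx` on the `if (!auth_methods) { return NT_STATUS_INVALID_PARAMETER; }` path; free it before returning. Separately, auth_context_create_from_ldb uses `talloc_get_type_abort(ldb_get_opaque(ldb, "loadparm"), ...)`, which aborts the whole process if the ldb was opened without a loadparm opaque; since this is a new entry point reachable from the dsdb module stack, check `ldb_get_opaque` for NULL and return NT_STATUS_INTERNAL_ERROR rather than taking the daemon down.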
@@ -593,8 +640,3 @@ _PUBLIC_ NTSTATUS auth_init(void)
 	
 	return NT_STATUS_OK;	
 }
-
-NTSTATUS server_service_auth_init(void)
-{
-	return auth_init();
-}
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index e4e56e1..6d1ed0e 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -23,6 +23,8 @@
 #include "system/time.h"
 #include "lib/ldb/include/ldb.h"
 #include "../lib/util/util_ldb.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "libcli/security/security.h"
 #include "auth/auth.h"
 #include "../libcli/auth/ntlm_check.h"
 #include "auth/ntlm/auth_proto.h"
@@ -300,10 +302,14 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 }
 
 				   
-/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available */
+/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
+
+ Supply either a principal or a DN
+*/
 NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, 
 					   struct auth_context *auth_context,
 					   const char *principal,
+					   struct ldb_dn *user_dn,
 					   struct auth_serversupplied_info **server_info)
 {
 	NTSTATUS nt_status;
@@ -311,7 +317,6 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 	DATA_BLOB lm_sess_key = data_blob(NULL, 0);
 
 	struct ldb_message *msg;
-	struct ldb_context *sam_ctx;
 	struct ldb_dn *domain_dn;
 	
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -319,21 +324,48 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx, 
-				system_session(auth_context->lp_ctx));
-	if (sam_ctx == NULL) {
-		talloc_free(tmp_ctx);
-		return NT_STATUS_INVALID_SYSTEM_SERVICE;
-	}
+	if (principal) {
+		nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal,
+						      user_attrs, &domain_dn, &msg);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			talloc_free(tmp_ctx);
+			return nt_status;
+		}
+	} else if (user_dn) {
+		struct dom_sid *user_sid, *domain_sid;
+		int ret;
+		/* pull the user attributes */
+		ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn,
+				      LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
+		if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_NO_SUCH_USER;
+		} else if (ret != LDB_SUCCESS) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_INTERNAL_DB_CORRUPTION;
+		}
 
-	nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, 
-					      user_attrs, &domain_dn, &msg);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return nt_status;
+		user_sid = samdb_result_dom_sid(msg, msg, "objectSid");
+
+		nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL);
+		if (!NT_STATUS_IS_OK(nt_status)) {
+			return nt_status;
+		}
+
+		domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL,
+					  "(&(objectSid=%s)(objectClass=domain))",
+					    ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
+		if (!domain_dn) {
+			DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
+				  dom_sid_string(tmp_ctx, domain_sid)));
+			return NT_STATUS_NO_SUCH_USER;
+		}
+
+	} else {
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	nt_status = authsam_make_server_info(tmp_ctx, sam_ctx, 
+	nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx,
 					     lp_netbios_name(auth_context->lp_ctx),
  					     lp_workgroup(auth_context->lp_ctx),
 					     domain_dn, 
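Review bot: the new `user_dn` branch has three early returns that skip `talloc_free(tmp_ctx)`: after `dom_sid_split_rid` fails, after `samdb_search_dn` returns NULL, and the final `} else { return NT_STATUS_INVALID_PARAMETER; }` (the principal branch frees it correctly). Also `samdb_result_dom_sid(msg, msg, "objectSid")` returns NULL for an object without objectSid and that NULL goes straight into `dom_sid_split_rid`; check it and return NT_STATUS_NO_SUCH_USER. `domain_dn` is allocated on `mem_ctx` rather than `tmp_ctx`, unlike everything else in the function. Finally, the base search uses `(objectClass=*)`, so any DN carrying an objectSid (a group, for instance) would be turned into a server_info by authsam_make_server_info; since this path is now reachable from the operational module, restrict the filter to user/computer objects or check sAMAccountType before building the token.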
diff --git a/source3/lib/version.c b/source4/auth/ntlm/auth_server_service.c
similarity index 79%
copy from source3/lib/version.c
copy to source4/auth/ntlm/auth_server_service.c
index e81f463..df47117 100644
--- a/source3/lib/version.c
+++ b/source4/auth/ntlm/auth_server_service.c
@@ -1,27 +1,26 @@
-/* 
+/*
    Unix SMB/CIFS implementation.
-   Samba Version functions
-   
-   Copyright (C) Stefan Metzmacher	2003
-   
+   Password and authentication handling
+   Copyright (C) Andrew Bartlett         2010
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
-   
+
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
-   
+
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 #include "includes.h"
-#include "version.h"
+#include "auth/auth.h"
 
-const char *samba_version_string(void)
+NTSTATUS server_service_auth_init(void)
 {
-	return SAMBA_VERSION_STRING;
+	return auth_init();
 }
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 7f972ac..9c8f7f6 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -87,8 +87,14 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
 	}
 
 	if (session_info) {
+		uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+		if (server_info->authenticated) {
+			flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+		}
 		nt_status = auth_context->generate_session_info(tmp_ctx, auth_context,
-								server_info, session_info);
+								server_info,
+								flags,
+								session_info);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
 			talloc_steal(mem_ctx, *session_info);
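Review bot: the four lines computing `flags` from `server_info->authenticated` here are a verbatim copy of the block added to gensec_generate_session_info in gensec.c earlier in this patch. Since the point of the flags, per the commit message, is to control the 'authenticated' group carefully, that policy should live in one place: add a small helper in the auth subsystem that maps a server_info to the default AUTH_SESSION_INFO_* mask and call it from both sites, so a later rule (an ENTERPRISE_DC condition, say) cannot land in one caller and not the other.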
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index 7406a94..51a1f4d 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -240,6 +240,11 @@ static NTSTATUS winbind_check_password(struct auth_method_context *ctx,
 	const struct auth_usersupplied_info *user_info_new;
 	struct netr_IdentityInfo *identity_info;
 
+	if (!ctx->auth_ctx->msg_ctx) {
+		DEBUG(0,("winbind_check_password: auth_context_create was called with out messaging context\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	s = talloc(mem_ctx, struct winbind_check_password_state);
 	NT_STATUS_HAVE_NO_MEMORY(s);
 
diff --git a/source4/auth/ntlm/wscript_build b/source4/auth/ntlm/wscript_build


-- 
Samba Shared Repository


More information about the samba-cvs mailing list