[SCM] Samba Shared Repository - branch master updated

Andrew Tridgell tridge at samba.org
Thu Jan 13 23:24:02 MST 2011


The branch, master has been updated
       via  ad8965c s4-dsdb: only enforce the extended dn rules over ldap
       via  74674e7 s4-dsdb: removed the last use of samdb_search_*() from the dsdb ldb modules
       via  90110a0 s4-dsdb: removed some more samdb_search_*() calls from samldb.c
       via  3b7c498 s4-dsdb: replaced another use of samdb_search in a ldb module
       via  15c8107 s4-dsdb: fixed primaryGroupID to use dsdb_module_search_dn()
       via  31d644c s4-dsdb: fixed filtering of tokengroups
       via  f33ce41 ldb: new ABI file for 0.9.23
       via  60be4a4 s4-kdc: don't ask for an extended DN for krbtgt_dn
       via  197f4b0 s4-test: added a tokengroups test
       via  0450ab9 s4-samdb: give a more useful debug when we can't open the privileges db
       via  8df6504 s4-auth: fixed status return
       via  a0bc538 s4-samba-tool: fixed the gpo command to use the right DN for access checks
       via  a38854f s4-dsdb: minimise the DN in group expansion
       via  504a3cc ldb: added ldb_dn_minimise()
       via  74493af s4-dns: renamed DNS_TYPE_ZERO to DNS_TYPE_TOMBSTONE
       via  27d7f6a s4-dsdb: validate number of extended components
       via  fb704d7 ldb: added ldb_dn_get_extended_comp_num()
       via  29fb42a s4-samba_tool Added ACL checking to python GPO management tool
       via  012e570 libcli/security Add python bindings for se_access_check
       via  5322567 pyldb Simplify python wrappers for struct ldb_val (LdbValue)
       via  edd3b03 s4-auth Add get and set methods for auth_session_info python wrapper
       via  ece6eae s4-auth Add function to obtain any user's session_info from a given LDB
       via  c82269c s4-auth use new dsdb_expand_nested_groups()
       via  cbffc51 s4-dsdb Implement tokenGroups expansion directly in ldb operational module
      from  99a74ff Fix bug #7909 - map SYNCHRONIZE acl permission statically in zfs_acl vfs module.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ad8965c36446398a63bf698fffeaae3d8ba9ff8b
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 16:39:28 2011 +1100

    s4-dsdb: only enforce the extended dn rules over ldap
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User: Andrew Tridgell <tridge at samba.org>
    Autobuild-Date: Fri Jan 14 07:23:31 CET 2011 on sn-devel-104

commit 74674e782e9ecb6518bcfb7ca4bb40d44cd63c35
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 15:46:32 2011 +1100

    s4-dsdb: removed the last use of samdb_search_*() from the dsdb ldb modules
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 90110a0bbcde7bd8280c005777869609357b79ad
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 15:21:42 2011 +1100

    s4-dsdb: removed some more samdb_search_*() calls from samldb.c
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 3b7c49843734720fb31d4fa7d5d14ec0debb5867
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 11:47:49 2011 +1100

    s4-dsdb: replaced another use of samdb_search in a ldb module
    
    we should be using the dsdb_module_search*() calls
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 15c81078682a9ff67ff8c2f5c25fb4fad3a68616
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 11:37:09 2011 +1100

    s4-dsdb: fixed primaryGroupID to use dsdb_module_search_dn()
    
    this avoids using a multi-part extended DN in a search that hits the
    check in extended_dn_in
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 31d644c7f9a8ac5c142aa08e2338e6b7fa23a54e
Author: Andrew Tridgell <tridge at samba.org>
Date:   Fri Jan 14 10:41:47 2011 +1100

    s4-dsdb: fixed filtering of tokengroups
    
    builtin groups are shown in user tokenGroups searches
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit f33ce4101e81626c5a2d3d145923642997dda746
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 17:59:14 2011 +1100

    ldb: new ABI file for 0.9.23

commit 60be4a4c3729f0a1353947abc4a688c06a94e54d
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 17:40:29 2011 +1100

    s4-kdc: don't ask for an extended DN for krbtgt_dn
    
    otherwise msg->dn would be non-minimal and would fail in searches
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 197f4b098b31293f092580aa8e177cc6b8bc98c6
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 16:56:13 2011 +1100

    s4-test: added a tokengroups test
    
    this tests that the remote tokenGroups match the internally calculated
    ones
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 0450ab9536592965ab39d2ba7c5e431154ae1842
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 16:55:34 2011 +1100

    s4-samdb: give a more useful debug when we can't open the privileges db
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 8df6504ffeb0f32d6b53f8607fcc23418bda63bd
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 16:55:05 2011 +1100

    s4-auth: fixed status return
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit a0bc538a8f5906e86aa7cc8636ca141794c04514
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 15:09:03 2011 +1100

    s4-samba-tool: fixed the gpo command to use the right DN for access checks

commit a38854f74b9ab0e54647e1fe28fd85be345766dc
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 12:26:24 2011 +1100

    s4-dsdb: minimise the DN in group expansion
    
    this DN we have came from an extended DN search, which means it may
    have multiple extended components. We need to minimise the DN before
    AD will accept it
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 504a3cc6b36056f8240dae70a2445be1ad8cc6de
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 12:13:42 2011 +1100

    ldb: added ldb_dn_minimise()
    
    this removes any extraneous components from a DN. For an extended DN,
    this means removing the string DN and all but the first extended
    component.
    
    This is needed as AD returns "invalid syntax" if you don't use
    a minimal DN as the base DN for a search. A non-minimal DN also
    doesn't ever match in a search expression.
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 74493af86f953d209c57649178421929e8061c99
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 11:10:27 2011 +1100

    s4-dns: renamed DNS_TYPE_ZERO to DNS_TYPE_TOMBSTONE
    
    we now know that these are tombstone records, with a timestamp
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 27d7f6a31203c6ab3c5b1e3d667fc1c4c79d334f
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 11:08:40 2011 +1100

    s4-dsdb: validate number of extended components
    
    this checks that the number of extended components in a DN is valid,
    to match MS AD behaviour. We need to do this to ensure that our tools
    don't try to do operations that will be invalid when used against MS
    servers
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit fb704d7fc1336ad73f685abd8ac454bbde8ac966
Author: Andrew Tridgell <tridge at samba.org>
Date:   Thu Jan 13 11:07:15 2011 +1100

    ldb: added ldb_dn_get_extended_comp_num()
    
    this returns the number of extended components. We need this to
    validate a DN in the extended_dn_in module
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>

commit 29fb42a48b29158dc77682e2f4a42ed0e961c4b2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 11 18:40:54 2011 +1100

    s4-samba_tool Added ACL checking to python GPO management tool

commit 012e570416de8b48f89216ac1e6b0bba2357ac39
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 11 17:39:25 2011 +1100

    libcli/security Add python bindings for se_access_check
    
    Andrew Bartlett

commit 5322567530d588d0f420eeb720c9a2e3225d6007
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 11 16:45:39 2011 +1100

    pyldb Simplify python wrappers for struct ldb_val (LdbValue)
    
    Andrew Bartlett

commit edd3b033b861cf9e747c35a2345e714b4b2122a9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Jan 11 16:43:54 2011 +1100

    s4-auth Add get and set methods for auth_session_info python wrapper
    
    This allows the session key, security_token and credentials to be
    manipulated from python.
    
    Andrew Bartlett
    
    Pair-Programmed-With: Andrew Tridgell <tridge at samba.org>

commit ece6eae4d8862a564c581a3f3808c04edab6cb19
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Dec 22 17:17:07 2010 +1100

    s4-auth Add function to obtain any user's session_info from a given LDB
    
    This will be a building block for a tokenGroups test, which can
    compare against a remote server (in particular the rootDSE) against
    what we would calculate the tokenGroups to be.
    
    (this meant moving some parts out of the auth_sam code into the
    containing library)
    
    Andrew Bartlett

commit c82269cf862b00c987c02aefa78155c142f6d065
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 21 22:35:13 2010 +1100

    s4-auth use new dsdb_expand_nested_groups()
    
    This isn't quite as good as using tokenGroups, but that is only
    available for BASE searches, and this isn't how all the callers
    work at the moment.
    
    Andrew Bartlett

commit cbffc513130733ca9e775d99cea8f9a7402f10d0
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 21 22:34:16 2010 +1100

    s4-dsdb Implement tokenGroups expansion directly in ldb operational module
    
    This removes a silly cross-dependency between the ldb module stack and auth/
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/pysecurity.c                       |   83 +++++++
 libcli/security/wscript_build                      |    6 +
 librpc/idl/dnsp.idl                                |    3 +-
 source4/auth/ntlm/auth_sam.c                       |   87 +-------
 source4/auth/pyauth.c                              |  130 +++++++++++-
 source4/auth/sam.c                                 |  235 ++++++++------------
 source4/auth/session.c                             |   51 ++++-
 source4/auth/session.h                             |   14 ++
 source4/auth/wscript_build                         |    2 +-
 source4/dns_server/dlz_bind9.c                     |   10 +-
 source4/dsdb/common/util_groups.c                  |  172 ++++++++++++++
 source4/dsdb/samdb/ldb_modules/extended_dn_in.c    |   31 +++-
 source4/dsdb/samdb/ldb_modules/operational.c       |  128 ++++++++---
 source4/dsdb/samdb/ldb_modules/rootdse.c           |   16 +-
 source4/dsdb/samdb/ldb_modules/samldb.c            |  129 ++++++++---
 source4/dsdb/samdb/samdb.c                         |    1 +
 source4/dsdb/tests/python/token_group.py           |  100 +++++++++
 source4/dsdb/wscript_build                         |    2 +-
 source4/kdc/db-glue.c                              |    2 +-
 .../ldb/ABI/{ldb-0.9.22.sigs => ldb-0.9.23.sigs}   |    2 +
 source4/lib/ldb/common/ldb_dn.c                    |   62 +++++
 source4/lib/ldb/include/ldb.h                      |   11 +
 source4/lib/ldb/pyldb.c                            |   21 +--
 source4/lib/ldb/wscript                            |    2 +-
 source4/scripting/python/samba/netcmd/gpo.py       |   43 +++-
 source4/selftest/tests.py                          |    1 +
 26 files changed, 1006 insertions(+), 338 deletions(-)
 create mode 100644 libcli/security/pysecurity.c
 create mode 100644 source4/dsdb/common/util_groups.c
 create mode 100755 source4/dsdb/tests/python/token_group.py
 copy source4/lib/ldb/ABI/{ldb-0.9.22.sigs => ldb-0.9.23.sigs} (99%)


Changeset truncated at 500 lines:

diff --git a/libcli/security/pysecurity.c b/libcli/security/pysecurity.c
new file mode 100644
index 0000000..56bdd69
--- /dev/null
+++ b/libcli/security/pysecurity.c
@@ -0,0 +1,83 @@
+/*
+   Unix SMB/CIFS implementation.
+   Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2007-2008
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2011
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include <Python.h>
+#include "includes.h"
+#include "libcli/util/pyerrors.h"
+#include "libcli/security/security.h"
+#include "pytalloc.h"
+
+static PyObject *py_se_access_check(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+	NTSTATUS nt_status;
+	const char * const kwnames[] = { "security_descriptor", "token", "access_desired", NULL };
+	PyObject *py_sec_desc = Py_None;
+	PyObject *py_security_token = Py_None;
+	struct security_descriptor *security_descriptor;
+	struct security_token *security_token;
+	int access_desired; /* This is an int, because that's what
+			     * we need for the python
+			     * PyArg_ParseTupleAndKeywords */
+	uint32_t access_granted;
+
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "OOi",
+					 discard_const_p(char *, kwnames),
+					 &py_sec_desc, &py_security_token, &access_desired)) {
+		return NULL;
+	}
+
+	security_descriptor = py_talloc_get_type(py_sec_desc, struct security_descriptor);
+	if (!security_descriptor) {
+		PyErr_Format(PyExc_TypeError,
+			     "Expected dcerpc.security.descriptor for security_descriptor argument got  %s",
+			     talloc_get_name(py_talloc_get_ptr(py_sec_desc)));
+		return NULL;
+	}
+
+	security_token = py_talloc_get_type(py_security_token, struct security_token);
+	if (!security_token) {
+		PyErr_Format(PyExc_TypeError,
+			     "Expected dcerpc.security.token for token argument, got %s",
+			     talloc_get_name(py_talloc_get_ptr(py_security_token)));
+		return NULL;
+	}
+
+	nt_status = se_access_check(security_descriptor, security_token, access_desired, &access_granted);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
+	}
+
+	return PyLong_FromLong(access_granted);
+}
+
+static PyMethodDef py_security_methods[] = {
+	{ "access_check", (PyCFunction)py_se_access_check, METH_VARARGS|METH_KEYWORDS,
+	"access_check(security_descriptor, token, access_desired) -> access_granted.  Raises NT_STATUS on error, including on access check failure, returns access granted bitmask"},
+	{ NULL },
+};
+
+void initsecurity(void)
+{
+	PyObject *m;
+
+	m = Py_InitModule3("security", py_security_methods,
+			   "Security support.");
+	if (m == NULL)
+		return;
+}
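Review bot: the error path of py_se_access_check depends entirely on PyErr_NTSTATUS_IS_ERR_RAISE returning from the function. The guard is `if (!NT_STATUS_IS_OK(nt_status))`, but the macro's name says it raises only for the ERR severity class and there is no explicit `return NULL;` after it, so a non-OK status that is not an error-class code falls through to `return PyLong_FromLong(access_granted);` and hands the caller whatever se_access_check left in access_granted. That contradicts the docstring's promise that the function "Raises NT_STATUS on error, including on access check failure"; raise the status and `return NULL;` unconditionally inside that branch. Two smaller points: access_granted is a uint32_t mask, so PyLong_FromUnsignedLong avoids a negative result where long is 32 bits, and the first TypeError message has a doubled space and lacks the comma the second message has.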
diff --git a/libcli/security/wscript_build b/libcli/security/wscript_build
index 4b3f46e..ca60a44 100644
--- a/libcli/security/wscript_build
+++ b/libcli/security/wscript_build
@@ -7,3 +7,9 @@ bld.SAMBA_LIBRARY('security',
                   deps='talloc ndr NDR_SECURITY'
                   )
 
+if getattr(bld.env, '_SAMBA_BUILD_', 0) == 4:
+    bld.SAMBA_PYTHON('pysecurity',
+                     source='pysecurity.c',
+                     deps='security',
+                     realname='samba/security.so'
+                     )
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 495a3e2..f8cf1d4 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -24,7 +24,7 @@ import "misc.idl";
 interface dnsp
 {
 	typedef [enum16bit] enum {
-		DNS_TYPE_ZERO  = 0x0,
+		DNS_TYPE_TOMBSTONE  = 0x0,
 		DNS_TYPE_A     = 0x1,
 		DNS_TYPE_NS    = 0x2,
 		DNS_TYPE_MD    = 0x3,
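Review bot: DNS_TYPE_ZERO is a member of an enum in a generated IDL header, so renaming it is a source-compatibility break for anything that includes that header and is not touched in this changeset; the summary shows only dlz_bind9.c updated in-tree. If out-of-tree consumers matter, keep DNS_TYPE_ZERO as a deprecated alias for one release rather than removing the name outright.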
@@ -109,6 +109,7 @@ interface dnsp
 	} dnsp_srv;
 
 	typedef [nodiscriminant,gensize] union {
+		[case(DNS_TYPE_TOMBSTONE)] 		    NTTIME timestamp;
 		[case(DNS_TYPE_A)] [flag(NDR_BIG_ENDIAN)]   ipv4address ipv4;
 		[case(DNS_TYPE_NS)]                         dnsp_name ns;
 		[case(DNS_TYPE_CNAME)]                      dnsp_name cname;
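Review bot: adding the `NTTIME timestamp` arm means a record of type 0 now carries an 8-byte payload where the union previously had no case for it, so every consumer that switches on the record type must treat DNS_TYPE_TOMBSTONE as a deleted record (and not serve it or let it reach a default arm); the dlz_bind9.c change listed in the summary is where that should be verified. Because the union is [nodiscriminant], the NDR layer cannot enforce the arm selection; callers pick it, so a consumer that still uses the old "zero means empty" assumption will silently misparse the timestamp.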
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 259efec..6457132 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -353,87 +353,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 }
 
 				   
-/* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack.
-
- Supply either a principal or a DN
-*/
-NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx, 
-					   struct auth_context *auth_context,
-					   const char *principal,
-					   struct ldb_dn *user_dn,
-					   struct auth_serversupplied_info **server_info)
+/* Wrapper for the auth subsystem pointer */
+NTSTATUS authsam_get_server_info_principal_wrapper(TALLOC_CTX *mem_ctx,
+						   struct auth_context *auth_context,
+						   const char *principal,
+						   struct ldb_dn *user_dn,
+						   struct auth_serversupplied_info **server_info)
 {
-	NTSTATUS nt_status;
-	DATA_BLOB user_sess_key = data_blob(NULL, 0);
-	DATA_BLOB lm_sess_key = data_blob(NULL, 0);
-
-	struct ldb_message *msg;
-	struct ldb_dn *domain_dn;
-	
-	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-	if (!tmp_ctx) {
-		return NT_STATUS_NO_MEMORY;
-	}
-
-	if (principal) {
-		nt_status = sam_get_results_principal(auth_context->sam_ctx, tmp_ctx, principal,
-						      user_attrs, &domain_dn, &msg);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			talloc_free(tmp_ctx);
-			return nt_status;
-		}
-	} else if (user_dn) {
-		struct dom_sid *user_sid, *domain_sid;
-		int ret;
-		/* pull the user attributes */
-		ret = dsdb_search_one(auth_context->sam_ctx, tmp_ctx, &msg, user_dn,
-				      LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)");
-		if (ret == LDB_ERR_NO_SUCH_OBJECT) {
-			talloc_free(tmp_ctx);
-			return NT_STATUS_NO_SUCH_USER;
-		} else if (ret != LDB_SUCCESS) {
-			talloc_free(tmp_ctx);
-			return NT_STATUS_INTERNAL_DB_CORRUPTION;
-		}
-
-		user_sid = samdb_result_dom_sid(msg, msg, "objectSid");
-
-		nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-
-		domain_dn = samdb_search_dn(auth_context->sam_ctx, mem_ctx, NULL,
-					  "(&(objectSid=%s)(objectClass=domain))",
-					    ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid));
-		if (!domain_dn) {
-			DEBUG(3, ("authsam_get_server_info_principal: Failed to find domain with: SID %s\n",
-				  dom_sid_string(tmp_ctx, domain_sid)));
-			return NT_STATUS_NO_SUCH_USER;
-		}
-
-	} else {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	nt_status = authsam_make_server_info(tmp_ctx, auth_context->sam_ctx,
-					     lpcfg_netbios_name(auth_context->lp_ctx),
-					     lpcfg_workgroup(auth_context->lp_ctx),
-					     domain_dn, 
-					     msg,
-					     user_sess_key, lm_sess_key,
-					     server_info);
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
-		return nt_status;
-	}
-
-	talloc_steal(mem_ctx, *server_info);
-	talloc_free(tmp_ctx);
-
-	return NT_STATUS_OK;
+	return authsam_get_server_info_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
+						 principal, user_dn, server_info);
 }
-
 static const struct auth_operations sam_ignoredomain_ops = {
 	.name		           = "sam_ignoredomain",
 	.get_challenge	           = auth_get_challenge_not_implemented,
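Review bot: the blank line separating the new wrapper from `static const struct auth_operations sam_ignoredomain_ops` is removed at the end of the hunk, leaving the closing brace directly against the next definition; restore it. The original header comment ("Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. Supply either a principal or a DN") is replaced by "Wrapper for the auth subsystem pointer", so the either-principal-or-DN contract and the known callers are no longer documented on this entry point; carry that comment over. Also worth checking in the relocated implementation: the removed code returned without `talloc_free(tmp_ctx)` after a failed dom_sid_split_rid and after a failed domain_dn lookup, and those leaks should not survive the move into sam.c.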
diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index 2ef5ebb..c8ab460 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -1,7 +1,8 @@
 /* 
    Unix SMB/CIFS implementation.
    Copyright (C) Jelmer Vernooij <jelmer at samba.org> 2007-2008
-   
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2011
+
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 3 of the License, or
@@ -18,17 +19,78 @@
 
 #include <Python.h>
 #include "includes.h"
+#include "libcli/util/pyerrors.h"
 #include "param/param.h"
 #include "pyauth.h"
+#include "pyldb.h"
 #include "auth/system_session_proto.h"
+#include "auth/auth.h"
 #include "param/pyparam.h"
 #include "libcli/security/security.h"
+#include "auth/credentials/pycredentials.h"
+#include "librpc/rpc/pyrpc_util.h"
+
+static PyObject *py_auth_session_get_security_token(PyObject *self, void *closure)
+{
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	PyObject *py_security_token;
+	py_security_token = py_return_ndr_struct("samba.dcerpc.security", "token",
+						 session->security_token, session->security_token);
+	return py_security_token;
+}
+
+static int py_auth_session_set_security_token(PyObject *self, PyObject *value, void *closure)
+{
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	session->security_token = talloc_reference(session, py_talloc_get_ptr(value));
+	return 0;
+}
+
+static PyObject *py_auth_session_get_session_key(PyObject *self, void *closure)
+{
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	return PyString_FromStringAndSize((char *)session->session_key.data, session->session_key.length);
+}
+
+static int py_auth_session_set_session_key(PyObject *self, PyObject *value, void *closure)
+{
+	DATA_BLOB val;
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	val.data = (uint8_t *)PyString_AsString(value);
+	val.length = PyString_Size(value);
+
+	session->session_key = data_blob_talloc(session, val.data, val.length);
+	return 0;
+}
+
+static PyObject *py_auth_session_get_credentials(PyObject *self, void *closure)
+{
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	PyObject *py_credentials;
+	/* This is evil, as the credentials are not IDL structures */
+	py_credentials = py_return_ndr_struct("samba.credentials", "Credentials", session->credentials, session->credentials);
+	return py_credentials;
+}
+
+static int py_auth_session_set_credentials(PyObject *self, PyObject *value, void *closure)
+{
+	struct auth_session_info *session = (struct auth_session_info *)py_talloc_get_ptr(self);
+	session->credentials = talloc_reference(session, PyCredentials_AsCliCredentials(value));
+	return 0;
+}
 
+static PyGetSetDef py_auth_session_getset[] = {
+	{ discard_const_p(char, "security_token"), (getter)py_auth_session_get_security_token, (setter)py_auth_session_set_security_token, NULL },
+	{ discard_const_p(char, "session_key"), (getter)py_auth_session_get_session_key, (setter)py_auth_session_set_session_key, NULL },
+	{ discard_const_p(char, "credentials"), (getter)py_auth_session_get_credentials, (setter)py_auth_session_set_credentials, NULL },
+	{ NULL }
+};
 
 static PyTypeObject PyAuthSession = {
 	.tp_name = "AuthSession",
 	.tp_basicsize = sizeof(py_talloc_Object),
 	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_getset = py_auth_session_getset,
 };
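Review bot: the three setters accept any object without validation. py_auth_session_set_security_token passes `py_talloc_get_ptr(value)` straight into talloc_reference with no type check, unlike pysecurity.c in this same changeset, which uses py_talloc_get_type and raises TypeError on a mismatch; py_auth_session_set_session_key calls PyString_AsString and PyString_Size on `value` without checking that it is a string, so for a non-string the Python exception they set is left pending while the setter returns 0 as if it had succeeded and `data_blob_talloc(session, NULL, -1)` is reached with a length of -1 converted to size_t; and none of the setters handles `value == NULL`, which is what attribute deletion passes. Since these attributes replace the session's security_token, session key and credentials, each setter should reject NULL and wrong types with a TypeError before touching the struct. The credentials getter's own comment says wrapping a non-IDL structure via py_return_ndr_struct is "evil"; that deserves a proper PyCredentials constructor rather than a shipped workaround.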
 
 PyObject *PyAuthSession_FromSession(struct auth_session_info *session)
@@ -102,9 +164,69 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
 	return PyAuthSession_FromSession(session);
 }
 
+static PyObject *py_user_session(PyObject *module, PyObject *args, PyObject *kwargs)
+{
+	NTSTATUS nt_status;
+	struct auth_session_info *session;
+	TALLOC_CTX *mem_ctx;
+	const char * const kwnames[] = { "ldb", "lp_ctx", "principal", "dn", "session_info_flags", NULL };
+	struct ldb_context *ldb_ctx;
+	PyObject *py_ldb = Py_None;
+	PyObject *py_dn = Py_None;
+	PyObject *py_lp_ctx = Py_None;
+	struct loadparm_context *lp_ctx = NULL;
+	struct ldb_dn *user_dn;
+	char *principal = NULL;
+	int session_info_flags = 0; /* This is an int, because that's
+				 * what we need for the python
+				 * PyArg_ParseTupleAndKeywords */
+
+	if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O|OzOi",
+					 discard_const_p(char *, kwnames),
+					 &py_ldb, &py_lp_ctx, &principal, &py_dn, &session_info_flags)) {
+		return NULL;
+	}
+
+	mem_ctx = talloc_new(NULL);
+	if (mem_ctx == NULL) {
+		PyErr_NoMemory();
+		return NULL;
+	}
+
+	ldb_ctx = PyLdb_AsLdbContext(py_ldb);
+
+	if (py_dn == Py_None) {
+		user_dn = NULL;
+	} else {
+		if (!PyObject_AsDn(ldb_ctx, py_dn, ldb_ctx, &user_dn)) {
+			talloc_free(mem_ctx);
+			return NULL;
+		}
+	}
+
+	lp_ctx = lpcfg_from_py_object(mem_ctx, py_lp_ctx);
+	if (lp_ctx == NULL) {
+		talloc_free(mem_ctx);
+		return NULL;
+	}
+
+	nt_status = authsam_get_session_info_principal(mem_ctx, lp_ctx, ldb_ctx, principal, user_dn,
+						       session_info_flags, &session);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(mem_ctx);
+		PyErr_NTSTATUS_IS_ERR_RAISE(nt_status);
+	}
+
+	talloc_steal(NULL, session);
+	talloc_free(mem_ctx);
+
+	return PyAuthSession_FromSession(session);
+}
+
 static PyMethodDef py_auth_methods[] = {
 	{ "system_session", (PyCFunction)py_system_session, METH_VARARGS, NULL },
 	{ "admin_session", (PyCFunction)py_admin_session, METH_VARARGS, NULL },
+	{ "user_session", (PyCFunction)py_user_session, METH_VARARGS|METH_KEYWORDS, NULL },
 	{ NULL },
 };
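Review bot: py_user_session takes `ldb_ctx = PyLdb_AsLdbContext(py_ldb)` with no check that py_ldb is an Ldb object, while py_dn is converted through the checked PyObject_AsDn; add the same type check for py_ldb before dereferencing. The NTSTATUS error path has the same hazard as in pysecurity.c, made worse by ordering: `talloc_free(mem_ctx)` runs first and then PyErr_NTSTATUS_IS_ERR_RAISE is expected to return; if the macro does not return for that status class, the next line `talloc_steal(NULL, session)` operates on a session that was allocated on the mem_ctx just freed. Make that branch an unconditional raise-and-return. Finally, `talloc_steal(NULL, session)` leaves the session as a top-level talloc context owned only by the Python wrapper, so PyAuthSession_FromSession should be documented as taking ownership, or the session should be parented on a context the wrapper frees.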
 
@@ -126,4 +248,10 @@ void initauth(void)
 
 	Py_INCREF(&PyAuthSession);
 	PyModule_AddObject(m, "AuthSession", (PyObject *)&PyAuthSession);
+
+#define ADD_FLAG(val)  PyModule_AddObject(m, #val, PyInt_FromLong(val))
+	ADD_FLAG(AUTH_SESSION_INFO_DEFAULT_GROUPS);
+	ADD_FLAG(AUTH_SESSION_INFO_AUTHENTICATED);
+	ADD_FLAG(AUTH_SESSION_INFO_SIMPLE_PRIVILEGES);
+
 }
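Review bot: ADD_FLAG is #define'd inside initauth and never #undef'd, so it leaks into the rest of the translation unit; add `#undef ADD_FLAG` after the three uses. PyModule_AddObject steals the reference to the PyInt only on success and its return value is ignored here, which matches the existing AuthSession registration just above, so this is a pre-existing pattern rather than a regression, but the new flag constants should at least be mentioned in the module docstring so Python callers of user_session know which session_info_flags values exist.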
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 0da36ea..0a97d81 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -1,7 +1,7 @@
 /* 
    Unix SMB/CIFS implementation.
    Password and authentication handling
-   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2001-2004
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2001-2010
    Copyright (C) Gerald Carter                             2003
    Copyright (C) Stefan Metzmacher                         2005
    Copyright (C) Matthias Dieter Wallnöfer                 2009
@@ -28,6 +28,8 @@
 #include "libcli/security/security.h"
 #include "auth/auth_sam.h"
 #include "dsdb/common/util.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "param/param.h"
 
 #define KRBTGT_ATTRS \
 	/* required for the krb5 kdc */		\
@@ -265,147 +267,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-/* This function tests if a SID structure "sids" contains the SID "sid" */
-static bool sids_contains_sid(const struct dom_sid **sids,
-			      const unsigned int num_sids,
-			      const struct dom_sid *sid)
-{
-	unsigned int i;
-
-	for (i = 0; i < num_sids; i++) {
-		if (dom_sid_equal(sids[i], sid))
-			return true;
-	}
-	return false;
-}
-
-
-/*
- * This function generates the transitive closure of a given SAM object "dn_val"
- * (it basically expands nested memberships).
- * If the object isn't located in the "res_sids" structure yet and the
- * "only_childs" flag is false, we add it to "res_sids".
- * Then we've always to consider the "memberOf" attributes. We invoke the
- * function recursively on each of it with the "only_childs" flag set to
- * "false".
- * The "only_childs" flag is particularly useful if you have a user object and
- * want to include all it's groups (referenced with "memberOf") but not itself
- * or considering if that object matches the filter.
- *
- * At the beginning "res_sids" should reference to a NULL pointer.
- */
-NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
-				      struct ldb_val *dn_val, const bool only_childs, const char *filter,
-				      TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
-				      unsigned int *num_res_sids)
-{
-	const char * const attrs[] = { "memberOf", NULL };
-	unsigned int i;
-	int ret;
-	bool already_there;
-	struct ldb_dn *dn;
-	struct dom_sid sid;
-	TALLOC_CTX *tmp_ctx;
-	struct ldb_result *res;
-	NTSTATUS status;
-	const struct ldb_message_element *el;
-
-	if (*res_sids == NULL) {
-		*num_res_sids = 0;
-	}
-
-	if (!sam_ctx) {
-		DEBUG(0, ("No SAM available, cannot determine local groups\n"));
-		return NT_STATUS_INVALID_SYSTEM_SERVICE;
-	}
-
-	tmp_ctx = talloc_new(res_sids_ctx);
-
-	dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val);
-	if (dn == NULL) {
-		talloc_free(tmp_ctx);
-		DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n",
-			  (int)dn_val->length, dn_val->data));
-		return NT_STATUS_INTERNAL_DB_CORRUPTION;
-	}
-
-	status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
-	if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
-		/* If we fail finding a SID then this is no error since it could
-		 * be a non SAM object - e.g. a group with object class
-		 * "groupOfNames" */
-		talloc_free(tmp_ctx);
-		return NT_STATUS_OK;
-	} else if (!NT_STATUS_IS_OK(status)) {
-		DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n",
-			  ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
-			  nt_errstr(status)));
-		talloc_free(tmp_ctx);
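Review bot: the removal drops the only documentation of the nested-group expansion semantics (the only_childs flag, the filter argument, the requirement that *res_sids start as NULL, and the note that a DN without a SID component is tolerated because it may be a non-SAM object such as a groupOfNames). The replacement dsdb_expand_nested_groups in source4/dsdb/common/util_groups.c lies beyond the 500-line truncation of this changeset, so a reviewer reading this page cannot confirm that the comment and the groupOfNames tolerance were carried over; please make sure both are present at the new location. sids_contains_sid goes with the function; if the new expansion keeps a linear scan over res_sids for duplicate detection, the quadratic cost on large nested memberships remains and is worth a comment.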


-- 
Samba Shared Repository

