[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Mon Jan 30 01:39:02 MST 2012


The branch, master has been updated
       via  959d13a s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)
       via  3ddb983 gensec: inline gensec_generate_session_info() into only caller
       via  fc035af s4-auth: Return NT_STATUS_NOT_IMPLEMENTED if the challenge cannot be obtained
       via  a647df4 auth: Make check_password and generate_session_info hook generic
      from  7c6713e tdb2: make --enable-tdb2 the default.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 959d13ac204db88613e1b81eff72575c5a8f8edb
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 30 14:00:58 2012 +1100

    s3-auth: Remove duplicate check for NT_STATUS_IS_OK(nt_status)
    
    Autobuild-User: Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date: Mon Jan 30 09:38:47 CET 2012 on sn-devel-104

commit 3ddb983c10aab6ad8eb2a766accfccb2b3671a3a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 30 11:53:04 2012 +1100

    gensec: inline gensec_generate_session_info() into only caller
    
    This avoids casting to and from the struct auth_user_info_dc *user_info_dc
    
    To do this, the
    
    if (user_info_dc->info->authenticated)
    
    is moved into auth_generate_session_info_wrapper(), which is the
    function that gensec_security->auth_context->generate_session_info
    points to.
    
    Andrew Bartlett

commit fc035afb6ecdb54e6183be511e886ac07727cc0b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 30 11:49:23 2012 +1100

    s4-auth: Return NT_STATUS_NOT_IMPLEMENTED if the challenge cannot be obtained

commit a647df4607cb6d916cd689f92cd27995ca0f9ab4
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Mon Jan 30 11:17:44 2012 +1100

    auth: Make check_password and generate_session_info hook generic
    
    gensec_ntlmssp does not need to know the internal form of the
    struct user_info_dc or auth_serversupplied_info.  This will allow the
    calling logic to be put in common.
    
    Andrew Bartlett

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h                    |    5 ++-
 auth/gensec/gensec.h                  |    5 ---
 auth/gensec/gensec_util.c             |   29 ------------------
 auth/ntlmssp/ntlmssp.h                |    5 +--
 source3/auth/auth_ntlmssp.c           |   37 ++++++++++++-----------
 source4/auth/auth.h                   |    8 ++++-
 source4/auth/ntlm/auth.c              |   51 +++++++++++++++++++++++++++++----
 source4/auth/ntlmssp/ntlmssp_server.c |   43 +++++++++++++++-------------
 8 files changed, 98 insertions(+), 85 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 3991c40..453c0c9 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -108,7 +108,8 @@ struct auth4_context {
 	NTSTATUS (*check_password)(struct auth4_context *auth_ctx,
 				   TALLOC_CTX *mem_ctx,
 				   const struct auth_usersupplied_info *user_info,
-				   struct auth_user_info_dc **user_info_dc);
+				   void **server_returned_info,
+				   DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 
 	NTSTATUS (*get_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
 
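Review bot: Nothing at the `check_password` member says what `*server_returned_info` may point to now that it is a `void **`, so the type contract between this hook and `generate_session_info` (changed in the next hunk of this file) lives only in the implementations. Elsewhere in this commit the consumers recover the type with `talloc_get_type_abort()`, which suggests the value has to be a named talloc object and that the two hooks must be installed as a matching pair. I would add a comment above the member along the lines of `/* *server_returned_info is an opaque talloc object; only the generate_session_info hook of the same context may interpret it */`, and state whether the two session-key pointers may be NULL. struct auth4_context starts and ends outside this hunk.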
@@ -118,7 +119,7 @@ struct auth4_context {
 
 	NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
 					  struct auth4_context *auth_context,
-					  struct auth_user_info_dc *user_info_dc,
+					  void *server_returned_info,
 					  uint32_t session_info_flags,
 					  struct auth_session_info **session_info);
 
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index b03bcd8..c52eecb 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
@@ -336,11 +336,6 @@ bool gensec_setting_bool(struct gensec_settings *settings, const char *mechanism
 NTSTATUS gensec_set_target_principal(struct gensec_security *gensec_security, const char *principal);
 const char *gensec_get_target_principal(struct gensec_security *gensec_security);
 
-NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
-				      struct gensec_security *gensec_security,
-				      struct auth_user_info_dc *user_info_dc,
-				      struct auth_session_info **session_info);
-
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
 					  struct smb_krb5_context *smb_krb5_context,
diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index feff3c3..cdd615f 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -24,35 +24,6 @@
 #include "auth/gensec/gensec.h"
 #include "auth/common_auth.h"
 
-NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
-				      struct gensec_security *gensec_security,
-				      struct auth_user_info_dc *user_info_dc,
-				      struct auth_session_info **session_info)
-{
-	NTSTATUS nt_status;
-	uint32_t session_info_flags = 0;
-
-	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
-		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
-	}
-
-	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
-	if (user_info_dc->info->authenticated) {
-		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
-	}
-
-	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
-		nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
-										 user_info_dc,
-										 session_info_flags,
-										 session_info);
-	} else {
-		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-	return nt_status;
-}
-
 NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 					  struct gensec_security *gensec_security,
 					  struct smb_krb5_context *smb_krb5_context,
diff --git a/auth/ntlmssp/ntlmssp.h b/auth/ntlmssp/ntlmssp.h
index 9801b14..54d3e53 100644
--- a/auth/ntlmssp/ntlmssp.h
+++ b/auth/ntlmssp/ntlmssp.h
@@ -34,13 +34,10 @@ struct ntlmssp_state;
 struct gensec_ntlmssp_context {
 	/* used only by s3 server implementation */
 	struct auth_context *auth_context;
-	struct auth_serversupplied_info *server_info;
-
-	/* Used by the s4 server implementation */
-	struct auth_user_info_dc *user_info_dc;
 
 	/* For GENSEC users */
 	struct gensec_security *gensec_security;
+	void *server_returned_info;
 
 	/* used by both client and server implementation */
 	struct ntlmssp_state *ntlmssp_state;
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 7a23a92..00a99c3 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -37,10 +37,12 @@ static NTSTATUS gensec_ntlmssp3_server_session_info(struct gensec_security *gens
 	struct gensec_ntlmssp_context *gensec_ntlmssp =
 		talloc_get_type_abort(gensec_security->private_data,
 				      struct gensec_ntlmssp_context);
+	struct auth_serversupplied_info *server_info = talloc_get_type_abort(gensec_ntlmssp->server_returned_info, 
+									     struct auth_serversupplied_info);
 	NTSTATUS nt_status;
 
 	nt_status = create_local_token(mem_ctx,
-				       gensec_ntlmssp->server_info,
+				       server_info,
 				       &gensec_ntlmssp->ntlmssp_state->session_key,
 				       gensec_ntlmssp->ntlmssp_state->user,
 				       session_info);
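Review bot: `talloc_get_type_abort(gensec_ntlmssp->server_returned_info, ...)` ends the process when the pointer is NULL or has a different talloc type, and nothing visible here guarantees that check_password succeeded before this function runs. Because the field is now `void *`, the compiler no longer catches a mismatch, so an unexpected call order would become a daemon abort rather than an NTSTATUS error. Whether that order is reachable depends on the gensec state machine, which is not in this hunk. Consider `talloc_get_type()` followed by `if (server_info == NULL) return NT_STATUS_INTERNAL_ERROR;`. The same pattern appears in auth_generate_session_info_wrapper in source4/auth/ntlm/auth.c, and the body of this function continues outside the hunk.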
@@ -137,6 +139,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 	struct gensec_ntlmssp_context *gensec_ntlmssp =
 		(struct gensec_ntlmssp_context *)ntlmssp_state->callback_private;
 	struct auth_usersupplied_info *user_info = NULL;
+	struct auth_serversupplied_info *server_info;
 	NTSTATUS nt_status;
 	bool username_was_mapped;
 
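Review bot: `server_info` is declared without an initializer, and the failure path in the later hunk of this function (`@@ -176,36 +179,34`) copies it into `gensec_ntlmssp->server_returned_info` after `do_map_to_guest_server_info()`. If check_ntlm_password() fails without writing the pointer and the guest mapping does not apply (neither callee is visible here, so this is an inference), an indeterminate pointer is stored in the long-lived context, where the old code used the context's own field. Declaring it as `struct auth_serversupplied_info *server_info = NULL;` and assigning `server_returned_info` only when `nt_status` is OK after the mapping would keep the field either NULL or valid. auth_ntlmssp_check_password starts before and ends after this hunk.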
@@ -168,7 +171,7 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 	user_info->logon_parameters = MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT | MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT;
 
 	nt_status = gensec_ntlmssp->auth_context->check_ntlm_password(gensec_ntlmssp->auth_context,
-									  user_info, &gensec_ntlmssp->server_info);
+									  user_info, &server_info);
 
 	username_was_mapped = user_info->was_mapped;
 
@@ -176,36 +179,34 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		nt_status = do_map_to_guest_server_info(nt_status,
-							&gensec_ntlmssp->server_info,
+							&server_info,
 							gensec_ntlmssp->ntlmssp_state->user,
 							gensec_ntlmssp->ntlmssp_state->domain);
+		gensec_ntlmssp->server_returned_info = server_info;
 		return nt_status;
 	}
 
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
-	}
-
-	gensec_ntlmssp->server_info->nss_token |= username_was_mapped;
+	server_info->nss_token |= username_was_mapped;
 
 	/* Clear out the session keys, and pass them to the caller.
 	 * They will not be used in this form again - instead the
 	 * NTLMSSP code will decide on the final correct session key,
 	 * and supply it to create_local_token() */
-	if (gensec_ntlmssp->server_info->session_key.length) {
+	if (server_info->session_key.length) {
 		DEBUG(10, ("Got NT session key of length %u\n",
-			(unsigned int)gensec_ntlmssp->server_info->session_key.length));
-		*session_key = gensec_ntlmssp->server_info->session_key;
-		talloc_steal(mem_ctx, gensec_ntlmssp->server_info->session_key.data);
-		gensec_ntlmssp->server_info->session_key = data_blob_null;
+			(unsigned int)server_info->session_key.length));
+		*session_key = server_info->session_key;
+		talloc_steal(mem_ctx, server_info->session_key.data);
+		server_info->session_key = data_blob_null;
 	}
-	if (gensec_ntlmssp->server_info->lm_session_key.length) {
+	if (server_info->lm_session_key.length) {
 		DEBUG(10, ("Got LM session key of length %u\n",
-			(unsigned int)gensec_ntlmssp->server_info->lm_session_key.length));
-		*lm_session_key = gensec_ntlmssp->server_info->lm_session_key;
-		talloc_steal(mem_ctx, gensec_ntlmssp->server_info->lm_session_key.data);
-		gensec_ntlmssp->server_info->lm_session_key = data_blob_null;
+			(unsigned int)server_info->lm_session_key.length));
+		*lm_session_key = server_info->lm_session_key;
+		talloc_steal(mem_ctx, server_info->lm_session_key.data);
+		server_info->lm_session_key = data_blob_null;
 	}
+	gensec_ntlmssp->server_returned_info = server_info;
 	return nt_status;
 }
 
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index a7fc413..1b22701 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -152,9 +152,15 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx,
 			     struct loadparm_context *lp_ctx,
 			     struct auth4_context **auth_ctx);
 
+NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
+			     TALLOC_CTX *mem_ctx,
+			     const struct auth_usersupplied_info *user_info, 
+			     void **server_returned_info,
+			     DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key);
+
 NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 			     TALLOC_CTX *mem_ctx,
-			     const struct auth_usersupplied_info *user_info,
+			     const struct auth_usersupplied_info *user_info, 
 			     struct auth_user_info_dc **user_info_dc);
 NTSTATUS auth4_init(void);
 NTSTATUS auth_register(const struct auth_operations *ops);
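Review bot: The new prototype names its fifth parameter `user_session_key`, while the `check_password` hook it is assigned to in auth/common_auth.h calls the same slot `nt_session_key`; using one name for both would make the pairing easier to follow. The only change to the existing `auth_check_password` prototype is a trailing space after `user_info,` (the new prototype has it too), which is worth dropping.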
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 95bdd84..6dd82e4 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -35,7 +35,7 @@
 
 static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
                                                   struct auth4_context *auth_context,
-                                                  struct auth_user_info_dc *user_info_dc,
+						   void *server_returned_info,
                                                   uint32_t session_info_flags,
 						   struct auth_session_info **session_info);
 
@@ -208,6 +208,38 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
 	return status;
 }
 
+_PUBLIC_ NTSTATUS auth_check_password_wrapper(struct auth4_context *auth_ctx,
+					      TALLOC_CTX *mem_ctx,
+					      const struct auth_usersupplied_info *user_info, 
+					      void **server_returned_info,
+					      DATA_BLOB *user_session_key, DATA_BLOB *lm_session_key)
+{
+	struct auth_user_info_dc *user_info_dc;
+	NTSTATUS status = auth_check_password(auth_ctx, mem_ctx, user_info, &user_info_dc);
+
+	if (NT_STATUS_IS_OK(status)) {
+		*server_returned_info = user_info_dc;
+
+		if (user_session_key) {
+			DEBUG(10, ("Got NT session key of length %u\n",
+				   (unsigned)user_info_dc->user_session_key.length));
+			*user_session_key = user_info_dc->user_session_key;
+			talloc_steal(mem_ctx, user_session_key->data);
+			user_info_dc->user_session_key = data_blob_null;
+		}
+
+		if (lm_session_key) {
+			DEBUG(10, ("Got LM session key of length %u\n",
+				   (unsigned)user_info_dc->lm_session_key.length));
+			*lm_session_key = user_info_dc->lm_session_key;
+			talloc_steal(mem_ctx, lm_session_key->data);
+			user_info_dc->lm_session_key = data_blob_null;
+		}
+	}
+
+	return status;
+}
+
 struct auth_check_password_state {
 	struct auth4_context *auth_ctx;
 	const struct auth_usersupplied_info *user_info;
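Review bot: auth_check_password_wrapper has no header comment, and its contract differs from the code it replaces in source4/auth/ntlmssp/ntlmssp_server.c. The caller's blobs are now overwritten on every success, even when the key length is zero, and no output is written on failure. A short comment above the function would cover this, for example `/* On success *server_returned_info is a struct auth_user_info_dc and the session keys are moved out of it onto mem_ctx; on failure no output is written */`. It should also say that either key pointer may be NULL, since the body checks for that.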
@@ -433,13 +465,20 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
   * generation of unix tokens via IRPC */
 static NTSTATUS auth_generate_session_info_wrapper(TALLOC_CTX *mem_ctx,
                                                   struct auth4_context *auth_context,
-                                                  struct auth_user_info_dc *user_info_dc,
+						   void *server_returned_info,
                                                   uint32_t session_info_flags,
                                                   struct auth_session_info **session_info)
 {
-	NTSTATUS status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
-						     auth_context->sam_ctx, user_info_dc,
-						     session_info_flags, session_info);
+	NTSTATUS status;
+	struct auth_user_info_dc *user_info_dc = talloc_get_type_abort(server_returned_info, struct auth_user_info_dc);
+
+	if (user_info_dc->info->authenticated) {
+		session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+	}
+
+	status = auth_generate_session_info(mem_ctx, auth_context->lp_ctx,
+					    auth_context->sam_ctx, user_info_dc,
+					    session_info_flags, session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -562,7 +601,7 @@ _PUBLIC_ NTSTATUS auth_context_create_methods(TALLOC_CTX *mem_ctx, const char **
 		DLIST_ADD_END(ctx->methods, method, struct auth_method_context *);
 	}
 
-	ctx->check_password = auth_check_password;
+	ctx->check_password = auth_check_password_wrapper;
 	ctx->get_challenge = auth_get_challenge;
 	ctx->set_challenge = auth_context_set_challenge;
 	ctx->challenge_may_be_modified = auth_challenge_may_be_modified;
diff --git a/source4/auth/ntlmssp/ntlmssp_server.c b/source4/auth/ntlmssp/ntlmssp_server.c
index dcd6123..f463859 100644
--- a/source4/auth/ntlmssp/ntlmssp_server.c
+++ b/source4/auth/ntlmssp/ntlmssp_server.c
@@ -101,7 +101,7 @@ static NTSTATUS auth_ntlmssp_get_challenge(const struct ntlmssp_state *ntlmssp_s
 		}
 	}
 
-	return NT_STATUS_OK;
+	return status;
 }
 
 /**
@@ -189,25 +189,15 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 		nt_status = auth_context->check_password(auth_context,
 							 gensec_ntlmssp,
 							 user_info,
-							 &gensec_ntlmssp->user_info_dc);
+							 &gensec_ntlmssp->server_returned_info,
+							 user_session_key, lm_session_key);
 	}
 	talloc_free(user_info);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	if (gensec_ntlmssp->user_info_dc->user_session_key.length) {
-		DEBUG(10, ("Got NT session key of length %u\n",
-			   (unsigned)gensec_ntlmssp->user_info_dc->user_session_key.length));
-		*user_session_key = gensec_ntlmssp->user_info_dc->user_session_key;
-		talloc_steal(mem_ctx, user_session_key->data);
-		gensec_ntlmssp->user_info_dc->user_session_key = data_blob_null;
-	}
-	if (gensec_ntlmssp->user_info_dc->lm_session_key.length) {
-		DEBUG(10, ("Got LM session key of length %u\n",
-			   (unsigned)gensec_ntlmssp->user_info_dc->lm_session_key.length));
-		*lm_session_key = gensec_ntlmssp->user_info_dc->lm_session_key;
-		talloc_steal(mem_ctx, lm_session_key->data);
-		gensec_ntlmssp->user_info_dc->lm_session_key = data_blob_null;
-	}
+	talloc_steal(mem_ctx, user_session_key->data);
+	talloc_steal(mem_ctx, lm_session_key->data);
+	
 	return nt_status;
 }
 
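Review bot: The two added `talloc_steal()` calls dereference `user_session_key` and `lm_session_key` unconditionally, while auth_check_password_wrapper in source4/auth/ntlm/auth.c treats both pointers as optional. They also read `->data` whether or not the hook wrote the blobs. The removed code only touched them when the length was non-zero, so a hook that leaves them alone, or the other branch of the `if` that lies outside this hunk, would hand whatever the caller had in the blob to talloc_steal. Guarding each call, for example `if (user_session_key != NULL && user_session_key->length != 0) talloc_steal(mem_ctx, user_session_key->data);`, keeps the old behaviour; the function starts outside this hunk.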
@@ -229,11 +219,24 @@ NTSTATUS gensec_ntlmssp_session_info(struct gensec_security *gensec_security,
 	struct gensec_ntlmssp_context *gensec_ntlmssp =
 		talloc_get_type_abort(gensec_security->private_data,
 				      struct gensec_ntlmssp_context);
+	uint32_t session_info_flags = 0;
+
+	if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+		session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+	}
+
+	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
-	nt_status = gensec_generate_session_info(mem_ctx,
-						 gensec_security,
-						 gensec_ntlmssp->user_info_dc,
-						 session_info);
+	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info) {
+		nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
+										 gensec_ntlmssp->server_returned_info,
+										 session_info_flags,
+										 session_info);
+	} else {
+		DEBUG(0, ("Cannot generate a session_info without the auth_context\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+	
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
 	return gensec_ntlmssp_session_key(gensec_security, *session_info,
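Review bot: After the inlining, this function no longer sets `AUTH_SESSION_INFO_AUTHENTICATED`; it relies on whichever `generate_session_info` hook is installed to add it, and only auth_generate_session_info_wrapper is shown doing so. That split decides whether a session is marked authenticated, yet a reader of this function cannot see it. I would add a comment before the hook call such as `/* AUTH_SESSION_INFO_AUTHENTICATED is added by the hook, which knows the type behind server_returned_info */`. The function continues past the end of this hunk.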


-- 
Samba Shared Repository

