[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Mon Jan 6 23:34:04 UTC 2020


The branch, master has been updated
       via  7f75dec8652 auth: Simplify struct auth4_context
       via  add8fd21c08 ntlm_auth: Replace winbind_pw_check() by _send and _recv
       via  066c4eeaa4f ntlm_auth: Replace local_pw_check() by _send and _recv
       via  d3d2e6df9c1 auth3: Replace auth3_check_password() by _send and _recv
      from  004e5531746 winbindd_pam.c: split winbindd_dual_pam_auth_samlogon

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7f75dec865256049e99f7fcf46317cd2d53e95d1
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Jan 2 22:58:06 2020 +0100

    auth: Simplify struct auth4_context
    
    The fake async code has been pushed down into the 3 users; remove the sync
    callback. Overall it's more lines of code, but the central interface is
    simplified.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Jan  6 23:34:00 UTC 2020 on sn-devel-184

commit add8fd21c08f1225191b0794a92206f5c9248d23
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Jan 2 17:22:36 2020 +0100

    ntlm_auth: Replace winbind_pw_check() by _send and _recv
    
    This is just fake async, but it avoids one use of a sync function
    pointer in auth4_context
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 066c4eeaa4fc36052eb30c3aeb6d0be4c82ae1ef
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Jan 2 17:22:36 2020 +0100

    ntlm_auth: Replace local_pw_check() by _send and _recv
    
    This is just fake async, but it avoids one use of a sync function
    pointer in auth4_context
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d3d2e6df9c17202c37e8f6beeb0da2738838181c
Author: Volker Lendecke <vl at samba.org>
Date:   Thu Jan 2 17:22:36 2020 +0100

    auth3: Replace auth3_check_password() by _send and _recv
    
    This is just fake async, but it avoids one use of a sync function
    pointer in auth4_context
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/common_auth.h            |   6 -
 auth/ntlmssp/ntlmssp_server.c |  53 +-------
 source3/auth/auth_generic.c   |  68 ++++------
 source3/auth/auth_ntlmssp.c   | 144 +++++++++++++++------
 source3/auth/proto.h          |  17 ++-
 source3/utils/ntlm_auth.c     | 288 ++++++++++++++++++++++++++++++++----------
 6 files changed, 373 insertions(+), 203 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 9f04c9b9cbb..0452c673ebc 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -129,12 +129,6 @@ struct auth4_context {
 	/* Private data for the callbacks on this auth context */
 	void *private_data;
 
-	NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
-					TALLOC_CTX *mem_ctx,
-					const struct auth_usersupplied_info *user_info,
-					uint8_t *pauthoritative,
-					void **server_returned_info,
-					DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
 	struct tevent_req *(*check_ntlm_password_send)(TALLOC_CTX *mem_ctx,
 					struct tevent_context *ev,
 					struct auth4_context *auth_ctx,
diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c
index 29559b3fe02..001238278d7 100644
--- a/auth/ntlmssp/ntlmssp_server.c
+++ b/auth/ntlmssp/ntlmssp_server.c
@@ -335,8 +335,8 @@ struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx,
 				      struct gensec_ntlmssp_context);
 	struct auth4_context *auth_context = gensec_security->auth_context;
 	struct tevent_req *req = NULL;
+	struct tevent_req *subreq = NULL;
 	struct ntlmssp_server_auth_state *state = NULL;
-	uint8_t authoritative = 0;
 	NTSTATUS status;
 
 	req = tevent_req_create(mem_ctx, &state,
@@ -355,54 +355,13 @@ struct tevent_req *ntlmssp_server_auth_send(TALLOC_CTX *mem_ctx,
 		return tevent_req_post(req, ev);
 	}
 
-	if (auth_context->check_ntlm_password_send != NULL) {
-		struct tevent_req *subreq = NULL;
-
-		subreq = auth_context->check_ntlm_password_send(state, ev,
-						auth_context,
-						state->user_info);
-		if (tevent_req_nomem(subreq, req)) {
-			return tevent_req_post(req, ev);
-		}
-		tevent_req_set_callback(subreq,
-					ntlmssp_server_auth_done,
-					req);
-		return req;
-	}
-
-	if (auth_context->check_ntlm_password == NULL) {
-		tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+	subreq = auth_context->check_ntlm_password_send(
+		state, ev, auth_context, state->user_info);
+	if (tevent_req_nomem(subreq, req)) {
 		return tevent_req_post(req, ev);
 	}
-
-	status = auth_context->check_ntlm_password(auth_context,
-						   gensec_ntlmssp,
-						   state->user_info,
-						   &authoritative,
-						   &gensec_ntlmssp->server_returned_info,
-						   &state->user_session_key,
-						   &state->lm_session_key);
-	if (!NT_STATUS_IS_OK(status)) {
-		DBG_INFO("Checking NTLMSSP password for %s\\%s failed: %s\n",
-			 state->user_info->client.domain_name,
-			 state->user_info->client.account_name,
-			 nt_errstr(status));
-	}
-	if (tevent_req_nterror(req, status)) {
-		return tevent_req_post(req, ev);
-	}
-	talloc_steal(state, state->user_session_key.data);
-	talloc_steal(state, state->lm_session_key.data);
-
-	status = ntlmssp_server_postauth(gensec_security,
-					 gensec_ntlmssp,
-					 state, in);
-	if (tevent_req_nterror(req, status)) {
-		return tevent_req_post(req, ev);
-	}
-
-	tevent_req_done(req);
-	return tevent_req_post(req, ev);
+	tevent_req_set_callback(subreq,	ntlmssp_server_auth_done, req);
+	return req;
 }
 
 /**
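Review bot: The unconditional call at `subreq = auth_context->check_ntlm_password_send(` replaces both the `!= NULL` test and the `NT_STATUS_INTERNAL_ERROR` fallback that the removed lines had, so an auth4_context whose provider leaves `check_ntlm_password_send` unset now dereferences a NULL function pointer instead of failing the request cleanly. Since the auth/common_auth.h hunk in this same patch drops the sync member without stating that the async pair is now mandatory, either keep a guard here — `if (auth_context->check_ntlm_password_send == NULL) { tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); return tevent_req_post(req, ev); }` — or add a comment on the remaining `check_ntlm_password_send`/`_recv` members in common_auth.h that every provider must set both. Separately, `tevent_req_set_callback(subreq,	ntlmssp_server_auth_done, req);` has a tab where a space belongs after the first argument. ntlmssp_server_auth_send's body begins before this hunk.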
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 167d4e00367..9243a0ba02d 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -197,7 +197,8 @@ static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct a
 	auth4_context->generate_session_info = auth3_generate_session_info;
 	auth4_context->get_ntlm_challenge = auth3_get_challenge;
 	auth4_context->set_ntlm_challenge = auth3_set_challenge;
-	auth4_context->check_ntlm_password = auth3_check_password;
+	auth4_context->check_ntlm_password_send = auth3_check_password_send;
+	auth4_context->check_ntlm_password_recv = auth3_check_password_recv;
 	auth4_context->private_data = talloc_steal(auth4_context, auth_context);
 	return auth4_context;
 }
@@ -414,48 +415,35 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context,
 	NTSTATUS nt_status;
 	void *server_info;
 	uint8_t authoritative = 0;
+	struct tevent_context *ev = NULL;
+	struct tevent_req *subreq = NULL;
+	bool ok;
 
-	if (auth_context->check_ntlm_password_send != NULL) {
-		struct tevent_context *ev = NULL;
-		struct tevent_req *subreq = NULL;
-		bool ok;
-
-		ev = samba_tevent_context_init(talloc_tos());
-		if (ev == NULL) {
-			return NT_STATUS_NO_MEMORY;
-		}
+	ev = samba_tevent_context_init(talloc_tos());
+	if (ev == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
 
-		subreq = auth_context->check_ntlm_password_send(ev, ev,
-								auth_context,
-								user_info);
-		if (subreq == NULL) {
-			TALLOC_FREE(ev);
-			return NT_STATUS_NO_MEMORY;
-		}
-		ok = tevent_req_poll_ntstatus(subreq, ev, &nt_status);
-		if (!ok) {
-			TALLOC_FREE(ev);
-			return nt_status;
-		}
-		nt_status = auth_context->check_ntlm_password_recv(subreq,
-								   talloc_tos(),
-								   &authoritative,
-								   &server_info,
-								   NULL, NULL);
+	subreq = auth_context->check_ntlm_password_send(ev, ev,
+							auth_context,
+							user_info);
+	if (subreq == NULL) {
 		TALLOC_FREE(ev);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-	} else {
-		nt_status = auth_context->check_ntlm_password(auth_context,
-							      talloc_tos(),
-							      user_info,
-							      &authoritative,
-							      &server_info,
-							      NULL, NULL);
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
+		return NT_STATUS_NO_MEMORY;
+	}
+	ok = tevent_req_poll_ntstatus(subreq, ev, &nt_status);
+	if (!ok) {
+		TALLOC_FREE(ev);
+		return nt_status;
+	}
+	nt_status = auth_context->check_ntlm_password_recv(subreq,
+							   talloc_tos(),
+							   &authoritative,
+							   &server_info,
+							   NULL, NULL);
+	TALLOC_FREE(ev);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
 	}
 
 	nt_status = auth_context->generate_session_info(auth_context,
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 8c2e10ce6ec..3e39be30588 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -24,6 +24,7 @@
 #include "includes.h"
 #include "auth.h"
 #include "libcli/security/security.h"
+#include "lib/util/tevent_ntstatus.h"
 
 NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
 				     TALLOC_CTX *mem_ctx,
@@ -130,24 +131,38 @@ NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t
  * Return the session keys used on the connection.
  */
 
-NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
-			      TALLOC_CTX *mem_ctx,
-			      const struct auth_usersupplied_info *user_info,
-			      uint8_t *pauthoritative,
-			      void **server_returned_info,
-			      DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
+struct auth3_check_password_state {
+	uint8_t authoritative;
+	void *server_info;
+	DATA_BLOB nt_session_key;
+	DATA_BLOB lm_session_key;
+};
+
+struct tevent_req *auth3_check_password_send(
+	TALLOC_CTX *mem_ctx,
+	struct tevent_context *ev,
+	struct auth4_context *auth4_context,
+	const struct auth_usersupplied_info *user_info)
 {
-	struct auth_context *auth_context = talloc_get_type_abort(auth4_context->private_data,
-								  struct auth_context);
+	struct tevent_req *req = NULL;
+	struct auth3_check_password_state *state = NULL;
+	struct auth_context *auth_context = talloc_get_type_abort(
+		auth4_context->private_data, struct auth_context);
 	struct auth_usersupplied_info *mapped_user_info = NULL;
-	struct auth_serversupplied_info *server_info;
+	struct auth_serversupplied_info *server_info = NULL;
 	NTSTATUS nt_status;
 	bool username_was_mapped;
 
+	req = tevent_req_create(
+		mem_ctx, &state, struct auth3_check_password_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
 	/*
 	 * Be authoritative by default.
 	 */
-	*pauthoritative = 1;
+	state->authoritative = 1;
 
 	/* The client has given us its machine name (which we only get over NBT transport).
 	   We need to possibly reload smb.conf if smb.conf includes depend on the machine name. */
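Review bot: The doc block ending with "Return the session keys used on the connection." now sits above `struct auth3_check_password_state` rather than the function it described, and neither the struct nor the new `auth3_check_password_send` carries a comment of its own. I would add, above the struct, `/* Result of auth3_check_password_send, handed out by auth3_check_password_recv */`, and move the existing block down to sit directly above `struct tevent_req *auth3_check_password_send(`, extending it with one sentence saying the check is completed synchronously and the request is always posted via tevent_req_post. The body of auth3_check_password_send continues past the end of this hunk.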
@@ -173,27 +188,27 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 				       NULL, NULL, NULL,
 				       AUTH_PASSWORD_RESPONSE);
 
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		return nt_status;
+	if (tevent_req_nterror(req, nt_status)) {
+		return tevent_req_post(req, ev);
 	}
 
 	mapped_user_info->logon_parameters = user_info->logon_parameters;
 
 	mapped_user_info->flags = user_info->flags;
 
-	nt_status = auth_check_ntlm_password(mem_ctx,
+	nt_status = auth_check_ntlm_password(state,
 					     auth_context,
 					     mapped_user_info,
 					     &server_info,
-					     pauthoritative);
+					     &state->authoritative);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(5,("Checking NTLMSSP password for %s\\%s failed: "
-			 "%s, authoritative=%u\n",
+		DBG_INFO("Checking NTLMSSP password for %s\\%s failed: "
+			 "%s, authoritative=%"PRIu8"\n",
 			 user_info->client.domain_name,
 			 user_info->client.account_name,
 			 nt_errstr(nt_status),
-			 *pauthoritative));
+			 state->authoritative);
 	}
 
 	username_was_mapped = mapped_user_info->was_mapped;
@@ -201,16 +216,18 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	TALLOC_FREE(mapped_user_info);
 
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		nt_status = do_map_to_guest_server_info(mem_ctx,
-							nt_status,
-							user_info->client.account_name,
-							user_info->client.domain_name,
-							&server_info);
-		if (NT_STATUS_IS_OK(nt_status)) {
-			*pauthoritative = 1;
-			*server_returned_info = talloc_steal(mem_ctx, server_info);
+		nt_status = do_map_to_guest_server_info(
+			state,
+			nt_status,
+			user_info->client.account_name,
+			user_info->client.domain_name,
+			&server_info);
+		if (!tevent_req_nterror(req, nt_status)) {
+			state->authoritative = 1;
+			tevent_req_done(req);
 		}
-		return nt_status;
+		state->server_info = server_info;
+		return tevent_req_post(req, ev);
 	}
 
 	server_info->nss_token |= username_was_mapped;
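Review bot: In the guest-mapping branch `state->server_info = server_info;` runs after `tevent_req_nterror(req, nt_status)` on the failure path as well, so the error path publishes a pointer that `auth3_check_password_recv` never reads because it returns the error first. Moving the assignment inside the `if (!tevent_req_nterror(req, nt_status)) {` block, next to `state->authoritative = 1;`, keeps the state written only when the request actually succeeded and reads the same as the normal success path further down. auth3_check_password_send starts before this hunk.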
@@ -219,21 +236,68 @@ NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
 	 * They will not be used in this form again - instead the
 	 * NTLMSSP code will decide on the final correct session key,
 	 * and supply it to create_local_token() */
-	if (session_key) {
-		DBG_DEBUG("Got NT session key of length %zu\n",
-			  server_info->session_key.length);
-		*session_key = server_info->session_key;
-		talloc_steal(mem_ctx, server_info->session_key.data);
-		server_info->session_key = data_blob_null;
+
+	DBG_DEBUG("Got NT session key of length %zu\n",
+		  server_info->session_key.length);
+	state->nt_session_key = (DATA_BLOB) {
+		.data = talloc_move(
+			state, &server_info->session_key.data),
+		.length = server_info->session_key.length,
+	};
+	server_info->session_key = data_blob_null;
+
+	DBG_DEBUG("Got LM session key of length %zu\n",
+		  server_info->lm_session_key.length);
+	state->lm_session_key = (DATA_BLOB) {
+		.data = talloc_move(
+			state, &server_info->lm_session_key.data),
+		.length = server_info->lm_session_key.length,
+	};
+	server_info->lm_session_key = data_blob_null;
+
+	state->server_info = server_info;
+
+	tevent_req_done(req);
+	return tevent_req_post(req, ev);
+}
+
+NTSTATUS auth3_check_password_recv(struct tevent_req *req,
+				   TALLOC_CTX *mem_ctx,
+				   uint8_t *pauthoritative,
+				   void **server_returned_info,
+				   DATA_BLOB *nt_session_key,
+				   DATA_BLOB *lm_session_key)
+{
+	struct auth3_check_password_state *state = tevent_req_data(
+		req, struct auth3_check_password_state);
+	NTSTATUS status;
+
+	if (pauthoritative != NULL) {
+		*pauthoritative = state->authoritative;
 	}
-	if (lm_session_key) {
-		DBG_DEBUG("Got LM session key of length %zu\n",
-			  server_info->lm_session_key.length);
-		*lm_session_key = server_info->lm_session_key;
-		talloc_steal(mem_ctx, server_info->lm_session_key.data);
-		server_info->lm_session_key = data_blob_null;
+
+	if (tevent_req_is_nterror(req, &status)) {
+		return status;
 	}
 
-	*server_returned_info = talloc_steal(mem_ctx, server_info);
-	return nt_status;
+	if (server_returned_info != NULL) {
+		*server_returned_info = talloc_move(
+			mem_ctx, &state->server_info);
+	}
+	if (nt_session_key != NULL) {
+		*nt_session_key = (DATA_BLOB) {
+			.data = talloc_move(
+				mem_ctx, &state->nt_session_key.data),
+			.length = state->nt_session_key.length,
+		};
+	}
+	if (lm_session_key != NULL) {
+		*lm_session_key = (DATA_BLOB) {
+			.data = talloc_move(
+				mem_ctx, &state->lm_session_key.data),
+			.length = state->lm_session_key.length,
+		};
+	}
+
+	return NT_STATUS_OK;
 }
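Review bot: `auth3_check_password_recv` has no comment on ownership, and the visible behaviour is worth stating: `*server_returned_info`, `*nt_session_key` and `*lm_session_key` are talloc_move'd onto `mem_ctx` only when the corresponding output pointer is non-NULL, so a caller passing NULL — as `auth_check_password_session_info` in this patch does for both keys — leaves that session-key material parented to the request state until the tevent_req is freed. A header comment on the function saying exactly that, plus `/* authoritative is reported even on failure, as the sync version did */` above `if (pauthoritative != NULL) {`, would make the deliberate ordering before `tevent_req_is_nterror` clear to the next reader. Since the key blobs now live on `state` rather than being returned by reference, if the tree has a talloc mechanism for scrubbing buffers on free it would presumably belong on `state->nt_session_key.data` and `state->lm_session_key.data`; I have not confirmed one is available here.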
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index cd33c618754..097b17fee44 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -127,12 +127,17 @@ NTSTATUS auth3_get_challenge(struct auth4_context *auth4_context,
 NTSTATUS auth3_set_challenge(struct auth4_context *auth4_context, const uint8_t *chal,
 			     const char *challenge_set_by);
 
-NTSTATUS auth3_check_password(struct auth4_context *auth4_context,
-			      TALLOC_CTX *mem_ctx,
-			      const struct auth_usersupplied_info *user_info,
-			      uint8_t *pauthoritative,
-			      void **server_returned_info,
-			      DATA_BLOB *session_key, DATA_BLOB *lm_session_key);
+struct tevent_req *auth3_check_password_send(
+	TALLOC_CTX *mem_ctx,
+	struct tevent_context *ev,
+	struct auth4_context *auth4_context,
+	const struct auth_usersupplied_info *user_info);
+NTSTATUS auth3_check_password_recv(struct tevent_req *req,
+				   TALLOC_CTX *mem_ctx,
+				   uint8_t *pauthoritative,
+				   void **server_returned_info,
+				   DATA_BLOB *nt_session_key,
+				   DATA_BLOB *lm_session_key);
 
 /* The following definitions come from auth/auth_sam.c  */
 
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index aeae460ce8d..8327af0ebf6 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -47,6 +47,7 @@
 #include "lib/param/loadparm.h"
 #include "lib/util/base64.h"
 #include "cmdline_contexts.h"
+#include "lib/util/tevent_ntstatus.h"
 
 #include <gnutls/gnutls.h>
 #include <gnutls/crypto.h>
@@ -940,91 +941,246 @@ static NTSTATUS ntlm_auth_set_challenge(struct auth4_context *auth_ctx, const ui
  * Return the session keys used on the connection.
  */
 
-static NTSTATUS winbind_pw_check(struct auth4_context *auth4_context,
-				 TALLOC_CTX *mem_ctx,
-				 const struct auth_usersupplied_info *user_info,
-				 uint8_t *pauthoritative,
-				 void **server_returned_info,
-				 DATA_BLOB *session_key, DATA_BLOB *lm_session_key)
+struct winbind_pw_check_state {
+	uint8_t authoritative;
+	void *server_info;
+	DATA_BLOB nt_session_key;
+	DATA_BLOB lm_session_key;
+};
+
+static struct tevent_req *winbind_pw_check_send(
+	TALLOC_CTX *mem_ctx,
+	struct tevent_context *ev,
+	struct auth4_context *auth4_context,
+	const struct auth_usersupplied_info *user_info)
 {
+	struct tevent_req *req = NULL;
+	struct winbind_pw_check_state *state = NULL;
 	NTSTATUS nt_status;
 	char *error_string = NULL;
 	uint8_t lm_key[8];
 	uint8_t user_sess_key[16];
 	char *unix_name = NULL;
 
-	nt_status = contact_winbind_auth_crap(user_info->client.account_name, user_info->client.domain_name,
-					      user_info->workstation_name,
-					      &auth4_context->challenge.data,
-					      &user_info->password.response.lanman,
-					      &user_info->password.response.nt,
-					      WBFLAG_PAM_LMKEY | WBFLAG_PAM_USER_SESSION_KEY | WBFLAG_PAM_UNIX_NAME,
-					      0,
-					      lm_key, user_sess_key,
-					      pauthoritative,
-					      &error_string, &unix_name);
-
-	if (NT_STATUS_IS_OK(nt_status)) {
-		if (!all_zero(lm_key, 8)) {
-			*lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
-			memcpy(lm_session_key->data, lm_key, 8);
-			memset(lm_session_key->data+8, '\0', 8);
+	req = tevent_req_create(
+		mem_ctx, &state, struct winbind_pw_check_state);
+	if (req == NULL) {
+		return NULL;
+	}
+
+	nt_status = contact_winbind_auth_crap(
+		user_info->client.account_name,
+		user_info->client.domain_name,
+		user_info->workstation_name,
+		&auth4_context->challenge.data,
+		&user_info->password.response.lanman,
+		&user_info->password.response.nt,
+		WBFLAG_PAM_LMKEY |
+		WBFLAG_PAM_USER_SESSION_KEY |
+		WBFLAG_PAM_UNIX_NAME,
+		0,
+		lm_key, user_sess_key,
+		&state->authoritative,
+		&error_string,
+		&unix_name);
+
+	if (tevent_req_nterror(req, nt_status)) {
+		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCESS_DENIED)) {
+			DBG_ERR("Login for user [%s]\\[%s]@[%s] failed due "
+				"to [%s]\n",

