Changeset 740 for vendor/current/source4/auth/sam.c
- Timestamp:
- Nov 14, 2012, 12:59:34 PM (13 years ago)
- File:
-
- 1 edited
-
vendor/current/source4/auth/sam.c (modified) (15 diffs)
Legend:
- Unmodified
- Added
- Removed
-
vendor/current/source4/auth/sam.c
r414 r740 2 2 Unix SMB/CIFS implementation. 3 3 Password and authentication handling 4 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-20 044 Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010 5 5 Copyright (C) Gerald Carter 2003 6 6 Copyright (C) Stefan Metzmacher 2005 … … 25 25 #include "auth/auth.h" 26 26 #include <ldb.h> 27 #include "../lib/util/util_ldb.h"28 27 #include "dsdb/samdb/samdb.h" 29 28 #include "libcli/security/security.h" 30 #include "libcli/ldap/ldap.h" 31 #include "../libcli/ldap/ldap_ndr.h" 32 #include "librpc/gen_ndr/ndr_netlogon.h" 33 #include "librpc/gen_ndr/ndr_security.h" 29 #include "auth/auth_sam.h" 30 #include "dsdb/common/util.h" 31 #include "libcli/ldap/ldap_ndr.h" 34 32 #include "param/param.h" 35 #include "auth/auth_sam.h"36 33 37 34 #define KRBTGT_ATTRS \ … … 42 39 "servicePrincipalName", \ 43 40 "msDS-KeyVersionNumber", \ 41 "msDS-SecondaryKrbTgtNumber", \ 42 "msDS-SupportedEncryptionTypes", \ 44 43 "supplementalCredentials", \ 45 44 \ … … 52 51 \ 53 52 "pwdLastSet", \ 54 "accountExpires" 53 "accountExpires" 55 54 56 55 const char *krbtgt_attrs[] = { 57 KRBTGT_ATTRS 56 KRBTGT_ATTRS, NULL 58 57 }; 59 58 60 59 const char *server_attrs[] = { 61 KRBTGT_ATTRS 60 KRBTGT_ATTRS, NULL 62 61 }; 63 62 … … 70 69 "userWorkstations", 71 70 72 /* required for server_info, not access control: */71 /* required for user_info_dc, not access control: */ 73 72 "displayName", 74 73 "scriptPath", … … 149 148 150 149 /**************************************************************************** 151 Do a specific test for a SAM_ACCOUNT being va ild for this connection150 Do a specific test for a SAM_ACCOUNT being valid for this connection 152 151 (ie not disabled, expired and the like). 153 152 ****************************************************************************/ … … 179 178 domain_dn, msg); 180 179 181 workstation_list = samdb_result_string(msg, "userWorkstations", NULL);180 workstation_list = ldb_msg_find_attr_as_string(msg, "userWorkstations", NULL); 182 181 183 182 /* Quit if the account was disabled. */ 184 183 if (acct_flags & ACB_DISABLED) { 185 DEBUG( 1,("authsam_account_ok: Account for user '%s' was disabled.\n", name_for_logs));184 DEBUG(2,("authsam_account_ok: Account for user '%s' was disabled.\n", name_for_logs)); 186 185 return NT_STATUS_ACCOUNT_DISABLED; 187 186 } … … 189 188 /* Quit if the account was locked out. */ 190 189 if (acct_flags & ACB_AUTOLOCK) { 191 DEBUG( 1,("authsam_account_ok: Account for user %s was locked out.\n", name_for_logs));190 DEBUG(2,("authsam_account_ok: Account for user %s was locked out.\n", name_for_logs)); 192 191 return NT_STATUS_ACCOUNT_LOCKED_OUT; 193 192 } … … 196 195 unix_to_nt_time(&now, time(NULL)); 197 196 if (now > acct_expiry) { 198 DEBUG( 1,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs));197 DEBUG(2,("authsam_account_ok: Account for user '%s' has expired.\n", name_for_logs)); 199 198 DEBUG(3,("authsam_account_ok: Account expired at '%s'.\n", 200 199 nt_time_string(mem_ctx, acct_expiry))); … … 204 203 /* check for immediate expiry "must change at next logon" (but not if this is a password change request) */ 205 204 if ((must_change_time == 0) && !password_change) { 206 DEBUG( 1,("sam_account_ok: Account for user '%s' password must change!.\n",205 DEBUG(2,("sam_account_ok: Account for user '%s' password must change!.\n", 207 206 name_for_logs)); 208 207 return NT_STATUS_PASSWORD_MUST_CHANGE; … … 211 210 /* check for expired password (but not if this is a password change request) */ 212 211 if ((must_change_time < now) && !password_change) { 213 DEBUG( 1,("sam_account_ok: Account for user '%s' password expired!.\n",212 DEBUG(2,("sam_account_ok: Account for user '%s' password expired!.\n", 214 213 name_for_logs)); 215 DEBUG( 1,("sam_account_ok: Password expired at '%s' unix time.\n",214 DEBUG(2,("sam_account_ok: Password expired at '%s' unix time.\n", 216 215 nt_time_string(mem_ctx, must_change_time))); 217 216 return NT_STATUS_PASSWORD_EXPIRED; … … 269 268 } 270 269 271 /* This function tests if a SID structure "sids" contains the SID "sid" */ 272 static bool sids_contains_sid(const struct dom_sid **sids, const int num_sids, 273 const struct dom_sid *sid) 274 { 275 int i; 276 277 for (i = 0; i < num_sids; i++) { 278 if (dom_sid_equal(sids[i], sid)) 279 return true; 280 } 281 return false; 282 } 283 284 /* 285 * This function generates the transitive closure of a given SID "sid" (it 286 * basically expands nested groups of a SID). 287 * If the SID isn't located in the "res_sids" structure yet and the 288 * "only_childs" flag is negative, we add it to "res_sids". 289 * Then we've always to consider the "memberOf" attributes. We invoke the 290 * function recursively on each item of it with the "only_childs" flag set to 291 * "false". 292 * The "only_childs" flag is particularly useful if you have a user SID and 293 * want to include all his groups (referenced with "memberOf") without his SID 294 * itself. 295 * 296 * At the beginning "res_sids" should reference to a NULL pointer. 297 */ 298 static NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx, 299 const struct dom_sid *sid, const bool only_childs, 300 TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids, 301 int *num_res_sids) 302 { 303 const char * const attrs[] = { "memberOf", NULL }; 304 int i, ret; 305 bool already_there; 306 struct ldb_dn *tmp_dn; 307 struct dom_sid *tmp_sid; 308 TALLOC_CTX *tmp_ctx; 309 struct ldb_message **res; 310 NTSTATUS status; 311 312 if (*res_sids == NULL) { 313 *num_res_sids = 0; 314 } 315 316 if (sid == NULL) { 317 return NT_STATUS_OK; 318 } 319 320 already_there = sids_contains_sid((const struct dom_sid**) *res_sids, 321 *num_res_sids, sid); 322 if (already_there) { 323 return NT_STATUS_OK; 324 } 325 326 if (!only_childs) { 327 tmp_sid = dom_sid_dup(res_sids_ctx, sid); 328 NT_STATUS_HAVE_NO_MEMORY(tmp_sid); 329 *res_sids = talloc_realloc(res_sids_ctx, *res_sids, 330 struct dom_sid *, *num_res_sids + 1); 331 NT_STATUS_HAVE_NO_MEMORY(*res_sids); 332 (*res_sids)[*num_res_sids] = tmp_sid; 333 ++(*num_res_sids); 334 } 335 336 tmp_ctx = talloc_new(sam_ctx); 337 338 ret = gendb_search(sam_ctx, tmp_ctx, NULL, &res, attrs, 339 "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid)); 340 if (ret != 1) { 341 talloc_free(tmp_ctx); 342 return NT_STATUS_INTERNAL_DB_CORRUPTION; 343 } 344 345 if (res[0]->num_elements == 0) { 346 talloc_free(res); 347 talloc_free(tmp_ctx); 348 return NT_STATUS_OK; 349 } 350 351 for (i = 0; i < res[0]->elements[0].num_values; i++) { 352 tmp_dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, 353 &res[0]->elements[0].values[i]); 354 tmp_sid = samdb_search_dom_sid(sam_ctx, tmp_ctx, tmp_dn, 355 "objectSid", NULL); 356 357 status = authsam_expand_nested_groups(sam_ctx, tmp_sid, 358 false, res_sids_ctx, res_sids, num_res_sids); 359 if (!NT_STATUS_IS_OK(status)) { 360 talloc_free(res); 361 talloc_free(tmp_ctx); 362 return status; 363 } 364 } 365 366 talloc_free(res); 367 talloc_free(tmp_ctx); 368 369 return NT_STATUS_OK; 370 } 371 372 _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, 270 _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, 373 271 struct ldb_context *sam_ctx, 374 272 const char *netbios_name, … … 378 276 DATA_BLOB user_sess_key, 379 277 DATA_BLOB lm_sess_key, 380 struct auth_serversupplied_info 381 **_server_info) 278 struct auth_user_info_dc **_user_info_dc) 382 279 { 383 280 NTSTATUS status; 384 struct auth_ serversupplied_info *server_info;385 const char *str;386 struct dom_sid *tmp_sid;281 struct auth_user_info_dc *user_info_dc; 282 struct auth_user_info *info; 283 const char *str, *filter; 387 284 /* SIDs for the account and his primary group */ 388 285 struct dom_sid *account_sid; 389 struct dom_sid *primary_group_sid; 286 const char *primary_group_string; 287 const char *primary_group_dn; 288 DATA_BLOB primary_group_blob; 390 289 /* SID structures for the expanded group memberships */ 391 struct dom_sid **groupSIDs = NULL, **groupSIDs_2 = NULL; 392 int num_groupSIDs = 0, num_groupSIDs_2 = 0, i; 393 uint32_t userAccountControl; 394 395 server_info = talloc(mem_ctx, struct auth_serversupplied_info); 396 NT_STATUS_HAVE_NO_MEMORY(server_info); 397 398 account_sid = samdb_result_dom_sid(server_info, msg, "objectSid"); 399 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info); 400 401 primary_group_sid = dom_sid_add_rid(server_info, 402 samdb_domain_sid(sam_ctx), 403 samdb_result_uint(msg, "primaryGroupID", ~0)); 404 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, server_info); 405 406 /* Expands the primary group */ 407 status = authsam_expand_nested_groups(sam_ctx, primary_group_sid, false, 408 server_info, &groupSIDs, &num_groupSIDs); 290 struct dom_sid *sids = NULL; 291 unsigned int num_sids = 0, i; 292 struct dom_sid *domain_sid; 293 TALLOC_CTX *tmp_ctx; 294 struct ldb_message_element *el; 295 296 user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); 297 NT_STATUS_HAVE_NO_MEMORY(user_info_dc); 298 299 tmp_ctx = talloc_new(user_info_dc); 300 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc); 301 302 sids = talloc_array(user_info_dc, struct dom_sid, 2); 303 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc); 304 305 num_sids = 2; 306 307 account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid"); 308 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc); 309 310 status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL); 409 311 if (!NT_STATUS_IS_OK(status)) { 410 talloc_free( server_info);312 talloc_free(user_info_dc); 411 313 return status; 412 314 } 413 315 316 sids[PRIMARY_USER_SID_INDEX] = *account_sid; 317 sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; 318 sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); 319 320 /* Filter out builtin groups from this token. We will search 321 * for builtin groups later, and not include them in the PAC 322 * on SamLogon validation info */ 323 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); 324 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc); 325 326 primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]); 327 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc); 328 329 primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string); 330 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc); 331 332 primary_group_blob = data_blob_string_const(primary_group_dn); 333 334 /* Expands the primary group - this function takes in 335 * memberOf-like values, so we fake one up with the 336 * <SID=S-...> format of DN and then let it expand 337 * them, as long as they meet the filter - so only 338 * domain groups, not builtin groups 339 * 340 * The primary group is still treated specially, so we set the 341 * 'only childs' flag to true 342 */ 343 status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, 344 user_info_dc, &sids, &num_sids); 345 if (!NT_STATUS_IS_OK(status)) { 346 talloc_free(user_info_dc); 347 return status; 348 } 349 414 350 /* Expands the additional groups */ 415 status = authsam_expand_nested_groups(sam_ctx, account_sid, true, 416 server_info, &groupSIDs_2, &num_groupSIDs_2); 417 if (!NT_STATUS_IS_OK(status)) { 418 talloc_free(server_info); 419 return status; 420 } 421 422 /* Merge the two expanded structures (groupSIDs, groupSIDs_2) */ 423 for (i = 0; i < num_groupSIDs_2; i++) 424 if (!sids_contains_sid((const struct dom_sid **) groupSIDs, 425 num_groupSIDs, groupSIDs_2[i])) { 426 tmp_sid = dom_sid_dup(server_info, groupSIDs_2[i]); 427 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(tmp_sid, server_info); 428 groupSIDs = talloc_realloc(server_info, groupSIDs, 429 struct dom_sid *, num_groupSIDs + 1); 430 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, 431 server_info); 432 groupSIDs[num_groupSIDs] = tmp_sid; 433 ++num_groupSIDs; 434 } 435 talloc_free(groupSIDs_2); 436 437 server_info->account_sid = account_sid; 438 server_info->primary_group_sid = primary_group_sid; 439 440 /* DCs also get SID_NT_ENTERPRISE_DCS */ 441 userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); 442 if (userAccountControl & UF_SERVER_TRUST_ACCOUNT) { 443 groupSIDs = talloc_realloc(server_info, groupSIDs, struct dom_sid *, 444 num_groupSIDs+1); 445 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, server_info); 446 groupSIDs[num_groupSIDs] = dom_sid_parse_talloc(groupSIDs, SID_NT_ENTERPRISE_DCS); 447 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs[num_groupSIDs], server_info); 448 num_groupSIDs++; 449 } 450 451 server_info->domain_groups = groupSIDs; 452 server_info->n_domain_groups = num_groupSIDs; 453 454 server_info->account_name = talloc_steal(server_info, 455 samdb_result_string(msg, "sAMAccountName", NULL)); 456 457 server_info->domain_name = talloc_strdup(server_info, domain_name); 458 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_name, 459 server_info); 460 461 str = samdb_result_string(msg, "displayName", ""); 462 server_info->full_name = talloc_strdup(server_info, str); 463 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->full_name, server_info); 464 465 str = samdb_result_string(msg, "scriptPath", ""); 466 server_info->logon_script = talloc_strdup(server_info, str); 467 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_script, 468 server_info); 469 470 str = samdb_result_string(msg, "profilePath", ""); 471 server_info->profile_path = talloc_strdup(server_info, str); 472 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->profile_path, 473 server_info); 474 475 str = samdb_result_string(msg, "homeDirectory", ""); 476 server_info->home_directory = talloc_strdup(server_info, str); 477 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_directory, 478 server_info); 479 480 str = samdb_result_string(msg, "homeDrive", ""); 481 server_info->home_drive = talloc_strdup(server_info, str); 482 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->home_drive, server_info); 483 484 server_info->logon_server = talloc_strdup(server_info, netbios_name); 485 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->logon_server, 486 server_info); 487 488 server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); 489 server_info->last_logoff = samdb_result_last_logoff(msg); 490 server_info->acct_expiry = samdb_result_account_expires(msg); 491 server_info->last_password_change = samdb_result_nttime(msg, 351 el = ldb_msg_find_element(msg, "memberOf"); 352 for (i = 0; el && i < el->num_values; i++) { 353 /* This function takes in memberOf values and expands 354 * them, as long as they meet the filter - so only 355 * domain groups, not builtin groups */ 356 status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter, 357 user_info_dc, &sids, &num_sids); 358 if (!NT_STATUS_IS_OK(status)) { 359 talloc_free(user_info_dc); 360 return status; 361 } 362 } 363 364 user_info_dc->sids = sids; 365 user_info_dc->num_sids = num_sids; 366 367 user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info); 368 NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info); 369 370 info->account_name = talloc_steal(info, 371 ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); 372 373 info->domain_name = talloc_strdup(info, domain_name); 374 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name, 375 user_info_dc); 376 377 str = ldb_msg_find_attr_as_string(msg, "displayName", ""); 378 info->full_name = talloc_strdup(info, str); 379 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc); 380 381 str = ldb_msg_find_attr_as_string(msg, "scriptPath", ""); 382 info->logon_script = talloc_strdup(info, str); 383 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script, 384 user_info_dc); 385 386 str = ldb_msg_find_attr_as_string(msg, "profilePath", ""); 387 info->profile_path = talloc_strdup(info, str); 388 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path, 389 user_info_dc); 390 391 str = ldb_msg_find_attr_as_string(msg, "homeDirectory", ""); 392 info->home_directory = talloc_strdup(info, str); 393 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory, 394 user_info_dc); 395 396 str = ldb_msg_find_attr_as_string(msg, "homeDrive", ""); 397 info->home_drive = talloc_strdup(info, str); 398 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc); 399 400 info->logon_server = talloc_strdup(info, netbios_name); 401 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server, 402 user_info_dc); 403 404 info->last_logon = samdb_result_nttime(msg, "lastLogon", 0); 405 info->last_logoff = samdb_result_last_logoff(msg); 406 info->acct_expiry = samdb_result_account_expires(msg); 407 info->last_password_change = samdb_result_nttime(msg, 492 408 "pwdLastSet", 0); 493 server_info->allow_password_change409 info->allow_password_change 494 410 = samdb_result_allow_password_change(sam_ctx, mem_ctx, 495 411 domain_dn, msg, "pwdLastSet"); 496 server_info->force_password_change412 info->force_password_change 497 413 = samdb_result_force_password_change(sam_ctx, mem_ctx, 498 414 domain_dn, msg); 499 server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);500 server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount",415 info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0); 416 info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount", 501 417 0); 502 418 503 server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,419 info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, 504 420 msg, domain_dn); 505 421 506 server_info->user_session_key = data_blob_talloc_reference(server_info, 507 &user_sess_key); 508 server_info->lm_session_key = data_blob_talloc_reference(server_info, 509 &lm_sess_key); 510 511 server_info->authenticated = true; 512 513 *_server_info = server_info; 422 user_info_dc->user_session_key = data_blob_talloc(user_info_dc, 423 user_sess_key.data, 424 user_sess_key.length); 425 if (user_sess_key.data) { 426 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data, 427 user_info_dc); 428 } 429 user_info_dc->lm_session_key = data_blob_talloc(user_info_dc, 430 lm_sess_key.data, 431 lm_sess_key.length); 432 if (lm_sess_key.data) { 433 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data, 434 user_info_dc); 435 } 436 437 if (info->acct_flags & ACB_SVRTRUST) { 438 /* the SID_NT_ENTERPRISE_DCS SID gets added into the 439 PAC */ 440 user_info_dc->sids = talloc_realloc(user_info_dc, 441 user_info_dc->sids, 442 struct dom_sid, 443 user_info_dc->num_sids+1); 444 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); 445 user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs; 446 user_info_dc->num_sids++; 447 } 448 449 if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) == 450 (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) { 451 /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */ 452 user_info_dc->sids = talloc_realloc(user_info_dc, 453 user_info_dc->sids, 454 struct dom_sid, 455 user_info_dc->num_sids+1); 456 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc); 457 user_info_dc->sids[user_info_dc->num_sids] = *domain_sid; 458 sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], 459 DOMAIN_RID_ENTERPRISE_READONLY_DCS); 460 user_info_dc->num_sids++; 461 } 462 463 info->authenticated = true; 464 465 talloc_free(tmp_ctx); 466 *_user_info_dc = user_info_dc; 514 467 515 468 return NT_STATUS_OK; … … 539 492 540 493 /* pull the user attributes */ 541 ret = gendb_search_single_extended_dn(sam_ctx, tmp_ctx, user_dn,542 LDB_SCOPE_BASE, msg, attrs, "(objectClass=*)");494 ret = dsdb_search_one(sam_ctx, tmp_ctx, msg, user_dn, 495 LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); 543 496 if (ret != LDB_SUCCESS) { 544 497 talloc_free(tmp_ctx); … … 551 504 return NT_STATUS_OK; 552 505 } 506 507 /* Used in the gensec_gssapi and gensec_krb5 server-side code, where the PAC isn't available, and for tokenGroups in the DSDB stack. 508 509 Supply either a principal or a DN 510 */ 511 NTSTATUS authsam_get_user_info_dc_principal(TALLOC_CTX *mem_ctx, 512 struct loadparm_context *lp_ctx, 513 struct ldb_context *sam_ctx, 514 const char *principal, 515 struct ldb_dn *user_dn, 516 struct auth_user_info_dc **user_info_dc) 517 { 518 NTSTATUS nt_status; 519 DATA_BLOB user_sess_key = data_blob(NULL, 0); 520 DATA_BLOB lm_sess_key = data_blob(NULL, 0); 521 522 struct ldb_message *msg; 523 struct ldb_dn *domain_dn; 524 525 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); 526 if (!tmp_ctx) { 527 return NT_STATUS_NO_MEMORY; 528 } 529 530 if (principal) { 531 nt_status = sam_get_results_principal(sam_ctx, tmp_ctx, principal, 532 user_attrs, &domain_dn, &msg); 533 if (!NT_STATUS_IS_OK(nt_status)) { 534 talloc_free(tmp_ctx); 535 return nt_status; 536 } 537 } else if (user_dn) { 538 struct dom_sid *user_sid, *domain_sid; 539 int ret; 540 /* pull the user attributes */ 541 ret = dsdb_search_one(sam_ctx, tmp_ctx, &msg, user_dn, 542 LDB_SCOPE_BASE, user_attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "(objectClass=*)"); 543 if (ret == LDB_ERR_NO_SUCH_OBJECT) { 544 talloc_free(tmp_ctx); 545 return NT_STATUS_NO_SUCH_USER; 546 } else if (ret != LDB_SUCCESS) { 547 talloc_free(tmp_ctx); 548 return NT_STATUS_INTERNAL_DB_CORRUPTION; 549 } 550 551 user_sid = samdb_result_dom_sid(msg, msg, "objectSid"); 552 553 nt_status = dom_sid_split_rid(tmp_ctx, user_sid, &domain_sid, NULL); 554 if (!NT_STATUS_IS_OK(nt_status)) { 555 return nt_status; 556 } 557 558 domain_dn = samdb_search_dn(sam_ctx, mem_ctx, NULL, 559 "(&(objectSid=%s)(objectClass=domain))", 560 ldap_encode_ndr_dom_sid(tmp_ctx, domain_sid)); 561 if (!domain_dn) { 562 DEBUG(3, ("authsam_get_user_info_dc_principal: Failed to find domain with: SID %s\n", 563 dom_sid_string(tmp_ctx, domain_sid))); 564 return NT_STATUS_NO_SUCH_USER; 565 } 566 567 } else { 568 return NT_STATUS_INVALID_PARAMETER; 569 } 570 571 nt_status = authsam_make_user_info_dc(tmp_ctx, sam_ctx, 572 lpcfg_netbios_name(lp_ctx), 573 lpcfg_workgroup(lp_ctx), 574 domain_dn, 575 msg, 576 user_sess_key, lm_sess_key, 577 user_info_dc); 578 if (!NT_STATUS_IS_OK(nt_status)) { 579 talloc_free(tmp_ctx); 580 return nt_status; 581 } 582 583 talloc_steal(mem_ctx, *user_info_dc); 584 talloc_free(tmp_ctx); 585 586 return NT_STATUS_OK; 587 }
Note:
See TracChangeset
for help on using the changeset viewer.
