Changeset 988 for vendor/current/auth

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

Location:

vendor/current/auth

Files:

• auth_sam_reply.c (modified) (10 diffs)
• auth_sam_reply.h (modified) (3 diffs)
• common_auth.h (modified) (3 diffs)
• credentials (added)
• credentials/credentials.c (added)
• credentials/credentials.h (added)
• credentials/credentials_internal.h (added)
• credentials/credentials_krb5.c (added)
• credentials/credentials_krb5.h (added)
• credentials/credentials_ntlm.c (added)
• credentials/credentials_secrets.c (added)
• credentials/pycredentials.c (added)
• credentials/pycredentials.h (added)
• credentials/samba-credentials.pc.in (added)
• credentials/tests (added)
• credentials/tests/bind.py (added)
• credentials/tests/simple.c (added)
• credentials/wscript_build (added)
• gensec (added)
• gensec/external.c (added)
• gensec/gensec.c (added)
• gensec/gensec.h (added)
• gensec/gensec_internal.h (added)
• gensec/gensec_start.c (added)
• gensec/gensec_util.c (added)
• gensec/ncalrpc.c (added)
• gensec/schannel.c (added)
• gensec/spnego.c (added)
• gensec/wscript_build (added)
• kerberos (added)
• kerberos/gssapi_helper.c (added)
• kerberos/gssapi_helper.h (added)
• kerberos/gssapi_pac.c (added)
• kerberos/kerberos_pac.c (added)
• kerberos/pac_utils.h (added)
• kerberos/wscript_build (added)
• ntlmssp (added)
• ntlmssp/gensec_ntlmssp.c (added)
• ntlmssp/gensec_ntlmssp_server.c (added)
• ntlmssp/ntlmssp.c (added)
• ntlmssp/ntlmssp.h (added)
• ntlmssp/ntlmssp_client.c (added)
• ntlmssp/ntlmssp_ndr.c (added)
• ntlmssp/ntlmssp_ndr.h (added)
• ntlmssp/ntlmssp_private.h (added)
• ntlmssp/ntlmssp_server.c (added)
• ntlmssp/ntlmssp_sign.c (added)
• ntlmssp/ntlmssp_util.c (added)
• ntlmssp/wscript_build (added)
• wbc_auth_util.c (added)
• wscript_build (modified) (1 diff)

vendor/current/auth/auth_sam_reply.c

@@ -4 +4 @@
    Convert a server info struct into the form for PAC and NETLOGON replies
 
-   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2004-2011
    Copyright (C) Stefan Metzmacher <metze@samba.org>  2005
 
@@ -60 +60 @@
         info = user_info_dc->info;
 
-        sam->last_logon = info->last_logon;
-        sam->last_logoff =  info->last_logoff;
-        sam->acct_expiry = info->acct_expiry;
+        sam->logon_time = info->last_logon;
+        sam->logoff_time =  info->last_logoff;
+        sam->kickoff_time = info->acct_expiry;
         sam->last_password_change = info->last_password_change;
         sam->allow_password_change = info->allow_password_change;
@@ -103 +103 @@
 
         sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
+        if (!user_info_dc->info->authenticated) {
+                sam->user_flags |= NETLOGON_GUEST;
+        }
         sam->acct_flags = user_info_dc->info->acct_flags;
         sam->logon_server.string = user_info_dc->info->logon_server;
-        sam->domain.string = user_info_dc->info->domain_name;
-
-        ZERO_STRUCT(sam->unknown);
+        sam->logon_domain.string = user_info_dc->info->domain_name;
+        sam->sub_auth_status = 0;
+        sam->last_successful_logon = 0;
+        sam->last_failed_logon = 0;
+        sam->failed_logon_count = 0;
+        sam->reserved = 0;
 
         ZERO_STRUCT(sam->key);
@@ -149 +155 @@
         sam3->sids = talloc_array(sam, struct netr_SidAttr,
                                   user_info_dc->num_sids);
-        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
+        if (sam3->sids == NULL) {
+                TALLOC_FREE(sam3);
+                return NT_STATUS_NO_MEMORY;
+        }
 
         /* We don't put the user and group SIDs in there */
@@ -157 +166 @@
                 }
                 sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &user_info_dc->sids[i]);
-                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
+                if (sam3->sids[sam3->sidcount].sid == NULL) {
+                        TALLOC_FREE(sam3);
+                        return NT_STATUS_NO_MEMORY;
+                }
                 sam3->sids[sam3->sidcount].attributes =
                         SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
@@ -169 +181 @@
         *_sam3 = sam3;
 
+        return NT_STATUS_OK;
+}
+
+/**
+ * Make a user_info struct from the info3 or similar returned by a domain logon.
+ *
+ * The netr_SamInfo3 is also a key structure in the source3 auth subsystem
+ */
+
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+                                    const char *account_name,
+                                    struct netr_SamBaseInfo *base,
+                                    bool authenticated,
+                                    struct auth_user_info **_user_info)
+{
+        struct auth_user_info *info;
+
+        info = talloc_zero(mem_ctx, struct auth_user_info);
+        NT_STATUS_HAVE_NO_MEMORY(info);
+
+        if (base->account_name.string) {
+                info->account_name = talloc_strdup(info, base->account_name.string);
+        } else {
+                info->account_name = talloc_strdup(info, account_name);
+        }
+        NT_STATUS_HAVE_NO_MEMORY(info->account_name);
+
+        if (base->logon_domain.string) {
+                info->domain_name = talloc_strdup(info, base->logon_domain.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->domain_name);
+        }
+
+        if (base->full_name.string) {
+                info->full_name = talloc_strdup(info, base->full_name.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->full_name);
+        }
+        if (base->logon_script.string) {
+                info->logon_script = talloc_strdup(info, base->logon_script.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->logon_script);
+        }
+        if (base->profile_path.string) {
+                info->profile_path = talloc_strdup(info, base->profile_path.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->profile_path);
+        }
+        if (base->home_directory.string) {
+                info->home_directory = talloc_strdup(info, base->home_directory.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->home_directory);
+        }
+        if (base->home_drive.string) {
+                info->home_drive = talloc_strdup(info, base->home_drive.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->home_drive);
+        }
+        if (base->logon_server.string) {
+                info->logon_server = talloc_strdup(info, base->logon_server.string);
+                NT_STATUS_HAVE_NO_MEMORY(info->logon_server);
+        }
+        info->last_logon = base->logon_time;
+        info->last_logoff = base->logoff_time;
+        info->acct_expiry = base->kickoff_time;
+        info->last_password_change = base->last_password_change;
+        info->allow_password_change = base->allow_password_change;
+        info->force_password_change = base->force_password_change;
+        info->logon_count = base->logon_count;
+        info->bad_password_count = base->bad_password_count;
+        info->acct_flags = base->acct_flags;
+
+        /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */
+        info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST)));
+
+        *_user_info = info;
         return NT_STATUS_OK;
 }
@@ -179 +261 @@
                                               uint16_t validation_level,
                                               union netr_Validation *validation,
+                                               bool authenticated,
                                               struct auth_user_info_dc **_user_info_dc)
 {
+        NTSTATUS status;
         struct auth_user_info_dc *user_info_dc;
-        struct auth_user_info *info;
         struct netr_SamBaseInfo *base = NULL;
         uint32_t i;
@@ -285 +368 @@
         }
 
-        user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
-        NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
-
-        if (base->account_name.string) {
-                info->account_name = talloc_reference(info, base->account_name.string);
-        } else {
-                info->account_name = talloc_strdup(info, account_name);
-                NT_STATUS_HAVE_NO_MEMORY(info->account_name);
-        }
-
-        info->domain_name = talloc_reference(info, base->domain.string);
-        info->full_name = talloc_reference(info, base->full_name.string);
-        info->logon_script = talloc_reference(info, base->logon_script.string);
-        info->profile_path = talloc_reference(info, base->profile_path.string);
-        info->home_directory = talloc_reference(info, base->home_directory.string);
-        info->home_drive = talloc_reference(info, base->home_drive.string);
-        info->logon_server = talloc_reference(info, base->logon_server.string);
-        info->last_logon = base->last_logon;
-        info->last_logoff = base->last_logoff;
-        info->acct_expiry = base->acct_expiry;
-        info->last_password_change = base->last_password_change;
-        info->allow_password_change = base->allow_password_change;
-        info->force_password_change = base->force_password_change;
-        info->logon_count = base->logon_count;
-        info->bad_password_count = base->bad_password_count;
-        info->acct_flags = base->acct_flags;
-
-        info->authenticated = true;
+        status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, authenticated, &user_info_dc->info);
+        if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
 
         /* ensure we are never given NULL session keys */
@@ -348 +407 @@
         validation.sam3 = &pac_logon_info->info3;
 
-        nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation, &user_info_dc);
+        nt_status = make_user_info_dc_netlogon_validation(mem_ctx, "", 3, &validation,
+                                                          true, /* This user was authenticated */
+                                                          &user_info_dc);
         if (!NT_STATUS_IS_OK(nt_status)) {
                 return nt_status;
@@ -375 +436 @@
                 user_info_dc->sids
                         = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
-                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
+                if (user_info_dc->sids == NULL) {
+                        TALLOC_FREE(user_info_dc);
+                        return NT_STATUS_NO_MEMORY;
+                }
 
                 for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {

vendor/current/auth/auth_sam_reply.h

@@ -33 +33 @@
 /* The following definitions come from auth/auth_sam_reply.c  */
 
+NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
+                                    const char *account_name,
+                                    struct netr_SamBaseInfo *base,
+                                    bool authenticated,
+                                    struct auth_user_info **_user_info);
+
 NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
                                               struct auth_user_info_dc *user_info_dc,
@@ -47 +53 @@
                                               uint16_t validation_level,
                                               union netr_Validation *validation,
+                                               bool authenticated,
                                               struct auth_user_info_dc **_user_info_dc);
 
@@ -55 +62 @@
                               struct PAC_LOGON_INFO *pac_logon_info,
                               struct auth_user_info_dc **_user_info_dc);
+
+/* The following definitions come from auth/wbc_auth_util.c  */
+
+struct wbcAuthUserInfo;
+
+struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+                                                       const struct wbcAuthUserInfo *info);
+
 #undef _PRINTF_ATTRIBUTE
 #define _PRINTF_ATTRIBUTE(a1, a2)

vendor/current/auth/common_auth.h

@@ -18 +18 @@
 */
 
+#ifndef AUTH_COMMON_AUTH_H
+#define AUTH_COMMON_AUTH_H
+
+#include "librpc/gen_ndr/auth.h"
+
 #define USER_INFO_CASE_INSENSITIVE_USERNAME 0x01 /* username may be in any case */
 #define USER_INFO_CASE_INSENSITIVE_PASSWORD 0x02 /* password may be in any case */
 #define USER_INFO_DONT_CHECK_UNIX_ACCOUNT   0x04 /* don't check unix account status */
-#define USER_INFO_INTERACTIVE_LOGON         0x08 /* don't check unix account status */
+#define USER_INFO_INTERACTIVE_LOGON         0x08 /* Interactive logon */
+#define USER_INFO_LOCAL_SAM_ONLY            0x10 /* Only authenticate against the local SAM, do not map missing passwords to NO_SUCH_USER */
+#define USER_INFO_INFO3_AND_NO_AUTHZ        0x20 /* Only fill in server_info->info3 and do not do any authorization steps */
 
 enum auth_password_state {
@@ -28 +35 @@
         AUTH_PASSWORD_RESPONSE = 3
 };
+
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS     0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED      0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES  0x04 /* Use a trivial map between users and privilages, rather than a DB */
+#define AUTH_SESSION_INFO_UNIX_TOKEN         0x08 /* The returned token must have the unix_token and unix_info elements provided */
 
 struct auth_usersupplied_info
@@ -60 +72 @@
         uint32_t flags;
 };
+
+struct auth_method_context;
+struct tevent_context;
+struct imessaging_context;
+struct loadparm_context;
+struct ldb_context;
+struct smb_krb5_context;
+
+#define AUTH_METHOD_LOCAL_SAM 0x01
+
+struct auth4_context {
+        struct {
+                /* Who set this up in the first place? */
+                const char *set_by;
+
+                DATA_BLOB data;
+        } challenge;
+
+        /* methods, in the order they should be called */
+        struct auth_method_context *methods;
+
+        /* the event context to use for calls that can block */
+        struct tevent_context *event_ctx;
+
+        /* the messaging context which can be used by backends */
+        struct imessaging_context *msg_ctx;
+
+        /* loadparm context */
+        struct loadparm_context *lp_ctx;
+
+        /* SAM database for this local machine - to fill in local groups, or to authenticate local NTLM users */
+        struct ldb_context *sam_ctx;
+
+        /* Private data for the callbacks on this auth context */
+        void *private_data;
+
+        NTSTATUS (*check_ntlm_password)(struct auth4_context *auth_ctx,
+                                        TALLOC_CTX *mem_ctx,
+                                        const struct auth_usersupplied_info *user_info,
+                                        void **server_returned_info,
+                                        DATA_BLOB *nt_session_key, DATA_BLOB *lm_session_key);
+
+        NTSTATUS (*get_ntlm_challenge)(struct auth4_context *auth_ctx, uint8_t chal[8]);
+
+        NTSTATUS (*set_ntlm_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by);
+
+        NTSTATUS (*generate_session_info)(struct auth4_context *auth_context,
+                                          TALLOC_CTX *mem_ctx,
+                                          void *server_returned_info,
+                                          const char *original_user_name,
+                                          uint32_t session_info_flags,
+                                          struct auth_session_info **session_info);
+
+        NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx,
+                                              TALLOC_CTX *mem_ctx,
+                                              struct smb_krb5_context *smb_krb5_context,
+                                              DATA_BLOB *pac_blob,
+                                              const char *principal_name,
+                                              const struct tsocket_address *remote_address,
+                                              uint32_t session_info_flags,
+                                              struct auth_session_info **session_info);
+};
+
+#endif

vendor/current/auth/wscript_build

@@ -1 +1 @@
 #!/usr/bin/env python
 
-bld.SAMBA_SUBSYSTEM('auth_sam_reply',
-        source='auth_sam_reply.c',
-        deps='talloc',
-        autoproto='auth_sam_reply.h'
-        )
+bld.SAMBA_LIBRARY('auth_sam_reply',
+                  source='auth_sam_reply.c wbc_auth_util.c',
+                  deps='talloc samba-security samba-util',
+                  private_library=True
+                  )
+
+bld.RECURSE('gensec')
+bld.RECURSE('ntlmssp')
+bld.RECURSE('credentials')