s3-auth use create_local_token() to transform server_info -> session_info

Before a auth_serversupplied_info struct can be used for
authorization, the local groups and privileges must be calculated.
create_local_token() now copies the server_info, and then sets the
calulated token and unix groups.

Soon, it will also transform the result into an expanded struct
auth_session_info.  Until then, the variable name (server_info vs
session_info provides a clue to the developer about what information
has been entered in the structure).

By moving the calls to create_local_token within the codebase, we
remove duplication, and ensure that the session key (where modified)
is consistently copied into the new structure.

Andrew Bartlett

4 files changed, 152 insertions, 116 deletions

diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index ae29c30570..99f4564cdf 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -31,23 +31,16 @@ NTSTATUS auth_ntlmssp_steal_session_info(TALLOC_CTX *mem_ctx,
 					struct auth_ntlmssp_state *auth_ntlmssp_state,
 					struct auth_serversupplied_info **session_info)
 {
-	/* Free the current server_info user_session_key and reset it from the
-	 * current ntlmssp_state session_key */
-	data_blob_free(&auth_ntlmssp_state->server_info->user_session_key);
-	/* Set up the final session key for the connection */
-	auth_ntlmssp_state->server_info->user_session_key =
-		data_blob_talloc(
-			auth_ntlmssp_state->server_info,
-			auth_ntlmssp_state->ntlmssp_state->session_key.data,
-			auth_ntlmssp_state->ntlmssp_state->session_key.length);
-	if (auth_ntlmssp_state->ntlmssp_state->session_key.length &&
-	    !auth_ntlmssp_state->server_info->user_session_key.data) {
-		*session_info = NULL;
-		return NT_STATUS_NO_MEMORY;
+	NTSTATUS nt_status = create_local_token(mem_ctx,
+						auth_ntlmssp_state->server_info,
+						&auth_ntlmssp_state->ntlmssp_state->session_key,
+						session_info);
+
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		DEBUG(10, ("create_local_token failed: %s\n",
+			   nt_errstr(nt_status)));
 	}
-	/* Steal session_info away from auth_ntlmssp_state */
-	*session_info = talloc_move(mem_ctx, &auth_ntlmssp_state->server_info);
-	return NT_STATUS_OK;
+	return nt_status;
 }
 
 /**
@@ -156,14 +149,6 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 
 	auth_ntlmssp_state->server_info->nss_token |= username_was_mapped;
 
-	nt_status = create_local_token(auth_ntlmssp_state->server_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		DEBUG(10, ("create_local_token failed: %s\n",
-			nt_errstr(nt_status)));
-		return nt_status;
-	}
-
 	/* Clear out the session keys, and pass them to the caller.
 	 * They will not be used in this form again - instead the
 	 * NTLMSSP code will decide on the final correct session key,
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index c84e3d3508..8666b55b47 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -442,11 +442,46 @@ static NTSTATUS log_nt_token(struct security_token *token)
  * server_info->sids (the info3/sam groups). Find the unix gids.
  */
 
-NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
+NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+			    struct auth_serversupplied_info *server_info,
+			    DATA_BLOB *session_key,
+			    struct auth_serversupplied_info **session_info_out)
 {
 	NTSTATUS status;
 	size_t i;
 	struct dom_sid tmp_sid;
+	struct auth_serversupplied_info *session_info;
+
+	/* Ensure we can't possible take a code path leading to a
+	 * null defref. */
+	if (!server_info) {
+		return NT_STATUS_LOGON_FAILURE;
+	}
+
+	session_info = copy_serverinfo(mem_ctx, server_info);
+
+	if (!session_info) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if (session_key) {
+		data_blob_free(&session_info->user_session_key);
+		session_info->user_session_key = data_blob_talloc(session_info,
+								  session_key->data,
+								  session_key->length);
+		if (!session_info->user_session_key.data && session_key->length) {
+			return NT_STATUS_NO_MEMORY;
+		}
+	}
+
+	if (session_info->security_token) {
+		/* Just copy the token, it has already been finalised
+		 * (nasty hack to support a cached guest session_info,
+		 * and a possible strategy for auth_samba4 to pass in
+		 * a finalised session) */
+		*session_info_out = session_info;
+		return NT_STATUS_OK;
+	}
 
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
@@ -455,21 +490,21 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 	 */
 
 	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-	    (server_info->nss_token)) {
-		status = create_token_from_username(server_info,
-						    server_info->unix_name,
-						    server_info->guest,
-						    &server_info->utok.uid,
-						    &server_info->utok.gid,
-						    &server_info->unix_name,
-						    &server_info->security_token);
+	    (session_info->nss_token)) {
+		status = create_token_from_username(session_info,
+						    session_info->unix_name,
+						    session_info->guest,
+						    &session_info->utok.uid,
+						    &session_info->utok.gid,
+						    &session_info->unix_name,
+						    &session_info->security_token);
 
 	} else {
-		status = create_local_nt_token_from_info3(server_info,
-							  server_info->guest,
-							  server_info->info3,
-							  &server_info->extra,
-							  &server_info->security_token);
+		status = create_local_nt_token_from_info3(session_info,
+							  session_info->guest,
+							  session_info->info3,
+							  &session_info->extra,
+							  &session_info->security_token);
 	}
 
 	if (!NT_STATUS_IS_OK(status)) {
@@ -478,14 +513,14 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 
 	/* Convert the SIDs to gids. */
 
-	server_info->utok.ngroups = 0;
-	server_info->utok.groups = NULL;
+	session_info->utok.ngroups = 0;
+	session_info->utok.groups = NULL;
 
 	/* Start at index 1, where the groups start. */
 
-	for (i=1; i<server_info->security_token->num_sids; i++) {
+	for (i=1; i<session_info->security_token->num_sids; i++) {
 		gid_t gid;
-		struct dom_sid *sid = &server_info->security_token->sids[i];
+		struct dom_sid *sid = &session_info->security_token->sids[i];
 
 		if (!sid_to_gid(sid, &gid)) {
 			DEBUG(10, ("Could not convert SID %s to gid, "
@@ -493,8 +528,8 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 			continue;
 		}
 		if (!add_gid_to_array_unique(server_info, gid,
-					     &server_info->utok.groups,
-					     &server_info->utok.ngroups)) {
+					&session_info->utok.groups,
+					&session_info->utok.ngroups)) {
 			return NT_STATUS_NO_MEMORY;
 		}
 	}
@@ -512,28 +547,33 @@ NTSTATUS create_local_token(struct auth_serversupplied_info *server_info)
 	 * the nt token.
 	 */
 
-	uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
+	uid_to_unix_users_sid(session_info->utok.uid, &tmp_sid);
 
-	add_sid_to_array_unique(server_info->security_token, &tmp_sid,
-				&server_info->security_token->sids,
-				&server_info->security_token->num_sids);
+	add_sid_to_array_unique(session_info->security_token, &tmp_sid,
+				&session_info->security_token->sids,
+				&session_info->security_token->num_sids);
 
-	for ( i=0; i<server_info->utok.ngroups; i++ ) {
-		gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
-		add_sid_to_array_unique(server_info->security_token, &tmp_sid,
-					&server_info->security_token->sids,
-					&server_info->security_token->num_sids);
+	for ( i=0; i<session_info->utok.ngroups; i++ ) {
+		gid_to_unix_groups_sid(session_info->utok.groups[i], &tmp_sid);
+		add_sid_to_array_unique(session_info->security_token, &tmp_sid,
+					&session_info->security_token->sids,
+					&session_info->security_token->num_sids);
 	}
 
-	security_token_debug(DBGC_AUTH, 10, server_info->security_token);
+	security_token_debug(DBGC_AUTH, 10, session_info->security_token);
 	debug_unix_user_token(DBGC_AUTH, 10,
-			      server_info->utok.uid,
-			      server_info->utok.gid,
-			      server_info->utok.ngroups,
-			      server_info->utok.groups);
+			      session_info->utok.uid,
+			      session_info->utok.gid,
+			      session_info->utok.ngroups,
+			      session_info->utok.groups);
 
-	status = log_nt_token(server_info->security_token);
-	return status;
+	status = log_nt_token(session_info->security_token);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*session_info_out = session_info;
+	return NT_STATUS_OK;
 }
 
 /***************************************************************************
@@ -693,10 +733,16 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
  Make (and fill) a user_info struct for a guest login.
  This *must* succeed for smbd to start. If there is no mapping entry for
  the guest gid, then create one.
+
+ The resulting structure is a 'session_info' because
+ create_local_token() has already been called on it.  This is quite
+ nasty, as the auth subsystem isn't expect this, but the behaviour is
+ left as-is for now.
 ***************************************************************************/
 
-static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info)
+static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **session_info)
 {
+	struct auth_serversupplied_info *server_info;
 	static const char zeros[16] = {0};
 	const char *guest_account = lp_guestaccount();
 	const char *domain = global_myname();
@@ -720,29 +766,34 @@ static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **ser
 	status = make_server_info_info3(tmp_ctx,
 					guest_account,
 					domain,
-					server_info,
+					&server_info,
 					&info3);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-	(*server_info)->guest = True;
+	server_info->guest = True;
 
-	status = create_local_token(*server_info);
+	/* This should not be done here (we should produce a server
+	 * info, and later construct a session info from it), but for
+	 * now this does not change the previous behaviours */
+	status = create_local_token(tmp_ctx, server_info, NULL, session_info);
+	TALLOC_FREE(server_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("create_local_token failed: %s\n",
 			   nt_errstr(status)));
 		goto done;
 	}
+	talloc_steal(NULL, *session_info);
 
 	/* annoying, but the Guest really does have a session key, and it is
 	   all zeros! */
-	(*server_info)->user_session_key = data_blob(zeros, sizeof(zeros));
-	(*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
+	(*session_info)->user_session_key = data_blob(zeros, sizeof(zeros));
+	(*session_info)->lm_session_key = data_blob(zeros, sizeof(zeros));
 
-	alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
+	alpha_strcpy(tmp, (*session_info)->info3->base.account_name.string,
 		     ". _-$", sizeof(tmp));
-	(*server_info)->sanitized_username = talloc_strdup(*server_info, tmp);
+	(*session_info)->sanitized_username = talloc_strdup(*session_info, tmp);
 
 	status = NT_STATUS_OK;
 done:
@@ -766,10 +817,10 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_SUCH_USER;
 	}
 
-	status = make_serverinfo_from_username(mem_ctx,
-					     pwd->pw_name,
-					     false,
-					     session_info);
+	status = make_session_info_from_username(mem_ctx,
+						 pwd->pw_name,
+						 false,
+						 session_info);
 	TALLOC_FREE(pwd);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
@@ -790,13 +841,15 @@ static NTSTATUS make_new_session_info_system(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************************
-  Fake a auth_serversupplied_info just from a username
+  Fake a auth_serversupplied_info just from a username (as a
+  session_info structure, with create_local_token() already called on
+  it.
 ****************************************************************************/
 
-NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
-				       const char *username,
-				       bool is_guest,
-				       struct auth_serversupplied_info **presult)
+NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
+					 const char *username,
+					 bool is_guest,
+					 struct auth_serversupplied_info **session_info)
 {
 	struct auth_serversupplied_info *result;
 	struct passwd *pwd;
@@ -818,15 +871,10 @@ NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
 	result->nss_token = true;
 	result->guest = is_guest;
 
-	status = create_local_token(result);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		TALLOC_FREE(result);
-		return status;
-	}
-
-	*presult = talloc_steal(mem_ctx, result);
-	return NT_STATUS_OK;
+	/* Now turn the server_info into a session_info with the full token etc */
+	status = create_local_token(mem_ctx, result, NULL, session_info);
+	talloc_free(result);
+	return status;
 }
 
 
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 3bf325e763..15e79dda0a 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -101,7 +101,10 @@ bool make_user_info_guest(struct auth_usersupplied_info **user_info) ;
 struct samu;
 NTSTATUS make_server_info_sam(struct auth_serversupplied_info **server_info,
 			      struct samu *sampass);
-NTSTATUS create_local_token(struct auth_serversupplied_info *server_info);
+NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
+			    struct auth_serversupplied_info *server_info,
+			    DATA_BLOB *session_key,
+			    struct auth_serversupplied_info **session_info_out);
 NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 				    bool is_guest,
 				    uid_t *uid, gid_t *gid,
@@ -113,10 +116,10 @@ struct passwd;
 NTSTATUS make_server_info_pw(struct auth_serversupplied_info **server_info,
                              char *unix_username,
 			     struct passwd *pwd);
-NTSTATUS make_serverinfo_from_username(TALLOC_CTX *mem_ctx,
-				       const char *username,
-				       bool is_guest,
-				       struct auth_serversupplied_info **presult);
+NTSTATUS make_session_info_from_username(TALLOC_CTX *mem_ctx,
+					 const char *username,
+					 bool is_guest,
+					 struct auth_serversupplied_info **session_info);
 struct auth_serversupplied_info *copy_serverinfo(TALLOC_CTX *mem_ctx,
 						 const struct auth_serversupplied_info *src);
 bool init_guest_info(void);
@@ -258,11 +261,12 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 				     char **ntdomain,
 				     char **username,
 				     struct passwd **_pw);
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-			       bool mapped_to_guest, bool username_was_mapped,
-			       struct auth_serversupplied_info **server_info);
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info);
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 1d87ccab79..db73c6dfc0 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -179,19 +179,21 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-			       bool mapped_to_guest, bool username_was_mapped,
-				struct auth_serversupplied_info **server_info)
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info)
 {
 	NTSTATUS status;
+	struct auth_serversupplied_info *server_info;
 
 	if (mapped_to_guest) {
-		status = make_server_info_guest(mem_ctx, server_info);
+		status = make_server_info_guest(mem_ctx, &server_info);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_guest failed: %s!\n",
 				  nt_errstr(status)));
@@ -204,7 +206,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 
 		status = make_server_info_info3(mem_ctx,
 						ntuser, ntdomain,
-						server_info,
+						&server_info,
 						&logon_info->info3);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
@@ -248,28 +250,24 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 			return status;
                 }
 
-		/* Steal tmp server info into the server_info pointer. */
-		*server_info = talloc_move(mem_ctx, &tmp);
-
 		/* make_server_info_pw does not set the domain. Without this
 		 * we end up with the local netbios name in substitutions for
 		 * %D. */
 
-		if ((*server_info)->info3 != NULL) {
-			(*server_info)->info3->base.domain.string =
-				talloc_strdup((*server_info)->info3, ntdomain);
+		if (server_info->info3 != NULL) {
+			server_info->info3->base.domain.string =
+				talloc_strdup(server_info->info3, ntdomain);
 		}
 	}
 
-	(*server_info)->nss_token |= username_was_mapped;
+	server_info->nss_token |= username_was_mapped;
 
-	if (!mapped_to_guest) {
-		status = create_local_token(*server_info);
-		if (!NT_STATUS_IS_OK(status)) {
-			DEBUG(10,("failed to create local token: %s\n",
-				nt_errstr(status)));
-			return status;
-		}
+	status = create_local_token(mem_ctx, server_info, session_key, session_info);
+	talloc_free(server_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10,("failed to create local token: %s\n",
+			  nt_errstr(status)));
+		return status;
 	}
 
 	return NT_STATUS_OK;
@@ -290,14 +288,15 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntuser,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
 				struct PAC_LOGON_INFO *logon_info,
-				bool mapped_to_guest,
-				struct auth_serversupplied_info **server_info)
+				bool mapped_to_guest, bool username_was_mapped,
+				DATA_BLOB *session_key,
+				struct auth_serversupplied_info **session_info)
 {
 	return NT_STATUS_NOT_IMPLEMENTED;
 }