summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-05-04 10:21:39 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:19:54 -0500
commite468268335dd797c540dbd278541340d8c01a7d1 (patch)
treed9bfa50f362041e3734174e27fdfc9fccd486c30
parent116c1532e7e8c398a1b22253a361bd88b729fb0f (diff)
downloadsamba-e468268335dd797c540dbd278541340d8c01a7d1.tar.gz
samba-e468268335dd797c540dbd278541340d8c01a7d1.tar.bz2
samba-e468268335dd797c540dbd278541340d8c01a7d1.zip
r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
winbindd's kerberized pam_auth use that. Guenther (This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)
-rw-r--r--source3/libads/kerberos.c32
-rw-r--r--source3/nsswitch/winbindd_cred_cache.c6
-rw-r--r--source3/nsswitch/winbindd_pam.c4
3 files changed, 35 insertions, 7 deletions
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index dc3d11a60c..c721b56385 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -189,7 +189,8 @@ int kerberos_kinit_password_ext(const char *principal,
const char *cache_name,
BOOL request_pac,
BOOL add_netbios_addr,
- time_t renewable_time)
+ time_t renewable_time,
+ NTSTATUS *ntstatus)
{
krb5_context ctx = NULL;
krb5_error_code code = 0;
@@ -267,6 +268,29 @@ int kerberos_kinit_password_ext(const char *principal,
*renew_till_time = (time_t) my_creds.times.renew_till;
}
out:
+ if (ntstatus) {
+
+ NTSTATUS status;
+
+ /* fast path */
+ if (code == 0) {
+ *ntstatus = NT_STATUS_OK;
+ goto cleanup;
+ }
+
+ /* try to get ntstatus code out of krb5_error when we have it
+ * inside the krb5_get_init_creds_opt - gd */
+
+ if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
+ *ntstatus = status;
+ goto cleanup;
+ }
+
+ /* fall back to self-made-mapping */
+ *ntstatus = krb5_to_nt_status(code);
+ }
+
+ cleanup:
krb5_free_cred_contents(ctx, &my_creds);
if (me) {
krb5_free_principal(ctx, me);
@@ -321,7 +345,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
}
ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
- &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable);
+ &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable,
+ NULL);
if (ret) {
DEBUG(0,("kerberos_kinit_password %s failed: %s\n",
@@ -580,7 +605,8 @@ int kerberos_kinit_password(const char *principal,
cache_name,
False,
False,
- 0);
+ 0,
+ NULL);
}
/************************************************************************
diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c
index 368090c390..2c9572d7f8 100644
--- a/source3/nsswitch/winbindd_cred_cache.c
+++ b/source3/nsswitch/winbindd_cred_cache.c
@@ -111,7 +111,8 @@ static void krb5_ticket_refresh_handler(struct event_context *event_ctx,
entry->ccname,
False, /* no PAC required anymore */
True,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL);
gain_root_privilege();
if (ret) {
@@ -224,7 +225,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx,
entry->ccname,
False, /* no PAC required anymore */
True,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL);
gain_root_privilege();
if (ret) {
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 59bff901ce..97c1ac4b9c 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -564,12 +564,12 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
cc,
True,
True,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ &result);
if (krb5_ret) {
DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n",
principal_s, error_message(krb5_ret), krb5_ret));
- result = krb5_to_nt_status(krb5_ret);
goto failed;
}