author | Andrew Bartlett <abartlet@samba.org> | 2004-10-01 03:28:39 +0000 |
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:52:51 -0500 |
commit | f219db7d698438969be95186dad7dc60512b86a9 (patch) | |
tree | ba0614270b626e34608c1ed994aefc4601eeefc6 | |
parent | 90cd0c339c800b7a4529a80442c3c487d99d5250 (diff) | |
r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix the
naming of the require_membership_of parameter in pam_winbind and fix
the error code for 'you didn't specify a domain' in ntlm_auth.
Andrew Bartlett
(This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
-rw-r--r-- | source3/nsswitch/pam_winbind.c | 16 | ||||
-rw-r--r-- | source3/nsswitch/wbinfo.c | 14 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_nss.h | 4 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 54 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 44 |
5 files changed, 49 insertions, 83 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 64e2173822..9a00ac2886 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -45,7 +45,9 @@ static int _pam_parse(int argc, const char **argv)
 ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
 else if (!strcasecmp(*argv, "unknown_ok"))
 ctrl |= WINBIND_UNKNOWN_OK_ARG;
- else if (!strncasecmp(*argv, "required_membership", strlen("required_membership")))
+ else if (!strncasecmp(*argv, "require_membership_of", strlen("require_membership_of")))
+ ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
+ else if (!strncasecmp(*argv, "require-membership-of", strlen("require-membership-of")))
 ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
 else {
 _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
@@ -213,8 +215,8 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
 /* lookup name? */
 if (!strncmp("S-", member, 2) == 0) {
- struct winbindd_request request;
- struct winbindd_response response;
+ struct winbindd_request sid_request;
+ struct winbindd_response sid_response;
 ZERO_STRUCT(request);
 ZERO_STRUCT(response);
@@ -230,11 +232,11 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
 return PAM_AUTH_ERR;
 }
- member = strdup(response.data.sid.sid);
+ member = response.data.sid.sid;
 }
- strncpy(request.data.auth.required_membership_sid, member,
- sizeof(request.data.auth.required_membership_sid)-1);
+ strncpy(request.data.auth.require_membership_of_sid, member,
+ sizeof(request.data.auth.require_membership_of_sid)-1);
 return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
 }
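Review bot: In the @@ -213 hunk the inner structs are renamed to `sid_request`/`sid_response`, but the `ZERO_STRUCT(request);` / `ZERO_STRUCT(response);` lines directly below them, and `member = response.data.sid.sid;` in the @@ -230 hunk, still name the function's outer `request` and `response`, so the new locals are unused and the SID lookup (between the two hunks, outside view) goes through the outer structures. If the outer request already holds the caller's credentials at that point (its setup is outside the hunk), the zeroing discards them before the final `strncpy` and `pam_winbind_request_log` call. Switching the lookup to the new locals is not enough on its own, because dropping the `strdup` leaves `member` pointing into `sid_response`, which goes out of scope at the `}` before the `strncpy`. Either keep the copy inside the block — `strncpy(request.data.auth.require_membership_of_sid, sid_response.data.sid.sid, sizeof(request.data.auth.require_membership_of_sid)-1);` there and skip the later one — or declare `sid_response` at function scope. winbind_auth_request begins before the first of these hunks and its lookup call lies between them.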
@@ -488,7 +490,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
 /* Retrieve membership-string here */
 for ( i=0; i<argc; i++ ) {
- if (!strncmp(argv[i], "required_membership", strlen("required_membership"))) {
+ if (!strncmp(argv[i], "require_membership_of", strlen("require_membership_of"))) {
 char *p;
 char *parm = strdup(argv[i]);
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 2abd9c69a1..69f464f446 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -567,18 +567,10 @@ static BOOL wbinfo_auth_crap(char *username)
 parse_wbinfo_domain_user(username, name_domain, name_user);
- if (push_utf8_fstring(request.data.auth_crap.user, name_user) == -1) {
- d_printf("unable to create utf8 string for '%s'\n",
- name_user);
- return False;
- }
+ fstrcpy(request.data.auth_crap.user, name_user);
- if (push_utf8_fstring(request.data.auth_crap.domain,
- name_domain) == -1) {
- d_printf("unable to create utf8 string for '%s'\n",
- name_domain);
- return False;
- }
+ fstrcpy(request.data.auth_crap.domain,
+ name_domain);
 generate_random_buffer(request.data.auth_crap.chal, 8);
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 6a457f3800..9a99bad9d7 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -181,7 +181,7 @@ struct winbindd_request {
 character is. */
 fstring user;
 fstring pass;
- fstring required_membership_sid;
+ fstring require_membership_of_sid;
 } auth; /* pam_winbind auth module */
 struct {
 unsigned char chal[8];
@@ -192,7 +192,7 @@ struct winbindd_request {
 fstring nt_resp;
 uint16 nt_resp_len;
 fstring workstation;
- fstring required_membership_sid;
+ fstring require_membership_of_sid;
 } auth_crap;
 struct {
 fstring user;
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index e8d15f4703..e13649afe1 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
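Review bot: The option scan in pam_sm_authenticate only matches `require_membership_of` with a case-sensitive `strncmp`, while `_pam_parse` in the same commit accepts both `require_membership_of` and `require-membership-of` case-insensitively, so the hyphenated (or differently capitalised) spelling sets WINBIND_REQUIRED_MEMBERSHIP but never yields a membership string; what winbind_auth_request then does with the flag and no string is outside the hunk. Either drop the hyphenated alternative from `_pam_parse` or make this loop accept the same spellings, e.g. `if (!strncasecmp(argv[i], "require_membership_of", strlen("require_membership_of")) || !strncasecmp(argv[i], "require-membership-of", strlen("require-membership-of"))) {`. pam_sm_authenticate continues outside the hunk.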
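Review bot: Replacing `push_utf8_fstring` with `fstrcpy` in wbinfo_auth_crap (and later in this commit in winbindd_pam.c and ntlm_auth.c) changes what travels on the winbind pipe from UTF-8 to the process's own unix charset, and nothing in `struct winbindd_request` signals which encoding a peer expects, so a client and a winbindd built from different sides of this commit would exchange mis-encoded names wherever they contain non-ASCII characters. The removed code also turned a conversion failure into `return False` with a message, whereas fstrcpy presumably just bounds the copy, so an over-long name is now truncated rather than rejected. A short comment on the `auth_crap` member in winbindd_nss.h stating that all strings in the request are in the unix charset, not UTF-8, would stop readers trusting the older "(utf8)" wording that this commit removes elsewhere. wbinfo_auth_crap continues outside the hunk.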
@@ -59,7 +59,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
 NET_USER_INFO_3 *info3,
 const char *group_sid)
 {
- DOM_SID required_membership_sid;
+ DOM_SID require_membership_of_sid;
 DOM_SID *all_sids;
 size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
 size_t i, j = 0;
@@ -71,7 +71,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
- if (!string_to_sid(&required_membership_sid, group_sid)) {
+ if (!string_to_sid(&require_membership_of_sid, group_sid)) {
 DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", group_sid));
@@ -133,9 +133,9 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
 fstring sid1, sid2;
 DEBUG(10, ("User has SID: %s\n", sid_to_string(sid1, &all_sids[i])));
- if (sid_equal(&required_membership_sid, &all_sids[i])) {
+ if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
 DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
- sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i])));
+ sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
 return NT_STATUS_OK;
 }
 }
@@ -334,10 +334,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 /* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", state->request.data.auth.user,
- state->request.data.auth.required_membership_sid));
+ state->request.data.auth.require_membership_of_sid));
 }
 }
@@ -414,7 +414,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 NET_USER_INFO_3 info3;
 struct cli_state *cli = NULL;
 TALLOC_CTX *mem_ctx = NULL;
- char *name_user = NULL;
+ const char *name_user = NULL;
 const char *name_domain = NULL;
 const char *workstation;
 struct winbindd_domain *contact_domain;
@@ -432,7 +432,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 /* send a better message than ACCESS_DENIED */
 asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.", get_winbind_priv_pipe_dir());
- push_utf8_fstring(state->response.data.auth.error_string, error_string);
+ fstrcpy(state->response.data.auth.error_string, error_string);
 SAFE_FREE(error_string);
 result = NT_STATUS_ACCESS_DENIED;
 goto done;
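Review bot: The new `fstrcpy(state->response.data.auth.error_string, error_string);` in the @@ -432 hunk copies from `error_string` although the `asprintf` on the line above is never checked; when asprintf fails it returns -1 and leaves its output pointer unspecified, so the copy then reads through an indeterminate pointer on the ACCESS_DENIED path. Guarding the copy keeps that path safe: `if (asprintf(&error_string, "...", get_winbind_priv_pipe_dir()) != -1) { fstrcpy(state->response.data.auth.error_string, error_string); SAFE_FREE(error_string); }` with `error_string` initialised to NULL where it is declared (outside the hunk). winbindd_pam_auth_crap continues outside both hunks here.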
@@ -442,26 +442,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
 state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
- if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
+ if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
 result = NT_STATUS_NO_MEMORY;
 goto done;
 }
- if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ name_user = state->request.data.auth_crap.user;
 if (*state->request.data.auth_crap.domain) {
- char *dom = NULL;
- if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- name_domain = dom;
+ name_domain = state->request.data.auth_crap.domain;
 } else if (lp_winbind_use_default_domain()) {
 name_domain = lp_workgroup();
 } else {
@@ -475,13 +465,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 name_domain, name_user));
 if (*state->request.data.auth_crap.workstation) {
- char *wrk = NULL;
- if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- workstation = wrk;
+ workstation = state->request.data.auth_crap.workstation;
 } else {
 workstation = global_myname();
 }
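Review bot: `workstation = state->request.data.auth_crap.workstation;` in the @@ -475 hunk uses the client-supplied field directly as a C string, yet only `user` and `domain` are forcibly NUL-terminated at the top of the @@ -442 hunk and nothing visible does the same for `workstation`, so a request whose workstation fills the whole fstring is read past the field by every later consumer. The request arrives over the winbind pipe from another process, so the daemon should not rely on it being terminated (the removed `pull_utf8_talloc` path presumably had the same exposure, so this is not a regression, but this commit is the natural place to close it). Add `state->request.data.auth_crap.workstation[sizeof(state->request.data.auth_crap.workstation)-1]=0;` next to the two existing terminators. winbindd_pam_auth_crap begins before and continues after these hunks.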
@@ -587,10 +571,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
 wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
 DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", state->request.data.auth_crap.user,
- state->request.data.auth_crap.required_membership_sid));
+ state->request.data.auth_crap.require_membership_of_sid));
 goto done;
 }
@@ -616,8 +600,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 DEBUG(5, ("Setting unix username to [%s]\n", username_out));
- /* this interface is in UTF8 */
- if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+ state->response.extra_data = strdup(username_out);
+ if (!state->response.extra_data) {
 result = NT_STATUS_NO_MEMORY;
 goto done;
 }
@@ -643,11 +627,11 @@ done:
 }
 state->response.data.auth.nt_status = NT_STATUS_V(result);
- push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+ fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
 /* we might have given a more useful error above */
 if (!*state->response.data.auth.error_string)
- push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+ fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
 state->response.data.auth.pam_error = nt_status_to_pam(result);
 DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
@@ -677,7 +661,7 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
 DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid, state->request.data.chauthtok.user));
- if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s",
+ if (!(mem_ctx = talloc_init("winbind password change for %s",
 state->request.data.chauthtok.user))) {
 DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
 result = NT_STATUS_NO_MEMORY;
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 609b480406..ea7db55e2d 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -90,7 +90,7 @@ static int request_lm_key;
 static int request_user_session_key;
 static const char *require_membership_of;
- static const char *require_membership_sid;
+ static const char *require_membership_of_sid;
 static char winbind_separator(void) {
@@ -214,7 +214,7 @@ static BOOL get_require_membership_sid(void) {
 return True;
 }
- if (require_membership_sid) {
+ if (require_membership_of_sid) {
 return True;
 }
@@ -238,9 +238,9 @@ static BOOL get_require_membership_sid(void) {
 return False;
 }
- require_membership_sid = strdup(response.data.sid.sid);
+ require_membership_of_sid = strdup(response.data.sid.sid);
- if (require_membership_sid)
+ if (require_membership_of_sid)
 return True;
 return False;
@@ -265,8 +265,8 @@ static BOOL check_plaintext_auth(const char *user, const char *pass,
 fstrcpy(request.data.auth.user, user);
 fstrcpy(request.data.auth.pass, pass);
- if (require_membership_sid)
- fstrcpy(request.data.auth.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
 result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
@@ -323,27 +323,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 request.flags = flags;
- if (require_membership_sid)
- fstrcpy(request.data.auth_crap.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
- if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for username");
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for domain");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.user, username);
+ fstrcpy(request.data.auth_crap.domain, domain);
- if (push_utf8_fstring(request.data.auth_crap.workstation,
- workstation) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for workstation");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.workstation,
+ workstation);
 memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
@@ -391,7 +378,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 }
 if (flags & WBFLAG_PAM_UNIX_NAME) {
- if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+ *unix_name = strdup((char *)response.extra_data);
+ if (!*unix_name) {
 free_response(&response);
 return NT_STATUS_NO_MEMORY;
 }
@@ -478,7 +466,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_st
 NTSTATUS status;
 if ( (opt_username == NULL) || (opt_domain == NULL) ) {
 DEBUG(1, ("Need username and domain for NTLMSSP\n"));
- return status;
+ return NT_STATUS_INVALID_PARAMETER;
 }
 status = ntlmssp_client_start(client_ntlmssp_state);
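Review bot: `*unix_name = strdup((char *)response.extra_data);` in the @@ -391 hunk assumes winbindd returned extra data; if `response.extra_data` is NULL (a daemon that did not honour WBFLAG_PAM_UNIX_NAME, or one that hit its own allocation failure), `strdup(NULL)` is undefined behaviour rather than a clean error. Check the pointer first: `if (!response.extra_data) { free_response(&response); return NT_STATUS_UNSUCCESSFUL; }`, leaving the existing NO_MEMORY branch for a genuine strdup failure. Related, the three `fstrcpy` calls in the @@ -323 hunk can no longer set `*error_string` or fail, so an over-long username, domain or workstation is presumably truncated silently where the old code returned NT_STATUS_UNSUCCESSFUL with a message. contact_winbind_auth_crap begins before and continues after these hunks.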
@@ -1817,7 +1805,7 @@ enum {
 case OPT_REQUIRE_MEMBERSHIP:
 if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
- require_membership_sid = require_membership_of;
+ require_membership_of_sid = require_membership_of;
 }
 break;
 }