author | Stefan Metzmacher <metze@samba.org> | 2004-12-23 02:23:42 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:07:36 -0500 |
commit | ae42636167f82fee7fb38338dec605521162b5c2 (patch) | |
tree | 450430977c3e1eefc8104cf3362985eea95363c2 | |
parent | 61b1620fc495d28fce5e585fe92f23cc9f5eb2af (diff) | |
r4338: reuse netlogon structs in the krb5 PAC
that simplifies the code a lot...
also add a note: we should fail the krb5 auth if there's no
PAC present (when heimdal is ready for that:-)
metze
(This used to be commit 532641a7003d23b034a253d166482f18c2de6191)
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 124 | ||||
-rw-r--r-- | source4/librpc/idl/krb5pac.idl | 68 |
2 files changed, 24 insertions, 168 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 88e7cdd2e3..9323580e92 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -223,7 +223,7 @@ static NTSTATUS gensec_krb5_decode_pac(TALLOC_CTX *mem_ctx, return status; } #endif - DEBUG(0,("account_name: %s [%s]\n",logon_info->account_name.string, logon_info->full_name.string)); + DEBUG(0,("account_name: %s [%s]\n",logon_info->info3.base.account_name.string, logon_info->info3.base.full_name.string)); *logon_info_out = logon_info; return status; @@ -609,8 +609,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; struct PAC_LOGON_INFO *logon_info; - struct security_token *ptoken; - struct dom_sid *sid; char *p; char *principal; const char *username; 
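Review bot: The new DEBUG line in gensec_krb5_decode_pac formats `info3.base.account_name.string` and `info3.base.full_name.string` with `%s` without a NULL check, although code removed further down in this commit (`if (logon_info->account_name.string) ... else ...`) treats the PAC account name as optional, and passing a NULL pointer to `%s` is undefined behaviour. Guard both arguments, e.g. `logon_info->info3.base.account_name.string ? logon_info->info3.base.account_name.string : "<none>"`, and the same for full_name. Level 0 also prints unconditionally in Samba's DEBUG, so a per-authentication trace of account names belongs at a higher debug level. The body of gensec_krb5_decode_pac begins before this hunk.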
@@ -633,119 +631,35 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security /* IF we have the PAC - otherwise we need to get this * data from elsewere - local ldb, or (TODO) lookup of some - * kind... */ + * kind... + * + * when heimdal can generate the PAC, we should fail if there's + * no PAC present + */ if (NT_STATUS_IS_OK(nt_status)) { - nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal); + union netr_Validation validation; + validation.sam3 = &logon_info->info3; + nt_status = make_server_info_netlogon_validation(gensec_krb5_state, + username, + &server_info, + 3, + &validation); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } - - server_info->guest = False; - - if (logon_info->account_name.string) { - server_info->account_name - = talloc_reference(server_info, - logon_info->account_name.string); - } else { - server_info->account_name = talloc_strdup(server_info, username); - } - - server_info->domain = talloc_reference(server_info, - logon_info->dom_name.string); - server_info->realm = talloc_strdup(server_info, realm); - server_info->full_name = talloc_reference(server_info, - logon_info->full_name.string); - server_info->logon_script = talloc_reference(server_info, - logon_info->logon_script.string); - server_info->profile_path = talloc_reference(server_info, - logon_info->profile_path.string); - server_info->home_directory = talloc_reference(server_info, - logon_info->home_directory.string); - server_info->home_drive = talloc_reference(server_info, - logon_info->home_drive.string); - - server_info->logon_count = logon_info->logon_count; - /* TODO: bad password count */ - - server_info->acct_flags = logon_info->acct_flags; - - if (!server_info->domain || !server_info->account_name || !server_info->realm) { - free_server_info(&server_info); - return NT_STATUS_NO_MEMORY; - } - - /* references the server_info into the session_info */ - nt_status = 
make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - free_server_info(&server_info); - return nt_status; - } - - talloc_free(server_info); - - ptoken = security_token_initialise(session_info); - if (ptoken == NULL) { - return NT_STATUS_NO_MEMORY; - } - - ptoken->num_sids = 0; - ptoken->sids = talloc_array_p(ptoken, struct dom_sid *, - logon_info->groups_count + 2); - if (!ptoken->sids) { - return NT_STATUS_NO_MEMORY; - } - - - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->user_sid = dom_sid_add_rid(server_info, sid, logon_info->user_rid); - sid = dom_sid_dup(server_info, logon_info->dom_sid); - server_info->primary_group_sid = dom_sid_add_rid(server_info, sid, logon_info->group_rid); - - ptoken->user_sid = server_info->user_sid; - ptoken->group_sid = server_info->primary_group_sid; - ptoken->sids[0] = talloc_reference(ptoken, ptoken->user_sid); - ptoken->num_sids++; - ptoken->sids[1] = talloc_reference(ptoken, ptoken->group_sid); - ptoken->num_sids++; - - for (;ptoken->num_sids < (logon_info->groups_count + 2); - ptoken->num_sids++) { - sid = dom_sid_dup(session_info, logon_info->dom_sid); - ptoken->sids[ptoken->num_sids] - = dom_sid_add_rid(session_info, sid, - logon_info->groups[ptoken->num_sids - 2].rid); - } - - /* setup any privileges for this token */ - nt_status = samdb_privilege_setup(ptoken); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(ptoken); - return nt_status; - } - - debug_security_token(DBGC_AUTH, 0, ptoken); - - session_info->security_token = ptoken; } else { - TALLOC_CTX *mem_ctx = talloc_named(gensec_krb5_state, 0, "PAC-less session info discovery for %s@%s", username, realm); - if (!mem_ctx) { - return NT_STATUS_NO_MEMORY; - } nt_status = sam_get_server_info(username, realm, gensec_krb5_state, &server_info); if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - - /* references the server_info into the session_info */ - nt_status = 
make_session_info(gensec_krb5_state, server_info, &session_info); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); return nt_status; } + } - talloc_free(mem_ctx); + /* references the server_info into the session_info */ + nt_status = make_session_info(gensec_krb5_state, server_info, &session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; } talloc_free(principal); diff --git a/source4/librpc/idl/krb5pac.idl b/source4/librpc/idl/krb5pac.idl index 6efd8526b2..c424f09b78 100644 --- a/source4/librpc/idl/krb5pac.idl +++ b/source4/librpc/idl/krb5pac.idl @@ -8,14 +8,14 @@ uuid("46746756-7567-7567-5677-756756756756"), version(0.0), pointer_default(unique), - depends(security) + depends(security,netlogon) ] interface krb5pac { typedef struct { NTTIME logon_time; [flag(STR_SIZE2|STR_NOTERM|STR_BYTESIZE)] string account_name; - } UNKNOWN_TYPE_10; + } PAC_UNKNOWN_10; typedef [flag(NDR_PAHEX)] struct { uint32 type; 
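Review bot: The rewritten PAC branch drops the `samdb_privilege_setup(ptoken)` call (and the `debug_security_token` trace) that the removed code ran on the token, and nothing in the new branch replaces it; unless `make_session_info()` now performs privilege setup itself, which is not visible in this hunk, PAC-derived sessions end up with a token whose privileges were never set up. The new `make_server_info_netlogon_validation()` call also passes the validation level as a bare literal; writing it as `3, /* validation level 3: netr_SamInfo3 */` ties it to the `validation.sam3` assignment two lines above. Finally, the PAC's `info3.base.account_name` is never compared with `username` parsed from the ticket principal, so the two can silently disagree; a check, or at least a logged mismatch, would be worth adding. gensec_krb5_session_info begins before and ends after this hunk.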
@@ -23,69 +23,11 @@ interface krb5pac } PAC_SIGNATURE_DATA; typedef struct { - uint32 rid; - uint32 attrs; - } GROUP_MEMBERSHIP; - - typedef struct { - dom_sid2 *sid; - uint32 attrs; - } EXTRA_SIDS; - - typedef struct { - [value(strlen_m(r->string)*2)] uint16 size; - [value(r->size)] uint16 length; - unistr_noterm *string; - } pac_String; - - /* This is awfully similar to a samr_user_info_23, but not identical. - Many of the field names have been swiped from there, because it is - so similar that they are likely the same, but many have been verified. - Some are in a different order, though... */ - typedef struct { uint32 unknown[5]; - NTTIME logon_time; /* logon time */ - NTTIME logoff_time; /* logoff time */ - NTTIME kickoff_time; /* kickoff time */ - NTTIME pass_last_set_time; /* password last set time */ - NTTIME pass_can_change_time; /* password can change time */ - NTTIME pass_must_change_time; /* password must change time */ - - pac_String account_name; - pac_String full_name; - pac_String logon_script; - pac_String profile_path; - pac_String home_directory; - pac_String home_drive; - - uint16 logon_count; /* number of times user has logged onto domain */ - uint16 reserved12; - - uint32 user_rid; - uint32 group_rid; - - uint32 groups_count; - [size_is(groups_count)] GROUP_MEMBERSHIP *groups; - - uint32 user_flags; - - uint32 reserved13[4]; - pac_String dom_controller; - pac_String dom_name; - - dom_sid2 *dom_sid; - - uint32 reserved16[2]; - uint32 acct_flags; /* looks like it may be acb_info */ - uint32 reserved18[7]; - - uint32 extra_sids_count; - [size_is(extra_sids_count)] EXTRA_SIDS *extra_sids; - + netr_SamInfo3 info3; dom_sid2 *res_group_dom_sid; - uint32 res_groups_count; - [size_is(res_groups_count)] GROUP_MEMBERSHIP *res_groups; + [size_is(res_groups_count)] netr_GroupMembership *res_groups; } PAC_LOGON_INFO; const uint8 PAC_TYPE_LOGON_INFO = 1; 
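Review bot: Replacing the hand-described fields with `netr_SamInfo3 info3;` also removes the only comment documenting what PAC_LOGON_INFO is, leaving `uint32 unknown[5];` and the res_group fields unexplained; a comment on the struct stating that the PAC logon info carries the netlogon level-3 validation data preceded by five as-yet-unidentified uint32 values and followed by the resource-group domain SID and membership list would restore that. The hunk also reads as `- uint32 res_groups_count;`, which would leave `[size_is(res_groups_count)]` on the next line with no field to reference; from the new-side line count that `-` is most likely a deleted blank line and `res_groups_count` remains as context, but this is worth confirming against the patched file.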
@@ -97,7 +39,7 @@ interface krb5pac [case(PAC_TYPE_LOGON_INFO)] PAC_LOGON_INFO logon_info; [case(PAC_TYPE_SRV_CHECKSUM)] PAC_SIGNATURE_DATA srv_cksum; [case(PAC_TYPE_KDC_CHECKSUM)] PAC_SIGNATURE_DATA kdc_cksum; - [case(PAC_TYPE_UNKNOWN_10)] UNKNOWN_TYPE_10 type_10; + [case(PAC_TYPE_UNKNOWN_10)] PAC_UNKNOWN_10 type_10; } PAC_INFO; typedef struct { |