s3: Add wbinfo --ccache-save

With this command you can give winbind your password for later use by
the automatic ntlm_auth

4 files changed, 82 insertions, 1 deletions

diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
index 1f76c0a143..087db2e6c6 100644
--- a/nsswitch/libwbclient/wbc_pam.c
+++ b/nsswitch/libwbclient/wbc_pam.c
@@ -1119,3 +1119,21 @@ wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
 {
 	return WBC_ERR_NOT_IMPLEMENTED;
 }
+
+/* Authenticate a user with cached credentials */
+wbcErr wbcCredentialSave(const char *user, const char *password)
+{
+	struct winbindd_request request;
+	struct winbindd_response response;
+
+	ZERO_STRUCT(request);
+	ZERO_STRUCT(response);
+
+	strncpy(request.data.ccache_save.user, user,
+		sizeof(request.data.ccache_save.user)-1);
+	strncpy(request.data.ccache_save.pass, password,
+		sizeof(request.data.ccache_save.pass)-1);
+	request.data.ccache_save.uid = getuid();
+
+	return wbcRequestResponse(WINBINDD_CCACHE_SAVE, &request, &response);
+}
diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
index 33a4ace75c..06f0713c86 100644
--- a/nsswitch/libwbclient/wbclient.h
+++ b/nsswitch/libwbclient/wbclient.h
@@ -1164,6 +1164,16 @@ wbcErr wbcCredentialCache(struct wbcCredentialCacheParams *params,
                           struct wbcCredentialCacheInfo **info,
                           struct wbcAuthErrorInfo **error);
 
+/**
+ * @brief Save a password with winbind for doing wbcCredentialCache() later
+ *
+ * @param *user	     Username
+ * @param *password  Password
+ *
+ * @return #wbcErr
+ **/
+wbcErr wbcCredentialSave(const char *user, const char *password);
+
 /**********************************************************
  * Resolve functions
  **********************************************************/
diff --git a/nsswitch/wbinfo.c b/nsswitch/wbinfo.c
index 45d8684bad..a43ce8f4c9 100644
--- a/nsswitch/wbinfo.c
+++ b/nsswitch/wbinfo.c
@@ -1530,6 +1530,43 @@ static bool wbinfo_auth_crap(char *username, bool use_ntlmv2, bool use_lanman)
 	return WBC_ERROR_IS_OK(wbc_status);
 }
 
+/* Save creds with winbind */
+
+static bool wbinfo_ccache_save(char *username)
+{
+	wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
+	char *s = NULL;
+	char *p = NULL;
+	char *password = NULL;
+	char *name = NULL;
+	TALLOC_CTX *frame = talloc_stackframe();
+
+	s = talloc_strdup(frame, username);
+	if (s == NULL) {
+		return false;
+	}
+
+	p = strchr(s, '%');
+	if (p != NULL) {
+		*p = 0;
+		p++;
+		password = talloc_strdup(frame, p);
+	} else {
+		password = wbinfo_prompt_pass(frame, NULL, username);
+	}
+
+	name = s;
+
+	wbc_status = wbcCredentialSave(name, password);
+
+	d_printf("saving creds %s\n",
+		 WBC_ERROR_IS_OK(wbc_status) ? "succeeded" : "failed");
+
+	TALLOC_FREE(frame);
+
+	return WBC_ERROR_IS_OK(wbc_status);
+}
+
 #ifdef WITH_FAKE_KASERVER
 /* Authenticate a user with a plaintext password and set a token */
 
@@ -1736,6 +1773,7 @@ enum {
 	OPT_ONLINESTATUS,
 	OPT_CHANGE_USER_PASSWORD,
 	OPT_PING_DC,
+	OPT_CCACHE_SAVE,
 	OPT_SID_TO_FULLNAME,
 	OPT_NTLMV2,
 	OPT_LANMAN
@@ -1805,6 +1843,9 @@ int main(int argc, char **argv, char **envp)
 		{ "user-sids", 0, POPT_ARG_STRING, &string_arg, OPT_USERSIDS, "Get user group sids for user SID", "SID" },
 		{ "authenticate", 'a', POPT_ARG_STRING, &string_arg, 'a', "authenticate user", "user%password" },
 		{ "set-auth-user", 0, POPT_ARG_STRING, &string_arg, OPT_SET_AUTH_USER, "Store user and password used by winbindd (root only)", "user%password" },
+		{ "ccache-save", 0, POPT_ARG_STRING, &string_arg,
+		  OPT_CCACHE_SAVE, "Store user and password for ccache "
+		  "operation", "user%password" },
 		{ "getdcname", 0, POPT_ARG_STRING, &string_arg, OPT_GETDCNAME,
 		  "Get a DC name for a foreign domain", "domainname" },
 		{ "dsgetdcname", 0, POPT_ARG_STRING, &string_arg, OPT_DSGETDCNAME, "Find a DC for a domain", "domainname" },
@@ -2189,6 +2230,11 @@ int main(int argc, char **argv, char **envp)
 			wbinfo_get_auth_user();
 			goto done;
 			break;
+		case OPT_CCACHE_SAVE:
+			if (!wbinfo_ccache_save(string_arg)) {
+				goto done;
+			}
+			break;
 		case OPT_GETDCNAME:
 			if (!wbinfo_getdcname(string_arg)) {
 				goto done;
diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
index 4d27d5283c..7790155f25 100644
--- a/nsswitch/winbind_struct_protocol.h
+++ b/nsswitch/winbind_struct_protocol.h
@@ -48,8 +48,9 @@ typedef char fstring[FSTRING_LEN];
  * 21: added WINBINDD_GETPWSID
  *     added WINBINDD_GETSIDALIASES
  * 22: added WINBINDD_PING_DC
+ * 23: added WINBINDD_CCACHE_SAVE
  */
-#define WINBIND_INTERFACE_VERSION 22
+#define WINBIND_INTERFACE_VERSION 23
 
 /* Have to deal with time_t being 4 or 8 bytes due to structure alignment.
    On a 64bit Linux box, we have to support a constant structure size
@@ -177,6 +178,7 @@ enum winbindd_cmd {
 	/* Complete the challenge phase of the NTLM authentication
 	   protocol using cached password. */
 	WINBINDD_CCACHE_NTLMAUTH,
+	WINBINDD_CCACHE_SAVE,
 
 	WINBINDD_NUM_CMDS
 };
@@ -335,6 +337,11 @@ struct winbindd_request {
 			uint32_t challenge_blob_len;
 		} ccache_ntlm_auth;
 		struct {
+			uid_t uid;
+			fstring user;
+			fstring pass;
+		} ccache_save;
+		struct {
 			fstring domain_name;
 			fstring domain_guid;
 			fstring site_name;