sync 3.0 branch with head

(This used to be commit 3928578b52cfc949be5e0ef444fce1558d75f290)

1 files changed, 109 insertions, 30 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index e608f826c9..a8b508a49c 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -23,17 +23,41 @@
 */
 
 #include "winbindd.h"
-
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
+
+static NTSTATUS append_info3_as_ndr(TALLOC_CTX *mem_ctx, 
+				    struct winbindd_cli_state *state, 
+				    NET_USER_INFO_3 *info3) 
+{
+	prs_struct ps;
+	uint32 size;
+	if (!prs_init(&ps, 256 /* Random, non-zero number */, mem_ctx, MARSHALL)) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	if (!net_io_user_info3("", info3, &ps, 1, 3)) {
+		prs_mem_free(&ps);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	size = prs_data_size(&ps);
+	state->response.extra_data = memdup(prs_data_p(&ps), size);
+	if (!state->response.extra_data) {
+		prs_mem_free(&ps);
+		return NT_STATUS_NO_MEMORY;
+	}
+	state->response.length += size;
+	prs_mem_free(&ps);
+	return NT_STATUS_OK;
+}
+
 /* Return a password structure from a username.  */
 
 enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state) 
 {
 	NTSTATUS result;
 	fstring name_domain, name_user;
-	int passlen;
 	unsigned char trust_passwd[16];
 	time_t last_change_time;
         uint32 smb_uid_low;
@@ -46,6 +70,12 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 
 	extern pstring global_myname;
 
+	/* Ensure null termination */
+	state->request.data.auth.user[sizeof(state->request.data.auth.user)-1]='\0';
+
+	/* Ensure null termination */
+	state->request.data.auth.pass[sizeof(state->request.data.auth.pass)-1]='\0';
+
 	DEBUG(3, ("[%5d]: pam auth %s\n", state->pid,
 		  state->request.data.auth.user));
 
@@ -64,16 +94,14 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 		goto done;
 	}
 
-	passlen = strlen(state->request.data.auth.pass);
-		
 	{
 		unsigned char local_lm_response[24];
 		unsigned char local_nt_response[24];
 		
 		generate_random_buffer(chal, 8, False);
-		SMBencrypt( (const uchar *)state->request.data.auth.pass, chal, local_lm_response);
+		SMBencrypt(state->request.data.auth.pass, chal, local_lm_response);
 		
-		SMBNTencrypt((const uchar *)state->request.data.auth.pass, chal, local_nt_response);
+		SMBNTencrypt(state->request.data.auth.pass, chal, local_nt_response);
 
 		lm_resp = data_blob_talloc(mem_ctx, local_lm_response, sizeof(local_lm_response));
 		nt_resp = data_blob_talloc(mem_ctx, local_nt_response, sizeof(local_nt_response));
@@ -140,34 +168,67 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
         NET_USER_INFO_3 info3;
         struct cli_state *cli = NULL;
 	TALLOC_CTX *mem_ctx = NULL;
-	const char *domain = NULL;
+	char *user = NULL;
+	char *domain = NULL;
+	char *contact_domain;
+	char *workstation;
 
 	DATA_BLOB lm_resp, nt_resp;
 
 	extern pstring global_myname;
 
-	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
-		  state->request.data.auth_crap.domain, state->request.data.auth_crap.user));
+	/* Ensure null termination */
+	state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]='\0';
+
+	/* Ensure null termination */
+	state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]='\0';
 
-	if (!(mem_ctx = talloc_init_named("winbind pam auth crap for %s", state->request.data.auth.user))) {
+	if (!(mem_ctx = talloc_init_named("winbind pam auth crap for (utf8) %s", state->request.data.auth.user))) {
 		DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
 		result = NT_STATUS_NO_MEMORY;
 		goto done;
 	}
 
+        if (pull_utf8_talloc(mem_ctx, &user, state->request.data.auth_crap.user) < 0) {
+		DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
+	}
+
 	if (*state->request.data.auth_crap.domain) {
-		domain = talloc_strdup(mem_ctx, state->request.data.auth_crap.domain);
+		if (pull_utf8_talloc(mem_ctx, &domain, state->request.data.auth_crap.domain) < 0) {
+			DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
+		}
 	} else if (lp_winbind_use_default_domain()) {
-		domain = talloc_strdup(mem_ctx, lp_workgroup());
+		domain = lp_workgroup();
 	} else {
-		DEBUG(5,("no domain specified with username (%s) - failing auth\n", state->request.data.auth.user));
+		DEBUG(5,("no domain specified with username (%s) - failing auth\n", 
+			 user));
 		result = NT_STATUS_INVALID_PARAMETER;
 		goto done;
 	}
 
-	if (!domain) {
-		DEBUG(0,("winbindd_pam_auth_crap: talloc_strdup failed!\n"));
-		result = NT_STATUS_NO_MEMORY;
+	DEBUG(3, ("[%5d]: pam auth crap domain: %s user: %s\n", state->pid,
+		  domain, user));
+
+	if (lp_allow_trusted_domains() && (state->request.data.auth_crap.flags & WINBIND_PAM_CONTACT_TRUSTDOM)) {
+		contact_domain = domain;
+	} else {
+		contact_domain = lp_workgroup();
+	}
+
+	if (*state->request.data.auth_crap.workstation) {
+		if (pull_utf8_talloc(mem_ctx, &workstation, state->request.data.auth_crap.workstation) < 0) {
+			DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
+		}
+	} else {
+		workstation = global_myname;
+	}
+
+	if (state->request.data.auth_crap.lm_resp_len > sizeof(state->request.data.auth_crap.lm_resp)
+		|| state->request.data.auth_crap.nt_resp_len > sizeof(state->request.data.auth_crap.nt_resp)) {
+		DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n", 
+			  state->request.data.auth_crap.lm_resp_len, 
+			  state->request.data.auth_crap.nt_resp_len));
+		result = NT_STATUS_INVALID_PARAMETER;
 		goto done;
 	}
 
@@ -175,13 +236,15 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	nt_resp = data_blob_talloc(mem_ctx, state->request.data.auth_crap.nt_resp, state->request.data.auth_crap.nt_resp_len);
 	
 	/*
-	 * Get the machine account password for our primary domain
+	 * Get the machine account password for the domain to contact.
+	 * This is either our own domain for a workstation, or possibly
+	 * any domain for a PDC with trusted domains.
 	 */
 
-	if (!secrets_fetch_trust_account_password(
-                lp_workgroup(), trust_passwd, &last_change_time)) {
+	if (!secrets_fetch_trust_account_password (
+                contact_domain, trust_passwd, &last_change_time)) {
 		DEBUG(0, ("winbindd_pam_auth: could not fetch trust account "
-                          "password for domain %s\n", lp_workgroup()));
+                          "password for domain %s\n", contact_domain));
 		result = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 		goto done;
 	}
@@ -189,7 +252,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 	ZERO_STRUCT(info3);
 
 	/* Don't shut this down - it belongs to the connection cache code */
-        result = cm_get_netlogon_cli(lp_workgroup(), trust_passwd, &cli);
+        result = cm_get_netlogon_cli(contact_domain, trust_passwd, &cli);
 
         if (!NT_STATUS_IS_OK(result)) {
                 DEBUG(3, ("could not open handle to NETLOGON pipe (error: %s)\n", nt_errstr(result)));
@@ -197,27 +260,43 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
         }
 
 	result = cli_netlogon_sam_network_logon(cli, mem_ctx,
-						state->request.data.auth_crap.user, domain,
-						global_myname, state->request.data.auth_crap.chal, 
+						user, domain,
+						workstation, state->request.data.auth_crap.chal, 
 						lm_resp, nt_resp, 
 						&info3);
         
 	if (NT_STATUS_IS_OK(result)) {
 		uni_group_cache_store_netlogon(mem_ctx, &info3);
+		if (state->request.data.auth_crap.flags & WINBIND_PAM_INFO3_NDR) {
+			result = append_info3_as_ndr(mem_ctx, state, &info3);
+		}
+
+#if 0
+		/* we don't currently do this stuff right */
+		if (state->request.data.auth_crap.flags & WINBIND_PAM_NTKEY) {
+			SMB_ASSERT(sizeof(state->response.data.auth.nt_session_key) == sizeof(info3.user_sess_key)); 
+			memcpy(state->response.data.auth.nt_session_key, info3.user_sess_key, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
+		}
+		if (state->request.data.auth_crap.flags & WINBIND_PAM_LMKEY) {
+			SMB_ASSERT(sizeof(state->response.data.auth.nt_session_key) <= sizeof(info3.user_sess_key)); 
+			memcpy(state->response.data.auth.first_8_lm_hash, info3.padding, sizeof(state->response.data.auth.nt_session_key) /* 16 */);
+		}
+#endif
 	}
 
 done:
 
 	state->response.data.auth.nt_status = NT_STATUS_V(result);
-	fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
-	fstrcpy(state->response.data.auth.error_string, nt_errstr(result));
+	push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+	push_utf8_fstring(state->response.data.auth.error_string, nt_errstr(result));
 	state->response.data.auth.pam_error = nt_status_to_pam(result);
 
-	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n", 
-	      state->request.data.auth_crap.domain, 
-	      state->request.data.auth_crap.user, 
-	      state->response.data.auth.nt_status_string,
-	      state->response.data.auth.pam_error));	      
+	DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
+	      ("NTLM CRAP authenticaion for user [%s]\\[%s] returned %s (PAM: %d)\n", 
+	       domain,
+	       user,
+	       state->response.data.auth.nt_status_string,
+	       state->response.data.auth.pam_error));	      
 
 	if (mem_ctx) 
 		talloc_destroy(mem_ctx);