summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2006-08-28 23:01:30 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:38:57 -0500
commit8e0a4e7e6f8935b41e6e4ca77ef75f3e766d6eef (patch)
tree8361b7e0265b84de489c491fd56f625b593f7c76 /source3
parent49a08c7c5a099fc9bd45493622c001124f41ce8c (diff)
downloadsamba-8e0a4e7e6f8935b41e6e4ca77ef75f3e766d6eef.tar.gz
samba-8e0a4e7e6f8935b41e6e4ca77ef75f3e766d6eef.tar.bz2
samba-8e0a4e7e6f8935b41e6e4ca77ef75f3e766d6eef.zip
r17897: Store the uid in the memory creds. Don't request the
krb5 refresh creds when doing cached NTLM auth, request the memory creds instead. Jeremy. (This used to be commit 310ac0b226edcfd5bedc2c3305a05993db20c7af)
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_ccache_access.c12
-rw-r--r--source3/nsswitch/winbindd_cred_cache.c24
-rw-r--r--source3/nsswitch/winbindd_nss.h1
-rw-r--r--source3/nsswitch/winbindd_pam.c1
4 files changed, 27 insertions, 11 deletions
diff --git a/source3/nsswitch/winbindd_ccache_access.c b/source3/nsswitch/winbindd_ccache_access.c
index 6aa221448e..13b551b696 100644
--- a/source3/nsswitch/winbindd_ccache_access.c
+++ b/source3/nsswitch/winbindd_ccache_access.c
@@ -29,7 +29,7 @@
#define DBGC_CLASS DBGC_WINBIND
static BOOL client_can_access_ccache_entry(uid_t client_uid,
- struct WINBINDD_CCACHE_ENTRY *entry)
+ struct WINBINDD_MEMORY_CREDS *entry)
{
if (client_uid == entry->uid || client_uid == 0) {
DEBUG(10, ("Access granted to uid %d\n", client_uid));
@@ -190,7 +190,7 @@ enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *doma
struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
- struct WINBINDD_CCACHE_ENTRY *entry;
+ struct WINBINDD_MEMORY_CREDS *entry;
DATA_BLOB initial, challenge, auth;
fstring name_domain, name_user;
uint32 initial_blob_len, challenge_blob_len, extra_len;
@@ -229,15 +229,15 @@ enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *doma
goto process_result;
}
- entry = get_ccache_by_username(state->request.data.ccache_ntlm_auth.user);
- if (entry == NULL || entry->cred_ptr == NULL) {
+ entry = find_memory_creds_by_name(state->request.data.ccache_ntlm_auth.user);
+ if (entry == NULL || entry->nt_hash == NULL || entry->lm_hash == NULL) {
DEBUG(10,("winbindd_dual_ccache_ntlm_auth: could not find "
"credentials for user %s\n",
state->request.data.ccache_ntlm_auth.user));
goto process_result;
}
- DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->ccname));
+ DEBUG(10,("winbindd_dual_ccache_ntlm_auth: found ccache [%s]\n", entry->username));
if (!client_can_access_ccache_entry(state->request.data.ccache_ntlm_auth.uid, entry)) {
goto process_result;
@@ -258,7 +258,7 @@ enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *doma
result = NT_STATUS_NO_MEMORY;
} else {
result = do_ntlm_auth_with_hashes(name_user, name_domain,
- entry->cred_ptr->lm_hash, entry->cred_ptr->nt_hash,
+ entry->lm_hash, entry->nt_hash,
initial, challenge, &auth);
}
diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c
index ceca389825..e107b82a04 100644
--- a/source3/nsswitch/winbindd_cred_cache.c
+++ b/source3/nsswitch/winbindd_cred_cache.c
@@ -35,7 +35,7 @@ static struct WINBINDD_CCACHE_ENTRY *ccache_list;
Find an entry by name.
****************************************************************/
-struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
+static struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
{
struct WINBINDD_CCACHE_ENTRY *entry;
@@ -307,7 +307,7 @@ static struct WINBINDD_MEMORY_CREDS *memory_creds_list;
Find an entry on the list by name.
***********************************************************/
-static struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username)
+struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username)
{
struct WINBINDD_MEMORY_CREDS *p;
@@ -411,7 +411,7 @@ static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CR
Store credentials in memory in a list.
*************************************************************/
-static NTSTATUS winbindd_add_memory_creds_internal(const char *username, const char *pass, BOOL store_pass)
+static NTSTATUS winbindd_add_memory_creds_internal(const char *username, uid_t uid, const char *pass, BOOL store_pass)
{
/* Shortcut to ensure we don't store if no mlock. */
#if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK)
@@ -420,8 +420,20 @@ static NTSTATUS winbindd_add_memory_creds_internal(const char *username, const c
NTSTATUS status;
struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username);
+ if (uid == (uid_t)-1) {
+ DEBUG(0,("winbindd_add_memory_creds_internal: invalid uid for user %s.\n",
+ username ));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
if (memcredp) {
/* Already exists. Increment the reference count and replace stored creds. */
+ if (uid != memcredp->uid) {
+ DEBUG(0,("winbindd_add_memory_creds_internal: uid %u for user %s doesn't "
+ "match stored uid %u. Replacing.\n",
+ (unsigned int)uid, username, (unsigned int)memcredp->uid ));
+ memcredp->uid = uid;
+ }
memcredp->ref_count++;
DEBUG(10,("winbindd_add_memory_creds_internal: ref count for user %s is now %d\n",
username, memcredp->ref_count ));
@@ -440,9 +452,11 @@ static NTSTATUS winbindd_add_memory_creds_internal(const char *username, const c
status = store_memory_creds(memcredp, pass, store_pass);
if (!NT_STATUS_IS_OK(status)) {
+ talloc_destroy(memcredp);
return status;
}
+ memcredp->uid = uid;
memcredp->ref_count = 1;
DLIST_ADD(memory_creds_list, memcredp);
@@ -460,7 +474,7 @@ static NTSTATUS winbindd_add_memory_creds_internal(const char *username, const c
and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY.
*************************************************************/
-NTSTATUS winbindd_add_memory_creds(const char *username, const char *pass)
+NTSTATUS winbindd_add_memory_creds(const char *username, uid_t uid, const char *pass)
{
struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
BOOL store_pass = False;
@@ -470,7 +484,7 @@ NTSTATUS winbindd_add_memory_creds(const char *username, const char *pass)
store_pass = True;
}
- status = winbindd_add_memory_creds_internal(username, pass, store_pass);
+ status = winbindd_add_memory_creds_internal(username, uid, pass, store_pass);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 88fe671114..bab200ce04 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -459,6 +459,7 @@ struct winbindd_response {
struct WINBINDD_MEMORY_CREDS {
struct WINBINDD_MEMORY_CREDS *next, *prev;
const char *username; /* lookup key. */
+ uid_t uid;
int ref_count;
size_t len;
unsigned char *nt_hash; /* Base pointer for the following 2 */
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index f87749abed..dbd52092ef 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1271,6 +1271,7 @@ process_result:
/* Store in-memory creds for single-signon using ntlm_auth. */
result = winbindd_add_memory_creds(state->request.data.auth.user,
+ get_uid_from_state(state),
state->request.data.auth.pass);
if (!NT_STATUS_IS_OK(result)) {