r24434: Simplify winbindd_raw_kerberos_login().

Guenther
(This used to be commit 98ffae031ae641fb0ba7f2e972ab731dbe114a5f)

1 files changed, 15 insertions, 115 deletions

diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 354e7f1101..22b08972eb 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -422,13 +422,6 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 #ifdef HAVE_KRB5
 	NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
 	krb5_error_code krb5_ret;
-	DATA_BLOB tkt, session_key_krb5;
-	DATA_BLOB ap_rep, session_key;
-	PAC_DATA *pac_data = NULL;
-	PAC_LOGON_INFO *logon_info = NULL;
-	char *client_princ = NULL;
-	char *client_princ_out = NULL;
-	char *local_service = NULL;
 	const char *cc = NULL;
 	const char *principal_s = NULL;
 	const char *service = NULL;
@@ -441,11 +434,6 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	time_t time_offset = 0;
 	BOOL internal_ccache = True;
 
-	ZERO_STRUCT(session_key);
-	ZERO_STRUCT(session_key_krb5);
-	ZERO_STRUCT(tkt);
-	ZERO_STRUCT(ap_rep);
-
 	ZERO_STRUCTP(info3);
 
 	*info3 = NULL;
@@ -497,114 +485,36 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	/* if this is a user ccache, we need to act as the user to let the krb5
 	 * library handle the chown, etc. */
 
-	/************************ NON-ROOT **********************/
+	/************************ ENTERING NON-ROOT **********************/
 
 	if (!internal_ccache) {
-
 		set_effective_uid(uid);
 		DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
 	}
 
-	krb5_ret = kerberos_kinit_password_ext(principal_s, 
-					       state->request.data.auth.pass, 
-					       time_offset, 
-					       &ticket_lifetime,
-					       &renewal_until,
-					       cc, 
-					       True,
-					       True,
-					       WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
-					       &result);
-
-	if (krb5_ret) {
-		DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", 
-			principal_s, error_message(krb5_ret), krb5_ret));
-		goto failed;
-	}
-
-	/* does http_timestring use heimdals libroken strftime?? - Guenther */
-	DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n", 
-		principal_s, cc, 
-		http_timestring(ticket_lifetime), (int)ticket_lifetime, 
-		http_timestring(renewal_until), (int)renewal_until));
-
-	/* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set,
-	 * in that case fallback to NTLM - gd */ 
-
-	if ((ticket_lifetime == 0) && (renewal_until == 0)) {
-		result = NT_STATUS_INVALID_LOGON_TYPE;
-		goto failed;
-	}
-
-	client_princ = talloc_strdup(state->mem_ctx, global_myname());
-	if (client_princ == NULL) {
-		result = NT_STATUS_NO_MEMORY;
-		goto failed;
-	}
-	strlower_m(client_princ);
-
-	local_service = talloc_asprintf(state->mem_ctx, "%s$@%s", client_princ, lp_realm());
-	if (local_service == NULL) {
-		DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
-		result = NT_STATUS_NO_MEMORY;
-		goto failed;
-	}
-
-	krb5_ret = cli_krb5_get_ticket(local_service, 
-				       time_offset, 
-				       &tkt, 
-				       &session_key_krb5, 
-				       0, 
-				       cc,
-				       NULL);
-	if (krb5_ret) {
-		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", 
-			local_service, error_message(krb5_ret)));
-		result = krb5_to_nt_status(krb5_ret);
-		goto failed;
-	}
-
+	result = kerberos_return_info3_from_pac(state->mem_ctx,
+						principal_s,
+						state->request.data.auth.pass,
+						time_offset,
+						&ticket_lifetime,
+						&renewal_until,
+						cc,
+						True,
+						True,
+						WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+						info3);
 	if (!internal_ccache) {
 		gain_root_privilege();
 	}
 
-	/************************ NON-ROOT **********************/
+	/************************ RETURNED TO ROOT **********************/
 
-	result = ads_verify_ticket(state->mem_ctx, 
-				   lp_realm(), 
-				   time_offset,
-				   &tkt, 
-				   &client_princ_out, 
-				   &pac_data, 
-				   &ap_rep, 
-				   &session_key, False);
 	if (!NT_STATUS_IS_OK(result)) {
-		DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", 
-			nt_errstr(result)));
 		goto failed;
 	}
 
-	if (!pac_data) {
-		DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
-		result = NT_STATUS_INVALID_PARAMETER;
-		goto failed;
-	}
-			
-	logon_info = get_logon_info_from_pac(pac_data);
-	if (logon_info == NULL) {
-		DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
-		result = NT_STATUS_INVALID_PARAMETER;
-		goto failed;
-	}
-
-	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", 
-		local_service));
-
-
-	/* last step: 
-	 * put results together */
-
-	*info3 = &logon_info->info3;
+	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
+		principal_s));
 
 	/* if we had a user's ccache then return that string for the pam
 	 * environment */
@@ -666,16 +576,6 @@ failed:
 	}
 
 done:
-	data_blob_free(&session_key);
-	data_blob_free(&session_key_krb5);
-	data_blob_free(&ap_rep);
-	data_blob_free(&tkt);
-
-	SAFE_FREE(client_princ_out);
-
-	if (!internal_ccache) {
-		gain_root_privilege();
-	}
 
 	return result;
 #else