diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2008-08-28 16:28:47 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2008-08-28 16:28:47 +1000 |
| commit | c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 (patch) | |
| tree | 614106b34aaf64c7ba91308d2bf69331dd7338f5 /source4/kdc/pac-glue.c | |
| parent | 0b16d70f3941712ed7889d57ecbc45fe0fa68916 (diff) | |
| download | samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.gz samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.bz2 samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.zip | |
Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the:
- LOCAL-PAC test
- gensec_gssapi server
- KDC (where is was already used, the support code refactored from here)
In addition, the service and KDC checksums are recorded in the struct
auth_serversupplied_info, allowing them to be extracted for validation
across NETLOGON.
Andrew Bartlett
(This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
Diffstat (limited to 'source4/kdc/pac-glue.c')
| -rw-r--r-- | source4/kdc/pac-glue.c | 44 |
1 files changed, 7 insertions, 37 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index bee271eaa9..cbdbb86b1f 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -153,18 +153,12 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context, struct hdb_entry_ex *client, struct hdb_entry_ex *server, krb5_pac *pac) { - NTSTATUS nt_status; - enum ndr_err_code ndr_err; krb5_error_code ret; unsigned int userAccountControl; struct hdb_ldb_private *private = talloc_get_type(server->ctx, struct hdb_ldb_private); - krb5_data k5pac_in; - DATA_BLOB pac_in; - union PAC_INFO info; - union netr_Validation validation; struct auth_serversupplied_info *server_info_out; TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context"); @@ -176,46 +170,22 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context, /* The service account may be set not to want the PAC */ userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0); if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) { + talloc_free(mem_ctx); *pac = NULL; return 0; } - ret = krb5_pac_get_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &k5pac_in); - if (ret != 0) { - return ret; - } + ret = kerberos_pac_to_server_info(mem_ctx, private->iconv_convenience, + *pac, context, &server_info_out); - pac_in = data_blob_talloc(mem_ctx, k5pac_in.data, k5pac_in.length); - krb5_data_free(&k5pac_in); - if (!pac_in.data) { - talloc_free(mem_ctx); - return ENOMEM; - } - - ndr_err = ndr_pull_union_blob(&pac_in, mem_ctx, private->iconv_convenience, &info, - PAC_TYPE_LOGON_INFO, - (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err) || !info.logon_info.info) { - nt_status = ndr_map_error2ntstatus(ndr_err); - DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status))); - talloc_free(mem_ctx); - return EINVAL; - } + /* We will compleatly regenerate this pac */ + krb5_pac_free(context, *pac); - /* Pull this right into the normal auth sysstem structures */ - validation.sam3 = &info.logon_info.info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, - "", - 3, &validation, - &server_info_out); - if (!NT_STATUS_IS_OK(nt_status)) { + if (ret) { talloc_free(mem_ctx); - return ENOMEM; + return ret; } - /* We will compleatly regenerate this pac */ - krb5_pac_free(context, *pac); - ret = make_pac(context, mem_ctx, private->iconv_convenience, server_info_out, pac); talloc_free(mem_ctx); |