summaryrefslogtreecommitdiff
path: root/source4/kdc/pac-glue.c
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2008-08-28 16:28:47 +1000
committerAndrew Bartlett <abartlet@samba.org>2008-08-28 16:28:47 +1000
commitc79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1 (patch)
tree614106b34aaf64c7ba91308d2bf69331dd7338f5 /source4/kdc/pac-glue.c
parent0b16d70f3941712ed7889d57ecbc45fe0fa68916 (diff)
downloadsamba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.gz
samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.tar.bz2
samba-c79dff2e9b7c0c07ae5845ddc3b2c06f7996dfd1.zip
Heimdal provides Kerberos PAC parsing routines. Use them.
This uses Heimdal's PAC parsing code in the: - LOCAL-PAC test - gensec_gssapi server - KDC (where is was already used, the support code refactored from here) In addition, the service and KDC checksums are recorded in the struct auth_serversupplied_info, allowing them to be extracted for validation across NETLOGON. Andrew Bartlett (This used to be commit 418b440a7b8cdb53035045f3981d47b078be6c1e)
Diffstat (limited to 'source4/kdc/pac-glue.c')
-rw-r--r--source4/kdc/pac-glue.c44
1 files changed, 7 insertions, 37 deletions
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index bee271eaa9..cbdbb86b1f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -153,18 +153,12 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
struct hdb_entry_ex *client,
struct hdb_entry_ex *server, krb5_pac *pac)
{
- NTSTATUS nt_status;
- enum ndr_err_code ndr_err;
krb5_error_code ret;
unsigned int userAccountControl;
struct hdb_ldb_private *private = talloc_get_type(server->ctx, struct hdb_ldb_private);
- krb5_data k5pac_in;
- DATA_BLOB pac_in;
- union PAC_INFO info;
- union netr_Validation validation;
struct auth_serversupplied_info *server_info_out;
TALLOC_CTX *mem_ctx = talloc_named(private, 0, "samba_get_pac context");
@@ -176,46 +170,22 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
/* The service account may be set not to want the PAC */
userAccountControl = ldb_msg_find_attr_as_uint(private->msg, "userAccountControl", 0);
if (userAccountControl & UF_NO_AUTH_DATA_REQUIRED) {
+ talloc_free(mem_ctx);
*pac = NULL;
return 0;
}
- ret = krb5_pac_get_buffer(context, *pac, PAC_TYPE_LOGON_INFO, &k5pac_in);
- if (ret != 0) {
- return ret;
- }
+ ret = kerberos_pac_to_server_info(mem_ctx, private->iconv_convenience,
+ *pac, context, &server_info_out);
- pac_in = data_blob_talloc(mem_ctx, k5pac_in.data, k5pac_in.length);
- krb5_data_free(&k5pac_in);
- if (!pac_in.data) {
- talloc_free(mem_ctx);
- return ENOMEM;
- }
-
- ndr_err = ndr_pull_union_blob(&pac_in, mem_ctx, private->iconv_convenience, &info,
- PAC_TYPE_LOGON_INFO,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err) || !info.logon_info.info) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DEBUG(0,("can't parse the PAC LOGON_INFO: %s\n", nt_errstr(nt_status)));
- talloc_free(mem_ctx);
- return EINVAL;
- }
+ /* We will compleatly regenerate this pac */
+ krb5_pac_free(context, *pac);
- /* Pull this right into the normal auth sysstem structures */
- validation.sam3 = &info.logon_info.info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
- "",
- 3, &validation,
- &server_info_out);
- if (!NT_STATUS_IS_OK(nt_status)) {
+ if (ret) {
talloc_free(mem_ctx);
- return ENOMEM;
+ return ret;
}
- /* We will compleatly regenerate this pac */
- krb5_pac_free(context, *pac);
-
ret = make_pac(context, mem_ctx, private->iconv_convenience, server_info_out, pac);
talloc_free(mem_ctx);