diff options
author | Andrew Bartlett <abartlet@samba.org> | 2004-11-05 23:26:02 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 13:05:32 -0500 |
commit | ed277bb89ecbd1d9f99f9cfce705903bd3762dfd (patch) | |
tree | fdb8ad2fe524573446d3a47429ad327354019c50 /source4/libcli | |
parent | 0af3429b8582b7edcdc440435d0ccbc78080ddeb (diff) | |
download | samba-ed277bb89ecbd1d9f99f9cfce705903bd3762dfd.tar.gz samba-ed277bb89ecbd1d9f99f9cfce705903bd3762dfd.tar.bz2 samba-ed277bb89ecbd1d9f99f9cfce705903bd3762dfd.zip |
r3565: Move PAC parsing into the session_info generation, and out of the
basic krb5 request path.
The idea is that we should not do the extra work, if we are not going
to use the results.
Andrew Bartlett
(This used to be commit 13a2a9e326c027d76d27ecd08fb9863fe881bf30)
Diffstat (limited to 'source4/libcli')
-rw-r--r-- | source4/libcli/auth/gensec_krb5.c | 57 |
1 files changed, 41 insertions, 16 deletions
diff --git a/source4/libcli/auth/gensec_krb5.c b/source4/libcli/auth/gensec_krb5.c index 0af29d6087..37e96cf9dc 100644 --- a/source4/libcli/auth/gensec_krb5.c +++ b/source4/libcli/auth/gensec_krb5.c @@ -43,7 +43,7 @@ enum GENSEC_KRB5_STATE { struct gensec_krb5_state { DATA_BLOB session_key; - struct PAC_LOGON_INFO *logon_info; + DATA_BLOB pac; enum GENSEC_KRB5_STATE state_position; krb5_context krb5_context; krb5_auth_context krb5_auth_context; @@ -281,6 +281,7 @@ static NTSTATUS gensec_krb5_start(struct gensec_security *gensec_security) ZERO_STRUCT(gensec_krb5_state->ticket); ZERO_STRUCT(gensec_krb5_state->krb5_keyblock); gensec_krb5_state->session_key = data_blob(NULL, 0); + gensec_krb5_state->pac = data_blob(NULL, 0); ret = krb5_init_context(&gensec_krb5_state->krb5_context); if (ret) { @@ -544,12 +545,7 @@ static NTSTATUS gensec_krb5_update(struct gensec_security *gensec_security, TALL } if (pac.data) { - /* decode and verify the pac */ - nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &gensec_krb5_state->logon_info, pac, - gensec_krb5_state); - } else { - /* NULL PAC, we might need to figure this information out the hard way */ - gensec_krb5_state->logon_info = NULL; + gensec_krb5_state->pac = data_blob_talloc_reference(gensec_krb5_state, &pac); } if (NT_STATUS_IS_OK(nt_status)) { @@ -612,7 +608,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security struct gensec_krb5_state *gensec_krb5_state = gensec_security->private_data; struct auth_serversupplied_info *server_info = NULL; struct auth_session_info *session_info = NULL; - struct PAC_LOGON_INFO *logon_info = gensec_krb5_state->logon_info; + struct PAC_LOGON_INFO *logon_info; struct nt_user_token *ptoken; struct dom_sid *sid; char *p; @@ -622,10 +618,6 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security *session_info_out = NULL; - /* IF we have the PAC - otherwise we need to get this - * data from elsewere - local ldb, or (TODO) lookup of some - * kind... */ - principal = talloc_strdup(gensec_krb5_state, gensec_krb5_state->peer_principal); p = strchr(principal, '@'); if (p) { @@ -635,17 +627,50 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security username = principal; realm = p; - if (logon_info) { + /* decode and verify the pac */ + nt_status = gensec_krb5_decode_pac(gensec_krb5_state, &logon_info, gensec_krb5_state->pac, + gensec_krb5_state); + + /* IF we have the PAC - otherwise we need to get this + * data from elsewere - local ldb, or (TODO) lookup of some + * kind... */ + + if (NT_STATUS_IS_OK(nt_status)) { nt_status = make_server_info(gensec_krb5_state, &server_info, gensec_krb5_state->peer_principal); if (!NT_STATUS_IS_OK(nt_status)) { return nt_status; } server_info->guest = False; + + if (logon_info->account_name.string) { + server_info->account_name + = talloc_reference(server_info, + logon_info->account_name.string); + } else { + server_info->account_name = talloc_strdup(server_info, username); + } + + server_info->domain = talloc_reference(server_info, + logon_info->dom_name.string); + server_info->realm = talloc_strdup(server_info, realm); + server_info->full_name = talloc_reference(server_info, + logon_info->full_name.string); + server_info->logon_script = talloc_reference(server_info, + logon_info->logon_script.string); + server_info->profile_path = talloc_reference(server_info, + logon_info->profile_path.string); + server_info->home_directory = talloc_reference(server_info, + logon_info->home_directory.string); + server_info->home_drive = talloc_reference(server_info, + logon_info->home_drive.string); - server_info->account_name = talloc_strdup(server_info, principal); - server_info->domain = talloc_strdup(server_info, realm); - if (!server_info->domain) { + server_info->logon_count = logon_info->logon_count; + /* TODO: bad password count */ + + server_info->acct_flags = logon_info->acct_flags; + + if (!server_info->domain || !server_info->account_name || !server_info->realm) { free_server_info(&server_info); return NT_STATUS_NO_MEMORY; } |