-rw-r--r-- | source3/Makefile.in | 1 | ||||
-rw-r--r-- | source3/winbindd/winbindd.c | 3 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 71 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam_auth_crap.c | 122 | ||||
-rw-r--r-- | source3/winbindd/winbindd_proto.h | 9 |
5 files changed, 133 insertions, 73 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index a15ec2d0f6..e807e825bf 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -1238,6 +1238,7 @@ WINBINDD_OBJ1 = \
 winbindd/winbindd_remove_mapping.o \
 winbindd/winbindd_set_hwm.o \
 winbindd/winbindd_pam_auth.o \
+ winbindd/winbindd_pam_auth_crap.o \
 auth/token_util.o \
 auth/check_samsec.o \
 auth/server_info.o \
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c
index d9335d08d5..8b1dee2a0e 100644
--- a/source3/winbindd/winbindd.c
+++ b/source3/winbindd/winbindd.c
@@ -444,7 +444,6 @@ static struct winbindd_dispatch_table {
 /* PAM auth functions */
- { WINBINDD_PAM_AUTH_CRAP, winbindd_pam_auth_crap, "AUTH_CRAP" },
 { WINBINDD_PAM_CHAUTHTOK, winbindd_pam_chauthtok, "CHAUTHTOK" },
 { WINBINDD_PAM_LOGOFF, winbindd_pam_logoff, "PAM_LOGOFF" },
 { WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP, winbindd_pam_chng_pswd_auth_crap, "CHNG_PSWD_AUTH_CRAP" },
@@ -570,6 +569,8 @@ static struct winbindd_async_dispatch_table async_priv_table[] = {
 winbindd_set_hwm_send, winbindd_set_hwm_recv },
 { WINBINDD_CHANGE_MACHACC, "CHANGE_MACHACC",
 winbindd_change_machine_acct_send, winbindd_change_machine_acct_recv },
+ { WINBINDD_PAM_AUTH_CRAP, "PAM_AUTH_CRAP",
+ winbindd_pam_auth_crap_send, winbindd_pam_auth_crap_recv },
 { 0, NULL, NULL, NULL }
 };
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 2e1bc204e6..140fa3c506 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
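Review bot: Registering WINBINDD_PAM_AUTH_CRAP in `async_priv_table` makes table placement the only thing that keeps this command restricted to privileged clients, because the explicit `state->privileged` check is deleted from winbindd_pam.c in the same commit. The dispatcher that walks this table is outside the hunk, so it should be confirmed that it rejects non-privileged clients before `winbindd_pam_auth_crap_send` is called. I would add a comment above the new entry, `/* privileged pipe only: the _send function has no access check of its own */`, so the entry is not later moved to a non-privileged table by accident. The removed code also filled `error_string` with a hint about the permissions on the privileged pipe directory; unless the dispatcher produces an equivalent message, that diagnostic is lost.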
@@ -1694,77 +1694,6 @@ done:
 return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
-
-/**********************************************************************
- Challenge Response Authentication Protocol
-**********************************************************************/
-
-void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
-{
- struct winbindd_domain *domain = NULL;
- const char *domain_name = NULL;
- NTSTATUS result;
-
- if (!check_request_flags(state->request->flags)) {
- result = NT_STATUS_INVALID_PARAMETER_MIX;
- goto done;
- }
-
- if (!state->privileged) {
- DEBUG(2, ("winbindd_pam_auth_crap: non-privileged access "
- "denied. !\n"));
- DEBUGADD(2, ("winbindd_pam_auth_crap: Ensure permissions "
- "on %s are set correctly.\n",
- get_winbind_priv_pipe_dir()));
- /* send a better message than ACCESS_DENIED */
- fstr_sprintf(state->response->data.auth.error_string,
- "winbind client not authorized to use "
- "winbindd_pam_auth_crap. Ensure permissions on "
- "%s are set correctly.",
- get_winbind_priv_pipe_dir());
- result = NT_STATUS_ACCESS_DENIED;
- goto done;
- }
-
- /* Ensure null termination */
- state->request->data.auth_crap.user
- [sizeof(state->request->data.auth_crap.user)-1]=0;
- state->request->data.auth_crap.domain
- [sizeof(state->request->data.auth_crap.domain)-1]=0;
-
- DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
- (unsigned long)state->pid,
- state->request->data.auth_crap.domain,
- state->request->data.auth_crap.user));
-
- if (*state->request->data.auth_crap.domain != '\0') {
- domain_name = state->request->data.auth_crap.domain;
- } else if (lp_winbind_use_default_domain()) {
- domain_name = lp_workgroup();
- }
-
- if (domain_name != NULL)
- domain = find_auth_domain(state->request->flags, domain_name);
-
- if (domain != NULL) {
- sendto_domain(state, domain);
- return;
- }
-
- result = NT_STATUS_NO_SUCH_USER;
-
- done:
- set_auth_errors(state->response, result);
- DEBUG(5, ("CRAP authentication for %s\\%s returned %s (PAM: %d)\n",
- state->request->data.auth_crap.domain,
- state->request->data.auth_crap.user,
- state->response->data.auth.nt_status_string,
- state->response->data.auth.pam_error));
- request_error(state);
- return;
-}
-
-
 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 struct winbindd_cli_state *state)
 {
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
new file mode 100644
index 0000000000..dc2dc3e265
--- /dev/null
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -0,0 +1,122 @@
+/*
+ Unix SMB/CIFS implementation.
+ async implementation of WINBINDD_PAM_AUTH_CRAP
+ Copyright (C) Volker Lendecke 2010
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "winbindd.h"
+
+struct winbindd_pam_auth_crap_state {
+ struct winbindd_response *response;
+};
+
+static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
+
+struct tevent_req *winbindd_pam_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request)
+{
+ struct tevent_req *req, *subreq;
+ struct winbindd_pam_auth_crap_state *state;
+ struct winbindd_domain *domain;
+ const char *domain_name;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_auth_crap_state);
+ if (req == NULL) {
+ return NULL;
+ }
+
+ /* Ensure null termination */
+ request->data.auth_crap.user[
+ sizeof(request->data.auth_crap.user)-1] = '\0';
+ request->data.auth_crap.domain[
+ sizeof(request->data.auth_crap.domain)-1] = '\0';
+
+ DEBUG(3, ("[%5lu]: pam auth crap domain: [%s] user: %s\n",
+ (unsigned long)cli->pid,
+ request->data.auth_crap.domain,
+ request->data.auth_crap.user));
+
+ if (!check_request_flags(request->flags)) {
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER_MIX);
+ return tevent_req_post(req, ev);
+ }
+
+ domain_name = NULL;
+
+ if (request->data.auth_crap.domain[0] != '\0') {
+ domain_name = request->data.auth_crap.domain;
+ } else if (lp_winbind_use_default_domain()) {
+ domain_name = lp_workgroup();
+ }
+
+ domain = NULL;
+
+ if (domain_name != NULL) {
+ domain = find_auth_domain(request->flags, domain_name);
+ }
+
+ if (domain == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER);
+ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_domain_request_send(state, winbind_event_context(), domain,
+ request);
+ if (tevent_req_nomem(subreq, req)) {
+ return tevent_req_post(req, ev);
+ }
+ tevent_req_set_callback(subreq, winbindd_pam_auth_crap_done, req);
+ return req;
+}
+
+static void winbindd_pam_auth_crap_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct winbindd_pam_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_crap_state);
+ int res, err;
+
+ res = wb_domain_request_recv(subreq, state, &state->response, &err);
+ TALLOC_FREE(subreq);
+ if (res == -1) {
+ tevent_req_nterror(req, map_nt_error_from_unix(err));
+ return;
+ }
+ tevent_req_done(req);
+}
+
+NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
+ struct winbindd_response *response)
+{
+ struct winbindd_pam_auth_crap_state *state = tevent_req_data(
+ req, struct winbindd_pam_auth_crap_state);
+ NTSTATUS status;
+
+ if (tevent_req_is_nterror(req, &status)) {
+ set_auth_errors(response, status);
+ return status;
+ }
+ *response = *state->response;
+ response->result = WINBINDD_PENDING;
+ state->response = talloc_move(response, &state->response);
+ return NT_STATUS(response->data.auth.nt_status);
+}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 4daf0857f2..4e88d88404 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
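Review bot: `winbindd_pam_auth_crap_send` forwards the client-supplied request to the domain child after NUL-terminating only `auth_crap.user` and `auth_crap.domain`; the remaining client-controlled fields of the request (for example `workstation` and the `lm_resp_len` / `nt_resp_len` length fields) reach `wb_domain_request_send` unchecked. They may be validated in `winbindd_dual_pam_auth_crap`, whose body is outside this diff, but either a bounds check here before forwarding or a comment such as `/* remaining auth_crap fields are validated in winbindd_dual_pam_auth_crap() */` would make the trust boundary explicit. Separately, the sub-request is started on `winbind_event_context()` while the early-error paths post on the `ev` argument; calling `wb_domain_request_send(state, ev, domain, request)` keeps the whole request on the caller's event context.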
@@ -384,7 +384,6 @@ struct winbindd_domain *find_auth_domain(uint8_t flags,
 const char *domain_name);
 enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 struct winbindd_cli_state *state) ;
-void winbindd_pam_auth_crap(struct winbindd_cli_state *state);
 enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 struct winbindd_cli_state *state) ;
 void winbindd_pam_chauthtok(struct winbindd_cli_state *state);
@@ -858,4 +857,12 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
 NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
 struct winbindd_response *response);
+struct tevent_req *winbindd_pam_auth_crap_send(
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ struct winbindd_cli_state *cli,
+ struct winbindd_request *request);
+NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
+ struct winbindd_response *response);
+
 #endif /* _WINBINDD_PROTO_H_ */ |