-rw-r--r-- | source3/include/proto.h | 17 | ||||
-rw-r--r-- | source3/libads/authdata.c | 122 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 25 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 10 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 6 | ||||
-rw-r--r-- | source3/utils/ntlm_auth.c | 4 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 29 |
7 files changed, 50 insertions, 163 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h index f883cd2b8c..0d0864e8f6 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1732,7 +1732,6 @@ const char *ads_get_ldap_server_name(ADS_STRUCT *ads); /* The following definitions come from libads/authdata.c */ -struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data); NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, const char *name, const char *pass, @@ -1744,19 +1743,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, bool add_netbios_addr, time_t renewable_time, const char *impersonate_princ_s, - struct PAC_DATA **pac_ret); -NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, - const char *name, - const char *pass, - time_t time_offset, - time_t *expire_time, - time_t *renew_till_time, - const char *cache_name, - bool request_pac, - bool add_netbios_addr, - time_t renewable_time, - const char *impersonate_princ_s, - struct netr_SamInfo3 **info3); + struct PAC_LOGON_INFO **logon_info); /* The following definitions come from libads/cldap.c */ bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx, @@ -1850,7 +1837,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, time_t time_offset, const DATA_BLOB *ticket, char **principal, - struct PAC_DATA **pac_data, + struct PAC_LOGON_INFO **logon_info, DATA_BLOB *ap_rep, DATA_BLOB *session_key, bool use_replay_cache); diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index ee2dbde02c..e34220fc2c 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c 
@@ -325,25 +325,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, } /**************************************************************** -****************************************************************/ - -struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data) -{ - int i; - - for (i=0; i < pac_data->num_buffers; i++) { - - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { - continue; - } - - return pac_data->buffers[i].info->logon_info.info; - } - - return NULL; -} - -/**************************************************************** +Given a username, password and other details, return the +PAC_LOGON_INFO (the structure containing the important user +information such as groups). ****************************************************************/ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, @@ -357,12 +341,11 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, bool add_netbios_addr, time_t renewable_time, const char *impersonate_princ_s, - struct PAC_DATA **pac_ret) + struct PAC_LOGON_INFO **logon_info) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; DATA_BLOB tkt, ap_rep, sesskey1, sesskey2; - struct PAC_DATA *pac_data = NULL; char *client_princ_out = NULL; const char *auth_princ = NULL; const char *local_service = NULL; @@ -453,7 +436,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_offset, &tkt, &client_princ_out, - &pac_data, + logon_info, &ap_rep, &sesskey2, False); @@ -463,14 +446,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, goto out; } - if (!pac_data) { + if (!*logon_info) { DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; } - *pac_ret = pac_data; - out: if (cc != cache_name) { ads_kdestroy(cc); 
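Review bot: The `if (!*logon_info)` check in kerberos_return_pac logs "no PAC" and returns NT_STATUS_INVALID_PARAMETER, but with the new ads_verify_ticket contract that NULL also covers a PAC that was present and failed to decode (ads_verify_ticket only logs that at DEBUG(3) and still returns success), so the message and status now conflate "KDC sent no PAC" with "PAC could not be verified". The new header comment should spell that contract out, e.g. add `On success *logon_info is non-NULL and talloc'd under mem_ctx (presumably, since that is the context handed to ads_verify_ticket); if the ticket verifies but no PAC_LOGON_INFO could be obtained — absent or undecodable — NT_STATUS_INVALID_PARAMETER is returned.` The function's name still says "pac" although it now yields only the PAC_LOGON_INFO buffer, which the comment should mention so readers don't look for a PAC_DATA that no longer exists. The body of kerberos_return_pac continues past this hunk.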
@@ -486,95 +467,4 @@ out: return status; } -/**************************************************************** -****************************************************************/ - -static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx, - const char *name, - const char *pass, - time_t time_offset, - time_t *expire_time, - time_t *renew_till_time, - const char *cache_name, - bool request_pac, - bool add_netbios_addr, - time_t renewable_time, - const char *impersonate_princ_s, - struct PAC_LOGON_INFO **logon_info) -{ - NTSTATUS status; - struct PAC_DATA *pac_data = NULL; - struct PAC_LOGON_INFO *info = NULL; - - status = kerberos_return_pac(mem_ctx, - name, - pass, - time_offset, - expire_time, - renew_till_time, - cache_name, - request_pac, - add_netbios_addr, - renewable_time, - impersonate_princ_s, - &pac_data); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - if (!pac_data) { - DEBUG(3,("no pac\n")); - return NT_STATUS_INVALID_USER_BUFFER; - } - - info = get_logon_info_from_pac(pac_data); - if (!info) { - DEBUG(1,("no logon_info\n")); - return NT_STATUS_INVALID_USER_BUFFER; - } - - *logon_info = info; - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx, - const char *name, - const char *pass, - time_t time_offset, - time_t *expire_time, - time_t *renew_till_time, - const char *cache_name, - bool request_pac, - bool add_netbios_addr, - time_t renewable_time, - const char *impersonate_princ_s, - struct netr_SamInfo3 **info3) -{ - NTSTATUS status; - struct PAC_LOGON_INFO *logon_info = NULL; - - status = kerberos_return_pac_logon_info(mem_ctx, - name, - pass, - time_offset, - expire_time, - renew_till_time, - cache_name, - request_pac, - add_netbios_addr, - renewable_time, - impersonate_princ_s, - &logon_info); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - 
*info3 = &logon_info->info3; - - return NT_STATUS_OK; -} #endif diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index bf9bca6311..4d7bb8d20b 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -405,7 +405,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, time_t time_offset, const DATA_BLOB *ticket, char **principal, - struct PAC_DATA **pac_data, + struct PAC_LOGON_INFO **logon_info, DATA_BLOB *ap_rep, DATA_BLOB *session_key, bool use_replay_cache) @@ -433,7 +433,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, ZERO_STRUCT(auth_data); *principal = NULL; - *pac_data = NULL; + *logon_info = NULL; *ap_rep = data_blob_null; *session_key = data_blob_null; @@ -611,12 +611,27 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, } if (got_auth_data) { - pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data); + struct PAC_DATA *pac_data; + pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, &pac_data); + data_blob_free(&auth_data); if (!NT_STATUS_IS_OK(pac_ret)) { DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret))); - *pac_data = NULL; + } else { + uint32_t i; + for (i=0; i < pac_data->num_buffers; i++) { + + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { + continue; + } + + *logon_info = pac_data->buffers[i].info->logon_info.info; + } + + if (!*logon_info) { + DEBUG(1,("correctly decoded PAC but found no logon_info! This should not happen\n")); + return NT_STATUS_INVALID_USER_BUFFER; + } } - data_blob_free(&auth_data); } #if 0 diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index a00a362537..df39aed0ed 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c 
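Review bot: The `return NT_STATUS_INVALID_USER_BUFFER;` added to the no-logon_info branch leaves ads_verify_ticket directly instead of through whatever common exit the rest of the function uses; the body continues past this hunk so the cleanup labels are not visible here, but a direct return at this depth will skip any krb5 context/keyblock teardown done there, and `*ap_rep`/`*session_key` may already have been filled when the caller sees a failure. Route it the way the function's other failures are routed, e.g. `sret = NT_STATUS_INVALID_USER_BUFFER; goto out;` with the status variable and label the function actually uses. Separately, the new loop no longer stops at the first PAC_TYPE_LOGON_INFO buffer as the removed get_logon_info_from_pac did, so a PAC with more than one such buffer now has its last one win; add `break;` after the `*logon_info = ...` assignment to keep the previous selection rather than silently changing which buffer's group data is trusted. Note that a PAC which fails decode_pac_data (presumably including a checksum mismatch) still falls through with `*logon_info == NULL` and the ticket is accepted — pre-existing, but worth a comment at the DEBUG(3) line that callers must treat a NULL logon_info as "no authorization data", not as verified.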
@@ -243,7 +243,6 @@ static void reply_spnego_kerberos(struct smb_request *req, fstring user; int sess_vuid = req->vuid; NTSTATUS ret = NT_STATUS_OK; - struct PAC_DATA *pac_data = NULL; DATA_BLOB ap_rep, ap_rep_wrapped, response; struct auth_serversupplied_info *server_info = NULL; DATA_BLOB session_key = data_blob_null; @@ -276,7 +275,7 @@ static void reply_spnego_kerberos(struct smb_request *req, } ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket, - &client, &pac_data, &ap_rep, + &client, &logon_info, &ap_rep, &session_key, True); data_blob_free(&ticket); @@ -353,11 +352,8 @@ static void reply_spnego_kerberos(struct smb_request *req, /* save the PAC data if we have it */ - if (pac_data) { - logon_info = get_logon_info_from_pac(pac_data); - if (logon_info) { - netsamlogon_cache_store( client, &logon_info->info3 ); - } + if (logon_info) { + netsamlogon_cache_store( client, &logon_info->info3 ); } if (!strequal(p+1, lp_realm())) { diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 53cb9ace02..5989fec3ce 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2379,7 +2379,6 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) { - struct PAC_DATA *pac = NULL; struct PAC_LOGON_INFO *info = NULL; TALLOC_CTX *mem_ctx = NULL; NTSTATUS status; @@ -2409,7 +2408,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar status = kerberos_return_pac(mem_ctx, c->opt_user_name, c->opt_password, - 0, + 0, NULL, NULL, NULL, 
@@ -2417,14 +2416,13 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar true, 2592000, /* one month */ impersonate_princ_s, - &pac); + &info); if (!NT_STATUS_IS_OK(status)) { d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status)); goto out; } - info = get_logon_info_from_pac(pac); if (info) { const char *s; s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 9bd7b5af66..2c8dbfc7c8 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1316,7 +1316,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state, char *principal; DATA_BLOB ap_rep; DATA_BLOB session_key; - struct PAC_DATA *pac_data = NULL; + struct PAC_LOGON_INFO *logon_info = NULL; if ( request.negTokenInit.mechToken.data == NULL ) { DEBUG(1, ("Client did not provide Kerberos data\n")); @@ -1332,7 +1332,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state, status = ads_verify_ticket(mem_ctx, lp_realm(), 0, &request.negTokenInit.mechToken, - &principal, &pac_data, &ap_rep, + &principal, &logon_info, &ap_rep, &session_key, True); /* Now in "principal" we have the name we are diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index a025433121..9554339769 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -564,8 +564,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, ADS_STRUCT *ads; time_t time_offset = 0; bool internal_ccache = true; - - ZERO_STRUCTP(info3); + struct PAC_LOGON_INFO *logon_info = NULL; *info3 = NULL; 
@@ -623,18 +622,18 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid)); } - result = kerberos_return_info3_from_pac(state->mem_ctx, - principal_s, - state->request->data.auth.pass, - time_offset, - &ticket_lifetime, - &renewal_until, - cc, - true, - true, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - info3); + result = kerberos_return_pac(state->mem_ctx, + principal_s, + state->request->data.auth.pass, + time_offset, + &ticket_lifetime, + &renewal_until, + cc, + true, + true, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL, + &logon_info); if (!internal_ccache) { gain_root_privilege(); } @@ -645,6 +644,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, goto failed; } + *info3 = &logon_info->info3; + DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", principal_s)); |
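Review bot: `*info3 = &logon_info->info3;` dereferences logon_info without a NULL check; it is safe only because kerberos_return_pac in libads/authdata.c returns an error whenever `*logon_info` is NULL, a guarantee that lives in a different file and is easy to lose on a later refactor. Since this is the path that turns a Kerberos ticket into the info3 (and hence the group memberships) winbindd trusts, a local guard is cheap: `if (logon_info == NULL) { result = NT_STATUS_INVALID_PARAMETER; goto failed; }` immediately before the assignment. A one-line comment such as `/* info3 points into logon_info, which was allocated for us on state->mem_ctx */` would also make the lifetime of the returned pointer explicit, since the previous kerberos_return_info3_from_pac wrapper hid that. The enclosing winbindd_raw_kerberos_login continues beyond this hunk.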