Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/authdata.c | 122 | ||||
-rw-r--r-- | source3/libads/kerberos_verify.c | 25 |
2 files changed, 26 insertions, 121 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index ee2dbde02c..e34220fc2c 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -325,25 +325,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
-****************************************************************/
-
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
-{
- int i;
-
- for (i=0; i < pac_data->num_buffers; i++) {
-
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
- }
-
- return pac_data->buffers[i].info->logon_info.info;
- }
-
- return NULL;
-}
-
-/****************************************************************
+Given a username, password and other details, return the
+PAC_LOGON_INFO (the structure containing the important user
+information such as groups).
 ****************************************************************/
 
 NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
@@ -357,12 +341,11 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 bool add_netbios_addr,
 time_t renewable_time,
 const char *impersonate_princ_s,
- struct PAC_DATA **pac_ret)
+ struct PAC_LOGON_INFO **logon_info)
 {
 krb5_error_code ret;
 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
 DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
- struct PAC_DATA *pac_data = NULL;
 char *client_princ_out = NULL;
 const char *auth_princ = NULL;
 const char *local_service = NULL;
@@ -453,7 +436,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_offset,
 &tkt,
 &client_princ_out,
- &pac_data,
+ logon_info,
 &ap_rep,
 &sesskey2,
 False);
@@ -463,14 +446,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 goto out;
 }
 
- if (!pac_data) {
+ if (!*logon_info) {
 DEBUG(1,("no PAC\n"));
 status = NT_STATUS_INVALID_PARAMETER;
 goto out;
 }
 
- *pac_ret = pac_data;
-
 out:
 if (cc != cache_name) {
 ads_kdestroy(cc);
@@ -486,95 +467,4 @@ out:
 return status;
 }
 
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct PAC_LOGON_INFO **logon_info)
-{
- NTSTATUS status;
- struct PAC_DATA *pac_data = NULL;
- struct PAC_LOGON_INFO *info = NULL;
-
- status = kerberos_return_pac(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &pac_data);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (!pac_data) {
- DEBUG(3,("no pac\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- info = get_logon_info_from_pac(pac_data);
- if (!info) {
- DEBUG(1,("no logon_info\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- *logon_info = info;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct netr_SamInfo3 **info3)
-{
- NTSTATUS status;
- struct PAC_LOGON_INFO *logon_info = NULL;
-
- status = kerberos_return_pac_logon_info(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &logon_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- *info3 = &logon_info->info3;
-
- return NT_STATUS_OK;
-}
 #endif
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index bf9bca6311..4d7bb8d20b 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -405,7 +405,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 time_t time_offset,
 const DATA_BLOB *ticket,
 char **principal,
- struct PAC_DATA **pac_data,
+ struct PAC_LOGON_INFO **logon_info,
 DATA_BLOB *ap_rep,
 DATA_BLOB *session_key,
 bool use_replay_cache)
@@ -433,7 +433,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 ZERO_STRUCT(auth_data);
 
 *principal = NULL;
- *pac_data = NULL;
+ *logon_info = NULL;
 *ap_rep = data_blob_null;
 *session_key = data_blob_null;
 
@@ -611,12 +611,27 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 }
 
 if (got_auth_data) {
- pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+ struct PAC_DATA *pac_data;
+ pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, &pac_data);
+ data_blob_free(&auth_data);
 if (!NT_STATUS_IS_OK(pac_ret)) {
 DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
- *pac_data = NULL;
+ } else {
+ uint32_t i;
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ *logon_info = pac_data->buffers[i].info->logon_info.info;
+ }
+
+ if (!*logon_info) {
+ DEBUG(1,("correctly decoded PAC but found no logon_info! This should not happen\n"));
+ return NT_STATUS_INVALID_USER_BUFFER;
+ }
 }
- data_blob_free(&auth_data);
 }
 
 #if 0 |
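Review bot: The new lookup loop in the `@@ -611` hunk of kerberos_verify.c does not stop at the first PAC_TYPE_LOGON_INFO buffer, so a PAC carrying more than one such buffer yields the last one, whereas the removed get_logon_info_from_pac returned the first; adding `break;` directly after `*logon_info = pac_data->buffers[i].info->logon_info.info;` restores the original first-match semantics and avoids walking the remaining buffers. The bare `return NT_STATUS_INVALID_USER_BUFFER;` in the same branch leaves ads_verify_ticket through a path that only the new code takes; context, keyblock and client_principal are still live at that point (they are passed to decode_pac_data just above), so if the function releases them at a cleanup label later in its body, this return skips that release. ads_verify_ticket's body continues outside the hunk, so the cleanup structure cannot be confirmed here; if it exists, record the status and jump to it rather than returning directly.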