summaryrefslogtreecommitdiff
path: root/source3/nsswitch
diff options
context:
space:
mode:
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/libwbclient/wbc_pam.c128
-rw-r--r--source3/nsswitch/wbinfo.c5
2 files changed, 95 insertions, 38 deletions
diff --git a/source3/nsswitch/libwbclient/wbc_pam.c b/source3/nsswitch/libwbclient/wbc_pam.c
index d614474cb7..9b8a913a57 100644
--- a/source3/nsswitch/libwbclient/wbc_pam.c
+++ b/source3/nsswitch/libwbclient/wbc_pam.c
@@ -34,30 +34,16 @@
wbcErr wbcAuthenticateUser(const char *username,
const char *password)
{
- wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
- struct winbindd_request request;
- struct winbindd_response response;
-
- if (!username) {
- wbc_status = WBC_ERR_INVALID_PARAM;
- BAIL_ON_WBC_ERROR(wbc_status);
- }
-
- /* Initialize request */
-
- ZERO_STRUCT(request);
- ZERO_STRUCT(response);
+ wbcErr wbc_status = WBC_ERR_SUCCESS;
+ struct wbcAuthUserParams params;
- /* dst is already null terminated from the memset above */
+ ZERO_STRUCT(params);
- strncpy(request.data.auth.user, username,
- sizeof(request.data.auth.user)-1);
- strncpy(request.data.auth.pass, password,
- sizeof(request.data.auth.user)-1);
+ params.account_name = username;
+ params.level = WBC_AUTH_USER_LEVEL_PLAIN;
+ params.password.plaintext = password;
- wbc_status = wbcRequestResponse(WINBINDD_PAM_AUTH,
- &request,
- &response);
+ wbc_status = wbcAuthenticateUserEx(&params, NULL, NULL);
BAIL_ON_WBC_ERROR(wbc_status);
done:
@@ -252,8 +238,8 @@ done:
/** @brief Authenticate with more detailed information
*
- * @param params Input parameters, only WBC_AUTH_USER_LEVEL_RESPONSE
- * is supported yet
+ * @param params Input parameters, WBC_AUTH_USER_LEVEL_HASH
+ * is not supported yet
* @param info Output details on WBC_ERR_SUCCESS
* @param error Output details on WBC_ERR_AUTH_ERROR
*
@@ -265,11 +251,10 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
struct wbcAuthErrorInfo **error)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
- int cmd;
+ int cmd = 0;
struct winbindd_request request;
struct winbindd_response response;
-
ZERO_STRUCT(request);
ZERO_STRUCT(response);
@@ -282,12 +267,49 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
BAIL_ON_WBC_ERROR(wbc_status);
}
+ if (!params->account_name) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
/* Initialize request */
switch (params->level) {
case WBC_AUTH_USER_LEVEL_PLAIN:
- wbc_status = WBC_ERR_NOT_IMPLEMENTED;
- BAIL_ON_WBC_ERROR(wbc_status);
+ cmd = WINBINDD_PAM_AUTH;
+ request.flags = WBFLAG_PAM_INFO3_TEXT |
+ WBFLAG_PAM_USER_SESSION_KEY |
+ WBFLAG_PAM_LMKEY;
+
+ if (!params->password.plaintext) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ if (params->domain_name && params->domain_name[0]) {
+ /* We need to get the winbind separator :-( */
+ struct winbindd_response sep_response;
+
+ ZERO_STRUCT(sep_response);
+
+ wbc_status = wbcRequestResponse(WINBINDD_INFO,
+ NULL, &sep_response);
+ BAIL_ON_WBC_ERROR(wbc_status);
+
+ snprintf(request.data.auth.user,
+ sizeof(request.data.auth.user)-1,
+ "%s%c%s",
+ params->domain_name,
+ sep_response.data.info.winbind_separator,
+ params->account_name);
+ } else {
+ strncpy(request.data.auth.user,
+ params->account_name,
+ sizeof(request.data.auth.user)-1);
+ }
+ strncpy(request.data.auth.pass,
+ params->password.plaintext,
+ sizeof(request.data.auth.user)-1);
break;
case WBC_AUTH_USER_LEVEL_HASH:
@@ -301,12 +323,36 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
WBFLAG_PAM_USER_SESSION_KEY |
WBFLAG_PAM_LMKEY;
+ if (params->password.response.lm_length &&
+ params->password.response.lm_data) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+ if (params->password.response.lm_length == 0 &&
+ params->password.response.lm_data) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
+ if (params->password.response.nt_length &&
+ !params->password.response.nt_data) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+ if (params->password.response.nt_length == 0&&
+ params->password.response.nt_data) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
strncpy(request.data.auth_crap.user,
params->account_name,
sizeof(request.data.auth_crap.user)-1);
- strncpy(request.data.auth_crap.domain,
- params->domain_name,
- sizeof(request.data.auth_crap.domain)-1);
+ if (params->domain_name) {
+ strncpy(request.data.auth_crap.domain,
+ params->domain_name,
+ sizeof(request.data.auth_crap.domain)-1);
+ }
if (params->workstation_name) {
strncpy(request.data.auth_crap.workstation,
params->workstation_name,
@@ -326,19 +372,27 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
request.data.auth_crap.nt_resp_len =
MIN(params->password.response.nt_length,
sizeof(request.data.auth_crap.nt_resp));
- memcpy(request.data.auth_crap.lm_resp,
- params->password.response.lm_data,
- request.data.auth_crap.lm_resp_len);
- memcpy(request.data.auth_crap.nt_resp,
- params->password.response.nt_data,
- request.data.auth_crap.nt_resp_len);
-
+ if (params->password.response.lm_data) {
+ memcpy(request.data.auth_crap.lm_resp,
+ params->password.response.lm_data,
+ request.data.auth_crap.lm_resp_len);
+ }
+ if (params->password.response.nt_data) {
+ memcpy(request.data.auth_crap.nt_resp,
+ params->password.response.nt_data,
+ request.data.auth_crap.nt_resp_len);
+ }
break;
default:
wbc_status = WBC_ERR_INVALID_PARAM;
BAIL_ON_WBC_ERROR(wbc_status);
}
+ if (cmd == 0) {
+ wbc_status = WBC_ERR_INVALID_PARAM;
+ BAIL_ON_WBC_ERROR(wbc_status);
+ }
+
wbc_status = wbcRequestResponse(cmd,
&request,
&response);
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 689dc5e9e1..ee51cce835 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -906,6 +906,7 @@ static bool wbinfo_auth_crap(char *username)
{
wbcErr wbc_status = WBC_ERR_UNKNOWN_FAILURE;
struct wbcAuthUserParams params;
+ struct wbcAuthUserInfo *info = NULL;
struct wbcAuthErrorInfo *err = NULL;
DATA_BLOB lm = data_blob_null;
DATA_BLOB nt = data_blob_null;
@@ -974,7 +975,7 @@ static bool wbinfo_auth_crap(char *username)
params.password.response.lm_length = lm.length;
params.password.response.lm_data = lm.data;
- wbc_status = wbcAuthenticateUserEx(&params, NULL, &err);
+ wbc_status = wbcAuthenticateUserEx(&params, &info, &err);
/* Display response */
@@ -987,6 +988,8 @@ static bool wbinfo_auth_crap(char *username)
err->nt_status,
err->display_string);
wbcFreeMemory(err);
+ } else if (WBC_ERROR_IS_OK(wbc_status)) {
+ wbcFreeMemory(info);
}
data_blob_free(&nt);