summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/include/proto.h17
-rw-r--r--source3/libads/authdata.c122
-rw-r--r--source3/libads/kerberos_verify.c25
-rw-r--r--source3/smbd/sesssetup.c10
-rw-r--r--source3/utils/net_ads.c6
-rw-r--r--source3/utils/ntlm_auth.c4
-rw-r--r--source3/winbindd/winbindd_pam.c29
7 files changed, 50 insertions, 163 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index f883cd2b8c..0d0864e8f6 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1732,7 +1732,6 @@ const char *ads_get_ldap_server_name(ADS_STRUCT *ads);
/* The following definitions come from libads/authdata.c */
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data);
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
@@ -1744,19 +1743,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
- struct PAC_DATA **pac_ret);
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct netr_SamInfo3 **info3);
+ struct PAC_LOGON_INFO **logon_info);
/* The following definitions come from libads/cldap.c */
bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
@@ -1850,7 +1837,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
time_t time_offset,
const DATA_BLOB *ticket,
char **principal,
- struct PAC_DATA **pac_data,
+ struct PAC_LOGON_INFO **logon_info,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key,
bool use_replay_cache);
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index ee2dbde02c..e34220fc2c 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -325,25 +325,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
}
/****************************************************************
-****************************************************************/
-
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
-{
- int i;
-
- for (i=0; i < pac_data->num_buffers; i++) {
-
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
- }
-
- return pac_data->buffers[i].info->logon_info.info;
- }
-
- return NULL;
-}
-
-/****************************************************************
+Given a username, password and other details, return the
+PAC_LOGON_INFO (the structure containing the important user
+information such as groups).
****************************************************************/
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
@@ -357,12 +341,11 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
- struct PAC_DATA **pac_ret)
+ struct PAC_LOGON_INFO **logon_info)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
- struct PAC_DATA *pac_data = NULL;
char *client_princ_out = NULL;
const char *auth_princ = NULL;
const char *local_service = NULL;
@@ -453,7 +436,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
time_offset,
&tkt,
&client_princ_out,
- &pac_data,
+ logon_info,
&ap_rep,
&sesskey2,
False);
@@ -463,14 +446,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
goto out;
}
- if (!pac_data) {
+ if (!*logon_info) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
- *pac_ret = pac_data;
-
out:
if (cc != cache_name) {
ads_kdestroy(cc);
@@ -486,95 +467,4 @@ out:
return status;
}
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct PAC_LOGON_INFO **logon_info)
-{
- NTSTATUS status;
- struct PAC_DATA *pac_data = NULL;
- struct PAC_LOGON_INFO *info = NULL;
-
- status = kerberos_return_pac(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &pac_data);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (!pac_data) {
- DEBUG(3,("no pac\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- info = get_logon_info_from_pac(pac_data);
- if (!info) {
- DEBUG(1,("no logon_info\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- *logon_info = info;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct netr_SamInfo3 **info3)
-{
- NTSTATUS status;
- struct PAC_LOGON_INFO *logon_info = NULL;
-
- status = kerberos_return_pac_logon_info(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &logon_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- *info3 = &logon_info->info3;
-
- return NT_STATUS_OK;
-}
#endif
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index bf9bca6311..4d7bb8d20b 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -405,7 +405,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
time_t time_offset,
const DATA_BLOB *ticket,
char **principal,
- struct PAC_DATA **pac_data,
+ struct PAC_LOGON_INFO **logon_info,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key,
bool use_replay_cache)
@@ -433,7 +433,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(auth_data);
*principal = NULL;
- *pac_data = NULL;
+ *logon_info = NULL;
*ap_rep = data_blob_null;
*session_key = data_blob_null;
@@ -611,12 +611,27 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
}
if (got_auth_data) {
- pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+ struct PAC_DATA *pac_data;
+ pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, &pac_data);
+ data_blob_free(&auth_data);
if (!NT_STATUS_IS_OK(pac_ret)) {
DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
- *pac_data = NULL;
+ } else {
+ uint32_t i;
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ *logon_info = pac_data->buffers[i].info->logon_info.info;
+ }
+
+ if (!*logon_info) {
+ DEBUG(1,("correctly decoded PAC but found no logon_info! This should not happen\n"));
+ return NT_STATUS_INVALID_USER_BUFFER;
+ }
}
- data_blob_free(&auth_data);
}
#if 0
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a00a362537..df39aed0ed 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -243,7 +243,6 @@ static void reply_spnego_kerberos(struct smb_request *req,
fstring user;
int sess_vuid = req->vuid;
NTSTATUS ret = NT_STATUS_OK;
- struct PAC_DATA *pac_data = NULL;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
struct auth_serversupplied_info *server_info = NULL;
DATA_BLOB session_key = data_blob_null;
@@ -276,7 +275,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
}
ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
- &client, &pac_data, &ap_rep,
+ &client, &logon_info, &ap_rep,
&session_key, True);
data_blob_free(&ticket);
@@ -353,11 +352,8 @@ static void reply_spnego_kerberos(struct smb_request *req,
/* save the PAC data if we have it */
- if (pac_data) {
- logon_info = get_logon_info_from_pac(pac_data);
- if (logon_info) {
- netsamlogon_cache_store( client, &logon_info->info3 );
- }
+ if (logon_info) {
+ netsamlogon_cache_store( client, &logon_info->info3 );
}
if (!strequal(p+1, lp_realm())) {
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 53cb9ace02..5989fec3ce 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2379,7 +2379,6 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
{
- struct PAC_DATA *pac = NULL;
struct PAC_LOGON_INFO *info = NULL;
TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
@@ -2409,7 +2408,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
status = kerberos_return_pac(mem_ctx,
c->opt_user_name,
c->opt_password,
- 0,
+ 0,
NULL,
NULL,
NULL,
@@ -2417,14 +2416,13 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
true,
2592000, /* one month */
impersonate_princ_s,
- &pac);
+ &info);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
nt_errstr(status));
goto out;
}
- info = get_logon_info_from_pac(pac);
if (info) {
const char *s;
s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 9bd7b5af66..2c8dbfc7c8 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1316,7 +1316,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
char *principal;
DATA_BLOB ap_rep;
DATA_BLOB session_key;
- struct PAC_DATA *pac_data = NULL;
+ struct PAC_LOGON_INFO *logon_info = NULL;
if ( request.negTokenInit.mechToken.data == NULL ) {
DEBUG(1, ("Client did not provide Kerberos data\n"));
@@ -1332,7 +1332,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
- &principal, &pac_data, &ap_rep,
+ &principal, &logon_info, &ap_rep,
&session_key, True);
/* Now in "principal" we have the name we are
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a025433121..9554339769 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -564,8 +564,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
ADS_STRUCT *ads;
time_t time_offset = 0;
bool internal_ccache = true;
-
- ZERO_STRUCTP(info3);
+ struct PAC_LOGON_INFO *logon_info = NULL;
*info3 = NULL;
@@ -623,18 +622,18 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
}
- result = kerberos_return_info3_from_pac(state->mem_ctx,
- principal_s,
- state->request->data.auth.pass,
- time_offset,
- &ticket_lifetime,
- &renewal_until,
- cc,
- true,
- true,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- NULL,
- info3);
+ result = kerberos_return_pac(state->mem_ctx,
+ principal_s,
+ state->request->data.auth.pass,
+ time_offset,
+ &ticket_lifetime,
+ &renewal_until,
+ cc,
+ true,
+ true,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ &logon_info);
if (!internal_ccache) {
gain_root_privilege();
}
@@ -645,6 +644,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
goto failed;
}
+ *info3 = &logon_info->info3;
+
DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
principal_s));