7 files changed, 19 insertions, 98 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 3407dfd215..1e8b5bb994 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -598,6 +598,7 @@ LIBMSRPC_OBJ = $(SCHANNEL_OBJ) \
 	       rpc_client/cli_pipe.o \
 	       librpc/crypto/gse_krb5.o \
 	       librpc/crypto/gse.o \
+	       ../auth/kerberos/gssapi_pac.o \
 	       librpc/crypto/cli_spnego.o \
 	       librpc/rpc/rpc_common.o \
 	       rpc_client/rpc_transport_np.o \
diff --git a/source3/configure.in b/source3/configure.in
index 556b8d3aee..883f0b1df0 100644
--- a/source3/configure.in
+++ b/source3/configure.in
@@ -3869,6 +3869,7 @@ if test x"$with_ads_support" != x"no"; then
   AC_CHECK_FUNC_EXT(krb5_get_host_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(krb5_free_host_realm, $KRB5_LIBS)
   AC_CHECK_FUNC_EXT(gss_krb5_import_cred, $KRB5_LIBS)
+  AC_CHECK_FUNC_EXT(gss_get_name_attribute, $KRB5_LIBS)
 
   # MIT krb5 1.8 does not expose this call (yet)
   AC_CHECK_DECLS(krb5_get_credentials_for_user, [], [], [#include <krb5.h>])
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 0d9eead082..42e9c942a9 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -62,16 +62,6 @@ gss_OID_desc gse_authz_data_oid = {
 	(void *)GSE_EXTRACT_RELEVANT_AUTHZ_DATA_OID
 };
 
-#ifndef GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH 11
-#define GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0c"
-#endif
-
-gss_OID_desc gse_authtime_oid = {
-	GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH,
-	(void *)GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID
-};
-
 static char *gse_errstr(TALLOC_CTX *mem_ctx, OM_uint32 maj, OM_uint32 min);
 
 struct gse_context {
@@ -692,42 +682,15 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
 	return NT_STATUS_OK;
 }
 
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+			  TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob)
 {
-	OM_uint32 gss_min, gss_maj;
-	gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
-	int32_t	tkttime;
-
 	if (!gse_ctx->authenticated) {
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
-	gss_maj = gss_inquire_sec_context_by_oid(
-				&gss_min, gse_ctx->gss_ctx,
-				&gse_authtime_oid, &set);
-	if (gss_maj) {
-		DEBUG(0, ("gss_inquire_sec_context_by_oid failed [%s]\n",
-			  gse_errstr(talloc_tos(), gss_maj, gss_min)));
-		return NT_STATUS_NOT_FOUND;
-	}
-
-	if ((set == GSS_C_NO_BUFFER_SET) || (set->count != 1) != 0) {
-		DEBUG(0, ("gss_inquire_sec_context_by_oid returned unknown "
-			  "data in results.\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	if (set->elements[0].length != sizeof(int32_t)) {
-		DEBUG(0, ("Invalid authtime size!\n"));
-		return NT_STATUS_INTERNAL_ERROR;
-	}
-
-	tkttime = *((int32_t *)set->elements[0].value);
-
-	gss_maj = gss_release_buffer_set(&gss_min, &set);
-
-	*authtime = (time_t)tkttime;
-	return NT_STATUS_OK;
+	return gssapi_obtain_pac_blob(mem_ctx, gse_ctx->gss_ctx,
+					gse_ctx->client_name, pac_blob);
 }
 
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
@@ -1017,4 +980,4 @@ NTSTATUS gse_sigcheck(TALLOC_CTX *mem_ctx, struct gse_context *gse_ctx,
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
 
-#endif /* HAVE_KRB5 && HAVE_GSSAPI_EXT_H && HAVE_GSS_WRAP_IOV */
+#endif /* HAVE_KRB5 && HAVE_GSS_WRAP_IOV */
diff --git a/source3/librpc/crypto/gse.h b/source3/librpc/crypto/gse.h
index fbcf5b6e10..27cc2e9255 100644
--- a/source3/librpc/crypto/gse.h
+++ b/source3/librpc/crypto/gse.h
@@ -56,7 +56,8 @@ NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
 			     TALLOC_CTX *mem_ctx, char **client_name);
 NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
 			    TALLOC_CTX *mem_ctx, DATA_BLOB *pac);
-NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime);
+NTSTATUS gse_get_pac_blob(struct gse_context *gse_ctx,
+			  TALLOC_CTX *mem_ctx, DATA_BLOB *pac_blob);
 
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
 				int seal, size_t payload_size);
diff --git a/source3/rpc_server/dcesrv_gssapi.c b/source3/rpc_server/dcesrv_gssapi.c
index ec02459633..b63f4f129e 100644
--- a/source3/rpc_server/dcesrv_gssapi.c
+++ b/source3/rpc_server/dcesrv_gssapi.c
@@ -23,6 +23,7 @@
 #include "../librpc/gen_ndr/ndr_krb5pac.h"
 #include "librpc/crypto/gse.h"
 #include "auth.h"
+#include "libcli/auth/krb5_wrap.h"
 
 NTSTATUS gssapi_server_auth_start(TALLOC_CTX *mem_ctx,
 				  bool do_sign,
@@ -105,14 +106,9 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 				     struct auth_serversupplied_info **server_info)
 {
 	TALLOC_CTX *tmp_ctx;
-	DATA_BLOB auth_data;
-	time_t tgs_authtime;
-	NTTIME tgs_authtime_nttime;
-	DATA_BLOB pac;
+	DATA_BLOB pac_blob;
 	struct PAC_DATA *pac_data;
-	struct PAC_LOGON_NAME *logon_name = NULL;
 	struct PAC_LOGON_INFO *logon_info = NULL;
-	enum ndr_err_code ndr_err;
 	unsigned int i;
 	bool is_mapped;
 	bool is_guest;
@@ -122,14 +118,13 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 	char *username;
 	struct passwd *pw;
 	NTSTATUS status;
-	bool bret;
 
 	tmp_ctx = talloc_new(mem_ctx);
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = gse_get_authz_data(gse_ctx, tmp_ctx, &auth_data);
+	status = gse_get_pac_blob(gse_ctx, tmp_ctx, &pac_blob);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
 		/* TODO: Fetch user by principal name ? */
 		status = NT_STATUS_ACCESS_DENIED;
@@ -139,37 +134,18 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 		goto done;
 	}
 
-	bret = unwrap_pac(tmp_ctx, &auth_data, &pac);
-	if (!bret) {
-		DEBUG(1, ("Failed to unwrap PAC\n"));
-		status = NT_STATUS_ACCESS_DENIED;
-		goto done;
-	}
-
-	status = gse_get_client_name(gse_ctx, tmp_ctx, &princ_name);
+	status = kerberos_decode_pac(tmp_ctx,
+				     pac_blob,
+				     NULL, NULL, NULL, NULL, 0, &pac_data);
+	data_blob_free(&pac_blob);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
 
-	status = gse_get_authtime(gse_ctx, &tgs_authtime);
+	status = gse_get_client_name(gse_ctx, tmp_ctx, &princ_name);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto done;
 	}
-	unix_to_nt_time(&tgs_authtime_nttime, tgs_authtime);
-
-	pac_data = talloc_zero(tmp_ctx, struct PAC_DATA);
-	if (!pac_data) {
-		status = NT_STATUS_NO_MEMORY;
-		goto done;
-	}
-
-	ndr_err = ndr_pull_struct_blob(&pac, pac_data, pac_data,
-				(ndr_pull_flags_fn_t)ndr_pull_PAC_DATA);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DEBUG(1, ("Failed to parse the PAC for %s\n", princ_name));
-		status = ndr_map_error2ntstatus(ndr_err);
-		goto done;
-	}
 
 	/* get logon name and logon info */
 	for (i = 0; i < pac_data->num_buffers; i++) {
@@ -182,9 +158,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 			}
 			logon_info = data_buf->info->logon_info.info;
 			break;
-		case PAC_TYPE_LOGON_NAME:
-			logon_name = &data_buf->info->logon_name;
-			break;
 		default:
 			break;
 		}
@@ -194,25 +167,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
 		status = NT_STATUS_NOT_FOUND;
 		goto done;
 	}
-	if (!logon_name) {
-		DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
-		status = NT_STATUS_NOT_FOUND;
-		goto done;
-	}
-
-	/* check time */
-	if (tgs_authtime_nttime != logon_name->logon_time) {
-		DEBUG(1, ("Logon time mismatch between ticket and PAC!\n"
-			  "PAC Time = %s | Ticket Time = %s\n",
-			  nt_time_string(tmp_ctx, logon_name->logon_time),
-			  nt_time_string(tmp_ctx, tgs_authtime_nttime)));
-		status = NT_STATUS_ACCESS_DENIED;
-		goto done;
-	}
-
-	/* TODO: Should we check princ_name against account_name in
-	 * logon_name ? Are they supposed to be identical, or can an
-	 * account_name be different from the UPN ? */
 
 	status = get_user_from_kerberos_info(tmp_ctx, client_id->name,
 					     princ_name, logon_info,
diff --git a/source3/wscript b/source3/wscript
index 49f11f2e5b..6081ac9d4d 100644
--- a/source3/wscript
+++ b/source3/wscript
@@ -632,7 +632,7 @@ msg.msg_acctrightslen = sizeof(fd);
         if conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi') or \
            conf.CHECK_FUNCS_IN('gss_display_status', 'gssapi_krb5'):
             have_gssapi=True
-        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred', 'gssapi gssapi_krb5 krb5')
+        conf.CHECK_FUNCS_IN('gss_wrap_iov gss_krb5_import_cred gss_get_name_attribute', 'gssapi gssapi_krb5 krb5')
         conf.CHECK_FUNCS_IN('krb5_mk_req_extended krb5_kt_compare', 'krb5')
         conf.CHECK_FUNCS('''
 krb5_set_real_time krb5_set_default_in_tkt_etypes krb5_set_default_tgs_enctypes
diff --git a/source3/wscript_build b/source3/wscript_build
index dc01554c2e..8b337e6ccb 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -1327,6 +1327,7 @@ if not bld.env.toplevel_build:
 
 bld.RECURSE('../lib/util/charset')
 bld.RECURSE('../auth')
+bld.RECURSE('../auth/kerberos')
 bld.RECURSE('../lib/addns')
 bld.RECURSE('../lib/async_req')
 bld.RECURSE('../libcli/auth')