summaryrefslogtreecommitdiff
path: root/source4/auth/kerberos
diff options
context:
space:
mode:
Diffstat (limited to 'source4/auth/kerberos')
-rw-r--r--source4/auth/kerberos/kerberos.h4
-rw-r--r--source4/auth/kerberos/kerberos_pac.c103
2 files changed, 57 insertions, 50 deletions
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 94de096543..501a4653d7 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -23,7 +23,7 @@
#include "auth/kerberos/krb5_init_context.h"
#include "librpc/gen_ndr/krb5pac.h"
-struct auth_serversupplied_info;
+struct auth_user_info_dc;
struct cli_credentials;
struct ccache_container {
@@ -134,7 +134,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
const krb5_keyblock *service_keyblock,
DATA_BLOB *pac);
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 23b875056b..9620a80d02 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -524,7 +524,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
krb5_error_code kerberos_create_pac(TALLOC_CTX *mem_ctx,
- struct auth_serversupplied_info *server_info,
+ struct auth_user_info_dc *user_info_dc,
krb5_context context,
const krb5_keyblock *krbtgt_keyblock,
const krb5_keyblock *service_keyblock,
@@ -612,7 +612,7 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
talloc_free(pac_data);
return ENOMEM;
}
- nt_status = auth_convert_server_info_saminfo3(LOGON_INFO, server_info, &sam3);
+ nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
@@ -645,10 +645,12 @@ static krb5_error_code make_pac_checksum(TALLOC_CTX *mem_ctx,
return ret;
}
-krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
- krb5_pac pac,
- krb5_context context,
- struct auth_serversupplied_info **server_info)
+krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx,
+ krb5_pac pac,
+ krb5_context context,
+ struct auth_user_info_dc **user_info_dc,
+ struct PAC_SIGNATURE_DATA *pac_srv_sig,
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig)
{
NTSTATUS nt_status;
enum ndr_err_code ndr_err;
@@ -658,7 +660,7 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in;
union PAC_INFO info;
- struct auth_serversupplied_info *server_info_out;
+ struct auth_user_info_dc *user_info_dc_out;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -686,62 +688,67 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
}
/* Pull this right into the normal auth sysstem structures */
- nt_status = make_server_info_pac(mem_ctx,
+ nt_status = make_user_info_dc_pac(mem_ctx,
info.logon_info.info,
- &server_info_out);
+ &user_info_dc_out);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return EINVAL;
}
- ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
- if (ret != 0) {
- talloc_free(tmp_ctx);
- return ret;
- }
-
- pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
-
- ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, server_info_out,
- &server_info_out->pac_srv_sig,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- krb5_data_free(&k5pac_srv_checksum_in);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DEBUG(0,("can't parse the KDC signature: %s\n",
- nt_errstr(nt_status)));
- return EINVAL;
- }
+ if (pac_srv_sig) {
+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_SRV_CHECKSUM, &k5pac_srv_checksum_in);
+ if (ret != 0) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
- ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
- if (ret != 0) {
- talloc_free(tmp_ctx);
- return ret;
+ pac_srv_checksum_in = data_blob_const(k5pac_srv_checksum_in.data, k5pac_srv_checksum_in.length);
+
+ ndr_err = ndr_pull_struct_blob(&pac_srv_checksum_in, pac_srv_sig,
+ pac_srv_sig,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ krb5_data_free(&k5pac_srv_checksum_in);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the KDC signature: %s\n",
+ nt_errstr(nt_status)));
+ return EINVAL;
+ }
}
- pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
+ if (pac_kdc_sig) {
+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_KDC_CHECKSUM, &k5pac_kdc_checksum_in);
+ if (ret != 0) {
+ talloc_free(tmp_ctx);
+ return ret;
+ }
- ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, server_info_out,
- &server_info_out->pac_kdc_sig,
- (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
- krb5_data_free(&k5pac_kdc_checksum_in);
- if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- nt_status = ndr_map_error2ntstatus(ndr_err);
- DEBUG(0,("can't parse the KDC signature: %s\n",
- nt_errstr(nt_status)));
- return EINVAL;
+ pac_kdc_checksum_in = data_blob_const(k5pac_kdc_checksum_in.data, k5pac_kdc_checksum_in.length);
+
+ ndr_err = ndr_pull_struct_blob(&pac_kdc_checksum_in, pac_kdc_sig,
+ pac_kdc_sig,
+ (ndr_pull_flags_fn_t)ndr_pull_PAC_SIGNATURE_DATA);
+ krb5_data_free(&k5pac_kdc_checksum_in);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ nt_status = ndr_map_error2ntstatus(ndr_err);
+ DEBUG(0,("can't parse the KDC signature: %s\n",
+ nt_errstr(nt_status)));
+ return EINVAL;
+ }
}
-
- *server_info = server_info_out;
+ *user_info_dc = user_info_dc_out;
return 0;
}
-NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB pac_blob,
- krb5_context context,
- struct auth_serversupplied_info **server_info)
+NTSTATUS kerberos_pac_blob_to_user_info_dc(TALLOC_CTX *mem_ctx,
+ DATA_BLOB pac_blob,
+ krb5_context context,
+ struct auth_user_info_dc **user_info_dc,
+ struct PAC_SIGNATURE_DATA *pac_srv_sig,
+ struct PAC_SIGNATURE_DATA *pac_kdc_sig)
{
krb5_error_code ret;
krb5_pac pac;
@@ -753,7 +760,7 @@ NTSTATUS kerberos_pac_blob_to_server_info(TALLOC_CTX *mem_ctx,
}
- ret = kerberos_pac_to_server_info(mem_ctx, pac, context, server_info);
+ ret = kerberos_pac_to_user_info_dc(mem_ctx, pac, context, user_info_dc, pac_srv_sig, pac_kdc_sig);
krb5_pac_free(context, pac);
if (ret) {
return map_nt_error_from_unix(ret);