5 files changed, 67 insertions, 45 deletions

diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 58adb60a5f..56e61ea2a3 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -151,8 +151,8 @@ static NTSTATUS authsam_password_ok(struct auth_context *auth_context,
 NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    struct ldb_context *sam_ctx,
 			    uint32_t logon_parameters,
-			    struct ldb_message **msgs,
-			    struct ldb_message **msgs_domain_ref,
+			    struct ldb_message *msg,
+			    struct ldb_message *msg_domain_ref,
 			    const char *logon_workstation,
 			    const char *name_for_logs)
 {
@@ -162,20 +162,20 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	NTTIME must_change_time;
 	NTTIME last_set_time;
 
-	struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msgs_domain_ref[0], "nCName", ldb_dn_new(mem_ctx));
+	struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
 
 	NTTIME now;
 	DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
 
-	acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+	acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
 	
-	acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
+	acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 	must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-							      domain_dn, msgs[0], 
+							      domain_dn, msg, 
 							      "pwdLastSet");
-	last_set_time = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
+	last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
 
-	workstation_list = samdb_result_string(msgs[0], "userWorkstations", NULL);
+	workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
 
 	/* Quit if the account was disabled. */
 	if (acct_flags & ACB_DISABLED) {
@@ -412,17 +412,17 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 
 	nt_status = authsam_account_ok(mem_ctx, sam_ctx, 
 				       user_info->logon_parameters,
-				       msgs,
-				       msgs_domain_ref,
+				       msgs[0],
+				       msgs_domain_ref[0],
 				       user_info->workstation_name,
 				       user_info->mapped.account_name);
 
 	return nt_status;
 }
 
-static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
-					 struct ldb_message **msgs,
-					 struct ldb_message **msgs_domain,
+NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
+					 struct ldb_message *msg,
+					 struct ldb_message *msg_domain_ref,
 					 DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
 					 struct auth_serversupplied_info **_server_info)
 {
@@ -443,7 +443,7 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 	group_ret = gendb_search(sam_ctx,
 				 tmp_ctx, NULL, &group_msgs, group_attrs,
 				 "(&(member=%s)(sAMAccountType=*))", 
-				 ldb_dn_linearize(tmp_ctx, msgs[0]->dn));
+				 ldb_dn_linearize(tmp_ctx, msg->dn));
 	if (group_ret == -1) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -466,13 +466,13 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 
 	talloc_free(tmp_ctx);
 
-	account_sid = samdb_result_dom_sid(server_info, msgs[0], "objectSid");
+	account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
 	NT_STATUS_HAVE_NO_MEMORY(account_sid);
 
 	primary_group_sid = dom_sid_dup(server_info, account_sid);
 	NT_STATUS_HAVE_NO_MEMORY(primary_group_sid);
 
-	rid = samdb_result_uint(msgs[0], "primaryGroupID", ~0);
+	rid = samdb_result_uint(msg, "primaryGroupID", ~0);
 	if (rid == ~0) {
 		if (group_ret > 0) {
 			primary_group_sid = groupSIDs[0];
@@ -489,49 +489,49 @@ static NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context
 	server_info->n_domain_groups = group_ret;
 	server_info->domain_groups = groupSIDs;
 
-	server_info->account_name = talloc_steal(server_info, samdb_result_string(msgs[0], "sAMAccountName", NULL));
+	server_info->account_name = talloc_steal(server_info, samdb_result_string(msg, "sAMAccountName", NULL));
 
-	server_info->domain_name = talloc_steal(server_info, samdb_result_string(msgs_domain[0], "nETBIOSName", NULL));
+	server_info->domain_name = talloc_steal(server_info, samdb_result_string(msg_domain_ref, "nETBIOSName", NULL));
 
-	str = samdb_result_string(msgs[0], "displayName", "");
+	str = samdb_result_string(msg, "displayName", "");
 	server_info->full_name = talloc_strdup(server_info, str);
 	NT_STATUS_HAVE_NO_MEMORY(server_info->full_name);
 
-	str = samdb_result_string(msgs[0], "scriptPath", "");
+	str = samdb_result_string(msg, "scriptPath", "");
 	server_info->logon_script = talloc_strdup(server_info, str);
 	NT_STATUS_HAVE_NO_MEMORY(server_info->logon_script);
 
-	str = samdb_result_string(msgs[0], "profilePath", "");
+	str = samdb_result_string(msg, "profilePath", "");
 	server_info->profile_path = talloc_strdup(server_info, str);
 	NT_STATUS_HAVE_NO_MEMORY(server_info->profile_path);
 
-	str = samdb_result_string(msgs[0], "homeDirectory", "");
+	str = samdb_result_string(msg, "homeDirectory", "");
 	server_info->home_directory = talloc_strdup(server_info, str);
 	NT_STATUS_HAVE_NO_MEMORY(server_info->home_directory);
 
-	str = samdb_result_string(msgs[0], "homeDrive", "");
+	str = samdb_result_string(msg, "homeDrive", "");
 	server_info->home_drive = talloc_strdup(server_info, str);
 	NT_STATUS_HAVE_NO_MEMORY(server_info->home_drive);
 
 	server_info->logon_server = talloc_strdup(server_info, lp_netbios_name());
 	NT_STATUS_HAVE_NO_MEMORY(server_info->logon_server);
 
-	server_info->last_logon = samdb_result_nttime(msgs[0], "lastLogon", 0);
-	server_info->last_logoff = samdb_result_nttime(msgs[0], "lastLogoff", 0);
-	server_info->acct_expiry = samdb_result_nttime(msgs[0], "accountExpires", 0);
-	server_info->last_password_change = samdb_result_nttime(msgs[0], "pwdLastSet", 0);
+	server_info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
+	server_info->last_logoff = samdb_result_nttime(msg, "lastLogoff", 0);
+	server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+	server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 
-	ncname = samdb_result_dn(mem_ctx, msgs_domain[0], "nCName", ldb_dn_new(mem_ctx));
+	ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
 
 	server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
-							ncname, msgs[0], "pwdLastSet");
+							ncname, msg, "pwdLastSet");
 	server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-							ncname, msgs[0], "pwdLastSet");
+							ncname, msg, "pwdLastSet");
 
-	server_info->logon_count = samdb_result_uint(msgs[0], "logonCount", 0);
-	server_info->bad_password_count = samdb_result_uint(msgs[0], "badPwdCount", 0);
+	server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
+	server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
 
-	server_info->acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+	server_info->acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
 
 	server_info->user_session_key = user_sess_key;
 	server_info->lm_session_key = lm_sess_key;
@@ -614,7 +614,7 @@ NTSTATUS sam_get_server_info_principal(TALLOC_CTX *mem_ctx, const char *principa
 		return nt_status;
 	}
 
-	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, msgs_domain_ref,
+	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs[0], msgs_domain_ref[0],
 					     user_sess_key, lm_sess_key,
 					     server_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
@@ -654,7 +654,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 					 &user_sess_key, &lm_sess_key);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs, domain_ref_msgs,
+	nt_status = authsam_make_server_info(mem_ctx, sam_ctx, msgs[0], domain_ref_msgs[0],
 					     user_sess_key, lm_sess_key,
 					     server_info);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 08e2298c1a..c8a57234e3 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -891,7 +891,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		/* decode and verify the pac */
 		nt_status = kerberos_pac_logon_info(mem_ctx, &logon_info, pac_blob,
 						    gensec_gssapi_state->smb_krb5_context->krb5_context,
-						    NULL, keyblock, principal, authtime);
+						    NULL, keyblock, principal, authtime, NULL);
 		krb5_free_principal(gensec_gssapi_state->smb_krb5_context->krb5_context, principal);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/gensec/gensec_krb5.c b/source4/auth/gensec/gensec_krb5.c
index d5a2fd9a8f..c8640dde8c 100644
--- a/source4/auth/gensec/gensec_krb5.c
+++ b/source4/auth/gensec/gensec_krb5.c
@@ -521,7 +521,7 @@ static NTSTATUS gensec_krb5_session_info(struct gensec_security *gensec_security
 						    gensec_krb5_state->smb_krb5_context->krb5_context,
 						    NULL, gensec_krb5_state->keyblock,
 						    client_principal,
-						    gensec_krb5_state->ticket->ticket.authtime);
+						    gensec_krb5_state->ticket->ticket.authtime, NULL);
 		krb5_free_principal(context, client_principal);
 
 		if (NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/kerberos/kerberos.h b/source4/auth/kerberos/kerberos.h
index 9813290650..46bf300229 100644
--- a/source4/auth/kerberos/kerberos.h
+++ b/source4/auth/kerberos/kerberos.h
@@ -137,7 +137,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 			     krb5_keyblock *krbtgt_keyblock,
 			     krb5_keyblock *service_keyblock,
 			     krb5_const_principal client_principal,
-			     time_t tgs_authtime);
+			     time_t tgs_authtime,
+			     krb5_error_code *k5ret);
  NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 				  struct PAC_LOGON_INFO **logon_info,
 				  DATA_BLOB blob,
@@ -145,7 +146,8 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 				  krb5_keyblock *krbtgt_keyblock,
 				  krb5_keyblock *service_keyblock,
 				  krb5_const_principal client_principal,
-				  time_t tgs_authtime);
+				  time_t tgs_authtime, 
+				  krb5_error_code *k5ret);
  krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
 				    struct PAC_DATA *pac_data,
 				    krb5_context context,
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index 9be9df133a..55805f0c4a 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -74,7 +74,8 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 			      krb5_keyblock *krbtgt_keyblock,
 			      krb5_keyblock *service_keyblock,
 			      krb5_const_principal client_principal,
-			      time_t tgs_authtime)
+			      time_t tgs_authtime,
+			      krb5_error_code *k5ret)
 {
 	krb5_error_code ret;
 	NTSTATUS status;
@@ -87,19 +88,28 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 	struct PAC_DATA *pac_data;
 	struct PAC_DATA_RAW *pac_data_raw;
 
-	DATA_BLOB *srv_sig_blob;
-	DATA_BLOB *kdc_sig_blob;
+	DATA_BLOB *srv_sig_blob = NULL;
+	DATA_BLOB *kdc_sig_blob = NULL;
 
 	DATA_BLOB modified_pac_blob;
 	NTTIME tgs_authtime_nttime;
 	krb5_principal client_principal_pac;
 	int i;
 
+	krb5_clear_error_string(context);
+
+	if (k5ret) {
+		*k5ret = KRB5_PARSE_MALFORMED;
+	}
+
 	pac_data = talloc(mem_ctx, struct PAC_DATA);
 	pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW);
 	kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 	srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA);
 	if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) {
+		if (k5ret) {
+			*k5ret = ENOMEM;
+		}
 		return NT_STATUS_NO_MEMORY;
 	}
 
@@ -242,6 +252,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 	if (ret) {
 		DEBUG(1, ("PAC Decode: Failed to verify the service signature: %s\n",
 			  smb_get_krb5_error_message(context, ret, mem_ctx)));
+		if (k5ret) {
+			*k5ret = ret;
+		}
 		return NT_STATUS_ACCESS_DENIED;
 	}
 
@@ -252,6 +265,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 		if (ret) {
 			DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n",
 				  smb_get_krb5_error_message(context, ret, mem_ctx)));
+			if (k5ret) {
+				*k5ret = ret;
+			}
 			return NT_STATUS_ACCESS_DENIED;
 		}
 	}
@@ -271,6 +287,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 		DEBUG(2, ("Could not parse name from incoming PAC: [%s]: %s\n", 
 			  logon_name->account_name, 
 			  smb_get_krb5_error_message(context, ret, mem_ctx)));
+		if (k5ret) {
+			*k5ret = ret;
+		}
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
@@ -302,19 +321,20 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 				  krb5_keyblock *krbtgt_keyblock,
 				  krb5_keyblock *service_keyblock,
 				  krb5_const_principal client_principal,
-				  time_t tgs_authtime)
+				  time_t tgs_authtime, 
+				  krb5_error_code *k5ret)
 {
 	NTSTATUS nt_status;
 	struct PAC_DATA *pac_data;
 	int i;
-
 	nt_status = kerberos_decode_pac(mem_ctx, &pac_data,
 					blob,
 					context,
 					krbtgt_keyblock,
 					service_keyblock,
 					client_principal, 
-					tgs_authtime);
+					tgs_authtime,
+					k5ret);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		return nt_status;
 	}