From 56e7c149babcf41e5c510104a8e0cdca56f227f0 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 1 Apr 2004 12:31:50 +0000
Subject: This restructures lib/afs.c so that the token data can be but into a stream. This is to implement wbinfo -k that asks winbind for authentication which then creates the AFS token for the authenticated user. Volker (This used to be commit 2df6750a079820826013360fb9e47f90bc8223a5)
---
 source3/nsswitch/wbinfo.c | 67 +++++++++++++++++++++++++++++++++++++++++
 source3/nsswitch/winbindd_nss.h | 1 +
 source3/nsswitch/winbindd_pam.c | 35 +++++++++++++++++++++
 3 files changed, 103 insertions(+)
(limited to 'source3/nsswitch')
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 81626998b3..2cea4130ad 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -594,6 +594,64 @@ static BOOL wbinfo_auth_crap(char *username)
 return result == NSS_STATUS_SUCCESS;
 }
 
+/* Authenticate a user with a plaintext password and set a token */
+
+static BOOL wbinfo_klog(char *username)
+{
+ struct winbindd_request request;
+ struct winbindd_response response;
+ NSS_STATUS result;
+ char *p;
+
+ /* Send off request */
+
+ ZERO_STRUCT(request);
+ ZERO_STRUCT(response);
+
+ p = strchr(username, '%');
+
+ if (p) {
+ *p = 0;
+ fstrcpy(request.data.auth.user, username);
+ fstrcpy(request.data.auth.pass, p + 1);
+ *p = '%';
+ } else {
+ fstrcpy(request.data.auth.user, username);
+ fstrcpy(request.data.auth.pass, getpass("Password: "));
+ }
+
+ request.flags |= WBFLAG_PAM_AFS_TOKEN;
+
+ result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
+
+ /* Display response */
+
+ d_printf("plaintext password authentication %s\n",
+ (result == NSS_STATUS_SUCCESS) ? "succeeded" : "failed");
+
+ if (response.data.auth.nt_status)
+ d_printf("error code was %s (0x%x)\nerror messsage was: %s\n",
+ response.data.auth.nt_status_string,
+ response.data.auth.nt_status,
+ response.data.auth.error_string);
+
+ if (result != NSS_STATUS_SUCCESS)
+ return False;
+
+ if (response.extra_data == NULL) {
+ d_printf("Did not get token data\n");
+ return False;
+ }
+
+ if (!afs_settoken_str((char *)response.extra_data)) {
+ d_printf("Could not set token\n");
+ return False;
+ }
+
+ d_printf("Successfully created AFS token\n");
+ return True;
+}
+
 /******************************************************************
 create a winbindd user
 ******************************************************************/
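Review bot: `wbinfo_klog` leaves both secrets it handles in memory on every exit path: the plaintext password copied into `request.data.auth.pass` is never cleared after `winbindd_request()` returns, and the token string in `response.extra_data` is neither wiped nor freed on the three return paths that follow. Consider routing the returns through a single exit that does `ZERO_STRUCT(request);` and `SAFE_FREE(response.extra_data);`, keeping in mind that a plain memset-style clear can be elided by the optimizer, so a non-elidable wipe is preferable if the tree has one. Separately, `getpass()` can return NULL when no terminal is available and its result is passed straight to `fstrcpy`; whether `fstrcpy` tolerates a NULL source is not visible in this hunk, so an explicit check would be safer.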
@@ -1001,6 +1059,9 @@ int main(int argc, char **argv)
 { "get-auth-user", 0, POPT_ARG_NONE, NULL, OPT_GET_AUTH_USER, "Retrieve user and password used by winbindd (root only)", NULL },
 { "ping", 'p', POPT_ARG_NONE, 0, 'p', "Ping winbindd to see if it is alive" },
 { "domain", 0, POPT_ARG_STRING, &opt_domain_name, OPT_DOMAIN_NAME, "Define to the domain to restrict operation", "domain" },
+#ifdef WITH_FAKE_KASERVER
+ { "klog", 'k', POPT_ARG_STRING, &string_arg, 'k', "set an AFS token from winbind", "user%password" },
+#endif
 POPT_COMMON_VERSION
 POPT_TABLEEND
 };
@@ -1160,6 +1221,12 @@ int main(int argc, char **argv)
 goto done;
 break;
 }
+ case 'k':
+ if (!wbinfo_klog(string_arg)) {
+ d_printf("Could not klog user\n");
+ goto done;
+ }
+ break;
 case 'c':
 if ( !wbinfo_create_user(string_arg) ) {
 d_printf("Could not create user account\n");
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 0d110b8afa..c8fe5c826c 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -156,6 +156,7 @@ typedef struct winbindd_gr {
 #define WBFLAG_QUERY_ONLY 0x0020
 #define WBFLAG_ALLOCATE_RID 0x0040
 #define WBFLAG_PAM_UNIX_NAME 0x0080
+#define WBFLAG_PAM_AFS_TOKEN 0x0100
 
 /* Winbind request structure */
 
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 37b2a9f21b..1d232edfe3 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
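Review bot: The new `klog` table entry advertises its argument as `"user%password"`, which steers users toward putting the plaintext password in argv, where other local users can read it from the process list and where it tends to end up in shell history. `wbinfo_klog` already prompts when no `%` is present, so the descriptor could read `"user[%password]"` and the help text could say that omitting the password prompts for it. Also note that the `case 'k':` arm added in the next hunk is not wrapped in `#ifdef WITH_FAKE_KASERVER` like the table entry; that is harmless only if `afs_settoken_str` is defined in every build, which this diff does not show.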
@@ -211,6 +211,41 @@ done:
 state->response.data.auth.nt_status_string,
 state->response.data.auth.pam_error));
 
+ if ( NT_STATUS_IS_OK(result) &&
+ (state->request.flags & WBFLAG_PAM_AFS_TOKEN) ) {
+
+ char *afsname = strdup(lp_afs_username_map());
+ char *cell;
+
+ if (afsname == NULL) goto no_token;
+
+ afsname = realloc_string_sub(afsname, "%D", name_domain);
+ afsname = realloc_string_sub(afsname, "%u", name_user);
+ afsname = realloc_string_sub(afsname, "%U", name_user);
+
+ if (afsname == NULL) goto no_token;
+
+ strlower_m(afsname);
+
+ cell = strchr(afsname, '@');
+
+ if (cell == NULL) goto no_token;
+
+ *cell = '\0';
+ cell += 1;
+
+ /* Append an AFS token string */
+ state->response.extra_data =
+ afs_createtoken_str(afsname, cell);
+
+ if (state->response.extra_data != NULL)
+ state->response.length +=
+ strlen(state->response.extra_data)+1;
+
+ no_token:
+ SAFE_FREE(afsname);
+ }
+
 if (mem_ctx)
 talloc_destroy(mem_ctx);
 
-- cgit
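Review bot: The user/cell split in the token block takes the first `@` in `afsname` after `name_domain` and `name_user` have been substituted into the map, so an `@` arriving through either name would move the boundary and change which principal and cell `afs_createtoken_str` is asked to mint a token for. Since winbindd is the party minting the token here, it seems worth refusing such names before substitution, e.g. `if (strchr(name_user, '@') || strchr(name_domain, '@')) goto no_token;` right after the first `afsname == NULL` check (if names containing `@` can be legitimate at this point, locate the separator in the map template instead). The three `realloc_string_sub` calls are also only checked after the last one; whether that helper accepts a NULL input or frees its argument on failure is not visible here, so checking after each call would avoid relying on it. The enclosing function begins and ends outside this hunk.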