From 1bc2f28b9420829645ed571daf2a17e6688b2103 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Wed, 18 Jul 2012 14:38:47 -0700 Subject: winbind: Extend wbcAuthenticateUserEx to provide PAC With this new interface, external applications that have authenticated to an ADS can pass the PAC from the Kerberos ticket to wbcAuthenticateUserEx. winbindd decodes and extracts the info3 information for the external application. If winbindd can verify the PAC signature, the info3 from the PACis also added to the netsamlogon_cache. The info3 data can be used by the external application to get the uid and primary gid. The data in netsamlogon_cache allows to retrieve the complete group list through the NSS function getgrouplist. Signed-off-by: Andrew Bartlett --- source3/winbindd/winbindd_pam_auth_crap.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) (limited to 'source3/winbindd/winbindd_pam_auth_crap.c') diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c index 2fb5111510..ffbc322fc0 100644 --- a/source3/winbindd/winbindd_pam_auth_crap.c +++ b/source3/winbindd/winbindd_pam_auth_crap.c @@ -22,6 +22,8 @@ struct winbindd_pam_auth_crap_state { struct winbindd_response *response; + struct netr_SamInfo3 *info3; + uint32_t flags; }; static void winbindd_pam_auth_crap_done(struct tevent_req *subreq); @@ -42,6 +44,21 @@ struct tevent_req *winbindd_pam_auth_crap_send( return NULL; } + if (request->flags & WBFLAG_PAM_AUTH_PAC) { + NTSTATUS status; + + state->flags = request->flags; + status = winbindd_pam_auth_pac_send(cli, &state->info3); + if (NT_STATUS_IS_OK(status)) { + /* Defer filling out response to recv */ + tevent_req_done(req); + } else { + tevent_req_nterror(req, status); + } + + return tevent_req_post(req, ev); + } + /* Ensure null termination */ request->data.auth_crap.user[ sizeof(request->data.auth_crap.user)-1] = '\0'; @@ -114,6 +131,12 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req, set_auth_errors(response, status); return status; } + + if (state->flags & WBFLAG_PAM_AUTH_PAC) { + return append_auth_data(response, response, state->flags, + state->info3, NULL, NULL); + } + *response = *state->response; response->result = WINBINDD_PENDING; state->response = talloc_move(response, &state->response); -- cgit