From 68e1991c6cfd34a6852c5be24259285c6214ea3c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 2 Oct 2009 21:31:05 +1000 Subject: s4-winbind: support the Samba3 TXT form of the info3 for wbinfo -a This sends the info3 as hand marshalled data --- source4/winbind/wb_samba3_cmd.c | 112 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) (limited to 'source4/winbind/wb_samba3_cmd.c') diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c index b219615b1e..280c47a274 100644 --- a/source4/winbind/wb_samba3_cmd.c +++ b/source4/winbind/wb_samba3_cmd.c @@ -29,11 +29,114 @@ #include "libcli/composite/composite.h" #include "version.h" #include "librpc/gen_ndr/netlogon.h" +#include "librpc/gen_ndr/ndr_netlogon.h" #include "libcli/security/security.h" #include "auth/ntlm/pam_errors.h" #include "auth/credentials/credentials.h" #include "smbd/service_task.h" +/* + support the old Samba3 TXT form of the info3 + */ +static NTSTATUS wb_samba3_append_info3_as_txt(TALLOC_CTX *mem_ctx, + struct wbsrv_samba3_call *s3call, + DATA_BLOB info3b) +{ + struct netr_SamInfo3 *info3; + char *ex; + uint32_t i; + enum ndr_err_code ndr_err; + + info3 = talloc(mem_ctx, struct netr_SamInfo3); + NT_STATUS_HAVE_NO_MEMORY(info3); + + /* The Samba3 protocol has a redundent 4 bytes at the start */ + info3b.data += 4; + info3b.length -= 4; + + ndr_err = ndr_pull_struct_blob(&info3b, + mem_ctx, + lp_iconv_convenience(s3call->wbconn->lp_ctx), + info3, + (ndr_pull_flags_fn_t)ndr_pull_netr_SamInfo3); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + + s3call->response.data.auth.info3.logon_time = + nt_time_to_unix(info3->base.last_logon); + s3call->response.data.auth.info3.logoff_time = + nt_time_to_unix(info3->base.last_logoff); + s3call->response.data.auth.info3.kickoff_time = + nt_time_to_unix(info3->base.acct_expiry); + s3call->response.data.auth.info3.pass_last_set_time = + nt_time_to_unix(info3->base.last_password_change); + s3call->response.data.auth.info3.pass_can_change_time = + nt_time_to_unix(info3->base.allow_password_change); + s3call->response.data.auth.info3.pass_must_change_time = + nt_time_to_unix(info3->base.force_password_change); + + s3call->response.data.auth.info3.logon_count = info3->base.logon_count; + s3call->response.data.auth.info3.bad_pw_count = info3->base.bad_password_count; + + s3call->response.data.auth.info3.user_rid = info3->base.rid; + s3call->response.data.auth.info3.group_rid = info3->base.primary_gid; + fstrcpy(s3call->response.data.auth.info3.dom_sid, dom_sid_string(mem_ctx, info3->base.domain_sid)); + + s3call->response.data.auth.info3.num_groups = info3->base.groups.count; + s3call->response.data.auth.info3.user_flgs = info3->base.user_flags; + + s3call->response.data.auth.info3.acct_flags = info3->base.acct_flags; + s3call->response.data.auth.info3.num_other_sids = info3->sidcount; + + fstrcpy(s3call->response.data.auth.info3.user_name, + info3->base.account_name.string); + fstrcpy(s3call->response.data.auth.info3.full_name, + info3->base.full_name.string); + fstrcpy(s3call->response.data.auth.info3.logon_script, + info3->base.logon_script.string); + fstrcpy(s3call->response.data.auth.info3.profile_path, + info3->base.profile_path.string); + fstrcpy(s3call->response.data.auth.info3.home_dir, + info3->base.home_directory.string); + fstrcpy(s3call->response.data.auth.info3.dir_drive, + info3->base.home_drive.string); + + fstrcpy(s3call->response.data.auth.info3.logon_srv, + info3->base.logon_server.string); + fstrcpy(s3call->response.data.auth.info3.logon_dom, + info3->base.domain.string); + + ex = talloc_strdup(mem_ctx, ""); + NT_STATUS_HAVE_NO_MEMORY(ex); + + for (i=0; i < info3->base.groups.count; i++) { + ex = talloc_asprintf_append_buffer(ex, "0x%08X:0x%08X\n", + info3->base.groups.rids[i].rid, + info3->base.groups.rids[i].attributes); + NT_STATUS_HAVE_NO_MEMORY(ex); + } + + for (i=0; i < info3->sidcount; i++) { + char *sid; + + sid = dom_sid_string(mem_ctx, info3->sids[i].sid); + NT_STATUS_HAVE_NO_MEMORY(sid); + + ex = talloc_asprintf_append_buffer(ex, "%s:0x%08X\n", + sid, + info3->sids[i].attributes); + NT_STATUS_HAVE_NO_MEMORY(ex); + + talloc_free(sid); + } + + s3call->response.extra_data.data = ex; + s3call->response.length += talloc_get_size(ex); + + return NT_STATUS_OK; +} + /* Send off the reply to an async Samba3 query, handling filling in the PAM, NTSTATUS and string errors. */ @@ -554,6 +657,15 @@ static void pam_auth_crap_recv(struct composite_context *ctx) sizeof(s3call->response.data.auth.user_session_key)); } + if (s3call->request.flags & WBFLAG_PAM_INFO3_TEXT) { + status = wb_samba3_append_info3_as_txt(ctx, s3call, info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("Failed to append INFO3 (TXT): %s\n", + nt_errstr(status))); + goto done; + } + } + if (s3call->request.flags & WBFLAG_PAM_INFO3_NDR) { s3call->response.extra_data.data = info3.data; s3call->response.length += info3.length; -- cgit From 83e9b1c325964a016b499ad124d161eb20f6c26c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 2 Oct 2009 22:17:42 +1000 Subject: s4-winbind: support the s3 response flags on krb5 auth too This fixes the samba4.blackbox.wbinfo test, which was failing on a wbinfo -K command --- source4/winbind/wb_samba3_cmd.c | 41 +++++++++++++++++++++++++++++++++++++++-- 1 file changed, 39 insertions(+), 2 deletions(-) (limited to 'source4/winbind/wb_samba3_cmd.c') diff --git a/source4/winbind/wb_samba3_cmd.c b/source4/winbind/wb_samba3_cmd.c index 280c47a274..c5fba92f14 100644 --- a/source4/winbind/wb_samba3_cmd.c +++ b/source4/winbind/wb_samba3_cmd.c @@ -299,7 +299,7 @@ static void check_machacc_recv(struct composite_context *ctx) struct wbsrv_samba3_call); NTSTATUS status; - status = wb_cmd_pam_auth_recv(ctx); + status = wb_cmd_pam_auth_recv(ctx, s3call, NULL, NULL, NULL, NULL); if (!NT_STATUS_IS_OK(status)) goto done; @@ -734,11 +734,48 @@ static void pam_auth_recv(struct composite_context *ctx) talloc_get_type(ctx->async.private_data, struct wbsrv_samba3_call); NTSTATUS status; + DATA_BLOB info3; + struct netr_UserSessionKey user_session_key; + struct netr_LMSessionKey lm_key; + char *unix_username; - status = wb_cmd_pam_auth_recv(ctx); + status = wb_cmd_pam_auth_recv(ctx, s3call, &info3, + &user_session_key, &lm_key, &unix_username); if (!NT_STATUS_IS_OK(status)) goto done; + if (s3call->request.flags & WBFLAG_PAM_USER_SESSION_KEY) { + memcpy(s3call->response.data.auth.user_session_key, + &user_session_key.key, + sizeof(s3call->response.data.auth.user_session_key)); + } + + if (s3call->request.flags & WBFLAG_PAM_INFO3_TEXT) { + status = wb_samba3_append_info3_as_txt(ctx, s3call, info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("Failed to append INFO3 (TXT): %s\n", + nt_errstr(status))); + goto done; + } + } + + if (s3call->request.flags & WBFLAG_PAM_INFO3_NDR) { + s3call->response.extra_data.data = info3.data; + s3call->response.length += info3.length; + } + + if (s3call->request.flags & WBFLAG_PAM_LMKEY) { + memcpy(s3call->response.data.auth.first_8_lm_hash, + lm_key.key, + sizeof(s3call->response.data.auth.first_8_lm_hash)); + } + + if (s3call->request.flags & WBFLAG_PAM_UNIX_NAME) { + s3call->response.extra_data.data = unix_username; + s3call->response.length += strlen(unix_username)+1; + } + + done: wbsrv_samba3_async_auth_epilogue(status, s3call); } -- cgit