s3-gse Use Heimdal gsskrb5_extract_authz_data_from_sec_context when available
authorAndrew Bartlett <abartlet@samba.org>
Sat, 16 Apr 2011 05:41:50 +0000 (15:41 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 16 Apr 2011 09:48:06 +0000 (19:48 +1000)
This seems to work against Heimdal, but the existing code did not.

This requires moving the PAC unwrap into gse_get_authz_data(), so it
is renamed to gse_get_pac_data().

Andrew Bartlett

source3/librpc/crypto/gse.c
source3/librpc/crypto/gse.h
source3/rpc_server/dcesrv_gssapi.c

index 87c945095a29139b62142828e804711a9bb5316b..6277338c0844e88f1753ba9679b631e4250a8c37 100644 (file)
@@ -656,16 +656,37 @@ NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
        return NT_STATUS_OK;
 }
 
-NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
-                           TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
+NTSTATUS gse_get_pac_data(struct gse_context *gse_ctx,
+                         TALLOC_CTX *mem_ctx, DATA_BLOB *pac)
 {
        OM_uint32 gss_min, gss_maj;
        gss_buffer_set_t set = GSS_C_NO_BUFFER_SET;
+       DATA_BLOB auth_data;
 
        if (!gse_ctx->authenticated) {
                return NT_STATUS_ACCESS_DENIED;
        }
-
+#ifdef HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT
+       {
+               gss_buffer_desc pac_buffer;
+               gss_maj = gsskrb5_extract_authz_data_from_sec_context(&gss_min, 
+                                                                     gse_ctx->gss_ctx,
+                                                                     KRB5_AUTHDATA_WIN2K_PAC,
+                                                                     &pac_buffer);
+       
+       
+               if (gss_maj == 0) {
+                       *pac = data_blob_talloc(mem_ctx, pac_buffer.value, pac_buffer.length);
+                       gss_release_buffer(&gss_min, &pac_buffer);
+                       
+               } else {
+                       DEBUG(0, ("gsskrb5_extract_authz_data_from_sec_context failed [%s]\n",
+                                 gse_errstr(talloc_tos(), gss_maj, gss_min)));
+                       
+                       return NT_STATUS_NOT_FOUND;
+               }
+       }
+#else
        gss_maj = gss_inquire_sec_context_by_oid(
                                &gss_min, gse_ctx->gss_ctx,
                                &gse_authz_data_oid, &set);
@@ -681,14 +702,18 @@ NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
                return NT_STATUS_INTERNAL_ERROR;
        }
 
-       /* for now we just hope it is the first value */
-       *pac = data_blob_talloc(mem_ctx,
-                               set->elements[0].value,
-                               set->elements[0].length);
-
-       gss_maj = gss_release_buffer_set(&gss_min, &set);
+       auth_data = data_blob_const(set->elements[0].value,
+                                   set->elements[0].length);
+       
+       if (!unwrap_pac(mem_ctx, &auth_data, pac)) {
+               DEBUG(1, ("Failed to unwrap PAC\n"));
+               gss_release_buffer_set(&gss_min, &set);
+               return NT_STATUS_ACCESS_DENIED;
+       }
 
-       return NT_STATUS_OK;
+       gss_release_buffer_set(&gss_min, &set);
+#endif
+       return NT_STATUS_OK;    
 }
 
 NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime)
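Review bot: In the Heimdal branch of gse_get_pac_data the result of data_blob_talloc() is never checked, so an allocation failure leaves *pac with data == NULL while the function still returns NT_STATUS_OK and the caller goes on to parse the PAC; after the data_blob_talloc line add `if (pac->data == NULL && pac_buffer.length != 0) { gss_release_buffer(&gss_min, &pac_buffer); return NT_STATUS_NO_MEMORY; }`. In the second hunk the rewrite drops the old comment while keeping the set->elements[0] assumption, so the comment should be kept on the data_blob_const line, e.g. `/* for now we just hope the PAC is the first element of the set */`. When HAVE_GSSKRB5_EXTRACT_AUTHZ_DATA_FROM_SEC_CONTEXT is defined the `set` local declared at the top of the function is never referenced, which will most likely warn as unused on that build; moving its declaration into the #else branch avoids that. The error handling for gss_inquire_sec_context_by_oid between the two hunks is outside the section and was not reviewed.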
index fbcf5b6e10d0846bb83a029a188a1ae7cf3e0595..27b00d390401e150796a481f15eb2e492adf273f 100644 (file)
@@ -54,8 +54,8 @@ DATA_BLOB gse_get_session_key(TALLOC_CTX *mem_ctx,
                                struct gse_context *gse_ctx);
 NTSTATUS gse_get_client_name(struct gse_context *gse_ctx,
                             TALLOC_CTX *mem_ctx, char **client_name);
-NTSTATUS gse_get_authz_data(struct gse_context *gse_ctx,
-                           TALLOC_CTX *mem_ctx, DATA_BLOB *pac);
+NTSTATUS gse_get_pac_data(struct gse_context *gse_ctx,
+                         TALLOC_CTX *mem_ctx, DATA_BLOB *pac);
 NTSTATUS gse_get_authtime(struct gse_context *gse_ctx, time_t *authtime);
 
 size_t gse_get_signature_length(struct gse_context *gse_ctx,
index ec024596332316ef14ef8d45e2cbc0c5aaeb90c3..c289adcd8792945d1ffbf8b45bc03ca6d1678004 100644 (file)
@@ -105,7 +105,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                                     struct auth_serversupplied_info **server_info)
 {
        TALLOC_CTX *tmp_ctx;
-       DATA_BLOB auth_data;
        time_t tgs_authtime;
        NTTIME tgs_authtime_nttime;
        DATA_BLOB pac;
@@ -129,7 +128,7 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = gse_get_authz_data(gse_ctx, tmp_ctx, &auth_data);
+       status = gse_get_pac_data(gse_ctx, tmp_ctx, &pac);
        if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
                /* TODO: Fetch user by principal name ? */
                status = NT_STATUS_ACCESS_DENIED;
@@ -139,13 +138,6 @@ NTSTATUS gssapi_server_get_user_info(struct gse_context *gse_ctx,
                goto done;
        }
 
-       bret = unwrap_pac(tmp_ctx, &auth_data, &pac);
-       if (!bret) {
-               DEBUG(1, ("Failed to unwrap PAC\n"));
-               status = NT_STATUS_ACCESS_DENIED;
-               goto done;
-       }
-
        status = gse_get_client_name(gse_ctx, tmp_ctx, &princ_name);
        if (!NT_STATUS_IS_OK(status)) {
                goto done;