X-Git-Url: http://git.samba.org/?p=samba.git;a=blobdiff_plain;f=source3%2Fwinbindd%2Fwinbindd_pam.c;h=83f75f5e5649c1ce35761b8de6f26edff8564bbc;hp=55764178502f810a915ddc2e5fe6bce0374fa4aa;hb=4bf783d4d6693f927f5e7ef7a9855766c91983f2;hpb=4e4228bd5d970350516162cc716ec2e083ead56f
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 55764178502..83f75f5e564 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -256,7 +256,7 @@ static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
  */
  {
  struct dom_sid *require_membership_of_sid;
- size_t num_require_membership_of_sid;
+ uint32_t num_require_membership_of_sid;
  char *req_sid;
  const char *p;
  struct dom_sid sid;
@@ -463,7 +463,7 @@ static NTSTATUS get_pwd_properties(struct winbindd_domain *domain,
 static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
  const char *type,
  uid_t uid,
- bool *internal_ccache)
+ const char **user_ccache_file)
 {
  /* accept FILE and WRFILE as krb5_cc_type from the client and then
  * build the full ccname string based on the user's uid here -
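Review bot: The new `const char **user_ccache_file` out-parameter in generate_krb5_ccache's signature is undocumented, and the comment that opens the body only describes how the FILE/WRFILE name is built; the function's body continues outside this hunk. The rest of the diff shows the parameter being used as a tri-state result (a FILE:/WRFILE: name for the caller's uid, or NULL when the internal MEMORY ccache is used) that callers copy into the response and branch on, which is worth stating at the declaration rather than leaving to be inferred. A short block above the signature along the lines of `/* user_ccache_file: receives the FILE:/WRFILE: ccache name built for uid, or NULL when an internal MEMORY ccache is used */` would do.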
@@ -471,62 +471,33 @@ static const char *generate_krb5_ccache(TALLOC_CTX *mem_ctx,
  const char *gen_cc = NULL;
- *internal_ccache = true;
-
- if (uid == -1) {
- goto memory_ccache;
+ if (uid != -1) {
+ if (strequal(type, "FILE")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
+ }
+ if (strequal(type, "WRFILE")) {
+ gen_cc = talloc_asprintf(
+ mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
+ }
+ }
- if (!type || type[0] == '\0') {
- goto memory_ccache;
- }
+ *user_ccache_file = gen_cc;
- if (strequal(type, "FILE")) {
- gen_cc = talloc_asprintf(mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
- } else if (strequal(type, "WRFILE")) {
- gen_cc = talloc_asprintf(mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
- } else {
- DEBUG(10,("we don't allow to set a %s type ccache\n", type));
- goto memory_ccache;
+ if (gen_cc == NULL) {
+ gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
  }
-
- *internal_ccache = false;
- goto done;
-
- memory_ccache:
- gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
-
- done:
  if (gen_cc == NULL) {
  DEBUG(0,("out of memory\n"));
  return NULL;
  }
- DEBUG(10,("using ccache: %s %s\n", gen_cc, *internal_ccache ? "(internal)":""));
+ DEBUG(10, ("using ccache: %s%s\n", gen_cc,
+ (*user_ccache_file == NULL) ? " (internal)":""));
  return gen_cc;
 }
-static void setup_return_cc_name(struct winbindd_cli_state *state, const char *cc)
-{
- const char *type = state->request->data.auth.krb5_cc_type;
-
- state->response->data.auth.krb5ccname[0] = '\0';
-
- if (type[0] == '\0') {
- return;
- }
-
- if (!strequal(type, "FILE") &&
- !strequal(type, "WRFILE")) {
- DEBUG(10,("won't return krbccname for a %s type ccache\n",
- type));
- return;
- }
-
- fstrcpy(state->response->data.auth.krb5ccname, cc);
-}
-
 #endif
 uid_t get_uid_from_request(struct winbindd_request *request)
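Review bot: An allocation failure in the FILE/WRFILE branch is now masked rather than reported: when `talloc_asprintf()` returns NULL for a client that asked for a FILE or WRFILE ccache, `*user_ccache_file` becomes NULL and the next block quietly substitutes the MEMORY ccache, so the login proceeds without a user ccache and the caller never sees the `out of memory` return that the removed code reached in the same situation. The explicit rejection path for any other `type` value is gone as well, taking its `DEBUG(10)` line with it, so an unsupported krb5_cc_type now falls back to MEMORY with no trace in the log; keeping `DEBUG(10,("we don't allow to set a %s type ccache\n", type));` in an else branch would preserve that diagnostic. The removed `!type || type[0] == '\0'` guard also means `type` is now handed straight to `strequal()`, which is only safe if strequal tolerates a NULL argument, something this diff does not show. Checking the asprintf result inside each branch keeps the OOM report intact:
```c
	if (uid != -1) {
		if (strequal(type, "FILE")) {
			gen_cc = talloc_asprintf(
				mem_ctx, "FILE:/tmp/krb5cc_%d", uid);
			if (gen_cc == NULL) {
				DEBUG(0,("out of memory\n"));
				return NULL;
			}
		}
		if (strequal(type, "WRFILE")) {
			gen_cc = talloc_asprintf(
				mem_ctx, "WRFILE:/tmp/krb5cc_%d", uid);
			if (gen_cc == NULL) {
				DEBUG(0,("out of memory\n"));
				return NULL;
			}
		}
	}
	/* … unchanged: *user_ccache_file assignment, MEMORY fallback, debug output, return … */
```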
@@ -569,7 +540,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
  uid_t uid = -1;
  ADS_STRUCT *ads;
  time_t time_offset = 0;
- bool internal_ccache = true;
+ const char *user_ccache_file;
  struct PAC_LOGON_INFO *logon_info = NULL;
  *info3 = NULL;
@@ -585,7 +556,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
  cc = generate_krb5_ccache(state->mem_ctx,
  state->request->data.auth.krb5_cc_type,
  state->request->data.auth.uid,
- &internal_ccache);
+ &user_ccache_file);
  if (cc == NULL) {
  return NT_STATUS_NO_MEMORY;
  }
@@ -623,7 +594,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
  /************************ ENTERING NON-ROOT **********************/
- if (!internal_ccache) {
+ if (user_ccache_file != NULL) {
  set_effective_uid(uid);
  DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
  }
@@ -640,7 +611,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
  WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
  NULL,
  &logon_info);
- if (!internal_ccache) {
+ if (user_ccache_file != NULL) {
  gain_root_privilege();
  }
@@ -658,9 +629,10 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
  /* if we had a user's ccache then return that string for the pam
  * environment */
- if (!internal_ccache) {
+ if (user_ccache_file != NULL) {
- setup_return_cc_name(state, cc);
+ fstrcpy(state->response->data.auth.krb5ccname,
+ user_ccache_file);
  result = add_ccache_to_list(principal_s,
  cc,
@@ -838,8 +810,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
  parse_domain_user(state->request->data.auth.user, name_domain, name_user);
- if (!lookup_cached_name(state->mem_ctx,
- name_domain,
+ if (!lookup_cached_name(name_domain,
  name_user,
  &sid,
  &type)) {
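Review bot: `const char *user_ccache_file;` in the -569 hunk replaces a variable the removed code initialised (`bool internal_ccache = true;`) with one that is left uninitialised, and the -945 hunk in winbindd_dual_pam_auth_cached does the same. It is only read after generate_krb5_ccache() has returned non-NULL, and that function stores through the pointer before its own NULL return, so there is no uninitialised read today, but the guarantee lives in another function and a later reordering or early `goto` would break it silently. Writing `const char *user_ccache_file = NULL;` in both places makes the "no user ccache" default explicit and keeps -Wmaybe-uninitialized quiet.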
@@ -945,7 +916,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
  char *realm = NULL;
  const char *principal_s = NULL;
  const char *service = NULL;
- bool internal_ccache = false;
+ const char *user_ccache_file;
  uid = get_uid_from_state(state);
  if (uid == -1) {
@@ -956,7 +927,7 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
  cc = generate_krb5_ccache(state->mem_ctx,
  state->request->data.auth.krb5_cc_type,
  state->request->data.auth.uid,
- &internal_ccache);
+ &user_ccache_file);
  if (cc == NULL) {
  return NT_STATUS_NO_MEMORY;
  }
@@ -974,9 +945,10 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
  return NT_STATUS_NO_MEMORY;
  }
- if (!internal_ccache) {
+ if (user_ccache_file != NULL) {
- setup_return_cc_name(state, cc);
+ fstrcpy(state->response->data.auth.krb5ccname,
+ user_ccache_file);
  result = add_ccache_to_list(principal_s,
  cc,
@@ -1005,7 +977,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
  my_info3->base.bad_password_count = 0;
  result = winbindd_update_creds_by_info3(domain,
- state->mem_ctx,
  state->request->data.auth.user,
  state->request->data.auth.pass,
  my_info3);
@@ -1053,7 +1024,6 @@ static NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 failed:
  result = winbindd_update_creds_by_info3(domain,
- state->mem_ctx,
  state->request->data.auth.user,
  NULL,
  my_info3);
@@ -1314,7 +1284,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
  DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
  "retrying with NetSamLogon\n"));
  domain->can_do_samlogon_ex = false;
- retry = true;
  continue;
  }
@@ -1323,7 +1292,6 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(struct winbindd_domain *domain,
  our connection. */
  if (!rpccli_is_connected(netlogon_pipe)) {
- retry = true;
  continue;
  }
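Review bot: The `continue;` statements in the -1314 and -1323 hunks are kept while the `retry = true;` that preceded each of them is dropped, and the same pair of edits appears in winbindd_dual_pam_auth_crap at the -1792 and -1803 hunks. The enclosing retry loop's header and exit condition lie outside all four hunks, so this diff does not show whether `retry` was also removed from the loop condition; if it still gates the loop, each `continue` now leaves the loop after the first failed attempt instead of retrying with NetSamLogon or a fresh connection. Worth confirming against the loop condition, and once confirmed a one-line comment above the first `continue` naming what now bounds the number of attempts would document the intended control flow.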
@@ -1429,11 +1397,6 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
  DEBUG(3, ("[%5lu]: dual pam auth %s\n", (unsigned long)state->pid, state->request->data.auth.user));
- if (!check_request_flags(state->request->flags)) {
- result = NT_STATUS_INVALID_PARAMETER_MIX;
- goto done;
- }
-
  /* Parse domain and username */
  name_map_status = normalize_name_unmap(state->mem_ctx,
@@ -1617,18 +1580,15 @@ process_result:
  goto done;
  }
- if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
+ if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)
+ && lp_winbind_offline_logon()) {
- if (lp_winbind_offline_logon()) {
- result = winbindd_store_creds(domain,
- state->mem_ctx,
+ result = winbindd_store_creds(domain,
  state->request->data.auth.user,
  state->request->data.auth.pass,
  info3);
- }
  }
-
  if (state->request->flags & WBFLAG_PAM_GET_PWD_POLICY) {
  struct winbindd_domain *our_domain = find_our_domain();
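Review bot: The `check_request_flags()` guard that rejected inconsistent WBFLAG_PAM_* combinations with NT_STATUS_INVALID_PARAMETER_MIX is removed from winbindd_dual_pam_auth in the -1429 hunk, and the identical guard is removed from winbindd_dual_pam_auth_crap in the -1693 hunk, with no replacement visible anywhere in this diff. If the validation moved to the request handlers that run before these child functions are entered, both functions now depend on a caller-side invariant that nothing here states, and if it did not move, the children now process flag combinations they used to refuse. A one-line comment at each point of removal, e.g. `/* request flags are validated by the caller before this child function is dispatched */`, would record the precondition once it has been confirmed, and the commit message should say where the check went.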
@@ -1693,33 +1653,13 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
  state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
  state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
- if (!check_request_flags(state->request->flags)) {
- result = NT_STATUS_INVALID_PARAMETER_MIX;
- goto done;
- }
-
  name_user = state->request->data.auth_crap.user;
-
- if (*state->request->data.auth_crap.domain) {
- name_domain = state->request->data.auth_crap.domain;
- } else if (lp_winbind_use_default_domain()) {
- name_domain = lp_workgroup();
- } else {
- DEBUG(5,("no domain specified with username (%s) - failing auth\n",
- name_user));
- result = NT_STATUS_NO_SUCH_USER;
- goto done;
- }
+ name_domain = state->request->data.auth_crap.domain;
+ workstation = state->request->data.auth_crap.workstation;
  DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid, name_domain, name_user));
- if (*state->request->data.auth_crap.workstation) {
- workstation = state->request->data.auth_crap.workstation;
- } else {
- workstation = global_myname();
- }
-
  if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp) || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
  if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
@@ -1792,7 +1732,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
  DEBUG(3, ("Got a DC that can not do NetSamLogonEx, "
  "retrying with NetSamLogon\n"));
  domain->can_do_samlogon_ex = false;
- retry = true;
  continue;
  }
@@ -1803,7 +1742,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
  our connection. */
  if (!rpccli_is_connected(netlogon_pipe)) {
- retry = true;
  continue;
  }
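Review bot: In the -1693 hunk `name_domain` and `workstation` are now taken verbatim from the request, and the removed branches that substituted `lp_workgroup()` for an empty domain, `global_myname()` for an empty workstation, and failed with NT_STATUS_NO_SUCH_USER when neither a domain nor a default domain was available have no visible counterpart in this diff. As written, an auth_crap request with an empty domain string continues with `name_domain` equal to "" and the `no domain specified ... failing auth` rejection never fires here; that is only correct if the caller now fills both fields in before handing the request to this function, which cannot be confirmed from these hunks. A brief comment next to the two assignments, e.g. `/* domain and workstation arrive already defaulted by the caller */`, would make the new precondition visible to the next reader once it has been verified.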
@@ -1961,8 +1899,7 @@ done:
  if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
  if (lp_winbind_offline_logon()) {
  result = winbindd_update_creds_by_name(contact_domain,
- state->mem_ctx, user,
- newpass);
+ user, newpass);
  /* Again, this happens when we login from gdm or xdm
  * and the password expires, *BUT* cached crendentials
  * doesn't exist. winbindd_update_creds_by_name()