s3-libads: pass down local_service to kerberos_return_pac().
authorGünther Deschner <gd@samba.org>
Fri, 17 Jan 2014 13:29:03 +0000 (14:29 +0100)
committerGünther Deschner <gd@samba.org>
Wed, 12 Mar 2014 09:13:19 +0000 (10:13 +0100)
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source3/libads/authdata.c
source3/libads/kerberos_proto.h
source3/utils/net_ads.c
source3/winbindd/winbindd_pam.c

index 801e551edbde2c475a544c1577ec0c2f05d715e9..dd80dc24e44171bc7202632fae9fc9fa44ca7ef9 100644 (file)
@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             bool add_netbios_addr,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
+                            const char *local_service,
                             struct PAC_LOGON_INFO **_logon_info)
 {
        krb5_error_code ret;
        NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
        DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
        const char *auth_princ = NULL;
-       const char *local_service = NULL;
        const char *cc = "MEMORY:kerberos_return_pac";
        struct auth_session_info *session_info;
        struct gensec_security *gensec_server_context;
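Review bot: `local_service` is now supplied by the caller, but nothing visible in this hunk rejects a NULL value, whereas the removed code guaranteed a non-NULL string through `NT_STATUS_HAVE_NO_MEMORY(local_service)` before it was used. How the string is consumed lies outside the hunk, but since it names the service principal involved in obtaining the PAC, a guard near the top of the body such as `if (local_service == NULL) { return NT_STATUS_INVALID_PARAMETER; }` would preserve the old guarantee for any future caller. A one-line comment on the parameter stating the expected form, e.g. `/* machine account principal, "NETBIOSNAME$@REALM" */`, would also document the new contract. The body of kerberos_return_pac continues beyond this hunk.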
@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        }
        NT_STATUS_HAVE_NO_MEMORY(auth_princ);
 
-       local_service = talloc_asprintf(mem_ctx, "%s$@%s",
-                                       lp_netbios_name(), lp_realm());
-       NT_STATUS_HAVE_NO_MEMORY(local_service);
-
        ret = kerberos_kinit_password_ext(auth_princ,
                                          pass,
                                          time_offset,
index 255963405c7dfd1142d3f568bf300860c8953817..1151d66cd1527d4c441ff84bab8468aa2e46ea74 100644 (file)
@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             bool add_netbios_addr,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
+                            const char *local_service,
                             struct PAC_LOGON_INFO **logon_info);
 
 /* The following definitions come from libads/krb5_setpw.c  */
index 89eebf3388d55c31f7a893e0b6475715590d4d07..5a073b1cc71dd436ee76cfacfe65bf21fcbbbafd 100644 (file)
@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
        NTSTATUS status;
        int ret = -1;
        const char *impersonate_princ_s = NULL;
+       const char *local_service = NULL;
 
        if (c->display_usage) {
                d_printf(  "%s\n"
@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
                impersonate_princ_s = argv[0];
        }
 
+       local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+                                       lp_netbios_name(), lp_realm());
+       if (local_service == NULL) {
+               goto out;
+       }
+
        c->opt_password = net_prompt_pass(c, c->opt_user_name);
 
        status = kerberos_return_pac(mem_ctx,
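Review bot: The `"%s$@%s"` construction from `lp_netbios_name()` and `lp_realm()` now exists twice, here and in winbindd_raw_kerberos_login in source3/winbindd/winbindd_pam.c, so the two callers can drift apart on which principal the PAC is requested for. A single shared helper that builds the local machine principal would keep them consistent. Separately, the `goto out` on allocation failure leaves `ret` at -1 without printing anything, unlike the `d_printf` on the kerberos_return_pac failure path; consider `d_printf(_("out of memory\n"));` before the jump. The `out` label and the rest of net_ads_kerberos_pac are outside this hunk.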
@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
                                     true,
                                     2592000, /* one month */
                                     impersonate_princ_s,
+                                    local_service,
                                     &info);
        if (!NT_STATUS_IS_OK(status)) {
                d_printf(_("failed to query kerberos PAC: %s\n"),
index 3f3ec7090f27927f701ff5eb71489965bace6bfd..61e2cefd5224217fc7e915b6b0360fc3b2977deb 100644 (file)
@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        time_t time_offset = 0;
        const char *user_ccache_file;
        struct PAC_LOGON_INFO *logon_info = NULL;
+       const char *local_service;
 
        *info3 = NULL;
 
@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
+       local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+                                       lp_netbios_name(), lp_realm());
+       if (local_service == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+
        /* if this is a user ccache, we need to act as the user to let the krb5
         * library handle the chown, etc. */
 
@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                                     true,
                                     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
                                     NULL,
+                                    local_service,
                                     &logon_info);
        if (user_ccache_file != NULL) {
                gain_root_privilege();