r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make
authorGünther Deschner <gd@samba.org>
Fri, 4 May 2007 10:21:39 +0000 (10:21 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:19:54 +0000 (12:19 -0500)
winbindd's kerberized pam_auth use that.

Guenther
(This used to be commit 0f436eab5b2e5891c341c27cb22db52a72bf1af7)

source3/libads/kerberos.c
source3/nsswitch/winbindd_cred_cache.c
source3/nsswitch/winbindd_pam.c

index dc3d11a60c2d5e7c21c7d79f17a0c096a4e778e1..c721b5638500ad45e03bdae9215cb5fd045a4582 100644 (file)
@@ -189,7 +189,8 @@ int kerberos_kinit_password_ext(const char *principal,
                                const char *cache_name,
                                BOOL request_pac,
                                BOOL add_netbios_addr,
-                               time_t renewable_time)
+                               time_t renewable_time,
+                               NTSTATUS *ntstatus)
 {
        krb5_context ctx = NULL;
        krb5_error_code code = 0;
@@ -267,6 +268,29 @@ int kerberos_kinit_password_ext(const char *principal,
                *renew_till_time = (time_t) my_creds.times.renew_till;
        }
  out:
+       if (ntstatus) {
+
+               NTSTATUS status;
+
+               /* fast path */
+               if (code == 0) {
+                       *ntstatus = NT_STATUS_OK;
+                       goto cleanup;
+               }
+
+               /* try to get ntstatus code out of krb5_error when we have it
+                * inside the krb5_get_init_creds_opt - gd */
+
+               if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) {
+                       *ntstatus = status;
+                       goto cleanup;
+               }
+
+               /* fall back to self-made-mapping */
+               *ntstatus = krb5_to_nt_status(code);
+       }
+
+ cleanup:
        krb5_free_cred_contents(ctx, &my_creds);
        if (me) {
                krb5_free_principal(ctx, me);
@@ -321,7 +345,8 @@ int ads_kinit_password(ADS_STRUCT *ads)
        }
        
        ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset,
-                       &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable);
+                       &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, 
+                       NULL);
 
        if (ret) {
                DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
@@ -580,7 +605,8 @@ int kerberos_kinit_password(const char *principal,
                                           cache_name,
                                           False,
                                           False,
-                                          0);
+                                          0,
+                                          NULL);
 }
 
 /************************************************************************
index 368090c39090b5a780cafa85a4eea2269f8c224d..2c9572d7f86cfabdb669030045f2e843f77d7080 100644 (file)
@@ -111,7 +111,8 @@ static void krb5_ticket_refresh_handler(struct event_context *event_ctx,
                                                  entry->ccname,
                                                  False, /* no PAC required anymore */
                                                  True,
-                                                 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+                                                 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+                                                 NULL);
                gain_root_privilege();
 
                if (ret) {
@@ -224,7 +225,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx,
                                                entry->ccname,
                                                False, /* no PAC required anymore */
                                                True,
-                                               WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+                                               WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+                                               NULL);
                gain_root_privilege();
 
                if (ret) {
index 59bff901ce4d65d656689ad7851f96857ad08a02..97c1ac4b9c392d701065ea5793676cb8beb4e50c 100644 (file)
@@ -564,12 +564,12 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
                                               cc, 
                                               True,
                                               True,
-                                              WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
+                                              WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+                                              &result);
 
        if (krb5_ret) {
                DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", 
                        principal_s, error_message(krb5_ret), krb5_ret));
-               result = krb5_to_nt_status(krb5_ret);
                goto failed;
        }