ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
else if (!strcasecmp(*argv, "unknown_ok"))
ctrl |= WINBIND_UNKNOWN_OK_ARG;
- else if (!strncasecmp(*argv, "required_membership", strlen("required_membership")))
+ else if (!strncasecmp(*argv, "require_membership_of", strlen("require_membership_of")))
+ ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
+ else if (!strncasecmp(*argv, "require-membership-of", strlen("require-membership-of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
else {
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
/* lookup name? */
if (!strncmp("S-", member, 2) == 0) {
- struct winbindd_request request;
- struct winbindd_response response;
+ struct winbindd_request sid_request;
+ struct winbindd_response sid_response;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
return PAM_AUTH_ERR;
}
- member = strdup(response.data.sid.sid);
+ member = response.data.sid.sid;
}
- strncpy(request.data.auth.required_membership_sid, member,
- sizeof(request.data.auth.required_membership_sid)-1);
+ strncpy(request.data.auth.require_membership_of_sid, member,
+ sizeof(request.data.auth.require_membership_of_sid)-1);
return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
}
/* Retrieve membership-string here */
for ( i=0; i<argc; i++ ) {
- if (!strncmp(argv[i], "required_membership", strlen("required_membership"))) {
+ if (!strncmp(argv[i], "require_membership_of", strlen("require_membership_of"))) {
char *p;
char *parm = strdup(argv[i]);
NET_USER_INFO_3 *info3,
const char *group_sid)
{
- DOM_SID required_membership_sid;
+ DOM_SID require_membership_of_sid;
DOM_SID *all_sids;
size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
size_t i, j = 0;
return NT_STATUS_OK;
}
- if (!string_to_sid(&required_membership_sid, group_sid)) {
+ if (!string_to_sid(&require_membership_of_sid, group_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
group_sid));
fstring sid1, sid2;
DEBUG(10, ("User has SID: %s\n",
sid_to_string(sid1, &all_sids[i])));
- if (sid_equal(&required_membership_sid, &all_sids[i])) {
+ if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
- sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i])));
+ sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
return NT_STATUS_OK;
}
}
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth.user,
- state->request.data.auth.required_membership_sid));
+ state->request.data.auth.require_membership_of_sid));
}
}
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
TALLOC_CTX *mem_ctx = NULL;
- char *name_user = NULL;
+ const char *name_user = NULL;
const char *name_domain = NULL;
const char *workstation;
struct winbindd_domain *contact_domain;
/* send a better message than ACCESS_DENIED */
asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
get_winbind_priv_pipe_dir());
- push_utf8_fstring(state->response.data.auth.error_string, error_string);
+ fstrcpy(state->response.data.auth.error_string, error_string);
SAFE_FREE(error_string);
result = NT_STATUS_ACCESS_DENIED;
goto done;
state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
- if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
+ if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
- if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ name_user = state->request.data.auth_crap.user;
if (*state->request.data.auth_crap.domain) {
- char *dom = NULL;
- if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- name_domain = dom;
+ name_domain = state->request.data.auth_crap.domain;
} else if (lp_winbind_use_default_domain()) {
name_domain = lp_workgroup();
} else {
name_domain, name_user));
if (*state->request.data.auth_crap.workstation) {
- char *wrk = NULL;
- if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- workstation = wrk;
+ workstation = state->request.data.auth_crap.workstation;
} else {
workstation = global_myname();
}
netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth_crap.user,
- state->request.data.auth_crap.required_membership_sid));
+ state->request.data.auth_crap.require_membership_of_sid));
goto done;
}
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
- /* this interface is in UTF8 */
- if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+ state->response.extra_data = strdup(username_out);
+ if (!state->response.extra_data) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
- push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+ fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
- push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+ fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
state->request.data.chauthtok.user));
- if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s",
+ if (!(mem_ctx = talloc_init("winbind password change for %s",
state->request.data.chauthtok.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
static int request_user_session_key;
static const char *require_membership_of;
-static const char *require_membership_sid;
+static const char *require_membership_of_sid;
static char winbind_separator(void)
{
return True;
}
- if (require_membership_sid) {
+ if (require_membership_of_sid) {
return True;
}
return False;
}
- require_membership_sid = strdup(response.data.sid.sid);
+ require_membership_of_sid = strdup(response.data.sid.sid);
- if (require_membership_sid)
+ if (require_membership_of_sid)
return True;
return False;
fstrcpy(request.data.auth.user, user);
fstrcpy(request.data.auth.pass, pass);
- if (require_membership_sid)
- fstrcpy(request.data.auth.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
request.flags = flags;
- if (require_membership_sid)
- fstrcpy(request.data.auth_crap.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
- if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for username");
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for domain");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.user, username);
+ fstrcpy(request.data.auth_crap.domain, domain);
- if (push_utf8_fstring(request.data.auth_crap.workstation,
- workstation) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for workstation");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.workstation,
+ workstation);
memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
}
if (flags & WBFLAG_PAM_UNIX_NAME) {
- if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+ *unix_name = strdup((char *)response.extra_data);
+ if (!*unix_name) {
free_response(&response);
return NT_STATUS_NO_MEMORY;
}
NTSTATUS status;
if ( (opt_username == NULL) || (opt_domain == NULL) ) {
DEBUG(1, ("Need username and domain for NTLMSSP\n"));
- return status;
+ return NT_STATUS_INVALID_PARAMETER;
}
status = ntlmssp_client_start(client_ntlmssp_state);
case OPT_REQUIRE_MEMBERSHIP:
if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
- require_membership_sid = require_membership_of;
+ require_membership_of_sid = require_membership_of;
}
break;
}