return NT_STATUS_OK;
}
-static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3,
- const char *group_sid)
+NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ const char *group_sid)
/**
* Check whether a user belongs to a group or list of groups.
*
DOM_SID sid;
size_t i;
struct nt_user_token *token;
- TALLOC_CTX *frame = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
/* Parse the 'required group' SID */
return NT_STATUS_OK;
}
- if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
+ token = talloc_zero(talloc_tos(), struct nt_user_token);
+ if (token == NULL) {
DEBUG(0, ("talloc failed\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
p = group_sid;
- frame = talloc_stackframe();
- while (next_token_talloc(frame, &p, &req_sid, ",")) {
+ while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
if (!string_to_sid(&sid, req_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s "
"as a SID!", req_sid));
return NT_STATUS_INVALID_PARAMETER;
}
- status = add_sid_to_array(mem_ctx, &sid,
+ status = add_sid_to_array(talloc_tos(), &sid,
&require_membership_of_sid,
&num_require_membership_of_sid);
if (!NT_STATUS_IS_OK(status)) {
}
}
- TALLOC_FREE(frame);
-
- status = sid_array_from_info3(mem_ctx, info3,
+ status = sid_array_from_info3(talloc_tos(), info3,
&token->user_sids,
&token->num_sids,
true, false);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}
token))) {
DEBUG(3, ("could not add aliases: %s\n",
nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
if (nt_token_check_sid(&require_membership_of_sid[i],
token)) {
DEBUG(10, ("Access ok\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
}
/* Do not distinguish this error from a wrong username/pw */
+ TALLOC_FREE(frame);
return NT_STATUS_LOGON_FAILURE;
}
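Review bot: With `frame` now allocated at its declaration (`TALLOC_CTX *frame = talloc_stackframe();`), the two exits that did not gain a `TALLOC_FREE(frame);` in this hunk — the `return NT_STATUS_OK;` in the no-group-supplied path just after the "Parse the 'required group' SID" comment, and the `return NT_STATUS_INVALID_PARAMETER;` on the string_to_sid failure inside the while loop — leave the stackframe unbalanced and leak the `token`, `req_sid` and SID-array allocations made on talloc_tos(). The body of the `if (!NT_STATUS_IS_OK(status))` after the add_sid_to_array call is elided in this view and presumably returns as well; if so it needs the same treatment. Insert `TALLOC_FREE(frame);` immediately before each of those returns so every exit path pops the frame, matching the other returns in the function. Several stretches of the function body are elided here, so there may be further early returns that this view does not show.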
static uid_t get_uid_from_state(struct winbindd_cli_state *state)
{
- uid_t uid = -1;
+ uid_t uid;
uid = state->request->data.auth.uid;
/****************************************************************
****************************************************************/
-static bool check_request_flags(uint32_t flags)
+bool check_request_flags(uint32_t flags)
{
uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
WBFLAG_PAM_INFO3_TEXT |
return true;
}
- DEBUG(1,("check_request_flags: invalid request flags[0x%08X]\n",flags));
+ DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
+ flags));
return false;
}
void winbindd_pam_auth(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
- fstring name_domain, name_user;
- char *mapped_user = NULL;
+ fstring name_domain, name_user, mapped_user;
+ char *mapped = NULL;
NTSTATUS result;
NTSTATUS name_map_status = NT_STATUS_UNSUCCESSFUL;
name_map_status = normalize_name_unmap(state->mem_ctx,
state->request->data.auth.user,
- &mapped_user);
+ &mapped);
/* If the name normalization didnt' actually do anything,
just use the original name */
- if (!NT_STATUS_IS_OK(name_map_status) &&
- !NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED))
- {
- mapped_user = state->request->data.auth.user;
+ if (NT_STATUS_IS_OK(name_map_status)
+ ||NT_STATUS_EQUAL(name_map_status, NT_STATUS_FILE_RENAMED)) {
+ fstrcpy(mapped_user, mapped);
+ } else {
+ fstrcpy(mapped_user, state->request->data.auth.user);
}
if (!canonicalize_username(mapped_user, name_domain, name_user)) {
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request->data.auth.user,
state->request->data.auth.require_membership_of_sid));
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth_crap.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth_crap.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so "
"crap authentication is rejected\n",
state->request->data.auth_crap.user,
struct rpc_pipe_client *cli;
bool got_info = false;
struct samr_DomInfo1 *info = NULL;
- struct samr_ChangeReject *reject = NULL;
+ struct userPwdChangeFailureInformation *reject = NULL;
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
fstring domain, user;
fill_in_password_policy(state->response, info);
state->response->data.auth.reject_reason =
- reject->reason;
+ reject->extendedFailureReason;
got_info = true;
}