Merge branch 'v4-0-logon' of git://git.id10ts.net/samba into 4-0-local
authorAndrew Bartlett <abartlet@samba.org>
Wed, 19 Mar 2008 00:04:42 +0000 (11:04 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 19 Mar 2008 00:04:42 +0000 (11:04 +1100)
(This used to be commit 8252b51850f108aa8f43ec25c752a411c32f9764)

source4/heimdal/kdc/kdc-private.h
source4/heimdal/kdc/kerberos5.c
source4/heimdal/kdc/windc.c
source4/heimdal/kdc/windc_plugin.h
source4/kdc/pac-glue.c

index 030be9ae58baeabc2717d43acb642d99c58d1e01..4052e9b5090acd1f29f9e61cd4993391fcc7abc5 100644 (file)
@@ -281,6 +281,7 @@ krb5_error_code
 _kdc_windc_client_access (
        krb5_context /*context*/,
        struct hdb_entry_ex */*client*/,
-       KDC_REQ */*req*/);
+       KDC_REQ */*req*/,
+       krb5_data */*e_data*/);
 
 #endif /* __kdc_private_h__ */
index bc600a5319b2c959e5ee61724d7763db7aa35a7c..f1dea6499df0252d71c15d4c64dcb27e7da02f65 100644 (file)
@@ -1050,7 +1050,7 @@ _kdc_as_rep(krb5_context context,
        goto out;
     }
 
-    ret = _kdc_windc_client_access(context, client, req);
+    ret = _kdc_windc_client_access(context, client, req, &e_data);
     if(ret)
        goto out;
 
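Review bot: The new `&e_data` argument hands the plugin a buffer it may fill on failure, but everything that decides what happens to it — its declaration, the `out:` label that should attach it to the KRB-ERROR and release it — lies outside this hunk, as does the rest of `_kdc_as_rep`. The plugin side in this same merge (pac-glue.c) fills `e_data` with a `malloc()`ed encoding, so the release at `out:` must be `krb5_data_free()`/`free()`, not a talloc call. Since the windc.c wrapper returns without touching `*e_data` when no plugin is registered, confirm that `e_data` is zero-initialised before this call; otherwise the no-plugin path would leave whatever the earlier pre-auth code stored there to be reported as this error's e-data. A one-line comment at the call site, `/* on failure the plugin may fill e_data (malloc()ed); consumed and freed at out: */`, would record the contract.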
index 395ab7343284667ab7119def32d9cf1ff5e38dae..85e4d7f725cb415d036409b8a675d9823d0bef78 100644 (file)
@@ -101,9 +101,10 @@ _kdc_pac_verify(krb5_context context,
 krb5_error_code
 _kdc_windc_client_access(krb5_context context,
                         struct hdb_entry_ex *client,
-                        KDC_REQ *req)
+                        KDC_REQ *req,
+                        krb5_data *e_data)
 {
     if (windcft == NULL)
        return 0;
-    return (windcft->client_access)(windcctx, context, client, req);
+    return (windcft->client_access)(windcctx, context, client, req, e_data);
 }
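Review bot: When `windcft == NULL` the wrapper returns 0 without writing `*e_data`, so callers see a value that depends entirely on whether they initialised the struct beforehand, which this hunk cannot show. Either document that contract above the function, `/* Leaves *e_data untouched on success and when no plugin is loaded; a plugin may fill it with malloc()ed e-data that the caller frees. */`, or make the no-plugin path explicit with `if (e_data) { e_data->length = 0; e_data->data = NULL; }` before the early `return 0;`. The explicit form is safer because it does not rely on every caller remembering the initialisation.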
index ec480cf950c667414e0e392da0e5607a530c2b59..3ae0c94681e785cd28cdf9eaf3d2db456c361de4 100644 (file)
@@ -64,7 +64,7 @@ typedef krb5_error_code
 
 typedef krb5_error_code 
 (*krb5plugin_windc_client_access)(
-    void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *);
+    void *, krb5_context, struct hdb_entry_ex *, KDC_REQ *, krb5_data *);
 
 
 #define KRB5_WINDC_PLUGING_MINOR               2
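Review bot: The `krb5plugin_windc_client_access` function-pointer type gains a fifth parameter, which is an ABI-incompatible change for any plugin built against the old signature, yet `KRB5_WINDC_PLUGING_MINOR 2` on the context line of this hunk is unchanged. Unless the number is bumped elsewhere in this merge, an older plugin would be invoked with a mismatched argument list and the version check would not catch it. Suggest `#define KRB5_WINDC_PLUGING_MINOR 3` alongside this change, or a comment next to the typedef stating that the interface was widened in-tree only.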
index 66f36af870fca5a44ec84ec950d5eb6a3da13e1d..f65bd67ab1439a6164ed771be76e4032fba8bcc2 100644 (file)
@@ -220,13 +220,48 @@ krb5_error_code samba_kdc_reget_pac(void *priv, krb5_context context,
        return ret;
 }
 
+static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
+                                      NTSTATUS nt_status)
+{
+       PA_DATA pa;
+       unsigned char *buf;
+       size_t len;
+       krb5_error_code ret = 0;
+       uint32_t *tmp;
+
+       if (!e_data)
+               return;
+
+       pa.padata_type          = KRB5_PADATA_PW_SALT;
+       pa.padata_value.length  = 12;
+       pa.padata_value.data    = malloc(pa.padata_value.length);
+       if (!pa.padata_value.data) {
+               e_data->length = 0;
+               e_data->data = NULL;
+               return;
+       }
+
+       SIVAL(pa.padata_value.data, 0, NT_STATUS_V(nt_status));
+       SIVAL(pa.padata_value.data, 4, 0);
+       SIVAL(pa.padata_value.data, 8, 1);
+
+       ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
+       free(pa.padata_value.data);
+
+       e_data->data   = buf;
+       e_data->length = len;
+
+       return;
+}
+
 /* Given an hdb entry (and in particular it's private member), consult
  * the account_ok routine in auth/auth_sam.c for consistancy */
 
 
 krb5_error_code samba_kdc_check_client_access(void *priv, 
                                              krb5_context context, hdb_entry_ex *entry_ex, 
-                                             KDC_REQ *req)
+                                             KDC_REQ *req,
+                                             krb5_data *e_data)
 {
        krb5_error_code ret;
        NTSTATUS nt_status;
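Review bot: In `samba_kdc_build_edata_reply` the `ret` filled by `ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret)` is never examined, so when encoding fails `buf` and `len` are stored into `e_data` even though nothing meaningful was written to them, while the earlier `malloc` failure path correctly resets `e_data` to `NULL`/0. The two failure paths should agree, as in the excerpt below, which also drops the unused `uint32_t *tmp` (and `tmp_ctx` is accepted but never used, which is fine given the buffer must be `free()`able by the KDC, but deserves a comment). A short header comment would help too, since the removed TODO was the only explanation of what this pa-data is for: "Build the PA-PW-SALT (type 3) e-data that carries the NT_STATUS code so a Windows client can show the matching dialog; the three 32-bit little-endian words are status, 0, 1." The trailing lines of this hunk open `samba_kdc_check_client_access`, whose body continues outside it.
```c
static void samba_kdc_build_edata_reply(TALLOC_CTX *tmp_ctx, krb5_data *e_data,
				      NTSTATUS nt_status)
{
	/* … unchanged: declarations (without the unused tmp), NULL check, PA-PW-SALT value setup … */

	ASN1_MALLOC_ENCODE(PA_DATA, buf, len, &pa, &len, ret);
	free(pa.padata_value.data);
	if (ret) {
		/* encoding failed: report empty e-data rather than an undefined buf/len pair */
		e_data->length = 0;
		e_data->data = NULL;
		return;
	}

	e_data->data   = buf;
	e_data->length = len;
}
```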
@@ -274,30 +309,28 @@ krb5_error_code samba_kdc_check_client_access(void *priv,
                                       name);
        free(name);
 
-       /* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */
-
-       /* TODO:  Also need to add the appropriate e-data struct of type
-        * PA-PW-SALT (3) that includes the NT_STATUS code, which gives Windows
-        * the information it needs to display the appropriate dialog. */
+       if (NT_STATUS_IS_OK(nt_status))
+               return 0;
 
        if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_MUST_CHANGE))
-               return KRB5KDC_ERR_KEY_EXPIRED;
+               ret = KRB5KDC_ERR_KEY_EXPIRED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_PASSWORD_EXPIRED))
-               return KRB5KDC_ERR_KEY_EXPIRED;
+               ret = KRB5KDC_ERR_KEY_EXPIRED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_EXPIRED))
-               return KRB5KDC_ERR_CLIENT_REVOKED;
+               ret = KRB5KDC_ERR_CLIENT_REVOKED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED))
-               return KRB5KDC_ERR_CLIENT_REVOKED;
+               ret = KRB5KDC_ERR_CLIENT_REVOKED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_LOGON_HOURS))
-               return KRB5KDC_ERR_CLIENT_REVOKED;
+               ret = KRB5KDC_ERR_CLIENT_REVOKED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_LOCKED_OUT))
-               return KRB5KDC_ERR_CLIENT_REVOKED;
+               ret = KRB5KDC_ERR_CLIENT_REVOKED;
        else if (NT_STATUS_EQUAL(nt_status, NT_STATUS_INVALID_WORKSTATION))
-               return KRB5KDC_ERR_POLICY;
-       else if (!NT_STATUS_IS_OK(nt_status)) {
-               return KRB5KDC_ERR_POLICY;
-       }
+               ret = KRB5KDC_ERR_POLICY;
+       else
+               ret = KRB5KDC_ERR_POLICY;
 
-       return 0;
+       samba_kdc_build_edata_reply(tmp_ctx, e_data, nt_status);
+
+       return ret;
 }
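Review bot: The `NT_STATUS_INVALID_WORKSTATION` branch and the final `else` both assign `KRB5KDC_ERR_POLICY`, so the last `else if` is redundant; collapsing it to `else` followed by `ret = KRB5KDC_ERR_POLICY; /* NT_STATUS_INVALID_WORKSTATION and any other failure */` keeps the intent visible with one branch fewer. The removed comment `/* TODO:  Need a more complete mapping of NTSTATUS to krb5kdc errors */` still applies, since every unlisted status is folded into the policy error, and it would be worth keeping in the new form of the chain. `samba_kdc_check_client_access` begins in the previous hunk and its first half, including where `tmp_ctx` and `nt_status` come from, is outside this one.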