/* The following definitions come from libads/authdata.c */
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data);
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
const char *name,
const char *pass,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
- struct PAC_DATA **pac_ret);
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct netr_SamInfo3 **info3);
+ struct PAC_LOGON_INFO **logon_info);
/* The following definitions come from libads/cldap.c */
bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
time_t time_offset,
const DATA_BLOB *ticket,
char **principal,
- struct PAC_DATA **pac_data,
+ struct PAC_LOGON_INFO **logon_info,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key,
bool use_replay_cache);
}
/****************************************************************
-****************************************************************/
-
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
-{
- int i;
-
- for (i=0; i < pac_data->num_buffers; i++) {
-
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
- }
-
- return pac_data->buffers[i].info->logon_info.info;
- }
-
- return NULL;
-}
-
-/****************************************************************
+Given a username, password and other details, return the
+PAC_LOGON_INFO (the structure containing the important user
+information such as groups).
****************************************************************/
NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
bool add_netbios_addr,
time_t renewable_time,
const char *impersonate_princ_s,
- struct PAC_DATA **pac_ret)
+ struct PAC_LOGON_INFO **logon_info)
{
krb5_error_code ret;
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
- struct PAC_DATA *pac_data = NULL;
char *client_princ_out = NULL;
const char *auth_princ = NULL;
const char *local_service = NULL;
time_offset,
&tkt,
&client_princ_out,
- &pac_data,
+ logon_info,
&ap_rep,
&sesskey2,
False);
goto out;
}
- if (!pac_data) {
+ if (!*logon_info) {
DEBUG(1,("no PAC\n"));
status = NT_STATUS_INVALID_PARAMETER;
goto out;
}
- *pac_ret = pac_data;
-
out:
if (cc != cache_name) {
ads_kdestroy(cc);
return status;
}
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct PAC_LOGON_INFO **logon_info)
-{
- NTSTATUS status;
- struct PAC_DATA *pac_data = NULL;
- struct PAC_LOGON_INFO *info = NULL;
-
- status = kerberos_return_pac(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &pac_data);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- if (!pac_data) {
- DEBUG(3,("no pac\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- info = get_logon_info_from_pac(pac_data);
- if (!info) {
- DEBUG(1,("no logon_info\n"));
- return NT_STATUS_INVALID_USER_BUFFER;
- }
-
- *logon_info = info;
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
- const char *name,
- const char *pass,
- time_t time_offset,
- time_t *expire_time,
- time_t *renew_till_time,
- const char *cache_name,
- bool request_pac,
- bool add_netbios_addr,
- time_t renewable_time,
- const char *impersonate_princ_s,
- struct netr_SamInfo3 **info3)
-{
- NTSTATUS status;
- struct PAC_LOGON_INFO *logon_info = NULL;
-
- status = kerberos_return_pac_logon_info(mem_ctx,
- name,
- pass,
- time_offset,
- expire_time,
- renew_till_time,
- cache_name,
- request_pac,
- add_netbios_addr,
- renewable_time,
- impersonate_princ_s,
- &logon_info);
- if (!NT_STATUS_IS_OK(status)) {
- return status;
- }
-
- *info3 = &logon_info->info3;
-
- return NT_STATUS_OK;
-}
#endif
time_t time_offset,
const DATA_BLOB *ticket,
char **principal,
- struct PAC_DATA **pac_data,
+ struct PAC_LOGON_INFO **logon_info,
DATA_BLOB *ap_rep,
DATA_BLOB *session_key,
bool use_replay_cache)
ZERO_STRUCT(auth_data);
*principal = NULL;
- *pac_data = NULL;
+ *logon_info = NULL;
*ap_rep = data_blob_null;
*session_key = data_blob_null;
}
if (got_auth_data) {
- pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+ struct PAC_DATA *pac_data;
+ pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, &pac_data);
+ data_blob_free(&auth_data);
if (!NT_STATUS_IS_OK(pac_ret)) {
DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
- *pac_data = NULL;
+ } else {
+ uint32_t i;
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ *logon_info = pac_data->buffers[i].info->logon_info.info;
+ }
+
+ if (!*logon_info) {
+ DEBUG(1,("correctly decoded PAC but found no logon_info! This should not happen\n"));
+ return NT_STATUS_INVALID_USER_BUFFER;
+ }
}
- data_blob_free(&auth_data);
}
#if 0
fstring user;
int sess_vuid = req->vuid;
NTSTATUS ret = NT_STATUS_OK;
- struct PAC_DATA *pac_data = NULL;
DATA_BLOB ap_rep, ap_rep_wrapped, response;
struct auth_serversupplied_info *server_info = NULL;
DATA_BLOB session_key = data_blob_null;
}
ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
- &client, &pac_data, &ap_rep,
+ &client, &logon_info, &ap_rep,
&session_key, True);
data_blob_free(&ticket);
/* save the PAC data if we have it */
- if (pac_data) {
- logon_info = get_logon_info_from_pac(pac_data);
- if (logon_info) {
- netsamlogon_cache_store( client, &logon_info->info3 );
- }
+ if (logon_info) {
+ netsamlogon_cache_store( client, &logon_info->info3 );
}
if (!strequal(p+1, lp_realm())) {
static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
{
- struct PAC_DATA *pac = NULL;
struct PAC_LOGON_INFO *info = NULL;
TALLOC_CTX *mem_ctx = NULL;
NTSTATUS status;
status = kerberos_return_pac(mem_ctx,
c->opt_user_name,
c->opt_password,
- 0,
+ 0,
NULL,
NULL,
NULL,
true,
2592000, /* one month */
impersonate_princ_s,
- &pac);
+ &info);
if (!NT_STATUS_IS_OK(status)) {
d_printf(_("failed to query kerberos PAC: %s\n"),
nt_errstr(status));
goto out;
}
- info = get_logon_info_from_pac(pac);
if (info) {
const char *s;
s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
char *principal;
DATA_BLOB ap_rep;
DATA_BLOB session_key;
- struct PAC_DATA *pac_data = NULL;
+ struct PAC_LOGON_INFO *logon_info = NULL;
if ( request.negTokenInit.mechToken.data == NULL ) {
DEBUG(1, ("Client did not provide Kerberos data\n"));
status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
&request.negTokenInit.mechToken,
- &principal, &pac_data, &ap_rep,
+ &principal, &logon_info, &ap_rep,
&session_key, True);
/* Now in "principal" we have the name we are
ADS_STRUCT *ads;
time_t time_offset = 0;
bool internal_ccache = true;
-
- ZERO_STRUCTP(info3);
+ struct PAC_LOGON_INFO *logon_info = NULL;
*info3 = NULL;
DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
}
- result = kerberos_return_info3_from_pac(state->mem_ctx,
- principal_s,
- state->request->data.auth.pass,
- time_offset,
- &ticket_lifetime,
- &renewal_until,
- cc,
- true,
- true,
- WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
- NULL,
- info3);
+ result = kerberos_return_pac(state->mem_ctx,
+ principal_s,
+ state->request->data.auth.pass,
+ time_offset,
+ &ticket_lifetime,
+ &renewal_until,
+ cc,
+ true,
+ true,
+ WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+ NULL,
+ &logon_info);
if (!internal_ccache) {
gain_root_privilege();
}
goto failed;
}
+ *info3 = &logon_info->info3;
+
DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
principal_s));
git.samba.org / vlendec / samba-autobuild / .git / commitdiff