author | Andrew Bartlett <abartlet@samba.org> | 2014-03-27 12:58:05 +1300 |
committer | Andrew Bartlett <abartlet@samba.org> | 2014-06-11 10:18:26 +0200 |
commit | 597d2a7a29f768f51cbcbc13de56a4dc349e20e4 (patch) | |
tree | 905e3d34a91965eec4d08e77227e2cd9adcdf5a2 /source3/winbindd | |
parent | 2e961bf598e58178ce0d4ed5e35553acd882e436 (diff) | |
auth: Provide a way to use the auth stack for winbindd authentication
This adds in flags that allow winbindd to request authentication
without directly calling into the auth_sam module.
That in turn will allow winbindd to call auth_samba4 and so permit
winbindd operation in the AD DC.
Andrew Bartlett
Change-Id: I27d11075eb8e1a54f034ee2fdcb05360b4203567
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/winbindd')
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 65f27dfcad..c432afac1a 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1212,13 +1212,16 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 const DATA_BLOB *nt_resp,
 struct netr_SamInfo3 **pinfo3)
 {
+ struct auth_context *auth_context;
+ struct auth_serversupplied_info *server_info;
 struct auth_usersupplied_info *user_info = NULL;
 struct tsocket_address *local;
+ struct netr_SamInfo3 *info3;
 NTSTATUS status;
 int rc;
 TALLOC_CTX *frame = talloc_stackframe();
 
- rc = tsocket_address_inet_from_strings(mem_ctx,
+ rc = tsocket_address_inet_from_strings(frame,
 "ip",
 "127.0.0.1",
 0,
@@ -1235,13 +1238,49 @@ static NTSTATUS winbindd_dual_auth_passdb(TALLOC_CTX *mem_ctx,
 TALLOC_FREE(frame);
 return status;
 }
+ user_info->logon_parameters = logon_parameters;
 
 /* We don't want any more mapping of the username */
 user_info->mapped_state = True;
 
- status = check_sam_security_info3(challenge, mem_ctx, user_info,
- pinfo3);
+ /* We don't want to come back to winbindd or to do PAM account checks */
+ user_info->flags |= USER_INFO_LOCAL_SAM_ONLY | USER_INFO_INFO3_AND_NO_AUTHZ;
+
+ status = make_auth_context_fixed(frame, &auth_context, challenge->data);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to test authentication with check_sam_security_info3: %s\n", nt_errstr(status)));
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ status = auth_check_ntlm_password(mem_ctx,
+ auth_context,
+ user_info,
+ &server_info);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ return status;
+ }
+
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
+ if (info3 == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = serverinfo_to_SamInfo3(server_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
+ TALLOC_FREE(info3);
+ DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ *pinfo3 = info3;
 
 DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n",
 domain, user, nt_errstr(status)));
 TALLOC_FREE(frame);
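Review bot: The failure branch after `auth_check_ntlm_password` returns before the final `DEBUG(10, ("Authenticaticating user %s\\%s returned %s\n", ...))` line, so that trace now only ever reports NT_STATUS_OK and a rejected logon leaves no record in this function, whereas the removed check_sam_security_info3 path let its status flow through to it. Consider logging in that branch before the `TALLOC_FREE(frame)`, e.g. `DEBUG(10, ("auth_check_ntlm_password for %s\\%s failed: %s\n", domain, user, nt_errstr(status)));`. The DEBUG(0) text after `make_auth_context_fixed` still names check_sam_security_info3, which this hunk removes; `"Failed to make auth context: %s\n"` would describe the failure it actually reports. server_info is allocated under mem_ctx rather than frame and is not released after serverinfo_to_SamInfo3, so it lives as long as the caller's context; if serverinfo_to_SamInfo3 copies rather than references it, `frame` would be the tighter context. winbindd_dual_auth_passdb starts before this hunk and its body continues past it.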