s3-kerberos: return a full PAC in kerberos_return_pac().

Guenther Signed-off-by: Günther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
author: Günther Deschner <gd@samba.org> 2014-02-21 18:56:04 +0100
committer: Günther Deschner <gd@samba.org> 2014-03-12 10:13:20 +0100
commit: 1270e35ba70a4e4881512d375c767023512f67bd (patch)
tree: e64e3bdf1912577e3d8c253d4219d27be81cf090 /source3
parent: 35a1ed22f65473fabb2f4846f6d2b50da1847f6a (diff)
download: samba-1270e35ba70a4e4881512d375c767023512f67bd.tar.gz
samba-1270e35ba70a4e4881512d375c767023512f67bd.tar.xz
samba-1270e35ba70a4e4881512d375c767023512f67bd.zip
4 files changed, 56 insertions, 15 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd80dc24e4..53e40ef71b 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 				   struct auth_session_info **session_info)
 {
 	TALLOC_CTX *tmp_ctx;
-	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct PAC_DATA *pac_data = NULL;
 	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 
 	tmp_ctx = talloc_new(mem_ctx);
@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 	}
 
 	if (pac_blob) {
-		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
-						 NULL, NULL, 0, &logon_info);
+		status = kerberos_decode_pac(tmp_ctx,
+					     *pac_blob,
+					     NULL,
+					     NULL,
+					     NULL,
+					     NULL,
+					     0,
+					     &pac_data);
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
 	}
 
-	talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
+	talloc_set_name_const(pac_data, "struct PAC_DATA");
 
-	auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
+	auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
 	*session_info = talloc_zero(mem_ctx, struct auth_session_info);
 	if (!*session_info) {
 		status = NT_STATUS_NO_MEMORY;
@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
-			     struct PAC_LOGON_INFO **_logon_info)
+			     struct PAC_DATA **_pac_data)
 {
 	krb5_error_code ret;
 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 	size_t idx = 0;
 	struct auth4_context *auth_context;
 	struct loadparm_context *lp_ctx;
-	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct PAC_DATA *pac_data = NULL;
 
 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
-					   struct PAC_LOGON_INFO);
-	if (logon_info == NULL) {
+	pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+					 struct PAC_DATA);
+	if (pac_data == NULL) {
 		DEBUG(1,("no PAC\n"));
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto out;
 	}
 
-	*_logon_info = talloc_move(mem_ctx, &logon_info);
+	*_pac_data = talloc_move(mem_ctx, &pac_data);
 
 out:
 	talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 1151d66cd1..b2f74865af 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,7 +32,7 @@
 
 #include "system/kerberos.h"
 
-struct PAC_LOGON_INFO;
+struct PAC_DATA;
 
 #include "libads/ads_status.h"
 
@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
 			     const char *local_service,
-			     struct PAC_LOGON_INFO **logon_info);
+			     struct PAC_DATA **pac_data);
 
 /* The following definitions come from libads/krb5_setpw.c  */
 
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c53c8c6ab6..19da6da810 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
 {
 	struct PAC_LOGON_INFO *info = NULL;
+	struct PAC_DATA *pac_data = NULL;
 	TALLOC_CTX *mem_ctx = NULL;
 	NTSTATUS status;
 	int ret = -1;
@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 				     2592000, /* one month */
 				     impersonate_princ_s,
 				     local_service,
-				     &info);
+				     &pac_data);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf(_("failed to query kerberos PAC: %s\n"),
 			nt_errstr(status));
 		goto out;
 	}
 
+	for (i=0; i < pac_data->num_buffers; i++) {
+
+		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+			continue;
+		}
+
+		info = pac_data->buffers[i].info->logon_info.info;
+		if (!info) {
+			goto out;
+		}
+
+		break;
+	}
+
 	if (info) {
 		const char *s;
 		s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 61e2cefd52..a8daae5148 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	time_t time_offset = 0;
 	const char *user_ccache_file;
 	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct PAC_DATA *pac_data = NULL;
 	const char *local_service;
+	int i;
 
 	*info3 = NULL;
 
@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 				     NULL,
 				     local_service,
-				     &logon_info);
+				     &pac_data);
 	if (user_ccache_file != NULL) {
 		gain_root_privilege();
 	}
@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 		goto failed;
 	}
 
+	if (pac_data == NULL) {
+		goto failed;
+	}
+
+	for (i=0; i < pac_data->num_buffers; i++) {
+
+		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+			continue;
+		}
+
+		logon_info = pac_data->buffers[i].info->logon_info.info;
+		if (!logon_info) {
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+
+		break;
+	}
+
 	*info3 = &logon_info->info3;
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
author	Günther Deschner <gd@samba.org>	2014-02-21 18:56:04 +0100
committer	Günther Deschner <gd@samba.org>	2014-03-12 10:13:20 +0100
commit	1270e35ba70a4e4881512d375c767023512f67bd (patch)
tree	e64e3bdf1912577e3d8c253d4219d27be81cf090 /source3
parent	35a1ed22f65473fabb2f4846f6d2b50da1847f6a (diff)
download	samba-1270e35ba70a4e4881512d375c767023512f67bd.tar.gz samba-1270e35ba70a4e4881512d375c767023512f67bd.tar.xz samba-1270e35ba70a4e4881512d375c767023512f67bd.zip