-rw-r--r-- | source3/libads/authdata.c | 28 | ||||
-rw-r--r-- | source3/libads/kerberos_proto.h | 4 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 17 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 22 |
4 files changed, 56 insertions, 15 deletions
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index dd80dc24e4..53e40ef71b 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 struct auth_session_info **session_info)
 {
 TALLOC_CTX *tmp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 tmp_ctx = talloc_new(mem_ctx);
@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 }
 if (pac_blob) {
- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
- NULL, NULL, 0, &logon_info);
+ status = kerberos_decode_pac(tmp_ctx,
+ *pac_blob,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &pac_data);
 if (!NT_STATUS_IS_OK(status)) {
 goto done;
 }
 }
- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
+ talloc_set_name_const(pac_data, "struct PAC_DATA");
- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
 *session_info = talloc_zero(mem_ctx, struct auth_session_info);
 if (!*session_info) {
 status = NT_STATUS_NO_MEMORY;
@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
- struct PAC_LOGON_INFO **_logon_info)
+ struct PAC_DATA **_pac_data)
 {
 krb5_error_code ret;
 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 size_t idx = 0;
 struct auth4_context *auth_context;
 struct loadparm_context *lp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
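Review bot: `talloc_set_name_const(pac_data, "struct PAC_DATA");` in the @@ -61 hunk of kerberos_fetch_pac runs even when `pac_blob` is NULL, in which case `pac_data` is still NULL from its initialiser; talloc's name setter does not appear to tolerate a NULL chunk, so a ticket that carries no PAC would presumably crash on this line instead of reaching the `talloc_steal`/`talloc_zero` path that is otherwise written to cope with an absent PAC. The shape is inherited from the old `logon_info` code, but the line is rewritten here, so guarding it is cheap: `if (pac_data != NULL) { talloc_set_name_const(pac_data, "struct PAC_DATA"); }`. Separately, the decoder is called with NULL for every context and key argument, which presumably means no PAC checksum is verified on this path; if that is acceptable only because gensec has already verified the ticket before handing `pac_blob` over, a one-line comment above the call saying so would stop a later reader from either adding a redundant verification or silently breaking that dependence. kerberos_fetch_pac continues past the end of the hunk.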
@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 goto out;
 }
- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
- struct PAC_LOGON_INFO);
- if (logon_info == NULL) {
+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+ struct PAC_DATA);
+ if (pac_data == NULL) {
 DEBUG(1,("no PAC\n"));
 status = NT_STATUS_INVALID_PARAMETER;
 goto out;
 }
- *_logon_info = talloc_move(mem_ctx, &logon_info);
+ *_pac_data = talloc_move(mem_ctx, &pac_data);
 out:
 talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 1151d66cd1..b2f74865af 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,7 +32,7 @@
 #include "system/kerberos.h"
-struct PAC_LOGON_INFO;
+struct PAC_DATA;
 #include "libads/ads_status.h"
@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
- struct PAC_LOGON_INFO **logon_info);
+ struct PAC_DATA **pac_data);
 /* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index c53c8c6ab6..19da6da810 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
 {
 struct PAC_LOGON_INFO *info = NULL;
+ struct PAC_DATA *pac_data = NULL;
 TALLOC_CTX *mem_ctx = NULL;
 NTSTATUS status;
 int ret = -1;
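Review bot: The `if (pac_data == NULL)` branch after `talloc_get_type_abort()` looks unreachable as written: the `_abort` variant hands a NULL pointer to the talloc abort handler just as it does a type mismatch, so the "no PAC" diagnostic and the NT_STATUS_INVALID_PARAMETER return never execute and a ticket without a PAC ends in a panic rather than an error the caller can act on. If the missing-PAC case is meant to be recoverable, fetch with `pac_data = talloc_get_type(gensec_server_context->auth_context->private_data, struct PAC_DATA);` so the NULL check that follows is live. Note that `talloc_get_type` also yields NULL on a type mismatch, which this branch would then report as "no PAC" at DEBUG(1); acceptable, but worth a word in the message. kerberos_return_pac continues on both sides of the hunk.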
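Review bot: The new `struct PAC_DATA **pac_data` out-parameter in the @@ -78 hunk of kerberos_proto.h is a contract change the header does not state: callers used to receive the LOGON_INFO buffer directly and now receive the whole decoded PAC and must locate PAC_TYPE_LOGON_INFO themselves, which both callers in this commit do with an open-coded loop. A short comment on the declaration would keep the next caller from assuming the old shape, e.g. `/* On success *pac_data is the full decoded PAC, allocated under mem_ctx; callers must look up the LOGON_INFO buffer themselves and must not assume one is present. */`. Whether the decoder already rejects a PAC without LOGON_INFO is not visible from this patch, so the comment should stay cautious until that is confirmed.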
@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 2592000, /* one month */
 impersonate_princ_s,
 local_service,
- &info);
+ &pac_data);
 if (!NT_STATUS_IS_OK(status)) {
 d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status));
 goto out;
 }
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ info = pac_data->buffers[i].info->logon_info.info;
+ if (!info) {
+ goto out;
+ }
+
+ break;
+ }
+
 if (info) {
 const char *s;
 s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 61e2cefd52..a8daae5148 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 time_t time_offset = 0;
 const char *user_ccache_file;
 struct PAC_LOGON_INFO *logon_info = NULL;
+ struct PAC_DATA *pac_data = NULL;
 const char *local_service;
+ int i;
 *info3 = NULL;
@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 NULL,
 local_service,
- &logon_info);
+ &pac_data);
 if (user_ccache_file != NULL) {
 gain_root_privilege();
 }
@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 goto failed;
 }
+ if (pac_data == NULL) {
+ goto failed;
+ }
+
+ for (i=0; i < pac_data->num_buffers; i++) {
+
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+
+ logon_info = pac_data->buffers[i].info->logon_info.info;
+ if (!logon_info) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ break;
+ }
+
 *info3 = &logon_info->info3;
 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", |
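Review bot: The loop in net_ads_kerberos_pac reads `pac_data->buffers[i].info->logon_info.info` without first checking `pac_data->buffers[i].info`; if that field is a pointer the NDR pull can legitimately leave NULL for an empty buffer (it is declared outside this patch, so hedged), a malformed PAC with an empty LOGON_INFO buffer would dereference NULL here, while the only NULL test present covers the inner `info` pointer. Add `if (pac_data->buffers[i].info == NULL) { continue; }` ahead of the assignment. The `goto out` on a NULL inner pointer also exits with `ret` still -1 and no message, unlike the `d_printf` failure just above it; `d_printf(_("PAC LOGON_INFO buffer is empty\n"));` before the jump would match the surrounding style. net_ads_kerberos_pac continues after the hunk.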
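Review bot: `if (pac_data == NULL) { goto failed; }` in the @@ -673 hunk of winbindd_raw_kerberos_login jumps to the cleanup label without setting an error status; the check immediately above the hunk only takes that path when the status is not OK, so at this point the status variable presumably still holds success and the function would return NT_STATUS_OK with `*info3` left NULL for the caller. The loop has the mirror-image gap: when no PAC_TYPE_LOGON_INFO buffer is present it exits normally with `logon_info` still NULL and `*info3 = &logon_info->info3;` forms a pointer from NULL, unless kerberos_decode_pac is known to reject such a PAC, which this patch does not show. The `return NT_STATUS_INVALID_PARAMETER;` inside the loop also bypasses whatever `failed:` does, which every neighbouring error path goes through, and `buffers[i].info` is dereferenced without a NULL check of its own. The rewrite below routes all of these through `failed:` with an explicit status (the function's result variable is outside the hunk; `result` is assumed). winbindd_raw_kerberos_login continues on both sides of the hunk.
```c
	if (pac_data == NULL) {
		result = NT_STATUS_INVALID_PARAMETER;
		goto failed;
	}

	for (i = 0; i < pac_data->num_buffers; i++) {
		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
			continue;
		}
		if (pac_data->buffers[i].info == NULL) {
			continue;
		}
		logon_info = pac_data->buffers[i].info->logon_info.info;
		break;
	}

	if (logon_info == NULL) {
		DEBUG(1, ("winbindd_raw_kerberos_login: PAC has no LOGON_INFO\n"));
		result = NT_STATUS_INVALID_PARAMETER;
		goto failed;
	}

	*info3 = &logon_info->info3;
	/* … unchanged: DEBUG(10, …) and the rest of the function … */
```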