summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--source3/nsswitch/pam_winbind.c16
-rw-r--r--source3/nsswitch/wbinfo.c14
-rw-r--r--source3/nsswitch/winbindd_nss.h4
-rw-r--r--source3/nsswitch/winbindd_pam.c54
-rw-r--r--source3/utils/ntlm_auth.c44
5 files changed, 49 insertions, 83 deletions
diff --git a/source3/nsswitch/pam_winbind.c b/source3/nsswitch/pam_winbind.c
index 64e21738221..9a00ac2886c 100644
--- a/source3/nsswitch/pam_winbind.c
+++ b/source3/nsswitch/pam_winbind.c
@@ -45,7 +45,9 @@ static int _pam_parse(int argc, const char **argv)
ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
else if (!strcasecmp(*argv, "unknown_ok"))
ctrl |= WINBIND_UNKNOWN_OK_ARG;
- else if (!strncasecmp(*argv, "required_membership", strlen("required_membership")))
+ else if (!strncasecmp(*argv, "require_membership_of", strlen("require_membership_of")))
+ ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
+ else if (!strncasecmp(*argv, "require-membership-of", strlen("require-membership-of")))
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
else {
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
@@ -213,8 +215,8 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
/* lookup name? */
if (!strncmp("S-", member, 2) == 0) {
- struct winbindd_request request;
- struct winbindd_response response;
+ struct winbindd_request sid_request;
+ struct winbindd_response sid_response;
ZERO_STRUCT(request);
ZERO_STRUCT(response);
@@ -230,11 +232,11 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
return PAM_AUTH_ERR;
}
- member = strdup(response.data.sid.sid);
+ member = response.data.sid.sid;
}
- strncpy(request.data.auth.required_membership_sid, member,
- sizeof(request.data.auth.required_membership_sid)-1);
+ strncpy(request.data.auth.require_membership_of_sid, member,
+ sizeof(request.data.auth.require_membership_of_sid)-1);
return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
}
@@ -488,7 +490,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
/* Retrieve membership-string here */
for ( i=0; i<argc; i++ ) {
- if (!strncmp(argv[i], "required_membership", strlen("required_membership"))) {
+ if (!strncmp(argv[i], "require_membership_of", strlen("require_membership_of"))) {
char *p;
char *parm = strdup(argv[i]);
diff --git a/source3/nsswitch/wbinfo.c b/source3/nsswitch/wbinfo.c
index 2abd9c69a17..69f464f446a 100644
--- a/source3/nsswitch/wbinfo.c
+++ b/source3/nsswitch/wbinfo.c
@@ -567,18 +567,10 @@ static BOOL wbinfo_auth_crap(char *username)
parse_wbinfo_domain_user(username, name_domain, name_user);
- if (push_utf8_fstring(request.data.auth_crap.user, name_user) == -1) {
- d_printf("unable to create utf8 string for '%s'\n",
- name_user);
- return False;
- }
+ fstrcpy(request.data.auth_crap.user, name_user);
- if (push_utf8_fstring(request.data.auth_crap.domain,
- name_domain) == -1) {
- d_printf("unable to create utf8 string for '%s'\n",
- name_domain);
- return False;
- }
+ fstrcpy(request.data.auth_crap.domain,
+ name_domain);
generate_random_buffer(request.data.auth_crap.chal, 8);
diff --git a/source3/nsswitch/winbindd_nss.h b/source3/nsswitch/winbindd_nss.h
index 6a457f38004..9a99bad9d74 100644
--- a/source3/nsswitch/winbindd_nss.h
+++ b/source3/nsswitch/winbindd_nss.h
@@ -181,7 +181,7 @@ struct winbindd_request {
character is. */
fstring user;
fstring pass;
- fstring required_membership_sid;
+ fstring require_membership_of_sid;
} auth; /* pam_winbind auth module */
struct {
unsigned char chal[8];
@@ -192,7 +192,7 @@ struct winbindd_request {
fstring nt_resp;
uint16 nt_resp_len;
fstring workstation;
- fstring required_membership_sid;
+ fstring require_membership_of_sid;
} auth_crap;
struct {
fstring user;
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index e8d15f47038..e13649afe15 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -59,7 +59,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
NET_USER_INFO_3 *info3,
const char *group_sid)
{
- DOM_SID required_membership_sid;
+ DOM_SID require_membership_of_sid;
DOM_SID *all_sids;
size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
size_t i, j = 0;
@@ -71,7 +71,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
- if (!string_to_sid(&required_membership_sid, group_sid)) {
+ if (!string_to_sid(&require_membership_of_sid, group_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
group_sid));
@@ -133,9 +133,9 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
fstring sid1, sid2;
DEBUG(10, ("User has SID: %s\n",
sid_to_string(sid1, &all_sids[i])));
- if (sid_equal(&required_membership_sid, &all_sids[i])) {
+ if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
- sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i])));
+ sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
return NT_STATUS_OK;
}
}
@@ -334,10 +334,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth.user,
- state->request.data.auth.required_membership_sid));
+ state->request.data.auth.require_membership_of_sid));
}
}
@@ -414,7 +414,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
NET_USER_INFO_3 info3;
struct cli_state *cli = NULL;
TALLOC_CTX *mem_ctx = NULL;
- char *name_user = NULL;
+ const char *name_user = NULL;
const char *name_domain = NULL;
const char *workstation;
struct winbindd_domain *contact_domain;
@@ -432,7 +432,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
/* send a better message than ACCESS_DENIED */
asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
get_winbind_priv_pipe_dir());
- push_utf8_fstring(state->response.data.auth.error_string, error_string);
+ fstrcpy(state->response.data.auth.error_string, error_string);
SAFE_FREE(error_string);
result = NT_STATUS_ACCESS_DENIED;
goto done;
@@ -442,26 +442,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
- if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
+ if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
goto done;
}
- if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
+ name_user = state->request.data.auth_crap.user;
if (*state->request.data.auth_crap.domain) {
- char *dom = NULL;
- if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- name_domain = dom;
+ name_domain = state->request.data.auth_crap.domain;
} else if (lp_winbind_use_default_domain()) {
name_domain = lp_workgroup();
} else {
@@ -475,13 +465,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
name_domain, name_user));
if (*state->request.data.auth_crap.workstation) {
- char *wrk = NULL;
- if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
- DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
- result = NT_STATUS_UNSUCCESSFUL;
- goto done;
- }
- workstation = wrk;
+ workstation = state->request.data.auth_crap.workstation;
} else {
workstation = global_myname();
}
@@ -587,10 +571,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
+ if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request.data.auth_crap.user,
- state->request.data.auth_crap.required_membership_sid));
+ state->request.data.auth_crap.require_membership_of_sid));
goto done;
}
@@ -616,8 +600,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
- /* this interface is in UTF8 */
- if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+ state->response.extra_data = strdup(username_out);
+ if (!state->response.extra_data) {
result = NT_STATUS_NO_MEMORY;
goto done;
}
@@ -643,11 +627,11 @@ done:
}
state->response.data.auth.nt_status = NT_STATUS_V(result);
- push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+ fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
/* we might have given a more useful error above */
if (!*state->response.data.auth.error_string)
- push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+ fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
state->response.data.auth.pam_error = nt_status_to_pam(result);
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
@@ -677,7 +661,7 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
state->request.data.chauthtok.user));
- if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s",
+ if (!(mem_ctx = talloc_init("winbind password change for %s",
state->request.data.chauthtok.user))) {
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
result = NT_STATUS_NO_MEMORY;
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 609b480406e..ea7db55e2dd 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -90,7 +90,7 @@ static int request_lm_key;
static int request_user_session_key;
static const char *require_membership_of;
-static const char *require_membership_sid;
+static const char *require_membership_of_sid;
static char winbind_separator(void)
{
@@ -214,7 +214,7 @@ static BOOL get_require_membership_sid(void) {
return True;
}
- if (require_membership_sid) {
+ if (require_membership_of_sid) {
return True;
}
@@ -238,9 +238,9 @@ static BOOL get_require_membership_sid(void) {
return False;
}
- require_membership_sid = strdup(response.data.sid.sid);
+ require_membership_of_sid = strdup(response.data.sid.sid);
- if (require_membership_sid)
+ if (require_membership_of_sid)
return True;
return False;
@@ -265,8 +265,8 @@ static BOOL check_plaintext_auth(const char *user, const char *pass,
fstrcpy(request.data.auth.user, user);
fstrcpy(request.data.auth.pass, pass);
- if (require_membership_sid)
- fstrcpy(request.data.auth.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
@@ -323,27 +323,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
request.flags = flags;
- if (require_membership_sid)
- fstrcpy(request.data.auth_crap.required_membership_sid, require_membership_sid);
+ if (require_membership_of_sid)
+ fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
- if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for username");
- return NT_STATUS_UNSUCCESSFUL;
- }
-
- if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for domain");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.user, username);
+ fstrcpy(request.data.auth_crap.domain, domain);
- if (push_utf8_fstring(request.data.auth_crap.workstation,
- workstation) == -1) {
- *error_string = smb_xstrdup(
- "unable to create utf8 string for workstation");
- return NT_STATUS_UNSUCCESSFUL;
- }
+ fstrcpy(request.data.auth_crap.workstation,
+ workstation);
memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
@@ -391,7 +378,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
}
if (flags & WBFLAG_PAM_UNIX_NAME) {
- if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+ *unix_name = strdup((char *)response.extra_data);
+ if (!*unix_name) {
free_response(&response);
return NT_STATUS_NO_MEMORY;
}
@@ -478,7 +466,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_st
NTSTATUS status;
if ( (opt_username == NULL) || (opt_domain == NULL) ) {
DEBUG(1, ("Need username and domain for NTLMSSP\n"));
- return status;
+ return NT_STATUS_INVALID_PARAMETER;
}
status = ntlmssp_client_start(client_ntlmssp_state);
@@ -1817,7 +1805,7 @@ enum {
case OPT_REQUIRE_MEMBERSHIP:
if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
- require_membership_sid = require_membership_of;
+ require_membership_of_sid = require_membership_of;
}
break;
}