diff options
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 46 |
1 files changed, 30 insertions, 16 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 19bc998e4..0e5230c68 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -316,7 +316,7 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) return ENOMEM; } - buf->size = 9*sizeof(uint32_t) + strlen(kr->pd->upn) + strlen(kr->ccname) + + buf->size = 9*sizeof(uint32_t) + strlen(kr->upn) + strlen(kr->ccname) + strlen(keytab) + kr->pd->authtok_size; if (kr->pd->cmd == SSS_PAM_CHAUTHTOK) { @@ -332,13 +332,13 @@ errno_t create_send_buffer(struct krb5child_req *kr, struct io_buffer **io_buf) rp = 0; COPY_UINT32(&buf->data[rp], &kr->pd->cmd, rp); - COPY_UINT32(&buf->data[rp], &kr->pd->pw_uid, rp); - COPY_UINT32(&buf->data[rp], &kr->pd->gr_gid, rp); + COPY_UINT32(&buf->data[rp], &kr->uid, rp); + COPY_UINT32(&buf->data[rp], &kr->gid, rp); COPY_UINT32(&buf->data[rp], &validate, rp); COPY_UINT32(&buf->data[rp], &kr->is_offline, rp); - COPY_UINT32_VALUE(&buf->data[rp], strlen(kr->pd->upn), rp); - COPY_MEM(&buf->data[rp], kr->pd->upn, rp, strlen(kr->pd->upn)); + COPY_UINT32_VALUE(&buf->data[rp], strlen(kr->upn), rp); + COPY_MEM(&buf->data[rp], kr->upn, rp, strlen(kr->upn)); COPY_UINT32_VALUE(&buf->data[rp], strlen(kr->ccname), rp); COPY_MEM(&buf->data[rp], kr->ccname, rp, strlen(kr->ccname)); @@ -516,7 +516,7 @@ static errno_t fork_child(struct krb5child_req *kr) * ccache file. In this case we can drop the privileges, too. */ if (!dp_opt_get_bool(kr->krb5_ctx->opts, KRB5_VALIDATE) || kr->pd->authtok_size == 0) { - ret = become_user(kr->pd->pw_uid, kr->pd->gr_gid); + ret = become_user(kr->uid, kr->gid); if (ret != EOK) { DEBUG(1, ("become_user failed.\n")); return ret; @@ -718,7 +718,7 @@ void krb5_pam_handler(struct be_req *be_req) goto done; } - attrs = talloc_array(be_req, const char *, 4); + attrs = talloc_array(be_req, const char *, 6); if (attrs == NULL) { goto done; } @@ -726,7 +726,9 @@ void krb5_pam_handler(struct be_req *be_req) attrs[0] = SYSDB_UPN; attrs[1] = SYSDB_HOMEDIR; attrs[2] = SYSDB_CCACHE_FILE; - attrs[3] = NULL; + attrs[3] = SYSDB_UIDNUM; + attrs[4] = SYSDB_GIDNUM; + attrs[5] = NULL; ret = sysdb_get_user_attr(be_req, be_req->be_ctx->sysdb, be_req->be_ctx->domain, pd->user, attrs, @@ -753,7 +755,7 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) krb5_error_code kerr; int ret; struct pam_data *pd = talloc_get_type(be_req->req_data, struct pam_data); - int pam_status=PAM_SYSTEM_ERR; + int pam_status = PAM_SYSTEM_ERR; int dp_err = DP_ERR_FATAL; const char *ccache_file = NULL; const char *realm; @@ -784,15 +786,15 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) break; case 1: - pd->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); - if (pd->upn == NULL) { + kr->upn = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_UPN, NULL); + if (kr->upn == NULL) { /* NOTE: this is a hack, works only in some environments */ - pd->upn = talloc_asprintf(be_req, "%s@%s", pd->user, realm); - if (pd->upn == NULL) { + kr->upn = talloc_asprintf(be_req, "%s@%s", pd->user, realm); + if (kr->upn == NULL) { DEBUG(1, ("failed to build simple upn.\n")); goto failed; } - DEBUG(9, ("Using simple UPN [%s].\n", pd->upn)); + DEBUG(9, ("Using simple UPN [%s].\n", kr->upn)); } kr->homedir = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_HOMEDIR, @@ -801,18 +803,30 @@ static void get_user_attr_done(void *pvt, int err, struct ldb_result *res) DEBUG(4, ("Home directory for user [%s] not known.\n", pd->user)); } + kr->uid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_UIDNUM, 0); + if (kr->uid == 0) { + DEBUG(4, ("UID for user [%s] not known.\n", pd->user)); + goto failed; + } + + kr->gid = ldb_msg_find_attr_as_uint64(res->msgs[0], SYSDB_GIDNUM, 0); + if (kr->gid == 0) { + DEBUG(4, ("GID for user [%s] not known.\n", pd->user)); + goto failed; + } + ccache_file = ldb_msg_find_attr_as_string(res->msgs[0], SYSDB_CCACHE_FILE, NULL); if (ccache_file != NULL) { - ret = check_if_ccache_file_is_used(pd->pw_uid, ccache_file, + ret = check_if_ccache_file_is_used(kr->uid, ccache_file, &kr->active_ccache_present); if (ret != EOK) { DEBUG(1, ("check_if_ccache_file_is_used failed.\n")); goto failed; } - kerr = check_for_valid_tgt(ccache_file, realm, pd->upn, + kerr = check_for_valid_tgt(ccache_file, realm, kr->upn, &kr->valid_tgt_present); if (kerr != 0) { DEBUG(1, ("check_for_valid_tgt failed.\n")); |