s3-kerberos: return a full PAC in kerberos_return_pac().
Guenther

Signed-off-by: Günther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
parent
35a1ed22f6
commit
1270e35ba7
@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
|
||||
struct auth_session_info **session_info)
|
||||
{
|
||||
TALLOC_CTX *tmp_ctx;
|
||||
struct PAC_LOGON_INFO *logon_info = NULL;
|
||||
struct PAC_DATA *pac_data = NULL;
|
||||
NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
|
||||
|
||||
tmp_ctx = talloc_new(mem_ctx);
|
||||
@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
|
||||
}
|
||||
|
||||
if (pac_blob) {
|
||||
status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
|
||||
NULL, NULL, 0, &logon_info);
|
||||
status = kerberos_decode_pac(tmp_ctx,
|
||||
*pac_blob,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
NULL,
|
||||
0,
|
||||
&pac_data);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
goto done;
|
||||
}
|
||||
}
|
||||
|
||||
talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
|
||||
talloc_set_name_const(pac_data, "struct PAC_DATA");
|
||||
|
||||
auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
|
||||
auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
|
||||
*session_info = talloc_zero(mem_ctx, struct auth_session_info);
|
||||
if (!*session_info) {
|
||||
status = NT_STATUS_NO_MEMORY;
|
||||
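Review bot: When pac_blob is NULL the `if (pac_blob)` branch is skipped, pac_data stays NULL, and the new code still runs `talloc_set_name_const(pac_data, "struct PAC_DATA");` and `talloc_steal(auth_ctx, pac_data)` before going on to build a session_info; unless talloc tolerates a NULL here (worth confirming against the bundled lib/talloc), that is a crash rather than the "no PAC" error that kerberos_return_pac reports later. The old logon_info code had the same shape, so this is inherited, but the swap is the moment to guard it: `if (pac_data != NULL) { talloc_set_name_const(pac_data, "struct PAC_DATA"); auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); }`. A one-line comment on the kerberos_decode_pac call would also help: it is invoked with NULL in the krb5 context, keyblock and principal positions and an authtime of 0 (as far as I recall its signature), so no PAC signature check can happen in this callback and any verification must already have happened on the blob before it got here. kerberos_fetch_pac's body continues past both ends of the hunk.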
@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
time_t renewable_time,
|
||||
const char *impersonate_princ_s,
|
||||
const char *local_service,
|
||||
struct PAC_LOGON_INFO **_logon_info)
|
||||
struct PAC_DATA **_pac_data)
|
||||
{
|
||||
krb5_error_code ret;
|
||||
NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
|
||||
@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
size_t idx = 0;
|
||||
struct auth4_context *auth_context;
|
||||
struct loadparm_context *lp_ctx;
|
||||
struct PAC_LOGON_INFO *logon_info = NULL;
|
||||
struct PAC_DATA *pac_data = NULL;
|
||||
|
||||
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
|
||||
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
|
||||
@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
goto out;
|
||||
}
|
||||
|
||||
logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
|
||||
struct PAC_LOGON_INFO);
|
||||
if (logon_info == NULL) {
|
||||
pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
|
||||
struct PAC_DATA);
|
||||
if (pac_data == NULL) {
|
||||
DEBUG(1,("no PAC\n"));
|
||||
status = NT_STATUS_INVALID_PARAMETER;
|
||||
goto out;
|
||||
}
|
||||
|
||||
*_logon_info = talloc_move(mem_ctx, &logon_info);
|
||||
*_pac_data = talloc_move(mem_ctx, &pac_data);
|
||||
|
||||
out:
|
||||
talloc_free(tmp_ctx);
|
||||
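Review bot: The `if (pac_data == NULL)` test after `talloc_get_type_abort(...)` is only reachable if talloc_get_type_abort passes a NULL private_data through; if it aborts on NULL (I believe current talloc does — please confirm against the bundled lib/talloc), a ticket that produced no PAC takes the process down instead of returning NT_STATUS_INVALID_PARAMETER, and the "no PAC" branch is dead code. Testing the raw pointer before the typed cast keeps the intended error path either way: `void *pd = gensec_server_context->auth_context->private_data;` followed by `if (pd == NULL) { DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; }` and then `pac_data = talloc_get_type_abort(pd, struct PAC_DATA);`. The same pattern existed for logon_info before this change, so this is inherited rather than new. kerberos_return_pac continues past both ends of the hunk.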
|
@ -32,7 +32,7 @@
|
||||
|
||||
#include "system/kerberos.h"
|
||||
|
||||
struct PAC_LOGON_INFO;
|
||||
struct PAC_DATA;
|
||||
|
||||
#include "libads/ads_status.h"
|
||||
|
||||
@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
|
||||
time_t renewable_time,
|
||||
const char *impersonate_princ_s,
|
||||
const char *local_service,
|
||||
struct PAC_LOGON_INFO **logon_info);
|
||||
struct PAC_DATA **pac_data);
|
||||
|
||||
/* The following definitions come from libads/krb5_setpw.c */
|
||||
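Review bot: The new `struct PAC_DATA **pac_data` out-parameter has no contract in the header, and the implementation in this commit `talloc_move`s the decoded PAC onto mem_ctx, so ownership passes to the caller; that and the fact that it is not written on the failure paths visible here deserve a line on the prototype, e.g. `/* On success *pac_data receives the decoded PAC, allocated on mem_ctx and owned by the caller; it is not written on failure. */`. Since callers such as winbindd now read authorization data (info3) straight out of this structure, the comment should also say whether the PAC's signatures have been verified by the time it is returned — the decode call in this commit passes no keys, so that guarantee, if any, comes from elsewhere and should be stated rather than assumed. The prototype starts before the hunk.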
|
||||
|
@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
|
||||
static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
|
||||
{
|
||||
struct PAC_LOGON_INFO *info = NULL;
|
||||
struct PAC_DATA *pac_data = NULL;
|
||||
TALLOC_CTX *mem_ctx = NULL;
|
||||
NTSTATUS status;
|
||||
int ret = -1;
|
||||
@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
|
||||
2592000, /* one month */
|
||||
impersonate_princ_s,
|
||||
local_service,
|
||||
&info);
|
||||
&pac_data);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
d_printf(_("failed to query kerberos PAC: %s\n"),
|
||||
nt_errstr(status));
|
||||
goto out;
|
||||
}
|
||||
|
||||
for (i=0; i < pac_data->num_buffers; i++) {
|
||||
|
||||
if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
|
||||
continue;
|
||||
}
|
||||
|
||||
info = pac_data->buffers[i].info->logon_info.info;
|
||||
if (!info) {
|
||||
goto out;
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
if (info) {
|
||||
const char *s;
|
||||
s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
|
||||
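Review bot: If the PAC contains no PAC_TYPE_LOGON_INFO buffer the loop finishes with `info` still NULL, the `if (info)` block is skipped and, as far as this hunk shows, `ret` keeps the -1 it was initialised with, so the command fails with no message at all; the `!info` case inside the loop jumps to `out` equally silently. A diagnostic before falling through, `if (info == NULL) { d_printf(_("PAC contains no PAC_LOGON_INFO buffer\n")); goto out; }` after the loop, tells the operator what went wrong. Whether `ret` is changed later in the function I cannot see — net_ads_kerberos_pac continues past the end of the hunk.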
|
@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
time_t time_offset = 0;
|
||||
const char *user_ccache_file;
|
||||
struct PAC_LOGON_INFO *logon_info = NULL;
|
||||
struct PAC_DATA *pac_data = NULL;
|
||||
const char *local_service;
|
||||
int i;
|
||||
|
||||
*info3 = NULL;
|
||||
|
||||
@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
|
||||
NULL,
|
||||
local_service,
|
||||
&logon_info);
|
||||
&pac_data);
|
||||
if (user_ccache_file != NULL) {
|
||||
gain_root_privilege();
|
||||
}
|
||||
@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
|
||||
goto failed;
|
||||
}
|
||||
|
||||
if (pac_data == NULL) {
|
||||
goto failed;
|
||||
}
|
||||
|
||||
for (i=0; i < pac_data->num_buffers; i++) {
|
||||
|
||||
if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
|
||||
continue;
|
||||
}
|
||||
|
||||
logon_info = pac_data->buffers[i].info->logon_info.info;
|
||||
if (!logon_info) {
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
|
||||
*info3 = &logon_info->info3;
|
||||
|
||||
DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
|
||||
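Review bot: If the loop finds no PAC_TYPE_LOGON_INFO buffer it exits with logon_info still NULL and the next statement evaluates `*info3 = &logon_info->info3;`, a member address taken off a NULL pointer — undefined behaviour that hands the caller a bogus non-NULL info3 instead of an error, whereas before this commit kerberos_return_pac failed with "no PAC" for the same ticket, so this is a regression of the change rather than an inherited gap. After the loop add `if (logon_info == NULL) { status = NT_STATUS_INVALID_PARAMETER; goto failed; }` (assuming `status` is what the `failed:` path reports — both are outside the hunk). The `return NT_STATUS_INVALID_PARAMETER;` inside the loop also bypasses the `failed:` label that every other error path in this function uses, and the previous hunk calls `gain_root_privilege()` when a user ccache file is in play; if the matching drop or ccache cleanup lives at `failed:`, the early return skips it, so `status = NT_STATUS_INVALID_PARAMETER; goto failed;` is the safer shape. Minor: `int i` is compared against `num_buffers`, which I would expect to be unsigned; `uint32_t i` avoids the sign-compare warning. winbindd_raw_kerberos_login continues past both ends of the hunk.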
|