From 29218c61b0ad240fa7c88f93a914063fb28f52e0 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Tue, 22 Feb 2022 13:08:56 +0100
Subject: [PATCH] s3:libads: Return canonical principal and realm from kerberos_return_pac()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero
Reviewed-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)
---
 source3/libads/authdata.c | 22 +++++++++++++++++++++-
 source3/libads/kerberos_proto.h | 2 ++
 source3/utils/net_ads.c | 2 ++
 source3/winbindd/winbindd_pam.c | 2 ++
 4 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index c048510d480..bf9a2335445 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
 struct PAC_DATA_CTR **_pac_data_ctr)
 {
 krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 struct auth4_context *auth_context;
 struct loadparm_context *lp_ctx;
 struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ char *canon_principal = NULL;
+ char *canon_realm = NULL;
 
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 goto out;
 }
 
+ if (_canon_principal != NULL) {
+ *_canon_principal = NULL;
+ }
+
+ if (_canon_realm != NULL) {
+ *_canon_realm = NULL;
+ }
+
 if (cache_name) {
 cc = cache_name;
 }
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 request_pac,
 add_netbios_addr,
 renewable_time,
- NULL, NULL, NULL,
+ tmp_ctx,
+ &canon_principal,
+ &canon_realm,
 &status);
 if (ret) {
 DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
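Review bot: In the hunk at -88,6 +92,14 the NULL-initialisation of `*_canon_principal` and `*_canon_realm` is placed after the `goto out;` that opens the hunk, so whatever error path that `goto` belongs to (its condition is outside the hunk) returns to the caller without ever touching the two out pointers. Callers that only read them on NT_STATUS_OK are fine, but the "NULL unless we succeeded" contract the hunk is clearly aiming for does not hold on that path. Moving the two `if (... != NULL) { *... = NULL; }` blocks up to the top of the function, ahead of `NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);` in the -75,6 +77,8 hunk, would make it unconditional, since that macro is another early return that also bypasses the initialisation. kerberos_return_pac() starts before the first hunk and its body continues past the last one on this line.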
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 }
 
 *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+ if (_canon_principal != NULL) {
+ *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+ }
+ if (_canon_realm != NULL) {
+ *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+ }
 
 out:
 talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 3d7b5bc074b..807381248c8 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
+ char **_canon_principal,
+ char **_canon_realm,
 struct PAC_DATA_CTR **pac_data_ctr);
 
 /* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 8f993f9ba4c..c41fb0afe9c 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3273,6 +3273,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
 2592000, /* one month */
 impersonate_princ_s,
 local_service,
+ NULL,
+ NULL,
 pac_data_ctr);
 if (!NT_STATUS_IS_OK(status)) {
 d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 7606bfb4ecd..025a5cbc111 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 NULL,
 local_service,
+ NULL,
+ NULL,
 &pac_data_ctr);
 if (user_ccache_file != NULL) {
 gain_root_privilege();
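Review bot: The two `talloc_move()` blocks on the success tail of kerberos_return_pac() carry no comment on ownership, and whether `kerberos_kinit_password_ext()` always fills `canon_principal`/`canon_realm` on success is not visible in this hunk, so a caller cannot tell from here whether a NULL result with NT_STATUS_OK is possible. `talloc_move()` of a NULL source simply yields NULL, so the code itself is safe either way, but a short comment above the first block would pin the contract: `/* Hand the canonical names back on mem_ctx; on any failure they die with tmp_ctx. */`. The function begins before this hunk; the `goto out` paths that free `tmp_ctx` are what release the strings when we never reach this point.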
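Review bot: The prototype in kerberos_proto.h gains two out parameters with no documentation, and nothing in the header says that either may be passed as NULL, that a non-NULL one receives a talloc'd string owned by `mem_ctx`, or what "canonical" means here (the name the KDC returned rather than the one the caller supplied — inferred from the commit title, not visible in the hunk). A Doxygen-style block above the declaration covering those three points for `_canon_principal` and `_canon_realm`, plus the fact that the strings are only valid when the function returns NT_STATUS_OK, would let callers use them correctly without reading authdata.c. The declaration starts before this hunk.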
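Review bot: net_ads_kerberos_pac_common() passes `NULL, NULL` for the new out parameters, and winbindd_raw_kerberos_login() in the winbindd_pam.c hunk does the same, so neither caller yet consumes the canonical principal or realm the commit makes available; in the winbindd case that means the login path still works from the caller-supplied name. If a follow-up is meant to wire these through (likely, given the bug reference, but not visible here), a one-line comment at each call site such as `/* canonical principal/realm not needed here */` or `/* TODO: use canonical principal/realm for the session */` would record which it is. Both enclosing functions start before their hunks and continue past them.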