mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s3:winbind: Convert PamLogOff from struct based to ndr based
Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
parent
c27135adc7
commit
ce0be638b4
@ -217,6 +217,15 @@ interface winbind
|
||||
[out,ref] wbint_PamAuthCrapValidation *validation
|
||||
);
|
||||
|
||||
NTSTATUS wbint_PamLogOff(
|
||||
[in,string,charset(UTF8)] char *client_name,
|
||||
[in] hyper client_pid,
|
||||
[in] uint32 flags,
|
||||
[in,string,charset(UTF8)] char *user,
|
||||
[in,string,charset(UTF8)] char *krb5ccname,
|
||||
[in] hyper uid
|
||||
);
|
||||
|
||||
/* Public methods available via IRPC */
|
||||
|
||||
typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel;
|
||||
|
@ -30,10 +30,6 @@ static const struct winbindd_child_dispatch_table domain_dispatch_table[] = {
|
||||
.name = "INIT_CONNECTION",
|
||||
.struct_cmd = WINBINDD_INIT_CONNECTION,
|
||||
.struct_fn = winbindd_dual_init_connection,
|
||||
},{
|
||||
.name = "PAM_LOGOFF",
|
||||
.struct_cmd = WINBINDD_PAM_LOGOFF,
|
||||
.struct_fn = winbindd_dual_pam_logoff,
|
||||
},{
|
||||
.name = "CHNG_PSWD_AUTH_CRAP",
|
||||
.struct_cmd = WINBINDD_PAM_CHNG_PSWD_AUTH_CRAP,
|
||||
|
@ -3081,51 +3081,68 @@ process_result:
|
||||
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
|
||||
}
|
||||
|
||||
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
|
||||
struct winbindd_cli_state *state)
|
||||
NTSTATUS _wbint_PamLogOff(struct pipes_struct *p, struct wbint_PamLogOff *r)
|
||||
{
|
||||
struct winbindd_domain *domain = wb_child_domain();
|
||||
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
|
||||
pid_t client_pid;
|
||||
uid_t user_uid;
|
||||
|
||||
DEBUG(3, ("[%5lu]: pam dual logoff %s\n", (unsigned long)state->pid,
|
||||
state->request->data.logoff.user));
|
||||
if (domain == NULL) {
|
||||
return NT_STATUS_REQUEST_NOT_ACCEPTED;
|
||||
}
|
||||
|
||||
if (!(state->request->flags & WBFLAG_PAM_KRB5)) {
|
||||
/* Cut client_pid to 32bit */
|
||||
client_pid = r->in.client_pid;
|
||||
if ((uint64_t)client_pid != r->in.client_pid) {
|
||||
DBG_DEBUG("pid out of range\n");
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
/* Cut uid to 32bit */
|
||||
user_uid = r->in.uid;
|
||||
if ((uint64_t)user_uid != r->in.uid) {
|
||||
DBG_DEBUG("uid out of range\n");
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
DBG_NOTICE("[%"PRIu32"]: pam dual logoff %s\n", client_pid, r->in.user);
|
||||
|
||||
if (!(r->in.flags & WBFLAG_PAM_KRB5)) {
|
||||
result = NT_STATUS_OK;
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
if (state->request->data.logoff.krb5ccname[0] == '\0') {
|
||||
if ((r->in.krb5ccname == NULL) || (strlen(r->in.krb5ccname) == 0)) {
|
||||
result = NT_STATUS_OK;
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
#ifdef HAVE_KRB5
|
||||
|
||||
if (state->request->data.logoff.uid == (uid_t)-1) {
|
||||
DEBUG(0,("winbindd_pam_logoff: invalid uid\n"));
|
||||
if (user_uid == (uid_t)-1) {
|
||||
DBG_DEBUG("Invalid uid for user '%s'\n", r->in.user);
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
/* what we need here is to find the corresponding krb5 ccache name *we*
|
||||
* created for a given username and destroy it */
|
||||
|
||||
if (!ccache_entry_exists(state->request->data.logoff.user)) {
|
||||
if (!ccache_entry_exists(r->in.user)) {
|
||||
result = NT_STATUS_OK;
|
||||
DEBUG(10,("winbindd_pam_logoff: no entry found.\n"));
|
||||
DBG_DEBUG("No entry found for user '%s'.\n", r->in.user);
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
if (!ccache_entry_identical(state->request->data.logoff.user,
|
||||
state->request->data.logoff.uid,
|
||||
state->request->data.logoff.krb5ccname)) {
|
||||
DEBUG(0,("winbindd_pam_logoff: cached entry differs.\n"));
|
||||
if (!ccache_entry_identical(r->in.user, user_uid, r->in.krb5ccname)) {
|
||||
DBG_DEBUG("Cached entry differs for user '%s'\n", r->in.user);
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
result = remove_ccache(state->request->data.logoff.user);
|
||||
result = remove_ccache(r->in.user);
|
||||
if (!NT_STATUS_IS_OK(result)) {
|
||||
DEBUG(0,("winbindd_pam_logoff: failed to remove ccache: %s\n",
|
||||
nt_errstr(result)));
|
||||
DBG_DEBUG("Failed to remove ccache for user '%s': %s\n",
|
||||
r->in.user, nt_errstr(result));
|
||||
goto process_result;
|
||||
}
|
||||
|
||||
@ -3134,7 +3151,7 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
|
||||
* we might be using for krb5 ticket renewal.
|
||||
*/
|
||||
|
||||
winbindd_delete_memory_creds(state->request->data.logoff.user);
|
||||
winbindd_delete_memory_creds(r->in.user);
|
||||
|
||||
#else
|
||||
result = NT_STATUS_NOT_SUPPORTED;
|
||||
@ -3142,10 +3159,7 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
|
||||
|
||||
process_result:
|
||||
|
||||
|
||||
set_auth_errors(state->response, result);
|
||||
|
||||
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
|
||||
return result;
|
||||
}
|
||||
|
||||
/* Change user password with auth crap*/
|
||||
|
@ -20,10 +20,10 @@
|
||||
#include "includes.h"
|
||||
#include "winbindd.h"
|
||||
#include "lib/global_contexts.h"
|
||||
#include "librpc/gen_ndr/ndr_winbind_c.h"
|
||||
|
||||
struct winbindd_pam_logoff_state {
|
||||
struct winbindd_request *request;
|
||||
struct winbindd_response *response;
|
||||
struct wbint_PamLogOff r;
|
||||
};
|
||||
|
||||
static void winbindd_pam_logoff_done(struct tevent_req *subreq);
|
||||
@ -47,7 +47,6 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
|
||||
if (req == NULL) {
|
||||
return NULL;
|
||||
}
|
||||
state->request = request;
|
||||
|
||||
/* Ensure null termination */
|
||||
/* Ensure null termination */
|
||||
@ -99,8 +98,28 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
|
||||
break;
|
||||
}
|
||||
|
||||
subreq = wb_domain_request_send(state, global_event_context(), domain,
|
||||
request);
|
||||
state->r.in.client_name = talloc_strdup(state, request->client_name);
|
||||
if (tevent_req_nomem(state->r.in.client_name, req)) {
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
state->r.in.client_pid = request->pid;
|
||||
|
||||
state->r.in.flags = request->flags;
|
||||
state->r.in.user = talloc_strdup(state, request->data.logoff.user);
|
||||
if (tevent_req_nomem(state->r.in.user, req)) {
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
state->r.in.uid = request->data.logoff.uid;
|
||||
state->r.in.krb5ccname = talloc_strdup(state,
|
||||
request->data.logoff.krb5ccname);
|
||||
if (tevent_req_nomem(state->r.in.krb5ccname, req)) {
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
|
||||
subreq = dcerpc_wbint_PamLogOff_r_send(state,
|
||||
global_event_context(),
|
||||
dom_child_handle(domain),
|
||||
&state->r);
|
||||
if (tevent_req_nomem(subreq, req)) {
|
||||
return tevent_req_post(req, ev);
|
||||
}
|
||||
@ -118,14 +137,14 @@ static void winbindd_pam_logoff_done(struct tevent_req *subreq)
|
||||
subreq, struct tevent_req);
|
||||
struct winbindd_pam_logoff_state *state = tevent_req_data(
|
||||
req, struct winbindd_pam_logoff_state);
|
||||
int res, err;
|
||||
NTSTATUS status;
|
||||
|
||||
res = wb_domain_request_recv(subreq, state, &state->response, &err);
|
||||
status = dcerpc_wbint_PamLogOff_r_recv(subreq, state);
|
||||
TALLOC_FREE(subreq);
|
||||
if (res == -1) {
|
||||
tevent_req_nterror(req, map_nt_error_from_unix(err));
|
||||
if (tevent_req_nterror(req, status)) {
|
||||
return;
|
||||
}
|
||||
|
||||
tevent_req_done(req);
|
||||
}
|
||||
|
||||
@ -134,20 +153,19 @@ NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
|
||||
{
|
||||
struct winbindd_pam_logoff_state *state = tevent_req_data(
|
||||
req, struct winbindd_pam_logoff_state);
|
||||
NTSTATUS status;
|
||||
NTSTATUS status = NT_STATUS_OK;
|
||||
|
||||
if (tevent_req_is_nterror(req, &status)) {
|
||||
set_auth_errors(response, status);
|
||||
return status;
|
||||
}
|
||||
*response = *state->response;
|
||||
response->result = WINBINDD_PENDING;
|
||||
state->response = talloc_move(response, &state->response);
|
||||
|
||||
status = NT_STATUS(response->data.auth.nt_status);
|
||||
if (!NT_STATUS_IS_OK(status)) {
|
||||
return status;
|
||||
response->result = WINBINDD_PENDING;
|
||||
set_auth_errors(response, state->r.out.result);
|
||||
|
||||
if (NT_STATUS_IS_OK(state->r.out.result)) {
|
||||
winbindd_delete_memory_creds(state->r.in.user);
|
||||
}
|
||||
winbindd_delete_memory_creds(state->request->data.logoff.user);
|
||||
return status;
|
||||
|
||||
return NT_STATUS(response->data.auth.nt_status);
|
||||
}
|
||||
|
@ -445,8 +445,8 @@ NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p,
|
||||
struct wbint_PamAuthCrap *r);
|
||||
enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact_domain,
|
||||
struct winbindd_cli_state *state);
|
||||
enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
|
||||
struct winbindd_cli_state *state) ;
|
||||
NTSTATUS _wbint_PamLogOff(struct pipes_struct *p,
|
||||
struct wbint_PamLogOff *r);
|
||||
enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state);
|
||||
NTSTATUS winbindd_pam_auth_pac_verify(struct winbindd_cli_state *state,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
|
Loading…
Reference in New Issue
Block a user