mirror of
https://github.com/samba-team/samba.git
synced 2025-02-22 05:57:43 +03:00
r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix the
naming of the require_membership_of parameter in pam_winbind and fix the error code for 'you didn't specify a domain' in ntlm_auth. Andrew Bartlett (This used to be commit 4bf0b94011fe6bfbec5635e58cafbfe3dc898569)
This commit is contained in:
Andrew Bartlett
Gerald (Jerry) Carter
parent
90cd0c339c
commit
f219db7d69
@ -45,7 +45,9 @@ static int _pam_parse(int argc, const char **argv)
|
||||
ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
|
||||
else if (!strcasecmp(*argv, "unknown_ok"))
|
||||
ctrl |= WINBIND_UNKNOWN_OK_ARG;
|
||||
else if (!strncasecmp(*argv, "required_membership", strlen("required_membership")))
|
||||
else if (!strncasecmp(*argv, "require_membership_of", strlen("require_membership_of")))
|
||||
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
|
||||
else if (!strncasecmp(*argv, "require-membership-of", strlen("require-membership-of")))
|
||||
ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
|
||||
else {
|
||||
_pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
|
||||
@ -213,8 +215,8 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
|
||||
/* lookup name? */
|
||||
if (!strncmp("S-", member, 2) == 0) {
|
||||
|
||||
struct winbindd_request request;
|
||||
struct winbindd_response response;
|
||||
struct winbindd_request sid_request;
|
||||
struct winbindd_response sid_response;
|
||||
|
||||
ZERO_STRUCT(request);
|
||||
ZERO_STRUCT(response);
|
||||
@ -230,11 +232,11 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
|
||||
return PAM_AUTH_ERR;
|
||||
}
|
||||
|
||||
member = strdup(response.data.sid.sid);
|
||||
member = response.data.sid.sid;
|
||||
}
|
||||
|
||||
strncpy(request.data.auth.required_membership_sid, member,
|
||||
sizeof(request.data.auth.required_membership_sid)-1);
|
||||
strncpy(request.data.auth.require_membership_of_sid, member,
|
||||
sizeof(request.data.auth.require_membership_of_sid)-1);
|
||||
|
||||
return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
|
||||
}
|
||||
@ -488,7 +490,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||
/* Retrieve membership-string here */
|
||||
for ( i=0; i<argc; i++ ) {
|
||||
|
||||
if (!strncmp(argv[i], "required_membership", strlen("required_membership"))) {
|
||||
if (!strncmp(argv[i], "require_membership_of", strlen("require_membership_of"))) {
|
||||
|
||||
char *p;
|
||||
char *parm = strdup(argv[i]);
|
||||
|
||||
@ -567,18 +567,10 @@ static BOOL wbinfo_auth_crap(char *username)
|
||||
|
||||
parse_wbinfo_domain_user(username, name_domain, name_user);
|
||||
|
||||
if (push_utf8_fstring(request.data.auth_crap.user, name_user) == -1) {
|
||||
d_printf("unable to create utf8 string for '%s'\n",
|
||||
name_user);
|
||||
return False;
|
||||
}
|
||||
fstrcpy(request.data.auth_crap.user, name_user);
|
||||
|
||||
if (push_utf8_fstring(request.data.auth_crap.domain,
|
||||
name_domain) == -1) {
|
||||
d_printf("unable to create utf8 string for '%s'\n",
|
||||
name_domain);
|
||||
return False;
|
||||
}
|
||||
fstrcpy(request.data.auth_crap.domain,
|
||||
name_domain);
|
||||
|
||||
generate_random_buffer(request.data.auth_crap.chal, 8);
|
||||
|
||||
|
||||
@ -181,7 +181,7 @@ struct winbindd_request {
|
||||
character is. */
|
||||
fstring user;
|
||||
fstring pass;
|
||||
fstring required_membership_sid;
|
||||
fstring require_membership_of_sid;
|
||||
} auth; /* pam_winbind auth module */
|
||||
struct {
|
||||
unsigned char chal[8];
|
||||
@ -192,7 +192,7 @@ struct winbindd_request {
|
||||
fstring nt_resp;
|
||||
uint16 nt_resp_len;
|
||||
fstring workstation;
|
||||
fstring required_membership_sid;
|
||||
fstring require_membership_of_sid;
|
||||
} auth_crap;
|
||||
struct {
|
||||
fstring user;
|
||||
|
||||
@ -59,7 +59,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
|
||||
NET_USER_INFO_3 *info3,
|
||||
const char *group_sid)
|
||||
{
|
||||
DOM_SID required_membership_sid;
|
||||
DOM_SID require_membership_of_sid;
|
||||
DOM_SID *all_sids;
|
||||
size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
|
||||
size_t i, j = 0;
|
||||
@ -71,7 +71,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
if (!string_to_sid(&required_membership_sid, group_sid)) {
|
||||
if (!string_to_sid(&require_membership_of_sid, group_sid)) {
|
||||
DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
|
||||
group_sid));
|
||||
|
||||
@ -133,9 +133,9 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
|
||||
fstring sid1, sid2;
|
||||
DEBUG(10, ("User has SID: %s\n",
|
||||
sid_to_string(sid1, &all_sids[i])));
|
||||
if (sid_equal(&required_membership_sid, &all_sids[i])) {
|
||||
if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
|
||||
DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
|
||||
sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i])));
|
||||
sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
}
|
||||
@ -334,10 +334,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
|
||||
|
||||
/* Check if the user is in the right group */
|
||||
|
||||
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
|
||||
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
|
||||
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
|
||||
state->request.data.auth.user,
|
||||
state->request.data.auth.required_membership_sid));
|
||||
state->request.data.auth.require_membership_of_sid));
|
||||
}
|
||||
}
|
||||
|
||||
@ -414,7 +414,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
NET_USER_INFO_3 info3;
|
||||
struct cli_state *cli = NULL;
|
||||
TALLOC_CTX *mem_ctx = NULL;
|
||||
char *name_user = NULL;
|
||||
const char *name_user = NULL;
|
||||
const char *name_domain = NULL;
|
||||
const char *workstation;
|
||||
struct winbindd_domain *contact_domain;
|
||||
@ -432,7 +432,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
/* send a better message than ACCESS_DENIED */
|
||||
asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on %s are set correctly.",
|
||||
get_winbind_priv_pipe_dir());
|
||||
push_utf8_fstring(state->response.data.auth.error_string, error_string);
|
||||
fstrcpy(state->response.data.auth.error_string, error_string);
|
||||
SAFE_FREE(error_string);
|
||||
result = NT_STATUS_ACCESS_DENIED;
|
||||
goto done;
|
||||
@ -442,26 +442,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
|
||||
state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
|
||||
|
||||
if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
|
||||
if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
|
||||
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
|
||||
result = NT_STATUS_NO_MEMORY;
|
||||
goto done;
|
||||
}
|
||||
|
||||
if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
|
||||
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
|
||||
result = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
name_user = state->request.data.auth_crap.user;
|
||||
|
||||
if (*state->request.data.auth_crap.domain) {
|
||||
char *dom = NULL;
|
||||
if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
|
||||
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
|
||||
result = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
name_domain = dom;
|
||||
name_domain = state->request.data.auth_crap.domain;
|
||||
} else if (lp_winbind_use_default_domain()) {
|
||||
name_domain = lp_workgroup();
|
||||
} else {
|
||||
@ -475,13 +465,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
name_domain, name_user));
|
||||
|
||||
if (*state->request.data.auth_crap.workstation) {
|
||||
char *wrk = NULL;
|
||||
if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
|
||||
DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
|
||||
result = NT_STATUS_UNSUCCESSFUL;
|
||||
goto done;
|
||||
}
|
||||
workstation = wrk;
|
||||
workstation = state->request.data.auth_crap.workstation;
|
||||
} else {
|
||||
workstation = global_myname();
|
||||
}
|
||||
@ -587,10 +571,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
|
||||
wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
|
||||
|
||||
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
|
||||
if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
|
||||
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
|
||||
state->request.data.auth_crap.user,
|
||||
state->request.data.auth_crap.required_membership_sid));
|
||||
state->request.data.auth_crap.require_membership_of_sid));
|
||||
goto done;
|
||||
}
|
||||
|
||||
@ -616,8 +600,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
|
||||
|
||||
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
|
||||
|
||||
/* this interface is in UTF8 */
|
||||
if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
|
||||
state->response.extra_data = strdup(username_out);
|
||||
if (!state->response.extra_data) {
|
||||
result = NT_STATUS_NO_MEMORY;
|
||||
goto done;
|
||||
}
|
||||
@ -643,11 +627,11 @@ done:
|
||||
}
|
||||
|
||||
state->response.data.auth.nt_status = NT_STATUS_V(result);
|
||||
push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
|
||||
fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
|
||||
|
||||
/* we might have given a more useful error above */
|
||||
if (!*state->response.data.auth.error_string)
|
||||
push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
|
||||
fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
|
||||
state->response.data.auth.pam_error = nt_status_to_pam(result);
|
||||
|
||||
DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2,
|
||||
@ -677,7 +661,7 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
|
||||
DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
|
||||
state->request.data.chauthtok.user));
|
||||
|
||||
if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s",
|
||||
if (!(mem_ctx = talloc_init("winbind password change for %s",
|
||||
state->request.data.chauthtok.user))) {
|
||||
DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
|
||||
result = NT_STATUS_NO_MEMORY;
|
||||
|
||||
@ -90,7 +90,7 @@ static int request_lm_key;
|
||||
static int request_user_session_key;
|
||||
|
||||
static const char *require_membership_of;
|
||||
static const char *require_membership_sid;
|
||||
static const char *require_membership_of_sid;
|
||||
|
||||
static char winbind_separator(void)
|
||||
{
|
||||
@ -214,7 +214,7 @@ static BOOL get_require_membership_sid(void) {
|
||||
return True;
|
||||
}
|
||||
|
||||
if (require_membership_sid) {
|
||||
if (require_membership_of_sid) {
|
||||
return True;
|
||||
}
|
||||
|
||||
@ -238,9 +238,9 @@ static BOOL get_require_membership_sid(void) {
|
||||
return False;
|
||||
}
|
||||
|
||||
require_membership_sid = strdup(response.data.sid.sid);
|
||||
require_membership_of_sid = strdup(response.data.sid.sid);
|
||||
|
||||
if (require_membership_sid)
|
||||
if (require_membership_of_sid)
|
||||
return True;
|
||||
|
||||
return False;
|
||||
@ -265,8 +265,8 @@ static BOOL check_plaintext_auth(const char *user, const char *pass,
|
||||
|
||||
fstrcpy(request.data.auth.user, user);
|
||||
fstrcpy(request.data.auth.pass, pass);
|
||||
if (require_membership_sid)
|
||||
fstrcpy(request.data.auth.required_membership_sid, require_membership_sid);
|
||||
if (require_membership_of_sid)
|
||||
fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
|
||||
|
||||
result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
|
||||
|
||||
@ -323,27 +323,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
|
||||
|
||||
request.flags = flags;
|
||||
|
||||
if (require_membership_sid)
|
||||
fstrcpy(request.data.auth_crap.required_membership_sid, require_membership_sid);
|
||||
if (require_membership_of_sid)
|
||||
fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
|
||||
|
||||
if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
|
||||
*error_string = smb_xstrdup(
|
||||
"unable to create utf8 string for username");
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
fstrcpy(request.data.auth_crap.user, username);
|
||||
fstrcpy(request.data.auth_crap.domain, domain);
|
||||
|
||||
if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) {
|
||||
*error_string = smb_xstrdup(
|
||||
"unable to create utf8 string for domain");
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
|
||||
if (push_utf8_fstring(request.data.auth_crap.workstation,
|
||||
workstation) == -1) {
|
||||
*error_string = smb_xstrdup(
|
||||
"unable to create utf8 string for workstation");
|
||||
return NT_STATUS_UNSUCCESSFUL;
|
||||
}
|
||||
fstrcpy(request.data.auth_crap.workstation,
|
||||
workstation);
|
||||
|
||||
memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
|
||||
|
||||
@ -391,7 +378,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
|
||||
}
|
||||
|
||||
if (flags & WBFLAG_PAM_UNIX_NAME) {
|
||||
if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
|
||||
*unix_name = strdup((char *)response.extra_data);
|
||||
if (!*unix_name) {
|
||||
free_response(&response);
|
||||
return NT_STATUS_NO_MEMORY;
|
||||
}
|
||||
@ -478,7 +466,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_st
|
||||
NTSTATUS status;
|
||||
if ( (opt_username == NULL) || (opt_domain == NULL) ) {
|
||||
DEBUG(1, ("Need username and domain for NTLMSSP\n"));
|
||||
return status;
|
||||
return NT_STATUS_INVALID_PARAMETER;
|
||||
}
|
||||
|
||||
status = ntlmssp_client_start(client_ntlmssp_state);
|
||||
@ -1817,7 +1805,7 @@ enum {
|
||||
|
||||
case OPT_REQUIRE_MEMBERSHIP:
|
||||
if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
|
||||
require_membership_sid = require_membership_of;
|
||||
require_membership_of_sid = require_membership_of;
|
||||
}
|
||||
break;
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user