Author: gd Date: 2006-03-29 09:40:42 +0000 (Wed, 29 Mar 2006) New Revision: 14753
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14753 Log: Fix the kerberized pam_auth: As we could have created a new credential cache with a valid TGT in it but we werent able to get or verify the service ticket for this local host afterwards and therefor didn't get the PAC, we need to remove that ccache entirely. Also remove an ugly pair of (not needed) seteuid calls around the ticket destroy wrapper. Guenther Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c trunk/source/nsswitch/winbindd_pam.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-03-28 17:10:20 UTC (rev 14752) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c 2006-03-29 09:40:42 UTC (rev 14753) @@ -342,7 +342,7 @@ goto done; memory_ccache: - gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache"); + gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache"); done: if (gen_cc == NULL) { @@ -495,7 +495,7 @@ DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", principal_s, error_message(krb5_ret), krb5_ret)); result = krb5_to_nt_status(krb5_ret); - goto done; + goto failed; } /* does http_timestring use heimdals libroken strftime?? - Guenther */ @@ -507,7 +507,7 @@ client_princ = talloc_strdup(state->mem_ctx, global_myname()); if (client_princ == NULL) { result = NT_STATUS_NO_MEMORY; - goto done; + goto failed; } strlower_m(client_princ); @@ -515,7 +515,7 @@ if (local_service == NULL) { DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n")); result = NT_STATUS_NO_MEMORY; - goto done; + goto failed; } krb5_ret = cli_krb5_get_ticket(local_service, @@ -525,10 +525,10 @@ 0, cc); if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n", - local_service)); + DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", + local_service, error_message(krb5_ret))); result = krb5_to_nt_status(krb5_ret); - goto done; + goto failed; } if (!internal_ccache) { @@ -547,7 +547,7 @@ if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", nt_errstr(result))); - goto done; + goto failed; } DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", @@ -556,14 +556,14 @@ if (!pac_data) { DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n")); result = NT_STATUS_INVALID_PARAMETER; - goto done; + goto failed; } logon_info = get_logon_info_from_pac(pac_data); if (logon_info == NULL) { DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n")); result = NT_STATUS_INVALID_PARAMETER; - goto done; + goto failed; } @@ -599,6 +599,22 @@ result = NT_STATUS_OK; + goto done; + +failed: + + /* we could have created a new credential cache with a valid tgt in it + * but we werent able to get or verify the service ticket for this + * local host and therefor didn't get the PAC, we need to remove that + * cache entirely now */ + + krb5_ret = ads_kdestroy(cc); + if (krb5_ret) { + DEBUG(0,("winbindd_raw_kerberos_login: " + "could not destroy krb5 credential cache: " + "%s\n", error_message(krb5_ret))); + } + done: data_blob_free(&session_key); data_blob_free(&session_key_krb5); @@ -1802,12 +1818,8 @@ goto process_result; } - seteuid(entry->uid); - ret = ads_kdestroy(entry->ccname); - seteuid(0); - if (ret) { DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n", entry->ccname, error_message(ret))); Modified: trunk/source/nsswitch/winbindd_pam.c =================================================================== --- trunk/source/nsswitch/winbindd_pam.c 2006-03-28 17:10:20 UTC (rev 14752) +++ trunk/source/nsswitch/winbindd_pam.c 2006-03-29 09:40:42 UTC (rev 14753) @@ -342,7 +342,7 @@ goto done; memory_ccache: - gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache"); + gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache"); done: if (gen_cc == NULL) { @@ -495,7 +495,7 @@ DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", principal_s, error_message(krb5_ret), krb5_ret)); result = krb5_to_nt_status(krb5_ret); - goto done; + goto failed; } /* does http_timestring use heimdals libroken strftime?? - Guenther */ @@ -507,7 +507,7 @@ client_princ = talloc_strdup(state->mem_ctx, global_myname()); if (client_princ == NULL) { result = NT_STATUS_NO_MEMORY; - goto done; + goto failed; } strlower_m(client_princ); @@ -515,7 +515,7 @@ if (local_service == NULL) { DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n")); result = NT_STATUS_NO_MEMORY; - goto done; + goto failed; } krb5_ret = cli_krb5_get_ticket(local_service, @@ -525,10 +525,10 @@ 0, cc); if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n", - local_service)); + DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", + local_service, error_message(krb5_ret))); result = krb5_to_nt_status(krb5_ret); - goto done; + goto failed; } if (!internal_ccache) { @@ -547,7 +547,7 @@ if (!NT_STATUS_IS_OK(result)) { DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", nt_errstr(result))); - goto done; + goto failed; } DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", @@ -556,14 +556,14 @@ if (!pac_data) { DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n")); result = NT_STATUS_INVALID_PARAMETER; - goto done; + goto failed; } logon_info = get_logon_info_from_pac(pac_data); if (logon_info == NULL) { DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n")); result = NT_STATUS_INVALID_PARAMETER; - goto done; + goto failed; } @@ -599,6 +599,22 @@ result = NT_STATUS_OK; + goto done; + +failed: + + /* we could have created a new credential cache with a valid tgt in it + * but we werent able to get or verify the service ticket for this + * local host and therefor didn't get the PAC, we need to remove that + * cache entirely now */ + + krb5_ret = ads_kdestroy(cc); + if (krb5_ret) { + DEBUG(0,("winbindd_raw_kerberos_login: " + "could not destroy krb5 credential cache: " + "%s\n", error_message(krb5_ret))); + } + done: data_blob_free(&session_key); data_blob_free(&session_key_krb5); @@ -1802,12 +1818,8 @@ goto process_result; } - seteuid(entry->uid); - ret = ads_kdestroy(entry->ccname); - seteuid(0); - if (ret) { DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n", entry->ccname, error_message(ret)));
