Author: gd Date: 2007-08-14 20:06:11 +0000 (Tue, 14 Aug 2007) New Revision: 24434
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24434 Log: Simplify winbindd_raw_kerberos_login(). Guenther Modified: branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c Changeset: Modified: branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c 2007-08-14 20:02:11 UTC (rev 24433) +++ branches/SAMBA_3_2/source/nsswitch/winbindd_pam.c 2007-08-14 20:06:11 UTC (rev 24434) @@ -422,13 +422,6 @@ #ifdef HAVE_KRB5 NTSTATUS result = NT_STATUS_UNSUCCESSFUL; krb5_error_code krb5_ret; - DATA_BLOB tkt, session_key_krb5; - DATA_BLOB ap_rep, session_key; - PAC_DATA *pac_data = NULL; - PAC_LOGON_INFO *logon_info = NULL; - char *client_princ = NULL; - char *client_princ_out = NULL; - char *local_service = NULL; const char *cc = NULL; const char *principal_s = NULL; const char *service = NULL; @@ -441,11 +434,6 @@ time_t time_offset = 0; BOOL internal_ccache = True; - ZERO_STRUCT(session_key); - ZERO_STRUCT(session_key_krb5); - ZERO_STRUCT(tkt); - ZERO_STRUCT(ap_rep); - ZERO_STRUCTP(info3); *info3 = NULL; @@ -497,115 +485,37 @@ /* if this is a user ccache, we need to act as the user to let the krb5 * library handle the chown, etc. */ - /************************ NON-ROOT **********************/ + /************************ ENTERING NON-ROOT **********************/ if (!internal_ccache) { - set_effective_uid(uid); DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid)); } - krb5_ret = kerberos_kinit_password_ext(principal_s, - state->request.data.auth.pass, - time_offset, - &ticket_lifetime, - &renewal_until, - cc, - True, - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - &result); - - if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", - principal_s, error_message(krb5_ret), krb5_ret)); - goto failed; - } - - /* does http_timestring use heimdals libroken strftime?? - Guenther */ - DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n", - principal_s, cc, - http_timestring(ticket_lifetime), (int)ticket_lifetime, - http_timestring(renewal_until), (int)renewal_until)); - - /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set, - * in that case fallback to NTLM - gd */ - - if ((ticket_lifetime == 0) && (renewal_until == 0)) { - result = NT_STATUS_INVALID_LOGON_TYPE; - goto failed; - } - - client_princ = talloc_strdup(state->mem_ctx, global_myname()); - if (client_princ == NULL) { - result = NT_STATUS_NO_MEMORY; - goto failed; - } - strlower_m(client_princ); - - local_service = talloc_asprintf(state->mem_ctx, "[EMAIL PROTECTED]", client_princ, lp_realm()); - if (local_service == NULL) { - DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n")); - result = NT_STATUS_NO_MEMORY; - goto failed; - } - - krb5_ret = cli_krb5_get_ticket(local_service, - time_offset, - &tkt, - &session_key_krb5, - 0, - cc, - NULL); - if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", - local_service, error_message(krb5_ret))); - result = krb5_to_nt_status(krb5_ret); - goto failed; - } - + result = kerberos_return_info3_from_pac(state->mem_ctx, + principal_s, + state->request.data.auth.pass, + time_offset, + &ticket_lifetime, + &renewal_until, + cc, + True, + True, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + info3); if (!internal_ccache) { gain_root_privilege(); } - /************************ NON-ROOT **********************/ + /************************ RETURNED TO ROOT **********************/ - result = ads_verify_ticket(state->mem_ctx, - lp_realm(), - time_offset, - &tkt, - &client_princ_out, - &pac_data, - &ap_rep, - &session_key, False); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", - nt_errstr(result))); goto failed; } - if (!pac_data) { - DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n")); - result = NT_STATUS_INVALID_PARAMETER; - goto failed; - } - - logon_info = get_logon_info_from_pac(pac_data); - if (logon_info == NULL) { - DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n")); - result = NT_STATUS_INVALID_PARAMETER; - goto failed; - } + DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", + principal_s)); - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", - local_service)); - - - /* last step: - * put results together */ - - *info3 = &logon_info->info3; - /* if we had a user's ccache then return that string for the pam * environment */ @@ -666,17 +576,7 @@ } done: - data_blob_free(&session_key); - data_blob_free(&session_key_krb5); - data_blob_free(&ap_rep); - data_blob_free(&tkt); - SAFE_FREE(client_princ_out); - - if (!internal_ccache) { - gain_root_privilege(); - } - return result; #else return NT_STATUS_NOT_SUPPORTED; Modified: branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c =================================================================== --- branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c 2007-08-14 20:02:11 UTC (rev 24433) +++ branches/SAMBA_3_2_0/source/nsswitch/winbindd_pam.c 2007-08-14 20:06:11 UTC (rev 24434) @@ -422,13 +422,6 @@ #ifdef HAVE_KRB5 NTSTATUS result = NT_STATUS_UNSUCCESSFUL; krb5_error_code krb5_ret; - DATA_BLOB tkt, session_key_krb5; - DATA_BLOB ap_rep, session_key; - PAC_DATA *pac_data = NULL; - PAC_LOGON_INFO *logon_info = NULL; - char *client_princ = NULL; - char *client_princ_out = NULL; - char *local_service = NULL; const char *cc = NULL; const char *principal_s = NULL; const char *service = NULL; @@ -441,11 +434,6 @@ time_t time_offset = 0; BOOL internal_ccache = True; - ZERO_STRUCT(session_key); - ZERO_STRUCT(session_key_krb5); - ZERO_STRUCT(tkt); - ZERO_STRUCT(ap_rep); - ZERO_STRUCTP(info3); *info3 = NULL; @@ -497,115 +485,37 @@ /* if this is a user ccache, we need to act as the user to let the krb5 * library handle the chown, etc. */ - /************************ NON-ROOT **********************/ + /************************ ENTERING NON-ROOT **********************/ if (!internal_ccache) { - set_effective_uid(uid); DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid)); } - krb5_ret = kerberos_kinit_password_ext(principal_s, - state->request.data.auth.pass, - time_offset, - &ticket_lifetime, - &renewal_until, - cc, - True, - True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - &result); - - if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", - principal_s, error_message(krb5_ret), krb5_ret)); - goto failed; - } - - /* does http_timestring use heimdals libroken strftime?? - Guenther */ - DEBUG(10,("got TGT for %s in %s (valid until: %s (%d), renewable till: %s (%d))\n", - principal_s, cc, - http_timestring(ticket_lifetime), (int)ticket_lifetime, - http_timestring(renewal_until), (int)renewal_until)); - - /* we cannot continue with krb5 when UF_DONT_REQUIRE_PREAUTH is set, - * in that case fallback to NTLM - gd */ - - if ((ticket_lifetime == 0) && (renewal_until == 0)) { - result = NT_STATUS_INVALID_LOGON_TYPE; - goto failed; - } - - client_princ = talloc_strdup(state->mem_ctx, global_myname()); - if (client_princ == NULL) { - result = NT_STATUS_NO_MEMORY; - goto failed; - } - strlower_m(client_princ); - - local_service = talloc_asprintf(state->mem_ctx, "[EMAIL PROTECTED]", client_princ, lp_realm()); - if (local_service == NULL) { - DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n")); - result = NT_STATUS_NO_MEMORY; - goto failed; - } - - krb5_ret = cli_krb5_get_ticket(local_service, - time_offset, - &tkt, - &session_key_krb5, - 0, - cc, - NULL); - if (krb5_ret) { - DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", - local_service, error_message(krb5_ret))); - result = krb5_to_nt_status(krb5_ret); - goto failed; - } - + result = kerberos_return_info3_from_pac(state->mem_ctx, + principal_s, + state->request.data.auth.pass, + time_offset, + &ticket_lifetime, + &renewal_until, + cc, + True, + True, + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + info3); if (!internal_ccache) { gain_root_privilege(); } - /************************ NON-ROOT **********************/ + /************************ RETURNED TO ROOT **********************/ - result = ads_verify_ticket(state->mem_ctx, - lp_realm(), - time_offset, - &tkt, - &client_princ_out, - &pac_data, - &ap_rep, - &session_key, False); if (!NT_STATUS_IS_OK(result)) { - DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", - nt_errstr(result))); goto failed; } - if (!pac_data) { - DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n")); - result = NT_STATUS_INVALID_PARAMETER; - goto failed; - } - - logon_info = get_logon_info_from_pac(pac_data); - if (logon_info == NULL) { - DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n")); - result = NT_STATUS_INVALID_PARAMETER; - goto failed; - } + DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", + principal_s)); - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", - local_service)); - - - /* last step: - * put results together */ - - *info3 = &logon_info->info3; - /* if we had a user's ccache then return that string for the pam * environment */ @@ -666,17 +576,7 @@ } done: - data_blob_free(&session_key); - data_blob_free(&session_key_krb5); - data_blob_free(&ap_rep); - data_blob_free(&tkt); - SAFE_FREE(client_princ_out); - - if (!internal_ccache) { - gain_root_privilege(); - } - return result; #else return NT_STATUS_NOT_SUPPORTED;
