The branch, master has been updated via 149f8f1 s4-gensec: Move parsing of the PAC blob and creating the session_info into auth via fc226f8 s4-gensec: fix cyrus sasl module after update() protype change via f320fb3 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional via 5815a1b s4-auth Remove unused auth_context_create_from_ldb() via f7a866a s4-gensec: Allow a PAC to be obtained from any GSS mech via 9a085b0 auth/kerberos: Move gssapi_parse.c to the top level via 1baf916 credentials: Always honour the return value of E_deshash() via cfb9a9d s4-ntlmssp Do not allow LM key without a LM password via e387721 s3-auth Fix talloc parent for s4 event context in auth_samba4 via d76abd1 s3-auth: Remove protype for already-removed auth_ntlmssp_start via 4b7b26e gensec: Allow an alternate set of modules to be specified from 1364eb7 lib/charset: Remove an unused variable
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 149f8f16be79dc9d142971fb74633cfc5b186840 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Dec 28 17:48:45 2011 +1100 s4-gensec: Move parsing of the PAC blob and creating the session_info into auth This uses a single callback to handle the PAC from the DATA_BLOB format until it becomes a struct auth_session_info. This allows a separation between the GSS acceptor code and the PAC interpretation code based on the supplied auth context. Andrew Bartlett Autobuild-User: Andrew Bartlett <abart...@samba.org> Autobuild-Date: Thu Dec 29 01:10:59 CET 2011 on sn-devel-104 commit fc226f81c6c14b1afc9b98692463ff1e2f9b2464 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Dec 28 17:31:03 2011 +1100 s4-gensec: fix cyrus sasl module after update() prototype change commit f320fb3df4fd9f52ecb18b1f2ef3dc34e85ccc8e Author: Andrew Bartlett <abart...@samba.org> Date: Wed Dec 28 16:01:38 2011 +1100 auth/kerberos: Make pac_data_out in kerberos_decode_pac() optional commit 5815a1b7778cd93ca4aad568535e63d06b29fece Author: Andrew Bartlett <abart...@samba.org> Date: Wed Dec 28 10:38:52 2011 +1100 s4-auth Remove unused auth_context_create_from_ldb() commit f7a866a17cd66d95e36248d7b88d9316d7e86e99 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Dec 27 22:02:16 2011 +1100 s4-gensec: Allow a PAC to be obtained from any GSS mech This may allow Luke Howard's moonshot to work with a little less effort at some point in the future. Andrew Bartlett commit 9a085b0b80d1528e2b7a65ae8a4647cffff74a0c Author: Andrew Bartlett <abart...@samba.org> Date: Tue Dec 27 22:00:22 2011 +1100 auth/kerberos: Move gssapi_parse.c to the top level This will help with writing a gensec module for the s3 gse layer. 
Andrew Bartlett commit 1baf91639919a96d305196da03e38097ed6ba46f Author: Andrew Bartlett <abart...@samba.org> Date: Tue Dec 27 21:30:49 2011 +1100 credentials: Always honour the return value of E_deshash() When this returns false, the hash value is not correct as the password could not be converted into an uppercase, 14 char or less ASCII string. Andrew Bartlett commit cfb9a9d650a0217eaa751963f055f8cdd7aa3392 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Dec 27 19:50:36 2011 +1100 s4-ntlmssp Do not allow LM key without a LM password commit e387721bc53d7caa6d8f578ada242f4c5fa78716 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Dec 26 22:59:17 2011 +1100 s3-auth Fix talloc parent for s4 event context in auth_samba4 commit d76abd1c45de32eea0b7a001eb819152435d66ef Author: Andrew Bartlett <abart...@samba.org> Date: Mon Dec 26 11:51:08 2011 +1100 s3-auth: Remove protype for already-removed auth_ntlmssp_start commit 4b7b26e3c05f0fe38fe6c843df48d665db75c0f6 Author: Andrew Bartlett <abart...@samba.org> Date: Mon Dec 26 10:53:56 2011 +1100 gensec: Allow an alternate set of modules to be specified This will allow s3 to specify modules to use as a list, rather than needing to start the individual module with gensec_start_mech_by_ops() Andrew Bartlett ----------------------------------------------------------------------- Summary of changes: auth/credentials/credentials_ntlm.c | 6 +- auth/gensec/gensec.h | 6 + auth/gensec/gensec_start.c | 7 +- {source4/auth => auth}/kerberos/gssapi_parse.c | 10 +- auth/kerberos/kerberos_pac.c | 35 ++++++- auth/kerberos/wscript_build | 4 +- lib/param/loadparm.c | 2 +- libcli/auth/krb5_wrap.h | 4 + source3/auth/auth_samba4.c | 2 +- source3/auth/proto.h | 1 - source4/auth/auth.h | 17 ++-- source4/auth/gensec/cyrus_sasl.c | 1 + source4/auth/gensec/gensec_gssapi.c | 123 +++++++----------------- source4/auth/gensec/gensec_krb5.c | 79 ++++------------ source4/auth/gensec/gensec_util.c | 97 ++++++++++++++++++ 
source4/auth/gensec/wscript_build | 6 +- source4/auth/kerberos/kerberos_pac.c | 1 + source4/auth/kerberos/wscript_build | 4 +- source4/auth/ntlm/auth.c | 125 ++++++++++++++++-------- source4/auth/ntlm/wscript_build | 2 +- source4/auth/ntlmssp/ntlmssp_client.c | 8 +- 21 files changed, 313 insertions(+), 227 deletions(-) rename {source4/auth => auth}/kerberos/gssapi_parse.c (99%) Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_ntlm.c b/auth/credentials/credentials_ntlm.c
index 7f4af4f..2d6d6f6 100644
--- a/auth/credentials/credentials_ntlm.c
+++ b/auth/credentials/credentials_ntlm.c
@@ -174,8 +174,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 lm_response = nt_response;
 /* LM Key is incompatible with 'long' passwords */
 *flags &= ~CLI_CRED_LANMAN_AUTH;
- } else {
- E_deshash(password, lm_hash);
+ } else if (E_deshash(password, lm_hash)) {
 lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 memcpy(lm_session_key.data, lm_hash, 8);
 memset(&lm_session_key.data[8], '\0', 8);
@@ -193,8 +192,7 @@ _PUBLIC_ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred
 *flags &= ~CLI_CRED_LANMAN_AUTH;
 password = cli_credentials_get_password(cred);
- if (password) {
- E_deshash(password, lm_hash);
+ if (password && E_deshash(password, lm_hash)) {
 lm_session_key = data_blob_talloc(mem_ctx, NULL, 16);
 memcpy(lm_session_key.data, lm_hash, 8);
 memset(&lm_session_key.data[8], '\0', 8);
diff --git a/auth/gensec/gensec.h b/auth/gensec/gensec.h
index acfc549..be330e9 100644
--- a/auth/gensec/gensec.h
+++ b/auth/gensec/gensec.h
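Review bot: When E_deshash() returns false, the new `else if` in both credentials_ntlm.c hunks now falls through with neither an LM response nor an LM session key set and without clearing CLI_CRED_LANMAN_AUTH, whereas the long-password branch just above explicitly clears that flag. If an unconvertible password is meant to be treated like a long one, a trailing `} else { *flags &= ~CLI_CRED_LANMAN_AUTH; }` would make that explicit; if the fall-through is intended, a one-line comment saying why the flag stays set would help. The same applies to the second hunk at @@ -193. cli_credentials_get_ntlm_response starts and ends outside the hunks, so what lm_session_key and lm_response hold on this path is not visible here.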
@@ -73,10 +73,16 @@ struct cli_credentials;
 struct gensec_settings;
 struct tevent_context;
 struct tevent_req;
+struct smb_krb5_context;
 struct gensec_settings {
 struct loadparm_context *lp_ctx;
 const char *target_hostname;
+
+ /* this allows callers to specify a specific set of ops that
+ * should be used, rather than those loaded by the plugin
+ * mechanism */
+ struct gensec_security_ops **backends;
 };
 struct gensec_security_ops {
diff --git a/auth/gensec/gensec_start.c b/auth/gensec/gensec_start.c
index c38b970..9576e53 100644
--- a/auth/gensec/gensec_start.c
+++ b/auth/gensec/gensec_start.c
@@ -118,14 +118,19 @@ struct gensec_security_ops **gensec_security_mechs(struct gensec_security *gense
 TALLOC_CTX *mem_ctx)
 {
 struct gensec_security_ops **backends;
- backends = gensec_security_all();
 if (!gensec_security) {
+ backends = gensec_security_all();
 if (!talloc_reference(mem_ctx, backends)) {
 return NULL;
 }
 return backends;
 } else {
 struct cli_credentials *creds = gensec_get_credentials(gensec_security);
+ if (gensec_security->settings->backends) {
+ backends = gensec_security->settings->backends;
+ } else {
+ backends = gensec_security_all();
+ }
 if (!creds) {
 if (!talloc_reference(mem_ctx, backends)) {
 return NULL;
diff --git a/source4/auth/kerberos/gssapi_parse.c b/auth/kerberos/gssapi_parse.c
similarity index 99%
rename from source4/auth/kerberos/gssapi_parse.c
rename to auth/kerberos/gssapi_parse.c
index b538d82..6e9eddc 100644
--- a/source4/auth/kerberos/gssapi_parse.c
+++ b/auth/kerberos/gssapi_parse.c
@@ -1,4 +1,4 @@
-/*
+/*
 Unix SMB/CIFS implementation.
 simple GSSAPI wrappers
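Review bot: The new settings->backends path in gensec_security_mechs() documents neither that the array must be NULL-terminated nor who owns it, yet the code below passes it straight to talloc_reference(mem_ctx, backends), which adds a reference onto a caller-supplied allocation. I would extend the field comment in the gensec.h hunk with `/* must be a NULL-terminated talloc array that outlives the gensec_security; NULL means use the plugin-loaded set */`. The struct is only correct when allocated with talloc_zero(), as the loadparm.c hunk in this changeset now does; any other allocator of struct gensec_settings that still uses talloc() would leave backends uninitialised and this branch would dereference garbage. gensec_security_mechs() continues beyond the hunk.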
@@ -6,17 +6,17 @@ Copyright (C) Andrew Tridgell 2001 Copyright (C) Jim McDonough <j...@us.ibm.com> 2002 Copyright (C) Luke Howard 2003 - + This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. - + You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. */ @@ -117,5 +117,3 @@ bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid) return ret; } - - diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 79d51b2..a262c01 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -77,7 +77,7 @@ krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx, * * @return - A NTSTATUS error code */ -NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, +NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx_out, DATA_BLOB pac_data_blob, krb5_context context, const krb5_keyblock *krbtgt_keyblock, @@ -109,13 +109,21 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, bool bool_ret; - *pac_data_out = NULL; + TALLOC_CTX *mem_ctx = talloc_new(mem_ctx_out); + if (!mem_ctx) { + return NT_STATUS_NO_MEMORY; + } + + if (pac_data_out) { + *pac_data_out = NULL; + } pac_data = talloc(mem_ctx, struct PAC_DATA); pac_data_raw = talloc(mem_ctx, struct PAC_DATA_RAW); kdc_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); srv_sig_wipe = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); if (!pac_data_raw || !pac_data || !kdc_sig_wipe || !srv_sig_wipe) { + talloc_free(mem_ctx); return NT_STATUS_NO_MEMORY; } 
@@ -125,12 +133,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't parse the PAC: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } if (pac_data->num_buffers < 4) { /* we need logon_ingo, service_key and kdc_key */ DEBUG(0,("less than 4 PAC buffers\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -141,12 +151,14 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't parse the PAC: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } if (pac_data_raw->num_buffers < 4) { /* we need logon_ingo, service_key and kdc_key */ DEBUG(0,("less than 4 PAC buffers\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -155,6 +167,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, DEBUG(0, ("misparse! PAC_DATA has %d buffers while " "PAC_DATA_RAW has %d\n", pac_data->num_buffers, pac_data_raw->num_buffers)); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } @@ -166,6 +179,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, DEBUG(0, ("misparse! PAC_DATA buffer %d has type " "%d while PAC_DATA_RAW has %d\n", i, data_buf->type, raw_buf->type)); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } switch (data_buf->type) { @@ -199,21 +213,25 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, if (!logon_info) { DEBUG(0,("PAC no logon_info\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } if (!logon_name) { DEBUG(0,("PAC no logon_name\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } if (!srv_sig_ptr || !srv_sig_blob) { DEBUG(0,("PAC no srv_key\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } if (!kdc_sig_ptr || !kdc_sig_blob) { DEBUG(0,("PAC no kdc_key\n")); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } 
@@ -229,6 +247,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't parse the KDC signature: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } @@ -239,6 +258,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't parse the SRV signature: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } @@ -256,6 +276,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't repack the KDC signature: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } ndr_err = ndr_push_struct_blob( @@ -265,6 +286,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't repack the SRV signature: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } @@ -276,6 +298,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, status = ndr_map_error2ntstatus(ndr_err); DEBUG(0,("can't repack the RAW PAC: %s\n", nt_errstr(status))); + talloc_free(mem_ctx); return status; } @@ -299,6 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, if (ret) { DEBUG(1, ("PAC Decode: Failed to verify the KDC signature: %s\n", smb_get_krb5_error_message(context, ret, mem_ctx))); + talloc_free(mem_ctx); return NT_STATUS_ACCESS_DENIED; } } @@ -315,6 +339,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, nt_time_string(mem_ctx, logon_name->logon_time))); DEBUG(2, ("PAC Decode: Ticket: %s\n", nt_time_string(mem_ctx, tgs_authtime_nttime))); + talloc_free(mem_ctx); return NT_STATUS_ACCESS_DENIED; } } @@ -326,6 +351,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx, if (ret) { DEBUG(2, ("Could not parse name from PAC: [%s]:%s\n", logon_name->account_name, error_message(ret))); + talloc_free(mem_ctx); return NT_STATUS_INVALID_PARAMETER; } 
@@ -338,6 +364,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 if (!bool_ret) {
 DEBUG(2, ("Name in PAC [%s] does not match principal name " "in ticket\n", logon_name->account_name));
+ talloc_free(mem_ctx);
 return NT_STATUS_ACCESS_DENIED;
 }
 }
@@ -356,7 +383,9 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
 }
 }
- *pac_data_out = pac_data;
+ if (pac_data_out) {
+ *pac_data_out = talloc_steal(mem_ctx_out, pac_data);
+ }
 return NT_STATUS_OK;
 }
diff --git a/auth/kerberos/wscript_build b/auth/kerberos/wscript_build
index 2421b16..fe38b76 100644
--- a/auth/kerberos/wscript_build
+++ b/auth/kerberos/wscript_build
@@ -1,3 +1,3 @@
 bld.SAMBA_SUBSYSTEM('KRB5_PAC',
- source='gssapi_pac.c kerberos_pac.c',
- deps='gssapi_krb5 krb5 ndr-krb5pac com_err')
+ source='gssapi_pac.c kerberos_pac.c gssapi_parse.c',
+ deps='gssapi_krb5 krb5 ndr-krb5pac com_err asn1util')
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 006fa8a..949c404 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3727,7 +3727,7 @@ _PUBLIC_ char *lpcfg_tls_dhpfile(TALLOC_CTX *mem_ctx, struct loadparm_context *l
 struct gensec_settings *lpcfg_gensec_settings(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx)
 {
- struct gensec_settings *settings = talloc(mem_ctx, struct gensec_settings);
+ struct gensec_settings *settings = talloc_zero(mem_ctx, struct gensec_settings);
 if (settings == NULL) return NULL;
 SMB_ASSERT(lp_ctx != NULL);
diff --git a/libcli/auth/krb5_wrap.h b/libcli/auth/krb5_wrap.h
index 82769ae..affb892 100644
--- a/libcli/auth/krb5_wrap.h
+++ b/libcli/auth/krb5_wrap.h
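Review bot: The success path at the end of kerberos_decode_pac() never frees the temporary mem_ctx the function now creates: as far as the @@ -356 hunk shows, only pac_data is stolen onto mem_ctx_out, so pac_data_raw, the two signature wipe copies and the re-packed blobs stay alive as children of mem_ctx_out until the caller frees that, which is exactly the retention the temporary context was introduced to avoid. Add `talloc_free(mem_ctx);` after the talloc_steal() and before `return NT_STATUS_OK;`. The same talloc_free() is also repeated by hand on more than twenty error returns across the kerberos_pac.c hunks from @@ -109 onward; a single `status = ...; goto out;` with one cleanup label that frees mem_ctx would be harder to miss on the next error path someone adds. The function begins before the first kerberos_pac.c hunk, so the full parameter list is not visible here.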
@@ -77,3 +77,7 @@ NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_ctx_id_t gssapi_context,
 gss_name_t gss_client_name,
 DATA_BLOB *pac_data);
+DATA_BLOB gensec_gssapi_gen_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *ticket, const uint8_t tok_id[2]);
+
+bool gensec_gssapi_parse_krb5_wrap(TALLOC_CTX *mem_ctx, const DATA_BLOB *blob, DATA_BLOB *ticket, uint8_t tok_id[2]);
+bool gensec_gssapi_check_oid(const DATA_BLOB *blob, const char *oid);
diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c
index 21c7b44..119099d 100644
--- a/source3/auth/auth_samba4.c
+++ b/source3/auth/auth_samba4.c
@@ -114,7 +114,7 @@ static NTSTATUS prepare_gensec(TALLOC_CTX *mem_ctx,
 TALLOC_FREE(frame);
 return NT_STATUS_INVALID_SERVER_STATE;
 }
- event_ctx = s4_event_context_init(mem_ctx);
+ event_ctx = s4_event_context_init(frame);
 if (event_ctx == NULL) {
 DEBUG(1, ("s4_event_context_init failed\n"));
 TALLOC_FREE(frame);
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 125ac14..074da79 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -71,7 +71,6 @@ NTSTATUS auth_netlogond_init(void);
 NTSTATUS auth_generic_prepare(const struct tsocket_address *remote_address, struct auth_generic_state **auth_ntlmssp_state);
-NTSTATUS auth_ntlmssp_start(struct auth_generic_state *auth_ntlmssp_state);
 NTSTATUS auth_generic_start(struct auth_generic_state *auth_ntlmssp_state, const char *oid);
 NTSTATUS auth_generic_authtype_start(struct auth_generic_state *auth_ntlmssp_state, uint8_t auth_type, uint8_t auth_level);
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ac2327d..bb2cd57 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -55,6 +55,7 @@ struct auth_check_password_request;
 struct auth4_context;
 struct auth_session_info;
 struct ldb_dn;
+struct smb_krb5_context;
 struct auth_operations {
 const char *name;
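Review bot: The three prototypes added to krb5_wrap.h become part of a shared header without any comment on their contract: whether gensec_gssapi_gen_krb5_wrap() returns a blob allocated on mem_ctx and what it returns on failure, whether gensec_gssapi_parse_krb5_wrap() checks the length of blob before reading the token id, and that tok_id is exactly two bytes in both directions. A short Doxygen block per function (purpose, ownership of the returned DATA_BLOB, return value on malformed input) would carry that; the bodies cannot be checked from this page because gssapi_parse.c appears only as a rename. The auth_samba4.c hunk on the same line now parents event_ctx on the stack frame rather than mem_ctx, which presumably is the fix named in the commit title; a comment there stating that gensec must not keep event_ctx past the frame would make the ownership explicit, since prepare_gensec() continues outside the hunk.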
@@ -129,17 +130,20 @@ struct auth4_context { NTSTATUS (*set_challenge)(struct auth4_context *auth_ctx, const uint8_t chal[8], const char *set_by); - NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, - struct auth4_context *auth_ctx, - const char *principal, - struct ldb_dn *user_dn, - struct auth_user_info_dc **user_info_dc); - NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx, struct auth4_context *auth_context, struct auth_user_info_dc *user_info_dc, uint32_t session_info_flags, struct auth_session_info **session_info); + + NTSTATUS (*generate_session_info_pac)(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx_out, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info); }; /* this structure is used by backends to determine the size of some critical types */ @@ -204,7 +208,6 @@ NTSTATUS auth_context_create(TALLOC_CTX *mem_ctx, struct imessaging_context *msg, struct loadparm_context *lp_ctx, struct auth4_context **auth_ctx); -NTSTATUS auth_context_create_from_ldb(TALLOC_CTX *mem_ctx, struct ldb_context *ldb, struct auth4_context **auth_ctx); NTSTATUS auth_check_password(struct auth4_context *auth_ctx, TALLOC_CTX *mem_ctx, diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c index 136bb8d..2e733bf 100644 --- a/source4/auth/gensec/cyrus_sasl.c +++ b/source4/auth/gensec/cyrus_sasl.c @@ -205,6 +205,7 @@ static NTSTATUS gensec_sasl_client_start(struct gensec_security *gensec_security static NTSTATUS gensec_sasl_update(struct gensec_security *gensec_security, TALLOC_CTX *out_mem_ctx, + struct tevent_context *ev, const DATA_BLOB in, DATA_BLOB *out) { struct gensec_sasl_state *gensec_sasl_state = talloc_get_type(gensec_security->private_data, diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c index 55c2970..1e7a0a3 100644 
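Review bot: The new generate_session_info_pac callback in struct auth4_context carries no comment, and its parameter order (`auth_ctx` first, then `mem_ctx_out`) is the reverse of the sibling generate_session_info callback directly above it, which takes `mem_ctx` first. Either order the parameters consistently or document why they differ; in either case the comment should say that `pac_blob` may be NULL when the mechanism produced no PAC (the gensec_gssapi.c hunk in this changeset initialises `pac_blob_ptr = NULL`), that `principal_name` is the peer name as displayed by the mechanism, and that `*session_info` is allocated on `mem_ctx_out`. Something like `/* Build session_info for a peer authenticated by a GSS mechanism; pac_blob is NULL when no PAC was supplied; result is allocated on mem_ctx_out */` above the member would do. The cyrus_sasl.c hunk on the same line adds an `ev` parameter that gensec_sasl_update() does not use in the visible lines; a `(void)ev;` or a one-word comment would show that is deliberate.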
--- a/source4/auth/gensec/gensec_gssapi.c +++ b/source4/auth/gensec/gensec_gssapi.c @@ -1307,23 +1307,38 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi TALLOC_CTX *mem_ctx; struct gensec_gssapi_state *gensec_gssapi_state = talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state); - struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; OM_uint32 maj_stat, min_stat; - DATA_BLOB pac_blob; - struct PAC_SIGNATURE_DATA *pac_srv_sig = NULL; - struct PAC_SIGNATURE_DATA *pac_kdc_sig = NULL; + DATA_BLOB pac_blob, *pac_blob_ptr = NULL; + + gss_buffer_desc name_token; + char *principal_string; - if ((gensec_gssapi_state->gss_oid->length != gss_mech_krb5->length) - || (memcmp(gensec_gssapi_state->gss_oid->elements, gss_mech_krb5->elements, - gensec_gssapi_state->gss_oid->length) != 0)) { - DEBUG(1, ("NO session info available for this mech\n")); - return NT_STATUS_INVALID_PARAMETER; - } - mem_ctx = talloc_named(mem_ctx_out, 0, "gensec_gssapi_session_info context"); NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + maj_stat = gss_display_name (&min_stat, + gensec_gssapi_state->client_name, + &name_token, + NULL); + if (GSS_ERROR(maj_stat)) { + DEBUG(1, ("GSS display_name failed: %s\n", + gssapi_error_string(mem_ctx, maj_stat, min_stat, gensec_gssapi_state->gss_oid))); + talloc_free(mem_ctx); + return NT_STATUS_FOOBAR; + } + + principal_string = talloc_strndup(mem_ctx, + (const char *)name_token.value, + name_token.length); + + gss_release_buffer(&min_stat, &name_token); + + if (!principal_string) { + talloc_free(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + nt_status = gssapi_obtain_pac_blob(mem_ctx, gensec_gssapi_state->gssapi_context, gensec_gssapi_state->client_name, &pac_blob); 
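Review bot: The gss_display_name() failure path in gensec_gssapi_session_info() returns NT_STATUS_FOOBAR, a placeholder status that tells the caller nothing about a server-side failure to build session_info; `return NT_STATUS_INTERNAL_ERROR;` or a status mapped from maj_stat would be more useful in logs and to callers. Separately, dropping the mech check at the top of the function means any GSS mechanism now reaches gssapi_obtain_pac_blob(), which is the commit's stated intent, but nothing in the code records that a non-Kerberos peer is handled here; a comment such as `/* any mech may supply a PAC; without one we fall back to the displayed principal name */` at the gss_display_name() call would help the next reader. principal_string is only consumed beyond this hunk and the function continues past it, so where it flows cannot be confirmed from this page.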
@@ -1333,78 +1348,14 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi * kind... */ if (NT_STATUS_IS_OK(nt_status)) { - pac_srv_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_srv_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - pac_kdc_sig = talloc(mem_ctx, struct PAC_SIGNATURE_DATA); - if (!pac_kdc_sig) { - talloc_free(mem_ctx); - return NT_STATUS_NO_MEMORY; - } - - nt_status = kerberos_pac_blob_to_user_info_dc(mem_ctx, - pac_blob, - gensec_gssapi_state->smb_krb5_context->krb5_context, - &user_info_dc, - pac_srv_sig, - pac_kdc_sig); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(mem_ctx); - return nt_status; - } - } else { -- Samba Shared Repository