The branch, master has been updated
       via  e907f84 s3: auth: Fix winbindd_pam_auth_pac_send() to create a new 
info3 and merge in resource groups from a trusted PAC.
       via  0e5a9f4 s3: auth: Change auth3_generate_session_info_pac() to use a 
copy of the info3 struct from the struct PAC_LOGON_INFO.
       via  db775c6 s3: auth: Add create_info3_from_pac_logon_info() to create 
a new info3 and merge resource group SIDs into it.
       via  527f7b5 s3: auth: Change make_server_info_info3() to take a const 
struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
       via  c241176 s3: auth: Add some const to the struct netr_SamInfo3 * 
arguments of copy_netr_SamInfo3() and make_server_info_info3()
       via  6c6357b lib: Use BVAL macro in interpret_long_date
      from  a4c50e2 autobuild: fix samba-ctdb samba build to pick up right tdb

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit e907f8415639d2a7cbc1cc2e40e2e35bfa0024de
Author: Jeremy Allison <[email protected]>
Date:   Mon Jun 16 23:27:35 2014 -0700

    s3: auth: Fix winbindd_pam_auth_pac_send() to create a new info3 and merge 
in resource groups from a trusted PAC.
    
    Based on a patch from Richard Sharpe <[email protected]>.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Richard Sharpe <[email protected]>
    Reviewed-by: Simo Sorce <[email protected]>
    
    Autobuild-User(master): Jeremy Allison <[email protected]>
    Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104

commit 0e5a9f44e4b08b93bc4b501d1e14b59ed7b3647c
Author: Jeremy Allison <[email protected]>
Date:   Mon Jun 16 23:15:21 2014 -0700

    s3: auth: Change auth3_generate_session_info_pac() to use a copy of the 
info3 struct from the struct PAC_LOGON_INFO.
    
    Call create_info3_from_pac_logon_info() to add in any resource SIDs
    from the struct PAC_LOGON_INFO to the info3.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Richard Sharpe <[email protected]>
    Reviewed-by: Simo Sorce <[email protected]>

commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6
Author: Jeremy Allison <[email protected]>
Date:   Mon Jun 16 23:11:58 2014 -0700

    s3: auth: Add create_info3_from_pac_logon_info() to create a new info3 and 
merge resource group SIDs into it.
    
    Originally written by Richard Sharpe <[email protected]>.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Richard Sharpe <[email protected]>
    Reviewed-by: Simo Sorce <[email protected]>

commit 527f7b54388713acaaf7b66c718cc0f7114fc368
Author: Jeremy Allison <[email protected]>
Date:   Mon Jun 16 22:54:45 2014 -0700

    s3: auth: Change make_server_info_info3() to take a const struct 
netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
    
    make_server_info_info3() only reads from the info3 pointer.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Richard Sharpe <[email protected]>
    Reviewed-by: Simo Sorce <[email protected]>

commit c2411767adb5ce48a4619349075f6f8faae41aab
Author: Jeremy Allison <[email protected]>
Date:   Mon Jun 16 22:49:29 2014 -0700

    s3: auth: Add some const to the struct netr_SamInfo3 * arguments of 
copy_netr_SamInfo3() and make_server_info_info3()
    
    Both functions only read from the struct netr_SamInfo3 * argument.
    
    Signed-off-by: Jeremy Allison <[email protected]>
    Reviewed-by: Richard Sharpe <[email protected]>
    Reviewed-by: Simo Sorce <[email protected]>

commit 6c6357b6bdba3341b3eec5900c4b9ad952b8db81
Author: Volker Lendecke <[email protected]>
Date:   Mon Jun 16 15:00:33 2014 +0000

    lib: Use BVAL macro in interpret_long_date
    
    Signed-off-by: Volker Lendecke <[email protected]>
    Reviewed-by: Jeremy Allison <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_generic.c     |   11 ++++-
 source3/auth/auth_util.c        |    2 +-
 source3/auth/proto.h            |    9 +++-
 source3/auth/server_info.c      |   79 ++++++++++++++++++++++++++++++++++++++-
 source3/auth/user_krb5.c        |    8 ++--
 source3/lib/time.c              |    2 +-
 source3/winbindd/winbindd_pam.c |   24 +++++++++++-
 7 files changed, 121 insertions(+), 14 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 05c4ddc..1da4961 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -45,6 +45,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct 
auth4_context *auth_ctx,
 {
        TALLOC_CTX *tmp_ctx;
        struct PAC_LOGON_INFO *logon_info = NULL;
+       struct netr_SamInfo3 *info3_copy = NULL;
        bool is_mapped;
        bool is_guest;
        char *ntuser;
@@ -102,7 +103,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct 
auth4_context *auth_ctx,
 
        /* save the PAC data if we have it */
        if (logon_info) {
-               netsamlogon_cache_store(ntuser, &logon_info->info3);
+               status = create_info3_from_pac_logon_info(tmp_ctx,
+                                       logon_info,
+                                       &info3_copy);
+               if (!NT_STATUS_IS_OK(status)) {
+                       goto done;
+               }
+               netsamlogon_cache_store(ntuser, info3_copy);
        }
 
        /* setup the string used by %U */
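Review bot: The new failure path at the `goto done` after create_info3_from_pac_logon_info() leaves no trace in the logs, while the sibling failure path in this same function logs at DEBUG level 1 with nt_errstr() (visible in the make_session_info_krb5 hunk just below). An authentication that fails because the PAC's resource groups could not be merged is worth one line for troubleshooting: `DEBUG(1, ("create_info3_from_pac_logon_info failed: %s\n", nt_errstr(status)));` before the goto. The same silent `return result;` appears in the winbindd_pam_auth_pac_send() hunk in source3/winbindd/winbindd_pam.c. auth3_generate_session_info_pac() starts and ends outside this hunk.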
@@ -113,7 +120,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct 
auth4_context *auth_ctx,
 
        status = make_session_info_krb5(mem_ctx,
                                        ntuser, ntdomain, username, pw,
-                                       logon_info, is_guest, is_mapped, NULL 
/* No session key for now, caller will sort it out */,
+                                       info3_copy, is_guest, is_mapped, NULL 
/* No session key for now, caller will sort it out */,
                                        session_info);
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index cab77b4..2986fb4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1335,7 +1335,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                const char *sent_nt_username,
                                const char *domain,
                                struct auth_serversupplied_info **server_info,
-                               struct netr_SamInfo3 *info3)
+                               const struct netr_SamInfo3 *info3)
 {
        static const char zeros[16] = {0, };
 
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 9e11a0c..1da0c44 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -242,7 +242,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                                const char *sent_nt_username,
                                const char *domain,
                                struct auth_serversupplied_info **server_info,
-                               struct netr_SamInfo3 *info3);
+                               const struct netr_SamInfo3 *info3);
 struct wbcAuthUserInfo;
 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
                                          const char *sent_nt_username,
@@ -294,6 +294,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct 
auth_serversupplied_info *server_in
                                struct netr_SamInfo3 *sam3);
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
                                struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+                                        const struct PAC_LOGON_INFO 
*logon_info,
+                                        struct netr_SamInfo3 **pp_info3);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
                          struct samu *samu,
                          const char *login_server,
@@ -304,7 +307,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
                            const struct passwd *pwd,
                            struct netr_SamInfo3 **pinfo3);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-                                        struct netr_SamInfo3 *orig);
+                                        const struct netr_SamInfo3 *orig);
 
 /* The following definitions come from auth/auth_wbc.c  */
 
@@ -372,7 +375,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
                                char *ntdomain,
                                char *username,
                                struct passwd *pw,
-                               struct PAC_LOGON_INFO *logon_info,
+                               const struct netr_SamInfo3 *info3,
                                bool mapped_to_guest, bool username_was_mapped,
                                DATA_BLOB *session_key,
                                struct auth_session_info **session_info);
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index df0be54..8fd3b0d 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -253,6 +253,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 
*info3,
        return NT_STATUS_OK;
 }
 
+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+                               struct netr_SamInfo3 *info3)
+{
+       uint32_t i = 0;
+
+       if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+               return NT_STATUS_OK;
+       }
+
+       /*
+        * If there are any resource groups (SID Compression) add
+        * them to the extra sids portion of the info3 in the PAC.
+        *
+        * This makes the info3 look like it would if we got the info
+        * from the DC rather than the PAC.
+        */
+
+       /*
+        * Construct a SID for each RID in the list and then append it
+        * to the info3.
+        */
+       for (i = 0; i < logon_info->res_groups.count; i++) {
+               NTSTATUS status;
+               struct dom_sid new_sid;
+               uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+               sid_compose(&new_sid,
+                       logon_info->res_group_dom_sid,
+                       logon_info->res_groups.rids[i].rid);
+
+               DEBUG(10, ("Adding SID %s to extra SIDS\n",
+                       sid_string_dbg(&new_sid)));
+
+               status = append_netr_SidAttr(info3, &info3->sids,
+                                       &info3->sidcount,
+                                       &new_sid,
+                                       attributes);
+               if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+                               sid_string_dbg(&new_sid),
+                               nt_errstr(status)));
+                       return status;
+               }
+       }
+
+       return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+                                       const struct PAC_LOGON_INFO *logon_info,
+                                       struct netr_SamInfo3 **pp_info3)
+{
+       NTSTATUS status;
+       struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+                                       &logon_info->info3);
+       if (info3 == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+       status = merge_resource_sids(logon_info, info3);
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(info3);
+               return status;
+       }
+       *pp_info3 = info3;
+       return NT_STATUS_OK;
+}
+
 #define RET_NOMEM(ptr) do { \
        if (!ptr) { \
                TALLOC_FREE(info3); \
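Review bot: merge_resource_sids() passes `logon_info->res_group_dom_sid` to sid_compose() for every RID once NETLOGON_RESOURCE_GROUPS is set, but never checks that the pointer is non-NULL; unless the NDR pull already rejects a PAC that sets the flag without a resource-group domain SID, a malformed PAC reaches a NULL dereference here, so a guard such as `if (logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }` directly after the flag check would be cheap insurance. The header comment on create_info3_from_pac_logon_info() should also state ownership: `*pp_info3` is talloc'ed off mem_ctx, is written only on success, and the caller frees it. The loop comment says the SIDs are added to "the info3 in the PAC", but they are appended to the copy, not to the PAC itself — "the copied info3" would be more accurate.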
@@ -580,7 +657,7 @@ done:
        } } while(0)
 
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-                                        struct netr_SamInfo3 *orig)
+                                        const struct netr_SamInfo3 *orig)
 {
        struct netr_SamInfo3 *info3;
        unsigned int i;
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 6b8fad2..7442ea4 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
                                char *ntdomain,
                                char *username,
                                struct passwd *pw,
-                               struct PAC_LOGON_INFO *logon_info,
+                               const struct netr_SamInfo3 *info3,
                                bool mapped_to_guest, bool username_was_mapped,
                                DATA_BLOB *session_key,
                                struct auth_session_info **session_info)
@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
                        return status;
                }
 
-       } else if (logon_info) {
+       } else if (info3) {
                /* pass the unmapped username here since map_username()
                   will be called again in make_server_info_info3() */
 
                status = make_server_info_info3(mem_ctx,
                                                ntuser, ntdomain,
                                                &server_info,
-                                               &logon_info->info3);
+                                               info3);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("make_server_info_info3 failed: %s!\n",
                                  nt_errstr(status)));
@@ -298,7 +298,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
                                char *ntdomain,
                                char *username,
                                struct passwd *pw,
-                               struct PAC_LOGON_INFO *logon_info,
+                               const struct netr_SamInfo3 *info3,
                                bool mapped_to_guest, bool username_was_mapped,
                                DATA_BLOB *session_key,
                                struct auth_session_info **session_info)
diff --git a/source3/lib/time.c b/source3/lib/time.c
index b4b9d19..dab9b31 100644
--- a/source3/lib/time.c
+++ b/source3/lib/time.c
@@ -243,7 +243,7 @@ time_t srv_make_unix_date3(const void *date_ptr)
 struct timespec interpret_long_date(const char *p)
 {
        NTTIME nt;
-       nt = IVAL(p,0) + ((uint64_t)IVAL(p,4) << 32);
+       nt = BVAL(p, 0);
        if (nt == (uint64_t)-1) {
                struct timespec ret;
                ret.tv_sec = (time_t)-1;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 1fb4360..1112b21 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2450,6 +2450,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct 
winbindd_cli_state *state,
        struct winbindd_request *req = state->request;
        DATA_BLOB pac_blob;
        struct PAC_LOGON_INFO *logon_info = NULL;
+       struct netr_SamInfo3 *info3_copy = NULL;
        NTSTATUS result;
 
        pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
@@ -2463,7 +2464,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct 
winbindd_cli_state *state,
 
        if (logon_info) {
                /* Signature verification succeeded, trust the PAC */
-               netsamlogon_cache_store(NULL, &logon_info->info3);
+               result = create_info3_from_pac_logon_info(state->mem_ctx,
+                                                       logon_info,
+                                                       &info3_copy);
+               if (!NT_STATUS_IS_OK(result)) {
+                       return result;
+               }
+               netsamlogon_cache_store(NULL, info3_copy);
 
        } else {
                /* Try without signature verification */
@@ -2475,9 +2482,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct 
winbindd_cli_state *state,
                                   nt_errstr(result)));
                        return result;
                }
+               if (logon_info) {
+                       /*
+                        * Don't strictly need to copy here,
+                        * but it makes it explicit we're
+                        * returning a copy talloc'ed off
+                        * the state->mem_ctx.
+                        */
+                       info3_copy = copy_netr_SamInfo3(state->mem_ctx,
+                                       &logon_info->info3);
+                       if (info3_copy == NULL) {
+                               return NT_STATUS_NO_MEMORY;
+                       }
+               }
        }
 
-       *info3 = &logon_info->info3;
+       *info3 = info3_copy;
 
        return NT_STATUS_OK;
 }
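Review bot: In the unverified branch, when the parse succeeds but leaves logon_info NULL, the function now returns NT_STATUS_OK with `*info3 = NULL`; the old code would have formed `&logon_info->info3` from a NULL pointer, so this is better, but success-with-NULL is easy for a caller to miss, and unless the parse call above the hunk guarantees a non-NULL logon_info on success an explicit failure status for that case would be safer than `return NT_STATUS_OK;`. Only the signature-verified branch merges resource groups through create_info3_from_pac_logon_info(); the unverified branch copies the info3 as-is, so resource-group SIDs from an unverified PAC are dropped. If that asymmetry is deliberate (group membership from an unverified PAC is not trusted), the comment at the copy_netr_SamInfo3() call should say so; if not, both branches should call the same helper. winbindd_pam_auth_pac_send() starts outside this hunk.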


-- 
Samba Shared Repository
