The branch, master has been updated
       via  1dfa193232c s3:winbind: Remove unused functions
       via  7b573599895 examples: Update winbind.stp and generate script
       via  c68f21f26f1 s3:winbind: Convert PAM_AUTH_CRAP from struct based to NDR based
       via  dd69be80208 s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
       via  0b4d581d358 s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
       via  f8fa3331085 s3:winbind: Use temp memory context in winbindd_pam_auth_pac_verify()
       via  d4564d989f2 s3:rpc_client: Fix memory allocation hierarchy
       via  74a511a8eab s3:winbind: Move big NTLMv2 blob checks to parent process
       via  efc97296d95 s3:winbind: Use uint8_t for authoritative flag
       via  fc4cb625063 s3:winbind: Remove unnecessary jump to label
       via  8f7adb9e760 s3:winbind: Remove unnecessary condition to reduce indentation level
       via  d900e93931e s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob
      from  fe7daae8c46 s3: smbd: Allow a durable handle on a leased stat-open.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1dfa193232c857224f01e86f3f987a0582fdb933
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 25 14:26:07 2022 +0100

    s3:winbind: Remove unused functions
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>
    
    Autobuild-User(master): Jeremy Allison <j...@samba.org>
    Autobuild-Date(master): Sat Apr 30 01:07:12 UTC 2022 on sn-devel-184

commit 7b573599895cd0c85fcdeaae909ab4d20d85a6f8
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 25 14:53:16 2022 +0100

    examples: Update winbind.stp and generate script
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit c68f21f26f10b60ca1ac294b7294bfbf37c9bb86
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 25 11:32:14 2022 +0100

    s3:winbind: Convert PAM_AUTH_CRAP from struct based to NDR based
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit dd69be802085d96af8875f2137a8261231d453b1
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Feb 24 18:02:42 2022 +0100

    s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
    
    The winbindd_dual_pam_auth_crap() will be converted to a local RPC call
    handler and the winbindd_response won't be filled by the child process
    but in the parent's winbindd_pam_auth_crap_recv() function.
    
    Move all code filling the winbindd_response struct to a common place,
    winbindd_pam_auth_crap_recv().
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 0b4d581d35815e7ddc7d79e1433a5a5888b31e29
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 18 15:29:13 2022 +0100

    s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
    
    Move the code filling the winbindd_response to a common place,
    winbindd_pam_auth_crap_recv().
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit f8fa3331085877e0e9dff6df1b267818d3f92423
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 25 12:11:36 2022 +0100

    s3:winbind: Use temp memory context in winbindd_pam_auth_pac_verify()
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit d4564d989f28becdbeda6d5175ebe050a895e346
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Fri Feb 25 13:36:31 2022 +0100

    s3:rpc_client: Fix memory allocation hierarchy
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 74a511a8eab72cc82940738a1e20e63e12b81374
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Thu Feb 24 17:48:27 2022 +0100

    s3:winbind: Move big NTLMv2 blob checks to parent process
    
    The winbindd_dual_pam_auth_crap() function will be converted to a local
    RPC call handler and it won't receive a winbindd_cli_state struct. Move
    the checks accessing this struct to the parent.
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit efc97296d95a6f00005a9d5313ce37c8db14b5a5
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Mon Apr 18 16:44:23 2022 +0200

    s3:winbind: Use uint8_t for authoritative flag
    
    It is the type used in the winbindd_response struct.
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit fc4cb625063b7a09b0a83fe2168c29f0921adf3c
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Tue Jun 15 14:18:22 2021 +0200

    s3:winbind: Remove unnecessary jump to label
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit 8f7adb9e760fb2260a253a8575406ff6ee73286a
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Tue Jun 15 14:16:25 2021 +0200

    s3:winbind: Remove unnecessary condition to reduce indentation level
    
    Best viewed with git show --ignore-space-change.
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

commit d900e93931e18fb86252b9eef96b236f5a39cf61
Author: Samuel Cabrero <scabr...@samba.org>
Date:   Tue Jun 15 14:06:27 2021 +0200

    s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob
    
    Next commits will convert the winbindd_dual_pam_auth_crap() function to a
    local RPC call handler receiving the challenge as a DATA_BLOB in the 'r'
    struct.
    
    Signed-off-by: Samuel Cabrero <scabr...@samba.org>
    Reviewed-by: Jeremy Allison <j...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 examples/systemtap/generate-winbindd.stp.sh |   1 +
 examples/systemtap/winbindd.stp             |  22 ++-
 librpc/idl/winbind.idl                      |  21 ++
 source3/rpc_client/cli_netlogon.c           |   9 +-
 source3/rpc_client/cli_netlogon.h           |   2 +-
 source3/rpc_client/util_netlogon.c          |   2 +-
 source3/winbindd/winbindd_domain.c          |   4 -
 source3/winbindd/winbindd_dual_srv.c        |   9 +-
 source3/winbindd/winbindd_pam.c             | 296 ++++++++++------------------
 source3/winbindd/winbindd_pam_auth_crap.c   | 227 +++++++++++++--------
 source3/winbindd/winbindd_proto.h           |   7 +-
 11 files changed, 315 insertions(+), 285 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/systemtap/generate-winbindd.stp.sh 
b/examples/systemtap/generate-winbindd.stp.sh
index 28b2dbc58c1..18695232f43 100755
--- a/examples/systemtap/generate-winbindd.stp.sh
+++ b/examples/systemtap/generate-winbindd.stp.sh
@@ -10,6 +10,7 @@ winbindd_dual_pam_chng_pswd_auth_crap
 winbindd_dual_pam_chauthtok
 _wbint_Ping
 _wbint_PamAuth
+_wbint_PamAuthCrap
 _wbint_ListTrustedDomains
 _wbint_LookupSid
 _wbint_LookupSids
diff --git a/examples/systemtap/winbindd.stp b/examples/systemtap/winbindd.stp
index 58926017595..5b8e72fea6c 100644
--- a/examples/systemtap/winbindd.stp
+++ b/examples/systemtap/winbindd.stp
@@ -2,7 +2,7 @@
 #
 # Systemtap script to instrument winbindd
 #
-# Generated by examples/systemtap/generate-winbindd.stp.sh on jue 31 mar 2022 
12:34:16 CEST, do not edit
+# Generated by examples/systemtap/generate-winbindd.stp.sh on vie 01 abr 2022 
16:21:52 CEST, do not edit
 #
 # Usage:
 #
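Review bot: the "Generated by ... on" header line embeds a locale-formatted timestamp ("jue 31 mar 2022" becomes "vie 01 abr 2022"), so every regeneration rewrites this line even when no probe changed, and the text depends on the locale of whoever ran the script. Consider having generate-winbindd.stp.sh emit the date under LC_ALL=C, or drop the date from the header so the generated file only changes when the probe list does.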
@@ -183,6 +183,26 @@ probe 
process("winbindd").function("_wbint_PamAuth").return {
        dc_svctime["_wbint_PamAuth"] <<< duration
 }
 
+#
+# winbind domain child function _wbint_PamAuthCrap
+#
+
+probe process("winbindd").function("_wbint_PamAuthCrap") {
+       dc_running[tid(), "_wbint_PamAuthCrap"] = gettimeofday_us()
+}
+
+probe process("winbindd").function("_wbint_PamAuthCrap").return {
+       if (!([tid(), "_wbint_PamAuthCrap"] in dc_running))
+               next
+
+       end = gettimeofday_us()
+       begin = dc_running[tid(), "_wbint_PamAuthCrap"]
+       delete dc_running[tid(), "_wbint_PamAuthCrap"]
+
+       duration = end - begin
+       dc_svctime["_wbint_PamAuthCrap"] <<< duration
+}
+
 #
 # winbind domain child function _wbint_ListTrustedDomains
 #
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 2737c563c69..8a50a53eea1 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -196,6 +196,27 @@ interface winbind
         [out,ref] wbint_Validation *validation
         );
 
+    typedef [public] struct {
+        uint16 level;
+        [switch_is(level)] netr_Validation *validation;
+    } wbint_PamAuthCrapValidation;
+
+    NTSTATUS wbint_PamAuthCrap(
+        [in,string,charset(UTF8)] char *client_name,
+        [in] hyper client_pid,
+        [in] uint32 flags,
+        [in, string,charset(UTF8)] char *user,
+        [in, string,charset(UTF8)] char *domain,
+        [in, string,charset(UTF8)] char *workstation,
+        [in] DATA_BLOB lm_resp,
+        [in] DATA_BLOB nt_resp,
+        [in] DATA_BLOB chal,
+        [in] uint32 logon_parameters,
+        [in] wbint_SidArray *require_membership_of_sid,
+        [out,ref] uint8 *authoritative,
+        [out,ref] wbint_PamAuthCrapValidation *validation
+        );
+
   /* Public methods available via IRPC */
 
     typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel;
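Review bot: "[in] DATA_BLOB chal" in wbint_PamAuthCrap is variable-length, yet the only length this series accepts is 8 (rpccli_netlogon_network_logon returns NT_STATUS_INVALID_PARAMETER for anything else). Declaring it as "uint8 chal[8]", or at least documenting the required length next to the parameter, would fix the size in the interface instead of relying on a check several calls deeper. Minor style point in the same block: the attribute lists mix "[in,string,charset(UTF8)]" and "[in, string,charset(UTF8)]".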
diff --git a/source3/rpc_client/cli_netlogon.c 
b/source3/rpc_client/cli_netlogon.c
index 50dae9d7f3e..f446f0c8724 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -644,7 +644,7 @@ NTSTATUS rpccli_netlogon_network_logon(
        const char *domain,
        const char *workstation,
        const uint64_t logon_id,
-       const uint8_t chal[8],
+       DATA_BLOB chal,
        DATA_BLOB lm_response,
        DATA_BLOB nt_response,
        enum netr_LogonInfoClass logon_type,
@@ -715,7 +715,12 @@ NTSTATUS rpccli_netlogon_network_logon(
        network_info->identity_info.account_name.string         = username;
        network_info->identity_info.workstation.string          = 
workstation_name_slash;
 
-       memcpy(network_info->challenge, chal, 8);
+       if (chal.length != 8) {
+               DBG_WARNING("Invalid challenge length %zd\n", chal.length);
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       memcpy(network_info->challenge, chal.data, chal.length);
        network_info->nt = nt;
        network_info->lm = lm;
 
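Review bot: the new DBG_WARNING prints chal.length with %zd, but the length member of DATA_BLOB is a size_t, so the matching conversion is %zu. The check itself is welcome now that the array type no longer documents the size; it would be worth stating in the function's comment or in cli_netlogon.h that chal must be exactly 8 bytes, since the prototype no longer says so.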
diff --git a/source3/rpc_client/cli_netlogon.h 
b/source3/rpc_client/cli_netlogon.h
index 362321f312f..464492520fb 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -83,7 +83,7 @@ NTSTATUS rpccli_netlogon_network_logon(
        const char *domain,
        const char *workstation,
        const uint64_t logon_id,
-       const uint8_t chal[8],
+       DATA_BLOB chal,
        DATA_BLOB lm_response,
        DATA_BLOB nt_response,
        enum netr_LogonInfoClass logon_type,
diff --git a/source3/rpc_client/util_netlogon.c 
b/source3/rpc_client/util_netlogon.c
index e24f0ff1e4f..52bd40b49f9 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -375,7 +375,7 @@ NTSTATUS map_info6_to_validation(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       status = copy_netr_SamInfo6(mem_ctx,
+       status = copy_netr_SamInfo6(validation,
                                    info6,
                                    &validation->sam6);
        if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_domain.c 
b/source3/winbindd/winbindd_domain.c
index 6f85d0779a0..80df55a5819 100644
--- a/source3/winbindd/winbindd_domain.c
+++ b/source3/winbindd/winbindd_domain.c
@@ -30,10 +30,6 @@ static const struct winbindd_child_dispatch_table 
domain_dispatch_table[] = {
                .name           = "INIT_CONNECTION",
                .struct_cmd     = WINBINDD_INIT_CONNECTION,
                .struct_fn      = winbindd_dual_init_connection,
-       },{
-               .name           = "AUTH_CRAP",
-               .struct_cmd     = WINBINDD_PAM_AUTH_CRAP,
-               .struct_fn      = winbindd_dual_pam_auth_crap,
        },{
                .name           = "PAM_LOGOFF",
                .struct_cmd     = WINBINDD_PAM_LOGOFF,
diff --git a/source3/winbindd/winbindd_dual_srv.c 
b/source3/winbindd/winbindd_dual_srv.c
index a59ecafe695..ae2bd77c8a6 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -941,9 +941,8 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
        struct winbindd_domain *domain;
        NTSTATUS status;
        struct netr_IdentityInfo *identity_info = NULL;
-       const uint8_t chal_zero[8] = {0, };
-       const uint8_t *challenge = chal_zero;
        DATA_BLOB lm_response, nt_response;
+       DATA_BLOB challenge = data_blob_null;
        uint32_t flags = 0;
        uint16_t validation_level;
        union netr_Validation *validation = NULL;
@@ -981,7 +980,7 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
                interactive = true;
                identity_info = &r->in.logon.password->identity_info;
 
-               challenge = chal_zero;
+               challenge = data_blob_null;
                lm_response = data_blob_talloc(p->mem_ctx,
                                        r->in.logon.password->lmpassword.hash,
                                        
sizeof(r->in.logon.password->lmpassword.hash));
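Review bot: in the interactive branch the challenge changes meaning, from eight zero bytes (chal_zero) to an empty blob (data_blob_null, length 0). With rpccli_netlogon_network_logon now rejecting any chal whose length is not 8, please confirm that nothing reachable from the interactive path reads the challenge, and say so in a short comment here. The assignment is also redundant, because challenge is already initialised to data_blob_null at its declaration.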
@@ -999,7 +998,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
                interactive = false;
                identity_info = &r->in.logon.network->identity_info;
 
-               challenge = r->in.logon.network->challenge;
+               challenge = data_blob_talloc(p->mem_ctx,
+                                       r->in.logon.network->challenge,
+                                       8);
                lm_response = data_blob_talloc(p->mem_ctx,
                                        r->in.logon.network->lm.data,
                                        r->in.logon.network->lm.length);
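Review bot: the new data_blob_talloc() call for the network challenge uses a literal 8 and no check of the result is visible in this hunk. If the allocation fails the blob comes back empty, and the failure would then surface from the new length check as NT_STATUS_INVALID_PARAMETER rather than NT_STATUS_NO_MEMORY. Suggest sizeof(r->in.logon.network->challenge) for the length and an explicit test of challenge.data after the call.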
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 78bc6c932f3..49a2cd7c83b 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1653,7 +1653,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct 
winbindd_domain *domain,
                                            const char *workstation,
                                            const uint64_t logon_id,
                                            bool plaintext_given,
-                                           const uint8_t chal[8],
+                                           DATA_BLOB chal,
                                            DATA_BLOB lm_response,
                                            DATA_BLOB nt_response,
                                            bool interactive,
@@ -2093,7 +2093,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
                                             lp_netbios_name(),
                                             logon_id,
                                             true, /* plaintext_given */
-                                            NULL,
+                                            data_blob_null,
                                             data_blob_null, data_blob_null,
                                             true, /* interactive */
                                             &authoritative,
@@ -2111,58 +2111,6 @@ done:
        return NT_STATUS_OK;
 }
 
-/*
- * @brief build a tsocket_address for the remote address of the supplied socket
- *
- */
-static struct tsocket_address *get_remote_address(TALLOC_CTX *mem_ctx, int 
sock)
-{
-       struct sockaddr_storage st = {0};
-       struct sockaddr *sar = (struct sockaddr *)&st;
-       socklen_t sa_len = sizeof(st);
-       struct tsocket_address *remote = NULL;
-       int ret = 0;
-
-       ret = getpeername(sock, sar, &sa_len);
-       if (ret != 0) {
-               DBG_ERR("getpeername failed - %s", strerror(errno));
-               return NULL;
-       }
-       ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &remote);
-       if (ret != 0) {
-               DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
-                       strerror(errno));
-               return NULL;
-       }
-       return remote;
-}
-
-/*
- * @brief build a tsocket_address for the local address of the supplied socket
- *
- */
-static struct tsocket_address *get_local_address(TALLOC_CTX *mem_ctx, int sock)
-{
-       struct sockaddr_storage st = {0};
-       struct sockaddr *sar = (struct sockaddr *)&st;
-       socklen_t sa_len = sizeof(st);
-       struct tsocket_address *local = NULL;
-       int ret = 0;
-
-       ret = getsockname(sock, sar, &sa_len);
-       if (ret != 0) {
-               DBG_ERR("getsockname failed - %s", strerror(errno));
-               return NULL;
-       }
-       ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &local);
-       if (ret != 0) {
-               DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
-                       strerror(errno));
-               return NULL;
-       }
-       return local;
-}
-
 /*
  * @brief generate an authentication message in the logs.
  *
@@ -2672,7 +2620,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain 
*domain,
                               const uint64_t logon_id,
                               const char* client_name,
                               const int client_pid,
-                              const uint8_t chal[8],
+                              DATA_BLOB chal_blob,
                               DATA_BLOB lm_response,
                               DATA_BLOB nt_response,
                               const struct tsocket_address *remote,
@@ -2697,8 +2645,6 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain 
*domain,
         * we need to check against domain->name.
         */
        if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
-               DATA_BLOB chal_blob = data_blob_const(
-                       chal, 8);
                struct netr_SamInfo3 *info3 = NULL;
 
                result = winbindd_dual_auth_passdb(
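Review bot: the local SAM branch loses its fixed-size guarantee here. The removed lines built chal_blob with data_blob_const(chal, 8); now the blob is whatever the caller supplied, and with wbint_PamAuthCrap declaring chal as a DATA_BLOB its length is no longer constrained by the type. The only length check visible in this series sits in rpccli_netlogon_network_logon, which this branch does not go through. A check for chal_blob.length == 8 on non-interactive logons at the top of winbind_dual_SamLogon() would cover both branches.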
@@ -2745,7 +2691,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain 
*domain,
                                             workstation, /* We carefully set 
this above so use it... */
                                             logon_id,
                                             false, /* plaintext_given */
-                                            chal,
+                                            chal_blob,
                                             lm_response,
                                             nt_response,
                                             interactive,
@@ -2838,79 +2784,52 @@ done:
        return NT_STATUS_OK;
 }
 
-enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain 
*domain,
-                                                struct winbindd_cli_state 
*state)
+NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p, struct wbint_PamAuthCrap 
*r)
 {
+       struct winbindd_domain *domain = wb_child_domain();
        NTSTATUS result;
-       const char *name_user = NULL;
-       const char *name_domain = NULL;
-       const char *workstation;
        uint64_t logon_id = 0;
        uint8_t authoritative = 1;
        uint32_t flags = 0;
        uint16_t validation_level = UINT16_MAX;
        union netr_Validation *validation = NULL;
-       DATA_BLOB lm_resp = { 0 }, nt_resp = { 0 };
        const struct timeval start_time = timeval_current();
        const struct tsocket_address *remote = NULL;
        const struct tsocket_address *local = NULL;
+       struct netr_SamInfo3 *info3 = NULL;
+       pid_t client_pid;
 
-       /* This is child-only, so no check for privileged access is needed
-          anymore */
-
-       /* Ensure null termination */
-       
state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
-       
state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
+       if (domain == NULL) {
+               return NT_STATUS_REQUEST_NOT_ACCEPTED;
+       }
 
-       name_user = state->request->data.auth_crap.user;
-       name_domain = state->request->data.auth_crap.domain;
-       workstation = state->request->data.auth_crap.workstation;
-       logon_id = generate_random_u64();
-       remote = get_remote_address(state->mem_ctx, state->sock);
-       local = get_local_address(state->mem_ctx, state->sock);
-
-       DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned 
long)state->pid,
-                 name_domain, name_user));
-
-       if (state->request->data.auth_crap.lm_resp_len > 
sizeof(state->request->data.auth_crap.lm_resp)
-               || state->request->data.auth_crap.nt_resp_len > 
sizeof(state->request->data.auth_crap.nt_resp)) {
-               if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-                    state->request->extra_len != 
state->request->data.auth_crap.nt_resp_len) {
-                       DEBUG(0, ("winbindd_pam_auth_crap: invalid password 
length %u/%u\n",
-                                 state->request->data.auth_crap.lm_resp_len,
-                                 state->request->data.auth_crap.nt_resp_len));
-                       result = NT_STATUS_INVALID_PARAMETER;
-                       goto done;
-               }
+       /* Cut client_pid to 32bit */
+       client_pid = r->in.client_pid;
+       if ((uint64_t)client_pid != r->in.client_pid) {
+               DBG_DEBUG("pid out of range\n");
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
-       lm_resp = data_blob_talloc(state->mem_ctx, 
state->request->data.auth_crap.lm_resp,
-                                       
state->request->data.auth_crap.lm_resp_len);
+       logon_id = generate_random_u64();
+       remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
+       local = dcesrv_connection_get_local_address(p->dce_call->conn);
 
-       if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
-               nt_resp = data_blob_talloc(state->mem_ctx,
-                                          state->request->extra_data.data,
-                                          
state->request->data.auth_crap.nt_resp_len);
-       } else {
-               nt_resp = data_blob_talloc(state->mem_ctx,
-                                          
state->request->data.auth_crap.nt_resp,
-                                          
state->request->data.auth_crap.nt_resp_len);
-       }
+       DBG_NOTICE("[%"PRIu32"]: pam auth crap domain: %s user: %s\n",
+                  client_pid, r->in.domain, r->in.user);
 
        result = winbind_dual_SamLogon(domain,
-                                      state->mem_ctx,
+                                      p->mem_ctx,
                                       false, /* interactive */
-                                      
state->request->data.auth_crap.logon_parameters,
-                                      name_user,
-                                      name_domain,
-                                      /* Bug #3248 - found by Stefan Burkei. */
-                                      workstation, /* We carefully set this 
above so use it... */
+                                      r->in.logon_parameters,
+                                      r->in.user,
+                                      r->in.domain,
+                                      r->in.workstation,
                                       logon_id,
-                                      state->request->client_name,
-                                      state->request->pid,
-                                      state->request->data.auth_crap.chal,
-                                      lm_resp,
-                                      nt_resp,
+                                      r->in.client_name,
+                                      client_pid,
+                                      r->in.chal,
+                                      r->in.lm_resp,
+                                      r->in.nt_resp,
                                       remote,
                                       local,
                                       &authoritative,
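Review bot: in _wbint_PamAuthCrap the DBG_NOTICE prints client_pid, a pid_t, with PRIu32; pid_t is a signed type, so either cast explicitly (the removed DEBUG cast to unsigned long) or use a matching conversion. The comment "Cut client_pid to 32bit" also describes truncation, while the code below it rejects out-of-range values with NT_STATUS_INVALID_PARAMETER; rewording it to say so would avoid confusion. Finally, r->in.user and r->in.domain are declared as pointers in the IDL and go straight into "%s" here, so a NULL check before the log line would be prudent unless the NDR layer guarantees they are set.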
@@ -2922,97 +2841,79 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct 
winbindd_domain *domain,
                goto done;
        }
 
-       if (NT_STATUS_IS_OK(result)) {
-               struct netr_SamInfo3 *info3 = NULL;
-               struct wbint_SidArray *sid_array = NULL;
-
-               result = map_validation_to_info3(state->mem_ctx,
-                                                validation_level,
-                                                validation,
-                                                &info3);
-               if (!NT_STATUS_IS_OK(result)) {
-                       goto done;
-               }
-
-               result = extra_data_to_sid_array(
-                       
state->request->data.auth_crap.require_membership_of_sid,
-                       state->mem_ctx,
-                       &sid_array);
-               if (!NT_STATUS_IS_OK(result)) {
-                       DBG_ERR("Failed to parse '%s' into a sid array: %s\n",
-                               
state->request->data.auth_crap.require_membership_of_sid,
-                               nt_errstr(result));
-                       goto done;
-               }
+       result = map_validation_to_info3(p->mem_ctx,
+                                        validation_level,
+                                        validation,
+                                        &info3);
+       if (!NT_STATUS_IS_OK(result)) {
+               goto done;
+       }
 
-               /* Check if the user is in the right group */
-               result = check_info3_in_group(info3, sid_array);
-               if (!NT_STATUS_IS_OK(result)) {
-                       char *s = NDR_PRINT_STRUCT_STRING(state->mem_ctx,
-                                                         wbint_SidArray,
-                                                         sid_array);
-                       DBG_NOTICE("User %s is not in the required groups:\n",
-                                  state->request->data.auth_crap.user);
-                       DEBUGADD(DBGLVL_NOTICE, ("%s", s));
-                       DEBUGADD(DBGLVL_NOTICE,
-                                ("CRAP authentication is rejected\n"));
-                       TALLOC_FREE(sid_array);
-                       goto done;
-               }
-               TALLOC_FREE(sid_array);
+       /* Check if the user is in the right group */
+       result = check_info3_in_group(info3, r->in.require_membership_of_sid);
+       if (!NT_STATUS_IS_OK(result)) {
+               char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
+                                                 wbint_SidArray,
+                                                 
r->in.require_membership_of_sid);
+               DBG_NOTICE("User %s is not in the required groups:\n",
+                          r->in.user);
+               DEBUGADD(DBGLVL_NOTICE, ("%s", s));
+               DEBUGADD(DBGLVL_NOTICE,
+                        ("CRAP authentication is rejected\n"));
+               goto done;
+       }
 
-               if (!is_allowed_domain(info3->base.logon_domain.string)) {
-                       DBG_NOTICE("Authentication failed for user [%s] "
-                                  "from firewalled domain [%s]\n",
-                                  info3->base.account_name.string,
-                                  info3->base.logon_domain.string);
-                       result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
-                       goto done;
-               }
+       if (!is_allowed_domain(info3->base.logon_domain.string)) {
+               DBG_NOTICE("Authentication failed for user [%s] "
+                          "from firewalled domain [%s]\n",
+                          info3->base.account_name.string,
+                          info3->base.logon_domain.string);
+               result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+               goto done;
+       }
 
-               result = append_auth_data(state->mem_ctx, state->response,
-                                         state->request->flags,
-                                         validation_level,
-                                         validation,
-                                         name_domain, name_user);
-               if (!NT_STATUS_IS_OK(result)) {
-                       goto done;
-               }
+       r->out.validation = talloc_zero(p->mem_ctx,
+                                       struct wbint_PamAuthCrapValidation);
+       if (r->out.validation == NULL) {
+               result = NT_STATUS_NO_MEMORY;
+               goto done;
        }
 
+       r->out.validation->level = validation_level;
+       r->out.validation->validation = talloc_move(r->out.validation,
+                                                   &validation);


-- 
Samba Shared Repository
