svn commit: samba r14753 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

gd at samba.org gd at samba.org
Wed Mar 29 09:40:43 GMT 2006


Author: gd
Date: 2006-03-29 09:40:42 +0000 (Wed, 29 Mar 2006)
New Revision: 14753

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14753

Log:
Fix the kerberized pam_auth: if we created a new credential cache with a
valid TGT in it but weren't able to get or verify the service ticket for
this local host afterwards, and therefore didn't get the PAC, we need to
remove that ccache entirely.

Also remove an ugly pair of (not needed) seteuid calls around the ticket
destroy wrapper.

Guenther

Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-03-28 17:10:20 UTC (rev 14752)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-03-29 09:40:42 UTC (rev 14753)
@@ -342,7 +342,7 @@
 	goto done;
 
   memory_ccache:
-  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
+  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
 
   done:
   	if (gen_cc == NULL) {
@@ -495,7 +495,7 @@
 		DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", 
 			principal_s, error_message(krb5_ret), krb5_ret));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	/* does http_timestring use heimdals libroken strftime?? - Guenther */
@@ -507,7 +507,7 @@
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 	strlower_m(client_princ);
 
@@ -515,7 +515,7 @@
 	if (local_service == NULL) {
 		DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 
 	krb5_ret = cli_krb5_get_ticket(local_service, 
@@ -525,10 +525,10 @@
 				       0, 
 				       cc);
 	if (krb5_ret) {
-		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n", 
-			local_service));
+		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", 
+			local_service, error_message(krb5_ret)));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	if (!internal_ccache) {
@@ -547,7 +547,7 @@
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", 
 			nt_errstr(result)));
-		goto done;
+		goto failed;
 	}
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", 
@@ -556,14 +556,14 @@
 	if (!pac_data) {
 		DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 			
 	logon_info = get_logon_info_from_pac(pac_data);
 	if (logon_info == NULL) {
 		DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 
 
@@ -599,6 +599,22 @@
 
 	result = NT_STATUS_OK;
 
+	goto done;
+
+failed:
+
+	/* we could have created a new credential cache with a valid tgt in it
+	 * but we werent able to get or verify the service ticket for this
+	 * local host and therefor didn't get the PAC, we need to remove that
+	 * cache entirely now */
+
+	krb5_ret = ads_kdestroy(cc);
+	if (krb5_ret) {
+		DEBUG(0,("winbindd_raw_kerberos_login: "
+			 "could not destroy krb5 credential cache: "
+			 "%s\n", error_message(krb5_ret)));
+	}
+
 done:
 	data_blob_free(&session_key);
 	data_blob_free(&session_key_krb5);
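Review bot: The new `failed:` path destroys `cc` unconditionally, yet the `if (!internal_ccache)` branch at @@ -525 suggests `cc` can also name a caller-supplied, non-memory cache; if that cache already held the user's own credentials before this login attempt, `ads_kdestroy(cc)` discards them as a side effect of a failed service-ticket verification. Either guard the destroy with the same internal/external distinction, or make the intent explicit in the comment, e.g. `/* also discards any pre-existing credentials in a caller-supplied ccache */`. Note that `krb5_ret` is reused for the destroy result, so the original kinit/get_ticket error is lost after this point; that is harmless only because every `goto failed` site in this diff sets `result` first, which a short comment such as `/* result already holds the primary failure; krb5_ret is only reused for the cleanup status */` would pin down. The same hunk appears in trunk/source/nsswitch/winbindd_pam.c at @@ -599; winbindd_raw_kerberos_login starts and ends outside this hunk.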
@@ -1802,12 +1818,8 @@
 		goto process_result;
 	}
 
-	seteuid(entry->uid);
-
 	ret = ads_kdestroy(entry->ccname);
 
-	seteuid(0);
-
 	if (ret) {
 		DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n", 
 			entry->ccname, error_message(ret)));
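Review bot: Removing the `seteuid(entry->uid)` / `seteuid(0)` pair means `ads_kdestroy(entry->ccname)` now runs with winbindd's full privilege; if `entry->ccname` can refer to a file in a user-writable location (which the earlier uid switch implies was once the assumption), the destroy no longer benefits from the kernel's ownership checks against a path that has been replaced or redirected since logon. The log message calls the calls "not needed" but the hunk records no reason; a one-line comment above the call would capture it, e.g. `/* ccname was created by winbindd itself under its own uid, so no uid switch is needed to destroy it */` — only if that is in fact the justification. If the cache can instead be user-writable, the privilege drop (or an ownership check inside ads_kdestroy) should remain. Same hunk in trunk/source/nsswitch/winbindd_pam.c at @@ -1802; winbindd_pam_logoff starts and ends outside this hunk.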

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-03-28 17:10:20 UTC (rev 14752)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-03-29 09:40:42 UTC (rev 14753)
@@ -342,7 +342,7 @@
 	goto done;
 
   memory_ccache:
-  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbind_cache");
+  	gen_cc = talloc_strdup(mem_ctx, "MEMORY:winbindd_pam_ccache");
 
   done:
   	if (gen_cc == NULL) {
@@ -495,7 +495,7 @@
 		DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", 
 			principal_s, error_message(krb5_ret), krb5_ret));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	/* does http_timestring use heimdals libroken strftime?? - Guenther */
@@ -507,7 +507,7 @@
 	client_princ = talloc_strdup(state->mem_ctx, global_myname());
 	if (client_princ == NULL) {
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 	strlower_m(client_princ);
 
@@ -515,7 +515,7 @@
 	if (local_service == NULL) {
 		DEBUG(0,("winbindd_raw_kerberos_login: out of memory\n"));
 		result = NT_STATUS_NO_MEMORY;
-		goto done;
+		goto failed;
 	}
 
 	krb5_ret = cli_krb5_get_ticket(local_service, 
@@ -525,10 +525,10 @@
 				       0, 
 				       cc);
 	if (krb5_ret) {
-		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for: %s\n", 
-			local_service));
+		DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", 
+			local_service, error_message(krb5_ret)));
 		result = krb5_to_nt_status(krb5_ret);
-		goto done;
+		goto failed;
 	}
 
 	if (!internal_ccache) {
@@ -547,7 +547,7 @@
 	if (!NT_STATUS_IS_OK(result)) {
 		DEBUG(0,("winbindd_raw_kerberos_login: ads_verify_ticket failed: %s\n", 
 			nt_errstr(result)));
-		goto done;
+		goto failed;
 	}
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", 
@@ -556,14 +556,14 @@
 	if (!pac_data) {
 		DEBUG(3,("winbindd_raw_kerberos_login: no pac data\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 			
 	logon_info = get_logon_info_from_pac(pac_data);
 	if (logon_info == NULL) {
 		DEBUG(1,("winbindd_raw_kerberos_login: no logon info\n"));
 		result = NT_STATUS_INVALID_PARAMETER;
-		goto done;
+		goto failed;
 	}
 
 
@@ -599,6 +599,22 @@
 
 	result = NT_STATUS_OK;
 
+	goto done;
+
+failed:
+
+	/* we could have created a new credential cache with a valid tgt in it
+	 * but we werent able to get or verify the service ticket for this
+	 * local host and therefor didn't get the PAC, we need to remove that
+	 * cache entirely now */
+
+	krb5_ret = ads_kdestroy(cc);
+	if (krb5_ret) {
+		DEBUG(0,("winbindd_raw_kerberos_login: "
+			 "could not destroy krb5 credential cache: "
+			 "%s\n", error_message(krb5_ret)));
+	}
+
 done:
 	data_blob_free(&session_key);
 	data_blob_free(&session_key_krb5);
@@ -1802,12 +1818,8 @@
 		goto process_result;
 	}
 
-	seteuid(entry->uid);
-
 	ret = ads_kdestroy(entry->ccname);
 
-	seteuid(0);
-
 	if (ret) {
 		DEBUG(0,("winbindd_pam_logoff: failed to destroy user ccache %s with: %s\n", 
 			entry->ccname, error_message(ret)));


