[SCM] Samba Shared Repository - branch master updated - tevent-0-9-8-772-gdc8538b
Volker Lendecke
vlendec at samba.org
Mon Sep 28 09:54:55 MDT 2009
The branch, master has been updated
via dc8538b405c506c7a84682b2bb984dc01a05b8f9 (commit)
via f18d0b036c00ff24f082855a4fbb28681c39de70 (commit)
via def5bf57c550862196528515cbedc8bbc79db59a (commit)
via 93db77adcb140d2510af07dab5002709dd14549f (commit)
from 388470f1f34111f7027e2abae5dbdf490f0992df (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit dc8538b405c506c7a84682b2bb984dc01a05b8f9
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 27 12:47:24 2009 +0200
s3:winbind: Make check_info3_in_group, sanitize its memory handling
commit f18d0b036c00ff24f082855a4fbb28681c39de70
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 27 11:51:07 2009 +0200
s3:winbind: Make "check_request_flags" publically available
commit def5bf57c550862196528515cbedc8bbc79db59a
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 27 11:49:11 2009 +0200
s3:winbind: Sanitize the args for find_auth_domain: It only needs the flags
commit 93db77adcb140d2510af07dab5002709dd14549f
Author: Volker Lendecke <vl at samba.org>
Date: Sun Sep 27 11:39:38 2009 +0200
s3:winbind: Make append_data publically available as append_auth_data
-----------------------------------------------------------------------
Summary of changes:
source3/winbindd/winbindd_ccache_access.c | 2 +-
source3/winbindd/winbindd_pam.c | 68 ++++++++++++++++------------
source3/winbindd/winbindd_proto.h | 11 ++++-
3 files changed, 49 insertions(+), 32 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/winbindd/winbindd_ccache_access.c b/source3/winbindd/winbindd_ccache_access.c
index ffb20ac..86017e2 100644
--- a/source3/winbindd/winbindd_ccache_access.c
+++ b/source3/winbindd/winbindd_ccache_access.c
@@ -169,7 +169,7 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
return;
}
- domain = find_auth_domain(state, name_domain);
+ domain = find_auth_domain(state->request->flags, name_domain);
if (domain == NULL) {
DEBUG(5,("winbindd_ccache_ntlm_auth: can't get domain [%s]\n",
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index b87d2a8..b58a9da 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -231,9 +231,8 @@ static NTSTATUS append_afs_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3,
- const char *group_sid)
+NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ const char *group_sid)
/**
* Check whether a user belongs to a group or list of groups.
*
@@ -253,7 +252,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
DOM_SID sid;
size_t i;
struct nt_user_token *token;
- TALLOC_CTX *frame = NULL;
+ TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS status;
/* Parse the 'required group' SID */
@@ -263,8 +262,10 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
- if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
+ token = talloc_zero(talloc_tos(), struct nt_user_token);
+ if (token == NULL) {
DEBUG(0, ("talloc failed\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_NO_MEMORY;
}
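Review bot: The early `return NT_STATUS_OK;` shown as context at the top of this hunk now exits with the stackframe still allocated, because the previous hunk moves `talloc_stackframe()` into the declaration of `frame` and no `TALLOC_FREE(frame);` is added before that return. That path looks like the case where no group restriction is supplied, so it would be taken on ordinary logins and leave the talloc stack unbalanced in a long-running winbindd. Add `TALLOC_FREE(frame);` before that return, or create the frame only after the check. The error returns inside the `while` loop have their preceding lines outside the visible hunks and should be checked for the same omission; the function body starts and ends outside this hunk.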
@@ -273,8 +274,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
p = group_sid;
- frame = talloc_stackframe();
- while (next_token_talloc(frame, &p, &req_sid, ",")) {
+ while (next_token_talloc(talloc_tos(), &p, &req_sid, ",")) {
if (!string_to_sid(&sid, req_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s "
"as a SID!", req_sid));
@@ -282,7 +282,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- status = add_sid_to_array(mem_ctx, &sid,
+ status = add_sid_to_array(talloc_tos(), &sid,
&require_membership_of_sid,
&num_require_membership_of_sid);
if (!NT_STATUS_IS_OK(status)) {
@@ -292,13 +292,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
}
}
- TALLOC_FREE(frame);
-
- status = sid_array_from_info3(mem_ctx, info3,
+ status = sid_array_from_info3(talloc_tos(), info3,
&token->user_sids,
&token->num_sids,
true, false);
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(frame);
return status;
}
@@ -308,6 +307,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
token))) {
DEBUG(3, ("could not add aliases: %s\n",
nt_errstr(status)));
+ TALLOC_FREE(frame);
return status;
}
@@ -319,17 +319,19 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
if (nt_token_check_sid(&require_membership_of_sid[i],
token)) {
DEBUG(10, ("Access ok\n"));
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
}
/* Do not distinguish this error from a wrong username/pw */
+ TALLOC_FREE(frame);
return NT_STATUS_LOGON_FAILURE;
}
-struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
- const char *domain_name)
+struct winbindd_domain *find_auth_domain(uint8_t flags,
+ const char *domain_name)
{
struct winbindd_domain *domain;
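Review bot: `find_auth_domain` now takes `uint8_t flags`, but every caller passes `state->request->flags`, which `append_auth_data` and `check_request_flags` handle as `uint32_t`, so the value is silently truncated to its low byte. The test against `WBFLAG_PAM_CONTACT_TRUSTDOM` in the next hunk decides whether a trusted domain may be used for authentication, and it stays correct only while that flag's value fits in eight bits. Declare the parameter as `uint32_t flags` here and in the prototype added to winbindd_proto.h. The function body continues outside this hunk.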
@@ -351,7 +353,7 @@ struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
}
/* we can auth against trusted domains */
- if (state->request->flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
+ if (flags & WBFLAG_PAM_CONTACT_TRUSTDOM) {
domain = find_domain_from_name_noinit(domain_name);
if (domain == NULL) {
DEBUG(3, ("Authentication for domain [%s] skipped "
@@ -705,7 +707,7 @@ failed:
/****************************************************************
****************************************************************/
-static bool check_request_flags(uint32_t flags)
+bool check_request_flags(uint32_t flags)
{
uint32_t flags_edata = WBFLAG_PAM_AFS_TOKEN |
WBFLAG_PAM_INFO3_TEXT |
@@ -718,7 +720,8 @@ static bool check_request_flags(uint32_t flags)
return true;
}
- DEBUG(1,("check_request_flags: invalid request flags[0x%08X]\n",flags));
+ DEBUG(1, ("check_request_flags: invalid request flags[0x%08X]\n",
+ flags));
return false;
}
@@ -726,10 +729,10 @@ static bool check_request_flags(uint32_t flags)
/****************************************************************
****************************************************************/
-static NTSTATUS append_data(struct winbindd_cli_state *state,
- struct netr_SamInfo3 *info3,
- const char *name_domain,
- const char *name_user)
+NTSTATUS append_auth_data(struct winbindd_cli_state *state,
+ struct netr_SamInfo3 *info3,
+ const char *name_domain,
+ const char *name_user)
{
NTSTATUS result;
uint32_t flags = state->request->flags;
@@ -835,7 +838,7 @@ void winbindd_pam_auth(struct winbindd_cli_state *state)
goto done;
}
- domain = find_auth_domain(state, name_domain);
+ domain = find_auth_domain(state->request->flags, name_domain);
if (domain == NULL) {
result = NT_STATUS_NO_SUCH_USER;
@@ -1627,15 +1630,18 @@ process_result:
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
state->request->data.auth.user,
state->request->data.auth.require_membership_of_sid));
goto done;
}
- result = append_data(state, info3, name_domain, name_user);
+ result = append_auth_data(state, info3, name_domain,
+ name_user);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
@@ -1763,7 +1769,7 @@ void winbindd_pam_auth_crap(struct winbindd_cli_state *state)
}
if (domain_name != NULL)
- domain = find_auth_domain(state, domain_name);
+ domain = find_auth_domain(state->request->flags, domain_name);
if (domain != NULL) {
sendto_domain(state, domain);
@@ -1950,8 +1956,10 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
/* Check if the user is in the right group */
- if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
- state->request->data.auth_crap.require_membership_of_sid))) {
+ result = check_info3_in_group(
+ info3,
+ state->request->data.auth_crap.require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(result)) {
DEBUG(3, ("User %s is not in the required group (%s), so "
"crap authentication is rejected\n",
state->request->data.auth_crap.user,
@@ -1959,7 +1967,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
goto done;
}
- result = append_data(state, info3, name_domain, name_user);
+ result = append_auth_data(state, info3, name_domain,
+ name_user);
if (!NT_STATUS_IS_OK(result)) {
goto done;
}
@@ -2222,7 +2231,8 @@ void winbindd_pam_logoff(struct winbindd_cli_state *state)
goto failed;
}
- if ((domain = find_auth_domain(state, name_domain)) == NULL) {
+ if ((domain = find_auth_domain(state->request->flags,
+ name_domain)) == NULL) {
goto failed;
}
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 49034d7..3072258 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -494,8 +494,15 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
/* The following definitions come from winbindd/winbindd_pam.c */
-struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
- const char *domain_name);
+bool check_request_flags(uint32_t flags);
+struct winbindd_domain *find_auth_domain(uint8_t flags,
+ const char *domain_name);
+NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
+ const char *group_sid);
+NTSTATUS append_auth_data(struct winbindd_cli_state *state,
+ struct netr_SamInfo3 *info3,
+ const char *name_domain,
+ const char *name_user);
void winbindd_pam_auth(struct winbindd_cli_state *state);
enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
struct winbindd_cli_state *state) ;
--
Samba Shared Repository