[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Tue May 11 14:57:29 MDT 2010


The branch, master has been updated
       via  454b0b3... s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA
       via  d0a87f0... s4-smbtorture: test netservergetinfo level 1 also against s3.
      from  1a44111... not all versions of env like more than one argument...

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 454b0b3f20ee8bdf56a12930261391e06567169c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Thu May 6 12:45:14 2010 +1000

    s3:kerberos Return PAC_LOGON_INFO rather than the full PAC_DATA
    
    All the callers just want the PAC_LOGON_INFO, so search for that in
    ads_verify_ticket(), and don't bother the callers with the rest of the
    PAC.
    
    This change makes sense on its own (removing boilerplate wrappers
    that just confuse the code), but it also makes it much easier to
    implement a matching ads_verify_ticket() function in Samba4 for the
    s3compat proposal.
    
    Andrew Bartlett
    
    Signed-off-by: Günther Deschner <gd at samba.org>

commit d0a87f0098073b2b7c8b637eccbb9bd91aaa8a80
Author: Günther Deschner <gd at samba.org>
Date:   Tue May 11 13:39:37 2010 +0200

    s4-smbtorture: test netservergetinfo level 1 also against s3.
    
    Guenther

-----------------------------------------------------------------------

Summary of changes:
 source3/include/proto.h          |   17 +-----
 source3/libads/authdata.c        |  122 ++------------------------------------
 source3/libads/kerberos_verify.c |   25 ++++++--
 source3/smbd/sesssetup.c         |   10 +--
 source3/utils/net_ads.c          |    6 +-
 source3/utils/ntlm_auth.c        |    4 +-
 source3/winbindd/winbindd_pam.c  |   29 +++++----
 source4/torture/rap/rap.c        |    8 +-
 source4/torture/rap/rpc.c        |    4 -
 9 files changed, 54 insertions(+), 171 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/include/proto.h b/source3/include/proto.h
index f883cd2..0d0864e 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1732,7 +1732,6 @@ const char *ads_get_ldap_server_name(ADS_STRUCT *ads);
 
 /* The following definitions come from libads/authdata.c  */
 
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data);
 NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     const char *name,
 			     const char *pass,
@@ -1744,19 +1743,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     bool add_netbios_addr,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
-			     struct PAC_DATA **pac_ret);
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
-					const char *name,
-					const char *pass,
-					time_t time_offset,
-					time_t *expire_time,
-					time_t *renew_till_time,
-					const char *cache_name,
-					bool request_pac,
-					bool add_netbios_addr,
-					time_t renewable_time,
-					const char *impersonate_princ_s,
-					struct netr_SamInfo3 **info3);
+			     struct PAC_LOGON_INFO **logon_info);
 
 /* The following definitions come from libads/cldap.c  */
 bool ads_cldap_netlogon(TALLOC_CTX *mem_ctx,
@@ -1850,7 +1837,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 			   time_t time_offset,
 			   const DATA_BLOB *ticket,
 			   char **principal,
-			   struct PAC_DATA **pac_data,
+			   struct PAC_LOGON_INFO **logon_info,
 			   DATA_BLOB *ap_rep,
 			   DATA_BLOB *session_key,
 			   bool use_replay_cache);
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index ee2dbde..e34220f 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -325,25 +325,9 @@ static krb5_error_code check_pac_checksum(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
-****************************************************************/
-
-struct PAC_LOGON_INFO *get_logon_info_from_pac(struct PAC_DATA *pac_data)
-{
-	int i;
-
-	for (i=0; i < pac_data->num_buffers; i++) {
-
-		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
-			continue;
-		}
-
-		return pac_data->buffers[i].info->logon_info.info;
-	}
-
-	return NULL;
-}
-
-/****************************************************************
+Given a username, password and other details, return the
+PAC_LOGON_INFO (the structure containing the important user
+information such as groups).
 ****************************************************************/
 
 NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
@@ -357,12 +341,11 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 			     bool add_netbios_addr,
 			     time_t renewable_time,
 			     const char *impersonate_princ_s,
-			     struct PAC_DATA **pac_ret)
+			     struct PAC_LOGON_INFO **logon_info)
 {
 	krb5_error_code ret;
 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
 	DATA_BLOB tkt, ap_rep, sesskey1, sesskey2;
-	struct PAC_DATA *pac_data = NULL;
 	char *client_princ_out = NULL;
 	const char *auth_princ = NULL;
 	const char *local_service = NULL;
@@ -453,7 +436,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 				   time_offset,
 				   &tkt,
 				   &client_princ_out,
-				   &pac_data,
+				   logon_info,
 				   &ap_rep,
 				   &sesskey2,
 				   False);
@@ -463,14 +446,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 		goto out;
 	}
 
-	if (!pac_data) {
+	if (!*logon_info) {
 		DEBUG(1,("no PAC\n"));
 		status = NT_STATUS_INVALID_PARAMETER;
 		goto out;
 	}
 
-	*pac_ret = pac_data;
-
 out:
 	if (cc != cache_name) {
 		ads_kdestroy(cc);
@@ -486,95 +467,4 @@ out:
 	return status;
 }
 
-/****************************************************************
-****************************************************************/
-
-static NTSTATUS kerberos_return_pac_logon_info(TALLOC_CTX *mem_ctx,
-					       const char *name,
-					       const char *pass,
-					       time_t time_offset,
-					       time_t *expire_time,
-					       time_t *renew_till_time,
-					       const char *cache_name,
-					       bool request_pac,
-					       bool add_netbios_addr,
-					       time_t renewable_time,
-					       const char *impersonate_princ_s,
-					       struct PAC_LOGON_INFO **logon_info)
-{
-	NTSTATUS status;
-	struct PAC_DATA *pac_data = NULL;
-	struct PAC_LOGON_INFO *info = NULL;
-
-	status = kerberos_return_pac(mem_ctx,
-				     name,
-				     pass,
-				     time_offset,
-				     expire_time,
-				     renew_till_time,
-				     cache_name,
-				     request_pac,
-				     add_netbios_addr,
-				     renewable_time,
-				     impersonate_princ_s,
-				     &pac_data);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	if (!pac_data) {
-		DEBUG(3,("no pac\n"));
-		return NT_STATUS_INVALID_USER_BUFFER;
-	}
-
-	info = get_logon_info_from_pac(pac_data);
-	if (!info) {
-		DEBUG(1,("no logon_info\n"));
-		return NT_STATUS_INVALID_USER_BUFFER;
-	}
-
-	*logon_info = info;
-
-	return NT_STATUS_OK;
-}
-
-/****************************************************************
-****************************************************************/
-
-NTSTATUS kerberos_return_info3_from_pac(TALLOC_CTX *mem_ctx,
-					const char *name,
-					const char *pass,
-					time_t time_offset,
-					time_t *expire_time,
-					time_t *renew_till_time,
-					const char *cache_name,
-					bool request_pac,
-					bool add_netbios_addr,
-					time_t renewable_time,
-					const char *impersonate_princ_s,
-					struct netr_SamInfo3 **info3)
-{
-	NTSTATUS status;
-	struct PAC_LOGON_INFO *logon_info = NULL;
-
-	status = kerberos_return_pac_logon_info(mem_ctx,
-						name,
-						pass,
-						time_offset,
-						expire_time,
-						renew_till_time,
-						cache_name,
-						request_pac,
-						add_netbios_addr,
-						renewable_time,
-						impersonate_princ_s,
-						&logon_info);
-	if (!NT_STATUS_IS_OK(status)) {
-		return status;
-	}
-
-	*info3 = &logon_info->info3;
-
-	return NT_STATUS_OK;
-}
 #endif
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c
index bf9bca6..4d7bb8d 100644
--- a/source3/libads/kerberos_verify.c
+++ b/source3/libads/kerberos_verify.c
@@ -405,7 +405,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 			   time_t time_offset,
 			   const DATA_BLOB *ticket,
 			   char **principal,
-			   struct PAC_DATA **pac_data,
+			   struct PAC_LOGON_INFO **logon_info,
 			   DATA_BLOB *ap_rep,
 			   DATA_BLOB *session_key,
 			   bool use_replay_cache)
@@ -433,7 +433,7 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 	ZERO_STRUCT(auth_data);
 
 	*principal = NULL;
-	*pac_data = NULL;
+	*logon_info = NULL;
 	*ap_rep = data_blob_null;
 	*session_key = data_blob_null;
 
@@ -611,12 +611,27 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
 	}
 
 	if (got_auth_data) {
-		pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, pac_data);
+		struct PAC_DATA *pac_data;
+		pac_ret = decode_pac_data(mem_ctx, &auth_data, context, keyblock, client_principal, authtime, &pac_data);
+		data_blob_free(&auth_data);
 		if (!NT_STATUS_IS_OK(pac_ret)) {
 			DEBUG(3,("ads_verify_ticket: failed to decode PAC_DATA: %s\n", nt_errstr(pac_ret)));
-			*pac_data = NULL;
+		} else {
+			uint32_t i;
+			for (i=0; i < pac_data->num_buffers; i++) {
+
+				if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+					continue;
+				}
+
+				*logon_info = pac_data->buffers[i].info->logon_info.info;
+			}
+
+			if (!*logon_info) {
+				DEBUG(1,("correctly decoded PAC but found no logon_info!  This should not happen\n"));
+				return NT_STATUS_INVALID_USER_BUFFER;
+			}
 		}
-		data_blob_free(&auth_data);
 	}
 
 #if 0
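Review bot: The loop at `for (i=0; i < pac_data->num_buffers; i++)` keeps scanning after it assigns `*logon_info`, so a PAC carrying more than one PAC_TYPE_LOGON_INFO buffer yields the last one, whereas the removed get_logon_info_from_pac() helper returned the first; add `break;` directly after `*logon_info = pac_data->buffers[i].info->logon_info.info;` to keep the original selection and stop the scan. The new `return NT_STATUS_INVALID_USER_BUFFER;` also exits ads_verify_ticket from the middle of its body while `context`, `keyblock` and `client_principal` are still live; if the function releases those on a common exit path below this hunk (not visible here), this return skips that cleanup, and it leaves `*principal`, `*ap_rep` and `*session_key` populated on a failure return, unlike the decode-failure branch just above which falls through. Prefer recording the status in the function's result variable and jumping to its normal exit, as its other failure paths presumably do. ads_verify_ticket continues outside the hunk.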
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index a00a362..df39aed 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -243,7 +243,6 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	fstring user;
 	int sess_vuid = req->vuid;
 	NTSTATUS ret = NT_STATUS_OK;
-	struct PAC_DATA *pac_data = NULL;
 	DATA_BLOB ap_rep, ap_rep_wrapped, response;
 	struct auth_serversupplied_info *server_info = NULL;
 	DATA_BLOB session_key = data_blob_null;
@@ -276,7 +275,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 	}
 
 	ret = ads_verify_ticket(mem_ctx, lp_realm(), 0, &ticket,
-				&client, &pac_data, &ap_rep,
+				&client, &logon_info, &ap_rep,
 				&session_key, True);
 
 	data_blob_free(&ticket);
@@ -353,11 +352,8 @@ static void reply_spnego_kerberos(struct smb_request *req,
 
 	/* save the PAC data if we have it */
 
-	if (pac_data) {
-		logon_info = get_logon_info_from_pac(pac_data);
-		if (logon_info) {
-			netsamlogon_cache_store( client, &logon_info->info3 );
-		}
+	if (logon_info) {
+		netsamlogon_cache_store( client, &logon_info->info3 );
 	}
 
 	if (!strequal(p+1, lp_realm())) {
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 53cb9ac..5989fec 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2379,7 +2379,6 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **
 
 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)
 {
-	struct PAC_DATA *pac = NULL;
 	struct PAC_LOGON_INFO *info = NULL;
 	TALLOC_CTX *mem_ctx = NULL;
 	NTSTATUS status;
@@ -2409,7 +2408,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 	status = kerberos_return_pac(mem_ctx,
 				     c->opt_user_name,
 				     c->opt_password,
-			     	     0,
+				     0,
 				     NULL,
 				     NULL,
 				     NULL,
@@ -2417,14 +2416,13 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 				     true,
 				     2592000, /* one month */
 				     impersonate_princ_s,
-				     &pac);
+				     &info);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf(_("failed to query kerberos PAC: %s\n"),
 			nt_errstr(status));
 		goto out;
 	}
 
-	info = get_logon_info_from_pac(pac);
 	if (info) {
 		const char *s;
 		s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 9bd7b5a..2c8dbfc 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1316,7 +1316,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
 			char *principal;
 			DATA_BLOB ap_rep;
 			DATA_BLOB session_key;
-			struct PAC_DATA *pac_data = NULL;
+			struct PAC_LOGON_INFO *logon_info = NULL;
 
 			if ( request.negTokenInit.mechToken.data == NULL ) {
 				DEBUG(1, ("Client did not provide Kerberos data\n"));
@@ -1332,7 +1332,7 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
 
 			status = ads_verify_ticket(mem_ctx, lp_realm(), 0,
 						   &request.negTokenInit.mechToken,
-						   &principal, &pac_data, &ap_rep,
+						   &principal, &logon_info, &ap_rep,
 						   &session_key, True);
 
 			/* Now in "principal" we have the name we are
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a025433..9554339 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -564,8 +564,7 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 	ADS_STRUCT *ads;
 	time_t time_offset = 0;
 	bool internal_ccache = true;
-
-	ZERO_STRUCTP(info3);
+	struct PAC_LOGON_INFO *logon_info = NULL;
 
 	*info3 = NULL;
 
@@ -623,18 +622,18 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 		DEBUG(10,("winbindd_raw_kerberos_login: uid is %d\n", uid));
 	}
 
-	result = kerberos_return_info3_from_pac(state->mem_ctx,
-						principal_s,
-						state->request->data.auth.pass,
-						time_offset,
-						&ticket_lifetime,
-						&renewal_until,
-						cc,
-						true,
-						true,
-						WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
-						NULL,
-						info3);
+	result = kerberos_return_pac(state->mem_ctx,
+				     principal_s,
+				     state->request->data.auth.pass,
+				     time_offset,
+				     &ticket_lifetime,
+				     &renewal_until,
+				     cc,
+				     true,
+				     true,
+				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
+				     NULL,
+				     &logon_info);
 	if (!internal_ccache) {
 		gain_root_privilege();
 	}
@@ -645,6 +644,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain,
 		goto failed;
 	}
 
+	*info3 = &logon_info->info3;
+
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
 		principal_s));
 
diff --git a/source4/torture/rap/rap.c b/source4/torture/rap/rap.c
index 4e490bc..74f7188 100644
--- a/source4/torture/rap/rap.c
+++ b/source4/torture/rap/rap.c
@@ -1720,15 +1720,15 @@ static bool test_netservergetinfo(struct torture_context *tctx,
 	torture_assert_ntstatus_ok(tctx,
 		smbcli_rap_netservergetinfo(cli->tree, lp_iconv_convenience(tctx->lp_ctx), tctx, &r),
 		"rap_netservergetinfo level 0 failed");
-
-	if (torture_setting_bool(tctx, "samba3", false)) {
-		torture_skip(tctx, "skipping netservergetinfo level 1 against samba3");
-	}
+	torture_assert_werr_ok(tctx, W_ERROR(r.out.status),
+		"rap_netservergetinfo level 0 failed");
 
 	r.in.level = 1;
 	torture_assert_ntstatus_ok(tctx,
 		smbcli_rap_netservergetinfo(cli->tree, lp_iconv_convenience(tctx->lp_ctx), tctx, &r),
 		"rap_netservergetinfo level 1 failed");
+	torture_assert_werr_ok(tctx, W_ERROR(r.out.status),
+		"rap_netservergetinfo level 1 failed");
 
 	return res;
 }
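Review bot: Both level-0 assertions carry the same message, `"rap_netservergetinfo level 0 failed"`, and the two level-1 assertions likewise, so a failure report does not say whether the RAP call itself failed or the call succeeded but returned a non-zero `r.out.status`. Giving the new werr checks their own text, e.g. `"rap_netservergetinfo level 0 returned error status"` and `"rap_netservergetinfo level 1 returned error status"`, lets the torture output distinguish the two cases without reading the source.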
diff --git a/source4/torture/rap/rpc.c b/source4/torture/rap/rpc.c
index 7696ed8..4528240 100644
--- a/source4/torture/rap/rpc.c
+++ b/source4/torture/rap/rpc.c
@@ -67,10 +67,6 @@ static bool test_rpc_netservergetinfo(struct torture_context *tctx,
 
 	torture_assert_str_equal(tctx, (const char *)r.out.info.info0.name, server_name, "server name");
 
-	if (torture_setting_bool(tctx, "samba3", false)) {
-		torture_skip(tctx, "skipping netservergetinfo level 1 against samba3");
-	}
-
 	r.in.level = 1;
 
 	torture_assert_ntstatus_ok(tctx,

