[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sat Apr 30 01:08:01 UTC 2022


The branch, master has been updated
       via  1dfa193232c s3:winbind: Remove unused functions
       via  7b573599895 examples: Update winbind.stp and generate script
       via  c68f21f26f1 s3:winbind: Convert PAM_AUTH_CRAP from struct based to NDR based
       via  dd69be80208 s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
       via  0b4d581d358 s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
       via  f8fa3331085 s3:winbind: Use temp memory context in winbindd_pam_auth_pac_verify()
       via  d4564d989f2 s3:rpc_client: Fix memory allocation hierarchy
       via  74a511a8eab s3:winbind: Move big NTLMv2 blob checks to parent process
       via  efc97296d95 s3:winbind: Use uint8_t for authoritative flag
       via  fc4cb625063 s3:winbind: Remove unnecessary jump to label
       via  8f7adb9e760 s3:winbind: Remove unnecesary condition to reduce indentation level
       via  d900e93931e s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob
      from  fe7daae8c46 s3: smbd: Allow a durable handle on a leased stat-open.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1dfa193232c857224f01e86f3f987a0582fdb933
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 25 14:26:07 2022 +0100

    s3:winbind: Remove unused functions
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Apr 30 01:07:12 UTC 2022 on sn-devel-184

commit 7b573599895cd0c85fcdeaae909ab4d20d85a6f8
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 25 14:53:16 2022 +0100

    examples: Update winbind.stp and generate script
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit c68f21f26f10b60ca1ac294b7294bfbf37c9bb86
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 25 11:32:14 2022 +0100

    s3:winbind: Convert PAM_AUTH_CRAP from struct based to NDR based
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit dd69be802085d96af8875f2137a8261231d453b1
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Thu Feb 24 18:02:42 2022 +0100

    s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
    
    The winbindd_dual_pam_auth_crap() will be converted to a local RPC call
    handler and the winbindd_response won't be filled by the child process
    but in the parent's winbindd_pam_auth_crap_recv() function.
    
    Move all code filling the winbindd_response struct to a common place,
    winbindd_pam_auth_crap_recv().
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 0b4d581d35815e7ddc7d79e1433a5a5888b31e29
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 18 15:29:13 2022 +0100

    s3:winbind: Refactor winbindd_pam_auth_crap_{send,recv}
    
    Move the code filling the winbindd_response to a common place,
    winbindd_pam_auth_crap_recv().
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit f8fa3331085877e0e9dff6df1b267818d3f92423
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 25 12:11:36 2022 +0100

    s3:winbind: Use temp memory context in winbindd_pam_auth_pac_verify()
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d4564d989f28becdbeda6d5175ebe050a895e346
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Fri Feb 25 13:36:31 2022 +0100

    s3:rpc_client: Fix memory allocation hierarchy
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 74a511a8eab72cc82940738a1e20e63e12b81374
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Thu Feb 24 17:48:27 2022 +0100

    s3:winbind: Move big NTLMv2 blob checks to parent process
    
    The winbindd_dual_pam_auth_crap() function will be converted to a local
    RPC call handler and it won't receive a winbindd_cli_state struct. Move
    the checks accessing this struct to the parent.
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit efc97296d95a6f00005a9d5313ce37c8db14b5a5
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Mon Apr 18 16:44:23 2022 +0200

    s3:winbind: Use uint8_t for authoritative flag
    
    It is the type used in the winbindd_response struct.
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit fc4cb625063b7a09b0a83fe2168c29f0921adf3c
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Jun 15 14:18:22 2021 +0200

    s3:winbind: Remove unnecessary jump to label
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 8f7adb9e760fb2260a253a8575406ff6ee73286a
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Jun 15 14:16:25 2021 +0200

    s3:winbind: Remove unnecesary condition to reduce indentation level
    
    Best viewed with git show --ignore-space-change.
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit d900e93931e18fb86252b9eef96b236f5a39cf61
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Tue Jun 15 14:06:27 2021 +0200

    s3:winbind: Pass the challenge to winbind_dual_SamLogon() as a data blob
    
    Next commits will covert the winbindd_dual_pam_auth_crap() function to a
    local RPC call handler receiving the challenge as a DATA_BLOB in the 'r'
    struct.
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 examples/systemtap/generate-winbindd.stp.sh |   1 +
 examples/systemtap/winbindd.stp             |  22 ++-
 librpc/idl/winbind.idl                      |  21 ++
 source3/rpc_client/cli_netlogon.c           |   9 +-
 source3/rpc_client/cli_netlogon.h           |   2 +-
 source3/rpc_client/util_netlogon.c          |   2 +-
 source3/winbindd/winbindd_domain.c          |   4 -
 source3/winbindd/winbindd_dual_srv.c        |   9 +-
 source3/winbindd/winbindd_pam.c             | 296 ++++++++++------------------
 source3/winbindd/winbindd_pam_auth_crap.c   | 227 +++++++++++++--------
 source3/winbindd/winbindd_proto.h           |   7 +-
 11 files changed, 315 insertions(+), 285 deletions(-)


Changeset truncated at 500 lines:

diff --git a/examples/systemtap/generate-winbindd.stp.sh b/examples/systemtap/generate-winbindd.stp.sh
index 28b2dbc58c1..18695232f43 100755
--- a/examples/systemtap/generate-winbindd.stp.sh
+++ b/examples/systemtap/generate-winbindd.stp.sh
@@ -10,6 +10,7 @@ winbindd_dual_pam_chng_pswd_auth_crap
 winbindd_dual_pam_chauthtok
 _wbint_Ping
 _wbint_PamAuth
+_wbint_PamAuthCrap
 _wbint_ListTrustedDomains
 _wbint_LookupSid
 _wbint_LookupSids
diff --git a/examples/systemtap/winbindd.stp b/examples/systemtap/winbindd.stp
index 58926017595..5b8e72fea6c 100644
--- a/examples/systemtap/winbindd.stp
+++ b/examples/systemtap/winbindd.stp
@@ -2,7 +2,7 @@
 #
 # Systemtap script to instrument winbindd
 #
-# Generated by examples/systemtap/generate-winbindd.stp.sh on jue 31 mar 2022 12:34:16 CEST, do not edit
+# Generated by examples/systemtap/generate-winbindd.stp.sh on vie 01 abr 2022 16:21:52 CEST, do not edit
 #
 # Usage:
 #
@@ -183,6 +183,26 @@ probe process("winbindd").function("_wbint_PamAuth").return {
 	dc_svctime["_wbint_PamAuth"] <<< duration
 }
 
+#
+# winbind domain child function _wbint_PamAuthCrap
+#
+
+probe process("winbindd").function("_wbint_PamAuthCrap") {
+	dc_running[tid(), "_wbint_PamAuthCrap"] = gettimeofday_us()
+}
+
+probe process("winbindd").function("_wbint_PamAuthCrap").return {
+	if (!([tid(), "_wbint_PamAuthCrap"] in dc_running))
+		next
+
+	end = gettimeofday_us()
+	begin = dc_running[tid(), "_wbint_PamAuthCrap"]
+	delete dc_running[tid(), "_wbint_PamAuthCrap"]
+
+	duration = end - begin
+	dc_svctime["_wbint_PamAuthCrap"] <<< duration
+}
+
 #
 # winbind domain child function _wbint_ListTrustedDomains
 #
diff --git a/librpc/idl/winbind.idl b/librpc/idl/winbind.idl
index 2737c563c69..8a50a53eea1 100644
--- a/librpc/idl/winbind.idl
+++ b/librpc/idl/winbind.idl
@@ -196,6 +196,27 @@ interface winbind
         [out,ref] wbint_Validation *validation
         );
 
+    typedef [public] struct {
+        uint16 level;
+        [switch_is(level)] netr_Validation *validation;
+    } wbint_PamAuthCrapValidation;
+
+    NTSTATUS wbint_PamAuthCrap(
+        [in,string,charset(UTF8)] char *client_name,
+        [in] hyper client_pid,
+        [in] uint32 flags,
+        [in, string,charset(UTF8)] char *user,
+        [in, string,charset(UTF8)] char *domain,
+        [in, string,charset(UTF8)] char *workstation,
+        [in] DATA_BLOB lm_resp,
+        [in] DATA_BLOB nt_resp,
+        [in] DATA_BLOB chal,
+        [in] uint32 logon_parameters,
+        [in] wbint_SidArray *require_membership_of_sid,
+        [out,ref] uint8 *authoritative,
+        [out,ref] wbint_PamAuthCrapValidation *validation
+        );
+
   /* Public methods available via IRPC */
 
     typedef [switch_type(uint16)] union netr_LogonLevel netr_LogonLevel;
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index 50dae9d7f3e..f446f0c8724 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -644,7 +644,7 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const char *domain,
 	const char *workstation,
 	const uint64_t logon_id,
-	const uint8_t chal[8],
+	DATA_BLOB chal,
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
 	enum netr_LogonInfoClass logon_type,
@@ -715,7 +715,12 @@ NTSTATUS rpccli_netlogon_network_logon(
 	network_info->identity_info.account_name.string		= username;
 	network_info->identity_info.workstation.string		= workstation_name_slash;
 
-	memcpy(network_info->challenge, chal, 8);
+	if (chal.length != 8) {
+		DBG_WARNING("Invalid challenge length %zd\n", chal.length);
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+
+	memcpy(network_info->challenge, chal.data, chal.length);
 	network_info->nt = nt;
 	network_info->lm = lm;
 
diff --git a/source3/rpc_client/cli_netlogon.h b/source3/rpc_client/cli_netlogon.h
index 362321f312f..464492520fb 100644
--- a/source3/rpc_client/cli_netlogon.h
+++ b/source3/rpc_client/cli_netlogon.h
@@ -83,7 +83,7 @@ NTSTATUS rpccli_netlogon_network_logon(
 	const char *domain,
 	const char *workstation,
 	const uint64_t logon_id,
-	const uint8_t chal[8],
+	DATA_BLOB chal,
 	DATA_BLOB lm_response,
 	DATA_BLOB nt_response,
 	enum netr_LogonInfoClass logon_type,
diff --git a/source3/rpc_client/util_netlogon.c b/source3/rpc_client/util_netlogon.c
index e24f0ff1e4f..52bd40b49f9 100644
--- a/source3/rpc_client/util_netlogon.c
+++ b/source3/rpc_client/util_netlogon.c
@@ -375,7 +375,7 @@ NTSTATUS map_info6_to_validation(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	status = copy_netr_SamInfo6(mem_ctx,
+	status = copy_netr_SamInfo6(validation,
 				    info6,
 				    &validation->sam6);
 	if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_domain.c b/source3/winbindd/winbindd_domain.c
index 6f85d0779a0..80df55a5819 100644
--- a/source3/winbindd/winbindd_domain.c
+++ b/source3/winbindd/winbindd_domain.c
@@ -30,10 +30,6 @@ static const struct winbindd_child_dispatch_table domain_dispatch_table[] = {
 		.name		= "INIT_CONNECTION",
 		.struct_cmd	= WINBINDD_INIT_CONNECTION,
 		.struct_fn	= winbindd_dual_init_connection,
-	},{
-		.name		= "AUTH_CRAP",
-		.struct_cmd	= WINBINDD_PAM_AUTH_CRAP,
-		.struct_fn	= winbindd_dual_pam_auth_crap,
 	},{
 		.name		= "PAM_LOGOFF",
 		.struct_cmd	= WINBINDD_PAM_LOGOFF,
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index a59ecafe695..ae2bd77c8a6 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -941,9 +941,8 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 	struct winbindd_domain *domain;
 	NTSTATUS status;
 	struct netr_IdentityInfo *identity_info = NULL;
-	const uint8_t chal_zero[8] = {0, };
-	const uint8_t *challenge = chal_zero;
 	DATA_BLOB lm_response, nt_response;
+	DATA_BLOB challenge = data_blob_null;
 	uint32_t flags = 0;
 	uint16_t validation_level;
 	union netr_Validation *validation = NULL;
@@ -981,7 +980,7 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 		interactive = true;
 		identity_info = &r->in.logon.password->identity_info;
 
-		challenge = chal_zero;
+		challenge = data_blob_null;
 		lm_response = data_blob_talloc(p->mem_ctx,
 					r->in.logon.password->lmpassword.hash,
 					sizeof(r->in.logon.password->lmpassword.hash));
@@ -999,7 +998,9 @@ NTSTATUS _winbind_SamLogon(struct pipes_struct *p,
 		interactive = false;
 		identity_info = &r->in.logon.network->identity_info;
 
-		challenge = r->in.logon.network->challenge;
+		challenge = data_blob_talloc(p->mem_ctx,
+					r->in.logon.network->challenge,
+					8);
 		lm_response = data_blob_talloc(p->mem_ctx,
 					r->in.logon.network->lm.data,
 					r->in.logon.network->lm.length);
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 78bc6c932f3..49a2cd7c83b 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -1653,7 +1653,7 @@ static NTSTATUS winbind_samlogon_retry_loop(struct winbindd_domain *domain,
 					    const char *workstation,
 					    const uint64_t logon_id,
 					    bool plaintext_given,
-					    const uint8_t chal[8],
+					    DATA_BLOB chal,
 					    DATA_BLOB lm_response,
 					    DATA_BLOB nt_response,
 					    bool interactive,
@@ -2093,7 +2093,7 @@ static NTSTATUS winbindd_dual_pam_auth_samlogon(
 					     lp_netbios_name(),
 					     logon_id,
 					     true, /* plaintext_given */
-					     NULL,
+					     data_blob_null,
 					     data_blob_null, data_blob_null,
 					     true, /* interactive */
 					     &authoritative,
@@ -2111,58 +2111,6 @@ done:
 	return NT_STATUS_OK;
 }
 
-/*
- * @brief build a tsocket_address for the remote address of the supplied socket
- *
- */
-static struct tsocket_address *get_remote_address(TALLOC_CTX *mem_ctx, int sock)
-{
-	struct sockaddr_storage st = {0};
-	struct sockaddr *sar = (struct sockaddr *)&st;
-	socklen_t sa_len = sizeof(st);
-	struct tsocket_address *remote = NULL;
-	int ret = 0;
-
-	ret = getpeername(sock, sar, &sa_len);
-	if (ret != 0) {
-		DBG_ERR("getpeername failed - %s", strerror(errno));
-		return NULL;
-	}
-	ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &remote);
-	if (ret != 0) {
-		DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
-			strerror(errno));
-		return NULL;
-	}
-	return remote;
-}
-
-/*
- * @brief build a tsocket_address for the local address of the supplied socket
- *
- */
-static struct tsocket_address *get_local_address(TALLOC_CTX *mem_ctx, int sock)
-{
-	struct sockaddr_storage st = {0};
-	struct sockaddr *sar = (struct sockaddr *)&st;
-	socklen_t sa_len = sizeof(st);
-	struct tsocket_address *local = NULL;
-	int ret = 0;
-
-	ret = getsockname(sock, sar, &sa_len);
-	if (ret != 0) {
-		DBG_ERR("getsockname failed - %s", strerror(errno));
-		return NULL;
-	}
-	ret = tsocket_address_bsd_from_sockaddr(mem_ctx, sar, sa_len, &local);
-	if (ret != 0) {
-		DBG_ERR("tsocket_address_bsd_from_sockaddr failed - %s",
-			strerror(errno));
-		return NULL;
-	}
-	return local;
-}
-
 /*
  * @brief generate an authentication message in the logs.
  *
@@ -2672,7 +2620,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 			       const uint64_t logon_id,
 			       const char* client_name,
 			       const int client_pid,
-			       const uint8_t chal[8],
+			       DATA_BLOB chal_blob,
 			       DATA_BLOB lm_response,
 			       DATA_BLOB nt_response,
 			       const struct tsocket_address *remote,
@@ -2697,8 +2645,6 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 	 * we need to check against domain->name.
 	 */
 	if (!skip_sam && strequal(domain->name, get_global_sam_name())) {
-		DATA_BLOB chal_blob = data_blob_const(
-			chal, 8);
 		struct netr_SamInfo3 *info3 = NULL;
 
 		result = winbindd_dual_auth_passdb(
@@ -2745,7 +2691,7 @@ NTSTATUS winbind_dual_SamLogon(struct winbindd_domain *domain,
 					     workstation, /* We carefully set this above so use it... */
 					     logon_id,
 					     false, /* plaintext_given */
-					     chal,
+					     chal_blob,
 					     lm_response,
 					     nt_response,
 					     interactive,
@@ -2838,79 +2784,52 @@ done:
 	return NT_STATUS_OK;
 }
 
-enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
-						 struct winbindd_cli_state *state)
+NTSTATUS _wbint_PamAuthCrap(struct pipes_struct *p, struct wbint_PamAuthCrap *r)
 {
+	struct winbindd_domain *domain = wb_child_domain();
 	NTSTATUS result;
-	const char *name_user = NULL;
-	const char *name_domain = NULL;
-	const char *workstation;
 	uint64_t logon_id = 0;
 	uint8_t authoritative = 1;
 	uint32_t flags = 0;
 	uint16_t validation_level = UINT16_MAX;
 	union netr_Validation *validation = NULL;
-	DATA_BLOB lm_resp = { 0 }, nt_resp = { 0 };
 	const struct timeval start_time = timeval_current();
 	const struct tsocket_address *remote = NULL;
 	const struct tsocket_address *local = NULL;
+	struct netr_SamInfo3 *info3 = NULL;
+	pid_t client_pid;
 
-	/* This is child-only, so no check for privileged access is needed
-	   anymore */
-
-	/* Ensure null termination */
-	state->request->data.auth_crap.user[sizeof(state->request->data.auth_crap.user)-1]=0;
-	state->request->data.auth_crap.domain[sizeof(state->request->data.auth_crap.domain)-1]=0;
+	if (domain == NULL) {
+		return NT_STATUS_REQUEST_NOT_ACCEPTED;
+	}
 
-	name_user = state->request->data.auth_crap.user;
-	name_domain = state->request->data.auth_crap.domain;
-	workstation = state->request->data.auth_crap.workstation;
-	logon_id = generate_random_u64();
-	remote = get_remote_address(state->mem_ctx, state->sock);
-	local = get_local_address(state->mem_ctx, state->sock);
-
-	DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
-		  name_domain, name_user));
-
-	if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
-		|| state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
-		if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
-		     state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
-			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
-				  state->request->data.auth_crap.lm_resp_len,
-				  state->request->data.auth_crap.nt_resp_len));
-			result = NT_STATUS_INVALID_PARAMETER;
-			goto done;
-		}
+	/* Cut client_pid to 32bit */
+	client_pid = r->in.client_pid;
+	if ((uint64_t)client_pid != r->in.client_pid) {
+		DBG_DEBUG("pid out of range\n");
+		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
-					state->request->data.auth_crap.lm_resp_len);
+	logon_id = generate_random_u64();
+	remote = dcesrv_connection_get_remote_address(p->dce_call->conn);
+	local = dcesrv_connection_get_local_address(p->dce_call->conn);
 
-	if (state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) {
-		nt_resp = data_blob_talloc(state->mem_ctx,
-					   state->request->extra_data.data,
-					   state->request->data.auth_crap.nt_resp_len);
-	} else {
-		nt_resp = data_blob_talloc(state->mem_ctx,
-					   state->request->data.auth_crap.nt_resp,
-					   state->request->data.auth_crap.nt_resp_len);
-	}
+	DBG_NOTICE("[%"PRIu32"]: pam auth crap domain: %s user: %s\n",
+		   client_pid, r->in.domain, r->in.user);
 
 	result = winbind_dual_SamLogon(domain,
-				       state->mem_ctx,
+				       p->mem_ctx,
 				       false, /* interactive */
-				       state->request->data.auth_crap.logon_parameters,
-				       name_user,
-				       name_domain,
-				       /* Bug #3248 - found by Stefan Burkei. */
-				       workstation, /* We carefully set this above so use it... */
+				       r->in.logon_parameters,
+				       r->in.user,
+				       r->in.domain,
+				       r->in.workstation,
 				       logon_id,
-				       state->request->client_name,
-				       state->request->pid,
-				       state->request->data.auth_crap.chal,
-				       lm_resp,
-				       nt_resp,
+				       r->in.client_name,
+				       client_pid,
+				       r->in.chal,
+				       r->in.lm_resp,
+				       r->in.nt_resp,
 				       remote,
 				       local,
 				       &authoritative,
@@ -2922,97 +2841,79 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 		goto done;
 	}
 
-	if (NT_STATUS_IS_OK(result)) {
-		struct netr_SamInfo3 *info3 = NULL;
-		struct wbint_SidArray *sid_array = NULL;
-
-		result = map_validation_to_info3(state->mem_ctx,
-						 validation_level,
-						 validation,
-						 &info3);
-		if (!NT_STATUS_IS_OK(result)) {
-			goto done;
-		}
-
-		result = extra_data_to_sid_array(
-			state->request->data.auth_crap.require_membership_of_sid,
-			state->mem_ctx,
-			&sid_array);
-		if (!NT_STATUS_IS_OK(result)) {
-			DBG_ERR("Failed to parse '%s' into a sid array: %s\n",
-				state->request->data.auth_crap.require_membership_of_sid,
-				nt_errstr(result));
-			goto done;
-		}
+	result = map_validation_to_info3(p->mem_ctx,
+					 validation_level,
+					 validation,
+					 &info3);
+	if (!NT_STATUS_IS_OK(result)) {
+		goto done;
+	}
 
-		/* Check if the user is in the right group */
-		result = check_info3_in_group(info3, sid_array);
-		if (!NT_STATUS_IS_OK(result)) {
-			char *s = NDR_PRINT_STRUCT_STRING(state->mem_ctx,
-							  wbint_SidArray,
-							  sid_array);
-			DBG_NOTICE("User %s is not in the required groups:\n",
-				   state->request->data.auth_crap.user);
-			DEBUGADD(DBGLVL_NOTICE, ("%s", s));
-			DEBUGADD(DBGLVL_NOTICE,
-				 ("CRAP authentication is rejected\n"));
-			TALLOC_FREE(sid_array);
-			goto done;
-		}
-		TALLOC_FREE(sid_array);
+	/* Check if the user is in the right group */
+	result = check_info3_in_group(info3, r->in.require_membership_of_sid);
+	if (!NT_STATUS_IS_OK(result)) {
+		char *s = NDR_PRINT_STRUCT_STRING(p->mem_ctx,
+						  wbint_SidArray,
+						  r->in.require_membership_of_sid);
+		DBG_NOTICE("User %s is not in the required groups:\n",
+			   r->in.user);
+		DEBUGADD(DBGLVL_NOTICE, ("%s", s));
+		DEBUGADD(DBGLVL_NOTICE,
+			 ("CRAP authentication is rejected\n"));
+		goto done;
+	}
 
-		if (!is_allowed_domain(info3->base.logon_domain.string)) {
-			DBG_NOTICE("Authentication failed for user [%s] "
-				   "from firewalled domain [%s]\n",
-				   info3->base.account_name.string,
-				   info3->base.logon_domain.string);
-			result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
-			goto done;
-		}
+	if (!is_allowed_domain(info3->base.logon_domain.string)) {
+		DBG_NOTICE("Authentication failed for user [%s] "
+			   "from firewalled domain [%s]\n",
+			   info3->base.account_name.string,
+			   info3->base.logon_domain.string);
+		result = NT_STATUS_AUTHENTICATION_FIREWALL_FAILED;
+		goto done;
+	}
 
-		result = append_auth_data(state->mem_ctx, state->response,
-					  state->request->flags,
-					  validation_level,
-					  validation,
-					  name_domain, name_user);
-		if (!NT_STATUS_IS_OK(result)) {
-			goto done;
-		}
+	r->out.validation = talloc_zero(p->mem_ctx,
+					struct wbint_PamAuthCrapValidation);
+	if (r->out.validation == NULL) {
+		result = NT_STATUS_NO_MEMORY;
+		goto done;
 	}
 
+	r->out.validation->level = validation_level;
+	r->out.validation->validation = talloc_move(r->out.validation,
+						    &validation);


-- 
Samba Shared Repository



More information about the samba-cvs mailing list