[Patches] require a PAC within a Kerberos ticket/map to guest = bad uid

Stefan Metzmacher metze at samba.org
Fri Mar 16 10:27:01 UTC 2018


Am 16.03.2018 um 10:59 schrieb Andreas Schneider:
> On Friday, 16 March 2018 10:39:35 CET Stefan Metzmacher via samba-technical 
> wrote:
>> Hi,
> 
> Hi Metze,
> 
>> I recently noticed that we have fallback code that tries to build
>> an auth_session_info from a Kerberos principal if there's no
>> PAC present in the ticket.
>>
>> I think think allowing that is completely stupid.
>>
>> This can only happen if the service has UF_NO_AUTH_DATA_REQUIRED
>> and we never set this, so we'll always get a PAC.
>>
>> The attached patches let us require a valid PAC blob
>> in side Kerberos service tickets.
>>
>> Please review and push:-)
> 
> In the first second patch, shouldn't we do:
> 
> +	DATA_BLOB pac_blob = data_blob_null;

Done.

> As we pass that down by pointer I would prefer it being initialized. Also 
> talloc_free() -> TALLOC_FREE()?

I added a new patch
"s3:gse: make use of talloc_stackframe() in gensec_gse_session_info()"

But I left gensec_gssapi_session_info() with talloc_free(),
all other places in that function use this and it's right before
the return.

> In the 8th patch, I would do:
> 
> +	struct wbcAuthUserParams params = {
> +		.level = WBC_AUTH_USER_LEVEL_PAC,
> +  };
> 
> for the init of params.

The goal was that "git show -w" gives a trivial diff,
so I left it untouched.

A new patchset is attached.

>> In source3 we also have code that implements "map to guest = bad uid"
>> and maps a kerberos authenticated user to guest.
>>
>> Now that we require a running winbindd on a member server,
>> we should remove the "bad uid" hacks. Would anyone object
>> to that? It would simplify a lot and might make it possible
>> to understand all the strange code paths we have to construct
>> an auth_session_info.
>>
>> I guess it is not needed to deprecate it first
>> as this can only happen if /etc/nsswitch.conf is not configured correctly.
>>
>> Should I prepare patches to remove this ("bad uid")?
> 
> Yes, please. :-)

Ok, I'll see what I can do:-)

metze

-------------- next part --------------
From 3ca5639d7f774e67090f988e641d5d2fb6b7680f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 1/9] s3:gse: require a PAC in the kerberos ticket.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/librpc/crypto/gse.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 70e29c2..101153b 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -1215,8 +1215,7 @@ static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
 	TALLOC_CTX *tmp_ctx;
 	struct auth_session_info *session_info = NULL;
 	OM_uint32 maj_stat, min_stat;
-	DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
-
+	DATA_BLOB pac_blob = data_blob_null;
 	gss_buffer_desc name_token;
 	char *principal_string;
 
@@ -1245,20 +1244,21 @@ static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	/*
+	 * We require a PAC in the ticket.
+	 */
 	nt_status = gssapi_obtain_pac_blob(tmp_ctx,  gse_ctx->gssapi_context,
 					   gse_ctx->client_name,
 					   &pac_blob);
-
-	/* IF we have the PAC - otherwise we need to get this
-	 * data from elsewere
-	 */
-	if (NT_STATUS_IS_OK(nt_status)) {
-		pac_blob_ptr = &pac_blob;
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return nt_status;
 	}
+
 	nt_status = gensec_generate_session_info_pac(tmp_ctx,
 						     gensec_security,
 						     NULL,
-						     pac_blob_ptr, principal_string,
+						     &pac_blob, principal_string,
 						     gensec_get_remote_address(gensec_security),
 						     &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-- 
1.9.1


From a109ed5f1b2f8b8ec7bdb7a55c76c979384a6b48 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Fri, 16 Mar 2018 11:07:31 +0100
Subject: [PATCH 2/9] s3:gse: make use of talloc_stackframe() in
 gensec_gse_session_info()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/librpc/crypto/gse.c | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 101153b..edc4468 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -1211,70 +1211,67 @@ static NTSTATUS gensec_gse_session_info(struct gensec_security *gensec_security,
 	struct gse_context *gse_ctx =
 		talloc_get_type_abort(gensec_security->private_data,
 		struct gse_context);
+	TALLOC_CTX *frame = talloc_stackframe();
 	NTSTATUS nt_status;
-	TALLOC_CTX *tmp_ctx;
 	struct auth_session_info *session_info = NULL;
 	OM_uint32 maj_stat, min_stat;
 	DATA_BLOB pac_blob = data_blob_null;
 	gss_buffer_desc name_token;
 	char *principal_string;
 
-	tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gse_session_info context");
-	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
-
 	maj_stat = gss_display_name(&min_stat,
 				    gse_ctx->client_name,
 				    &name_token,
 				    NULL);
 	if (GSS_ERROR(maj_stat)) {
 		DEBUG(1, ("GSS display_name failed: %s\n",
-			  gse_errstr(talloc_tos(), maj_stat, min_stat)));
-		talloc_free(tmp_ctx);
+			  gse_errstr(frame, maj_stat, min_stat)));
+		TALLOC_FREE(frame);
 		return NT_STATUS_FOOBAR;
 	}
 
-	principal_string = talloc_strndup(tmp_ctx,
+	principal_string = talloc_strndup(frame,
 					  (const char *)name_token.value,
 					  name_token.length);
 
 	gss_release_buffer(&min_stat, &name_token);
 
 	if (!principal_string) {
-		talloc_free(tmp_ctx);
+		TALLOC_FREE(frame);
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	/*
 	 * We require a PAC in the ticket.
 	 */
-	nt_status = gssapi_obtain_pac_blob(tmp_ctx,  gse_ctx->gssapi_context,
+	nt_status = gssapi_obtain_pac_blob(frame,  gse_ctx->gssapi_context,
 					   gse_ctx->client_name,
 					   &pac_blob);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
+		TALLOC_FREE(frame);
 		return nt_status;
 	}
 
-	nt_status = gensec_generate_session_info_pac(tmp_ctx,
+	nt_status = gensec_generate_session_info_pac(frame,
 						     gensec_security,
 						     NULL,
 						     &pac_blob, principal_string,
 						     gensec_get_remote_address(gensec_security),
 						     &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
+		TALLOC_FREE(frame);
 		return nt_status;
 	}
 
 	nt_status = gensec_gse_session_key(gensec_security, session_info,
 					   &session_info->session_key);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-		talloc_free(tmp_ctx);
+		TALLOC_FREE(frame);
 		return nt_status;
 	}
 
 	*_session_info = talloc_move(mem_ctx, &session_info);
-	talloc_free(tmp_ctx);
+	TALLOC_FREE(frame);
 
 	return NT_STATUS_OK;
 }
-- 
1.9.1


From 117b4e4e1eea26caaa5ab2ac35878dfce4ed5ab9 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 3/9] s4:gensec_gssapi: require a PAC in the kerberos ticket.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/gensec/gensec_gssapi.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a61b2b2..8149ee3 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1466,8 +1466,7 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		= talloc_get_type(gensec_security->private_data, struct gensec_gssapi_state);
 	struct auth_session_info *session_info = NULL;
 	OM_uint32 maj_stat, min_stat;
-	DATA_BLOB pac_blob, *pac_blob_ptr = NULL;
-
+	DATA_BLOB pac_blob = data_blob_null;
 	gss_buffer_desc name_token;
 	char *principal_string;
 	
@@ -1496,21 +1495,21 @@ static NTSTATUS gensec_gssapi_session_info(struct gensec_security *gensec_securi
 		return NT_STATUS_NO_MEMORY;
 	}
 
+	/*
+	 * We require a PAC in the ticket.
+	 */
 	nt_status = gssapi_obtain_pac_blob(tmp_ctx,  gensec_gssapi_state->gssapi_context,
 					   gensec_gssapi_state->client_name,
 					   &pac_blob);
-	
-	/* IF we have the PAC - otherwise we need to get this
-	 * data from elsewere - local ldb, or (TODO) lookup of some
-	 * kind... 
-	 */
-	if (NT_STATUS_IS_OK(nt_status)) {
-		pac_blob_ptr = &pac_blob;
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(tmp_ctx);
+		return nt_status;
 	}
+
 	nt_status = gensec_generate_session_info_pac(tmp_ctx,
 						     gensec_security,
 						     gensec_gssapi_state->smb_krb5_context,
-						     pac_blob_ptr, principal_string,
+						     &pac_blob, principal_string,
 						     gensec_get_remote_address(gensec_security),
 						     &session_info);
 	if (!NT_STATUS_IS_OK(nt_status)) {
-- 
1.9.1


From 9056cc4a763b99303b8574d8d9e13326d9d07e52 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 4/9] auth:gensec: require a PAC in the kerberos ticket in
 gensec_generate_session_info_pac()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 auth/gensec/gensec_util.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c
index 20c9c2a..74a3e7c 100644
--- a/auth/gensec/gensec_util.c
+++ b/auth/gensec/gensec_util.c
@@ -45,14 +45,10 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
 
 	session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
 
-	if (!pac_blob) {
-		if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
-			DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
-				  principal_string));
-			return NT_STATUS_ACCESS_DENIED;
-		}
-		DBG_NOTICE("Unable to find PAC for %s, resorting to local "
-			   "user lookup\n", principal_string);
+	if (pac_blob == NULL) {
+		DBG_WARNING("Unable to find PAC in ticket from %s, "
+			    "failing to allow access\n", principal_string);
+		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	if (gensec_security->auth_context && gensec_security->auth_context->generate_session_info_pac) {
-- 
1.9.1


From 8af512d0bc91da01754e4bb2c24159e636582411 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 5/9] s4:auth: require a PAC in the kerberos ticket in
 auth_generate_session_info_pac()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/ntlm/auth.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 7e10a55..5133472 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -89,6 +89,7 @@ PAC isn't available, and for tokenGroups in the DSDB stack.
 
  Supply either a principal or a DN
 ****************************************************************************/
+#if 0
 static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
 						  TALLOC_CTX *mem_ctx,
 						  const char *principal,
@@ -124,6 +125,7 @@ static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_
 
 	return NT_STATUS_NOT_IMPLEMENTED;
 }
+#endif
 
 /**
  * Check a user's Plaintext, LM or NTLM password.
@@ -652,9 +654,11 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
 	struct auth_user_info_dc *user_info_dc;
 	TALLOC_CTX *tmp_ctx;
 
-	if (!pac_blob) {
-		return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name,
-						       NULL, session_info_flags, session_info);
+	if (pac_blob == NULL) {
+		/*
+		 * The caller should have already checked this!
+		 */
+		return NT_STATUS_INTERNAL_ERROR;
 	}
 
 	tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context");
-- 
1.9.1


From 400d0ff3918af90588681d466952919fd17911f5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Wed, 7 Mar 2018 10:08:05 +0100
Subject: [PATCH 6/9] s4:auth: remove unused
 auth_generate_session_info_principal()

We still make authsam_get_user_info_dc_principal(), but it's
not required to tunnel this through the auth methods.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source4/auth/auth.h          |  6 ------
 source4/auth/ntlm/auth.c     | 44 --------------------------------------------
 source4/auth/ntlm/auth_sam.c | 12 ------------
 3 files changed, 62 deletions(-)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index f88489b..7880d92 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -74,12 +74,6 @@ struct auth_operations {
 				struct auth_user_info_dc **interim_info,
 				bool *authoritative);
 
-	/* Lookup a 'session info interim' return based only on the principal or DN */
-	NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx,
-						       struct auth4_context *auth_context,
-						       const char *principal,
-						       struct ldb_dn *user_dn,
-						       struct auth_user_info_dc **interim_info);
 	uint32_t flags;
 };
 
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 5133472..560f8cd 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -83,50 +83,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(struct auth4_context *auth_ctx, uint8_t cha
 	return NT_STATUS_OK;
 }
 
-/****************************************************************************
-Used in the gensec_gssapi and gensec_krb5 server-side code, where the
-PAC isn't available, and for tokenGroups in the DSDB stack.
-
- Supply either a principal or a DN
-****************************************************************************/
-#if 0
-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx,
-						  TALLOC_CTX *mem_ctx,
-						  const char *principal,
-						  struct ldb_dn *user_dn,
-                                                  uint32_t session_info_flags,
-                                                  struct auth_session_info **session_info)
-{
-	NTSTATUS nt_status;
-	struct auth_method_context *method;
-	struct auth_user_info_dc *user_info_dc;
-
-	for (method = auth_ctx->methods; method; method = method->next) {
-		if (!method->ops->get_user_info_dc_principal) {
-			continue;
-		}
-
-		nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc);
-		if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) {
-			continue;
-		}
-		if (!NT_STATUS_IS_OK(nt_status)) {
-			return nt_status;
-		}
-
-		nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, 
-							       user_info_dc,
-							       user_info_dc->info->account_name,
-							       session_info_flags, session_info);
-		talloc_free(user_info_dc);
-
-		return nt_status;
-	}
-
-	return NT_STATUS_NOT_IMPLEMENTED;
-}
-#endif
-
 /**
  * Check a user's Plaintext, LM or NTLM password.
  * (sync version)
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index d63a7d1..f44c4d0 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -851,28 +851,16 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 	return NT_STATUS_OK;
 }
 
-/* Wrapper for the auth subsystem pointer */
-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx,
-							  struct auth4_context *auth_context,
-							  const char *principal,
-							  struct ldb_dn *user_dn,
-							  struct auth_user_info_dc **user_info_dc)
-{
-	return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx,
-						 principal, user_dn, user_info_dc);
-}
 static const struct auth_operations sam_ignoredomain_ops = {
 	.name		           = "sam_ignoredomain",
 	.want_check	           = authsam_ignoredomain_want_check,
 	.check_password	           = authsam_check_password_internals,
-	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
 static const struct auth_operations sam_ops = {
 	.name		           = "sam",
 	.want_check	           = authsam_want_check,
 	.check_password	           = authsam_check_password_internals,
-	.get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper,
 };
 
 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *);
-- 
1.9.1


From 2415f85a21914bb3e78cf0fdeb080685225072bb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 7/9] s3:auth: require a PAC in the kerberos ticket in
 auth3_generate_session_info_pac()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_generic.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 167d4e0..971fc5f 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -59,6 +59,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 	NTSTATUS status;
 	int rc;
 
+	if (pac_blob == NULL) {
+		/*
+		 * The caller should have already checked this!
+		 */
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
 	tmp_ctx = talloc_new(mem_ctx);
 	if (!tmp_ctx) {
 		return NT_STATUS_NO_MEMORY;
-- 
1.9.1


From 8e0640754dad991eead3c270702fc054dbb2b6a1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 8/9] s3:auth: simplify the #ifdef HAVE_KRB5 logic in
 auth3_generate_session_info_pac()

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_generic.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 971fc5f..df852e6 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -46,6 +46,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 						uint32_t session_info_flags,
 						struct auth_session_info **session_info)
 {
+#ifdef HAVE_KRB5
 	TALLOC_CTX *tmp_ctx;
 	struct PAC_LOGON_INFO *logon_info = NULL;
 	struct netr_SamInfo3 *info3_copy = NULL;
@@ -72,7 +73,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 	}
 
 	if (pac_blob) {
-#ifdef HAVE_KRB5
 		struct wbcAuthUserParams params = {};
 		struct wbcAuthUserInfo *info = NULL;
 		struct wbcAuthErrorInfo *err = NULL;
@@ -120,9 +120,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
 						 NULL, NULL, 0, &logon_info);
-#else
-		status = NT_STATUS_ACCESS_DENIED;
-#endif
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
@@ -191,6 +188,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 done:
 	TALLOC_FREE(tmp_ctx);
 	return status;
+#else
+	/*
+	 * This should never be called if
+	 * we don't support kerberos.
+	 */
+	return NT_STATUS_INTERNAL_ERROR;
+#endif
 }
 
 static struct auth4_context *make_auth4_context_s3(TALLOC_CTX *mem_ctx, struct auth_context *auth_context)
-- 
1.9.1


From aa94cf5dfbbdaa008e163850b58f397295e27f68 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze at samba.org>
Date: Sun, 4 Mar 2018 11:55:11 +0100
Subject: [PATCH 9/9] s3:auth: remove unused indentation level in
 auth3_generate_session_info_pac()

We always require a pac_blob now.

Check with git show -w

Signed-off-by: Stefan Metzmacher <metze at samba.org>
---
 source3/auth/auth_generic.c | 91 ++++++++++++++++++++++-----------------------
 1 file changed, 44 insertions(+), 47 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index df852e6..0081e11 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -59,6 +59,10 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 	struct passwd *pw;
 	NTSTATUS status;
 	int rc;
+	struct wbcAuthUserParams params = {};
+	struct wbcAuthUserInfo *info = NULL;
+	struct wbcAuthErrorInfo *err = NULL;
+	wbcErr wbc_err;
 
 	if (pac_blob == NULL) {
 		/*
@@ -72,57 +76,50 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	if (pac_blob) {
-		struct wbcAuthUserParams params = {};
-		struct wbcAuthUserInfo *info = NULL;
-		struct wbcAuthErrorInfo *err = NULL;
-		wbcErr wbc_err;
-
-		/*
-		 * Let winbind decode the PAC.
-		 * This will also store the user
-		 * data in the netsamlogon cache.
-		 *
-		 * We need to do this *before* we
-		 * call get_user_from_kerberos_info()
-		 * as that does a user lookup that
-		 * expects info in the netsamlogon cache.
-		 *
-		 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
-		 */
-		params.level = WBC_AUTH_USER_LEVEL_PAC;
-		params.password.pac.data = pac_blob->data;
-		params.password.pac.length = pac_blob->length;
-
-		become_root();
-		wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
-		unbecome_root();
+	/*
+	 * Let winbind decode the PAC.
+	 * This will also store the user
+	 * data in the netsamlogon cache.
+	 *
+	 * We need to do this *before* we
+	 * call get_user_from_kerberos_info()
+	 * as that does a user lookup that
+	 * expects info in the netsamlogon cache.
+	 *
+	 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
+	 */
+	params.level = WBC_AUTH_USER_LEVEL_PAC;
+	params.password.pac.data = pac_blob->data;
+	params.password.pac.length = pac_blob->length;
 
-		/*
-		 * As this is merely a cache prime
-		 * WBC_ERR_WINBIND_NOT_AVAILABLE
-		 * is not a fatal error, treat it
-		 * as success.
-		 */
+	become_root();
+	wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
+	unbecome_root();
 
-		switch (wbc_err) {
-			case WBC_ERR_WINBIND_NOT_AVAILABLE:
-			case WBC_ERR_SUCCESS:
-				break;
-			case WBC_ERR_AUTH_ERROR:
-				status = NT_STATUS(err->nt_status);
-				wbcFreeMemory(err);
-				goto done;
-			default:
-				status = NT_STATUS_LOGON_FAILURE;
-				goto done;
-		}
+	/*
+	 * As this is merely a cache prime
+	 * WBC_ERR_WINBIND_NOT_AVAILABLE
+	 * is not a fatal error, treat it
+	 * as success.
+	 */
 
-		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
-						 NULL, NULL, 0, &logon_info);
-		if (!NT_STATUS_IS_OK(status)) {
+	switch (wbc_err) {
+		case WBC_ERR_WINBIND_NOT_AVAILABLE:
+		case WBC_ERR_SUCCESS:
+			break;
+		case WBC_ERR_AUTH_ERROR:
+			status = NT_STATUS(err->nt_status);
+			wbcFreeMemory(err);
 			goto done;
-		}
+		default:
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
+	}
+
+	status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+					 NULL, NULL, 0, &logon_info);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
 	}
 
 	rc = get_remote_hostname(remote_address,
-- 
1.9.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180316/fd3acd05/signature.sig>


More information about the samba-technical mailing list