get_{local,remote}_address() in winbindd_dual_pam_auth()
Stefan Metzmacher
metze at samba.org
Wed May 12 10:09:52 UTC 2021
Hi Gary,
in commit c8b7b7918b49f3598706190975a82be258aa9c44
Author: Gary Lockyer <gary at catalyst.net.nz>
AuthorDate: Mon Jan 28 15:31:46 2019 +1300
Commit: Andrew Bartlett <abartlet at samba.org>
CommitDate: Wed Feb 20 06:03:09 2019 +0100

    winbind: Log PAM and NTLM authentications.

    Generate JSON authentication messages for winbind PAM_AUTH and
    PAM_AUTH_CRAP requests. The logon_id in these messages can be used to
    link them to the SamLogon messages.

    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

You added get_local_address(), get_remote_address(), which take a socket file descriptor
in order to get the addresses from the socket.
However all you pass in is the socket fd that's created in
fork_domain_child() via socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair).
I'm wondering how this could ever be useful in any way?
Also in _winbind_SamLogon() you're passing down
p->{local,remote}_address from pipes_struct, which were not used
before in winbindd and are both NULL.
It means that make_user_info() in winbindd_dual_auth_passdb() will always
return NT_STATUS_NO_MEMORY. Luckily that code path is not triggered from auth_winbind.
Before we used tsocket_address_inet_from_strings(frame, "ip", "127.0.0.1", 0)
only in winbindd_dual_auth_passdb().
You are also using the wrong pid for client_pid, it's state->pid instead
of state->request->pid, state->pid comes from fork_domain_child():
state.cli.pid = getpid(); and is the pid of the winbindd parent process.
Maybe winbindd's parent should check request->pid against SO_PEERCRED/SO_PEERID
before using it for auth logging?
How did you test this (besides making sure it compiles)?
What would be the correct way out of this?
metze
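
An added example, not part of the mail and not Samba code, covering two points raised above: what getsockname() reports for a socket made with socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair), and how a pid claimed in a request can be compared with the kernel's SO_PEERCRED value before it is logged. The helper names are hypothetical, the check is Linux-specific, and the scenario is constructed inside a single process.

```c
#define _GNU_SOURCE /* struct ucred and SO_PEERCRED on Linux */
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: address family getsockname() reports for fd, -1 on error. */
static int local_family(int fd)
{
	struct sockaddr_storage ss;
	socklen_t len = sizeof(ss);
	memset(&ss, 0, sizeof(ss));
	if (getsockname(fd, (struct sockaddr *)&ss, &len) != 0)
		return -1;
	return ss.ss_family;
}

/* Hypothetical helper: true only if the pid a client claimed in its request
 * equals the pid the kernel recorded for the peer of this AF_UNIX socket. */
static bool claimed_pid_matches_peer(int fd, pid_t claimed)
{
	struct ucred cred;
	socklen_t len = sizeof(cred);
	if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 ||
	    len != sizeof(cred))
		return false; /* no kernel credentials: do not trust the claim */
	return cred.pid == claimed;
}

/* Constructed scenario: a pair created like the one quoted in the mail.
 * Returns a bitmask: 1 = family is AF_UNIX (no IP address available),
 * 2 = real pid accepted, 4 = forged pid rejected; -1 on setup failure. */
static int check_socketpair(void)
{
	int fdpair[2], r = 0;
	if (socketpair(AF_UNIX, SOCK_STREAM, 0, fdpair) != 0)
		return -1;
	/* For socketpair() the kernel records the creating process as the peer. */
	r |= (local_family(fdpair[0]) == AF_UNIX) ? 1 : 0;
	r |= claimed_pid_matches_peer(fdpair[0], getpid()) ? 2 : 0;
	r |= claimed_pid_matches_peer(fdpair[0], getpid() + 1) ? 0 : 4;
	close(fdpair[0]);
	close(fdpair[1]);
	return r;
}

int main(void) { return check_socketpair() == 7 ? 0 : 1; }
```

On a socket accepted from a listening AF_UNIX socket, SO_PEERCRED instead returns the credentials the client had at connect() time, which is the case where comparing against a client-supplied pid is meaningful.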