{
struct winbindd_domain *domain;
fstring name_domain, name_user;
+ NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
+ struct WINBINDD_MEMORY_CREDS *entry;
+ DATA_BLOB initial, challenge, auth;
+ uint32 initial_blob_len, challenge_blob_len, extra_len;
/* Ensure null termination */
state->request->data.ccache_ntlm_auth.user[
return;
}
- sendto_domain(state, domain);
-}
-
-enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *domain,
- struct winbindd_cli_state *state)
-{
- NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
- struct WINBINDD_MEMORY_CREDS *entry;
- DATA_BLOB initial, challenge, auth;
- fstring name_domain, name_user;
- uint32 initial_blob_len, challenge_blob_len, extra_len;
-
- /* Ensure null termination */
- state->request->data.ccache_ntlm_auth.user[
- sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
-
- DEBUG(3, ("winbindd_dual_ccache_ntlm_auth: [%5lu]: perform NTLM auth on "
- "behalf of user %s (dual)\n", (unsigned long)state->pid,
- state->request->data.ccache_ntlm_auth.user));
-
/* validate blob lengths */
initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
data_blob_free(&auth);
process_result:
- return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
+ if (!NT_STATUS_IS_OK(result)) {
+ request_error(state);
+ return;
+ }
+ request_ok(state);
}
void winbindd_ccache_save(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
fstring name_domain, name_user;
+ NTSTATUS status;
/* Ensure null termination */
state->request->data.ccache_save.user[
return;
}
- domain = find_auth_domain(state->request->flags, name_domain);
+ /*
+ * The domain is checked here only for compatibility
+ * reasons. We used to do the winbindd memory ccache for
+ * ntlm_auth in the domain child. With that code, we had to
+ * make sure that we do have a domain around to send this
+ * to. Now we do the memory cache in the parent winbindd,
+ * where it would not matter if we have a domain or not.
+ */
+ domain = find_auth_domain(state->request->flags, name_domain);
if (domain == NULL) {
DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
name_domain));
return;
}
- sendto_domain(state, domain);
-}
-
-enum winbindd_result winbindd_dual_ccache_save(
- struct winbindd_domain *domain, struct winbindd_cli_state *state)
-{
- NTSTATUS status = NT_STATUS_NOT_SUPPORTED;
-
- /* Ensure null termination */
- state->request->data.ccache_save.user[
- sizeof(state->request->data.ccache_save.user)-1]='\0';
- state->request->data.ccache_save.pass[
- sizeof(state->request->data.ccache_save.pass)-1]='\0';
-
- DEBUG(3, ("winbindd_dual_ccache_save: [%5lu]: save password of user "
- "%s\n", (unsigned long)state->pid,
- state->request->data.ccache_save.user));
-
status = winbindd_add_memory_creds(
state->request->data.ccache_save.user,
state->request->data.ccache_save.uid,
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
nt_errstr(status)));
- return WINBINDD_ERROR;
+ request_error(state);
+ return;
}
-
- return WINBINDD_OK;
+ request_ok(state);
}
.name = "PAM_CHAUTHTOK",
.struct_cmd = WINBINDD_PAM_CHAUTHTOK,
.struct_fn = winbindd_dual_pam_chauthtok,
- },{
- .name = "CCACHE_NTLM_AUTH",
- .struct_cmd = WINBINDD_CCACHE_NTLMAUTH,
- .struct_fn = winbindd_dual_ccache_ntlm_auth,
- },{
- .name = "CCACHE_SAVE",
- .struct_cmd = WINBINDD_CCACHE_SAVE,
- .struct_fn = winbindd_dual_ccache_save,
},{
.name = "NDRCMD",
.struct_cmd = WINBINDD_DUAL_NDRCMD,
#endif
-static uid_t get_uid_from_state(struct winbindd_cli_state *state)
+uid_t get_uid_from_request(struct winbindd_request *request)
{
uid_t uid;
- uid = state->request->data.auth.uid;
+ uid = request->data.auth.uid;
if (uid < 0) {
DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
return uid;
}
+static uid_t get_uid_from_state(struct winbindd_cli_state *state)
+{
+ return get_uid_from_request(state->request);
+}
+
/**********************************************************************
Authenticate a user with a clear text password using Kerberos and fill up
ccache if required
if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
- /* Store in-memory creds for single-signon using ntlm_auth. */
- result = winbindd_add_memory_creds(state->request->data.auth.user,
- get_uid_from_state(state),
- state->request->data.auth.pass);
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
- goto done;
- }
-
if (lp_winbind_offline_logon()) {
result = winbindd_store_creds(domain,
state->mem_ctx,
state->request->data.auth.user,
state->request->data.auth.pass,
info3, NULL);
- if (!NT_STATUS_IS_OK(result)) {
-
- /* Release refcount. */
- winbindd_delete_memory_creds(state->request->data.auth.user);
-
- DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
- goto done;
- }
}
}
done:
if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
-
- /* Update the single sign-on memory creds. */
- result = winbindd_replace_memory_creds(state->request->data.chauthtok.user,
- newpass);
-
- /* When we login from gdm or xdm and password expires,
- * we change password, but there are no memory crendentials
- * So, winbindd_replace_memory_creds() returns
- * NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
- * --- BoYang
- * */
- if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
- result = NT_STATUS_OK;
- }
-
- if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
- goto process_result;
- }
-
if (lp_winbind_offline_logon()) {
result = winbindd_update_creds_by_name(contact_domain,
state->mem_ctx, user,
process_result:
- winbindd_delete_memory_creds(state->request->data.logoff.user);
set_auth_errors(state->response, result);
#include "winbindd.h"
struct winbindd_pam_auth_state {
+ struct winbindd_request *request;
struct winbindd_response *response;
};
if (req == NULL) {
return NULL;
}
+ state->request = request;
/* Ensure null termination */
request->data.auth.user[sizeof(request->data.auth.user)-1] = '\0';
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
- return NT_STATUS(response->data.auth.nt_status);
+
+ status = NT_STATUS(response->data.auth.nt_status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
+
+ /* Store in-memory creds for single-signon using ntlm_auth. */
+
+ status = winbindd_add_memory_creds(
+ state->request->data.auth.user,
+ get_uid_from_request(state->request),
+ state->request->data.auth.pass);
+ DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
+ nt_errstr(status)));
+ }
+
+ return status;
}
#include "winbindd.h"
struct winbindd_pam_chauthtok_state {
+ struct winbindd_request *request;
struct winbindd_response *response;
};
if (req == NULL) {
return NULL;
}
+ state->request = request;
/* Ensure null termination */
request->data.chauthtok.user[
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
- return NT_STATUS(response->data.auth.nt_status);
+
+ status = NT_STATUS(response->data.auth.nt_status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
+
+ /* Update the single sign-on memory creds. */
+ status = winbindd_replace_memory_creds(
+ state->request->data.chauthtok.user,
+ state->request->data.chauthtok.newpass);
+
+ DEBUG(10, ("winbindd_replace_memory_creds returned %s\n",
+ nt_errstr(status)));
+
+ /*
+ * When we login from gdm or xdm and password expires,
+ * we change password, but there are no memory
+ * crendentials So, winbindd_replace_memory_creds()
+ * returns NT_STATUS_OBJECT_NAME_NOT_FOUND. This is
+ * not a failure. --- BoYang
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ status = NT_STATUS_OK;
+ }
+ }
+ return status;
}
#include "winbindd.h"
struct winbindd_pam_logoff_state {
+ struct winbindd_request *request;
struct winbindd_response *response;
};
if (req == NULL) {
return NULL;
}
+ state->request = request;
/* Ensure null termination */
/* Ensure null termination */
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
- return NT_STATUS(response->data.auth.nt_status);
+
+ status = NT_STATUS(response->data.auth.nt_status);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ winbindd_delete_memory_creds(state->request->data.logoff.user);
+ return status;
}
/* The following definitions come from winbindd/winbindd_pam.c */
bool check_request_flags(uint32_t flags);
+uid_t get_uid_from_request(struct winbindd_request *request);
struct winbindd_domain *find_auth_domain(uint8_t flags,
const char *domain_name);
enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,