winbindd: use add_trusted_domain_from_auth
authorRalph Boehme <slow@samba.org>
Wed, 29 Nov 2017 09:55:25 +0000 (10:55 +0100)
committerKarolin Seeger <kseeger@samba.org>
Sat, 13 Jan 2018 11:55:08 +0000 (12:55 +0100)
After a successful authentication, ensure we have the user's domain in our
domain list and the TDC.

Signed-off-by: Ralph Boehme <slow@samba.org>
source3/winbindd/winbindd_pam_auth.c
source3/winbindd/winbindd_pam_auth_crap.c

index 7ff448889755f34f00aef7f87df015216cb8b000..b35a17cf319b834634b0e2507f564db8461d8bec 100644 (file)
@@ -19,6 +19,7 @@
 
 #include "includes.h"
 #include "winbindd.h"
+#include "libcli/security/dom_sid.h"
 
 struct winbindd_pam_auth_state {
        struct winbindd_request *request;
@@ -127,6 +128,20 @@ NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
                return status;
        }
 
+       if (state->request->flags & WBFLAG_PAM_INFO3_TEXT) {
+               bool ok;
+
+               ok = add_trusted_domain_from_auth(
+                       state->response->data.auth.validation_level,
+                       &state->response->data.auth.info3,
+                       &state->response->data.auth.info6);
+               if (!ok) {
+                       DBG_ERR("add_trusted_domain_from_auth failed\n");
+                       set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
+                       return NT_STATUS_LOGON_FAILURE;
+               }
+       }
+
        if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
 
                /* Store in-memory creds for single-signon using ntlm_auth. */
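Review bot: The new WBFLAG_PAM_INFO3_TEXT block in winbindd_pam_auth_recv is repeated verbatim in winbindd_pam_auth_crap_recv (last hunk of the second file), and neither site says why registering the user's domain is gated on the client having asked for INFO3_TEXT rather than done on every successful logon. A short comment above the check would stop the next reader from "fixing" the gate, e.g. `/* add_trusted_domain_from_auth() needs the info3/info6 in the response, which are only filled when INFO3_TEXT was requested. */` — that is my reading of the dependency, so confirm it against the code that fills response->data.auth before using that wording. Since the 14 lines are identical in both recv paths, they would also be better as one static helper in the shared winbindd_pam code taking the response and the request flags, so the gate, the DBG_ERR text and the status mapping cannot drift apart. The enclosing function continues before and after this hunk.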
index 695ee1d0864a09cb7a9e221bd03bb78d53038739..eb4087b1c2cb19b62f15e2c4b39fbb56aaed4af2 100644 (file)
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "rpc_client/util_netlogon.h"
+#include "libcli/security/dom_sid.h"
 
 struct winbindd_pam_auth_crap_state {
        struct winbindd_response *response;
@@ -46,10 +47,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
                return NULL;
        }
 
-       if (request->flags & WBFLAG_PAM_AUTH_PAC) {
+       state->flags = request->flags;
+
+       if (state->flags & WBFLAG_PAM_AUTH_PAC) {
                NTSTATUS status;
 
-               state->flags = request->flags;
                status = winbindd_pam_auth_pac_send(cli, &state->info3);
                if (NT_STATUS_IS_OK(status)) {
                        /* Defer filling out response to recv */
@@ -132,7 +134,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
                return status;
        }
 
-       if (state->flags & WBFLAG_PAM_AUTH_PAC) {
+       if (state->flags & WBFLAG_PAM_AUTH_PAC) {
                uint16_t validation_level;
                union netr_Validation *validation = NULL;
 
@@ -155,6 +157,22 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
 
        }
 
+       if (NT_STATUS_IS_OK(NT_STATUS(state->response->data.auth.nt_status)) &&
+           (state->flags & WBFLAG_PAM_INFO3_TEXT))
+       {
+               bool ok;
+
+               ok = add_trusted_domain_from_auth(
+                       state->response->data.auth.validation_level,
+                       &state->response->data.auth.info3,
+                       &state->response->data.auth.info6);
+               if (!ok) {
+                       DBG_ERR("add_trusted_domain_from_auth failed\n");
+                       set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
+                       return NT_STATUS_LOGON_FAILURE;
+               }
+       }
+
        *response = *state->response;
        response->result = WINBINDD_PENDING;
        state->response = talloc_move(response, &state->response);
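Review bot: When add_trusted_domain_from_auth fails here, the DC has already accepted the credentials, yet the caller receives NT_STATUS_LOGON_FAILURE — indistinguishable from a bad password — and the only trace of the real cause is the generic `DBG_ERR("add_trusted_domain_from_auth failed\n")`. Failing closed is the right choice, because the user's domain could not be registered locally, but the log line should carry enough context to triage it, at minimum the validation level that was handed to the call, e.g. `DBG_ERR("add_trusted_domain_from_auth failed (validation_level=%u)\n", (unsigned)state->response->data.auth.validation_level);`. This hunk also guards the call with NT_STATUS_IS_OK on data.auth.nt_status while the matching block in winbindd_pam_auth_recv does not; if that path's earlier `return status` already guarantees success at that point, a one-line comment there saying so would keep the two sites visibly in step. winbindd_pam_auth_crap_recv starts before this hunk.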