return NT_STATUS_OK;
}
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_LOGON_INFO **logon_info)
+{
+ NTSTATUS nt_status;
+ struct PAC_DATA *pac_data;
+ int i;
+ nt_status = kerberos_decode_pac(mem_ctx,
+ blob,
+ context,
+ krbtgt_keyblock,
+ service_keyblock,
+ client_principal,
+ tgs_authtime,
+ &pac_data);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ *logon_info = NULL;
+ for (i=0; i < pac_data->num_buffers; i++) {
+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
+ continue;
+ }
+ *logon_info = pac_data->buffers[i].info->logon_info.info;
+ }
+ if (!*logon_info) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ return NT_STATUS_OK;
+}
+
#endif
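Review bot: The loop body `*logon_info = pac_data->buffers[i].info->logon_info.info;` dereferences `.info` without a NULL check, whereas every caller loop this helper replaces skipped such a buffer with `if (!data_buf->info) { break; }`, so a PAC that decodes with a PAC_TYPE_LOGON_INFO buffer whose `info` pointer is unset now dereferences NULL instead of failing cleanly. Extend the skip condition to `if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO || !pac_data->buffers[i].info) { continue; }`. The index `int i` is compared with `pac_data->num_buffers`, which the removed caller code iterated with `unsigned int`; declaring `i` as `unsigned int` keeps the comparison signed-consistent. A short header comment would also help here: state that on success `*logon_info` is presumably a talloc child of the decoded PAC under `mem_ctx` (callers go on to `talloc_steal()` it), and that the last matching buffer wins if several are present.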
struct PAC_SIGNATURE_DATA;
struct PAC_DATA;
+struct PAC_LOGON_INFO;
krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
struct PAC_SIGNATURE_DATA *sig,
time_t tgs_authtime,
struct PAC_DATA **pac_data_out);
+NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
+ DATA_BLOB blob,
+ krb5_context context,
+ const krb5_keyblock *krbtgt_keyblock,
+ const krb5_keyblock *service_keyblock,
+ krb5_const_principal client_principal,
+ time_t tgs_authtime,
+ struct PAC_LOGON_INFO **logon_info);
+
NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
gss_ctx_id_t gssapi_context,
gss_name_t gss_client_name,
struct auth_session_info **session_info)
{
TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
bool is_mapped;
bool is_guest;
char *ntuser;
if (pac_blob) {
#ifdef HAVE_KRB5
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
#else
status = NT_STATUS_ACCESS_DENIED;
#endif
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
}
rc = get_remote_hostname(remote_address,
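Review bot: The removed caller loop logged `DEBUG(1, ("Invalid PAC data, missing logon info!\n"))` and returned `NT_STATUS_NOT_FOUND` when no logon-info buffer was present; after switching to `kerberos_pac_logon_info()` that case surfaces as `NT_STATUS_INVALID_PARAMETER` with no log line, so a malformed or stripped PAC is harder to diagnose from the logs, and any caller that distinguished NOT_FOUND from other failures changes behaviour (none is visible in this hunk). The same applies to the other two call sites converted in this commit. Either log inside the helper before its `return NT_STATUS_INVALID_PARAMETER;`, or add in the `!NT_STATUS_IS_OK(status)` branch here `DEBUG(1, ("Failed to get logon info from PAC: %s\n", nt_errstr(status)));`. The enclosing function starts before this hunk.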
struct auth_session_info **session_info)
{
TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
tmp_ctx = talloc_new(mem_ctx);
}
if (pac_blob) {
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
}
+
talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");
auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);
struct auth_session_info **session_info)
{
TALLOC_CTX *tmp_ctx;
- struct PAC_DATA *pac_data = NULL;
struct PAC_LOGON_INFO *logon_info = NULL;
- unsigned int i;
char *unixuser;
NTSTATUS status;
char *domain = NULL;
if (pac_blob) {
#ifdef HAVE_KRB5
- status = kerberos_decode_pac(tmp_ctx,
- *pac_blob,
- NULL, NULL, NULL, NULL, 0, &pac_data);
+ status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
+ NULL, NULL, 0, &logon_info);
#else
status = NT_STATUS_ACCESS_DENIED;
#endif
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
-
- /* get logon name and logon info */
- for (i = 0; i < pac_data->num_buffers; i++) {
- struct PAC_BUFFER *data_buf = &pac_data->buffers[i];
-
- switch (data_buf->type) {
- case PAC_TYPE_LOGON_INFO:
- if (!data_buf->info) {
- break;
- }
- logon_info = data_buf->info->logon_info.info;
- break;
- default:
- break;
- }
- }
- if (!logon_info) {
- DEBUG(1, ("Invalid PAC data, missing logon info!\n"));
- status = NT_STATUS_NOT_FOUND;
- goto done;
- }
}
DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name));
#endif
/* Samba wrapper function for krb5 functionality. */
-NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_LOGON_INFO **logon_info);
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
struct PAC_DATA *pac_data,
krb5_context context,
#include "auth/kerberos/kerberos_util.h"
#include "auth/kerberos/pac_utils.h"
-_PUBLIC_ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
- DATA_BLOB blob,
- krb5_context context,
- const krb5_keyblock *krbtgt_keyblock,
- const krb5_keyblock *service_keyblock,
- krb5_const_principal client_principal,
- time_t tgs_authtime,
- struct PAC_LOGON_INFO **logon_info)
-{
- NTSTATUS nt_status;
- struct PAC_DATA *pac_data;
- int i;
- nt_status = kerberos_decode_pac(mem_ctx,
- blob,
- context,
- krbtgt_keyblock,
- service_keyblock,
- client_principal,
- tgs_authtime,
- &pac_data);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
- *logon_info = NULL;
- for (i=0; i < pac_data->num_buffers; i++) {
- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
- continue;
- }
- *logon_info = pac_data->buffers[i].info->logon_info.info;
- }
- if (!*logon_info) {
- return NT_STATUS_INVALID_PARAMETER;
- }
- return NT_STATUS_OK;
-}
-
krb5_error_code kerberos_encode_pac(TALLOC_CTX *mem_ctx,
struct PAC_DATA *pac_data,
krb5_context context,