author | Stefan Metzmacher <metze@samba.org> | 2016-01-07 14:55:07 +0100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-07-22 23:34:22 +0200 |
commit | 8b1f5cad958a4022edc947b6abdb198ffad1a525 (patch) | |
tree | 76b5cd0fc76419c8810dd5c87715d217247a0517 | |
parent | 1854252816bf19b9afd104098e750d8495ad85b6 (diff) | |
download | samba-8b1f5cad958a4022edc947b6abdb198ffad1a525.tar.gz |
auth/auth_sam_reply: fill user_principal_* and dns_domain_name in make_user_info_dc_pac()
This is required in order to support netr_SamInfo6 and PAC_UPN_DNS_INFO
correctly.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | auth/auth_sam_reply.c | 22 | ||||
-rw-r--r-- | auth/auth_sam_reply.h | 1 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 35 |
3 files changed, 58 insertions, 0 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 1929cd9d848..15d17b0745e 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -506,6 +506,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, */ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, const struct PAC_LOGON_INFO *pac_logon_info, + const struct PAC_UPN_DNS_INFO *pac_upn_dns_info, struct auth_user_info_dc **_user_info_dc) { uint32_t i; @@ -574,6 +575,27 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, user_info_dc->num_sids++; } } + + if (pac_upn_dns_info != NULL) { + user_info_dc->info->user_principal_name = + talloc_strdup(user_info_dc->info, + pac_upn_dns_info->upn_name); + if (user_info_dc->info->user_principal_name == NULL) { + return NT_STATUS_NO_MEMORY; + } + + user_info_dc->info->dns_domain_name = + talloc_strdup(user_info_dc->info, + pac_upn_dns_info->dns_domain_name); + if (user_info_dc->info->dns_domain_name == NULL) { + return NT_STATUS_NO_MEMORY; + } + + if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_CONSTRUCTED) { + user_info_dc->info->user_principal_constructed = true; + } + } + *_user_info_dc = user_info_dc; return NT_STATUS_OK; } diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h index 5d86830b328..617fae7ad0e 100644 --- a/auth/auth_sam_reply.h +++ b/auth/auth_sam_reply.h @@ -63,6 +63,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, */ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, const struct PAC_LOGON_INFO *pac_logon_info, + const struct PAC_UPN_DNS_INFO *pac_upn_dns_info, struct auth_user_info_dc **_user_info_dc); /* The following definitions come from auth/wbc_auth_util.c */ diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index 27fb19b6e2f..f511aae7a88 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c 
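Review bot: In the new `if (pac_upn_dns_info != NULL)` block a NULL `upn_name` or `dns_domain_name` would be reported as NT_STATUS_NO_MEMORY, because talloc_strdup() returns NULL for a NULL source and the only check after each copy is the NULL test; I cannot tell from this hunk whether the IDL lets those relative pointers be NULL after the NDR pull, but if it does, a malformed buffer is misdiagnosed as an allocation failure. A guard before the copies keeps the two cases apart, e.g. `if (pac_upn_dns_info->upn_name == NULL || pac_upn_dns_info->dns_domain_name == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. Since this function builds the identity later used for authorization, the block also deserves a why-comment such as `/* strings come verbatim from the PAC UPN_DNS_INFO buffer; they are copied, not validated, here — the PAC checksums are assumed to have been verified by the caller */`, with the last clause hedged because checksum verification is not visible in this diff. make_user_info_dc_pac() begins in the previous hunk, outside this one.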
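Review bot: The prototype gains `pac_upn_dns_info` but the comment block ending at the ` */` just above it is not touched, so a caller reading the header cannot see that the argument is optional; the .c side treats NULL as "no UPN_DNS_INFO buffer present". I would add to that comment: `pac_upn_dns_info may be NULL; when given, its upn_name and dns_domain_name are copied into user_principal_name and dns_domain_name, and PAC_UPN_DNS_FLAG_CONSTRUCTED sets user_principal_constructed`. The rest of that comment lies outside the hunk, so whether it documents the other parameters in the same form is not visible here.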
@@ -288,8 +288,12 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, DATA_BLOB pac_logon_info_in, pac_srv_checksum_in, pac_kdc_checksum_in; krb5_data k5pac_logon_info_in, k5pac_srv_checksum_in, k5pac_kdc_checksum_in; + DATA_BLOB pac_upn_dns_info_in; + krb5_data k5pac_upn_dns_info_in; union PAC_INFO info; + union PAC_INFO _upn_dns_info; + const struct PAC_UPN_DNS_INFO *upn_dns_info = NULL; struct auth_user_info_dc *user_info_dc_out; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -322,9 +326,40 @@ krb5_error_code kerberos_pac_to_user_info_dc(TALLOC_CTX *mem_ctx, return EINVAL; } + ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_UPN_DNS_INFO, + &k5pac_upn_dns_info_in); + if (ret == ENOENT) { + ZERO_STRUCT(k5pac_upn_dns_info_in); + ret = 0; + } + if (ret != 0) { + talloc_free(tmp_ctx); + return EINVAL; + } + + pac_upn_dns_info_in = data_blob_const(k5pac_upn_dns_info_in.data, + k5pac_upn_dns_info_in.length); + + if (pac_upn_dns_info_in.length != 0) { + ndr_err = ndr_pull_union_blob(&pac_upn_dns_info_in, tmp_ctx, + &_upn_dns_info, + PAC_TYPE_UPN_DNS_INFO, + (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO); + kerberos_free_data_contents(context, &k5pac_upn_dns_info_in); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + nt_status = ndr_map_error2ntstatus(ndr_err); + DEBUG(0,("can't parse the PAC UPN_DNS_INFO: %s\n", + nt_errstr(nt_status))); + talloc_free(tmp_ctx); + return EINVAL; + } + upn_dns_info = &_upn_dns_info.upn_dns_info; + } + /* Pull this right into the normal auth sysstem structures */ nt_status = make_user_info_dc_pac(mem_ctx, info.logon_info.info, + upn_dns_info, &user_info_dc_out); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); |
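Review bot: `kerberos_free_data_contents(context, &k5pac_upn_dns_info_in)` is reached only inside `if (pac_upn_dns_info_in.length != 0)`, so a UPN_DNS_INFO buffer that krb5_pac_get_buffer() returns with length 0 is never released; whether the library allocates anything for an empty buffer depends on the Kerberos implementation, but only the ENOENT branch is guaranteed to leave nothing behind. The smallest fix is an else branch on that conditional, `} else { kerberos_free_data_contents(context, &k5pac_upn_dns_info_in); }`, which I would expect to be a no-op on the zeroed struct from the ENOENT path, though that is worth confirming for both Kerberos libraries. An empty but present buffer is also silently treated as absent; if that is intended, a comment like `/* an empty UPN_DNS_INFO buffer is treated as if it were missing */` should say so, otherwise it should take the same EINVAL path as a buffer that fails to parse. `upn_dns_info` points into `_upn_dns_info`, a local of this function whose strings are talloc'd on tmp_ctx, so the consumer must copy rather than reference them before tmp_ctx is freed — the auth_sam_reply.c hunk does copy them with talloc_strdup(), which is fine. kerberos_pac_to_user_info_dc() begins before this hunk and continues after it.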