diff options
| author | Christof Schmitt <christof.schmitt@us.ibm.com> | 2012-07-18 14:38:47 -0700 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2012-09-20 19:49:32 -0700 |
| commit | 1bc2f28b9420829645ed571daf2a17e6688b2103 (patch) | |
| tree | 24001ed654ed1634f3f9f48f075010a02a4052d7 /nsswitch/libwbclient | |
| parent | 8a6a13ab51f404525ff18f65d5a22132c465898e (diff) | |
| download | samba-1bc2f28b9420829645ed571daf2a17e6688b2103.tar.gz | |
winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.
The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'nsswitch/libwbclient')
| -rw-r--r-- | nsswitch/libwbclient/wbc_pam.c | 16 | ||||
| -rw-r--r-- | nsswitch/libwbclient/wbclient.h | 42 |
2 files changed, 37 insertions, 21 deletions
diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c index f7fb9f23f67..f183cc61b1e 100644 --- a/nsswitch/libwbclient/wbc_pam.c +++ b/nsswitch/libwbclient/wbc_pam.c @@ -364,7 +364,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, BAIL_ON_WBC_ERROR(wbc_status); } - if (!params->account_name) { + if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) { wbc_status = WBC_ERR_INVALID_PARAM; BAIL_ON_WBC_ERROR(wbc_status); } @@ -491,6 +491,20 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params, request.data.auth_crap.nt_resp_len); } break; + + case WBC_AUTH_USER_LEVEL_PAC: + cmd = WINBINDD_PAM_AUTH_CRAP; + request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT; + request.extra_data.data = malloc(params->password.pac.length); + if (request.extra_data.data == NULL) { + wbc_status = WBC_ERR_NO_MEMORY; + BAIL_ON_WBC_ERROR(wbc_status); + } + memcpy(request.extra_data.data, params->password.pac.data, + params->password.pac.length); + request.extra_len = params->password.pac.length; + break; + default: break; } diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h index cb70cbd5138..473c9019d67 100644 --- a/nsswitch/libwbclient/wbclient.h +++ b/nsswitch/libwbclient/wbclient.h @@ -197,6 +197,25 @@ struct wbcDomainInfo { #define WBC_DOMINFO_TRUSTTYPE_EXTERNAL 0x00000003 /** + * @brief Generic Blob + **/ + +struct wbcBlob { + uint8_t *data; + size_t length; +}; + +/** + * @brief Named Blob + **/ + +struct wbcNamedBlob { + const char *name; + uint32_t flags; + struct wbcBlob blob; +}; + +/** * @brief Auth User Parameters **/ @@ -212,7 +231,8 @@ struct wbcAuthUserParams { enum wbcAuthUserLevel { WBC_AUTH_USER_LEVEL_PLAIN = 1, WBC_AUTH_USER_LEVEL_HASH = 2, - WBC_AUTH_USER_LEVEL_RESPONSE = 3 + WBC_AUTH_USER_LEVEL_RESPONSE = 3, + WBC_AUTH_USER_LEVEL_PAC = 4 } level; union { const char *plaintext; @@ -227,29 +247,11 @@ struct wbcAuthUserParams { uint32_t lm_length; uint8_t *lm_data; } response; + struct wbcBlob pac; } password; }; /** - * @brief Generic Blob - **/ - -struct wbcBlob { - uint8_t *data; - size_t length; -}; - -/** - * @brief Named Blob - **/ - -struct wbcNamedBlob { - const char *name; - uint32_t flags; - struct wbcBlob blob; -}; - -/** * @brief Logon User Parameters **/ |