diff options
| author | Christof Schmitt <christof.schmitt@us.ibm.com> | 2012-07-18 14:38:47 -0700 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2012-09-20 19:49:32 -0700 |
| commit | 1bc2f28b9420829645ed571daf2a17e6688b2103 (patch) | |
| tree | 24001ed654ed1634f3f9f48f075010a02a4052d7 /source3/winbindd/winbindd_pam_auth_crap.c | |
| parent | 8a6a13ab51f404525ff18f65d5a22132c465898e (diff) | |
| download | samba-1bc2f28b9420829645ed571daf2a17e6688b2103.tar.gz | |
winbind: Extend wbcAuthenticateUserEx to provide PAC
With this new interface, external applications that have authenticated
to an ADS can pass the PAC from the Kerberos ticket to
wbcAuthenticateUserEx. winbindd decodes and extracts the info3
information for the external application. If winbindd can verify the PAC
signature, the info3 from the PACis also added to the netsamlogon_cache.
The info3 data can be used by the external application to get the uid
and primary gid. The data in netsamlogon_cache allows to retrieve the
complete group list through the NSS function getgrouplist.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source3/winbindd/winbindd_pam_auth_crap.c')
| -rw-r--r-- | source3/winbindd/winbindd_pam_auth_crap.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c index 2fb5111510c..ffbc322fc0c 100644 --- a/source3/winbindd/winbindd_pam_auth_crap.c +++ b/source3/winbindd/winbindd_pam_auth_crap.c @@ -22,6 +22,8 @@ struct winbindd_pam_auth_crap_state { struct winbindd_response *response; + struct netr_SamInfo3 *info3; + uint32_t flags; }; static void winbindd_pam_auth_crap_done(struct tevent_req *subreq); @@ -42,6 +44,21 @@ struct tevent_req *winbindd_pam_auth_crap_send( return NULL; } + if (request->flags & WBFLAG_PAM_AUTH_PAC) { + NTSTATUS status; + + state->flags = request->flags; + status = winbindd_pam_auth_pac_send(cli, &state->info3); + if (NT_STATUS_IS_OK(status)) { + /* Defer filling out response to recv */ + tevent_req_done(req); + } else { + tevent_req_nterror(req, status); + } + + return tevent_req_post(req, ev); + } + /* Ensure null termination */ request->data.auth_crap.user[ sizeof(request->data.auth_crap.user)-1] = '\0'; @@ -114,6 +131,12 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req, set_auth_errors(response, status); return status; } + + if (state->flags & WBFLAG_PAM_AUTH_PAC) { + return append_auth_data(response, response, state->flags, + state->info3, NULL, NULL); + } + *response = *state->response; response->result = WINBINDD_PENDING; state->response = talloc_move(response, &state->response); |