-rw-r--r-- | auth/kerberos/kerberos_pac.c | 85 | ||||
-rw-r--r-- | auth/kerberos/pac_utils.h | 10 | ||||
-rw-r--r-- | source3/libads/kerberos_proto.h | 7 | ||||
-rw-r--r-- | source3/utils/net_ads.c | 1 |
4 files changed, 97 insertions, 6 deletions
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 0ab0e9a4594..650c851bf13 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -30,6 +30,8 @@
 #ifdef HAVE_KRB5
 #include "librpc/gen_ndr/ndr_krb5pac.h"
+#include "librpc/gen_ndr/auth.h"
+#include "auth/common_auth.h"
 #include "auth/kerberos/pac_utils.h"
 krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
@@ -466,4 +468,87 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+static NTSTATUS auth4_context_fetch_PAC_DATA_CTR(
+ struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx,
+ struct smb_krb5_context *smb_krb5_context,
+ DATA_BLOB *pac_blob,
+ const char *princ_name,
+ const struct tsocket_address *remote_address,
+ uint32_t session_info_flags,
+ struct auth_session_info **session_info)
+{
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
+ NTSTATUS status;
+
+ if (pac_blob == NULL) {
+ return NT_STATUS_NO_IMPERSONATION_TOKEN;
+ }
+
+ pac_data_ctr = talloc_zero(mem_ctx, struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ status = kerberos_decode_pac(pac_data_ctr,
+ *pac_blob,
+ NULL,
+ NULL,
+ NULL,
+ NULL,
+ 0,
+ &pac_data_ctr->pac_data);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto fail;
+ }
+
+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+ pac_blob->data,
+ pac_blob->length);
+ if (pac_data_ctr->pac_blob.length != pac_blob->length) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ *session_info = talloc_zero(mem_ctx, struct auth_session_info);
+ if (*session_info == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto fail;
+ }
+
+ TALLOC_FREE(auth_ctx->private_data);
+ auth_ctx->private_data = talloc_move(auth_ctx, &pac_data_ctr);
+
+ return NT_STATUS_OK;
+
+fail:
+ TALLOC_FREE(pac_data_ctr);
+
+ return status;
+}
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx)
+{
+ struct auth4_context *auth_ctx = NULL;
+
+ auth_ctx = talloc_zero(mem_ctx, struct auth4_context);
+ if (auth_ctx == NULL) {
+ return NULL;
+ }
+ auth_ctx->generate_session_info_pac = auth4_context_fetch_PAC_DATA_CTR;
+
+ return auth_ctx;
+}
+
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx)
+{
+ struct PAC_DATA_CTR *p = NULL;
+ SMB_ASSERT(auth_ctx->generate_session_info_pac == auth4_context_fetch_PAC_DATA_CTR);
+ p = talloc_get_type_abort(auth_ctx->private_data, struct PAC_DATA_CTR);
+ auth_ctx->private_data = NULL;
+ return talloc_move(mem_ctx, &p);
+}
+
 #endif
diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
index d09e7b643d4..36fd60c3349 100644
--- a/auth/kerberos/pac_utils.h
+++ b/auth/kerberos/pac_utils.h
@@ -53,6 +53,16 @@ NTSTATUS kerberos_pac_logon_info(TALLOC_CTX *mem_ctx,
 time_t tgs_authtime,
 struct PAC_LOGON_INFO **logon_info);
+struct PAC_DATA;
+struct PAC_DATA_CTR {
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data;
+};
+
+struct auth4_context *auth4_context_for_PAC_DATA_CTR(TALLOC_CTX *mem_ctx);
+struct PAC_DATA_CTR *auth4_context_get_PAC_DATA_CTR(struct auth4_context *auth_ctx,
+ TALLOC_CTX *mem_ctx);
+
 NTSTATUS gssapi_obtain_pac_blob(TALLOC_CTX *mem_ctx,
 gss_ctx_id_t gssapi_context,
 gss_name_t gss_client_name,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 433bce9e0ec..3d7b5bc074b 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -32,12 +32,7 @@
 #include "system/kerberos.h"
-struct PAC_DATA;
-
-struct PAC_DATA_CTR {
- DATA_BLOB pac_blob;
- struct PAC_DATA *pac_data;
-};
+struct PAC_DATA_CTR;
 #define DEFAULT_KRB5_PORT 88
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 95a6ed74b78..702ec096d28 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -40,6 +40,7 @@
 #include "libsmb/libsmb.h"
 #include "lib/param/loadparm.h"
 #include "utils/net_dns.h"
+#include "auth/kerberos/pac_utils.h"
 #ifdef HAVE_JANSSON
 #include <jansson.h> |
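Review bot: auth4_context_fetch_PAC_DATA_CTR() calls kerberos_decode_pac() with NULL for what appear to be the krb5 context, keyblock and principal arguments and 0 for the authtime, so this callback only decodes the PAC and does not re-check its signatures; it relies on the caller having handed over a blob the Kerberos/GSSAPI acceptor has already verified, and that trust boundary should be stated above the function, e.g. `/* Decode only: the caller must pass a PAC blob already verified by the GSSAPI acceptor; no checksum verification happens here. */`. The `*session_info` handed back is a bare talloc_zero()'d struct auth_session_info with no token, which is worth a one-line comment so nobody treats it as a usable session. In auth4_context_get_PAC_DATA_CTR(), private_data is cleared to NULL right after talloc_get_type_abort(), so a second call, or a call before generate_session_info_pac() has run successfully, aborts the process; the prototype added to pac_utils.h in the next hunk should say the getter is single-use, e.g. `/* Single-use: transfers the PAC_DATA_CTR stored by a successful generate_session_info_pac() call; aborts if none is stored. */`.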