From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Fri, 17 Jan 2014 14:29:03 +0100

Subject: [PATCH 1/8] s3-libads: pass down local_service to

 kerberos_return_pac().

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/libads/authdata.c       | 6 +-----

 source3/libads/kerberos_proto.h | 1 +

 source3/utils/net_ads.c         | 8 ++++++++

 source3/winbindd/winbindd_pam.c | 9 +++++++++

 4 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c

index 801e551..dd80dc2 100644

--- a/source3/libads/authdata.c

+++ b/source3/libads/authdata.c

@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     bool add_netbios_addr,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

+			     const char *local_service,

 			     struct PAC_LOGON_INFO **_logon_info)

 {

 	krb5_error_code ret;

 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;

 	DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;

 	const char *auth_princ = NULL;

-	const char *local_service = NULL;

 	const char *cc = "MEMORY:kerberos_return_pac";

 	struct auth_session_info *session_info;

 	struct gensec_security *gensec_server_context;

@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 	}

 	NT_STATUS_HAVE_NO_MEMORY(auth_princ);

-	local_service = talloc_asprintf(mem_ctx, "%s$@%s",

-					lp_netbios_name(), lp_realm());

-	NT_STATUS_HAVE_NO_MEMORY(local_service);

-

 	ret = kerberos_kinit_password_ext(auth_princ,

 					  pass,

 					  time_offset,

diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h

index 2559634..1151d66 100644

--- a/source3/libads/kerberos_proto.h

+++ b/source3/libads/kerberos_proto.h

@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     bool add_netbios_addr,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

+			     const char *local_service,

 			     struct PAC_LOGON_INFO **logon_info);

 /* The following definitions come from libads/krb5_setpw.c  */

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index 89eebf3..5a073b1 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 	NTSTATUS status;

 	int ret = -1;

 	const char *impersonate_princ_s = NULL;

+	const char *local_service = NULL;

 	if (c->display_usage) {

 		d_printf(  "%s\n"

@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 		impersonate_princ_s = argv[0];

 	}

+	local_service = talloc_asprintf(mem_ctx, "%s$@%s",

+					lp_netbios_name(), lp_realm());

+	if (local_service == NULL) {

+		goto out;

+	}

+

 	c->opt_password = net_prompt_pass(c, c->opt_user_name);

 	status = kerberos_return_pac(mem_ctx,

@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 				     true,

 				     2592000, /* one month */

 				     impersonate_princ_s,

+				     local_service,

 				     &info;;

 	if (!NT_STATUS_IS_OK(status)) {

 		d_printf(_("failed to query kerberos PAC: %s\n"),

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index 3f3ec70..61e2cef 100644

--- a/source3/winbindd/winbindd_pam.c

+++ b/source3/winbindd/winbindd_pam.c

@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 	time_t time_offset = 0;

 	const char *user_ccache_file;

 	struct PAC_LOGON_INFO *logon_info = NULL;

+	const char *local_service;

 	*info3 = NULL;

@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 		return NT_STATUS_NO_MEMORY;

 	}

+	local_service = talloc_asprintf(mem_ctx, "%s$@%s",

+					lp_netbios_name(), lp_realm());

+	if (local_service == NULL) {

+		return NT_STATUS_NO_MEMORY;

+	}

+

+

 	/* if this is a user ccache, we need to act as the user to let the krb5

 	 * library handle the chown, etc. */

@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 				     true,

 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,

 				     NULL,

+				     local_service,

 				     &logon_info);

 	if (user_ccache_file != NULL) {

 		gain_root_privilege();

-- 

1.8.5.3

From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Mon, 3 Mar 2014 12:14:51 +0100

Subject: [PATCH 2/8] auth/kerberos: fix a typo.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 auth/kerberos/kerberos_pac.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c

index 81f7f21..8f55c8f 100644

--- a/auth/kerberos/kerberos_pac.c

+++ b/auth/kerberos/kerberos_pac.c

@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,

 }

 /**

-* @brief Decode a blob containing a NDR envoded PAC structure

+* @brief Decode a blob containing a NDR encoded PAC structure

 *

 * @param mem_ctx	  - The memory context

 * @param pac_data_blob	  - The data blob containing the NDR encoded data

-- 

1.8.5.3

From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Mon, 10 Mar 2014 15:11:18 +0100

Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used

 in "net ads kerberos pac".

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/utils/net_ads.c | 14 ++++++++++----

 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index 5a073b1..ac6346f 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 	int ret = -1;

 	const char *impersonate_princ_s = NULL;

 	const char *local_service = NULL;

+	int i;

 	if (c->display_usage) {

 		d_printf(  "%s\n"

@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 		return 0;

 	}

+	for (i=0; i

+		if (strnequal(argv[i], "impersonate", strlen("impersonate"))) {

+			impersonate_princ_s = get_string_param(argv[i]);

+			if (impersonate_princ_s == NULL) {

+				return -1;

+			}

+		}

+	}

+

 	mem_ctx = talloc_init("net_ads_kerberos_pac");

 	if (!mem_ctx) {

 		goto out;

 	}

-	if (argc > 0) {

-		impersonate_princ_s = argv[0];

-	}

-

 	local_service = talloc_asprintf(mem_ctx, "%s$@%s",

 					lp_netbios_name(), lp_realm());

 	if (local_service == NULL) {

-- 

1.8.5.3

From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Tue, 11 Mar 2014 16:34:36 +0100

Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads

 kerberos pac".

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/utils/net_ads.c | 14 +++++++++++---

 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index ac6346f..c53c8c6 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 				return -1;

 			}

 		}

+		if (strnequal(argv[i], "local_service", strlen("local_service"))) {

+			local_service = get_string_param(argv[i]);

+			if (local_service == NULL) {

+				return -1;

+			}

+		}

 	}

 	mem_ctx = talloc_init("net_ads_kerberos_pac");

@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 		goto out;

 	}

-	local_service = talloc_asprintf(mem_ctx, "%s$@%s",

-					lp_netbios_name(), lp_realm());

 	if (local_service == NULL) {

-		goto out;

+		local_service = talloc_asprintf(mem_ctx, "%s$@%s",

+						lp_netbios_name(), lp_realm());

+		if (local_service == NULL) {

+			goto out;

+		}

 	}

 	c->opt_password = net_prompt_pass(c, c->opt_user_name);

-- 

1.8.5.3

From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Fri, 21 Feb 2014 18:56:04 +0100

Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac().

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/libads/authdata.c       | 28 +++++++++++++++++-----------

 source3/libads/kerberos_proto.h |  4 ++--

 source3/utils/net_ads.c         | 17 ++++++++++++++++-

 source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++-

 4 files changed, 56 insertions(+), 15 deletions(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c

index dd80dc2..53e40ef 100644

--- a/source3/libads/authdata.c

+++ b/source3/libads/authdata.c

@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,

 				   struct auth_session_info **session_info)

 {

 	TALLOC_CTX *tmp_ctx;

-	struct PAC_LOGON_INFO *logon_info = NULL;

+	struct PAC_DATA *pac_data = NULL;

 	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;

 	tmp_ctx = talloc_new(mem_ctx);

@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,

 	}

 	if (pac_blob) {

-		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,

-						 NULL, NULL, 0, &logon_info);

+		status = kerberos_decode_pac(tmp_ctx,

+					     *pac_blob,

+					     NULL,

+					     NULL,

+					     NULL,

+					     NULL,

+					     0,

+					     &pac_data);

 		if (!NT_STATUS_IS_OK(status)) {

 			goto done;

 		}

 	}

-	talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO");

+	talloc_set_name_const(pac_data, "struct PAC_DATA");

-	auth_ctx->private_data = talloc_steal(auth_ctx, logon_info);

+	auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);

 	*session_info = talloc_zero(mem_ctx, struct auth_session_info);

 	if (!*session_info) {

 		status = NT_STATUS_NO_MEMORY;

@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

 			     const char *local_service,

-			     struct PAC_LOGON_INFO **_logon_info)

+			     struct PAC_DATA **_pac_data)

 {

 	krb5_error_code ret;

 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;

@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 	size_t idx = 0;

 	struct auth4_context *auth_context;

 	struct loadparm_context *lp_ctx;

-	struct PAC_LOGON_INFO *logon_info = NULL;

+	struct PAC_DATA *pac_data = NULL;

 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);

 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);

@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 		goto out;

 	}

-	logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data,

-					   struct PAC_LOGON_INFO);

-	if (logon_info == NULL) {

+	pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,

+					 struct PAC_DATA);

+	if (pac_data == NULL) {

 		DEBUG(1,("no PAC\n"));

 		status = NT_STATUS_INVALID_PARAMETER;

 		goto out;

 	}

-	*_logon_info = talloc_move(mem_ctx, &logon_info);

+	*_pac_data = talloc_move(mem_ctx, &pac_data);

 out:

 	talloc_free(tmp_ctx);

diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h

index 1151d66..b2f7486 100644

--- a/source3/libads/kerberos_proto.h

+++ b/source3/libads/kerberos_proto.h

@@ -32,7 +32,7 @@

 #include "system/kerberos.h"

-struct PAC_LOGON_INFO;

+struct PAC_DATA;

 #include "libads/ads_status.h"

@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

 			     const char *local_service,

-			     struct PAC_LOGON_INFO **logon_info);

+			     struct PAC_DATA **pac_data);

 /* The following definitions come from libads/krb5_setpw.c  */

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index c53c8c6..19da6da 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **

 static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)

 {

 	struct PAC_LOGON_INFO *info = NULL;

+	struct PAC_DATA *pac_data = NULL;

 	TALLOC_CTX *mem_ctx = NULL;

 	NTSTATUS status;

 	int ret = -1;

@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 				     2592000, /* one month */

 				     impersonate_princ_s,

 				     local_service,

-				     &info;;

+				     &pac_data);

 	if (!NT_STATUS_IS_OK(status)) {

 		d_printf(_("failed to query kerberos PAC: %s\n"),

 			nt_errstr(status));

 		goto out;

 	}

+	for (i=0; i < pac_data->num_buffers; i++) {

+

+		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {

+			continue;

+		}

+

+		info = pac_data->buffers[i].info->logon_info.info;

+		if (!info) {

+			goto out;

+		}

+

+		break;

+	}

+

 	if (info) {

 		const char *s;

 		s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info);

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index 61e2cef..a8daae51 100644

--- a/source3/winbindd/winbindd_pam.c

+++ b/source3/winbindd/winbindd_pam.c

@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 	time_t time_offset = 0;

 	const char *user_ccache_file;

 	struct PAC_LOGON_INFO *logon_info = NULL;

+	struct PAC_DATA *pac_data = NULL;

 	const char *local_service;

+	int i;

 	*info3 = NULL;

@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,

 				     NULL,

 				     local_service,

-				     &logon_info);

+				     &pac_data);

 	if (user_ccache_file != NULL) {

 		gain_root_privilege();

 	}

@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 		goto failed;

 	}

+	if (pac_data == NULL) {

+		goto failed;

+	}

+

+	for (i=0; i < pac_data->num_buffers; i++) {

+

+		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {

+			continue;

+		}

+

+		logon_info = pac_data->buffers[i].info->logon_info.info;

+		if (!logon_info) {

+			return NT_STATUS_INVALID_PARAMETER;

+		}

+

+		break;

+	}

+

 	*info3 = &logon_info->info3;

 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",

-- 

1.8.5.3

From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Tue, 11 Mar 2014 18:07:11 +0100

Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC

 container.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/libads/authdata.c       | 29 +++++++++++++++++++++--------

 source3/libads/kerberos_proto.h |  7 ++++++-

 source3/utils/net_ads.c         |  5 ++++-

 source3/winbindd/winbindd_pam.c |  8 +++++++-

 4 files changed, 38 insertions(+), 11 deletions(-)

diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c

index 53e40ef..276408d 100644

--- a/source3/libads/authdata.c

+++ b/source3/libads/authdata.c

@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,

 {

 	TALLOC_CTX *tmp_ctx;

 	struct PAC_DATA *pac_data = NULL;

+	struct PAC_DATA_CTR *pac_data_ctr = NULL;

 	NTSTATUS status = NT_STATUS_INTERNAL_ERROR;

 	tmp_ctx = talloc_new(mem_ctx);

@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,

 		}

 	}

-	talloc_set_name_const(pac_data, "struct PAC_DATA");

+	pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);

+	if (pac_data_ctr == NULL) {

+		status = NT_STATUS_NO_MEMORY;

+		goto done;

+	}

+

+	talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");

+

+	pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);

+	pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,

+						  pac_blob->data,

+						  pac_blob->length);

+

+	auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);

-	auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);

 	*session_info = talloc_zero(mem_ctx, struct auth_session_info);

 	if (!*session_info) {

 		status = NT_STATUS_NO_MEMORY;

@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

 			     const char *local_service,

-			     struct PAC_DATA **_pac_data)

+			     struct PAC_DATA_CTR **_pac_data_ctr)

 {

 	krb5_error_code ret;

 	NTSTATUS status = NT_STATUS_INVALID_PARAMETER;

@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 	size_t idx = 0;

 	struct auth4_context *auth_context;

 	struct loadparm_context *lp_ctx;

-	struct PAC_DATA *pac_data = NULL;

+	struct PAC_DATA_CTR *pac_data_ctr = NULL;

 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);

 	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);

@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 		goto out;

 	}

-	pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,

-					 struct PAC_DATA);

-	if (pac_data == NULL) {

+	pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,

+					     struct PAC_DATA_CTR);

+	if (pac_data_ctr == NULL) {

 		DEBUG(1,("no PAC\n"));

 		status = NT_STATUS_INVALID_PARAMETER;

 		goto out;

 	}

-	*_pac_data = talloc_move(mem_ctx, &pac_data);

+	*_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);

 out:

 	talloc_free(tmp_ctx);

diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h

index b2f7486..3d0ad4b 100644

--- a/source3/libads/kerberos_proto.h

+++ b/source3/libads/kerberos_proto.h

@@ -34,6 +34,11 @@

 struct PAC_DATA;

+struct PAC_DATA_CTR {

+	DATA_BLOB pac_blob;

+	struct PAC_DATA *pac_data;

+};

+

 #include "libads/ads_status.h"

 /* The following definitions come from libads/kerberos.c  */

@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,

 			     time_t renewable_time,

 			     const char *impersonate_princ_s,

 			     const char *local_service,

-			     struct PAC_DATA **pac_data);

+			     struct PAC_DATA_CTR **pac_data_ctr);

 /* The following definitions come from libads/krb5_setpw.c  */

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index 19da6da..19c28b1 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 {

 	struct PAC_LOGON_INFO *info = NULL;

 	struct PAC_DATA *pac_data = NULL;

+	struct PAC_DATA_CTR *pac_data_ctr = NULL;

 	TALLOC_CTX *mem_ctx = NULL;

 	NTSTATUS status;

 	int ret = -1;

@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar

 				     2592000, /* one month */

 				     impersonate_princ_s,

 				     local_service,

-				     &pac_data);

+				     &pac_data_ctr);

 	if (!NT_STATUS_IS_OK(status)) {

 		d_printf(_("failed to query kerberos PAC: %s\n"),

 			nt_errstr(status));

 		goto out;

 	}

+	pac_data = pac_data_ctr->pac_data;

+

 	for (i=0; i < pac_data->num_buffers; i++) {

 		if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c

index a8daae51..b41291e 100644

--- a/source3/winbindd/winbindd_pam.c

+++ b/source3/winbindd/winbindd_pam.c

@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 	const char *user_ccache_file;

 	struct PAC_LOGON_INFO *logon_info = NULL;

 	struct PAC_DATA *pac_data = NULL;

+	struct PAC_DATA_CTR *pac_data_ctr = NULL;

 	const char *local_service;

 	int i;

@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 				     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,

 				     NULL,

 				     local_service,

-				     &pac_data);

+				     &pac_data_ctr);

 	if (user_ccache_file != NULL) {

 		gain_root_privilege();

 	}

@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,

 		goto failed;

 	}

+	if (pac_data_ctr == NULL) {

+		goto failed;

+	}

+

+	pac_data = pac_data_ctr->pac_data;

 	if (pac_data == NULL) {

 		goto failed;

 	}

-- 

1.8.5.3

From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>

Date: Tue, 11 Mar 2014 18:14:39 +0100

Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac"

 command.

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow

dumping of individial pac buffer types. Ommitting type= or using type=0 will

dump the whole PAC structure on stdout.

Guenther

Signed-off-by: Günther Deschner <gd@samba.org>

Reviewed-by: Andreas Schneider <asn@samba.org>

---

 source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++----------------

 1 file changed, 77 insertions(+), 38 deletions(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c

index 19c28b1..f54cf23 100644

--- a/source3/utils/net_ads.c

+++ b/source3/utils/net_ads.c

@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char **

 	return ret;

 }

-static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv)

+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv,

+				       struct PAC_DATA_CTR **pac_data_ctr)

 {

-	struct PAC_LOGON_INFO *info = NULL;

-	struct PAC_DATA *pac_data = NULL;

-	struct PAC_DATA_CTR *pac_data_ctr = NULL;

-	TALLOC_CTX *mem_ctx = NULL;

 	NTSTATUS status;

 	int ret = -1;

 	const char *impersonate_princ_s = NULL;

 	const char *local_service = NULL;

 	int i;