From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 17 Jan 2014 14:29:03 +0100 Subject: [PATCH 1/8] s3-libads: pass down local_service to kerberos_return_pac(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/libads/authdata.c | 6 +----- source3/libads/kerberos_proto.h | 1 + source3/utils/net_ads.c | 8 ++++++++ source3/winbindd/winbindd_pam.c | 9 +++++++++ 4 files changed, 19 insertions(+), 5 deletions(-) diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 801e551..dd80dc2 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, bool add_netbios_addr, time_t renewable_time, const char *impersonate_princ_s, + const char *local_service, struct PAC_LOGON_INFO **_logon_info) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; const char *auth_princ = NULL; - const char *local_service = NULL; const char *cc = "MEMORY:kerberos_return_pac"; struct auth_session_info *session_info; struct gensec_security *gensec_server_context; @@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, } NT_STATUS_HAVE_NO_MEMORY(auth_princ); - local_service = talloc_asprintf(mem_ctx, "%s$@%s", - lp_netbios_name(), lp_realm()); - NT_STATUS_HAVE_NO_MEMORY(local_service); - ret = kerberos_kinit_password_ext(auth_princ, pass, time_offset, diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index 2559634..1151d66 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, bool add_netbios_addr, time_t renewable_time, const char *impersonate_princ_s, + const char *local_service, struct PAC_LOGON_INFO **logon_info); /* The following definitions come from libads/krb5_setpw.c */ diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 89eebf3..5a073b1 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar NTSTATUS status; int ret = -1; const char *impersonate_princ_s = NULL; + const char *local_service = NULL; if (c->display_usage) { d_printf( "%s\n" @@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar impersonate_princ_s = argv[0]; } + local_service = talloc_asprintf(mem_ctx, "%s$@%s", + lp_netbios_name(), lp_realm()); + if (local_service == NULL) { + goto out; + } + c->opt_password = net_prompt_pass(c, c->opt_user_name); status = kerberos_return_pac(mem_ctx, @@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar true, 2592000, /* one month */ impersonate_princ_s, + local_service, &info); if (!NT_STATUS_IS_OK(status)) { d_printf(_("failed to query kerberos PAC: %s\n"), diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 3f3ec70..61e2cef 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, time_t time_offset = 0; const char *user_ccache_file; struct PAC_LOGON_INFO *logon_info = NULL; + const char *local_service; *info3 = NULL; @@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } + local_service = talloc_asprintf(mem_ctx, "%s$@%s", + lp_netbios_name(), lp_realm()); + if (local_service == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* if this is a user ccache, we need to act as the user to let the krb5 * library handle the chown, etc. */ @@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, true, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, NULL, + local_service, &logon_info); if (user_ccache_file != NULL) { gain_root_privilege(); -- 1.8.5.3 From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Mon, 3 Mar 2014 12:14:51 +0100 Subject: [PATCH 2/8] auth/kerberos: fix a typo. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- auth/kerberos/kerberos_pac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c index 81f7f21..8f55c8f 100644 --- a/auth/kerberos/kerberos_pac.c +++ b/auth/kerberos/kerberos_pac.c @@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, } /** -* @brief Decode a blob containing a NDR envoded PAC structure +* @brief Decode a blob containing a NDR encoded PAC structure * * @param mem_ctx - The memory context * @param pac_data_blob - The data blob containing the NDR encoded data -- 1.8.5.3 From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Mon, 10 Mar 2014 15:11:18 +0100 Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used in "net ads kerberos pac". MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/utils/net_ads.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 5a073b1..ac6346f 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar int ret = -1; const char *impersonate_princ_s = NULL; const char *local_service = NULL; + int i; if (c->display_usage) { d_printf( "%s\n" @@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar return 0; } + for (i=0; i 0) { - impersonate_princ_s = argv[0]; - } - local_service = talloc_asprintf(mem_ctx, "%s$@%s", lp_netbios_name(), lp_realm()); if (local_service == NULL) { -- 1.8.5.3 From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 11 Mar 2014 16:34:36 +0100 Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads kerberos pac". MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/utils/net_ads.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index ac6346f..c53c8c6 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar return -1; } } + if (strnequal(argv[i], "local_service", strlen("local_service"))) { + local_service = get_string_param(argv[i]); + if (local_service == NULL) { + return -1; + } + } } mem_ctx = talloc_init("net_ads_kerberos_pac"); @@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar goto out; } - local_service = talloc_asprintf(mem_ctx, "%s$@%s", - lp_netbios_name(), lp_realm()); if (local_service == NULL) { - goto out; + local_service = talloc_asprintf(mem_ctx, "%s$@%s", + lp_netbios_name(), lp_realm()); + if (local_service == NULL) { + goto out; + } } c->opt_password = net_prompt_pass(c, c->opt_user_name); -- 1.8.5.3 From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Fri, 21 Feb 2014 18:56:04 +0100 Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/libads/authdata.c | 28 +++++++++++++++++----------- source3/libads/kerberos_proto.h | 4 ++-- source3/utils/net_ads.c | 17 ++++++++++++++++- source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++- 4 files changed, 56 insertions(+), 15 deletions(-) diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index dd80dc2..53e40ef 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, struct auth_session_info **session_info) { TALLOC_CTX *tmp_ctx; - struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; NTSTATUS status = NT_STATUS_INTERNAL_ERROR; tmp_ctx = talloc_new(mem_ctx); @@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, } if (pac_blob) { - status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, - NULL, NULL, 0, &logon_info); + status = kerberos_decode_pac(tmp_ctx, + *pac_blob, + NULL, + NULL, + NULL, + NULL, + 0, + &pac_data); if (!NT_STATUS_IS_OK(status)) { goto done; } } - talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO"); + talloc_set_name_const(pac_data, "struct PAC_DATA"); - auth_ctx->private_data = talloc_steal(auth_ctx, logon_info); + auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); *session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!*session_info) { status = NT_STATUS_NO_MEMORY; @@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_t renewable_time, const char *impersonate_princ_s, const char *local_service, - struct PAC_LOGON_INFO **_logon_info) + struct PAC_DATA **_pac_data) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; @@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, size_t idx = 0; struct auth4_context *auth_context; struct loadparm_context *lp_ctx; - struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); @@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, goto out; } - logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data, - struct PAC_LOGON_INFO); - if (logon_info == NULL) { + pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, + struct PAC_DATA); + if (pac_data == NULL) { DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; } - *_logon_info = talloc_move(mem_ctx, &logon_info); + *_pac_data = talloc_move(mem_ctx, &pac_data); out: talloc_free(tmp_ctx); diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index 1151d66..b2f7486 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -32,7 +32,7 @@ #include "system/kerberos.h" -struct PAC_LOGON_INFO; +struct PAC_DATA; #include "libads/ads_status.h" @@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_t renewable_time, const char *impersonate_princ_s, const char *local_service, - struct PAC_LOGON_INFO **logon_info); + struct PAC_DATA **pac_data); /* The following definitions come from libads/krb5_setpw.c */ diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index c53c8c6..19da6da 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) { struct PAC_LOGON_INFO *info = NULL; + struct PAC_DATA *pac_data = NULL; TALLOC_CTX *mem_ctx = NULL; NTSTATUS status; int ret = -1; @@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar 2592000, /* one month */ impersonate_princ_s, local_service, - &info); + &pac_data); if (!NT_STATUS_IS_OK(status)) { d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status)); goto out; } + for (i=0; i < pac_data->num_buffers; i++) { + + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { + continue; + } + + info = pac_data->buffers[i].info->logon_info.info; + if (!info) { + goto out; + } + + break; + } + if (info) { const char *s; s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 61e2cef..a8daae51 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, time_t time_offset = 0; const char *user_ccache_file; struct PAC_LOGON_INFO *logon_info = NULL; + struct PAC_DATA *pac_data = NULL; const char *local_service; + int i; *info3 = NULL; @@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, NULL, local_service, - &logon_info); + &pac_data); if (user_ccache_file != NULL) { gain_root_privilege(); } @@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, goto failed; } + if (pac_data == NULL) { + goto failed; + } + + for (i=0; i < pac_data->num_buffers; i++) { + + if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { + continue; + } + + logon_info = pac_data->buffers[i].info->logon_info.info; + if (!logon_info) { + return NT_STATUS_INVALID_PARAMETER; + } + + break; + } + *info3 = &logon_info->info3; DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", -- 1.8.5.3 From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 11 Mar 2014 18:07:11 +0100 Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC container. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/libads/authdata.c | 29 +++++++++++++++++++++-------- source3/libads/kerberos_proto.h | 7 ++++++- source3/utils/net_ads.c | 5 ++++- source3/winbindd/winbindd_pam.c | 8 +++++++- 4 files changed, 38 insertions(+), 11 deletions(-) diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c index 53e40ef..276408d 100644 --- a/source3/libads/authdata.c +++ b/source3/libads/authdata.c @@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, { TALLOC_CTX *tmp_ctx; struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_CTR *pac_data_ctr = NULL; NTSTATUS status = NT_STATUS_INTERNAL_ERROR; tmp_ctx = talloc_new(mem_ctx); @@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, } } - talloc_set_name_const(pac_data, "struct PAC_DATA"); + pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR); + if (pac_data_ctr == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR"); + + pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data); + pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr, + pac_blob->data, + pac_blob->length); + + auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr); - auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); *session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!*session_info) { status = NT_STATUS_NO_MEMORY; @@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_t renewable_time, const char *impersonate_princ_s, const char *local_service, - struct PAC_DATA **_pac_data) + struct PAC_DATA_CTR **_pac_data_ctr) { krb5_error_code ret; NTSTATUS status = NT_STATUS_INVALID_PARAMETER; @@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, size_t idx = 0; struct auth4_context *auth_context; struct loadparm_context *lp_ctx; - struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_CTR *pac_data_ctr = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); @@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, goto out; } - pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, - struct PAC_DATA); - if (pac_data == NULL) { + pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data, + struct PAC_DATA_CTR); + if (pac_data_ctr == NULL) { DEBUG(1,("no PAC\n")); status = NT_STATUS_INVALID_PARAMETER; goto out; } - *_pac_data = talloc_move(mem_ctx, &pac_data); + *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); out: talloc_free(tmp_ctx); diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h index b2f7486..3d0ad4b 100644 --- a/source3/libads/kerberos_proto.h +++ b/source3/libads/kerberos_proto.h @@ -34,6 +34,11 @@ struct PAC_DATA; +struct PAC_DATA_CTR { + DATA_BLOB pac_blob; + struct PAC_DATA *pac_data; +}; + #include "libads/ads_status.h" /* The following definitions come from libads/kerberos.c */ @@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, time_t renewable_time, const char *impersonate_princ_s, const char *local_service, - struct PAC_DATA **pac_data); + struct PAC_DATA_CTR **pac_data_ctr); /* The following definitions come from libads/krb5_setpw.c */ diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 19da6da..19c28b1 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar { struct PAC_LOGON_INFO *info = NULL; struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_CTR *pac_data_ctr = NULL; TALLOC_CTX *mem_ctx = NULL; NTSTATUS status; int ret = -1; @@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar 2592000, /* one month */ impersonate_princ_s, local_service, - &pac_data); + &pac_data_ctr); if (!NT_STATUS_IS_OK(status)) { d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status)); goto out; } + pac_data = pac_data_ctr->pac_data; + for (i=0; i < pac_data->num_buffers; i++) { if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index a8daae51..b41291e 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, const char *user_ccache_file; struct PAC_LOGON_INFO *logon_info = NULL; struct PAC_DATA *pac_data = NULL; + struct PAC_DATA_CTR *pac_data_ctr = NULL; const char *local_service; int i; @@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, NULL, local_service, - &pac_data); + &pac_data_ctr); if (user_ccache_file != NULL) { gain_root_privilege(); } @@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, goto failed; } + if (pac_data_ctr == NULL) { + goto failed; + } + + pac_data = pac_data_ctr->pac_data; if (pac_data == NULL) { goto failed; } -- 1.8.5.3 From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 11 Mar 2014 18:14:39 +0100 Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac" command. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow dumping of individial pac buffer types. Ommitting type= or using type=0 will dump the whole PAC structure on stdout. Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++---------------- 1 file changed, 77 insertions(+), 38 deletions(-) diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index 19c28b1..f54cf23 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** return ret; } -static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) +static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv, + struct PAC_DATA_CTR **pac_data_ctr) { - struct PAC_LOGON_INFO *info = NULL; - struct PAC_DATA *pac_data = NULL; - struct PAC_DATA_CTR *pac_data_ctr = NULL; - TALLOC_CTX *mem_ctx = NULL; NTSTATUS status; int ret = -1; const char *impersonate_princ_s = NULL; const char *local_service = NULL; int i; - if (c->display_usage) { - d_printf( "%s\n" - "net ads kerberos pac [impersonation_principal]\n" - " %s\n", - _("Usage:"), - _("Dump the Kerberos PAC")); - return 0; - } - for (i=0; iopt_password = net_prompt_pass(c, c->opt_user_name); - status = kerberos_return_pac(mem_ctx, + status = kerberos_return_pac(c, c->opt_user_name, c->opt_password, 0, @@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar 2592000, /* one month */ impersonate_princ_s, local_service, - &pac_data_ctr); + pac_data_ctr); if (!NT_STATUS_IS_OK(status)) { d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status)); goto out; } - pac_data = pac_data_ctr->pac_data; + ret = 0; + out: + return ret; +} - for (i=0; i < pac_data->num_buffers; i++) { +static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv) +{ + struct PAC_DATA_CTR *pac_data_ctr = NULL; + int i; + int ret = -1; + enum PAC_TYPE type = 0; - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { - continue; + if (c->display_usage) { + d_printf( "%s\n" + "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n" + " %s\n", + _("Usage:"), + _("Dump the Kerberos PAC")); + return -1; + } + + for (i=0; ibuffers[i].info->logon_info.info; - if (!info) { - goto out; + ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr); + if (ret) { + return ret; + } + + if (type == 0) { + + char *s = NULL; + + s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA, + pac_data_ctr->pac_data); + if (s != NULL) { + d_printf(_("The Pac: %s\n"), s); + talloc_free(s); } - break; + return 0; } - if (info) { - const char *s; - s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); - d_printf(_("The Pac: %s\n"), s); + for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) { + + char *s = NULL; + + if (pac_data_ctr->pac_data->buffers[i].type != type) { + continue; + } + + s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type, + pac_data_ctr->pac_data->buffers[i].info); + if (s != NULL) { + d_printf(_("The Pac: %s\n"), s); + talloc_free(s); + } + break; } - ret = 0; - out: - TALLOC_FREE(mem_ctx); - return ret; + return 0; +} + +static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) +{ + struct functable func[] = { + { + "dump", + net_ads_kerberos_pac_dump, + NET_TRANSPORT_ADS, + N_("Dump Kerberos PAC"), + N_("net ads kerberos pac dump\n" + " Dump a Kerberos PAC to stdout") + }, + + {NULL, NULL, 0, NULL, NULL} + }; + + return net_run_function(c, argc, argv, "net ads kerberos pac", func); } static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv) -- 1.8.5.3 From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Tue, 11 Mar 2014 18:16:40 +0100 Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use "filename=string" to define a file where to save the unencrypted PAC to. Guenther Signed-off-by: Günther Deschner Reviewed-by: Andreas Schneider --- source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index f54cf23..8b8e719 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char return 0; } +static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv) +{ + struct PAC_DATA_CTR *pac_data_ctr = NULL; + char *filename = NULL; + int ret = -1; + int i; + + if (c->display_usage) { + d_printf( "%s\n" + "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n" + " %s\n", + _("Usage:"), + _("Save the Kerberos PAC")); + return -1; + } + + for (i=0; i\" to save the PAC\n")); + return -1; + } + + /* save the raw format */ + if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) { + d_printf(_("failed to save PAC in %s\n"), filename); + return -1; + } + + return 0; +} + static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) { struct functable func[] = { @@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar N_("net ads kerberos pac dump\n" " Dump a Kerberos PAC to stdout") }, + { + "save", + net_ads_kerberos_pac_save, + NET_TRANSPORT_ADS, + N_("Save Kerberos PAC"), + N_("net ads kerberos pac save\n" + " Save a Kerberos PAC in a file") + }, {NULL, NULL, 0, NULL, NULL} }; -- 1.8.5.3