diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch')
| -rw-r--r-- | meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch | 962 |
1 files changed, 0 insertions, 962 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch deleted file mode 100644 index 26a4caf01c..0000000000 --- a/meta-networking/recipes-connectivity/samba/samba-4.1.12/03-net-ads-kerberos-pac.patch +++ /dev/null @@ -1,962 +0,0 @@ -From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Fri, 17 Jan 2014 14:29:03 +0100 -Subject: [PATCH 1/8] s3-libads: pass down local_service to - kerberos_return_pac(). -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/libads/authdata.c | 6 +----- - source3/libads/kerberos_proto.h | 1 + - source3/utils/net_ads.c | 8 ++++++++ - source3/winbindd/winbindd_pam.c | 9 +++++++++ - 4 files changed, 19 insertions(+), 5 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index 801e551..dd80dc2 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - bool add_netbios_addr, - time_t renewable_time, - const char *impersonate_princ_s, -+ const char *local_service, - struct PAC_LOGON_INFO **_logon_info) - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; - DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1; - const char *auth_princ = NULL; -- const char *local_service = NULL; - const char *cc = "MEMORY:kerberos_return_pac"; - struct auth_session_info *session_info; - struct gensec_security *gensec_server_context; -@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - } - NT_STATUS_HAVE_NO_MEMORY(auth_princ); - -- local_service = talloc_asprintf(mem_ctx, "%s$@%s", -- lp_netbios_name(), lp_realm()); -- NT_STATUS_HAVE_NO_MEMORY(local_service); -- - ret = kerberos_kinit_password_ext(auth_princ, - pass, - time_offset, -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index 2559634..1151d66 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - bool add_netbios_addr, - time_t renewable_time, - const char *impersonate_princ_s, -+ const char *local_service, - struct PAC_LOGON_INFO **logon_info); - - /* The following definitions come from libads/krb5_setpw.c */ -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 89eebf3..5a073b1 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - NTSTATUS status; - int ret = -1; - const char *impersonate_princ_s = NULL; -+ const char *local_service = NULL; - - if (c->display_usage) { - d_printf( "%s\n" -@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - impersonate_princ_s = argv[0]; - } - -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s", -+ lp_netbios_name(), lp_realm()); -+ if (local_service == NULL) { -+ goto out; -+ } -+ - c->opt_password = net_prompt_pass(c, c->opt_user_name); - - status = kerberos_return_pac(mem_ctx, -@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - true, - 2592000, /* one month */ - impersonate_princ_s, -+ local_service, - &info); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 3f3ec70..61e2cef 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - time_t time_offset = 0; - const char *user_ccache_file; - struct PAC_LOGON_INFO *logon_info = NULL; -+ const char *local_service; - - *info3 = NULL; - -@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - return NT_STATUS_NO_MEMORY; - } - -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s", -+ lp_netbios_name(), lp_realm()); -+ if (local_service == NULL) { -+ return NT_STATUS_NO_MEMORY; -+ } -+ -+ - /* if this is a user ccache, we need to act as the user to let the krb5 - * library handle the chown, etc. */ - -@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - true, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, -+ local_service, - &logon_info); - if (user_ccache_file != NULL) { - gain_root_privilege(); --- -1.8.5.3 - - -From baed403983a5bb2e728249443fdfc9167a87f526 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Mon, 3 Mar 2014 12:14:51 +0100 -Subject: [PATCH 2/8] auth/kerberos: fix a typo. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - auth/kerberos/kerberos_pac.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c -index 81f7f21..8f55c8f 100644 ---- a/auth/kerberos/kerberos_pac.c -+++ b/auth/kerberos/kerberos_pac.c -@@ -79,7 +79,7 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data, - } - - /** --* @brief Decode a blob containing a NDR envoded PAC structure -+* @brief Decode a blob containing a NDR encoded PAC structure - * - * @param mem_ctx - The memory context - * @param pac_data_blob - The data blob containing the NDR encoded data --- -1.8.5.3 - - -From 9725a86e60bb6ef6e912621e81acc955ae2f70a8 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Mon, 10 Mar 2014 15:11:18 +0100 -Subject: [PATCH 3/8] s3-net: change the way impersonation principals are used - in "net ads kerberos pac". -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/utils/net_ads.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 5a073b1..ac6346f 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2605,6 +2605,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - int ret = -1; - const char *impersonate_princ_s = NULL; - const char *local_service = NULL; -+ int i; - - if (c->display_usage) { - d_printf( "%s\n" -@@ -2615,15 +2616,20 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - return 0; - } - -+ for (i=0; i<argc; i++) { -+ if (strnequal(argv[i], "impersonate", strlen("impersonate"))) { -+ impersonate_princ_s = get_string_param(argv[i]); -+ if (impersonate_princ_s == NULL) { -+ return -1; -+ } -+ } -+ } -+ - mem_ctx = talloc_init("net_ads_kerberos_pac"); - if (!mem_ctx) { - goto out; - } - -- if (argc > 0) { -- impersonate_princ_s = argv[0]; -- } -- - local_service = talloc_asprintf(mem_ctx, "%s$@%s", - lp_netbios_name(), lp_realm()); - if (local_service == NULL) { --- -1.8.5.3 - - -From 35a1ed22f65473fabb2f4846f6d2b50da1847f6a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Tue, 11 Mar 2014 16:34:36 +0100 -Subject: [PATCH 4/8] s3-net: allow to provide custom local_service in "net ads - kerberos pac". -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/utils/net_ads.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index ac6346f..c53c8c6 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2623,6 +2623,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - return -1; - } - } -+ if (strnequal(argv[i], "local_service", strlen("local_service"))) { -+ local_service = get_string_param(argv[i]); -+ if (local_service == NULL) { -+ return -1; -+ } -+ } - } - - mem_ctx = talloc_init("net_ads_kerberos_pac"); -@@ -2630,10 +2636,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - goto out; - } - -- local_service = talloc_asprintf(mem_ctx, "%s$@%s", -- lp_netbios_name(), lp_realm()); - if (local_service == NULL) { -- goto out; -+ local_service = talloc_asprintf(mem_ctx, "%s$@%s", -+ lp_netbios_name(), lp_realm()); -+ if (local_service == NULL) { -+ goto out; -+ } - } - - c->opt_password = net_prompt_pass(c, c->opt_user_name); --- -1.8.5.3 - - -From 1270e35ba70a4e4881512d375c767023512f67bd Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Fri, 21 Feb 2014 18:56:04 +0100 -Subject: [PATCH 5/8] s3-kerberos: return a full PAC in kerberos_return_pac(). -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/libads/authdata.c | 28 +++++++++++++++++----------- - source3/libads/kerberos_proto.h | 4 ++-- - source3/utils/net_ads.c | 17 ++++++++++++++++- - source3/winbindd/winbindd_pam.c | 22 +++++++++++++++++++++- - 4 files changed, 56 insertions(+), 15 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index dd80dc2..53e40ef 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -52,7 +52,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, - struct auth_session_info **session_info) - { - TALLOC_CTX *tmp_ctx; -- struct PAC_LOGON_INFO *logon_info = NULL; -+ struct PAC_DATA *pac_data = NULL; - NTSTATUS status = NT_STATUS_INTERNAL_ERROR; - - tmp_ctx = talloc_new(mem_ctx); -@@ -61,16 +61,22 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, - } - - if (pac_blob) { -- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, -- NULL, NULL, 0, &logon_info); -+ status = kerberos_decode_pac(tmp_ctx, -+ *pac_blob, -+ NULL, -+ NULL, -+ NULL, -+ NULL, -+ 0, -+ &pac_data); - if (!NT_STATUS_IS_OK(status)) { - goto done; - } - } - -- talloc_set_name_const(logon_info, "struct PAC_LOGON_INFO"); -+ talloc_set_name_const(pac_data, "struct PAC_DATA"); - -- auth_ctx->private_data = talloc_steal(auth_ctx, logon_info); -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); - *session_info = talloc_zero(mem_ctx, struct auth_session_info); - if (!*session_info) { - status = NT_STATUS_NO_MEMORY; -@@ -102,7 +108,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -- struct PAC_LOGON_INFO **_logon_info) -+ struct PAC_DATA **_pac_data) - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -@@ -116,7 +122,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - size_t idx = 0; - struct auth4_context *auth_context; - struct loadparm_context *lp_ctx; -- struct PAC_LOGON_INFO *logon_info = NULL; -+ struct PAC_DATA *pac_data = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); -@@ -272,15 +278,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - goto out; - } - -- logon_info = talloc_get_type_abort(gensec_server_context->auth_context->private_data, -- struct PAC_LOGON_INFO); -- if (logon_info == NULL) { -+ pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, -+ struct PAC_DATA); -+ if (pac_data == NULL) { - DEBUG(1,("no PAC\n")); - status = NT_STATUS_INVALID_PARAMETER; - goto out; - } - -- *_logon_info = talloc_move(mem_ctx, &logon_info); -+ *_pac_data = talloc_move(mem_ctx, &pac_data); - - out: - talloc_free(tmp_ctx); -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index 1151d66..b2f7486 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -32,7 +32,7 @@ - - #include "system/kerberos.h" - --struct PAC_LOGON_INFO; -+struct PAC_DATA; - - #include "libads/ads_status.h" - -@@ -78,7 +78,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -- struct PAC_LOGON_INFO **logon_info); -+ struct PAC_DATA **pac_data); - - /* The following definitions come from libads/krb5_setpw.c */ - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index c53c8c6..19da6da 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2600,6 +2600,7 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) - { - struct PAC_LOGON_INFO *info = NULL; -+ struct PAC_DATA *pac_data = NULL; - TALLOC_CTX *mem_ctx = NULL; - NTSTATUS status; - int ret = -1; -@@ -2658,13 +2659,27 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - 2592000, /* one month */ - impersonate_princ_s, - local_service, -- &info); -+ &pac_data); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), - nt_errstr(status)); - goto out; - } - -+ for (i=0; i < pac_data->num_buffers; i++) { -+ -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { -+ continue; -+ } -+ -+ info = pac_data->buffers[i].info->logon_info.info; -+ if (!info) { -+ goto out; -+ } -+ -+ break; -+ } -+ - if (info) { - const char *s; - s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index 61e2cef..a8daae51 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -576,7 +576,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - time_t time_offset = 0; - const char *user_ccache_file; - struct PAC_LOGON_INFO *logon_info = NULL; -+ struct PAC_DATA *pac_data = NULL; - const char *local_service; -+ int i; - - *info3 = NULL; - -@@ -662,7 +664,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -- &logon_info); -+ &pac_data); - if (user_ccache_file != NULL) { - gain_root_privilege(); - } -@@ -673,6 +675,24 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - goto failed; - } - -+ if (pac_data == NULL) { -+ goto failed; -+ } -+ -+ for (i=0; i < pac_data->num_buffers; i++) { -+ -+ if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { -+ continue; -+ } -+ -+ logon_info = pac_data->buffers[i].info->logon_info.info; -+ if (!logon_info) { -+ return NT_STATUS_INVALID_PARAMETER; -+ } -+ -+ break; -+ } -+ - *info3 = &logon_info->info3; - - DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", --- -1.8.5.3 - - -From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Tue, 11 Mar 2014 18:07:11 +0100 -Subject: [PATCH 6/8] s3-kerberos: let kerberos_return_pac() return a PAC - container. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/libads/authdata.c | 29 +++++++++++++++++++++-------- - source3/libads/kerberos_proto.h | 7 ++++++- - source3/utils/net_ads.c | 5 ++++- - source3/winbindd/winbindd_pam.c | 8 +++++++- - 4 files changed, 38 insertions(+), 11 deletions(-) - -diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c -index 53e40ef..276408d 100644 ---- a/source3/libads/authdata.c -+++ b/source3/libads/authdata.c -@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, - { - TALLOC_CTX *tmp_ctx; - struct PAC_DATA *pac_data = NULL; -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; - NTSTATUS status = NT_STATUS_INTERNAL_ERROR; - - tmp_ctx = talloc_new(mem_ctx); -@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx, - } - } - -- talloc_set_name_const(pac_data, "struct PAC_DATA"); -+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR); -+ if (pac_data_ctr == NULL) { -+ status = NT_STATUS_NO_MEMORY; -+ goto done; -+ } -+ -+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR"); -+ -+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data); -+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr, -+ pac_blob->data, -+ pac_blob->length); -+ -+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr); - -- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data); - *session_info = talloc_zero(mem_ctx, struct auth_session_info); - if (!*session_info) { - status = NT_STATUS_NO_MEMORY; -@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -- struct PAC_DATA **_pac_data) -+ struct PAC_DATA_CTR **_pac_data_ctr) - { - krb5_error_code ret; - NTSTATUS status = NT_STATUS_INVALID_PARAMETER; -@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - size_t idx = 0; - struct auth4_context *auth_context; - struct loadparm_context *lp_ctx; -- struct PAC_DATA *pac_data = NULL; -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; - - TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); - NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); -@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - goto out; - } - -- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data, -- struct PAC_DATA); -- if (pac_data == NULL) { -+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data, -+ struct PAC_DATA_CTR); -+ if (pac_data_ctr == NULL) { - DEBUG(1,("no PAC\n")); - status = NT_STATUS_INVALID_PARAMETER; - goto out; - } - -- *_pac_data = talloc_move(mem_ctx, &pac_data); -+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr); - - out: - talloc_free(tmp_ctx); -diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h -index b2f7486..3d0ad4b 100644 ---- a/source3/libads/kerberos_proto.h -+++ b/source3/libads/kerberos_proto.h -@@ -34,6 +34,11 @@ - - struct PAC_DATA; - -+struct PAC_DATA_CTR { -+ DATA_BLOB pac_blob; -+ struct PAC_DATA *pac_data; -+}; -+ - #include "libads/ads_status.h" - - /* The following definitions come from libads/kerberos.c */ -@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx, - time_t renewable_time, - const char *impersonate_princ_s, - const char *local_service, -- struct PAC_DATA **pac_data); -+ struct PAC_DATA_CTR **pac_data_ctr); - - /* The following definitions come from libads/krb5_setpw.c */ - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 19da6da..19c28b1 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - { - struct PAC_LOGON_INFO *info = NULL; - struct PAC_DATA *pac_data = NULL; -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; - TALLOC_CTX *mem_ctx = NULL; - NTSTATUS status; - int ret = -1; -@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - 2592000, /* one month */ - impersonate_princ_s, - local_service, -- &pac_data); -+ &pac_data_ctr); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), - nt_errstr(status)); - goto out; - } - -+ pac_data = pac_data_ctr->pac_data; -+ - for (i=0; i < pac_data->num_buffers; i++) { - - if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { -diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c -index a8daae51..b41291e 100644 ---- a/source3/winbindd/winbindd_pam.c -+++ b/source3/winbindd/winbindd_pam.c -@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - const char *user_ccache_file; - struct PAC_LOGON_INFO *logon_info = NULL; - struct PAC_DATA *pac_data = NULL; -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; - const char *local_service; - int i; - -@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, - NULL, - local_service, -- &pac_data); -+ &pac_data_ctr); - if (user_ccache_file != NULL) { - gain_root_privilege(); - } -@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, - goto failed; - } - -+ if (pac_data_ctr == NULL) { -+ goto failed; -+ } -+ -+ pac_data = pac_data_ctr->pac_data; - if (pac_data == NULL) { - goto failed; - } --- -1.8.5.3 - - -From 9e01f3cbc4752539128e5452f567ff2e73c3ec9d Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Tue, 11 Mar 2014 18:14:39 +0100 -Subject: [PATCH 7/8] s3-net: modify the current "net ads kerberos pac" - command. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Rename it to "net ads kerberos pac dump" and add a "type=num" option to allow -dumping of individial pac buffer types. Ommitting type= or using type=0 will -dump the whole PAC structure on stdout. - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/utils/net_ads.c | 115 ++++++++++++++++++++++++++++++++---------------- - 1 file changed, 77 insertions(+), 38 deletions(-) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index 19c28b1..f54cf23 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2597,27 +2597,15 @@ static int net_ads_kerberos_renew(struct net_context *c, int argc, const char ** - return ret; - } - --static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) -+static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const char **argv, -+ struct PAC_DATA_CTR **pac_data_ctr) - { -- struct PAC_LOGON_INFO *info = NULL; -- struct PAC_DATA *pac_data = NULL; -- struct PAC_DATA_CTR *pac_data_ctr = NULL; -- TALLOC_CTX *mem_ctx = NULL; - NTSTATUS status; - int ret = -1; - const char *impersonate_princ_s = NULL; - const char *local_service = NULL; - int i; - -- if (c->display_usage) { -- d_printf( "%s\n" -- "net ads kerberos pac [impersonation_principal]\n" -- " %s\n", -- _("Usage:"), -- _("Dump the Kerberos PAC")); -- return 0; -- } -- - for (i=0; i<argc; i++) { - if (strnequal(argv[i], "impersonate", strlen("impersonate"))) { - impersonate_princ_s = get_string_param(argv[i]); -@@ -2633,13 +2621,8 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - } - } - -- mem_ctx = talloc_init("net_ads_kerberos_pac"); -- if (!mem_ctx) { -- goto out; -- } -- - if (local_service == NULL) { -- local_service = talloc_asprintf(mem_ctx, "%s$@%s", -+ local_service = talloc_asprintf(c, "%s$@%s", - lp_netbios_name(), lp_realm()); - if (local_service == NULL) { - goto out; -@@ -2648,7 +2631,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - - c->opt_password = net_prompt_pass(c, c->opt_user_name); - -- status = kerberos_return_pac(mem_ctx, -+ status = kerberos_return_pac(c, - c->opt_user_name, - c->opt_password, - 0, -@@ -2660,39 +2643,95 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - 2592000, /* one month */ - impersonate_princ_s, - local_service, -- &pac_data_ctr); -+ pac_data_ctr); - if (!NT_STATUS_IS_OK(status)) { - d_printf(_("failed to query kerberos PAC: %s\n"), - nt_errstr(status)); - goto out; - } - -- pac_data = pac_data_ctr->pac_data; -+ ret = 0; -+ out: -+ return ret; -+} - -- for (i=0; i < pac_data->num_buffers; i++) { -+static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char **argv) -+{ -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; -+ int i; -+ int ret = -1; -+ enum PAC_TYPE type = 0; - -- if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) { -- continue; -+ if (c->display_usage) { -+ d_printf( "%s\n" -+ "net ads kerberos pac dump [impersonate=string] [local_service=string] [pac_buffer_type=int]\n" -+ " %s\n", -+ _("Usage:"), -+ _("Dump the Kerberos PAC")); -+ return -1; -+ } -+ -+ for (i=0; i<argc; i++) { -+ if (strnequal(argv[i], "pac_buffer_type", strlen("pac_buffer_type"))) { -+ type = get_int_param(argv[i]); - } -+ } - -- info = pac_data->buffers[i].info->logon_info.info; -- if (!info) { -- goto out; -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr); -+ if (ret) { -+ return ret; -+ } -+ -+ if (type == 0) { -+ -+ char *s = NULL; -+ -+ s = NDR_PRINT_STRUCT_STRING(c, PAC_DATA, -+ pac_data_ctr->pac_data); -+ if (s != NULL) { -+ d_printf(_("The Pac: %s\n"), s); -+ talloc_free(s); - } - -- break; -+ return 0; - } - -- if (info) { -- const char *s; -- s = NDR_PRINT_STRUCT_STRING(mem_ctx, PAC_LOGON_INFO, info); -- d_printf(_("The Pac: %s\n"), s); -+ for (i=0; i < pac_data_ctr->pac_data->num_buffers; i++) { -+ -+ char *s = NULL; -+ -+ if (pac_data_ctr->pac_data->buffers[i].type != type) { -+ continue; -+ } -+ -+ s = NDR_PRINT_UNION_STRING(c, PAC_INFO, type, -+ pac_data_ctr->pac_data->buffers[i].info); -+ if (s != NULL) { -+ d_printf(_("The Pac: %s\n"), s); -+ talloc_free(s); -+ } -+ break; - } - -- ret = 0; -- out: -- TALLOC_FREE(mem_ctx); -- return ret; -+ return 0; -+} -+ -+static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) -+{ -+ struct functable func[] = { -+ { -+ "dump", -+ net_ads_kerberos_pac_dump, -+ NET_TRANSPORT_ADS, -+ N_("Dump Kerberos PAC"), -+ N_("net ads kerberos pac dump\n" -+ " Dump a Kerberos PAC to stdout") -+ }, -+ -+ {NULL, NULL, 0, NULL, NULL} -+ }; -+ -+ return net_run_function(c, argc, argv, "net ads kerberos pac", func); - } - - static int net_ads_kerberos_kinit(struct net_context *c, int argc, const char **argv) --- -1.8.5.3 - - -From 91ceace4ee8fd141cac5dbe5282bed141c38bee7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> -Date: Tue, 11 Mar 2014 18:16:40 +0100 -Subject: [PATCH 8/8] s3-net: add a new "net ads kerberos pac save" tool. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Use "filename=string" to define a file where to save the unencrypted PAC to. - -Guenther - -Signed-off-by: Günther Deschner <gd@samba.org> -Reviewed-by: Andreas Schneider <asn@samba.org> ---- - source3/utils/net_ads.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 52 insertions(+) - -diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c -index f54cf23..8b8e719 100644 ---- a/source3/utils/net_ads.c -+++ b/source3/utils/net_ads.c -@@ -2716,6 +2716,50 @@ static int net_ads_kerberos_pac_dump(struct net_context *c, int argc, const char - return 0; - } - -+static int net_ads_kerberos_pac_save(struct net_context *c, int argc, const char **argv) -+{ -+ struct PAC_DATA_CTR *pac_data_ctr = NULL; -+ char *filename = NULL; -+ int ret = -1; -+ int i; -+ -+ if (c->display_usage) { -+ d_printf( "%s\n" -+ "net ads kerberos pac save [impersonate=string] [local_service=string] [filename=string]\n" -+ " %s\n", -+ _("Usage:"), -+ _("Save the Kerberos PAC")); -+ return -1; -+ } -+ -+ for (i=0; i<argc; i++) { -+ if (strnequal(argv[i], "filename", strlen("filename"))) { -+ filename = get_string_param(argv[i]); -+ if (filename == NULL) { -+ return -1; -+ } -+ } -+ } -+ -+ ret = net_ads_kerberos_pac_common(c, argc, argv, &pac_data_ctr); -+ if (ret) { -+ return ret; -+ } -+ -+ if (filename == NULL) { -+ d_printf(_("please define \"filename=<filename>\" to save the PAC\n")); -+ return -1; -+ } -+ -+ /* save the raw format */ -+ if (!file_save(filename, pac_data_ctr->pac_blob.data, pac_data_ctr->pac_blob.length)) { -+ d_printf(_("failed to save PAC in %s\n"), filename); -+ return -1; -+ } -+ -+ return 0; -+} -+ - static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **argv) - { - struct functable func[] = { -@@ -2727,6 +2771,14 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar - N_("net ads kerberos pac dump\n" - " Dump a Kerberos PAC to stdout") - }, -+ { -+ "save", -+ net_ads_kerberos_pac_save, -+ NET_TRANSPORT_ADS, -+ N_("Save Kerberos PAC"), -+ N_("net ads kerberos pac save\n" -+ " Save a Kerberos PAC in a file") -+ }, - - {NULL, NULL, 0, NULL, NULL} - }; --- -1.8.5.3 - |