Diffstat (limited to 'meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch')
-rw-r--r-- | meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch | 988 |
1 files changed, 988 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch new file mode 100644 index 000000000..a939e7066 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.1.12/13-fix-aes-enctype.patch | |||
@@ -0,0 +1,988 @@ | |||
1 | From cbef7b5e10f4477d9f2e648ac6c654eef1165b82 Mon Sep 17 00:00:00 2001 | ||
2 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | ||
3 | Date: Wed, 24 Sep 2014 22:16:20 +0200 | ||
4 | Subject: [PATCH 1/4] s3-net: add "net ads enctypes {list,set,delete}". | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | Guenther | ||
10 | |||
11 | Signed-off-by: Günther Deschner <gd@samba.org> | ||
12 | Reviewed-by: Andreas Schneider <asn@samba.org> | ||
13 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | ||
14 | --- | ||
15 | source3/utils/net_ads.c | 308 ++++++++++++++++++++++++++++++++++++++++++++++++ | ||
16 | 1 file changed, 308 insertions(+) | ||
17 | |||
18 | diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c | ||
19 | index 8b8e719..5f18bf4 100644 | ||
20 | --- a/source3/utils/net_ads.c | ||
21 | +++ b/source3/utils/net_ads.c | ||
22 | @@ -2860,6 +2860,306 @@ int net_ads_kerberos(struct net_context *c, int argc, const char **argv) | ||
23 | return net_run_function(c, argc, argv, "net ads kerberos", func); | ||
24 | } | ||
25 | |||
26 | +static int net_ads_enctype_lookup_account(struct net_context *c, | ||
27 | + ADS_STRUCT *ads, | ||
28 | + const char *account, | ||
29 | + LDAPMessage **res, | ||
30 | + const char **enctype_str) | ||
31 | +{ | ||
32 | + const char *filter; | ||
33 | + const char *attrs[] = { | ||
34 | + "msDS-SupportedEncryptionTypes", | ||
35 | + NULL | ||
36 | + }; | ||
37 | + int count; | ||
38 | + int ret = -1; | ||
39 | + ADS_STATUS status; | ||
40 | + | ||
41 | + filter = talloc_asprintf(c, "(&(objectclass=user)(sAMAccountName=%s))", | ||
42 | + account); | ||
43 | + if (filter == NULL) { | ||
44 | + goto done; | ||
45 | + } | ||
46 | + | ||
47 | + status = ads_search(ads, res, filter, attrs); | ||
48 | + if (!ADS_ERR_OK(status)) { | ||
49 | + d_printf(_("no account found with filter: %s\n"), filter); | ||
50 | + goto done; | ||
51 | + } | ||
52 | + | ||
53 | + count = ads_count_replies(ads, *res); | ||
54 | + switch (count) { | ||
55 | + case 1: | ||
56 | + break; | ||
57 | + case 0: | ||
58 | + d_printf(_("no account found with filter: %s\n"), filter); | ||
59 | + goto done; | ||
60 | + default: | ||
61 | + d_printf(_("multiple accounts found with filter: %s\n"), filter); | ||
62 | + goto done; | ||
63 | + } | ||
64 | + | ||
65 | + if (enctype_str) { | ||
66 | + *enctype_str = ads_pull_string(ads, c, *res, | ||
67 | + "msDS-SupportedEncryptionTypes"); | ||
68 | + if (*enctype_str == NULL) { | ||
69 | + d_printf(_("no msDS-SupportedEncryptionTypes attribute found\n")); | ||
70 | + goto done; | ||
71 | + } | ||
72 | + } | ||
73 | + | ||
74 | + ret = 0; | ||
75 | + done: | ||
76 | + return ret; | ||
77 | +} | ||
78 | + | ||
79 | +static void net_ads_enctype_dump_enctypes(const char *username, | ||
80 | + const char *enctype_str) | ||
81 | +{ | ||
82 | + int enctypes; | ||
83 | + | ||
84 | + d_printf(_("'%s' uses \"msDS-SupportedEncryptionTypes\":\n"), username); | ||
85 | + | ||
86 | + enctypes = atoi(enctype_str); | ||
87 | + | ||
88 | + printf("[%s] 0x%08x DES-CBC-CRC\n", | ||
89 | + enctypes & ENC_CRC32 ? "X" : " ", | ||
90 | + ENC_CRC32); | ||
91 | + printf("[%s] 0x%08x DES-CBC-MD5\n", | ||
92 | + enctypes & ENC_RSA_MD5 ? "X" : " ", | ||
93 | + ENC_RSA_MD5); | ||
94 | + printf("[%s] 0x%08x RC4-HMAC\n", | ||
95 | + enctypes & ENC_RC4_HMAC_MD5 ? "X" : " ", | ||
96 | + ENC_RC4_HMAC_MD5); | ||
97 | + printf("[%s] 0x%08x AES128-CTS-HMAC-SHA1-96\n", | ||
98 | + enctypes & ENC_HMAC_SHA1_96_AES128 ? "X" : " ", | ||
99 | + ENC_HMAC_SHA1_96_AES128); | ||
100 | + printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n", | ||
101 | + enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ", | ||
102 | + ENC_HMAC_SHA1_96_AES256); | ||
103 | +} | ||
104 | + | ||
105 | +static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv) | ||
106 | +{ | ||
107 | + int ret = -1; | ||
108 | + ADS_STATUS status; | ||
109 | + ADS_STRUCT *ads = NULL; | ||
110 | + LDAPMessage *res = NULL; | ||
111 | + const char *str = NULL; | ||
112 | + | ||
113 | + if (c->display_usage || (argc < 1)) { | ||
114 | + d_printf( "%s\n" | ||
115 | + "net ads enctypes list\n" | ||
116 | + " %s\n", | ||
117 | + _("Usage:"), | ||
118 | + _("List supported enctypes")); | ||
119 | + return 0; | ||
120 | + } | ||
121 | + | ||
122 | + status = ads_startup(c, false, &ads); | ||
123 | + if (!ADS_ERR_OK(status)) { | ||
124 | + printf("startup failed\n"); | ||
125 | + return ret; | ||
126 | + } | ||
127 | + | ||
128 | + ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str); | ||
129 | + if (ret) { | ||
130 | + goto done; | ||
131 | + } | ||
132 | + | ||
133 | + net_ads_enctype_dump_enctypes(argv[0], str); | ||
134 | + | ||
135 | + ret = 0; | ||
136 | + done: | ||
137 | + ads_msgfree(ads, res); | ||
138 | + ads_destroy(&ads); | ||
139 | + | ||
140 | + return ret; | ||
141 | +} | ||
142 | + | ||
143 | +static int net_ads_enctypes_set(struct net_context *c, int argc, const char **argv) | ||
144 | +{ | ||
145 | + int ret = -1; | ||
146 | + ADS_STATUS status; | ||
147 | + ADS_STRUCT *ads; | ||
148 | + LDAPMessage *res = NULL; | ||
149 | + const char *etype_list_str; | ||
150 | + const char *dn; | ||
151 | + ADS_MODLIST mods; | ||
152 | + uint32_t etype_list; | ||
153 | + const char *str; | ||
154 | + | ||
155 | + if (c->display_usage || argc < 1) { | ||
156 | + d_printf( "%s\n" | ||
157 | + "net ads enctypes set <sAMAccountName> [enctypes]\n" | ||
158 | + " %s\n", | ||
159 | + _("Usage:"), | ||
160 | + _("Set supported enctypes")); | ||
161 | + return 0; | ||
162 | + } | ||
163 | + | ||
164 | + status = ads_startup(c, false, &ads); | ||
165 | + if (!ADS_ERR_OK(status)) { | ||
166 | + printf("startup failed\n"); | ||
167 | + return ret; | ||
168 | + } | ||
169 | + | ||
170 | + ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL); | ||
171 | + if (ret) { | ||
172 | + goto done; | ||
173 | + } | ||
174 | + | ||
175 | + dn = ads_get_dn(ads, c, res); | ||
176 | + if (dn == NULL) { | ||
177 | + goto done; | ||
178 | + } | ||
179 | + | ||
180 | + etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; | ||
181 | +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | ||
182 | + etype_list |= ENC_HMAC_SHA1_96_AES128; | ||
183 | +#endif | ||
184 | +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | ||
185 | + etype_list |= ENC_HMAC_SHA1_96_AES256; | ||
186 | +#endif | ||
187 | + | ||
188 | + if (argv[1] != NULL) { | ||
189 | + sscanf(argv[1], "%i", &etype_list); | ||
190 | + } | ||
191 | + | ||
192 | + etype_list_str = talloc_asprintf(c, "%d", etype_list); | ||
193 | + if (!etype_list_str) { | ||
194 | + goto done; | ||
195 | + } | ||
196 | + | ||
197 | + mods = ads_init_mods(c); | ||
198 | + if (!mods) { | ||
199 | + goto done; | ||
200 | + } | ||
201 | + | ||
202 | + status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", | ||
203 | + etype_list_str); | ||
204 | + if (!ADS_ERR_OK(status)) { | ||
205 | + goto done; | ||
206 | + } | ||
207 | + | ||
208 | + status = ads_gen_mod(ads, dn, mods); | ||
209 | + if (!ADS_ERR_OK(status)) { | ||
210 | + d_printf(_("failed to add msDS-SupportedEncryptionTypes: %s\n"), | ||
211 | + ads_errstr(status)); | ||
212 | + goto done; | ||
213 | + } | ||
214 | + | ||
215 | + ads_msgfree(ads, res); | ||
216 | + | ||
217 | + ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, &str); | ||
218 | + if (ret) { | ||
219 | + goto done; | ||
220 | + } | ||
221 | + | ||
222 | + net_ads_enctype_dump_enctypes(argv[0], str); | ||
223 | + | ||
224 | + ret = 0; | ||
225 | + done: | ||
226 | + ads_msgfree(ads, res); | ||
227 | + ads_destroy(&ads); | ||
228 | + | ||
229 | + return ret; | ||
230 | +} | ||
231 | + | ||
232 | +static int net_ads_enctypes_delete(struct net_context *c, int argc, const char **argv) | ||
233 | +{ | ||
234 | + int ret = -1; | ||
235 | + ADS_STATUS status; | ||
236 | + ADS_STRUCT *ads; | ||
237 | + LDAPMessage *res = NULL; | ||
238 | + const char *dn; | ||
239 | + ADS_MODLIST mods; | ||
240 | + | ||
241 | + if (c->display_usage || argc < 1) { | ||
242 | + d_printf( "%s\n" | ||
243 | + "net ads enctypes delete <sAMAccountName>\n" | ||
244 | + " %s\n", | ||
245 | + _("Usage:"), | ||
246 | + _("Delete supported enctypes")); | ||
247 | + return 0; | ||
248 | + } | ||
249 | + | ||
250 | + status = ads_startup(c, false, &ads); | ||
251 | + if (!ADS_ERR_OK(status)) { | ||
252 | + printf("startup failed\n"); | ||
253 | + return ret; | ||
254 | + } | ||
255 | + | ||
256 | + ret = net_ads_enctype_lookup_account(c, ads, argv[0], &res, NULL); | ||
257 | + if (ret) { | ||
258 | + goto done; | ||
259 | + } | ||
260 | + | ||
261 | + dn = ads_get_dn(ads, c, res); | ||
262 | + if (dn == NULL) { | ||
263 | + goto done; | ||
264 | + } | ||
265 | + | ||
266 | + mods = ads_init_mods(c); | ||
267 | + if (!mods) { | ||
268 | + goto done; | ||
269 | + } | ||
270 | + | ||
271 | + status = ads_mod_str(c, &mods, "msDS-SupportedEncryptionTypes", NULL); | ||
272 | + if (!ADS_ERR_OK(status)) { | ||
273 | + goto done; | ||
274 | + } | ||
275 | + | ||
276 | + status = ads_gen_mod(ads, dn, mods); | ||
277 | + if (!ADS_ERR_OK(status)) { | ||
278 | + d_printf(_("failed to remove msDS-SupportedEncryptionTypes: %s\n"), | ||
279 | + ads_errstr(status)); | ||
280 | + goto done; | ||
281 | + } | ||
282 | + | ||
283 | + ret = 0; | ||
284 | + | ||
285 | + done: | ||
286 | + ads_msgfree(ads, res); | ||
287 | + ads_destroy(&ads); | ||
288 | + return ret; | ||
289 | +} | ||
290 | + | ||
291 | +static int net_ads_enctypes(struct net_context *c, int argc, const char **argv) | ||
292 | +{ | ||
293 | + struct functable func[] = { | ||
294 | + { | ||
295 | + "list", | ||
296 | + net_ads_enctypes_list, | ||
297 | + NET_TRANSPORT_ADS, | ||
298 | + N_("List the supported encryption types"), | ||
299 | + N_("net ads enctypes list\n" | ||
300 | + " List the supported encryption types") | ||
301 | + }, | ||
302 | + { | ||
303 | + "set", | ||
304 | + net_ads_enctypes_set, | ||
305 | + NET_TRANSPORT_ADS, | ||
306 | + N_("Set the supported encryption types"), | ||
307 | + N_("net ads enctypes set\n" | ||
308 | + " Set the supported encryption types") | ||
309 | + }, | ||
310 | + { | ||
311 | + "delete", | ||
312 | + net_ads_enctypes_delete, | ||
313 | + NET_TRANSPORT_ADS, | ||
314 | + N_("Delete the supported encryption types"), | ||
315 | + N_("net ads enctypes delete\n" | ||
316 | + " Delete the supported encryption types") | ||
317 | + }, | ||
318 | + | ||
319 | + {NULL, NULL, 0, NULL, NULL} | ||
320 | + }; | ||
321 | + | ||
322 | + return net_run_function(c, argc, argv, "net ads enctypes", func); | ||
323 | +} | ||
324 | + | ||
325 | + | ||
326 | int net_ads(struct net_context *c, int argc, const char **argv) | ||
327 | { | ||
328 | struct functable func[] = { | ||
329 | @@ -3015,6 +3315,14 @@ int net_ads(struct net_context *c, int argc, const char **argv) | ||
330 | N_("net ads kerberos\n" | ||
331 | " Manage kerberos keytab") | ||
332 | }, | ||
333 | + { | ||
334 | + "enctypes", | ||
335 | + net_ads_enctypes, | ||
336 | + NET_TRANSPORT_ADS, | ||
337 | + N_("List/modify supported encryption types"), | ||
338 | + N_("net ads enctypes\n" | ||
339 | + " List/modify enctypes") | ||
340 | + }, | ||
341 | {NULL, NULL, 0, NULL, NULL} | ||
342 | }; | ||
343 | |||
344 | -- | ||
345 | 1.9.3 | ||
346 | |||
347 | |||
348 | From a19f1e51bd7d48b238ad22ec9e27af53dfa5bf44 Mon Sep 17 00:00:00 2001 | ||
349 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | ||
350 | Date: Wed, 24 Sep 2014 23:36:19 +0200 | ||
351 | Subject: [PATCH 2/4] s3-net: add manpage documentation for "net ads enctypes". | ||
352 | MIME-Version: 1.0 | ||
353 | Content-Type: text/plain; charset=UTF-8 | ||
354 | Content-Transfer-Encoding: 8bit | ||
355 | |||
356 | Guenther | ||
357 | |||
358 | Signed-off-by: Günther Deschner <gd@samba.org> | ||
359 | Reviewed-by: Andreas Schneider <asn@samba.org> | ||
360 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | ||
361 | --- | ||
362 | docs-xml/manpages/net.8.xml | 53 +++++++++++++++++++++++++++++++++++++++++++++ | ||
363 | 1 file changed, 53 insertions(+) | ||
364 | |||
365 | diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml | ||
366 | index f39b420..9e982e3 100644 | ||
367 | --- a/docs-xml/manpages/net.8.xml | ||
368 | +++ b/docs-xml/manpages/net.8.xml | ||
369 | @@ -1339,6 +1339,59 @@ to show in the result. | ||
370 | </refsect2> | ||
371 | |||
372 | <refsect2> | ||
373 | + <title>ADS ENCTYPES</title> | ||
374 | + | ||
375 | +<para> | ||
376 | + List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD. | ||
377 | +</para> | ||
378 | + | ||
379 | +<para> | ||
380 | + This attribute allows to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values: | ||
381 | +</para> | ||
382 | + | ||
383 | +<para>0x00000001 DES-CBC-CRC</para> | ||
384 | +<para>0x00000002 DES-CBC-MD5</para> | ||
385 | +<para>0x00000004 RC4-HMAC</para> | ||
386 | +<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para> | ||
387 | +<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para> | ||
388 | + | ||
389 | +</refsect2> | ||
390 | + | ||
391 | +<refsect2> | ||
392 | + <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title> | ||
393 | + | ||
394 | +<para> | ||
395 | + List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account. | ||
396 | +</para> | ||
397 | + | ||
398 | +<para>Example: <userinput>net ads enctypes list Computername</userinput></para> | ||
399 | + | ||
400 | +</refsect2> | ||
401 | + | ||
402 | +<refsect2> | ||
403 | + <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title> | ||
404 | + | ||
405 | +<para> | ||
406 | + Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is ommitted, the value is set to 31 which enables all the currently supported encryption types. | ||
407 | +</para> | ||
408 | + | ||
409 | +<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para> | ||
410 | + | ||
411 | +</refsect2> | ||
412 | + | ||
413 | +<refsect2> | ||
414 | + <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title> | ||
415 | + | ||
416 | +<para> | ||
417 | + Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME. | ||
418 | +</para> | ||
419 | + | ||
420 | +<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para> | ||
421 | + | ||
422 | +</refsect2> | ||
423 | + | ||
424 | + | ||
425 | +<refsect2> | ||
426 | <title>SAM CREATEBUILTINGROUP <NAME></title> | ||
427 | |||
428 | <para> | ||
429 | -- | ||
430 | 1.9.3 | ||
431 | |||
432 | |||
433 | From 0f42d123afde57ee74d89bdc742185cef718cf0f Mon Sep 17 00:00:00 2001 | ||
434 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | ||
435 | Date: Fri, 23 Nov 2012 12:34:27 +0100 | ||
436 | Subject: [PATCH 3/4] s3-libnet: set list of allowed krb5 encryption types in | ||
437 | AD >= 2008. | ||
438 | MIME-Version: 1.0 | ||
439 | Content-Type: text/plain; charset=UTF-8 | ||
440 | Content-Transfer-Encoding: 8bit | ||
441 | |||
442 | Guenther | ||
443 | |||
444 | Signed-off-by: Günther Deschner <gd@samba.org> | ||
445 | Reviewed-by: Andreas Schneider <asn@samba.org> | ||
446 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | ||
447 | --- | ||
448 | source3/libnet/libnet_join.c | 65 ++++++++++++++++++++++++++++++++++++++++++++ | ||
449 | 1 file changed, 65 insertions(+) | ||
450 | |||
451 | diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c | ||
452 | index 381a59c..e70e11a 100644 | ||
453 | --- a/source3/libnet/libnet_join.c | ||
454 | +++ b/source3/libnet/libnet_join.c | ||
455 | @@ -605,6 +605,52 @@ static ADS_STATUS libnet_join_set_os_attributes(TALLOC_CTX *mem_ctx, | ||
456 | /**************************************************************** | ||
457 | ****************************************************************/ | ||
458 | |||
459 | +static ADS_STATUS libnet_join_set_etypes(TALLOC_CTX *mem_ctx, | ||
460 | + struct libnet_JoinCtx *r) | ||
461 | +{ | ||
462 | + ADS_STATUS status; | ||
463 | + ADS_MODLIST mods; | ||
464 | + uint32_t etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5; | ||
465 | + const char *etype_list_str; | ||
466 | + | ||
467 | +#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96 | ||
468 | + etype_list |= ENC_HMAC_SHA1_96_AES128; | ||
469 | +#endif | ||
470 | +#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96 | ||
471 | + etype_list |= ENC_HMAC_SHA1_96_AES256; | ||
472 | +#endif | ||
473 | + | ||
474 | + etype_list_str = talloc_asprintf(mem_ctx, "%d", etype_list); | ||
475 | + if (!etype_list_str) { | ||
476 | + return ADS_ERROR(LDAP_NO_MEMORY); | ||
477 | + } | ||
478 | + | ||
479 | + /* Find our DN */ | ||
480 | + | ||
481 | + status = libnet_join_find_machine_acct(mem_ctx, r); | ||
482 | + if (!ADS_ERR_OK(status)) { | ||
483 | + return status; | ||
484 | + } | ||
485 | + | ||
486 | + /* now do the mods */ | ||
487 | + | ||
488 | + mods = ads_init_mods(mem_ctx); | ||
489 | + if (!mods) { | ||
490 | + return ADS_ERROR(LDAP_NO_MEMORY); | ||
491 | + } | ||
492 | + | ||
493 | + status = ads_mod_str(mem_ctx, &mods, "msDS-SupportedEncryptionTypes", | ||
494 | + etype_list_str); | ||
495 | + if (!ADS_ERR_OK(status)) { | ||
496 | + return status; | ||
497 | + } | ||
498 | + | ||
499 | + return ads_gen_mod(r->in.ads, r->out.dn, mods); | ||
500 | +} | ||
501 | + | ||
502 | +/**************************************************************** | ||
503 | +****************************************************************/ | ||
504 | + | ||
505 | static bool libnet_join_create_keytab(TALLOC_CTX *mem_ctx, | ||
506 | struct libnet_JoinCtx *r) | ||
507 | { | ||
508 | @@ -679,6 +725,7 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, | ||
509 | struct libnet_JoinCtx *r) | ||
510 | { | ||
511 | ADS_STATUS status; | ||
512 | + uint32_t func_level = 0; | ||
513 | |||
514 | if (!r->in.ads) { | ||
515 | status = libnet_join_connect_ads(mem_ctx, r); | ||
516 | @@ -713,6 +760,24 @@ static ADS_STATUS libnet_join_post_processing_ads(TALLOC_CTX *mem_ctx, | ||
517 | return status; | ||
518 | } | ||
519 | |||
520 | + status = ads_domain_func_level(r->in.ads, &func_level); | ||
521 | + if (!ADS_ERR_OK(status)) { | ||
522 | + libnet_join_set_error_string(mem_ctx, r, | ||
523 | + "failed to query domain controller functional level: %s", | ||
524 | + ads_errstr(status)); | ||
525 | + return status; | ||
526 | + } | ||
527 | + | ||
528 | + if (func_level >= DS_DOMAIN_FUNCTION_2008) { | ||
529 | + status = libnet_join_set_etypes(mem_ctx, r); | ||
530 | + if (!ADS_ERR_OK(status)) { | ||
531 | + libnet_join_set_error_string(mem_ctx, r, | ||
532 | + "failed to set machine kerberos encryption types: %s", | ||
533 | + ads_errstr(status)); | ||
534 | + return status; | ||
535 | + } | ||
536 | + } | ||
537 | + | ||
538 | if (!libnet_join_derive_salting_principal(mem_ctx, r)) { | ||
539 | return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); | ||
540 | } | ||
541 | -- | ||
542 | 1.9.3 | ||
543 | |||
544 | |||
545 | From adb206481ac56c8f438e70f7b9e986aeba9586b1 Mon Sep 17 00:00:00 2001 | ||
546 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | ||
547 | Date: Fri, 26 Sep 2014 21:06:38 +0200 | ||
548 | Subject: [PATCH 4/4] s4-auth/kerberos: fix salting principal, make sure | ||
549 | hostname is lowercase. | ||
550 | MIME-Version: 1.0 | ||
551 | Content-Type: text/plain; charset=UTF-8 | ||
552 | Content-Transfer-Encoding: 8bit | ||
553 | |||
554 | Found at MS interop event while working on AES kerberos key support. | ||
555 | |||
556 | Guenther | ||
557 | |||
558 | Signed-off-by: Günther Deschner <gd@samba.org> | ||
559 | Reviewed-by: Andrew Bartlett <abartlet@samba.org> | ||
560 | --- | ||
561 | source4/auth/kerberos/srv_keytab.c | 2 +- | ||
562 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
563 | |||
564 | diff --git a/source4/auth/kerberos/srv_keytab.c b/source4/auth/kerberos/srv_keytab.c | ||
565 | index d81e27d..3baba14 100644 | ||
566 | --- a/source4/auth/kerberos/srv_keytab.c | ||
567 | +++ b/source4/auth/kerberos/srv_keytab.c | ||
568 | @@ -143,7 +143,7 @@ static krb5_error_code salt_principal(TALLOC_CTX *parent_ctx, | ||
569 | return ENOMEM; | ||
570 | } | ||
571 | |||
572 | - machine_username = talloc_strdup(tmp_ctx, samAccountName); | ||
573 | + machine_username = strlower_talloc(tmp_ctx, samAccountName); | ||
574 | if (!machine_username) { | ||
575 | *error_string = "Cannot duplicate samAccountName"; | ||
576 | talloc_free(tmp_ctx); | ||
577 | -- | ||
578 | 1.9.3 | ||
579 | |||
580 | From d423e8b759af2e0a7cdce39d3f7a6c8d9c1764b4 Mon Sep 17 00:00:00 2001 | ||
581 | From: Jeremy Allison <jra@samba.org> | ||
582 | Date: Mon, 16 Jun 2014 22:49:29 -0700 | ||
583 | Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 * | ||
584 | arguments of copy_netr_SamInfo3() and make_server_info_info3() | ||
585 | |||
586 | Both functions only read from the struct netr_SamInfo3 * argument. | ||
587 | |||
588 | Signed-off-by: Jeremy Allison <jra@samba.org> | ||
589 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | ||
590 | Reviewed-by: Simo Sorce <idra@samba.org> | ||
591 | |||
592 | Conflicts: | ||
593 | source3/auth/proto.h | ||
594 | source3/auth/server_info.c | ||
595 | --- | ||
596 | source3/auth/auth_util.c | 2 +- | ||
597 | source3/auth/proto.h | 4 ++-- | ||
598 | source3/auth/server_info.c | 2 +- | ||
599 | 3 files changed, 4 insertions(+), 4 deletions(-) | ||
600 | |||
601 | diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c | ||
602 | index ceaa706..afa78ec 100644 | ||
603 | --- a/source3/auth/auth_util.c | ||
604 | +++ b/source3/auth/auth_util.c | ||
605 | @@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, | ||
606 | const char *sent_nt_username, | ||
607 | const char *domain, | ||
608 | struct auth_serversupplied_info **server_info, | ||
609 | - struct netr_SamInfo3 *info3) | ||
610 | + const struct netr_SamInfo3 *info3) | ||
611 | { | ||
612 | static const char zeros[16] = {0, }; | ||
613 | |||
614 | diff --git a/source3/auth/proto.h b/source3/auth/proto.h | ||
615 | index 76661fc..6ec206e 100644 | ||
616 | --- a/source3/auth/proto.h | ||
617 | +++ b/source3/auth/proto.h | ||
618 | @@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, | ||
619 | const char *sent_nt_username, | ||
620 | const char *domain, | ||
621 | struct auth_serversupplied_info **server_info, | ||
622 | - struct netr_SamInfo3 *info3); | ||
623 | + const struct netr_SamInfo3 *info3); | ||
624 | struct wbcAuthUserInfo; | ||
625 | NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, | ||
626 | const char *sent_nt_username, | ||
627 | @@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, | ||
628 | const struct passwd *pwd, | ||
629 | struct netr_SamInfo3 **pinfo3); | ||
630 | struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, | ||
631 | - struct netr_SamInfo3 *orig); | ||
632 | + const struct netr_SamInfo3 *orig); | ||
633 | struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, | ||
634 | const struct wbcAuthUserInfo *info); | ||
635 | |||
636 | diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c | ||
637 | index d2b7d6e..066b9a8 100644 | ||
638 | --- a/source3/auth/server_info.c | ||
639 | +++ b/source3/auth/server_info.c | ||
640 | @@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, | ||
641 | } } while(0) | ||
642 | |||
643 | struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, | ||
644 | - struct netr_SamInfo3 *orig) | ||
645 | + const struct netr_SamInfo3 *orig) | ||
646 | { | ||
647 | struct netr_SamInfo3 *info3; | ||
648 | unsigned int i; | ||
649 | -- | ||
650 | 1.9.3 | ||
651 | |||
652 | |||
653 | From cab0cda9df0bb0eda2d7957c0bb8dbcb51ba7ef7 Mon Sep 17 00:00:00 2001 | ||
654 | From: Jeremy Allison <jra@samba.org> | ||
655 | Date: Mon, 16 Jun 2014 22:54:45 -0700 | ||
656 | Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const | ||
657 | struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. | ||
658 | |||
659 | make_server_info_info3() only reads from the info3 pointer. | ||
660 | |||
661 | Signed-off-by: Jeremy Allison <jra@samba.org> | ||
662 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | ||
663 | Reviewed-by: Simo Sorce <idra@samba.org> | ||
664 | --- | ||
665 | source3/auth/auth_generic.c | 2 +- | ||
666 | source3/auth/proto.h | 2 +- | ||
667 | source3/auth/user_krb5.c | 8 ++++---- | ||
668 | 3 files changed, 6 insertions(+), 6 deletions(-) | ||
669 | |||
670 | diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c | ||
671 | index a2ba4e3..2880bc9 100644 | ||
672 | --- a/source3/auth/auth_generic.c | ||
673 | +++ b/source3/auth/auth_generic.c | ||
674 | @@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, | ||
675 | |||
676 | status = make_session_info_krb5(mem_ctx, | ||
677 | ntuser, ntdomain, username, pw, | ||
678 | - logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, | ||
679 | + &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, | ||
680 | session_info); | ||
681 | if (!NT_STATUS_IS_OK(status)) { | ||
682 | DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", | ||
683 | diff --git a/source3/auth/proto.h b/source3/auth/proto.h | ||
684 | index 6ec206e..75d1097 100644 | ||
685 | --- a/source3/auth/proto.h | ||
686 | +++ b/source3/auth/proto.h | ||
687 | @@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, | ||
688 | char *ntdomain, | ||
689 | char *username, | ||
690 | struct passwd *pw, | ||
691 | - struct PAC_LOGON_INFO *logon_info, | ||
692 | + const struct netr_SamInfo3 *info3, | ||
693 | bool mapped_to_guest, bool username_was_mapped, | ||
694 | DATA_BLOB *session_key, | ||
695 | struct auth_session_info **session_info); | ||
696 | diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c | ||
697 | index 974a8aa..0a538b4 100644 | ||
698 | --- a/source3/auth/user_krb5.c | ||
699 | +++ b/source3/auth/user_krb5.c | ||
700 | @@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, | ||
701 | char *ntdomain, | ||
702 | char *username, | ||
703 | struct passwd *pw, | ||
704 | - struct PAC_LOGON_INFO *logon_info, | ||
705 | + const struct netr_SamInfo3 *info3, | ||
706 | bool mapped_to_guest, bool username_was_mapped, | ||
707 | DATA_BLOB *session_key, | ||
708 | struct auth_session_info **session_info) | ||
709 | @@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, | ||
710 | return status; | ||
711 | } | ||
712 | |||
713 | - } else if (logon_info) { | ||
714 | + } else if (info3) { | ||
715 | /* pass the unmapped username here since map_username() | ||
716 | will be called again in make_server_info_info3() */ | ||
717 | |||
718 | status = make_server_info_info3(mem_ctx, | ||
719 | ntuser, ntdomain, | ||
720 | &server_info, | ||
721 | - &logon_info->info3); | ||
722 | + info3); | ||
723 | if (!NT_STATUS_IS_OK(status)) { | ||
724 | DEBUG(1, ("make_server_info_info3 failed: %s!\n", | ||
725 | nt_errstr(status))); | ||
726 | @@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, | ||
727 | char *ntdomain, | ||
728 | char *username, | ||
729 | struct passwd *pw, | ||
730 | - struct PAC_LOGON_INFO *logon_info, | ||
731 | + const struct netr_SamInfo3 *info3, | ||
732 | bool mapped_to_guest, bool username_was_mapped, | ||
733 | DATA_BLOB *session_key, | ||
734 | struct auth_session_info **session_info) | ||
735 | -- | ||
736 | 1.9.3 | ||
737 | |||
738 | |||
739 | From 102335441aaa7967367abcc5690fe7229807546a Mon Sep 17 00:00:00 2001 | ||
740 | From: Jeremy Allison <jra@samba.org> | ||
741 | Date: Mon, 16 Jun 2014 23:11:58 -0700 | ||
742 | Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to | ||
743 | create a new info3 and merge resource group SIDs into it. | ||
744 | |||
745 | Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>. | ||
746 | |||
747 | Signed-off-by: Jeremy Allison <jra@samba.org> | ||
748 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | ||
749 | Reviewed-by: Simo Sorce <idra@samba.org> | ||
750 | --- | ||
751 | source3/auth/proto.h | 3 ++ | ||
752 | source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++ | ||
753 | 2 files changed, 80 insertions(+) | ||
754 | |||
755 | diff --git a/source3/auth/proto.h b/source3/auth/proto.h | ||
756 | index 75d1097..cc51698 100644 | ||
757 | --- a/source3/auth/proto.h | ||
758 | +++ b/source3/auth/proto.h | ||
759 | @@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in | ||
760 | struct netr_SamInfo3 *sam3); | ||
761 | NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, | ||
762 | struct netr_SamInfo6 *sam6); | ||
763 | +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, | ||
764 | + const struct PAC_LOGON_INFO *logon_info, | ||
765 | + struct netr_SamInfo3 **pp_info3); | ||
766 | NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, | ||
767 | struct samu *samu, | ||
768 | const char *login_server, | ||
769 | diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c | ||
770 | index 066b9a8..dc84794 100644 | ||
771 | --- a/source3/auth/server_info.c | ||
772 | +++ b/source3/auth/server_info.c | ||
773 | @@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3, | ||
774 | return NT_STATUS_OK; | ||
775 | } | ||
776 | |||
777 | +/* | ||
778 | + * Merge resource SIDs, if any, into the passed in info3 structure. | ||
779 | + */ | ||
780 | + | ||
781 | +static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info, | ||
782 | + struct netr_SamInfo3 *info3) | ||
783 | +{ | ||
784 | + uint32_t i = 0; | ||
785 | + | ||
786 | + if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) { | ||
787 | + return NT_STATUS_OK; | ||
788 | + } | ||
789 | + | ||
790 | + /* | ||
791 | + * If there are any resource groups (SID Compression) add | ||
792 | + * them to the extra sids portion of the info3 in the PAC. | ||
793 | + * | ||
794 | + * This makes the info3 look like it would if we got the info | ||
795 | + * from the DC rather than the PAC. | ||
796 | + */ | ||
797 | + | ||
798 | + /* | ||
799 | + * Construct a SID for each RID in the list and then append it | ||
800 | + * to the info3. | ||
801 | + */ | ||
802 | + for (i = 0; i < logon_info->res_groups.count; i++) { | ||
803 | + NTSTATUS status; | ||
804 | + struct dom_sid new_sid; | ||
805 | + uint32_t attributes = logon_info->res_groups.rids[i].attributes; | ||
806 | + | ||
807 | + sid_compose(&new_sid, | ||
808 | + logon_info->res_group_dom_sid, | ||
809 | + logon_info->res_groups.rids[i].rid); | ||
810 | + | ||
811 | + DEBUG(10, ("Adding SID %s to extra SIDS\n", | ||
812 | + sid_string_dbg(&new_sid))); | ||
813 | + | ||
814 | + status = append_netr_SidAttr(info3, &info3->sids, | ||
815 | + &info3->sidcount, | ||
816 | + &new_sid, | ||
817 | + attributes); | ||
818 | + if (!NT_STATUS_IS_OK(status)) { | ||
819 | + DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n", | ||
820 | + sid_string_dbg(&new_sid), | ||
821 | + nt_errstr(status))); | ||
822 | + return status; | ||
823 | + } | ||
824 | + } | ||
825 | + | ||
826 | + return NT_STATUS_OK; | ||
827 | +} | ||
828 | + | ||
829 | +/* | ||
830 | + * Create a copy of an info3 struct from the struct PAC_LOGON_INFO, | ||
831 | + * then merge resource SIDs, if any, into it. If successful return | ||
832 | + * the created info3 struct. | ||
833 | + */ | ||
834 | + | ||
835 | +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, | ||
836 | + const struct PAC_LOGON_INFO *logon_info, | ||
837 | + struct netr_SamInfo3 **pp_info3) | ||
838 | +{ | ||
839 | + NTSTATUS status; | ||
840 | + struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx, | ||
841 | + &logon_info->info3); | ||
842 | + if (info3 == NULL) { | ||
843 | + return NT_STATUS_NO_MEMORY; | ||
844 | + } | ||
845 | + status = merge_resource_sids(logon_info, info3); | ||
846 | + if (!NT_STATUS_IS_OK(status)) { | ||
847 | + TALLOC_FREE(info3); | ||
848 | + return status; | ||
849 | + } | ||
850 | + *pp_info3 = info3; | ||
851 | + return NT_STATUS_OK; | ||
852 | +} | ||
853 | + | ||
854 | #define RET_NOMEM(ptr) do { \ | ||
855 | if (!ptr) { \ | ||
856 | TALLOC_FREE(info3); \ | ||
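Review bot: merge_resource_sids hands `logon_info->res_group_dom_sid` straight to sid_compose as soon as NETLOGON_RESOURCE_GROUPS is set in user_flags, with no check that the pointer is non-NULL, so a PAC that carries the flag but no resource-group domain SID would dereference NULL inside session-info setup. Whether the PAC unmarshalling guarantees the pointer when the flag is set is not visible in this hunk, and the same helper is reachable from code paths that parse a PAC without signature verification, so a cheap guard after the flag check is worth having: `if (logon_info->res_groups.count > 0 && logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }`. The header comment on create_info3_from_pac_logon_info should also state ownership, e.g. `/* On success *pp_info3 is talloc'ed off mem_ctx; the caller owns it. On failure nothing is allocated. */`, since both callers rely on that.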
857 | -- | ||
858 | 1.9.3 | ||
859 | |||
860 | |||
861 | From fda9cefd3d4a0808af67595631dd755d5b73aacf Mon Sep 17 00:00:00 2001 | ||
862 | From: Jeremy Allison <jra@samba.org> | ||
863 | Date: Mon, 16 Jun 2014 23:15:21 -0700 | ||
864 | Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use | ||
865 | a copy of the info3 struct from the struct PAC_LOGON_INFO. | ||
866 | |||
867 | Call create_info3_from_pac_logon_info() to add in any resource SIDs | ||
868 | from the struct PAC_LOGON_INFO to the info3. | ||
869 | |||
870 | Signed-off-by: Jeremy Allison <jra@samba.org> | ||
871 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | ||
872 | Reviewed-by: Simo Sorce <idra@samba.org> | ||
873 | --- | ||
874 | source3/auth/auth_generic.c | 11 +++++++++-- | ||
875 | 1 file changed, 9 insertions(+), 2 deletions(-) | ||
876 | |||
877 | diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c | ||
878 | index 2880bc9..f841f0c 100644 | ||
879 | --- a/source3/auth/auth_generic.c | ||
880 | +++ b/source3/auth/auth_generic.c | ||
881 | @@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, | ||
882 | { | ||
883 | TALLOC_CTX *tmp_ctx; | ||
884 | struct PAC_LOGON_INFO *logon_info = NULL; | ||
885 | + struct netr_SamInfo3 *info3_copy = NULL; | ||
886 | bool is_mapped; | ||
887 | bool is_guest; | ||
888 | char *ntuser; | ||
889 | @@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, | ||
890 | |||
891 | /* save the PAC data if we have it */ | ||
892 | if (logon_info) { | ||
893 | - netsamlogon_cache_store(ntuser, &logon_info->info3); | ||
894 | + status = create_info3_from_pac_logon_info(tmp_ctx, | ||
895 | + logon_info, | ||
896 | + &info3_copy); | ||
897 | + if (!NT_STATUS_IS_OK(status)) { | ||
898 | + goto done; | ||
899 | + } | ||
900 | + netsamlogon_cache_store(ntuser, info3_copy); | ||
901 | } | ||
902 | |||
903 | /* setup the string used by %U */ | ||
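Review bot: the new failure branch after create_info3_from_pac_logon_info jumps to done without any diagnostic, so a Kerberos logon that is rejected because the resource-group merge failed (for example out of memory) leaves no trace in the log, unlike the make_session_info_krb5 failure a few lines later which is logged at level 1. Add a log line before the jump: `DEBUG(1, ("create_info3_from_pac_logon_info failed for %s: %s\n", ntuser, nt_errstr(status)));`. auth3_generate_session_info_pac starts and ends outside this hunk, so this assumes status is the value checked at the done label.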
904 | @@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, | ||
905 | |||
906 | status = make_session_info_krb5(mem_ctx, | ||
907 | ntuser, ntdomain, username, pw, | ||
908 | - &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, | ||
909 | + info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, | ||
910 | session_info); | ||
911 | if (!NT_STATUS_IS_OK(status)) { | ||
912 | DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", | ||
913 | -- | ||
914 | 1.9.3 | ||
915 | |||
916 | |||
917 | From 9ed711f88685fc2d4860c9d6b7fa651bd2a52558 Mon Sep 17 00:00:00 2001 | ||
918 | From: Jeremy Allison <jra@samba.org> | ||
919 | Date: Mon, 16 Jun 2014 23:27:35 -0700 | ||
920 | Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a | ||
921 | new info3 and merge in resource groups from a trusted PAC. | ||
922 | |||
923 | Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>. | ||
924 | |||
925 | Signed-off-by: Jeremy Allison <jra@samba.org> | ||
926 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | ||
927 | Reviewed-by: Simo Sorce <idra@samba.org> | ||
928 | |||
929 | Autobuild-User(master): Jeremy Allison <jra@samba.org> | ||
930 | Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104 | ||
931 | --- | ||
932 | source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++-- | ||
933 | 1 file changed, 22 insertions(+), 2 deletions(-) | ||
934 | |||
935 | diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c | ||
936 | index c356686..0f1ca28 100644 | ||
937 | --- a/source3/winbindd/winbindd_pam.c | ||
938 | +++ b/source3/winbindd/winbindd_pam.c | ||
939 | @@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, | ||
940 | struct winbindd_request *req = state->request; | ||
941 | DATA_BLOB pac_blob; | ||
942 | struct PAC_LOGON_INFO *logon_info = NULL; | ||
943 | + struct netr_SamInfo3 *info3_copy = NULL; | ||
944 | NTSTATUS result; | ||
945 | |||
946 | pac_blob = data_blob_const(req->extra_data.data, req->extra_len); | ||
947 | @@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, | ||
948 | |||
949 | if (logon_info) { | ||
950 | /* Signature verification succeeded, trust the PAC */ | ||
951 | - netsamlogon_cache_store(NULL, &logon_info->info3); | ||
952 | + result = create_info3_from_pac_logon_info(state->mem_ctx, | ||
953 | + logon_info, | ||
954 | + &info3_copy); | ||
955 | + if (!NT_STATUS_IS_OK(result)) { | ||
956 | + return result; | ||
957 | + } | ||
958 | + netsamlogon_cache_store(NULL, info3_copy); | ||
959 | |||
960 | } else { | ||
961 | /* Try without signature verification */ | ||
962 | @@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, | ||
963 | nt_errstr(result))); | ||
964 | return result; | ||
965 | } | ||
966 | + if (logon_info) { | ||
967 | + /* | ||
968 | + * Don't strictly need to copy here, | ||
969 | + * but it makes it explicit we're | ||
970 | + * returning a copy talloc'ed off | ||
971 | + * the state->mem_ctx. | ||
972 | + */ | ||
973 | + info3_copy = copy_netr_SamInfo3(state->mem_ctx, | ||
974 | + &logon_info->info3); | ||
975 | + if (info3_copy == NULL) { | ||
976 | + return NT_STATUS_NO_MEMORY; | ||
977 | + } | ||
978 | + } | ||
979 | } | ||
980 | |||
981 | - *info3 = &logon_info->info3; | ||
982 | + *info3 = info3_copy; | ||
983 | |||
984 | return NT_STATUS_OK; | ||
985 | } | ||
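Review bot: the "Try without signature verification" branch only copies `logon_info->info3` and never merges the PAC resource groups, whereas the verified branch above goes through create_info3_from_pac_logon_info, so a user whose PAC could not be signature-checked comes back with fewer group SIDs than the same user on the verified path. If that asymmetry is deliberate (not extending group membership from data whose signature could not be checked), the comment on the copy should say so, e.g. `/* Unverified PAC: copy the base info3 only; resource groups are deliberately not merged from unsigned data. */`; if it is not, replace the copy_netr_SamInfo3 call with `result = create_info3_from_pac_logon_info(state->mem_ctx, logon_info, &info3_copy);` and check result. Either way the current comment ("Don't strictly need to copy here") reads as a remark about talloc ownership, not about the trust difference, and that is the point a future maintainer will need.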
986 | -- | ||
987 | 1.9.3 | ||
988 | |||