s3:libads: Return canonical principal and realm from kerberos_return_pac()
authorSamuel Cabrero <scabrero@suse.de>
Tue, 22 Feb 2022 12:08:56 +0000 (13:08 +0100)
committerJule Anger <janger@samba.org>
Fri, 25 Feb 2022 10:31:13 +0000 (10:31 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14979

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 00b1f44a7e8f66976757535bcbc6bea97fb1c29f)

source3/libads/authdata.c
source3/libads/kerberos_proto.h
source3/utils/net_ads.c
source3/winbindd/winbindd_pam.c

index c048510d480fc4fb4bf03e3ddc90c7a85c6ab700..bf9a2335445720130ebd399e995f861619d23218 100644 (file)
@@ -57,6 +57,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
                             const char *local_service,
+                            char **_canon_principal,
+                            char **_canon_realm,
                             struct PAC_DATA_CTR **_pac_data_ctr)
 {
        krb5_error_code ret;
@@ -75,6 +77,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        struct auth4_context *auth_context;
        struct loadparm_context *lp_ctx;
        struct PAC_DATA_CTR *pac_data_ctr = NULL;
+       char *canon_principal = NULL;
+       char *canon_realm = NULL;
 
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -88,6 +92,14 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                goto out;
        }
 
+       if (_canon_principal != NULL) {
+               *_canon_principal = NULL;
+       }
+
+       if (_canon_realm != NULL) {
+               *_canon_realm = NULL;
+       }
+
        if (cache_name) {
                cc = cache_name;
        }
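Review bot: The two out-parameters are cleared only after the function's early exits, so on those paths they are left exactly as the caller passed them. Both the `NT_STATUS_HAVE_NO_MEMORY(tmp_ctx)` return in the previous hunk and the `goto out` at the top of this hunk run before `*_canon_principal = NULL;` and `*_canon_realm = NULL;`. A caller that passes an uninitialised `char *` and inspects or frees it after a failure would then be acting on an indeterminate pointer. Both callers in this commit pass `NULL`, so nothing is affected yet, but I would move the two `if (_canon_... != NULL)` blocks ahead of the first early exit so every return path leaves the outputs defined. The function body starts before and continues after this hunk.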
@@ -109,7 +121,9 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                                          request_pac,
                                          add_netbios_addr,
                                          renewable_time,
-                                         NULL, NULL, NULL,
+                                         tmp_ctx,
+                                         &canon_principal,
+                                         &canon_realm,
                                          &status);
        if (ret) {
                DEBUG(1,("kinit failed for '%s' with: %s (%d)\n",
@@ -243,6 +257,12 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
        }
 
        *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
+       if (_canon_principal != NULL) {
+               *_canon_principal = talloc_move(mem_ctx, &canon_principal);
+       }
+       if (_canon_realm != NULL) {
+               *_canon_realm = talloc_move(mem_ctx, &canon_realm);
+       }
 
 out:
        talloc_free(tmp_ctx);
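Review bot: The success path returns without checking that `canon_principal` and `canon_realm` were actually filled in. Whether `kerberos_kinit_password_ext()` can succeed and leave either pointer NULL is not visible here. If it can, `talloc_move()` hands NULL back with an OK status, and a caller that relies on the canonical name for user mapping has to notice that rather than quietly fall back to the client-supplied name. I would either fail when a requested value is missing or state the contract above the function, e.g. `/* _canon_principal and _canon_realm are optional; on success they are talloc'ed on mem_ctx and owned by the caller */`, including whether NULL is a possible result. The function starts outside this hunk.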
index 3d7b5bc074b6aa7ef59648ce3ae058416140f5f2..807381248c82462db04840ba50849f93e8643f92 100644 (file)
@@ -78,6 +78,8 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
                             time_t renewable_time,
                             const char *impersonate_princ_s,
                             const char *local_service,
+                            char **_canon_principal,
+                            char **_canon_realm,
                             struct PAC_DATA_CTR **pac_data_ctr);
 
 /* The following definitions come from libads/krb5_setpw.c  */
index c8b18a9c281bf0f904e972973e12d26a91528a7d..bec206e653b73a34c4a19b37833b2d2fcff68264 100644 (file)
@@ -3246,6 +3246,8 @@ static int net_ads_kerberos_pac_common(struct net_context *c, int argc, const ch
                                     2592000, /* one month */
                                     impersonate_princ_s,
                                     local_service,
+                                    NULL,
+                                    NULL,
                                     pac_data_ctr);
        if (!NT_STATUS_IS_OK(status)) {
                d_printf(_("failed to query kerberos PAC: %s\n"),
index f71eb8197a43f1887f8906b2eecbada72c8738ad..001c711911bd01d8b578d23211844e120c62b1c3 100644 (file)
@@ -789,6 +789,8 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                                     WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
                                     NULL,
                                     local_service,
+                                    NULL,
+                                    NULL,
                                     &pac_data_ctr);
        if (user_ccache_file != NULL) {
                gain_root_privilege();