From: Samuel Cabrero
Date: Thu, 10 Jun 2021 12:03:43 +0000 (+0200)
Subject: s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_stat...
X-Git-Tag: tevent-0.12.0~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38b947912700fed8792d77afcdc4bcd06a7d0a87;p=thirdparty%2Fsamba.git
s3:winbind: Refactor winbindd_dual_pam_auth_kerberos(), do not take winbindd_cli_state struct parameter
Refactor winbindd_dual_pam_auth_kerberos() to do not take a winbindd_cli_state struct as parameter but its members. The kerberos ccache name is returned as an out parameter and the caller is responsible for copying it in the winbindd_response struct. Later winbindd_dual_pam_auth() will be converted to a local RPC call handler and it will not receive a winbindd_cli_state as argument so reduce passing this struct around.
Signed-off-by: Samuel Cabrero
Reviewed-by: Jeremy Allison
---
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4c6d72c13c6..c9a7ce8c8bd 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -762,7 +762,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 const char *krb5_cc_type,
 uid_t uid,
 struct netr_SamInfo6 **info6,
- fstring krb5ccname)
+ const char **_krb5ccname)
 {
 #ifdef HAVE_KRB5
 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -794,6 +794,10 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = NULL;
+ }
+
 /* 1st step:
 * prepare a krb5_cc_cache string for the user */
@@ -943,7 +947,9 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 if (user_ccache_file != NULL) {
- fstrcpy(krb5ccname, user_ccache_file);
+ if (_krb5ccname != NULL) {
+ *_krb5ccname = talloc_steal(mem_ctx, user_ccache_file);
+ }
 result = add_ccache_to_list(principal_s,
 cc,
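Review bot: In the @@ -794 hunk the added `*_krb5ccname = NULL;` comes after the `return NT_STATUS_INVALID_PARAMETER;` visible in the context lines, so that early exit leaves the caller's out-parameter untouched. The one caller in this patch initialises its variable to NULL itself, but an out-parameter is safer when it is cleared before the first return; moving the three added lines ahead of the parameter checks would give every exit path a defined value. Whether the build without HAVE_KRB5 also clears it cannot be seen from these hunks and should be checked. The function body starts and ends outside the hunk.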
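Review bot: In the @@ -943 hunk, `*_krb5ccname = talloc_steal(mem_ctx, user_ccache_file);` changes who owns the ccache name without saying so, and it publishes the name before `add_ccache_to_list()` has returned. If a failure after this point is reported to the caller (the rest of the function is outside the hunk), the out-parameter would be non-NULL on an error return. I would add a comment above the assignment, `/* *_krb5ccname is owned by mem_ctx; callers must only use it when NT_STATUS_OK is returned */`, and repeat that contract in the function's header comment.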
@@ -1431,8 +1437,13 @@ failed:
 }
 static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
- struct winbindd_cli_state *state,
- struct netr_SamInfo6 **info6)
+ const char *user,
+ const char *pass,
+ const char *krb5_cc_type,
+ uid_t uid,
+ TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo6 **info6,
+ const char **_krb5ccname)
 {
 struct winbindd_domain *contact_domain;
 fstring name_namespace, name_domain, name_user;
@@ -1443,7 +1454,7 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 /* Parse domain and username */
- ok = parse_domain_user(state->request->data.auth.user,
+ ok = parse_domain_user(user,
 name_namespace,
 name_domain,
 name_user);
@@ -1461,7 +1472,7 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 }
 if (contact_domain == NULL) {
 DEBUG(3, ("Authentication for domain for [%s] -> [%s]\\[%s] failed as %s is not a trusted domain\n",
- state->request->data.auth.user, name_domain, name_user, name_namespace));
+ user, name_domain, name_user, name_namespace));
 result = NT_STATUS_NO_SUCH_USER;
 goto done;
 }
@@ -1482,12 +1493,14 @@ static NTSTATUS winbindd_dual_pam_auth_kerberos(struct winbindd_domain *domain,
 }
 try_login:
 result = winbindd_raw_kerberos_login(
- state->mem_ctx, contact_domain,
- state->request->data.auth.user,
- state->request->data.auth.pass,
- state->request->data.auth.krb5_cc_type,
- get_uid_from_request(state->request),
- info6, state->response->data.auth.krb5ccname);
+ mem_ctx,
+ contact_domain,
+ user,
+ pass,
+ krb5_cc_type,
+ uid,
+ info6,
+ _krb5ccname);
 done:
 return result;
 }
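Review bot: The new `user` and `pass` pointer parameters in the @@ -1431 hunk are used without a NULL check in the visible lines: `user` goes straight into `parse_domain_user()` (@@ -1443) and into the `%s` of the DEBUG call (@@ -1461). The old code read them from `state->request->data.auth`, presumably fixed buffers that could not be NULL; since the commit message plans to call this from an RPC handler, a guard at the top such as `if (user == NULL || pass == NULL) return NT_STATUS_INVALID_PARAMETER;` would keep a malformed request from reaching those calls. As a style point, `TALLOC_CTX *mem_ctx` is fifth here while `winbindd_raw_kerberos_login()` takes it first; matching that order and adding a header comment that `*_krb5ccname` is allocated on `mem_ctx` would make the contract clearer.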
@@ -2280,14 +2293,27 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 /* Check for Kerberos authentication */
 if (domain->online && (state->request->flags & WBFLAG_PAM_KRB5)) {
 struct netr_SamInfo6 *info6 = NULL;
+ const char *krb5ccname = NULL;
+
+ result = winbindd_dual_pam_auth_kerberos(
+ domain,
+ state->request->data.auth.user,
+ state->request->data.auth.pass,
+ state->request->data.auth.krb5_cc_type,
+ get_uid_from_request(state->request),
+ state->mem_ctx,
+ &info6,
+ &krb5ccname);
- result = winbindd_dual_pam_auth_kerberos(domain, state, &info6);
 /* save for later */
 krb5_result = result;
 if (NT_STATUS_IS_OK(result)) {
 DEBUG(10,("winbindd_dual_pam_auth_kerberos succeeded\n"));
+ fstrcpy(state->response->data.auth.krb5ccname,
+ krb5ccname);
+
 result = map_info6_to_validation(state->mem_ctx,
 info6,
 &validation_level,
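Review bot: `fstrcpy(state->response->data.auth.krb5ccname, krb5ccname);` runs on every successful result, but `winbindd_raw_kerberos_login()` only sets the out-parameter when `user_ccache_file != NULL`, so `krb5ccname` can still be NULL at this point. The copy then depends on fstrcpy accepting a NULL source, which is not visible on this page; wrapping it in `if (krb5ccname != NULL) { ... }` states the intent and removes that dependency. The copy into the fixed-size response field also appears to truncate silently, as the old in-function copy presumably did, so a name longer than the field would reach the PAM client differing from the cache that was created. Checking the length and logging or failing in that case would be safer. The enclosing function continues outside the hunk.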