r2762: Remove silly conversion to and from UTF8 on the winbind pipe. Fix the
authorAndrew Bartlett <abartlet@samba.org>
Fri, 1 Oct 2004 03:28:39 +0000 (03:28 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:52:51 +0000 (10:52 -0500)
naming of the require_membership_of parameter in pam_winbind and fix
the error code for 'you didn't specify a domain' in ntlm_auth.

Andrew Bartlett

source/nsswitch/pam_winbind.c
source/nsswitch/wbinfo.c
source/nsswitch/winbindd_nss.h
source/nsswitch/winbindd_pam.c
source/utils/ntlm_auth.c

index 64e21738221a38539fc8f019aae4a1694e5cae29..9a00ac2886c4d13b44249ab5d45ec87e9706e27d 100644 (file)
@@ -45,7 +45,9 @@ static int _pam_parse(int argc, const char **argv)
                        ctrl |= WINBIND_TRY_FIRST_PASS_ARG;
                else if (!strcasecmp(*argv, "unknown_ok"))
                        ctrl |= WINBIND_UNKNOWN_OK_ARG;
-               else if (!strncasecmp(*argv, "required_membership", strlen("required_membership")))
+               else if (!strncasecmp(*argv, "require_membership_of", strlen("require_membership_of")))
+                       ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
+               else if (!strncasecmp(*argv, "require-membership-of", strlen("require-membership-of")))
                        ctrl |= WINBIND_REQUIRED_MEMBERSHIP;
                else {
                        _pam_log(LOG_ERR, "pam_parse: unknown option; %s", *argv);
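Review bot: The option parser now accepts `require-membership-of` and matches case-insensitively, but the value lookup in pam_sm_authenticate (the `strncmp(argv[i], "require_membership_of", ...)` hunk further down) is case-sensitive and knows only the underscore spelling. A hyphenated or differently-cased option therefore sets WINBIND_REQUIRED_MEMBERSHIP without the membership string being retrieved; what happens next is outside these hunks, but the risk is a configured group restriction that is silently not applied. Both loops should use the same test, for example `!strncasecmp(argv[i], "require_membership_of", ...) || !strncasecmp(argv[i], "require-membership-of", ...)`. The old `required_membership` spelling is also dropped, so existing PAM configurations will fall into the "unknown option" branch; consider still accepting it with a deprecation log line. _pam_parse starts and ends outside the hunk.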
@@ -213,8 +215,8 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
        /* lookup name? */ 
        if (!strncmp("S-", member, 2) == 0) {
                
-               struct winbindd_request request;
-               struct winbindd_response response;
+               struct winbindd_request sid_request;
+               struct winbindd_response sid_response;
 
                ZERO_STRUCT(request);
                ZERO_STRUCT(response);
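Review bot: The locals are renamed to `sid_request`/`sid_response`, but the `ZERO_STRUCT(request); ZERO_STRUCT(response);` lines directly below still name the outer structures, so the new locals stay uninitialized and anything already stored in the outer request is cleared. The next hunk has the same mismatch: it reads `member = response.data.sid.sid`. If the name lookup in the lines between the hunks (not visible here) also uses `request`/`response`, the authentication request sent afterwards no longer carries what the caller put into it. Suggested: `ZERO_STRUCT(sid_request); ZERO_STRUCT(sid_response);` here and `member = sid_response.data.sid.sid;` below, with the lookup call passing `&sid_request, &sid_response`.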
@@ -230,11 +232,11 @@ static int winbind_auth_request(const char *user, const char *pass, const char *
                        return PAM_AUTH_ERR;
                }
 
-               member = strdup(response.data.sid.sid);
+               member = response.data.sid.sid;
        }
 
-       strncpy(request.data.auth.required_membership_sid, member, 
-               sizeof(request.data.auth.required_membership_sid)-1);
+       strncpy(request.data.auth.require_membership_of_sid, member, 
+               sizeof(request.data.auth.require_membership_of_sid)-1);
        
         return pam_winbind_request_log(WINBINDD_PAM_AUTH, &request, &response, ctrl, user);
 }
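Review bot: The `strncpy(..., sizeof(...)-1)` into `require_membership_of_sid` never writes the last byte, so the field is terminated only if `request` was zeroed earlier, and that zeroing is not visible in this hunk. A `member` longer than the field is also cut silently, so the daemon would receive a different group string than the one configured. Make the copy self-contained: reject an over-long value with `if (strlen(member) >= sizeof(request.data.auth.require_membership_of_sid)) return PAM_AUTH_ERR;` and set the final byte to 0 after the copy.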
@@ -488,7 +490,7 @@ int pam_sm_authenticate(pam_handle_t *pamh, int flags,
      /* Retrieve membership-string here */
      for ( i=0; i<argc; i++ ) {
 
-        if (!strncmp(argv[i], "required_membership", strlen("required_membership"))) {
+        if (!strncmp(argv[i], "require_membership_of", strlen("require_membership_of"))) {
 
             char *p;
             char *parm = strdup(argv[i]);
index 2abd9c69a1751f38863b57fd95782d1a0b955293..69f464f446aa3db7ca75195997a57bd019b988b7 100644 (file)
@@ -567,18 +567,10 @@ static BOOL wbinfo_auth_crap(char *username)
                
        parse_wbinfo_domain_user(username, name_domain, name_user);
 
-       if (push_utf8_fstring(request.data.auth_crap.user, name_user) == -1) {
-               d_printf("unable to create utf8 string for '%s'\n",
-                        name_user);
-               return False;
-       }
+       fstrcpy(request.data.auth_crap.user, name_user);
 
-       if (push_utf8_fstring(request.data.auth_crap.domain, 
-                             name_domain) == -1) {
-               d_printf("unable to create utf8 string for '%s'\n",
-                        name_domain);
-               return False;
-       }
+       fstrcpy(request.data.auth_crap.domain, 
+                             name_domain);
 
        generate_random_buffer(request.data.auth_crap.chal, 8);
         
index 6a457f38004a83ca1f6eb1ad95bffea7752b0072..9a99bad9d747911ca0deda208738ab9f90c24e47 100644 (file)
@@ -181,7 +181,7 @@ struct winbindd_request {
                            character is. */    
                        fstring user;
                        fstring pass;
-                       fstring required_membership_sid;
+                       fstring require_membership_of_sid;
                } auth;              /* pam_winbind auth module */
                 struct {
                         unsigned char chal[8];
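Review bot: This header defines the request layout shared by winbindd and its clients, and the commit changes what the `fstring` fields carry on the pipe (no longer UTF-8) without any visible hunk touching a protocol version. A client built before this change talking to a new daemon, or the reverse, would disagree on the encoding of non-ASCII user and domain names, which would show up as failed lookups or authentications. If this header carries the interface version constant (WINBIND_INTERFACE_VERSION in Samba), bump it in the same commit. A comment on the struct such as `/* strings on the pipe are in the unix charset, not UTF-8 */` would record the contract. The struct body continues outside the hunk.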
@@ -192,7 +192,7 @@ struct winbindd_request {
                         fstring nt_resp;
                         uint16 nt_resp_len;
                        fstring workstation;
-                       fstring required_membership_sid;
+                       fstring require_membership_of_sid;
                 } auth_crap;
                 struct {
                     fstring user;
index e8d15f470385a2f06d752b5bf6d5463d6da73e1c..e13649afe15085470919bf5d16f3c8aa6551bf7d 100644 (file)
@@ -59,7 +59,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
                                     NET_USER_INFO_3 *info3,
                                     const char *group_sid) 
 {
-       DOM_SID required_membership_sid;
+       DOM_SID require_membership_of_sid;
        DOM_SID *all_sids;
        size_t num_all_sids = (2 + info3->num_groups2 + info3->num_other_sids);
        size_t i, j = 0;
@@ -71,7 +71,7 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
                return NT_STATUS_OK;
        }
        
-       if (!string_to_sid(&required_membership_sid, group_sid)) {
+       if (!string_to_sid(&require_membership_of_sid, group_sid)) {
                DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!", 
                          group_sid));
 
@@ -133,9 +133,9 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
                fstring sid1, sid2;
                DEBUG(10, ("User has SID: %s\n", 
                           sid_to_string(sid1, &all_sids[i])));
-               if (sid_equal(&required_membership_sid, &all_sids[i])) {
+               if (sid_equal(&require_membership_of_sid, &all_sids[i])) {
                        DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n", 
-                                  sid_to_string(sid1, &required_membership_sid), sid_to_string(sid2, &all_sids[i])));
+                                  sid_to_string(sid1, &require_membership_of_sid), sid_to_string(sid2, &all_sids[i])));
                        return NT_STATUS_OK;
                }
        }
@@ -334,10 +334,10 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
 
                /* Check if the user is in the right group */
 
-               if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.required_membership_sid))) {
+               if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth.require_membership_of_sid))) {
                        DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
                                  state->request.data.auth.user, 
-                                 state->request.data.auth.required_membership_sid));
+                                 state->request.data.auth.require_membership_of_sid));
                }
        }
 
@@ -414,7 +414,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
         NET_USER_INFO_3 info3;
         struct cli_state *cli = NULL;
        TALLOC_CTX *mem_ctx = NULL;
-       char *name_user = NULL;
+       const char *name_user = NULL;
        const char *name_domain = NULL;
        const char *workstation;
        struct winbindd_domain *contact_domain;
@@ -432,7 +432,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
                /* send a better message than ACCESS_DENIED */
                asprintf(&error_string, "winbind client not authorized to use winbindd_pam_auth_crap.  Ensure permissions on %s are set correctly.",
                         get_winbind_priv_pipe_dir());
-               push_utf8_fstring(state->response.data.auth.error_string, error_string);
+               fstrcpy(state->response.data.auth.error_string, error_string);
                SAFE_FREE(error_string);
                result =  NT_STATUS_ACCESS_DENIED;
                goto done;
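Review bot: The new `fstrcpy(state->response.data.auth.error_string, error_string)` copies from `error_string` unconditionally, while the return value of the `asprintf` on the context line above is ignored. When `asprintf` fails, the pointer's content is not defined, so the copy and the following `SAFE_FREE` would act on an indeterminate pointer unless it was initialized to NULL outside the hunk. Wrap both in the success case, `if (asprintf(&error_string, ...) != -1) { fstrcpy(...); SAFE_FREE(error_string); }`, and let the generic message set at `done:` stand otherwise.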
@@ -442,26 +442,16 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
        state->request.data.auth_crap.user[sizeof(state->request.data.auth_crap.user)-1]=0;
        state->request.data.auth_crap.domain[sizeof(state->request.data.auth_crap.domain)-1]=0;
 
-       if (!(mem_ctx = talloc_init("winbind pam auth crap for (utf8) %s", state->request.data.auth_crap.user))) {
+       if (!(mem_ctx = talloc_init("winbind pam auth crap for %s", state->request.data.auth_crap.user))) {
                DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
                result = NT_STATUS_NO_MEMORY;
                goto done;
        }
 
-        if (pull_utf8_talloc(mem_ctx, &name_user, state->request.data.auth_crap.user) == (size_t)-1) {
-               DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
-               result = NT_STATUS_UNSUCCESSFUL;
-               goto done;
-       }
+       name_user = state->request.data.auth_crap.user;
 
        if (*state->request.data.auth_crap.domain) {
-               char *dom = NULL;
-               if (pull_utf8_talloc(mem_ctx, &dom, state->request.data.auth_crap.domain) == (size_t)-1) {
-                       DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
-                       result = NT_STATUS_UNSUCCESSFUL;
-                       goto done;
-               }
-               name_domain = dom;
+               name_domain = state->request.data.auth_crap.domain;
        } else if (lp_winbind_use_default_domain()) {
                name_domain = lp_workgroup();
        } else {
@@ -475,13 +465,7 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
                  name_domain, name_user));
           
        if (*state->request.data.auth_crap.workstation) {
-               char *wrk = NULL;
-               if (pull_utf8_talloc(mem_ctx, &wrk, state->request.data.auth_crap.workstation) == (size_t)-1) {
-                       DEBUG(0, ("winbindd_pam_auth_crap: pull_utf8_talloc failed!\n"));
-                       result = NT_STATUS_UNSUCCESSFUL;
-                       goto done;
-               }
-               workstation = wrk;
+               workstation = state->request.data.auth_crap.workstation;
        } else {
                workstation = global_myname();
        }
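Review bot: `workstation` now points straight at `state->request.data.auth_crap.workstation`, bytes supplied by the pipe client, but the only fields forcibly NUL-terminated in the visible context are `user` and `domain` (previous hunk). Unless termination happens in the lines between the hunks, a client that fills the field completely makes later string reads run past its end. The same applies to `require_membership_of_sid`, which is handed to check_info3_in_group further down. Add `state->request.data.auth_crap.workstation[sizeof(state->request.data.auth_crap.workstation)-1]=0;` next to the two existing termination lines, and the equivalent line for the SID field.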
@@ -587,10 +571,10 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
                netsamlogon_cache_store( cli->mem_ctx, name_user, &info3 );
                wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
                
-               if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.required_membership_sid))) {
+               if (!NT_STATUS_IS_OK(result = check_info3_in_group(mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) {
                        DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
                                  state->request.data.auth_crap.user, 
-                                 state->request.data.auth_crap.required_membership_sid));
+                                 state->request.data.auth_crap.require_membership_of_sid));
                        goto done;
                }
 
@@ -616,8 +600,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
 
                        DEBUG(5, ("Setting unix username to [%s]\n", username_out));
 
-                       /* this interface is in UTF8 */
-                       if (push_utf8_allocate((char **)&state->response.extra_data, username_out) == -1) {
+                       state->response.extra_data = strdup(username_out);
+                       if (!state->response.extra_data) {
                                result = NT_STATUS_NO_MEMORY;
                                goto done;
                        }
@@ -643,11 +627,11 @@ done:
        }
        
        state->response.data.auth.nt_status = NT_STATUS_V(result);
-       push_utf8_fstring(state->response.data.auth.nt_status_string, nt_errstr(result));
+       fstrcpy(state->response.data.auth.nt_status_string, nt_errstr(result));
        
        /* we might have given a more useful error above */
        if (!*state->response.data.auth.error_string) 
-               push_utf8_fstring(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
+               fstrcpy(state->response.data.auth.error_string, get_friendly_nt_error_msg(result));
        state->response.data.auth.pam_error = nt_status_to_pam(result);
 
        DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, 
@@ -677,7 +661,7 @@ enum winbindd_result winbindd_pam_chauthtok(struct winbindd_cli_state *state)
        DEBUG(3, ("[%5lu]: pam chauthtok %s\n", (unsigned long)state->pid,
                state->request.data.chauthtok.user));
 
-       if (!(mem_ctx = talloc_init("winbind password change for (utf8) %s", 
+       if (!(mem_ctx = talloc_init("winbind password change for %s", 
                                    state->request.data.chauthtok.user))) {
                DEBUG(0, ("winbindd_pam_auth_crap: could not talloc_init()!\n"));
                result = NT_STATUS_NO_MEMORY;
index 609b480406e9a6ba82de990d1d9673302f31a6f9..ea7db55e2dd729f15e59bb1a4570fcf9f2c0313f 100644 (file)
@@ -90,7 +90,7 @@ static int request_lm_key;
 static int request_user_session_key;
 
 static const char *require_membership_of;
-static const char *require_membership_sid;
+static const char *require_membership_of_sid;
 
 static char winbind_separator(void)
 {
@@ -214,7 +214,7 @@ static BOOL get_require_membership_sid(void) {
                return True;
        }
 
-       if (require_membership_sid) {
+       if (require_membership_of_sid) {
                return True;
        }
 
@@ -238,9 +238,9 @@ static BOOL get_require_membership_sid(void) {
                return False;
        }
 
-       require_membership_sid = strdup(response.data.sid.sid);
+       require_membership_of_sid = strdup(response.data.sid.sid);
 
-       if (require_membership_sid)
+       if (require_membership_of_sid)
                return True;
 
        return False;
@@ -265,8 +265,8 @@ static BOOL check_plaintext_auth(const char *user, const char *pass,
 
        fstrcpy(request.data.auth.user, user);
        fstrcpy(request.data.auth.pass, pass);
-       if (require_membership_sid)
-               fstrcpy(request.data.auth.required_membership_sid, require_membership_sid);
+       if (require_membership_of_sid)
+               fstrcpy(request.data.auth.require_membership_of_sid, require_membership_of_sid);
 
        result = winbindd_request(WINBINDD_PAM_AUTH, &request, &response);
 
@@ -323,27 +323,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
 
        request.flags = flags;
 
-       if (require_membership_sid)
-               fstrcpy(request.data.auth_crap.required_membership_sid, require_membership_sid);
+       if (require_membership_of_sid)
+               fstrcpy(request.data.auth_crap.require_membership_of_sid, require_membership_of_sid);
 
-       if (push_utf8_fstring(request.data.auth_crap.user, username) == -1) {
-               *error_string = smb_xstrdup(
-                       "unable to create utf8 string for username");
-               return NT_STATUS_UNSUCCESSFUL;
-       }
-
-       if (push_utf8_fstring(request.data.auth_crap.domain, domain) == -1) {
-               *error_string = smb_xstrdup(
-                       "unable to create utf8 string for domain");
-               return NT_STATUS_UNSUCCESSFUL;
-       }
+        fstrcpy(request.data.auth_crap.user, username);
+       fstrcpy(request.data.auth_crap.domain, domain);
 
-       if (push_utf8_fstring(request.data.auth_crap.workstation, 
-                             workstation) == -1) {
-               *error_string = smb_xstrdup(
-                       "unable to create utf8 string for workstation");
-               return NT_STATUS_UNSUCCESSFUL;
-       }
+       fstrcpy(request.data.auth_crap.workstation, 
+               workstation);
 
        memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
 
@@ -391,7 +378,8 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
        }
 
        if (flags & WBFLAG_PAM_UNIX_NAME) {
-               if (pull_utf8_allocate(unix_name, (char *)response.extra_data) == -1) {
+               *unix_name = strdup((char *)response.extra_data);
+               if (!*unix_name) {
                        free_response(&response);
                        return NT_STATUS_NO_MEMORY;
                }
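Review bot: `strdup((char *)response.extra_data)` is called without first checking that the daemon returned extra data; with a NULL `extra_data` the call is undefined behaviour, and any NULL result is reported as NT_STATUS_NO_MEMORY regardless of the cause. Guard it first with `if (!response.extra_data) { free_response(&response); return NT_STATUS_UNSUCCESSFUL; }`. Whether the payload is guaranteed to be NUL-terminated depends on the response reader, which is outside this hunk, so a short comment stating that assumption would help the next reader.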
@@ -478,7 +466,7 @@ static NTSTATUS ntlm_auth_start_ntlmssp_client(NTLMSSP_STATE **client_ntlmssp_st
        NTSTATUS status;
        if ( (opt_username == NULL) || (opt_domain == NULL) ) {
                DEBUG(1, ("Need username and domain for NTLMSSP\n"));
-               return status;
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        status = ntlmssp_client_start(client_ntlmssp_state);
@@ -1817,7 +1805,7 @@ enum {
 
                 case OPT_REQUIRE_MEMBERSHIP:
                        if (StrnCaseCmp("S-", require_membership_of, 2) == 0) {
-                               require_membership_sid = require_membership_of;
+                               require_membership_of_sid = require_membership_of;
                        }
                        break;
                }