From: Günther Deschner Date: Fri, 4 May 2007 10:21:39 +0000 (+0000) Subject: r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make X-Git-Tag: samba-misc-tags/initial-v3-0-unstable~554 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0f436eab5b2e5891c341c27cb22db52a72bf1af7;p=thirdparty%2Fsamba.git r22666: Expand kerberos_kinit_password_ext() to return NTSTATUS codes and make winbindd's kerberized pam_auth use that. Guenther --- diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c index dc3d11a60c2..c721b563850 100644 --- a/source/libads/kerberos.c +++ b/source/libads/kerberos.c @@ -189,7 +189,8 @@ int kerberos_kinit_password_ext(const char *principal, const char *cache_name, BOOL request_pac, BOOL add_netbios_addr, - time_t renewable_time) + time_t renewable_time, + NTSTATUS *ntstatus) { krb5_context ctx = NULL; krb5_error_code code = 0; @@ -267,6 +268,29 @@ int kerberos_kinit_password_ext(const char *principal, *renew_till_time = (time_t) my_creds.times.renew_till; } out: + if (ntstatus) { + + NTSTATUS status; + + /* fast path */ + if (code == 0) { + *ntstatus = NT_STATUS_OK; + goto cleanup; + } + + /* try to get ntstatus code out of krb5_error when we have it + * inside the krb5_get_init_creds_opt - gd */ + + if (opt && smb_krb5_get_ntstatus_from_krb5_error_init_creds_opt(ctx, opt, &status)) { + *ntstatus = status; + goto cleanup; + } + + /* fall back to self-made-mapping */ + *ntstatus = krb5_to_nt_status(code); + } + + cleanup: krb5_free_cred_contents(ctx, &my_creds); if (me) { krb5_free_principal(ctx, me); @@ -321,7 +345,8 @@ int ads_kinit_password(ADS_STRUCT *ads) } ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset, - &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable); + &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable, + NULL); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", @@ -580,7 +605,8 @@ int kerberos_kinit_password(const char *principal, cache_name, False, False, - 0); + 0, + NULL); } /************************************************************************ diff --git a/source/nsswitch/winbindd_cred_cache.c b/source/nsswitch/winbindd_cred_cache.c index 368090c3909..2c9572d7f86 100644 --- a/source/nsswitch/winbindd_cred_cache.c +++ b/source/nsswitch/winbindd_cred_cache.c @@ -111,7 +111,8 @@ static void krb5_ticket_refresh_handler(struct event_context *event_ctx, entry->ccname, False, /* no PAC required anymore */ True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL); gain_root_privilege(); if (ret) { @@ -224,7 +225,8 @@ static void krb5_ticket_gain_handler(struct event_context *event_ctx, entry->ccname, False, /* no PAC required anymore */ True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + NULL); gain_root_privilege(); if (ret) { diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c index 59bff901ce4..97c1ac4b9c3 100644 --- a/source/nsswitch/winbindd_pam.c +++ b/source/nsswitch/winbindd_pam.c @@ -564,12 +564,12 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, cc, True, True, - WINBINDD_PAM_AUTH_KRB5_RENEW_TIME); + WINBINDD_PAM_AUTH_KRB5_RENEW_TIME, + &result); if (krb5_ret) { DEBUG(1,("winbindd_raw_kerberos_login: kinit failed for '%s' with: %s (%d)\n", principal_s, error_message(krb5_ret), krb5_ret)); - result = krb5_to_nt_status(krb5_ret); goto failed; }