From: Ralph Boehme
Date: Wed, 29 Nov 2017 09:55:25 +0000 (+0100)
Subject: winbindd: use add_trusted_domain_from_auth
X-Git-Tag: samba-4.8.0rc1~45
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=939592c660263b6f9969c30e4c6a1903fcc75831;p=thirdparty%2Fsamba.git
winbindd: use add_trusted_domain_from_auth
After a successfully authentication, ensure we have the users domain in our domain list and the TDC.
Signed-off-by: Ralph Boehme
---
diff --git a/source3/winbindd/winbindd_pam_auth.c b/source3/winbindd/winbindd_pam_auth.c
index 7ff44888975..b35a17cf319 100644
--- a/source3/winbindd/winbindd_pam_auth.c
+++ b/source3/winbindd/winbindd_pam_auth.c
@@ -19,6 +19,7 @@
 #include "includes.h"
 #include "winbindd.h"
+#include "libcli/security/dom_sid.h"
 struct winbindd_pam_auth_state {
 struct winbindd_request *request;
@@ -127,6 +128,20 @@ NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
 return status;
 }
+ if (state->request->flags & WBFLAG_PAM_INFO3_TEXT) {
+ bool ok;
+
+ ok = add_trusted_domain_from_auth(
+ state->response->data.auth.validation_level,
+ &state->response->data.auth.info3,
+ &state->response->data.auth.info6);
+ if (!ok) {
+ DBG_ERR("add_trusted_domain_from_auth failed\n");
+ set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
 if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
 /* Store in-memory creds for single-signon using ntlm_auth. */
diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
index 695ee1d0864..eb4087b1c2c 100644
--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
@@ -20,6 +20,7 @@
 #include "includes.h"
 #include "winbindd.h"
 #include "rpc_client/util_netlogon.h"
+#include "libcli/security/dom_sid.h"
 struct winbindd_pam_auth_crap_state {
 struct winbindd_response *response;
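Review bot: The block added to winbindd_pam_auth_recv() runs only when the request carries `WBFLAG_PAM_INFO3_TEXT`, so whether the user's domain is added to the domain list and the TDC after a successful logon depends on a flag chosen by the requesting client. If the gate exists only because `info3`/`info6` are populated when that flag is set, a short comment such as `/* info3/info6 are only filled in for WBFLAG_PAM_INFO3_TEXT requests */` would make that explicit; otherwise the check should not hinge on it. The same gate appears in the last hunk of winbindd_pam_auth_crap.c. On failure, a logon that passed the earlier status check is reported as `NT_STATUS_LOGON_FAILURE` with only a fixed log text, which is hard to tell apart from a bad password during triage; consider `DBG_ERR("add_trusted_domain_from_auth failed, validation_level %d\n", (int)state->response->data.auth.validation_level);`. The function body starts and ends outside the hunk.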
@@ -46,10 +47,11 @@ struct tevent_req *winbindd_pam_auth_crap_send(
 return NULL;
 }
- if (request->flags & WBFLAG_PAM_AUTH_PAC) {
+ state->flags = request->flags;
+
+ if (state->flags & WBFLAG_PAM_AUTH_PAC) {
 NTSTATUS status;
- state->flags = request->flags;
 status = winbindd_pam_auth_pac_send(cli, &state->info3);
 if (NT_STATUS_IS_OK(status)) {
 /* Defer filling out response to recv */
@@ -132,7 +134,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
 return status;
 }
- if (state->flags & WBFLAG_PAM_AUTH_PAC) {
+ if (state->flags & WBFLAG_PAM_AUTH_PAC) {
 uint16_t validation_level;
 union netr_Validation *validation = NULL;
@@ -155,6 +157,22 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
 }
+ if (NT_STATUS_IS_OK(NT_STATUS(state->response->data.auth.nt_status)) &&
+ (state->flags & WBFLAG_PAM_INFO3_TEXT))
+ {
+ bool ok;
+
+ ok = add_trusted_domain_from_auth(
+ state->response->data.auth.validation_level,
+ &state->response->data.auth.info3,
+ &state->response->data.auth.info6);
+ if (!ok) {
+ DBG_ERR("add_trusted_domain_from_auth failed\n");
+ set_auth_errors(response, NT_STATUS_LOGON_FAILURE);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+ }
+
 *response = *state->response;
 response->result = WINBINDD_PENDING;
 state->response = talloc_move(response, &state->response);
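Review bot: In winbindd_pam_auth_crap_recv() the added check sits after the closing brace of the `WBFLAG_PAM_AUTH_PAC` branch, whose middle lies between this hunk and the previous one and is not visible here. If that branch returns on success, PAC logons never reach `add_trusted_domain_from_auth`; if it falls through, `state->response` must be valid on that path as well, so either case deserves a comment or an explicit guard. This copy tests `NT_STATUS_IS_OK(NT_STATUS(state->response->data.auth.nt_status))` itself, while the matching block in winbindd_pam_auth.c appears to rely on an earlier return, and moving both into one shared helper would keep the two from drifting apart. The new `#include "libcli/security/dom_sid.h"` in both files is not needed by any line shown in these hunks and may be droppable.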