From 83a4031e1d7fdecc15f9f77aea176d4676ea7a6e Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Mar 2017 09:57:30 +0100
Subject: [PATCH 1/2] s3:libads: Remove obsolete
 smb_krb5_get_ntstatus_from_init_creds()

There is no way we can get a better error code out of this. The original
function called was krb5_get_init_creds_opt_get_error() which has been
deprecated in 2008.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>
(cherry picked from commit e2028837b958618a66449a77ee628e4e176e521e)
---
 source3/libads/kerberos.c | 169 ----------------------------------------------
 1 file changed, 169 deletions(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index dcb268e..13c48ca 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -99,156 +99,6 @@ kerb_prompter(krb5_context ctx, void *data,
 	return 0;
 }
 
-static bool unwrap_edata_ntstatus(TALLOC_CTX *mem_ctx,
-				  DATA_BLOB *edata,
-				  DATA_BLOB *edata_out)
-{
-	DATA_BLOB edata_contents;
-	ASN1_DATA *data;
-	int edata_type;
-
-	if (!edata->length) {
-		return false;
-	}
-
-	data = asn1_init(mem_ctx);
-	if (data == NULL) {
-		return false;
-	}
-
-	if (!asn1_load(data, *edata)) goto err;
-	if (!asn1_start_tag(data, ASN1_SEQUENCE(0))) goto err;
-	if (!asn1_start_tag(data, ASN1_CONTEXT(1))) goto err;
-	if (!asn1_read_Integer(data, &edata_type)) goto err;
-
-	if (edata_type != KRB5_PADATA_PW_SALT) {
-		DEBUG(0,("edata is not of required type %d but of type %d\n",
-			KRB5_PADATA_PW_SALT, edata_type));
-		goto err;
-	}
-
-	if (!asn1_start_tag(data, ASN1_CONTEXT(2))) goto err;
-	if (!asn1_read_OctetString(data, talloc_tos(), &edata_contents)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	if (!asn1_end_tag(data)) goto err;
-	asn1_free(data);
-
-	*edata_out = data_blob_talloc(mem_ctx, edata_contents.data, edata_contents.length);
-
-	data_blob_free(&edata_contents);
-
-	return true;
-
-  err:
-
-	asn1_free(data);
-	return false;
-}
-
- static bool smb_krb5_get_ntstatus_from_krb5_error(krb5_error *error,
-						   NTSTATUS *nt_status)
-{
-	DATA_BLOB edata;
-	DATA_BLOB unwrapped_edata;
-	TALLOC_CTX *mem_ctx;
-	struct KRB5_EDATA_NTSTATUS parsed_edata;
-	enum ndr_err_code ndr_err;
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	edata = data_blob(error->e_data->data, error->e_data->length);
-#else
-	edata = data_blob(error->e_data.data, error->e_data.length);
-#endif /* HAVE_E_DATA_POINTER_IN_KRB5_ERROR */
-
-#ifdef DEVELOPER
-	dump_data(10, edata.data, edata.length);
-#endif /* DEVELOPER */
-
-	mem_ctx = talloc_init("smb_krb5_get_ntstatus_from_krb5_error");
-	if (mem_ctx == NULL) {
-		data_blob_free(&edata);
-		return False;
-	}
-
-	if (!unwrap_edata_ntstatus(mem_ctx, &edata, &unwrapped_edata)) {
-		data_blob_free(&edata);
-		TALLOC_FREE(mem_ctx);
-		return False;
-	}
-
-	data_blob_free(&edata);
-
-	ndr_err = ndr_pull_struct_blob_all(&unwrapped_edata, mem_ctx, 
-		&parsed_edata, (ndr_pull_flags_fn_t)ndr_pull_KRB5_EDATA_NTSTATUS);
-	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		data_blob_free(&unwrapped_edata);
-		TALLOC_FREE(mem_ctx);
-		return False;
-	}
-
-	data_blob_free(&unwrapped_edata);
-
-	if (nt_status) {
-		*nt_status = parsed_edata.ntstatus;
-	}
-
-	TALLOC_FREE(mem_ctx);
-
-	return True;
-}
-
-static bool smb_krb5_get_ntstatus_from_init_creds(krb5_context ctx,
-						  krb5_principal client,
-						  krb5_get_init_creds_opt *opt,
-						  NTSTATUS *nt_status)
-{
-	krb5_init_creds_context icc;
-	krb5_error_code code;
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	/* HEIMDAL */
-	krb5_error error;
-#else
-	krb5_error *error = NULL;
-#endif
-	bool ok;
-
-	code = krb5_init_creds_init(ctx,
-				    client,
-				    NULL,
-				    NULL,
-				    0,
-				    opt,
-				    &icc);
-	if (code != 0) {
-		DBG_WARNING("krb5_init_creds_init failed with: %s\n",
-			    error_message(code));
-		return false;
-	}
-
-	code = krb5_init_creds_get_error(ctx,
-					 icc,
-					 &error);
-	if (code != 0) {
-		DBG_WARNING("krb5_init_creds_get_error failed with: %s\n",
-			    error_message(code));
-		return false;
-	}
-	krb5_init_creds_free(ctx, icc);
-
-#ifdef HAVE_E_DATA_POINTER_IN_KRB5_ERROR
-	ok = smb_krb5_get_ntstatus_from_krb5_error(&error, nt_status);
-
-	krb5_free_error_contents(ctx, &error);
-#else
-	ok = smb_krb5_get_ntstatus_from_krb5_error(error, nt_status);
-
-	krb5_free_error(ctx, error);
-#endif
-
-	return ok;
-}
-
 /*
   simulate a kinit, putting the tgt in the given cache location. If cache_name == NULL
   place in default cache location.
@@ -356,31 +206,12 @@ int kerberos_kinit_password_ext(const char *principal,
 	}
  out:
 	if (ntstatus) {
-
-		NTSTATUS status;
-
 		/* fast path */
 		if (code == 0) {
 			*ntstatus = NT_STATUS_OK;
 			goto cleanup;
 		}
 
-		/* try to get ntstatus code out of krb5_error when we have it
-		 * inside the krb5_get_init_creds_opt - gd */
-
-		if (opt != NULL) {
-			bool ok;
-
-			ok = smb_krb5_get_ntstatus_from_init_creds(ctx,
-								   me,
-								   opt,
-								   &status);
-			if (ok) {
-				*ntstatus = status;
-				goto cleanup;
-			}
-		}
-
 		/* fall back to self-made-mapping */
 		*ntstatus = krb5_to_nt_status(code);
 	}
-- 
2.9.3


From ce7794f3591b4880a215343e80ce35d30ca7e04b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 20 Mar 2017 12:22:44 +0100
Subject: [PATCH 2/2] nsswtich: Add negative tests for authentication with
 wbinfo

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12708

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Uri Simchoni <uri@samba.org>

Autobuild-User(master): Uri Simchoni <uri@samba.org>
Autobuild-Date(master): Wed Mar 22 10:58:58 CET 2017 on sn-devel-144

(cherry picked from commit e7d1d8c49322a131e7ca1993f9956f0bddcaff3c)
---
 nsswitch/tests/test_wbinfo.sh | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index 69cc437..cfe582d 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -254,6 +254,10 @@ testit "wbinfo -K against $TARGET with domain creds" $wbinfo --krb5ccname=$KRB5C
 
 testit "wbinfo --separator against $TARGET" $wbinfo --separator || failed=`expr $failed + 1`
 
+testit_expect_failure "wbinfo -a against $TARGET with invalid password" $wbinfo -a "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
+testit_expect_failure "wbinfo -K against $TARGET with invalid password" $wbinfo -K "$DOMAIN/$USERNAME%InvalidPassword" && failed=`expr $failed + 1`
+
 rm -f $KRB5CCNAME_PATH
 
 exit $failed
-- 
2.9.3