Attachment 8138 Details for Bug 9347 – Patches for v4-0-test

[patch] Patches for v4-0-test

tmp40.diff (text/plain), 25.89 KB, created by Stefan Metzmacher on 2012-11-02 10:23:11 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Stefan Metzmacher

Created: 2012-11-02 10:23:11 UTC

Size: 25.89 KB

patch

obsolete

>From 6a881e361e2e1a92d8941b17a706ddc33faf9ffb Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <christof.schmitt@us.ibm.com>
>Date: Wed, 18 Jul 2012 14:38:47 -0700
>Subject: [PATCH 1/5] winbind: Extend wbcAuthenticateUserEx to provide PAC
>
>With this new interface, external applications that have authenticated
>to an ADS can pass the PAC from the Kerberos ticket to
>wbcAuthenticateUserEx. winbindd decodes and extracts the info3
>information for the external application. If winbindd can verify the PAC
>signature, the info3 from the PACis also added to the netsamlogon_cache.
>
>The info3 data can be used by the external application to get the uid
>and primary gid. The data in netsamlogon_cache allows to retrieve the
>complete group list through the NSS function getgrouplist.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 1bc2f28b9420829645ed571daf2a17e6688b2103)
>---
> nsswitch/libwbclient/wbc_pam.c            |   16 +++-
> nsswitch/libwbclient/wbclient.h           |   42 +++++-----
> nsswitch/winbind_struct_protocol.h        |    1 +
> source3/winbindd/winbindd_pam.c           |  128 +++++++++++++++++++++++++++--
> source3/winbindd/winbindd_pam_auth_crap.c |   23 ++++++
> source3/winbindd/winbindd_proto.h         |    8 ++
> 6 files changed, 191 insertions(+), 27 deletions(-)
>
>diff --git a/nsswitch/libwbclient/wbc_pam.c b/nsswitch/libwbclient/wbc_pam.c
>index f7fb9f2..f183cc6 100644
>--- a/nsswitch/libwbclient/wbc_pam.c
>+++ b/nsswitch/libwbclient/wbc_pam.c
>@@ -364,7 +364,7 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
> 		BAIL_ON_WBC_ERROR(wbc_status);
> 	}
> 
>-	if (!params->account_name) {
>+	if (params->level != WBC_AUTH_USER_LEVEL_PAC && !params->account_name) {
> 		wbc_status = WBC_ERR_INVALID_PARAM;
> 		BAIL_ON_WBC_ERROR(wbc_status);
> 	}
>@@ -491,6 +491,20 @@ wbcErr wbcAuthenticateUserEx(const struct wbcAuthUserParams *params,
> 			       request.data.auth_crap.nt_resp_len);
> 		}
> 		break;
>+
>+	case WBC_AUTH_USER_LEVEL_PAC:
>+		cmd = WINBINDD_PAM_AUTH_CRAP;
>+		request.flags = WBFLAG_PAM_AUTH_PAC | WBFLAG_PAM_INFO3_TEXT;
>+		request.extra_data.data = malloc(params->password.pac.length);
>+		if (request.extra_data.data == NULL) {
>+			wbc_status = WBC_ERR_NO_MEMORY;
>+			BAIL_ON_WBC_ERROR(wbc_status);
>+		}
>+		memcpy(request.extra_data.data, params->password.pac.data,
>+		       params->password.pac.length);
>+		request.extra_len = params->password.pac.length;
>+		break;
>+
> 	default:
> 		break;
> 	}
>diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
>index cb70cbd..473c901 100644
>--- a/nsswitch/libwbclient/wbclient.h
>+++ b/nsswitch/libwbclient/wbclient.h
>@@ -197,6 +197,25 @@ struct wbcDomainInfo {
> #define WBC_DOMINFO_TRUSTTYPE_EXTERNAL   0x00000003
> 
> /**
>+ * @brief Generic Blob
>+ **/
>+
>+struct wbcBlob {
>+	uint8_t *data;
>+	size_t length;
>+};
>+
>+/**
>+ * @brief Named Blob
>+ **/
>+
>+struct wbcNamedBlob {
>+	const char *name;
>+	uint32_t flags;
>+	struct wbcBlob blob;
>+};
>+
>+/**
>  * @brief Auth User Parameters
>  **/
> 
>@@ -212,7 +231,8 @@ struct wbcAuthUserParams {
> 	enum wbcAuthUserLevel {
> 		WBC_AUTH_USER_LEVEL_PLAIN = 1,
> 		WBC_AUTH_USER_LEVEL_HASH = 2,
>-		WBC_AUTH_USER_LEVEL_RESPONSE = 3
>+		WBC_AUTH_USER_LEVEL_RESPONSE = 3,
>+		WBC_AUTH_USER_LEVEL_PAC = 4
> 	} level;
> 	union {
> 		const char *plaintext;
>@@ -227,29 +247,11 @@ struct wbcAuthUserParams {
> 			uint32_t lm_length;
> 			uint8_t *lm_data;
> 		} response;
>+		struct wbcBlob pac;
> 	} password;
> };
> 
> /**
>- * @brief Generic Blob
>- **/
>-
>-struct wbcBlob {
>-	uint8_t *data;
>-	size_t length;
>-};
>-
>-/**
>- * @brief Named Blob
>- **/
>-
>-struct wbcNamedBlob {
>-	const char *name;
>-	uint32_t flags;
>-	struct wbcBlob blob;
>-};
>-
>-/**
>  * @brief Logon User Parameters
>  **/
> 
>diff --git a/nsswitch/winbind_struct_protocol.h b/nsswitch/winbind_struct_protocol.h
>index e5ed8e1..c1704c8 100644
>--- a/nsswitch/winbind_struct_protocol.h
>+++ b/nsswitch/winbind_struct_protocol.h
>@@ -218,6 +218,7 @@ typedef struct winbindd_gr {
> #define WBFLAG_PAM_FALLBACK_AFTER_KRB5	0x00002000
> #define WBFLAG_PAM_CACHED_LOGIN		0x00004000
> #define WBFLAG_PAM_GET_PWD_POLICY	0x00008000
>+#define WBFLAG_PAM_AUTH_PAC		0x00010000
> 
> /* generic request flags */
> #define WBFLAG_QUERY_ONLY		0x00000020	/* not used */
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index 6ad0baf..5b6b77b 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -38,6 +38,9 @@
> #include "passdb/machine_sid.h"
> #include "auth.h"
> #include "../lib/tsocket/tsocket.h"
>+#include "auth/kerberos/pac_utils.h"
>+#include "auth/gensec/gensec.h"
>+#include "librpc/crypto/gse_krb5.h"
> 
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_WINBIND
>@@ -724,12 +727,12 @@ bool check_request_flags(uint32_t flags)
> /****************************************************************
> ****************************************************************/
> 
>-static NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
>-				 struct winbindd_response *resp,
>-				 uint32_t request_flags,
>-				 struct netr_SamInfo3 *info3,
>-				 const char *name_domain,
>-				 const char *name_user)
>+NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
>+			  struct winbindd_response *resp,
>+			  uint32_t request_flags,
>+			  struct netr_SamInfo3 *info3,
>+			  const char *name_domain,
>+			  const char *name_user)
> {
> 	NTSTATUS result;
> 
>@@ -2270,3 +2273,116 @@ enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domai
> 
> 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
> }
>+
>+#ifdef HAVE_KRB5
>+static NTSTATUS extract_pac_vrfy_sigs(TALLOC_CTX *mem_ctx, DATA_BLOB pac_blob,
>+				      struct PAC_LOGON_INFO **logon_info)
>+{
>+	krb5_context krbctx = NULL;
>+	krb5_error_code k5ret;
>+	krb5_keytab keytab;
>+	krb5_kt_cursor cursor;
>+	krb5_keytab_entry entry;
>+	NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
>+
>+	ZERO_STRUCT(entry);
>+	ZERO_STRUCT(cursor);
>+
>+	k5ret = krb5_init_context(&krbctx);
>+	if (k5ret) {
>+		DEBUG(1, ("Failed to initialize kerberos context: %s\n",
>+			  error_message(k5ret)));
>+		status = krb5_to_nt_status(k5ret);
>+		goto out;
>+	}
>+
>+	k5ret =  gse_krb5_get_server_keytab(krbctx, &keytab);
>+	if (k5ret) {
>+		DEBUG(1, ("Failed to get keytab: %s\n",
>+			  error_message(k5ret)));
>+		status = krb5_to_nt_status(k5ret);
>+		goto out_free;
>+	}
>+
>+	k5ret = krb5_kt_start_seq_get(krbctx, keytab, &cursor);
>+	if (k5ret) {
>+		DEBUG(1, ("Failed to start seq: %s\n",
>+			  error_message(k5ret)));
>+		status = krb5_to_nt_status(k5ret);
>+		goto out_keytab;
>+	}
>+
>+	k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
>+	while (k5ret == 0) {
>+		status = kerberos_pac_logon_info(mem_ctx, pac_blob,
>+						 krbctx, NULL,
>+						 KRB5_KT_KEY(&entry), NULL, 0,
>+						 logon_info);
>+		if (NT_STATUS_IS_OK(status)) {
>+			break;
>+		}
>+		k5ret = smb_krb5_kt_free_entry(krbctx, &entry);
>+		k5ret = krb5_kt_next_entry(krbctx, keytab, &entry, &cursor);
>+	}
>+
>+	k5ret = krb5_kt_end_seq_get(krbctx, keytab, &cursor);
>+	if (k5ret) {
>+		DEBUG(1, ("Failed to end seq: %s\n",
>+			  error_message(k5ret)));
>+	}
>+out_keytab:
>+	k5ret = krb5_kt_close(krbctx, keytab);
>+	if (k5ret) {
>+		DEBUG(1, ("Failed to close keytab: %s\n",
>+			  error_message(k5ret)));
>+	}
>+out_free:
>+	krb5_free_context(krbctx);
>+out:
>+	return status;
>+}
>+
>+NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
>+				    struct netr_SamInfo3 **info3)
>+{
>+	struct winbindd_request *req = state->request;
>+	DATA_BLOB pac_blob;
>+	struct PAC_LOGON_INFO *logon_info = NULL;
>+	NTSTATUS result;
>+
>+	pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
>+	result = extract_pac_vrfy_sigs(state->mem_ctx, pac_blob, &logon_info);
>+	if (!NT_STATUS_IS_OK(result) &&
>+	    !NT_STATUS_EQUAL(result, NT_STATUS_ACCESS_DENIED)) {
>+		DEBUG(1, ("Error during PAC signature verification: %s\n",
>+			  nt_errstr(result)));
>+		return result;
>+	}
>+
>+	if (logon_info) {
>+		/* Signature verification succeeded, trust the PAC */
>+		netsamlogon_cache_store(NULL, &logon_info->info3);
>+
>+	} else {
>+		/* Try without signature verification */
>+		result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
>+						 NULL, NULL, NULL, 0,
>+						 &logon_info);
>+		if (!NT_STATUS_IS_OK(result)) {
>+			DEBUG(10, ("Could not extract PAC: %s\n",
>+				   nt_errstr(result)));
>+			return result;
>+		}
>+	}
>+
>+	*info3 = &logon_info->info3;
>+
>+	return NT_STATUS_OK;
>+}
>+#else /* HAVE_KRB5 */
>+NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
>+				    struct netr_SamInfo3 **info3)
>+{
>+	return NT_STATUS_NO_SUCH_USER;
>+}
>+#endif /* HAVE_KRB5 */
>diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
>index 2fb5111..ffbc322 100644
>--- a/source3/winbindd/winbindd_pam_auth_crap.c
>+++ b/source3/winbindd/winbindd_pam_auth_crap.c
>@@ -22,6 +22,8 @@
> 
> struct winbindd_pam_auth_crap_state {
> 	struct winbindd_response *response;
>+	struct netr_SamInfo3 *info3;
>+	uint32_t flags;
> };
> 
> static void winbindd_pam_auth_crap_done(struct tevent_req *subreq);
>@@ -42,6 +44,21 @@ struct tevent_req *winbindd_pam_auth_crap_send(
> 		return NULL;
> 	}
> 
>+	if (request->flags & WBFLAG_PAM_AUTH_PAC) {
>+		NTSTATUS status;
>+
>+		state->flags = request->flags;
>+		status = winbindd_pam_auth_pac_send(cli, &state->info3);
>+		if (NT_STATUS_IS_OK(status)) {
>+			/* Defer filling out response to recv */
>+			tevent_req_done(req);
>+		} else {
>+			tevent_req_nterror(req, status);
>+		}
>+
>+		return tevent_req_post(req, ev);
>+	}
>+
> 	/* Ensure null termination */
> 	request->data.auth_crap.user[
> 		sizeof(request->data.auth_crap.user)-1] = '\0';
>@@ -114,6 +131,12 @@ NTSTATUS winbindd_pam_auth_crap_recv(struct tevent_req *req,
> 		set_auth_errors(response, status);
> 		return status;
> 	}
>+
>+	if (state->flags & WBFLAG_PAM_AUTH_PAC) {
>+		return append_auth_data(response, response, state->flags,
>+					state->info3, NULL, NULL);
>+	}
>+
> 	*response = *state->response;
> 	response->result = WINBINDD_PENDING;
> 	state->response = talloc_move(response, &state->response);
>diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
>index ec5ec37..5cc90f2 100644
>--- a/source3/winbindd/winbindd_proto.h
>+++ b/source3/winbindd/winbindd_proto.h
>@@ -353,6 +353,12 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
> /* The following definitions come from winbindd/winbindd_pam.c  */
> 
> bool check_request_flags(uint32_t flags);
>+NTSTATUS append_auth_data(TALLOC_CTX *mem_ctx,
>+			  struct winbindd_response *resp,
>+			  uint32_t request_flags,
>+			  struct netr_SamInfo3 *info3,
>+			  const char *name_domain,
>+			  const char *name_user);
> uid_t get_uid_from_request(struct winbindd_request *request);
> struct winbindd_domain *find_auth_domain(uint8_t flags,
> 					 const char *domain_name);
>@@ -365,6 +371,8 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
> enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
> 					      struct winbindd_cli_state *state) ;
> enum winbindd_result winbindd_dual_pam_chng_pswd_auth_crap(struct winbindd_domain *domainSt, struct winbindd_cli_state *state);
>+NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
>+				    struct netr_SamInfo3 **info3);
> 
> /* The following definitions come from winbindd/winbindd_util.c  */
> 
>-- 
>1.7.9.5
>
>
>From d1e88937bd520cb849fbe440ed3f4231fe83149e Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <christof.schmitt@us.ibm.com>
>Date: Mon, 30 Jul 2012 11:03:54 -0700
>Subject: [PATCH 2/5] auth/kerberos: Adjust log level for failed PAC signature
> verification
>
>With winbindd trying to verify the signature of an application provided
>PAC, this message can be easily triggered. Adjust the debug level to
>avoid filling up the logs.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit 05befd2f734d3962619ebc0cc137bbe5cedfd81d)
>---
> auth/kerberos/kerberos_pac.c |    2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
>index 80f31d8..81f7f21 100644
>--- a/auth/kerberos/kerberos_pac.c
>+++ b/auth/kerberos/kerberos_pac.c
>@@ -322,7 +322,7 @@ NTSTATUS kerberos_decode_pac(TALLOC_CTX *mem_ctx,
> 					 context,
> 					 service_keyblock);
> 		if (ret) {
>-			DEBUG(1, ("PAC Decode: Failed to verify the service "
>+			DEBUG(5, ("PAC Decode: Failed to verify the service "
> 				  "signature: %s\n", error_message(ret)));
> 			return NT_STATUS_ACCESS_DENIED;
> 		}
>-- 
>1.7.9.5
>
>
>From e2a4bc6a79bfd28402687fed032b216dadee0032 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <christof.schmitt@us.ibm.com>
>Date: Thu, 20 Sep 2012 18:30:07 -0700
>Subject: [PATCH 3/5] s4-torture: Complete test for winbindd PAC parsing
>
>Decode the PAC through the wbcAuthenticateUserEx call, also decode it
>locally and compare the result.
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>(cherry picked from commit d9747b15c4a737a1422d0156d92efed762bb672d)
>---
> source4/torture/winbind/winbind.c |   92 ++++++++++++++++++++++++++++++++++---
> 1 file changed, 86 insertions(+), 6 deletions(-)
>
>diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
>index cb895f5..5956834 100644
>--- a/source4/torture/winbind/winbind.c
>+++ b/source4/torture/winbind/winbind.c
>@@ -3,6 +3,7 @@
>    SMB torture tester
>    Copyright (C) Stefan Metzmacher 2007
>    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2012
>+   Copyright (C) Christof Schmit <christof.schmitt@us.ibm.com> 2012
> 
>    This program is free software; you can redistribute it and/or modify
>    it under the terms of the GNU General Public License as published by
>@@ -29,6 +30,8 @@
> #include "auth/credentials/credentials.h"
> #include "param/param.h"
> #include "lib/cmdline/popt_common.h"
>+#include "auth/kerberos/pac_utils.h"
>+#include "wbclient.h"
> 
> struct pac_data {
> 	DATA_BLOB pac_blob;
>@@ -88,9 +91,89 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
> 	return nt_status;
> }
> 
>-/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
>+static bool torture_decode_compare_pac(struct torture_context *tctx,
>+				       DATA_BLOB pac)
>+{
>+	struct wbcAuthUserParams params;
>+	struct wbcAuthUserInfo *info;
>+	struct wbcAuthErrorInfo *error;
>+	struct PAC_LOGON_INFO *logon_info;
>+	struct netr_SamInfo3 *info3;
>+	struct netr_SamBaseInfo *base;
>+	wbcErr wbc_err;
>+	NTSTATUS status;
>+	int result, sid_idx, i;
>+	char sid_str[50];
>+
>+	/* Let winbind decode the PAC */
>+	memset(&params, 0, sizeof(params));
>+	params.level = WBC_AUTH_USER_LEVEL_PAC;
>+	params.password.pac.data = pac.data;
>+	params.password.pac.length = pac.length;
>+
>+	wbc_err = wbcAuthenticateUserEx(&params, &info, &error);
>+	torture_assert(tctx, WBC_ERROR_IS_OK(wbc_err), wbcErrorString(wbc_err));
>+
>+	/* Decode the PAC internally */
>+	status = kerberos_pac_logon_info(tctx, pac, NULL, NULL, NULL, NULL, 0,
>+					 &logon_info);
>+	torture_assert(tctx, NT_STATUS_IS_OK(status), "pac_logon_info");
>+	info3 = &logon_info->info3;
>+	base = &info3->base;
>+
>+	/* Compare the decoded data from winbind and from internal call */
>+	torture_assert(tctx, info->user_flags == base->user_flags, "user_flags");
>+	torture_assert_str_equal(tctx, info->account_name, base->account_name.string, "account_name");
>+	torture_assert_str_equal(tctx, info->full_name, base->full_name.string, "full_name");
>+	torture_assert_str_equal(tctx, info->domain_name, base->logon_domain.string, "domain_name");
>+	torture_assert(tctx, info->acct_flags == base->acct_flags, "acct_flags");
>+	torture_assert(tctx, info->logon_count == base->logon_count, "logon_count");
>+	torture_assert(tctx, info->bad_password_count == base->bad_password_count, "bad_password_count");
>+	torture_assert(tctx, info->logon_time == nt_time_to_unix(base->logon_time), "logon_time");
>+	torture_assert(tctx, info->logoff_time == nt_time_to_unix(base->logoff_time), "logoff_time");
>+	torture_assert(tctx, info->kickoff_time == nt_time_to_unix(base->kickoff_time), "kickoff_time");
>+	torture_assert(tctx, info->pass_last_set_time == nt_time_to_unix(base->last_password_change), "last_password_change");
>+	torture_assert(tctx, info->pass_can_change_time == nt_time_to_unix(base->allow_password_change), "allow_password_change");
>+	torture_assert(tctx, info->pass_must_change_time == nt_time_to_unix(base->force_password_change), "force_password_change");
>+	torture_assert(tctx, info->num_sids == 2 + base->groups.count + info3->sidcount, "num_sids");
>+
>+	sid_idx = 0;
>+	wbcSidToStringBuf(&info->sids[sid_idx].sid, sid_str, sizeof(sid_str));
>+	torture_assert(tctx,
>+		       dom_sid_equal(dom_sid_parse_talloc(tctx, sid_str),
>+				     dom_sid_add_rid(tctx, base->domain_sid, base->rid)),
>+		       sid_str);
>+
>+	sid_idx++;
>+	wbcSidToStringBuf(&info->sids[sid_idx].sid, sid_str, sizeof(sid_str));
>+	torture_assert(tctx,
>+		       dom_sid_equal(dom_sid_parse_talloc(tctx, sid_str),
>+				     dom_sid_add_rid(tctx, base->domain_sid, base->primary_gid)),
>+		       sid_str);
>+
>+	for(i = 0; i < base->groups.count; i++ ) {
>+		sid_idx++;
>+		wbcSidToStringBuf(&info->sids[sid_idx].sid,
>+				  sid_str, sizeof(sid_str));
>+		torture_assert(tctx,
>+			       dom_sid_equal(dom_sid_parse_talloc(tctx, sid_str),
>+					     dom_sid_add_rid(tctx, base->domain_sid,
>+							     base->groups.rids[i].rid)),
>+			       sid_str);
>+	}
>+
>+	for(i = 0; i < info3->sidcount; i++) {
>+		sid_idx++;
>+		wbcSidToStringBuf(&info->sids[sid_idx].sid,
>+				  sid_str, sizeof(sid_str));
>+		torture_assert(tctx,
>+			       dom_sid_equal(dom_sid_parse_talloc(tctx, sid_str),
>+					     info3->sids[i].sid),
>+			       sid_str);
>+	}
> 
>-/* Also happens to be a really good one-step verfication of our Kerberos stack */
>+	return true;
>+}
> 
> static bool torture_winbind_pac(struct torture_context *tctx)
> {
>@@ -164,14 +247,11 @@ static bool torture_winbind_pac(struct torture_context *tctx)
> 
> 	torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context");
> 	torture_assert(tctx, pac_data->pac_blob.data != NULL, "pac_blob not present");
>-
>-					    /* TODO: Check the PAC blob with winbind */
>+	torture_decode_compare_pac(tctx, pac_data->pac_blob);
> 
> 	return true;
> }
> 
>-
>-
> NTSTATUS torture_winbind_init(void)
> {
> 	struct torture_suite *suite = torture_suite_create(talloc_autofree_context(), "winbind");
>-- 
>1.7.9.5
>
>
>From 6bf7a69baae5fba7bda5398132b21a7abdc2e718 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Thu, 20 Sep 2012 19:46:31 -0700
>Subject: [PATCH 4/5] libwbclient: bump ABI to 0.11 as wbcAuthenticateUserEx
> now provides PAC parsing
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Fri Sep 21 06:37:15 CEST 2012 on sn-devel-104
>(cherry picked from commit 914b02be5a3e7805110f517e39ed9f6fe760c2bc)
>---
> nsswitch/libwbclient/ABI/wbclient-0.11.sigs |   76 +++++++++++++++++++++++++++
> nsswitch/libwbclient/wbclient.h             |    3 +-
> nsswitch/libwbclient/wscript                |    2 +-
> 3 files changed, 79 insertions(+), 2 deletions(-)
> create mode 100644 nsswitch/libwbclient/ABI/wbclient-0.11.sigs
>
>diff --git a/nsswitch/libwbclient/ABI/wbclient-0.11.sigs b/nsswitch/libwbclient/ABI/wbclient-0.11.sigs
>new file mode 100644
>index 0000000..eda96f4
>--- /dev/null
>+++ b/nsswitch/libwbclient/ABI/wbclient-0.11.sigs
>@@ -0,0 +1,76 @@
>+wbcAddNamedBlob: wbcErr (size_t *, struct wbcNamedBlob **, const char *, uint32_t, uint8_t *, size_t)
>+wbcAllocateGid: wbcErr (gid_t *)
>+wbcAllocateMemory: void *(size_t, size_t, void (*)(void *))
>+wbcAllocateStringArray: const char **(int)
>+wbcAllocateUid: wbcErr (uid_t *)
>+wbcAuthenticateUser: wbcErr (const char *, const char *)
>+wbcAuthenticateUserEx: wbcErr (const struct wbcAuthUserParams *, struct wbcAuthUserInfo **, struct wbcAuthErrorInfo **)
>+wbcChangeTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
>+wbcChangeUserPassword: wbcErr (const char *, const char *, const char *)
>+wbcChangeUserPasswordEx: wbcErr (const struct wbcChangePasswordParams *, struct wbcAuthErrorInfo **, enum wbcPasswordChangeRejectReason *, struct wbcUserPasswordPolicyInfo **)
>+wbcCheckTrustCredentials: wbcErr (const char *, struct wbcAuthErrorInfo **)
>+wbcCredentialCache: wbcErr (struct wbcCredentialCacheParams *, struct wbcCredentialCacheInfo **, struct wbcAuthErrorInfo **)
>+wbcCredentialSave: wbcErr (const char *, const char *)
>+wbcDcInfo: wbcErr (const char *, size_t *, const char ***, const char ***)
>+wbcDomainInfo: wbcErr (const char *, struct wbcDomainInfo **)
>+wbcEndgrent: wbcErr (void)
>+wbcEndpwent: wbcErr (void)
>+wbcErrorString: const char *(wbcErr)
>+wbcFreeMemory: void (void *)
>+wbcGetDisplayName: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
>+wbcGetGroups: wbcErr (const char *, uint32_t *, gid_t **)
>+wbcGetSidAliases: wbcErr (const struct wbcDomainSid *, struct wbcDomainSid *, uint32_t, uint32_t **, uint32_t *)
>+wbcGetgrent: wbcErr (struct group **)
>+wbcGetgrgid: wbcErr (gid_t, struct group **)
>+wbcGetgrlist: wbcErr (struct group **)
>+wbcGetgrnam: wbcErr (const char *, struct group **)
>+wbcGetpwent: wbcErr (struct passwd **)
>+wbcGetpwnam: wbcErr (const char *, struct passwd **)
>+wbcGetpwsid: wbcErr (struct wbcDomainSid *, struct passwd **)
>+wbcGetpwuid: wbcErr (uid_t, struct passwd **)
>+wbcGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
>+wbcGuidToString: wbcErr (const struct wbcGuid *, char **)
>+wbcInterfaceDetails: wbcErr (struct wbcInterfaceDetails **)
>+wbcLibraryDetails: wbcErr (struct wbcLibraryDetails **)
>+wbcListGroups: wbcErr (const char *, uint32_t *, const char ***)
>+wbcListTrusts: wbcErr (struct wbcDomainInfo **, size_t *)
>+wbcListUsers: wbcErr (const char *, uint32_t *, const char ***)
>+wbcLogoffUser: wbcErr (const char *, uid_t, const char *)
>+wbcLogoffUserEx: wbcErr (const struct wbcLogoffUserParams *, struct wbcAuthErrorInfo **)
>+wbcLogonUser: wbcErr (const struct wbcLogonUserParams *, struct wbcLogonUserInfo **, struct wbcAuthErrorInfo **, struct wbcUserPasswordPolicyInfo **)
>+wbcLookupDomainController: wbcErr (const char *, uint32_t, struct wbcDomainControllerInfo **)
>+wbcLookupDomainControllerEx: wbcErr (const char *, struct wbcGuid *, const char *, uint32_t, struct wbcDomainControllerInfoEx **)
>+wbcLookupName: wbcErr (const char *, const char *, struct wbcDomainSid *, enum wbcSidType *)
>+wbcLookupRids: wbcErr (struct wbcDomainSid *, int, uint32_t *, const char **, const char ***, enum wbcSidType **)
>+wbcLookupSid: wbcErr (const struct wbcDomainSid *, char **, char **, enum wbcSidType *)
>+wbcLookupSids: wbcErr (const struct wbcDomainSid *, int, struct wbcDomainInfo **, int *, struct wbcTranslatedName **)
>+wbcLookupUserSids: wbcErr (const struct wbcDomainSid *, bool, uint32_t *, struct wbcDomainSid **)
>+wbcPing: wbcErr (void)
>+wbcPingDc: wbcErr (const char *, struct wbcAuthErrorInfo **)
>+wbcPingDc2: wbcErr (const char *, struct wbcAuthErrorInfo **, char **)
>+wbcQueryGidToSid: wbcErr (gid_t, struct wbcDomainSid *)
>+wbcQuerySidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
>+wbcQuerySidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
>+wbcQueryUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
>+wbcRemoveGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
>+wbcRemoveUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
>+wbcRequestResponse: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
>+wbcRequestResponsePriv: wbcErr (int, struct winbindd_request *, struct winbindd_response *)
>+wbcResolveWinsByIP: wbcErr (const char *, char **)
>+wbcResolveWinsByName: wbcErr (const char *, char **)
>+wbcSetGidHwm: wbcErr (gid_t)
>+wbcSetGidMapping: wbcErr (gid_t, const struct wbcDomainSid *)
>+wbcSetUidHwm: wbcErr (uid_t)
>+wbcSetUidMapping: wbcErr (uid_t, const struct wbcDomainSid *)
>+wbcSetgrent: wbcErr (void)
>+wbcSetpwent: wbcErr (void)
>+wbcSidToGid: wbcErr (const struct wbcDomainSid *, gid_t *)
>+wbcSidToString: wbcErr (const struct wbcDomainSid *, char **)
>+wbcSidToStringBuf: int (const struct wbcDomainSid *, char *, int)
>+wbcSidToUid: wbcErr (const struct wbcDomainSid *, uid_t *)
>+wbcSidTypeString: const char *(enum wbcSidType)
>+wbcSidsToUnixIds: wbcErr (const struct wbcDomainSid *, uint32_t, struct wbcUnixId *)
>+wbcStrDup: char *(const char *)
>+wbcStringToGuid: wbcErr (const char *, struct wbcGuid *)
>+wbcStringToSid: wbcErr (const char *, struct wbcDomainSid *)
>+wbcUidToSid: wbcErr (uid_t, struct wbcDomainSid *)
>diff --git a/nsswitch/libwbclient/wbclient.h b/nsswitch/libwbclient/wbclient.h
>index 473c901..a72d09e 100644
>--- a/nsswitch/libwbclient/wbclient.h
>+++ b/nsswitch/libwbclient/wbclient.h
>@@ -70,9 +70,10 @@ const char *wbcErrorString(wbcErr error);
>  *  0.8: Added wbcSidsToUnixIds() and wbcLookupSids()
>  *  0.9: Added support for WBC_ID_TYPE_BOTH
>  *  0.10: Added wbcPingDc2()
>+ *  0.11: Extended wbcAuthenticateUserEx to provide PAC parsing
>  **/
> #define WBCLIENT_MAJOR_VERSION 0
>-#define WBCLIENT_MINOR_VERSION 10
>+#define WBCLIENT_MINOR_VERSION 11
> #define WBCLIENT_VENDOR_VERSION "Samba libwbclient"
> struct wbcLibraryDetails {
> 	uint16_t major_version;
>diff --git a/nsswitch/libwbclient/wscript b/nsswitch/libwbclient/wscript
>index f73af94..9c4da16 100644
>--- a/nsswitch/libwbclient/wscript
>+++ b/nsswitch/libwbclient/wscript
>@@ -3,7 +3,7 @@
> import Options, Logs
> 
> # Remember to also update wbclient.h
>-VERSION="0.10"
>+VERSION="0.11"
> 
> # It may be useful at some point to allow Samba to build against a
> # system libwbclient, such as the one provided by Likewise.  To to
>-- 
>1.7.9.5
>
>
>From e38fcd6c1e619eacb3e2775e8f22dbee45ddd32a Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Fri, 21 Sep 2012 15:59:11 -0700
>Subject: [PATCH 5/5] auth/kerberos: add HAVE_KRB5 guard to fix non-krb5 build
> after winbindd pac changes
>
>Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
>Autobuild-Date(master): Sat Sep 22 02:44:07 CEST 2012 on sn-devel-104
>---
> auth/kerberos/pac_utils.h |    3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/auth/kerberos/pac_utils.h b/auth/kerberos/pac_utils.h
>index b9b6664..d09e7b6 100644
>--- a/auth/kerberos/pac_utils.h
>+++ b/auth/kerberos/pac_utils.h
>@@ -21,6 +21,8 @@
> #ifndef _PAC_UTILS_H
> #define _PAC_UTILS_H
> 
>+#ifdef HAVE_KRB5
>+
> #include "lib/krb5_wrap/krb5_samba.h"
> #include "lib/krb5_wrap/gss_samba.h"
> 
>@@ -65,4 +67,5 @@ NTSTATUS gssapi_get_session_key(TALLOC_CTX *mem_ctx,
> char *gssapi_error_string(TALLOC_CTX *mem_ctx,
> 			  OM_uint32 maj_stat, OM_uint32 min_stat,
> 			  const gss_OID mech);
>+#endif /* HAVE_KRB5 */
> #endif /* _PAC_UTILS_H */
>-- 
>1.7.9.5
>

Flags:

abartlet: review+

Actions: View

Attachments on bug 9347: 8138