From 932490ae08578c37523e00e537017603ee00ce7c Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Fri, 17 Jan 2014 14:29:03 +0100
Subject: [PATCH] s3-libads: pass down local_service to kerberos_return_pac().
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner
Reviewed-by: Andreas Schneider
---
 source3/libads/authdata.c | 6 +-----
 source3/libads/kerberos_proto.h | 1 +
 source3/utils/net_ads.c | 8 ++++++++
 source3/winbindd/winbindd_pam.c | 9 +++++++++
 4 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 801e551edbd..dd80dc24e44 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -101,13 +101,13 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 bool add_netbios_addr,
 time_t renewable_time,
 const char *impersonate_princ_s,
+ const char *local_service,
 struct PAC_LOGON_INFO **_logon_info)
 {
 krb5_error_code ret;
 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
 DATA_BLOB tkt, tkt_wrapped, ap_rep, sesskey1;
 const char *auth_princ = NULL;
- const char *local_service = NULL;
 const char *cc = "MEMORY:kerberos_return_pac";
 struct auth_session_info *session_info;
 struct gensec_security *gensec_server_context;
@@ -141,10 +141,6 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 }
 NT_STATUS_HAVE_NO_MEMORY(auth_princ);
- local_service = talloc_asprintf(mem_ctx, "%s$@%s",
- lp_netbios_name(), lp_realm());
- NT_STATUS_HAVE_NO_MEMORY(local_service);
-
 ret = kerberos_kinit_password_ext(auth_princ,
 pass,
 time_offset,
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index 255963405c7..1151d66cd15 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
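Review bot: `local_service` now comes from the caller, and once the second authdata.c hunk removes the `talloc_asprintf` / `NT_STATUS_HAVE_NO_MEMORY(local_service)` pair, nothing visible in kerberos_return_pac() checks the pointer before it is used. Both callers touched by this patch test for NULL themselves, but a guard at the top of the function, `if (local_service == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, would keep a later caller from handing NULL to whatever consumes it further down. A short comment on the parameter, here and on the prototype in kerberos_proto.h, should say that it is the local service principal and that it was previously always built as `<netbios name>$@<realm>`. The function body runs past both hunks, so how the value is consumed is not visible here.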
@@ -77,6 +77,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 bool add_netbios_addr,
 time_t renewable_time,
 const char *impersonate_princ_s,
+ const char *local_service,
 struct PAC_LOGON_INFO **logon_info);
 /* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 89eebf3388d..5a073b1cc71 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -2604,6 +2604,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 NTSTATUS status;
 int ret = -1;
 const char *impersonate_princ_s = NULL;
+ const char *local_service = NULL;
 if (c->display_usage) {
 d_printf( "%s\n"
@@ -2623,6 +2624,12 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 impersonate_princ_s = argv[0];
 }
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ goto out;
+ }
+
 c->opt_password = net_prompt_pass(c, c->opt_user_name);
 status = kerberos_return_pac(mem_ctx,
@@ -2636,6 +2643,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 true,
 2592000, /* one month */
 impersonate_princ_s,
+ local_service,
 &info);
 if (!NT_STATUS_IS_OK(status)) {
 d_printf(_("failed to query kerberos PAC: %s\n"),
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 3f3ec7090f2..61e2cefd522 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 time_t time_offset = 0;
 const char *user_ccache_file;
 struct PAC_LOGON_INFO *logon_info = NULL;
+ const char *local_service;
 *info3 = NULL;
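Review bot: The principal construction added in the `@@ -2623` hunk of net_ads.c is repeated verbatim in winbindd_pam.c (`@@ -632`), so the `"%s$@%s"` format now lives in two callers instead of one function. A small shared helper that returns the machine principal would keep the two from drifting apart. It would also give one place to reject an empty `lp_realm()`, if that can occur on these paths; nothing in either hunk checks for it. Separately, the `goto out` on allocation failure leaves `ret = -1` without printing anything, unlike the `d_printf(_("failed to query kerberos PAC: ...` path below it. The `out:` label and the initialisation of `mem_ctx` are outside the hunk, so this assumes `mem_ctx` is already valid at this point.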
@@ -632,6 +633,13 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 return NT_STATUS_NO_MEMORY;
 }
+ local_service = talloc_asprintf(mem_ctx, "%s$@%s",
+ lp_netbios_name(), lp_realm());
+ if (local_service == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
 /* if this is a user ccache, we need to act as the user to let the krb5
 * library handle the chown, etc. */
@@ -653,6 +661,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 true,
 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 NULL,
+ local_service,
 &logon_info);
 if (user_ccache_file != NULL) {
 gain_root_privilege();
--
2.11.4.GIT
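Review bot: The early `return NT_STATUS_NO_MEMORY` added in the `@@ -632` hunk is safe only because it sits above the "act as the user" comment. The privilege switch itself is outside the hunk, but a return placed between it and the `gain_root_privilege()` call in the `@@ -653` hunk would presumably leave winbindd running with the user's privileges. A one-line comment such as `/* build the machine principal before dropping privileges; the error return must stay above the switch */` would protect that ordering against later reshuffling. On style, the hunk adds two consecutive empty lines where one is enough. The declaration in `@@ -576` also lacks the `= NULL` initialiser that net_ads.c gives the same variable.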