From a8c2807a26d2f1ff094ed7ea5724c0394f79b888 Mon Sep 17 00:00:00 2001
From: =?utf8?q?G=C3=BCnther=20Deschner?=
Date: Tue, 11 Mar 2014 18:07:11 +0100
Subject: [PATCH] s3-kerberos: let kerberos_return_pac() return a PAC container.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Guenther
Signed-off-by: Günther Deschner
Reviewed-by: Andreas Schneider
---
 source3/libads/authdata.c | 29 +++++++++++++++++++++--------
 source3/libads/kerberos_proto.h | 7 ++++++-
 source3/utils/net_ads.c | 5 ++++-
 source3/winbindd/winbindd_pam.c | 8 +++++++-
 4 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/source3/libads/authdata.c b/source3/libads/authdata.c
index 53e40ef71b8..276408d880e 100644
--- a/source3/libads/authdata.c
+++ b/source3/libads/authdata.c
@@ -53,6 +53,7 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 {
 TALLOC_CTX *tmp_ctx;
 struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
 NTSTATUS status = NT_STATUS_INTERNAL_ERROR;
 tmp_ctx = talloc_new(mem_ctx);
@@ -74,9 +75,21 @@ static NTSTATUS kerberos_fetch_pac(struct auth4_context *auth_ctx,
 }
 }
- talloc_set_name_const(pac_data, "struct PAC_DATA");
+ pac_data_ctr = talloc(mem_ctx, struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ talloc_set_name_const(pac_data_ctr, "struct PAC_DATA_CTR");
+
+ pac_data_ctr->pac_data = talloc_steal(pac_data_ctr, pac_data);
+ pac_data_ctr->pac_blob = data_blob_talloc(pac_data_ctr,
+ pac_blob->data,
+ pac_blob->length);
+
+ auth_ctx->private_data = talloc_steal(auth_ctx, pac_data_ctr);
- auth_ctx->private_data = talloc_steal(auth_ctx, pac_data);
 *session_info = talloc_zero(mem_ctx, struct auth_session_info);
 if (!*session_info) {
 status = NT_STATUS_NO_MEMORY;
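Review bot: `data_blob_talloc()` can fail, and its result is stored in `pac_data_ctr->pac_blob` unchecked in the added block of kerberos_fetch_pac(), so an allocation failure leaves an empty blob in a container that is then published through `auth_ctx->private_data` as if the raw PAC had been captured. The decode step sits above this hunk, so it is not visible whether `pac_blob` may be NULL here; if it may, the unconditional `pac_blob->data` read needs a guard as well. I would add `if (pac_blob->length != 0 && pac_data_ctr->pac_blob.data == NULL) { status = NT_STATUS_NO_MEMORY; goto done; }` after the copy. Allocating the container on `tmp_ctx` instead of `mem_ctx` would keep that early exit from leaving it on the caller's context, assuming `done:` frees `tmp_ctx` (the label is outside the hunk).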
@@ -108,7 +121,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
- struct PAC_DATA **_pac_data)
+ struct PAC_DATA_CTR **_pac_data_ctr)
 {
 krb5_error_code ret;
 NTSTATUS status = NT_STATUS_INVALID_PARAMETER;
@@ -122,7 +135,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 size_t idx = 0;
 struct auth4_context *auth_context;
 struct loadparm_context *lp_ctx;
- struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -278,15 +291,15 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 goto out;
 }
- pac_data = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
- struct PAC_DATA);
- if (pac_data == NULL) {
+ pac_data_ctr = talloc_get_type_abort(gensec_server_context->auth_context->private_data,
+ struct PAC_DATA_CTR);
+ if (pac_data_ctr == NULL) {
 DEBUG(1,("no PAC\n"));
 status = NT_STATUS_INVALID_PARAMETER;
 goto out;
 }
- *_pac_data = talloc_move(mem_ctx, &pac_data);
+ *_pac_data_ctr = talloc_move(mem_ctx, &pac_data_ctr);
 out:
 talloc_free(tmp_ctx);
diff --git a/source3/libads/kerberos_proto.h b/source3/libads/kerberos_proto.h
index b2f74865afe..3d0ad4bb89a 100644
--- a/source3/libads/kerberos_proto.h
+++ b/source3/libads/kerberos_proto.h
@@ -34,6 +34,11 @@ struct PAC_DATA;
+struct PAC_DATA_CTR {
+ DATA_BLOB pac_blob;
+ struct PAC_DATA *pac_data;
+};
+
 #include "libads/ads_status.h"
 /* The following definitions come from libads/kerberos.c */
@@ -78,7 +83,7 @@ NTSTATUS kerberos_return_pac(TALLOC_CTX *mem_ctx,
 time_t renewable_time,
 const char *impersonate_princ_s,
 const char *local_service,
- struct PAC_DATA **pac_data);
+ struct PAC_DATA_CTR **pac_data_ctr);
 /* The following definitions come from libads/krb5_setpw.c */
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 19da6da8108..19c28b12f7b 100644
--- a/source3/utils/net_ads.c
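Review bot: The `no PAC` branch in the `@@ -278,15 +291,15 @@` hunk now tests the container pointer, which `talloc_get_type_abort()` never returns as NULL (it aborts on a NULL pointer or a type mismatch), so the branch cannot fire. With this commit kerberos_fetch_pac() always attaches a container and its `pac_data` local starts out NULL, so a ticket without a decoded PAC would presumably show up as `pac_data_ctr->pac_data == NULL` rather than as a missing container. Testing that member, `if (pac_data_ctr->pac_data == NULL) {`, keeps NT_STATUS_INVALID_PARAMETER as the answer for a missing PAC instead of handing callers a half-filled container. The body of kerberos_return_pac() starts and ends outside this hunk.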
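Review bot: `struct PAC_DATA_CTR` in kerberos_proto.h is added without any comment, and every caller of kerberos_return_pac() now has to know who owns the two members and whether either may be unset. From kerberos_fetch_pac() in this commit, `pac_data` is stolen onto the container and `pac_blob` is a talloc copy parented to it, so freeing the container releases both. I would put `/* Decoded PAC plus a copy of the raw PAC bytes; both are talloc children of the container. */` above the struct, and state there whether `pac_data` may be NULL, since the winbindd_pam.c hunk checks for that and the net_ads.c hunk does not.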
+++ b/source3/utils/net_ads.c
@@ -2601,6 +2601,7 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 {
 struct PAC_LOGON_INFO *info = NULL;
 struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
 TALLOC_CTX *mem_ctx = NULL;
 NTSTATUS status;
 int ret = -1;
@@ -2659,13 +2660,15 @@ static int net_ads_kerberos_pac(struct net_context *c, int argc, const char **ar
 2592000, /* one month */
 impersonate_princ_s,
 local_service,
- &pac_data);
+ &pac_data_ctr);
 if (!NT_STATUS_IS_OK(status)) {
 d_printf(_("failed to query kerberos PAC: %s\n"), nt_errstr(status));
 goto out;
 }
+ pac_data = pac_data_ctr->pac_data;
+
 for (i=0; i < pac_data->num_buffers; i++) {
 if (pac_data->buffers[i].type != PAC_TYPE_LOGON_INFO) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index a8daae51484..b41291e3751 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -577,6 +577,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 const char *user_ccache_file;
 struct PAC_LOGON_INFO *logon_info = NULL;
 struct PAC_DATA *pac_data = NULL;
+ struct PAC_DATA_CTR *pac_data_ctr = NULL;
 const char *local_service;
 int i;
@@ -664,7 +665,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
 NULL,
 local_service,
- &pac_data);
+ &pac_data_ctr);
 if (user_ccache_file != NULL) {
 gain_root_privilege();
 }
@@ -675,6 +676,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 goto failed;
 }
+ if (pac_data_ctr == NULL) {
+ goto failed;
+ }
+
+ pac_data = pac_data_ctr->pac_data;
 if (pac_data == NULL) {
 goto failed;
 }
--
2.11.4.GIT
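Review bot: In the `@@ -2659,13 +2660,15 @@` hunk of net_ads_kerberos_pac(), `pac_data = pac_data_ctr->pac_data;` is followed directly by `pac_data->num_buffers` with no NULL test on either pointer. The winbindd_pam.c hunk of this same commit guards both `pac_data_ctr` and `pac_data` before use, which suggests the container can come back with an unset `pac_data`; here that would be a NULL dereference. Add the same guard before the loop, `if (pac_data_ctr == NULL || pac_data_ctr->pac_data == NULL) { goto out; }`, ideally with a `d_printf()` saying that no PAC was returned. The function body starts and ends outside the hunk.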
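Review bot: The added `if (pac_data_ctr == NULL) { goto failed; }` in the last winbindd_pam.c hunk jumps to the failure label without assigning an error status, as does the existing `pac_data == NULL` check after it. The first context lines look like the tail of the status check on kerberos_return_pac(), so the status is presumably still the success value at this point; the `failed:` label is outside the hunk, but if it returns that variable, winbindd_raw_kerberos_login() would report success for a login that produced no PAC data. An authentication path should fail closed here, so set an explicit error before each jump, for example NT_STATUS_INVALID_PARAMETER as kerberos_return_pac() uses for its `no PAC` case.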