annotate src/auth/mech-winbind.c @ 9008:fc4f65a4ca60 HEAD
virtual: Don't show mailboxes as \Noselect.
author | Timo Sirainen <tss@iki.fi> |
---|---|
date | Fri, 01 May 2009 14:56:52 -0400 |
parents | 9f3968f49ceb |
children |
1 /* |
2 * NTLM and Negotiate authentication mechanisms, |
3 * using Samba winbind daemon |
4 * |
5 * Copyright (c) 2007 Dmitry Butskoy <dmitry@butskoy.name> |
6 * |
7 * This software is released under the MIT license. |
8 */ |
9 |
10 #include "common.h" |
11 #include "lib-signals.h" |
12 #include "mech.h" |
13 #include "str.h" |
14 #include "buffer.h" |
15 #include "base64.h" |
16 #include "istream.h" |
17 #include "ostream.h" |
18 |
19 #include <stdlib.h> |
20 #include <unistd.h> |
21 #include <sys/wait.h> |
22 |
/* Helper binary that is exec'd when the WINBIND_HELPER_PATH environment
   variable is not set.
   NOTE(review): the environment value is exec'd as-is by
   winbind_helper_connect(); presumably only the trusted master process /
   configuration sets it - confirm. */
#define DEFAULT_WINBIND_HELPER_PATH "/usr/bin/ntlm_auth"

/* Outcome of one request/response exchange with the helper. */
enum helper_result {
	HR_OK = 0, /* OK or continue */
	HR_FAIL = -1, /* authentication failed */
	HR_RESTART = -2 /* FAIL + try to restart helper */
};

/* State of one ntlm_auth helper process. The field order matters: the
   static contexts below use positional initializers. */
struct winbind_helper {
	/* command line argument passed to the helper as argv[1] */
	const char *param;
	/* pid of the running helper child, or -1 when no child is tracked */
	pid_t pid;

	/* stream reading the helper's stdout */
	struct istream *in_pipe;
	/* stream writing to the helper's stdin */
	struct ostream *out_pipe;
};

/* Per-request state of the winbind mechanisms. */
struct winbind_auth_request {
	/* must stay the first member: do_auth_continue() casts a
	   struct auth_request pointer to struct winbind_auth_request */
	struct auth_request auth_request;

	/* helper context this request talks to */
	struct winbind_helper *winbind;
	/* selects the request prefix sent to the helper: "KK" when set,
	   "YR" otherwise */
	bool continued;
};

/* Helper context for the NTLM protocol variant:
   param, pid = -1 (no child), in_pipe = NULL, out_pipe = NULL */
static struct winbind_helper winbind_ntlm_context = {
	"--helper-protocol=squid-2.5-ntlmssp", -1, NULL, NULL
};
/* Helper context for GSS-SPNEGO, initialized the same way */
static struct winbind_helper winbind_spnego_context = {
	"--helper-protocol=gss-spnego", -1, NULL, NULL
};

/* Set once the SIGCHLD handler has been registered, so that
   winbind_helper_connect() registers it only on the first successful
   helper start. */
static bool sigchld_handler_set = FALSE;
54 |
/* Destroy the input and output streams of the helper context, if present.
   The helper process itself is neither signalled nor reaped here; reaping
   is done by winbind_wait_pid().
   NOTE(review): the destroy calls presumably reset the stream pointers to
   NULL, which winbind_helper_connect() relies on - confirm. */
static void winbind_helper_disconnect(struct winbind_helper *winbind)
{
	struct istream **input = &winbind->in_pipe;
	struct ostream **output = &winbind->out_pipe;

	if (*input != NULL) {
		i_stream_destroy(input);
	}
	if (*output != NULL) {
		o_stream_destroy(output);
	}
}
62 |
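/* Reap the ntlm_auth child tracked by this helper context without blocking,
   log how it terminated and mark the context as having no child.

   Does nothing when no child is tracked (pid == -1) or when the child is
   still running. */
static void winbind_wait_pid(struct winbind_helper *winbind)
{
	int status, ret;

	if (winbind->pid == -1)
		return;

	/* FIXME: use child-wait.h API */
	ret = waitpid(winbind->pid, &status, WNOHANG);
	if (ret == 0) {
		/* child hasn't exited yet */
		return;
	}
	if (ret < 0) {
		if (errno == EINTR) {
			/* interrupted, the pid stays tracked for the next
			   SIGCHLD */
			return;
		}
		if (errno != ECHILD) {
			i_error("waitpid() failed: %m");
			return;
		}
		/* ECHILD: the pid is no longer a child we can wait for
		   (e.g. it was already reaped elsewhere). Forget it, because
		   winbind_helper_connect() refuses to start a new helper
		   while pid != -1, which would leave this mechanism without
		   a helper for good. */
		winbind->pid = -1;
		return;
	}

	if (WIFSIGNALED(status)) {
		i_error("winbind: ntlm_auth died with signal %d",
			WTERMSIG(status));
	} else if (WIFEXITED(status)) {
		i_error("winbind: ntlm_auth exited with exit code %d",
			WEXITSTATUS(status));
	} else {
		/* shouldn't happen */
		i_error("winbind: ntlm_auth exited with status %d",
			status);
	}
	/* allow winbind_helper_connect() to start a new helper */
	winbind->pid = -1;
}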
90 |
/* SIGCHLD callback registered by winbind_helper_connect(): tries to reap
   the helper child of both contexts, NTLM first and then GSS-SPNEGO.
   Neither argument is used.
   NOTE(review): winbind_wait_pid() logs with i_error(), so this must not
   run in real signal context; presumably the TRUE passed to
   lib_signals_set_handler() requests delayed delivery - confirm against
   lib-signals.h. */
static void sigchld_handler(const siginfo_t *si ATTR_UNUSED,
			    void *context ATTR_UNUSED)
{
	struct winbind_helper *const helpers[] = {
		&winbind_ntlm_context,
		&winbind_spnego_context
	};
	unsigned int i;

	for (i = 0; i < sizeof(helpers) / sizeof(helpers[0]); i++)
		winbind_wait_pid(helpers[i]);
}
97 |
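/* Start the ntlm_auth helper for this context and attach streams to its
   stdin and stdout.

   Returns without doing anything when the context still has an input
   stream or a tracked child pid. pipe() and fork() failures are logged and
   leave the context unconnected. On the first successful start the SIGCHLD
   handler is registered so that exited helpers get reaped. */
static void winbind_helper_connect(struct winbind_helper *winbind)
{
	int infd[2], outfd[2];
	pid_t pid;

	if (winbind->in_pipe != NULL || winbind->pid != -1)
		return;

	/* infd: helper's stdout -> this process,
	   outfd: this process -> helper's stdin */
	if (pipe(infd) < 0) {
		i_error("pipe() failed: %m");
		return;
	}
	if (pipe(outfd) < 0) {
		/* log before close(), so that %m reports pipe()'s errno */
		i_error("pipe() failed: %m");
		(void)close(infd[0]); (void)close(infd[1]);
		return;
	}

	pid = fork();
	if (pid < 0) {
		i_error("fork() failed: %m");
		(void)close(infd[0]); (void)close(infd[1]);
		(void)close(outfd[0]); (void)close(outfd[1]);
		return;
	}

	if (pid == 0) {
		/* child */
		const char *helper_path, *args[3];

		/* close the parent's ends of the pipes */
		(void)close(infd[0]);
		(void)close(outfd[1]);

		if (dup2(outfd[0], STDIN_FILENO) < 0 ||
		    dup2(infd[1], STDOUT_FILENO) < 0)
			i_fatal("dup2() failed: %m");
		/* NOTE(review): the original pipe descriptors and any other
		   descriptors open in this process are not closed before
		   the exec; presumably they are marked close-on-exec
		   elsewhere - confirm, so the helper doesn't inherit them. */

		/* NOTE(review): the path is taken from the environment and
		   exec'd without validation; presumably only the trusted
		   master process / configuration sets this variable -
		   confirm. */
		helper_path = getenv("WINBIND_HELPER_PATH");
		if (helper_path == NULL)
			helper_path = DEFAULT_WINBIND_HELPER_PATH;

		/* fixed argv and no shell: the only argument is the
		   context's compile-time protocol option */
		args[0] = helper_path;
		args[1] = winbind->param;
		args[2] = NULL;
		execv(args[0], (void *)args);
		/* reached only if execv() failed; i_fatal() is relied on not
		   to return, otherwise the child would continue into the
		   parent's code below */
		i_fatal("execv(%s) failed: %m", args[0]);
	}

	/* parent */
	(void)close(infd[1]);
	(void)close(outfd[0]);

	winbind->pid = pid;
	/* NOTE(review): the second argument presumably caps the input buffer,
	   bounding the length of a line accepted from the helper, and TRUE
	   presumably makes the stream own the fd - confirm against
	   istream.h / ostream.h */
	winbind->in_pipe =
		i_stream_create_fd(infd[0], AUTH_CLIENT_MAX_LINE_LENGTH, TRUE);
	winbind->out_pipe =
		o_stream_create_fd(outfd[1], (size_t)-1, TRUE);

	if (!sigchld_handler_set) {
		sigchld_handler_set = TRUE;
		lib_signals_set_handler(SIGCHLD, TRUE, sigchld_handler, NULL);
	}
}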
160 |
161 static enum helper_result |
162 do_auth_continue(struct auth_request *auth_request, |
163 const unsigned char *data, size_t data_size) |
164 { |
165 struct winbind_auth_request *request = |
166 (struct winbind_auth_request *)auth_request; |
167 struct istream *in_pipe = request->winbind->in_pipe; |
168 string_t *str; |
169 char *answer; |
170 const char **token; |
171 bool gss_spnego = request->winbind == &winbind_spnego_context; |
172 |
173 if (request->winbind->in_pipe == NULL) |
174 return HR_RESTART; |
175 |
176 str = t_str_new(MAX_BASE64_ENCODED_SIZE(data_size + 1) + 4); |
177 str_printfa(str, "%s ", request->continued ? "KK" : "YR"); |
178 base64_encode(data, data_size, str); |
179 str_append_c(str, '\n'); |
180 |
181 if (o_stream_send_str(request->winbind->out_pipe, str_c(str)) < 0 || |
182 o_stream_flush(request->winbind->out_pipe) < 0) { |
183 auth_request_log_error(auth_request, "winbind", |
184 "write(out_pipe) failed: %m"); |
185 return HR_RESTART; |
186 } |
187 request->continued = FALSE; |
188 |
189 while ((answer = i_stream_read_next_line(in_pipe)) == NULL) { |
190 if (in_pipe->stream_errno != 0) |
191 break; |
192 } |
193 if (answer == NULL) { |
194 auth_request_log_error(auth_request, "winbind", |
195 "read(in_pipe) failed: %m"); |
196 return HR_RESTART; |
197 } |
198 |
199 token = t_strsplit_spaces(answer, " "); |
200 if (token[0] == NULL || |
201 (token[1] == NULL && strcmp(token[0], "BH") != 0) || |
202 (token[2] == NULL && gss_spnego)) { |
203 auth_request_log_error(auth_request, "winbind", |
204 "Invalid input from helper: %s", answer); |
205 return HR_RESTART; |
206 } |
207 |
208 /* |
209 * NTLM: |
210 * The child's reply contains 2 parts: |
211 * - The code: TT, AF or NA |
212 * - The argument: |
213 * For TT it's the blob to send to the client, coded in base64 |
214 * For AF it's user or DOMAIN\user |
215 * For NA it's the NT error code |
216 * |
217 * GSS-SPNEGO: |
218 * The child's reply contains 3 parts: |
219 * - The code: TT, AF or NA |
220 * - The blob to send to the client, coded in base64 |
221 * - The argument: |
222 * For TT it's a dummy '*' |
223 * For AF it's DOMAIN\user |
224 * For NA it's the NT error code |
225 */ |
226 |
227 if (strcmp(token[0], "TT") == 0) { |
228 buffer_t *buf; |
229 |
230 buf = t_base64_decode_str(token[1]); |
231 auth_request->callback(auth_request, |
232 AUTH_CLIENT_RESULT_CONTINUE, |
233 buf->data, buf->used); |
234 request->continued = TRUE; |
235 return HR_OK; |
236 } else if (strcmp(token[0], "NA") == 0) { |
237 const char *error = gss_spnego ? token[2] : token[1]; |
238 |
239 auth_request_log_info(auth_request, "winbind", |
240 "user not authenticated: %s", error); |
241 return HR_FAIL; |
242 } else if (strcmp(token[0], "AF") == 0) { |
243 const char *user, *p, *error; |
244 |
245 user = gss_spnego ? token[2] : token[1]; |
246 |
247 p = strchr(user, '\\'); |
248 if (p != NULL) { |
249 /* change "DOMAIN\user" to uniform style |
250 "user@DOMAIN" */ |
251 user = t_strconcat(p+1, "@", |
252 t_strdup_until(user, p), NULL); |
253 } |
254 |
255 if (!auth_request_set_username(auth_request, user, &error)) { |
256 auth_request_log_info(auth_request, "winbind", |
257 "%s", error); |
258 return HR_FAIL; |
259 } |
260 |
261 if (gss_spnego && strcmp(token[1], "*") != 0) { |
262 buffer_t *buf; |
263 |
264 buf = t_base64_decode_str(token[1]); |
265 auth_request_success(&request->auth_request, |
266 buf->data, buf->used); |
267 } else { |
268 auth_request_success(&request->auth_request, NULL, 0); |
269 } |
270 return HR_OK; |
271 } else if (strcmp(token[0], "BH") == 0) { |
272 auth_request_log_info(auth_request, "winbind", |
273 "ntlm_auth reports broken helper: %s", |
274 token[1] != NULL ? token[1] : ""); |
275 return HR_RESTART; |
276 } else { |
277 auth_request_log_error(auth_request, "winbind", |
278 "Invalid input from helper: %s", answer); |
279 return HR_RESTART; |
280 } |
281 } |
282 |
/*
 * Continue handler registered by both the NTLM and the GSS-SPNEGO
 * mechanism descriptors in this file.
 *
 * Passes the client's data to do_auth_continue() and fails the request
 * for every result other than HR_OK, so an unreadable or malformed helper
 * reply fails closed instead of being treated as a login.
 */
static void
mech_winbind_auth_continue(struct auth_request *auth_request,
			   const unsigned char *data, size_t data_size)
{
	/* assumes auth_request is the first member of struct
	   winbind_auth_request, so the downcast is valid - confirm against
	   the struct definition */
	struct winbind_auth_request *wb_request =
		(struct winbind_auth_request *)auth_request;
	enum helper_result result =
		do_auth_continue(auth_request, data, data_size);

	/* On HR_OK the visible paths of do_auth_continue() have already
	   called the request callback or auth_request_success(). */
	if (result == HR_OK)
		return;

	/* HR_RESTART is returned when the helper's reply could not be read,
	   did not parse, or was "BH": drop the helper connection before
	   failing the request. */
	if (result == HR_RESTART)
		winbind_helper_disconnect(wb_request->winbind);
	auth_request_fail(auth_request);
}
298 |
/*
 * Allocate a winbind auth request from its own alloc-only pool, bind it to
 * the given helper context and start the helper connection.
 *
 * Returns a pointer to the embedded struct auth_request; the pool that
 * owns the allocation is stored in auth_request.pool.
 */
static struct auth_request *do_auth_new(struct winbind_helper *winbind)
{
	pool_t request_pool =
		pool_alloconly_create("winbind_auth_request", 1024);
	struct winbind_auth_request *wb_request =
		p_new(request_pool, struct winbind_auth_request, 1);

	wb_request->winbind = winbind;
	wb_request->auth_request.pool = request_pool;

	/* No status from winbind_helper_connect() is inspected here; a
	   helper that failed to start has to be caught later, when the
	   request is continued - TODO confirm that path handles it.
	   NOTE(review): the callers in this file pass the address of a
	   file-level context, so requests share one helper object; confirm
	   that multi-step exchanges cannot interleave on it. */
	winbind_helper_connect(winbind);
	return &wb_request->auth_request;
}
312 |
/* Constructor registered in mech_winbind_ntlm: creates a request bound to
   the NTLM helper context. */
static struct auth_request *mech_winbind_ntlm_auth_new(void)
{
	struct winbind_helper *helper = &winbind_ntlm_context;

	return do_auth_new(helper);
}
317 |
/* Constructor registered in mech_winbind_spnego: creates a request bound
   to the GSS-SPNEGO helper context. */
static struct auth_request *mech_winbind_spnego_auth_new(void)
{
	struct winbind_helper *helper = &winbind_spnego_context;

	return do_auth_new(helper);
}
322 |
/* Mechanism descriptor for "NTLM", served through the winbind helper.
   The positional entries follow the member order of struct mech_module,
   which is declared outside this file. */
const struct mech_module mech_winbind_ntlm = {
	"NTLM",

	/* NOTE(review): the flag definitions are not shown here; presumably
	   these declare NTLM as exposed to dictionary and active attacks so
	   that policy can exclude it - confirm against the mech header. */
	MEMBER(flags) MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE,
	/* no passdb feature is requested; in this file the verdict comes
	   from the helper's reply */
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	/* constructor from this file, then the generic initial handler,
	   the shared winbind continue handler and the generic free handler */
	mech_winbind_ntlm_auth_new,
	mech_generic_auth_initial,
	mech_winbind_auth_continue,
	mech_generic_auth_free
};
334 |
/* Mechanism descriptor for "GSS-SPNEGO", served through the winbind
   helper. The positional entries follow the member order of struct
   mech_module, which is declared outside this file. */
const struct mech_module mech_winbind_spnego = {
	"GSS-SPNEGO",

	/* No security flags are set. NOTE(review): SPNEGO can negotiate
	   NTLM, and the NTLM descriptor in this file sets
	   MECH_SEC_DICTIONARY | MECH_SEC_ACTIVE - confirm that 0 is
	   intended here. */
	MEMBER(flags) 0,
	/* no passdb feature is requested; in this file the verdict comes
	   from the helper's reply */
	MEMBER(passdb_need) MECH_PASSDB_NEED_NOTHING,

	/* constructor from this file, then the generic initial handler,
	   the shared winbind continue handler and the generic free handler */
	mech_winbind_spnego_auth_new,
	mech_generic_auth_initial,
	mech_winbind_auth_continue,
	mech_generic_auth_free
};