svn commit: samba r17971 - in branches: SAMBA_3_0/source/libads SAMBA_3_0/source/passdb SAMBA_3_0_23/source/passdb

jerry at samba.org jerry at samba.org
Thu Aug 31 18:32:23 GMT 2006


Author: jerry
Date: 2006-08-31 18:32:23 +0000 (Thu, 31 Aug 2006)
New Revision: 17971

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=17971

Log:
Disable storing SIDs in the S-1-22-1 and S-1-22-2 domains in the SID<->uid/gid cache.  Fixes a bug in token creation
Modified:
   branches/SAMBA_3_0/source/libads/kerberos_verify.c
   branches/SAMBA_3_0/source/passdb/lookup_sid.c
   branches/SAMBA_3_0_23/source/passdb/lookup_sid.c


Changeset:
Modified: branches/SAMBA_3_0/source/libads/kerberos_verify.c
===================================================================
--- branches/SAMBA_3_0/source/libads/kerberos_verify.c	2006-08-31 16:26:32 UTC (rev 17970)
+++ branches/SAMBA_3_0/source/libads/kerberos_verify.c	2006-08-31 18:32:23 UTC (rev 17971)
@@ -376,13 +376,15 @@
 		goto out;
 	}
 
-	if (lp_use_kerberos_keytab()) {
+	/* always check secrets first in order to prevent hitting the 
+	   keytab until really necessary */
+
+	auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+					    ticket, &packet, &tkt, &keyblock);
+
+	if (!auth_ok && lp_use_kerberos_keytab()) {
 		auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, &keyblock);
 	}
-	if (!auth_ok) {
-		auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
-						    ticket, &packet, &tkt, &keyblock);
-	}
 
 	release_server_mutex();
 	got_replay_mutex = False;
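Review bot: The swap of the two ticket-verification paths in this hunk is not described by the log entry, which only mentions the SID-cache change; the commit message should state why the key stored in secrets is now tried before the keytab, so a later reader does not mistake this for an accidental revert. The added comment could also say what "secrets" means here, e.g. `/* try the host key kept in secrets first; only fall back to the keytab when that fails and lp_use_kerberos_keytab() is set */`. It is also worth confirming that ads_secrets_verify_ticket() leaves packet, tkt and keyblock unallocated on its failure path, since the ads_keytab_verify_ticket() call on the next line reuses the same out-parameters. The enclosing function starts and ends outside the hunk.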

Modified: branches/SAMBA_3_0/source/passdb/lookup_sid.c
===================================================================
--- branches/SAMBA_3_0/source/passdb/lookup_sid.c	2006-08-31 16:26:32 UTC (rev 17970)
+++ branches/SAMBA_3_0/source/passdb/lookup_sid.c	2006-08-31 18:32:23 UTC (rev 17971)
@@ -999,6 +999,11 @@
 {
 	struct uid_sid_cache *pc;
 
+	/* do not store SIDs in the "Unix Group" domain */
+	
+	if ( sid_check_is_in_unix_users( psid ) )
+		return;
+
 	if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
 		struct uid_sid_cache *pc_next;
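Review bot: The comment added above the new guard says "Unix Group" domain, but the check directly under it is sid_check_is_in_unix_users(), i.e. the S-1-22-1 "Unix User" domain that the log message names; suggest `/* do not store SIDs in the "Unix User" (S-1-22-1) domain */` here. The same mismatched comment is in the SAMBA_3_0_23 copy of this function in the third file of the commit. The blank lines added in this hunk (and in the gid hunks) carry a trailing tab. This function, presumably store_uid_sid_cache, has its signature and the rest of its body outside the hunk.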
@@ -1070,6 +1075,11 @@
 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 {
 	struct gid_sid_cache *pc;
+	
+	/* do not store SIDs in the "Unix Group" domain */
+	
+	if ( sid_check_is_in_unix_groups( psid ) )
+		return;
 
 	if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */

Modified: branches/SAMBA_3_0_23/source/passdb/lookup_sid.c
===================================================================
--- branches/SAMBA_3_0_23/source/passdb/lookup_sid.c	2006-08-31 16:26:32 UTC (rev 17970)
+++ branches/SAMBA_3_0_23/source/passdb/lookup_sid.c	2006-08-31 18:32:23 UTC (rev 17971)
@@ -951,6 +951,11 @@
 {
 	struct uid_sid_cache *pc;
 
+	/* do not store SIDs in the "Unix Group" domain */
+	
+	if ( sid_check_is_in_unix_users( psid ) )
+		return;
+
 	if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
 		struct uid_sid_cache *pc_next;
@@ -1022,6 +1027,11 @@
 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 {
 	struct gid_sid_cache *pc;
+	
+	/* do not store SIDs in the "Unix Group" domain */
+	
+	if ( sid_check_is_in_unix_groups( psid ) )
+		return;
 
 	if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
 		/* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */


