svn commit: samba r13377 - branches/SAMBA_3_0/source/nsswitch trunk/source/nsswitch

gd at samba.org gd at samba.org
Tue Feb 7 17:55:22 GMT 2006


Author: gd
Date: 2006-02-07 17:55:17 +0000 (Tue, 07 Feb 2006)
New Revision: 13377

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=13377

Log:
Fix from Volker: Make offline authentication work with NT4 as well
(handle no ACB_NORMAL flag and save name2sid as early as possible).

Guenther


Modified:
   branches/SAMBA_3_0/source/nsswitch/winbindd_cache.c
   branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
   trunk/source/nsswitch/winbindd_cache.c
   trunk/source/nsswitch/winbindd_pam.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_cache.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_cache.c	2006-02-07 17:21:20 UTC (rev 13376)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_cache.c	2006-02-07 17:55:17 UTC (rev 13377)
@@ -2048,6 +2048,14 @@
 	return NT_STATUS_IS_OK(status);
 }
 
+void cache_name2sid(struct winbindd_domain *domain, 
+		    const char *domain_name, const char *name,
+		    enum SID_NAME_USE type, const DOM_SID *sid)
+{
+	wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
+				sid, type);
+}
+
 /* delete all centries that don't have NT_STATUS_OK set */
 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, 
 			       TDB_DATA dbuf, void *state)
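Review bot: The new exported `cache_name2sid()` has no comment, and it always stores the entry with `NT_STATUS_OK`, so nothing tells a caller that only mappings from a successful lookup or logon may be passed in. I would add above it `/* Save a verified name -> SID mapping in the cache. The entry is always stored with NT_STATUS_OK, so only call this with data from a successful lookup or logon. */`. The wrapper also takes `type, sid` while `wcache_save_name_to_sid()` takes `sid, type`; the swap is handled correctly here but is worth a word in that comment. The same applies to the identical hunk in trunk/source/nsswitch/winbindd_cache.c.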

Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-07 17:21:20 UTC (rev 13376)
+++ branches/SAMBA_3_0/source/nsswitch/winbindd_pam.c	2006-02-07 17:55:17 UTC (rev 13377)
@@ -734,13 +734,17 @@
 		if (my_info3->acct_flags & ACB_DOMTRUST) {
 			return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 		}
-	
+#if 0
+		/* The info3 acct_flags in NT4's samlogon reply don't have 
+		 * ACB_NORMAL set. Disable this paranoia check until we
+		 * can research this more - Guenther */
+		
 		if (!(my_info3->acct_flags & ACB_NORMAL)) {
 			DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", 
 				my_info3->acct_flags));
 			return NT_STATUS_LOGON_FAILURE;
 		}
-	
+#endif	
 		kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
 		if (kickoff_time != 0 && time(NULL) > kickoff_time) {
 			return NT_STATUS_ACCOUNT_EXPIRED;
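Review bot: Putting the `ACB_NORMAL` test under `#if 0` removes the only positive account-type check visible in this cached-logon path. Offline authentication now accepts any `acct_flags` value that the negative checks do not reject (`ACB_DOMTRUST` is visible here; others may sit above the hunk, which starts mid-function). While the NT4 behaviour is researched, I would keep the `DEBUG(10, ...)` line compiled in and disable only `return NT_STATUS_LOGON_FAILURE;`, so replies without the flag still show up in the log with their flag value. The comment should also name what has to be confirmed before the check returns, e.g. `/* TODO: re-enable once the acct_flags NT4 actually returns are known */`, since `#if 0` blocks tend to become permanent. The same applies to the identical hunk at -734 in trunk/source/nsswitch/winbindd_pam.c.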
@@ -1116,9 +1120,15 @@
 
 	if (NT_STATUS_IS_OK(result)) {
 	
+		DOM_SID user_sid;
+
 		netsamlogon_cache_store(name_user, info3);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
 
+		/* save name_to_sid info as early as possible */
+		sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
+		cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
+		
 		/* Check if the user is in the right group */
 
 		if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
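Review bot: The result of `sid_compose()` is not checked before `user_sid` is passed to `cache_name2sid()`, which stores it with `NT_STATUS_OK`. If the compose step can fail on the server-supplied `info3->dom_sid.sid`, a bad SID would be cached as a valid mapping and later served to offline lookups. Assuming `sid_compose()` returns a success flag, guard the call: `if (sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid)) { cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid); }`. Separately, the line above resolves the domain with `find_domain_from_name(name_domain)` while the new call passes `domain`, whose declaration is outside the hunk; it is worth confirming the two always refer to the same domain. The same applies to the identical hunk at -1116 in trunk/source/nsswitch/winbindd_pam.c.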

Modified: trunk/source/nsswitch/winbindd_cache.c
===================================================================
--- trunk/source/nsswitch/winbindd_cache.c	2006-02-07 17:21:20 UTC (rev 13376)
+++ trunk/source/nsswitch/winbindd_cache.c	2006-02-07 17:55:17 UTC (rev 13377)
@@ -2048,6 +2048,14 @@
 	return NT_STATUS_IS_OK(status);
 }
 
+void cache_name2sid(struct winbindd_domain *domain, 
+		    const char *domain_name, const char *name,
+		    enum SID_NAME_USE type, const DOM_SID *sid)
+{
+	wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
+				sid, type);
+}
+
 /* delete all centries that don't have NT_STATUS_OK set */
 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, 
 			       TDB_DATA dbuf, void *state)

Modified: trunk/source/nsswitch/winbindd_pam.c
===================================================================
--- trunk/source/nsswitch/winbindd_pam.c	2006-02-07 17:21:20 UTC (rev 13376)
+++ trunk/source/nsswitch/winbindd_pam.c	2006-02-07 17:55:17 UTC (rev 13377)
@@ -734,13 +734,17 @@
 		if (my_info3->acct_flags & ACB_DOMTRUST) {
 			return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 		}
-	
+#if 0
+		/* The info3 acct_flags in NT4's samlogon reply don't have 
+		 * ACB_NORMAL set. Disable this paranoia check until we
+		 * can research this more - Guenther */
+		
 		if (!(my_info3->acct_flags & ACB_NORMAL)) {
 			DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", 
 				my_info3->acct_flags));
 			return NT_STATUS_LOGON_FAILURE;
 		}
-	
+#endif	
 		kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
 		if (kickoff_time != 0 && time(NULL) > kickoff_time) {
 			return NT_STATUS_ACCOUNT_EXPIRED;
@@ -1116,9 +1120,15 @@
 
 	if (NT_STATUS_IS_OK(result)) {
 	
+		DOM_SID user_sid;
+
 		netsamlogon_cache_store(name_user, info3);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
 
+		/* save name_to_sid info as early as possible */
+		sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
+		cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
+		
 		/* Check if the user is in the right group */
 
 		if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,


