Win2k domain auth problem with Samba 2.0.7

Jeremy Allison jeremy at valinux.com
Fri Sep 8 02:13:16 GMT 2000


Hi all,

	I recently did some work for Agilent (formerly HP)
to fix Samba 2.0.7 to work with their (large) domain infrastructure
that uses Win2k PDC's with SID history.

There was a problem with 2.0.7 that caused "security=domain"
to fail when SID history was being maintained. I've fixed
this in the Samba HEAD (to be 2.2.x release) branch, and
this code is checked in.

However, Ray Frush at Agilent mentioned that there were
other sites with this problem so I'm enclosing the patch
I did for Agilent so others can test and ensure it fixes
the issue.

Hope this is helpful,

Cheers,

	Jeremy Allison,
	Samba Team.

Patch follows:

--------------------------------------------------------
--- /home/jeremy/src/samba-2/samba/source/include/rpc_lsa.h	Mon Apr  5 17:39:45 1999
+++ include/rpc_lsa.h	Thu Aug 31 15:25:14 2000
@@ -52,7 +52,7 @@
 #define LSA_LOOKUPRIDS      0xFD
 
 #define LSA_MAX_GROUPS 96
-#define LSA_MAX_SIDS 32
+#define LSA_MAX_SIDS 128
 
 /* DOM_QUERY - info class 3 and 5 LSA Query response */
 typedef struct dom_query_info
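Review bot: raising LSA_MAX_SIDS from 32 to 128 quadruples the fixed-size other_sids[LSA_MAX_SIDS] array in NET_USER_INFO_3 and only moves the failure point; an account whose SID history carries more than 128 entries will still trip the SMB_ASSERT_ARRAY on other_sids in parse_net.c. A comment on the define recording why 128 was chosen (the Agilent case) would help the next person who hits the limit.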
--- /home/jeremy/src/samba-2/samba/source/include/rpc_netlogon.h	Mon Apr 19 18:01:43 1999
+++ include/rpc_netlogon.h	Thu Aug 31 15:27:24 2000
@@ -120,6 +120,10 @@
 	UNISTR2 uni_logon_dom; /* logon domain unicode string */
 
 	DOM_SID2 dom_sid;           /* domain SID */
+
+	uint32 num_other_groups;        /* other groups */
+	DOM_GID other_gids[LSA_MAX_GROUPS]; /* group info */
+
 	DOM_SID2 other_sids[LSA_MAX_SIDS]; /* undocumented - domain SIDs */
 
 } NET_USER_INFO_3;
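Review bot: the comments on the two new fields ("other groups", "group info") do not record the wire layout the parser now depends on, i.e. that num_other_groups and other_gids[] are marshalled between dom_sid and other_sids[] and only when num_other_sids is non-zero; please state that here, since this struct is the only place the order is documented. Also note this adds LSA_MAX_GROUPS DOM_GID entries to an already large struct, which matters wherever NET_USER_INFO_3 lives on the stack.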
--- /home/jeremy/src/samba-2/samba/source/rpc_parse/parse_net.c	Mon Apr 19 18:01:44 1999
+++ rpc_parse/parse_net.c	Thu Sep  7 19:09:00 2000
@@ -1080,6 +1080,8 @@
 	init_unistr2(&usr->uni_logon_dom, logon_dom, len_logon_dom);
 
 	init_dom_sid2(&usr->dom_sid, dom_sid);
+
+	usr->num_other_groups = num_other_sids;
 	/* "other" sids are set up above */
 }
 
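Review bot: num_other_groups is set equal to num_other_sids, but nothing in this hunk fills usr->other_gids[], and the existing comment only says the "other" sids were set up above. If this structure is ever marshalled with the new parser code, num_other_groups entries of uninitialized other_gids[] data will be written to the wire; either populate other_gids[] alongside other_sids[] or comment why the two counts are expected to match.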
@@ -1198,11 +1200,22 @@
 	if(!smb_io_dom_sid2("", &usr->dom_sid, ps, depth))           /* domain SID */
 		return False;
 
-	SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids);
+	if (usr->num_other_sids) {
+		SMB_ASSERT_ARRAY(usr->other_sids, usr->num_other_sids);
 
-	for (i = 0; i < usr->num_other_sids; i++) {
-		if(!smb_io_dom_sid2("", &usr->other_sids[i], ps, depth)) /* other domain SIDs */
+		if(!prs_uint32("num_other_groups", ps, depth, &usr->num_other_groups))
 			return False;
+
+		SMB_ASSERT_ARRAY(usr->other_gids, usr->num_other_groups);
+
+		for (i = 0; i < usr->num_other_groups; i++) {
+			if(!smb_io_gid("", &usr->other_gids[i], ps, depth)) /* other GIDs */
+				return False;
+		}
+		for (i = 0; i < usr->num_other_sids; i++) {
+			if(!smb_io_dom_sid2("", &usr->other_sids[i], ps, depth)) /* other domain SIDs */
+				return False;
+		}
 	}
 
 	return True;
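Review bot: num_other_groups is read straight off the wire with prs_uint32 and then bounds-checked only by SMB_ASSERT_ARRAY, so a malformed or hostile reply carrying a count larger than LSA_MAX_GROUPS aborts the process instead of failing the parse; the same applies to the existing SMB_ASSERT_ARRAY on num_other_sids. Prefer an explicit check such as `if (usr->num_other_groups > LSA_MAX_GROUPS) return False;` before the loop, and likewise for num_other_sids, keeping the assert only as a last-resort sanity check. Gating the whole new block on num_other_sids also means a reply with zero extra SIDs but non-zero groups is never parsed; if that layout cannot occur on the wire, a comment saying so would save the next reader a question.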
--------------------------------------------------------
-- 
--------------------------------------------------------
Buying an operating system without source is like buying
a self-assembly Space Shuttle with no instructions.
--------------------------------------------------------