A possible approach to handling SID compression on member servers ...
Richard Sharpe
realrichardsharpe at gmail.com
Sat Jun 14 13:53:53 MDT 2014
Hi folks,
Here is what I am thinking of. It is incomplete, in that the meat
needs to be added, but I merge the resource SIDs into the ExtraSIDS
portion of the info3 before we create the server_info structure.
This also means that we save the correct set of SIDs in the
netsamlogon cache as well.
Since we throw away the logon_info structure we extract from the PAC
it should not matter that we modify it.
Let me know if there are any violent objections.
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -34,6 +34,14 @@
#include "lib/param/loadparm.h"
#include "librpc/gen_ndr/dcerpc.h"
+NTSTATUS merge_resource_sids(struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 *info3)
+{
+ NTSTATUS status = NT_STATUS_OK;
+
+ return status;
+}
+
static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
TALLOC_CTX *mem_ctx,
struct smb_krb5_context *smb_krb
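Review bot: merge_resource_sids() is added without static and without a prototype, although its only caller in this patch is in the same file; make it static or declare it in a header. The body is a stub that returns NT_STATUS_OK, so with only this applied the caller logs a merge and then caches an info3 that still lacks the resource group SIDs; returning an error until the body is filled in would keep that from going unnoticed. The second argument is always &logon_info->info3 at the call site, so it is redundant, and the signature carries no TALLOC_CTX to show which context will own the enlarged ExtraSIDs array.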
@@ -102,6 +110,25 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth
/* save the PAC data if we have it */
if (logon_info) {
+ /*
+ * If there are any resource groups (SID Compression) add
+ * them to the extra sids portion of the info3 in the PAC.
+ *
+ * This makes the info3 look like it would if we got the info
+ * from the DC rather than the PAC.
+ */
+ if (logon_info->info3.base.user_flags &
+ NETLOGON_RESOURCE_GROUPS) {
+ DEBUG(10, ("Merging SID Compression SID to info3\n"));
+ status = merge_resource_sids(logon_info,
+ &logon_info->info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("merge_resource_groups failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
netsamlogon_cache_store(ntuser, &logon_info->info3);
}
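Review bot: the failure DEBUG in the added block prints "merge_resource_groups failed" while the function being called is merge_resource_sids(); make the message match the function name so a log line can be traced back to the code. The `return status;` inside `if (logon_info)` is a new early exit, so check that anything allocated earlier in auth3_generate_session_info_pac() is released on that path. Failing the logon here rather than caching an info3 with an incomplete group set is the safer behaviour and worth stating in the comment.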
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
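The merge described in the message above, as an added example that is not part of the patch or of Samba's code: it expands a resource-group domain SID plus RIDs into full SIDs and appends them to an extra-SID list. The struct types and the function name are hypothetical simplified stand-ins (SID revision and identifier authority are omitted), and skipping duplicates is this example's own choice.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUBAUTHS 15   /* a SID holds at most 15 sub-authorities */

/* Hypothetical simplified stand-ins, not Samba's dom_sid / PAC structures. */
struct sid { uint8_t num_auths; uint32_t sub_auths[MAX_SUBAUTHS]; };
struct rid_attr { uint32_t rid; uint32_t attributes; };
struct sid_attr { struct sid sid; uint32_t attributes; };
struct sid_list { uint32_t count; struct sid_attr *sids; };

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths,
                  a->num_auths * sizeof(uint32_t)) == 0;
}

/* Append (res_dom + rid) for every RID to extra, skipping SIDs already there.
 * Returns 0 on success, -1 on error; on error extra is left unchanged. */
int merge_resource_sids_example(const struct sid *res_dom,
                                const struct rid_attr *rids, uint32_t num_rids,
                                struct sid_list *extra)
{
    if (res_dom == NULL || res_dom->num_auths >= MAX_SUBAUTHS)
        return -1;                        /* no room to append a RID */
    if (num_rids > UINT32_MAX - extra->count)
        return -1;                        /* combined count would wrap */
    if (num_rids == 0) return 0;
    struct sid_attr *out = calloc(extra->count + num_rids, sizeof(*out));
    if (out == NULL) return -1;
    uint32_t n = extra->count;
    if (n) memcpy(out, extra->sids, n * sizeof(*out));
    for (uint32_t i = 0; i < num_rids; i++) {
        struct sid full = *res_dom;       /* domain SID ... */
        full.sub_auths[full.num_auths++] = rids[i].rid;  /* ... plus RID */
        uint32_t j = 0;
        while (j < n && !sid_equal(&out[j].sid, &full)) j++;
        if (j < n) continue;              /* already present, keep existing */
        out[n].sid = full;
        out[n].attributes = rids[i].attributes;
        n++;
    }
    free(extra->sids);                    /* swap in the list only at the end */
    extra->sids = out;
    extra->count = n;
    return 0;
}
```

The list is replaced only after every SID has been built, so a failure part-way through cannot leave a partly merged group set behind.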