A possible approach to handling SID compression on member servers ...

Richard Sharpe realrichardsharpe at gmail.com
Sun Jun 15 14:15:49 MDT 2014


On Sat, Jun 14, 2014 at 7:34 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sat, Jun 14, 2014 at 5:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Sat, 2014-06-14 at 12:53 -0700, Richard Sharpe wrote:
>>> Hi folks,
>>>
>>> Here is what I am thinking of. It is incomplete, in that the meat
>>> needs to be added, but I merge the resource SIDs into the ExtraSIDS
>>> portion of the info3 before we create the server_info structure.
>>>
>>> This also means that we save the correct set of SIDs in the
>>> netsamlogon cache as well.
>>>
>>> Since we throw away the logon_info structure we extract from the PAC
>>> it should not matter that we modify it.
>>>
>>> Let me know if there are any violent objections.
>>
>> I would much rather do this on a copy, as a style of accessor function.
>> We have functions to copy this structure (which at the same time should
>> be rewritten to use a pull/push via NDR).
>>
>> That is, something like get_full_info3_from_PAC().
>
> Let me think about how to do that.
>
>> Also, make sure you handle (or remove, if obsolete) the calls in
>> source3/winbindd/winbind_pam.c
>
> OK, let me look at those ...

It looks like there are two places where we need to do essentially the
same thing:

auth/auth_generic.c:auth3_generate_session_info_pac and
winbindd/winbindd_pam.c:winbindd_pac_auth_send where in each case we
currently just store the info3 in the netsamlogon cache.

There are two other places in winbindd_pam.c where we call
netsamlogon_cache_store but in those cases we have an info3 obtained
via RPC calls by the look of things.

What I _think_ we need is a common routine, like maybe
merge_resource_sids_and_store that will centralize the code to perform
that operation and then it can be called from the two places we need
it to be called from.


-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
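
The merge-on-a-copy approach discussed in this thread, as an added example that is not Samba code and not from either poster: compressed resource groups (one domain SID plus a list of RIDs) are expanded into the extra-SIDs list of a fresh copy, leaving the structure taken from the PAC untouched. The struct and function names are simplified, hypothetical stand-ins for Samba's info3 and PAC logon-info types, and the result is what a caller would then hand to the cache store.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Simplified, hypothetical stand-ins; not Samba's real structures. */
#define MAX_SUBAUTHS 15
struct sid { uint8_t num_auths; uint32_t sub_auths[MAX_SUBAUTHS]; };
struct sid_attr { struct sid sid; uint32_t attrs; };
struct rid_attr { uint32_t rid; uint32_t attrs; };
struct info3 { uint32_t sidcount; struct sid_attr *sids; };
struct resource_groups { struct sid domain_sid; uint32_t count; const struct rid_attr *rids; };

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths,
                  a->num_auths * sizeof(uint32_t)) == 0;
}

/* Returns a newly allocated info3 holding the caller's extra SIDs plus the
 * expanded resource SIDs. The input is never modified. Returns NULL on
 * allocation failure or if the domain SID has no room for a RID. */
struct info3 *info3_with_resource_sids(const struct info3 *in,
                                       const struct resource_groups *res)
{
    if (res->count > 0 && res->domain_sid.num_auths >= MAX_SUBAUTHS)
        return NULL;
    struct info3 *out = malloc(sizeof(*out));
    if (out == NULL)
        return NULL;
    size_t max = (size_t)in->sidcount + res->count;
    out->sids = calloc(max ? max : 1, sizeof(*out->sids));
    if (out->sids == NULL) { free(out); return NULL; }
    if (in->sidcount > 0)
        memcpy(out->sids, in->sids, in->sidcount * sizeof(*out->sids));
    out->sidcount = in->sidcount;
    for (uint32_t i = 0; i < res->count; i++) {
        struct sid_attr sa;
        sa.sid = res->domain_sid;              /* domain SID ... */
        sa.sid.sub_auths[sa.sid.num_auths++] = res->rids[i].rid; /* ... + RID */
        sa.attrs = res->rids[i].attrs;
        uint32_t j;
        for (j = 0; j < out->sidcount; j++)    /* skip SIDs already present */
            if (sid_equal(&out->sids[j].sid, &sa.sid)) break;
        if (j == out->sidcount)
            out->sids[out->sidcount++] = sa;
    }
    return out;
}
```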


More information about the samba-technical mailing list