A possible approach to handling SID compression on member servers ...

Richard Sharpe realrichardsharpe at gmail.com
Sun Jun 15 14:15:49 MDT 2014

On Sat, Jun 14, 2014 at 7:34 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Sat, Jun 14, 2014 at 5:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
>> On Sat, 2014-06-14 at 12:53 -0700, Richard Sharpe wrote:
>>> Hi folks,
>>> Here is what I am thinking of. It is incomplete, in that the meat
>>> needs to be added, but I merge the resource SIDs into the ExtraSIDS
>>> portion of the info3 before we create the server_info structure.
>>> This also means that we save the correct set of SIDs in the
>>> netsamlogon cache as well.
>>> Since we throw away the logon_info structure we extract from the PAC
>>> it should not matter that we modify it.
>>> Let me know if there are any violent objections.
>> I would much rather do this on a copy, as style of accessor function.
>> We have functions to copy this structure (which at the same time should
>> be rewritten to use a pull/push via NDR).
>> That is, something like get_full_info3_from_PAC().
> Let me think about how to do that.
>> Also, make sure you handle (or remove, if obsolete) the calls in
>> source3/winbindd/winbind_pam.c
> OK, let me look at those ...

It looks like there are two places where we need to do essentially the
same thing:

auth/auth_generic.c:auth3_generate_session_info_pac and
winbindd/winbindd_pam.c:winbindd_pac_auth_send where in each case we
currently just store the info3 in the netsamlogon cache.

There are two other places in winbindd_pam.c where we call
netsamlogon_cache_store but in those cases we have an info3 obtained
via RPC calls by the look of things.

What I _think_ we need is a common routine, like maybe
merge_resource_sids_and_store that will centralize the code to perform
that operation and then it can be called from the two places we need
it to be called from.

Richard Sharpe
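
The merge-on-a-copy idea discussed in this thread, as an added example that is not part of the original message and is not Samba code. The struct types are simplified stand-ins (assumptions) for the info3 and PAC logon info structures, and the name get_full_info3 is hypothetical, modelled on the accessor name suggested in the quoted reply; duplicate SIDs are skipped so the copy lists each group once.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in types (assumptions), not Samba's netr_SamInfo3 / PAC_LOGON_INFO. */
#define MAX_SUBAUTHS 15
struct sid { uint8_t num_auths; uint32_t sub_auths[MAX_SUBAUTHS]; };
struct sid_attr { struct sid sid; uint32_t attrs; };
struct rid_attr { uint32_t rid; uint32_t attrs; };
struct info3 { uint32_t sidcount; struct sid_attr *sids; }; /* ExtraSIDs portion only */
struct logon_info {             /* as extracted from the PAC */
    struct info3 info3;
    struct sid res_dom_sid;     /* domain SID shared by the resource groups */
    uint32_t res_count;
    struct rid_attr *res_rids;  /* compressed form: RIDs relative to res_dom_sid */
};
static int sid_equal(const struct sid *a, const struct sid *b) {
    return a->num_auths == b->num_auths &&
           memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof(uint32_t)) == 0;
}

/* Copy ExtraSIDs into *out and append the expanded resource SIDs; input untouched.
 * Returns 0 on success (caller frees out->sids) or -1 on error. */
int get_full_info3(const struct logon_info *li, struct info3 *out) {
    uint32_t i, j, n = li->info3.sidcount;
    if (li->res_count >= UINT32_MAX - n ||
        (li->res_count > 0 && li->res_dom_sid.num_auths >= MAX_SUBAUTHS)) return -1;
    out->sids = calloc((size_t)n + li->res_count + 1, sizeof(*out->sids));
    if (out->sids == NULL) return -1;
    if (n > 0) memcpy(out->sids, li->info3.sids, n * sizeof(*out->sids));
    for (i = 0; i < li->res_count; i++) {
        struct sid s = li->res_dom_sid;
        s.sub_auths[s.num_auths++] = li->res_rids[i].rid;   /* domain SID + RID */
        for (j = 0; j < n && !sid_equal(&out->sids[j].sid, &s); j++) { }
        if (j < n) continue;                                /* already listed */
        out->sids[n].sid = s;
        out->sids[n++].attrs = li->res_rids[i].attrs;
    }
    out->sidcount = n;
    return 0;
}

int main(void) {   /* constructed sample: the one ExtraSID duplicates resource RID 1000 */
    struct sid_attr extra[] = {{{5, {21, 1, 2, 3, 1000}}, 7}};
    struct rid_attr rids[] = {{1000, 7}, {2000, 7}};
    struct logon_info li = {{1, extra}, {4, {21, 1, 2, 3}}, 2, rids};
    struct info3 full;
    if (get_full_info3(&li, &full) != 0) return 1;
    printf("copy: %u SIDs, original: %u\n", (unsigned)full.sidcount, (unsigned)li.info3.sidcount);
    free(full.sids);
    return 0;
}
```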
