Patch to handle sid compression for consideration ...

Jeremy Allison jra at samba.org
Tue Jun 17 11:17:44 MDT 2014 

On Tue, Jun 17, 2014 at 08:09:18AM -0700, Richard Sharpe wrote:
> 
> Right. That was one of my concerns originally as well, although I
> didn't articulate it.
> 
> If no one else gets to it today

Ok Richard, I did get to it (sorry :-).

Here's the updated patchset with Volker
and Simo's changes made.

If you can review I'd appreciate it !

Cheers,

	Jeremy.
-------------- next part --------------
>From d29c63440dc0b37aefb6d4d64e326faa87cfdd7f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 22:49:29 -0700
Subject: [PATCH 1/5] s3: auth: Add some const to the struct netr_SamInfo3 *
 arguments of copy_netr_SamInfo3() and make_server_info_info3()

Both functions only read from the struct netr_SamInfo3 * argument.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/auth/auth_util.c   | 2 +-
 source3/auth/proto.h       | 4 ++--
 source3/auth/server_info.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index cab77b4..2986fb4 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1335,7 +1335,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 				const char *sent_nt_username,
 				const char *domain,
 				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3)
+				const struct netr_SamInfo3 *info3)
 {
 	static const char zeros[16] = {0, };
 
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 9e11a0c..686582a 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -242,7 +242,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 				const char *sent_nt_username,
 				const char *domain,
 				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3);
+				const struct netr_SamInfo3 *info3);
 struct wbcAuthUserInfo;
 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 					  const char *sent_nt_username,
@@ -304,7 +304,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			    const struct passwd *pwd,
 			    struct netr_SamInfo3 **pinfo3);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig);
+					 const struct netr_SamInfo3 *orig);
 
 /* The following definitions come from auth/auth_wbc.c  */
 
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index df0be54..4ce57c1 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -580,7 +580,7 @@ done:
 	} } while(0)
 
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig)
+					 const struct netr_SamInfo3 *orig)
 {
 	struct netr_SamInfo3 *info3;
 	unsigned int i;
-- 
1.9.1


>From a605b2f6c2711c16f47afc71da1751a7fd27c359 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 22:54:45 -0700
Subject: [PATCH 2/5] s3: auth: Change make_server_info_info3() to take a const
 struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.

make_server_info_info3() only reads from the info3 pointer.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/auth/auth_generic.c | 2 +-
 source3/auth/proto.h        | 2 +-
 source3/auth/user_krb5.c    | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 05c4ddc..6b146a0 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -113,7 +113,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	status = make_session_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-					logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+					&logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
 					session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 686582a..ab8fb89 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -372,7 +372,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info);
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 6b8fad2..7442ea4 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info)
@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 			return status;
 		}
 
-	} else if (logon_info) {
+	} else if (info3) {
 		/* pass the unmapped username here since map_username()
 		   will be called again in make_server_info_info3() */
 
 		status = make_server_info_info3(mem_ctx,
 						ntuser, ntdomain,
 						&server_info,
-						&logon_info->info3);
+						info3);
 		if (!NT_STATUS_IS_OK(status)) {
 			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
 				  nt_errstr(status)));
@@ -298,7 +298,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 				char *ntdomain,
 				char *username,
 				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
 				bool mapped_to_guest, bool username_was_mapped,
 				DATA_BLOB *session_key,
 				struct auth_session_info **session_info)
-- 
1.9.1


>From 785f8a07a96d5f548245ccfeeb48a94a1cab18be Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 23:11:58 -0700
Subject: [PATCH 3/5] s3: auth: Add create_info3_from_pac_logon_info() to
 create a new info3 and merge resource group SIDs into it.

Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe at gmail.com>.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/auth/proto.h       |  3 ++
 source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index ab8fb89..1da0c44 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -294,6 +294,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in
 				struct netr_SamInfo3 *sam3);
 NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
 				struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+                                        const struct PAC_LOGON_INFO *logon_info,
+                                        struct netr_SamInfo3 **pp_info3);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 			  struct samu *samu,
 			  const char *login_server,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 4ce57c1..8fd3b0d 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -253,6 +253,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
 	return NT_STATUS_OK;
 }
 
+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+				struct netr_SamInfo3 *info3)
+{
+	uint32_t i = 0;
+
+	if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * If there are any resource groups (SID Compression) add
+	 * them to the extra sids portion of the info3 in the PAC.
+	 *
+	 * This makes the info3 look like it would if we got the info
+	 * from the DC rather than the PAC.
+	 */
+
+	/*
+	 * Construct a SID for each RID in the list and then append it
+	 * to the info3.
+	 */
+	for (i = 0; i < logon_info->res_groups.count; i++) {
+		NTSTATUS status;
+		struct dom_sid new_sid;
+		uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+		sid_compose(&new_sid,
+			logon_info->res_group_dom_sid,
+			logon_info->res_groups.rids[i].rid);
+
+		DEBUG(10, ("Adding SID %s to extra SIDS\n",
+			sid_string_dbg(&new_sid)));
+
+		status = append_netr_SidAttr(info3, &info3->sids,
+					&info3->sidcount,
+					&new_sid,
+					attributes);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+				sid_string_dbg(&new_sid),
+				nt_errstr(status)));
+			return status;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+					const struct PAC_LOGON_INFO *logon_info,
+					struct netr_SamInfo3 **pp_info3)
+{
+	NTSTATUS status;
+	struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+					&logon_info->info3);
+	if (info3 == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	status = merge_resource_sids(logon_info, info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info3);
+		return status;
+	}
+	*pp_info3 = info3;
+	return NT_STATUS_OK;
+}
+
 #define RET_NOMEM(ptr) do { \
 	if (!ptr) { \
 		TALLOC_FREE(info3); \
-- 
1.9.1


>From a4203fdc6d535325f45a821efc934f27033f4a4d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 23:15:21 -0700
Subject: [PATCH 4/5] s3: auth: Change auth3_generate_session_info_pac() to use
 a copy of the info3 struct from the struct PAC_LOGON_INFO.

Call create_info3_from_pac_logon_info() to add in any resource SIDs
from the struct PAC_LOGON_INFO to the info3.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/auth/auth_generic.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 6b146a0..1da4961 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -45,6 +45,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 {
 	TALLOC_CTX *tmp_ctx;
 	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct netr_SamInfo3 *info3_copy = NULL;
 	bool is_mapped;
 	bool is_guest;
 	char *ntuser;
@@ -102,7 +103,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	/* save the PAC data if we have it */
 	if (logon_info) {
-		netsamlogon_cache_store(ntuser, &logon_info->info3);
+		status = create_info3_from_pac_logon_info(tmp_ctx,
+					logon_info,
+					&info3_copy);
+		if (!NT_STATUS_IS_OK(status)) {
+			goto done;
+		}
+		netsamlogon_cache_store(ntuser, info3_copy);
 	}
 
 	/* setup the string used by %U */
@@ -113,7 +120,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	status = make_session_info_krb5(mem_ctx,
 					ntuser, ntdomain, username, pw,
-					&logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+					info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
 					session_info);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
-- 
1.9.1


>From 041718feb75599e3d3d74277a61b07de078d9a2c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra at samba.org>
Date: Mon, 16 Jun 2014 23:27:35 -0700
Subject: [PATCH 5/5] s3: auth: Fix winbindd_pam_auth_pac_send() to create a
 new info3 and merge in resource groups from a trusted PAC.

Based on a patch from Richard Sharpe <realrichardsharpe at gmail.com>.

Signed-off-by: Jeremy Allison <jra at samba.org>
---
 source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 1fb4360..1112b21 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2450,6 +2450,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 	struct winbindd_request *req = state->request;
 	DATA_BLOB pac_blob;
 	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct netr_SamInfo3 *info3_copy = NULL;
 	NTSTATUS result;
 
 	pac_blob = data_blob_const(req->extra_data.data, req->extra_len);
@@ -2463,7 +2464,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 
 	if (logon_info) {
 		/* Signature verification succeeded, trust the PAC */
-		netsamlogon_cache_store(NULL, &logon_info->info3);
+		result = create_info3_from_pac_logon_info(state->mem_ctx,
+							logon_info,
+							&info3_copy);
+		if (!NT_STATUS_IS_OK(result)) {
+			return result;
+		}
+		netsamlogon_cache_store(NULL, info3_copy);
 
 	} else {
 		/* Try without signature verification */
@@ -2475,9 +2482,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 				   nt_errstr(result)));
 			return result;
 		}
+		if (logon_info) {
+			/*
+			 * Don't strictly need to copy here,
+			 * but it makes it explicit we're
+			 * returning a copy talloc'ed off
+			 * the state->mem_ctx.
+			 */
+			info3_copy = copy_netr_SamInfo3(state->mem_ctx,
+					&logon_info->info3);
+			if (info3_copy == NULL) {
+				return NT_STATUS_NO_MEMORY;
+			}
+		}
 	}
 
-	*info3 = &logon_info->info3;
+	*info3 = info3_copy;
 
 	return NT_STATUS_OK;
 }
-- 
1.9.1

More information about the samba-technical mailing list