RFC also store resource group ids available from pac logon from successful pam authentication

Noel Power nopower at suse.com
Wed Jun 10 07:11:36 MDT 2015


Hi

Came across a bug where sometimes groups returned (e.g. from the id command)
were missing some group sids; turns out these group ids are resource
groups. If we successfully authenticate via pam then the netsamlogon
cache is updated but is missing any of those resource group ids; this
patch attempts to address that.

Noel
-------------- next part --------------
From aff49c171194fe5a4ad9755eb16347dcfdfa16a1 Mon Sep 17 00:00:00 2001
From: Noel Power <noel.power at suse.com>
Date: Wed, 10 Jun 2015 13:13:25 +0100
Subject: [PATCH] kerberos auth info3 should contain resource group ids
 available from pac_logon

successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids). The subsequent cached entry used for group lookups
can be missing those resource groups

Signed-off-by: Noel Power <noel.power at suse.com>
---
 source3/winbindd/winbindd_pam.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 864382e..018f70f 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -594,6 +594,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 	struct PAC_DATA_CTR *pac_data_ctr = NULL;
 	const char *local_service;
 	int i;
+	struct netr_SamInfo3 *info3_copy = NULL;
 
 	*info3 = NULL;
 
@@ -713,11 +714,15 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 		break;
 	}
 
-	*info3 = &logon_info->info3;
 
 	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
 		principal_s));
 
+	result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
+	if (!NT_STATUS_IS_OK(result)) {
+		goto failed;
+	}
+
 	/* if we had a user's ccache then return that string for the pam
 	 * environment */
 
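Review bot: removing `*info3 = &logon_info->info3;` right after the switch and only assigning the out-parameter at the end of the function (next hunk) means `*info3` is NULL for the whole stretch between line 717 and the final assignment; please confirm that nothing in that stretch (the ccache handling that follows the "if we had a user's ccache" comment) reads `*info3`, since previously it held the PAC's info3 at that point. Two smaller points in the same region: the removal leaves two consecutive blank lines before the DEBUG call, so drop one of them; and the "winbindd validated ticket" message is now logged before `create_info3_from_pac_logon_info` can fail, so a failure in the copy will appear in the logs after a message that reads as success. Consider moving the DEBUG after the `NT_STATUS_IS_OK` check, or logging the failure explicitly before `goto failed`, so an operator reading at debug level 10 can tell a rejected copy from a validated login. Building the info3 from the full PAC logon info is the right fix for the cache gap described in the commit message: the netsamlogon cache entry then carries the resource group sids, so later group lookups agree with what the KDC actually put in the ticket.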
@@ -753,7 +758,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 		}
 
 	}
-
+	*info3 = info3_copy;
 	return NT_STATUS_OK;
 
 failed:
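Review bot: the blank line that separated the closing brace from `return NT_STATUS_OK;` has been replaced by the `*info3 = info3_copy;` assignment; keep a blank line between the brace and the assignment for readability. On the error path, since `*info3` is set to NULL at the top of the function (first hunk) and `goto failed` is taken before this assignment, the caller correctly never sees a partially built info3; the copy itself is left to `mem_ctx` to release, which is fine assuming `create_info3_from_pac_logon_info` allocates on the `mem_ctx` passed as its first argument, as the call suggests.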
-- 
1.8.4.5



More information about the samba-technical mailing list