A possible approach to handling SID compression on member servers ...

Andrew Bartlett abartlet at samba.org
Sun Jun 15 16:08:09 MDT 2014


On Sun, 2014-06-15 at 13:15 -0700, Richard Sharpe wrote:
> On Sat, Jun 14, 2014 at 7:34 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > On Sat, Jun 14, 2014 at 5:38 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> >> On Sat, 2014-06-14 at 12:53 -0700, Richard Sharpe wrote:
> >>> Hi folks,
> >>>
> >>> Here is what I am thinking of. It is incomplete, in that the meat
> >>> needs to be added, but I merge the resource SIDs into the ExtraSIDS
> >>> portion of the info3 before we create the server_info structure.
> >>>
> >>> This also means that we save the correct set of SIDs in the
> >>> netsamlogon cache as well.
> >>>
> >>> Since we throw away the logon_info structure we extract from the PAC
> >>> it should not matter that we modify it.
> >>>
> >>> Let me know if there are any violent objections.
> >>
> >> I would much rather do this on a copy, in the style of an accessor function.
> >> We have functions to copy this structure (which at the same time should
> >> be rewritten to use a pull/push via NDR).
> >>
> >> That is, something like get_full_info3_from_PAC().
> >
> > Let me think about how to do that.
> >
> >> Also, make sure you handle (or remove, if obsolete) the calls in
> >> source3/winbindd/winbind_pam.c
> >
> > OK, let me look at those ...
> 
> It looks like there are two places where we need to do essentially the
> same thing:
> 
> auth/auth_generic.c:auth3_generate_session_info_pac and
> winbindd/winbindd_pam.c:winbindd_pac_auth_send where in each case we
> currently just store the info3 in the netsamlogon cache.
> 
> There are two other places in winbindd_pam.c where we call
> netsamlogon_cache_store but in those cases we have an info3 obtained
> via RPC calls by the look of things.
> 
> What I _think_ we need is a common routine, like maybe
> merge_resource_sids_and_store that will centralize the code to perform
> that operation and then it can be called from the two places we need
> it to be called from.

Sort-of.  Remember, it is just as important to pass the corrected
'info3' to the function that creates the struct auth_session_info as it
is to store it in the cache correctly.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
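As an added illustration of the merge Richard describes and the "do it on a copy" approach Andrew asks for, here is a stand-alone C program that is not Samba code: the types `sid_t`, `logon_info_t` and every function name are hypothetical stand-ins (the real PAC logon info and struct dom_sid look different), and the sample SIDs and RIDs are constructed. It expands each compressed resource-group RID against the resource domain SID, appends the result to a fresh copy of the ExtraSIDs list without touching the input, and fails cleanly if a domain SID already carries the maximum number of sub-authorities, so the same merged list can be handed both to session-info creation and to the cache:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SUB_AUTHS 15

/* Minimal SID representation (hypothetical; not Samba's struct dom_sid). */
typedef struct {
    uint8_t  rev;
    uint8_t  num_auths;
    uint64_t id_auth;                  /* 48-bit identifier authority */
    uint32_t sub_auths[MAX_SUB_AUTHS];
} sid_t;

typedef struct { uint32_t rid; uint32_t attributes; } rid_attr_t; /* like ResourceGroupIds */
typedef struct { sid_t sid;    uint32_t attributes; } sid_attr_t; /* like ExtraSids */

/* Hypothetical subset of PAC logon info: only the fields the merge needs. */
typedef struct {
    const sid_attr_t *extra_sids;      uint32_t sid_count;
    sid_t             resource_domain_sid;
    const rid_attr_t *resource_groups; uint32_t resource_group_count;
} logon_info_t;

/* Parse "S-1-5-21-a-b-c" into sid_t; returns 0 on success, -1 on bad input. */
static int sid_parse(const char *s, sid_t *out)
{
    unsigned rev; unsigned long long auth; int n;
    memset(out, 0, sizeof(*out));
    if (sscanf(s, "S-%u-%llu%n", &rev, &auth, &n) != 2) return -1;
    out->rev = (uint8_t)rev; out->id_auth = auth; s += n;
    while (*s == '-') {
        unsigned long v;
        if (out->num_auths >= MAX_SUB_AUTHS) return -1;
        if (sscanf(s, "-%lu%n", &v, &n) != 1) return -1;
        out->sub_auths[out->num_auths++] = (uint32_t)v; s += n;
    }
    return *s == '\0' ? 0 : -1;
}

/* Render sid_t as S-R-A-s1-...; returns buf. */
static char *sid_to_string(const sid_t *sid, char *buf, size_t len)
{
    int off = snprintf(buf, len, "S-%u-%llu", (unsigned)sid->rev, (unsigned long long)sid->id_auth);
    for (uint8_t i = 0; i < sid->num_auths && off > 0 && (size_t)off < len; i++)
        off += snprintf(buf + off, len - (size_t)off, "-%u", (unsigned)sid->sub_auths[i]);
    return buf;
}

/* Expand a compressed RID to <resource domain SID>-<rid>; -1 if no room for another sub-authority. */
static int sid_append_rid(const sid_t *domain, uint32_t rid, sid_t *out)
{
    if (domain->num_auths >= MAX_SUB_AUTHS) return -1;
    *out = *domain;
    out->sub_auths[out->num_auths++] = rid;
    return 0;
}

/* Build a NEW list: ExtraSids followed by every resource group expanded to a full SID.
 * The input is never modified (the "do it on a copy" approach). Caller frees *out. */
static int merge_resource_sids(const logon_info_t *in, sid_attr_t **out, uint32_t *out_count)
{
    uint32_t max = in->sid_count + in->resource_group_count, n = 0;
    sid_attr_t *merged = calloc(max ? max : 1, sizeof(*merged));
    if (!merged) return -1;
    for (uint32_t i = 0; i < in->sid_count; i++) merged[n++] = in->extra_sids[i];
    for (uint32_t i = 0; i < in->resource_group_count; i++) {
        if (sid_append_rid(&in->resource_domain_sid, in->resource_groups[i].rid, &merged[n].sid) != 0) {
            free(merged); return -1;     /* malformed domain SID: refuse rather than truncate */
        }
        merged[n++].attributes = in->resource_groups[i].attributes;
    }
    *out = merged; *out_count = n;
    return 0;
}

/* Constructed sample (not from a real PAC): one ExtraSid plus two compressed resource groups.
 * 0x20000007 = mandatory | enabled-by-default | enabled | resource-group attributes. */
static char demo_strs[8][64]; static uint32_t demo_n; static int demo_ran;
static void demo_run(void)
{
    static sid_attr_t extra[1];
    static const rid_attr_t rgroups[2] = { {1104, 0x20000007}, {1105, 0x20000007} };
    logon_info_t info = { extra, 1, {0}, rgroups, 2 };
    sid_attr_t *merged = NULL;
    sid_parse("S-1-5-21-11-22-33-1201", &extra[0].sid); extra[0].attributes = 0x7;
    sid_parse("S-1-5-21-44-55-66", &info.resource_domain_sid);
    demo_n = 0;
    if (merge_resource_sids(&info, &merged, &demo_n) == 0) {
        for (uint32_t i = 0; i < demo_n && i < 8; i++) sid_to_string(&merged[i].sid, demo_strs[i], 64);
        free(merged);
    }
    demo_ran = 1;
}
static uint32_t demo_merged_count(void) { if (!demo_ran) demo_run(); return demo_n; }
static int demo_merged_sid_is(uint32_t idx, const char *expected)
{
    if (!demo_ran) demo_run();
    return idx < demo_n && strcmp(demo_strs[idx], expected) == 0;
}

int main(void)
{
    for (uint32_t i = 0; i < demo_merged_count(); i++) printf("%s\n", demo_strs[i]);
    return 0;
}
```

The point of returning a freshly allocated list rather than growing the input's ExtraSids in place is exactly the one made in the thread: whatever consumer comes next (session-info creation or the netsamlogon cache) gets the same corrected view, and the PAC-derived structure stays untouched for anyone else still holding it.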