--- /dev/null
+From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 22:49:29 -0700
+Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct
+ netr_SamInfo3 * arguments of copy_netr_SamInfo3() and
+ make_server_info_info3()
+
+Both functions only read from the struct netr_SamInfo3 * argument.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+(cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
+
+Conflicts:
+ source3/auth/proto.h
+---
+ source3/auth/auth_util.c | 2 +-
+ source3/auth/proto.h | 4 ++--
+ source3/auth/server_info.c | 2 +-
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 1f1fed9..a548b7b 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+ const char *domain,
+ struct auth_serversupplied_info **server_info,
+- struct netr_SamInfo3 *info3)
++ const struct netr_SamInfo3 *info3)
+ {
+ static const char zeros[16] = {0, };
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index fccabc4..c851722 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+ const char *domain,
+ struct auth_serversupplied_info **server_info,
+- struct netr_SamInfo3 *info3);
++ const struct netr_SamInfo3 *info3);
+ struct wbcAuthUserInfo;
+ NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
+ const char *sent_nt_username,
+@@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct passwd *pwd,
+ struct netr_SamInfo3 **pinfo3);
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+- struct netr_SamInfo3 *orig);
++ const struct netr_SamInfo3 *orig);
+ struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+ const struct wbcAuthUserInfo *info);
+
+diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
+index e627892..63b4989 100644
+--- a/source3/auth/server_info.c
++++ b/source3/auth/server_info.c
+@@ -632,7 +632,7 @@ done:
+ } } while(0)
+
+ struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
+- struct netr_SamInfo3 *orig)
++ const struct netr_SamInfo3 *orig)
+ {
+ struct netr_SamInfo3 *info3;
+ unsigned int i;
+--
+2.1.0
+
+
+From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 22:54:45 -0700
+Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to
+ take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
+
+make_server_info_info3() only reads from the info3 pointer.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+(cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)
+
+Conflicts:
+ source3/auth/auth_generic.c
+ source3/auth/proto.h
+ source3/auth/user_krb5.c
+---
+ source3/auth/proto.h | 2 +-
+ source3/auth/user_krb5.c | 8 ++++----
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index c851722..0ab32a7 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info);
+
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 1e5254e..fde2f48 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info)
+ {
+@@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ return status;
+ }
+
+- } else if (logon_info) {
++ } else if (info3) {
+ /* pass the unmapped username here since map_username()
+ will be called again in make_server_info_info3() */
+
+ status = make_server_info_info3(mem_ctx,
+ ntuser, ntdomain,
+ server_info,
+- &logon_info->info3);
++ info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("make_server_info_info3 failed: %s!\n",
+ nt_errstr(status)));
+@@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
+ char *ntdomain,
+ char *username,
+ struct passwd *pw,
+- struct PAC_LOGON_INFO *logon_info,
++ const struct netr_SamInfo3 *info3,
+ bool mapped_to_guest,
+ struct auth_serversupplied_info **server_info)
+ {
+--
+2.1.0
+
+
+From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 16 Jun 2014 23:11:58 -0700
+Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add
+ create_info3_from_pac_logon_info() to create a new info3 and merge resource
+ group SIDs into it.
+
+Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
+Reviewed-by: Simo Sorce <idra@samba.org>
+(cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
+---
+ source3/auth/proto.h | 5 ++-
+ source3/auth/server_info.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 82 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/proto.h b/source3/auth/proto.h
+index 0ab32a7..4335cf8 100644
+--- a/source3/auth/proto.h
++++ b/source3/auth/proto.h
+@@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
+ struct netr_SamInfo2;
+ struct netr_SamInfo3;
+ struct netr_SamInfo6;
++struct PAC_LOGON_INFO;
+
+ struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
+ NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
+@@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
+ uint8_t *pipe_session_key,
+ size_t pipe_session_key_len,
+ struct netr_SamInfo6 *sam6);
++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
++ const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 **pp_info3);
+ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
+ struct samu *samu,
+ const char *login_server,
+@@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname);
+ bool user_in_list(TALLOC_CTX *ctx, const char *user,const char **list);
+
+ /* The following definitions come from auth/user_krb5.c */
+-struct PAC_LOGON_INFO;
+ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ const char *cli_name,
+ const char *princ_name,
+diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
+index 63b4989..1fd9317 100644
+--- a/source3/auth/server_info.c
++++ b/source3/auth/server_info.c
+@@ -21,6 +21,7 @@
+ #include "auth.h"
+ #include "../lib/crypto/arcfour.h"
+ #include "../librpc/gen_ndr/netlogon.h"
++#include "../librpc/gen_ndr/krb5pac.h"
+ #include "../libcli/security/security.h"
+ #include "rpc_client/util_netlogon.h"
+ #include "nsswitch/libwbclient/wbclient.h"
+@@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
+ return NT_STATUS_OK;
+ }
+
++/*
++ * Merge resource SIDs, if any, into the passed in info3 structure.
++ */
++
++static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 *info3)
++{
++ uint32_t i = 0;
++
++ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
++ return NT_STATUS_OK;
++ }
++
++ /*
++ * If there are any resource groups (SID Compression) add
++ * them to the extra sids portion of the info3 in the PAC.
++ *
++ * This makes the info3 look like it would if we got the info
++ * from the DC rather than the PAC.
++ */
++
++ /*
++ * Construct a SID for each RID in the list and then append it
++ * to the info3.
++ */
++ for (i = 0; i < logon_info->res_groups.count; i++) {
++ NTSTATUS status;
++ struct dom_sid new_sid;
++ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
++
++ sid_compose(&new_sid,
++ logon_info->res_group_dom_sid,
++ logon_info->res_groups.rids[i].rid);
++
++ DEBUG(10, ("Adding SID %s to extra SIDS\n",
++ sid_string_dbg(&new_sid)));
++
++ status = append_netr_SidAttr(info3, &info3->sids,
++ &info3->sidcount,
++ &new_sid,
++ attributes);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
++ sid_string_dbg(&new_sid),
++ nt_errstr(status)));
++ return status;
++ }
++ }
++
++ return NT_STATUS_OK;
++}
++
++/*
++ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
++ * then merge resource SIDs, if any, into it. If successful return
++ * the created info3 struct.
++ */
++
++NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
++ const struct PAC_LOGON_INFO *logon_info,
++ struct netr_SamInfo3 **pp_info3)
++{
++ NTSTATUS status;
++ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
++ &logon_info->info3);
++ if (info3 == NULL) {
++ return NT_STATUS_NO_MEMORY;
++ }
++ status = merge_resource_sids(logon_info, info3);
++ if (!NT_STATUS_IS_OK(status)) {
++ TALLOC_FREE(info3);
++ return status;
++ }
++ *pp_info3 = info3;
++ return NT_STATUS_OK;
++}
++
+ #define RET_NOMEM(ptr) do { \
+ if (!ptr) { \
+ TALLOC_FREE(info3); \
+--
+2.1.0
+
+
+From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@cryptomilk.org>
+Date: Wed, 4 Mar 2015 17:45:39 +0100
+Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a
+ trusted PAC into the sid array.
+
+This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6.
+---
+ source3/winbindd/winbindd_pam.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index 5316232..b1838a6 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ time_t time_offset = 0;
+ const char *user_ccache_file;
+ struct PAC_LOGON_INFO *logon_info = NULL;
++ struct netr_SamInfo3 *info3_copy = NULL;
+
+ *info3 = NULL;
+
+@@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
+ goto failed;
+ }
+
+- *info3 = &logon_info->info3;
++ result = create_info3_from_pac_logon_info(mem_ctx,
++ logon_info,
++ &info3_copy);
++ if (!NT_STATUS_IS_OK(result)) {
++ return result;
++ }
++
++ *info3 = info3_copy;
+
+ DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
+ principal_s));
+--
+2.1.0
+
+
+From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001
+From: Michael Adam <obnox@samba.org>
+Date: Mon, 9 Mar 2015 15:15:37 +0100
+Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix chached user group lookup of
+ trusted domains.
+
+If a user group lookup has aleady been done before with a machine
+account we did always return the incomplete information from the cache.
+This patch makes sure we return the correct group information from the
+netsamlogon cache.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143
+
+Pair-Programmed-With: Andreas Schneider <asn@samba.org>
+Signed-off-by: Michael Adam <obnox@samba.org>
+Signed-off-by: Andreas Schneider <asn@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+
+(cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de)
+---
+ source3/winbindd/wb_lookupusergroups.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
+index aeffc17..1bb7081 100644
+--- a/source3/winbindd/wb_lookupusergroups.c
++++ b/source3/winbindd/wb_lookupusergroups.c
+@@ -37,6 +37,7 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
+ {
+ struct tevent_req *req, *subreq;
+ struct wb_lookupusergroups_state *state;
++ NTSTATUS status;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct wb_lookupusergroups_state);
+@@ -45,6 +46,16 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
+ }
+ sid_copy(&state->sid, sid);
+
++ status = lookup_usergroups_cached(NULL,
++ state,
++ &state->sid,
++ &state->sids.num_sids,
++ &state->sids.sids);
++ if (NT_STATUS_IS_OK(status)) {
++ tevent_req_done(req);
++ return tevent_req_post(req, ev);
++ }
++
+ subreq = dcerpc_wbint_LookupUserGroups_send(
+ state, ev, dom_child_handle(domain), &state->sid, &state->sids);
+ if (tevent_req_nomem(subreq, req)) {
+--
+2.1.0
projects / ipfire-2.x.git / blobdiff