1 | From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Allison <jra@samba.org> | |
3 | Date: Mon, 16 Jun 2014 22:49:29 -0700 | |
4 | Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct | |
5 | netr_SamInfo3 * arguments of copy_netr_SamInfo3() and | |
6 | make_server_info_info3() | |
7 | ||
8 | Both functions only read from the struct netr_SamInfo3 * argument. | |
9 | ||
10 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
11 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | |
12 | Reviewed-by: Simo Sorce <idra@samba.org> | |
13 | (cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab) | |
14 | ||
15 | Conflicts: | |
16 | source3/auth/proto.h | |
17 | --- | |
18 | source3/auth/auth_util.c | 2 +- | |
19 | source3/auth/proto.h | 4 ++-- | |
20 | source3/auth/server_info.c | 2 +- | |
21 | 3 files changed, 4 insertions(+), 4 deletions(-) | |
22 | ||
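diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1f1fed9..a548b7b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 const char *sent_nt_username,
 const char *domain,
 struct auth_serversupplied_info **server_info,
- struct netr_SamInfo3 *info3)
+ const struct netr_SamInfo3 *info3)
 {
 static const char zeros[16] = {0, };
 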
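diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index fccabc4..c851722 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 const char *sent_nt_username,
 const char *domain,
 struct auth_serversupplied_info **server_info,
- struct netr_SamInfo3 *info3);
+ const struct netr_SamInfo3 *info3);
 struct wbcAuthUserInfo;
 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
 const char *sent_nt_username,
@@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
 const struct passwd *pwd,
 struct netr_SamInfo3 **pinfo3);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *orig);
+ const struct netr_SamInfo3 *orig);
 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
 const struct wbcAuthUserInfo *info);
 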
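diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index e627892..63b4989 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -632,7 +632,7 @@ done:
 } } while(0)
 
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *orig)
+ const struct netr_SamInfo3 *orig)
 {
 struct netr_SamInfo3 *info3;
 unsigned int i;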
71 | -- | |
72 | 2.1.0 | |
73 | ||
74 | ||
75 | From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001 | |
76 | From: Jeremy Allison <jra@samba.org> | |
77 | Date: Mon, 16 Jun 2014 22:54:45 -0700 | |
78 | Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to | |
79 | take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. | |
80 | ||
81 | make_server_info_info3() only reads from the info3 pointer. | |
82 | ||
83 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
84 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | |
85 | Reviewed-by: Simo Sorce <idra@samba.org> | |
86 | (cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368) | |
87 | ||
88 | Conflicts: | |
89 | source3/auth/auth_generic.c | |
90 | source3/auth/proto.h | |
91 | source3/auth/user_krb5.c | |
92 | --- | |
93 | source3/auth/proto.h | 2 +- | |
94 | source3/auth/user_krb5.c | 8 ++++---- | |
95 | 2 files changed, 5 insertions(+), 5 deletions(-) | |
96 | ||
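diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index c851722..0ab32a7 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 char *ntdomain,
 char *username,
 struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
 bool mapped_to_guest,
 struct auth_serversupplied_info **server_info);
 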
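diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 1e5254e..fde2f48 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 char *ntdomain,
 char *username,
 struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
 bool mapped_to_guest,
 struct auth_serversupplied_info **server_info)
 {
@@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 return status;
 }
 
- } else if (logon_info) {
+ } else if (info3) {
 /* pass the unmapped username here since map_username()
 will be called again in make_server_info_info3() */
 
 status = make_server_info_info3(mem_ctx,
 ntuser, ntdomain,
 server_info,
- &logon_info->info3);
+ info3);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
 nt_errstr(status)));
@@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 char *ntdomain,
 char *username,
 struct passwd *pw,
- struct PAC_LOGON_INFO *logon_info,
+ const struct netr_SamInfo3 *info3,
 bool mapped_to_guest,
 struct auth_serversupplied_info **server_info)
 {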
149 | -- | |
150 | 2.1.0 | |
151 | ||
152 | ||
153 | From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001 | |
154 | From: Jeremy Allison <jra@samba.org> | |
155 | Date: Mon, 16 Jun 2014 23:11:58 -0700 | |
156 | Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add | |
157 | create_info3_from_pac_logon_info() to create a new info3 and merge resource | |
158 | group SIDs into it. | |
159 | ||
160 | Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>. | |
161 | ||
162 | Signed-off-by: Jeremy Allison <jra@samba.org> | |
163 | Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> | |
164 | Reviewed-by: Simo Sorce <idra@samba.org> | |
165 | (cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6) | |
166 | --- | |
167 | source3/auth/proto.h | 5 ++- | |
168 | source3/auth/server_info.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++ | |
169 | 2 files changed, 82 insertions(+), 1 deletion(-) | |
170 | ||
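diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 0ab32a7..4335cf8 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
 struct netr_SamInfo2;
 struct netr_SamInfo3;
 struct netr_SamInfo6;
+struct PAC_LOGON_INFO;
 
 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
@@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
 uint8_t *pipe_session_key,
 size_t pipe_session_key_len,
 struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 **pp_info3);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
 struct samu *samu,
 const char *login_server,
@@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname);
 bool user_in_list(TALLOC_CTX *ctx, const char *user,const char **list);
 
 /* The following definitions come from auth/user_krb5.c */
-struct PAC_LOGON_INFO;
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
 const char *cli_name,
 const char *princ_name,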
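diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 63b4989..1fd9317 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -21,6 +21,7 @@
 #include "auth.h"
 #include "../lib/crypto/arcfour.h"
 #include "../librpc/gen_ndr/netlogon.h"
+#include "../librpc/gen_ndr/krb5pac.h"
 #include "../libcli/security/security.h"
 #include "rpc_client/util_netlogon.h"
 #include "nsswitch/libwbclient/wbclient.h"
@@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
 return NT_STATUS_OK;
 }
 
+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 *info3)
+{
+ uint32_t i = 0;
+
+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * If there are any resource groups (SID Compression) add
+ * them to the extra sids portion of the info3 in the PAC.
+ *
+ * This makes the info3 look like it would if we got the info
+ * from the DC rather than the PAC.
+ */
+
+ /*
+ * Construct a SID for each RID in the list and then append it
+ * to the info3.
+ */
+ for (i = 0; i < logon_info->res_groups.count; i++) {
+ NTSTATUS status;
+ struct dom_sid new_sid;
+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+ sid_compose(&new_sid,
+ logon_info->res_group_dom_sid,
+ logon_info->res_groups.rids[i].rid);
+
+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
+ sid_string_dbg(&new_sid)));
+
+ status = append_netr_SidAttr(info3, &info3->sids,
+ &info3->sidcount,
+ &new_sid,
+ attributes);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+ sid_string_dbg(&new_sid),
+ nt_errstr(status)));
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+ const struct PAC_LOGON_INFO *logon_info,
+ struct netr_SamInfo3 **pp_info3)
+{
+ NTSTATUS status;
+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+ &logon_info->info3);
+ if (info3 == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ status = merge_resource_sids(logon_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(info3);
+ return status;
+ }
+ *pp_info3 = info3;
+ return NT_STATUS_OK;
+}
+
 #define RET_NOMEM(ptr) do { \
 if (!ptr) { \
 TALLOC_FREE(info3); \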
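Review bot: The return value of sid_compose() in the loop of merge_resource_sids is ignored, although it reports (as a bool) when the RID could not be appended; in that case new_sid is, as I read sid_compose, left as a plain copy of the domain SID, and it is that SID rather than the resource group that append_netr_SidAttr then adds to the extra SIDs which end up in the user's token. Because res_groups and res_group_dom_sid come straight out of the PAC, this loop is the right place to reject a malformed record instead of quietly recording a different SID, so the call should be checked: `if (!sid_compose(&new_sid, logon_info->res_group_dom_sid, logon_info->res_groups.rids[i].rid)) { return NT_STATUS_INVALID_PARAMETER; }`. The same concern applies if res_group_dom_sid can be NULL while NETLOGON_RESOURCE_GROUPS is set — the hunk does not show whether the PAC parser guarantees otherwise — so a `if (logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }` before the loop is cheap insurance. As a style point, `i` is initialised both at its declaration and in the for header; one of the two can go.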
297 | -- | |
298 | 2.1.0 | |
299 | ||
300 | ||
301 | From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001 | |
302 | From: Andreas Schneider <asn@cryptomilk.org> | |
303 | Date: Wed, 4 Mar 2015 17:45:39 +0100 | |
304 | Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a | |
305 | trusted PAC into the sid array. | |
306 | ||
307 | This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6. | |
308 | --- | |
309 | source3/winbindd/winbindd_pam.c | 10 +++++++++- | |
310 | 1 file changed, 9 insertions(+), 1 deletion(-) | |
311 | ||
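diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5316232..b1838a6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 time_t time_offset = 0;
 const char *user_ccache_file;
 struct PAC_LOGON_INFO *logon_info = NULL;
+ struct netr_SamInfo3 *info3_copy = NULL;
 
 *info3 = NULL;
 
@@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 goto failed;
 }
 
- *info3 = &logon_info->info3;
+ result = create_info3_from_pac_logon_info(mem_ctx,
+ logon_info,
+ &info3_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ return result;
+ }
+
+ *info3 = info3_copy;
 
 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
 principal_s));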
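Review bot: The new failure path in winbindd_raw_kerberos_login leaves with a bare `return result;`, while the check immediately above it in the same hunk (and, as far as is visible, the rest of the function) reports failures with `goto failed;`; if the `failed:` label performs cleanup — the label is outside the hunk, so I cannot confirm what it does — this early return skips that cleanup for the one error that can now occur after the ticket has already been validated. Unless bypassing that path is deliberate, the check should read `if (!NT_STATUS_IS_OK(result)) { goto failed; }`, assuming the label returns `result` the way the other goto sites rely on. winbindd_raw_kerberos_login starts before the hunk and continues past it.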
340 | -- | |
341 | 2.1.0 | |
342 | ||
343 | ||
344 | From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001 | |
345 | From: Michael Adam <obnox@samba.org> | |
346 | Date: Mon, 9 Mar 2015 15:15:37 +0100 | |
347 | Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix chached user group lookup of | |
348 | trusted domains. | |
349 | ||
350 | If a user group lookup has already been done before with a machine | |
351 | account we did always return the incomplete information from the cache. | |
352 | This patch makes sure we return the correct group information from the | |
353 | netsamlogon cache. | |
354 | ||
355 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143 | |
356 | ||
357 | Pair-Programmed-With: Andreas Schneider <asn@samba.org> | |
358 | Signed-off-by: Michael Adam <obnox@samba.org> | |
359 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
360 | Reviewed-by: Volker Lendecke <vl@samba.org> | |
361 | ||
362 | (cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de) | |
363 | --- | |
364 | source3/winbindd/wb_lookupusergroups.c | 11 +++++++++++ | |
365 | 1 file changed, 11 insertions(+) | |
366 | ||
367 | diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c | |
368 | index aeffc17..1bb7081 100644 | |
369 | --- a/source3/winbindd/wb_lookupusergroups.c | |
370 | +++ b/source3/winbindd/wb_lookupusergroups.c | |
371 | @@ -37,6 +37,7 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx, | |
372 | { | |
373 | struct tevent_req *req, *subreq; | |
374 | struct wb_lookupusergroups_state *state; | |
375 | + NTSTATUS status; | |
376 | ||
377 | req = tevent_req_create(mem_ctx, &state, | |
378 | struct wb_lookupusergroups_state); | |
379 | @@ -45,6 +46,16 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx, | |
380 | } | |
381 | sid_copy(&state->sid, sid); | |
382 | ||
383 | + status = lookup_usergroups_cached(NULL, | |
384 | + state, | |
385 | + &state->sid, | |
386 | + &state->sids.num_sids, | |
387 | + &state->sids.sids); | |
388 | + if (NT_STATUS_IS_OK(status)) { | |
389 | + tevent_req_done(req); | |
390 | + return tevent_req_post(req, ev); | |
391 | + } | |
392 | + | |
393 | subreq = dcerpc_wbint_LookupUserGroups_send( | |
394 | state, ev, dom_child_handle(domain), &state->sid, &state->sids); | |
395 | if (tevent_req_nomem(subreq, req)) { | |
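Review bot: The status returned by lookup_usergroups_cached on a miss is dropped without a trace, so a cache that always misses or fails is indistinguishable from a cold cache when diagnosing the group-lookup problem this patch targets; a `DEBUG(10, ("lookup_usergroups_cached: %s\n", nt_errstr(status)));` before falling through to the RPC path would make that visible without changing behaviour. The NULL passed as the first (domain) argument also deserves a one-line comment, since every other step in this function is scoped through dom_child_handle(domain); presumably lookup_usergroups_cached keys only on the SID, but that is not evident from the hunk. wb_lookupusergroups_send starts before the hunk and continues past it.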
396 | -- | |
397 | 2.1.0 |