[ipfire-2.x.git] / src / patches / samba / samba-3.6.99-fix_usergroup_cache_lookup.patch

From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 22:49:29 -0700
Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct
 netr_SamInfo3 * arguments of copy_netr_SamInfo3() and
 make_server_info_info3()

Both functions only read from the struct netr_SamInfo3 * argument.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)

Conflicts:
	source3/auth/proto.h
---
 source3/auth/auth_util.c   | 2 +-
 source3/auth/proto.h       | 4 ++--
 source3/auth/server_info.c | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 1f1fed9..a548b7b 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
				const char *sent_nt_username,
				const char *domain,
				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3)
+				const struct netr_SamInfo3 *info3)
 {
	static const char zeros[16] = {0, };

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index fccabc4..c851722 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
				const char *sent_nt_username,
				const char *domain,
				struct auth_serversupplied_info **server_info,
-				struct netr_SamInfo3 *info3);
+				const struct netr_SamInfo3 *info3);
 struct wbcAuthUserInfo;
 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
					  const char *sent_nt_username,
@@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
			    const struct passwd *pwd,
			    struct netr_SamInfo3 **pinfo3);
 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig);
+					 const struct netr_SamInfo3 *orig);
 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
					const struct wbcAuthUserInfo *info);

diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index e627892..63b4989 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -632,7 +632,7 @@ done:
	} } while(0)

 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
-					 struct netr_SamInfo3 *orig)
+					 const struct netr_SamInfo3 *orig)
 {
	struct netr_SamInfo3 *info3;
	unsigned int i;
--
2.1.0


From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 22:54:45 -0700
Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to
 take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.

make_server_info_info3() only reads from the info3 pointer.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)

Conflicts:
	source3/auth/auth_generic.c
	source3/auth/proto.h
	source3/auth/user_krb5.c
---
 source3/auth/proto.h     | 2 +-
 source3/auth/user_krb5.c | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index c851722..0ab32a7 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
				char *ntdomain,
				char *username,
				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
				bool mapped_to_guest,
				struct auth_serversupplied_info **server_info);

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 1e5254e..fde2f48 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
				char *ntdomain,
				char *username,
				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
				bool mapped_to_guest,
				struct auth_serversupplied_info **server_info)
 {
@@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
			return status;
		}

-	} else if (logon_info) {
+	} else if (info3) {
		/* pass the unmapped username here since map_username()
		   will be called again in make_server_info_info3() */

		status = make_server_info_info3(mem_ctx,
						ntuser, ntdomain,
						server_info,
-						&logon_info->info3);
+						info3);
		if (!NT_STATUS_IS_OK(status)) {
			DEBUG(1, ("make_server_info_info3 failed: %s!\n",
				  nt_errstr(status)));
@@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
				char *ntdomain,
				char *username,
				struct passwd *pw,
-				struct PAC_LOGON_INFO *logon_info,
+				const struct netr_SamInfo3 *info3,
				bool mapped_to_guest,
				struct auth_serversupplied_info **server_info)
 {
--
2.1.0


From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 16 Jun 2014 23:11:58 -0700
Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add
 create_info3_from_pac_logon_info() to create a new info3 and merge resource
 group SIDs into it.

Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
Reviewed-by: Simo Sorce <idra@samba.org>
(cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
---
 source3/auth/proto.h       |  5 ++-
 source3/auth/server_info.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 82 insertions(+), 1 deletion(-)

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 0ab32a7..4335cf8 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
 struct netr_SamInfo2;
 struct netr_SamInfo3;
 struct netr_SamInfo6;
+struct PAC_LOGON_INFO;

 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
@@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
				uint8_t *pipe_session_key,
				size_t pipe_session_key_len,
				struct netr_SamInfo6 *sam6);
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+                                        const struct PAC_LOGON_INFO *logon_info,
+                                        struct netr_SamInfo3 **pp_info3);
 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
			  struct samu *samu,
			  const char *login_server,
@@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname);
 bool user_in_list(TALLOC_CTX *ctx, const char *user,const char **list);

 /* The following definitions come from auth/user_krb5.c  */
-struct PAC_LOGON_INFO;
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
				     const char *cli_name,
				     const char *princ_name,
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 63b4989..1fd9317 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -21,6 +21,7 @@
 #include "auth.h"
 #include "../lib/crypto/arcfour.h"
 #include "../librpc/gen_ndr/netlogon.h"
+#include "../librpc/gen_ndr/krb5pac.h"
 #include "../libcli/security/security.h"
 #include "rpc_client/util_netlogon.h"
 #include "nsswitch/libwbclient/wbclient.h"
@@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
	return NT_STATUS_OK;
 }

+/*
+ * Merge resource SIDs, if any, into the passed in info3 structure.
+ */
+
+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
+				struct netr_SamInfo3 *info3)
+{
+	uint32_t i = 0;
+
+	if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+		return NT_STATUS_OK;
+	}
+
+	/*
+	 * If there are any resource groups (SID Compression) add
+	 * them to the extra sids portion of the info3 in the PAC.
+	 *
+	 * This makes the info3 look like it would if we got the info
+	 * from the DC rather than the PAC.
+	 */
+
+	/*
+	 * Construct a SID for each RID in the list and then append it
+	 * to the info3.
+	 */
+	for (i = 0; i < logon_info->res_groups.count; i++) {
+		NTSTATUS status;
+		struct dom_sid new_sid;
+		uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+
+		sid_compose(&new_sid,
+			logon_info->res_group_dom_sid,
+			logon_info->res_groups.rids[i].rid);
+
+		DEBUG(10, ("Adding SID %s to extra SIDS\n",
+			sid_string_dbg(&new_sid)));
+
+		status = append_netr_SidAttr(info3, &info3->sids,
+					&info3->sidcount,
+					&new_sid,
+					attributes);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
+				sid_string_dbg(&new_sid),
+				nt_errstr(status)));
+			return status;
+		}
+	}
+
+	return NT_STATUS_OK;
+}
+
+/*
+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
+ * then merge resource SIDs, if any, into it. If successful return
+ * the created info3 struct.
+ */
+
+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
+					const struct PAC_LOGON_INFO *logon_info,
+					struct netr_SamInfo3 **pp_info3)
+{
+	NTSTATUS status;
+	struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
+					&logon_info->info3);
+	if (info3 == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	status = merge_resource_sids(logon_info, info3);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(info3);
+		return status;
+	}
+	*pp_info3 = info3;
+	return NT_STATUS_OK;
+}
+
 #define RET_NOMEM(ptr) do { \
	if (!ptr) { \
		TALLOC_FREE(info3); \
--
2.1.0


From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@cryptomilk.org>
Date: Wed, 4 Mar 2015 17:45:39 +0100
Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a
 trusted PAC into the sid array.

This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6.
---
 source3/winbindd/winbindd_pam.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 5316232..b1838a6 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
	time_t time_offset = 0;
	const char *user_ccache_file;
	struct PAC_LOGON_INFO *logon_info = NULL;
+	struct netr_SamInfo3 *info3_copy = NULL;

	*info3 = NULL;

@@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
		goto failed;
	}

-	*info3 = &logon_info->info3;
+	result = create_info3_from_pac_logon_info(mem_ctx,
+						  logon_info,
+						  &info3_copy);
+	if (!NT_STATUS_IS_OK(result)) {
+		return result;
+	}
+
+	*info3 = info3_copy;

	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
		principal_s));
--
2.1.0


From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Mon, 9 Mar 2015 15:15:37 +0100
Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix chached user group lookup of
 trusted domains.

If a user group lookup has aleady been done before with a machine
account we did always return the incomplete information from the cache.
This patch makes sure we return the correct group information from the
netsamlogon cache.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

(cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de)
---
 source3/winbindd/wb_lookupusergroups.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
index aeffc17..1bb7081 100644
--- a/source3/winbindd/wb_lookupusergroups.c
+++ b/source3/winbindd/wb_lookupusergroups.c
@@ -37,6 +37,7 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
 {
	struct tevent_req *req, *subreq;
	struct wb_lookupusergroups_state *state;
+	NTSTATUS status;

	req = tevent_req_create(mem_ctx, &state,
				struct wb_lookupusergroups_state);
@@ -45,6 +46,16 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
	}
	sid_copy(&state->sid, sid);

+	status = lookup_usergroups_cached(NULL,
+					  state,
+					  &state->sid,
+					  &state->sids.num_sids,
+					  &state->sids.sids);
+	if (NT_STATUS_IS_OK(status)) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
	subreq = dcerpc_wbint_LookupUserGroups_send(
		state, ev, dom_child_handle(domain), &state->sid, &state->sids);
	if (tevent_req_nomem(subreq, req)) {
--
2.1.0
Commit	Line	Data
1d13e637 AF	1	From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001
	2	From: Jeremy Allison <jra@samba.org>
	3	Date: Mon, 16 Jun 2014 22:49:29 -0700
	4	Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct
	5	netr_SamInfo3 * arguments of copy_netr_SamInfo3() and
	6	make_server_info_info3()
	7
	8	Both functions only read from the struct netr_SamInfo3 * argument.
	9
	10	Signed-off-by: Jeremy Allison <jra@samba.org>
	11	Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
	12	Reviewed-by: Simo Sorce <idra@samba.org>
	13	(cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
	14
	15	Conflicts:
	16	source3/auth/proto.h
	17	---
	18	source3/auth/auth_util.c \| 2 +-
	19	source3/auth/proto.h \| 4 ++--
	20	source3/auth/server_info.c \| 2 +-
	21	3 files changed, 4 insertions(+), 4 deletions(-)
	22
	23	diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
	24	index 1f1fed9..a548b7b 100644
	25	--- a/source3/auth/auth_util.c
	26	+++ b/source3/auth/auth_util.c
	27	@@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
	28	const char *sent_nt_username,
	29	const char *domain,
	30	struct auth_serversupplied_info **server_info,
	31	- struct netr_SamInfo3 *info3)
	32	+ const struct netr_SamInfo3 *info3)
	33	{
	34	static const char zeros[16] = {0, };
	35
	36	diff --git a/source3/auth/proto.h b/source3/auth/proto.h
	37	index fccabc4..c851722 100644
	38	--- a/source3/auth/proto.h
	39	+++ b/source3/auth/proto.h
	40	@@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
	41	const char *sent_nt_username,
	42	const char *domain,
	43	struct auth_serversupplied_info **server_info,
	44	- struct netr_SamInfo3 *info3);
	45	+ const struct netr_SamInfo3 *info3);
	46	struct wbcAuthUserInfo;
	47	NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
	48	const char *sent_nt_username,
	49	@@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
	50	const struct passwd *pwd,
	51	struct netr_SamInfo3 **pinfo3);
	52	struct netr_SamInfo3 copy_netr_SamInfo3(TALLOC_CTX mem_ctx,
	53	- struct netr_SamInfo3 *orig);
	54	+ const struct netr_SamInfo3 *orig);
	55	struct netr_SamInfo3 wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX mem_ctx,
	56	const struct wbcAuthUserInfo *info);
	57
	58	diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
	59	index e627892..63b4989 100644
	60	--- a/source3/auth/server_info.c
	61	+++ b/source3/auth/server_info.c
	62	@@ -632,7 +632,7 @@ done:
	63	} } while(0)
	64
65	struct netr_SamInfo3 copy_netr_SamInfo3(TALLOC_CTX mem_ctx,
66	- struct netr_SamInfo3 *orig)
67	+ const struct netr_SamInfo3 *orig)
68	{
69	struct netr_SamInfo3 *info3;
70	unsigned int i;
71	--
72	2.1.0
73
74
75	From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001
76	From: Jeremy Allison <jra@samba.org>
77	Date: Mon, 16 Jun 2014 22:54:45 -0700
78	Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to
79	take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
80
81	make_server_info_info3() only reads from the info3 pointer.
82
83	Signed-off-by: Jeremy Allison <jra@samba.org>
84	Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
85	Reviewed-by: Simo Sorce <idra@samba.org>
86	(cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)
87
88	Conflicts:
89	source3/auth/auth_generic.c
90	source3/auth/proto.h
91	source3/auth/user_krb5.c
92	---
93	source3/auth/proto.h \| 2 +-
94	source3/auth/user_krb5.c \| 8 ++++----
95	2 files changed, 5 insertions(+), 5 deletions(-)
96
97	diff --git a/source3/auth/proto.h b/source3/auth/proto.h
98	index c851722..0ab32a7 100644
99	--- a/source3/auth/proto.h
100	+++ b/source3/auth/proto.h
101	@@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
102	char *ntdomain,
103	char *username,
104	struct passwd *pw,
105	- struct PAC_LOGON_INFO *logon_info,
106	+ const struct netr_SamInfo3 *info3,
107	bool mapped_to_guest,
108	struct auth_serversupplied_info **server_info);
109
110	diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
111	index 1e5254e..fde2f48 100644
112	--- a/source3/auth/user_krb5.c
113	+++ b/source3/auth/user_krb5.c
114	@@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
115	char *ntdomain,
116	char *username,
117	struct passwd *pw,
118	- struct PAC_LOGON_INFO *logon_info,
119	+ const struct netr_SamInfo3 *info3,
120	bool mapped_to_guest,
121	struct auth_serversupplied_info **server_info)
122	{
123	@@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
124	return status;
125	}
126
127	- } else if (logon_info) {
128	+ } else if (info3) {
129	/* pass the unmapped username here since map_username()
130	will be called again in make_server_info_info3() */
131
132	status = make_server_info_info3(mem_ctx,
133	ntuser, ntdomain,
134	server_info,
135	- &logon_info->info3);
136	+ info3);
137	if (!NT_STATUS_IS_OK(status)) {
138	DEBUG(1, ("make_server_info_info3 failed: %s!\n",
139	nt_errstr(status)));
140	@@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
141	char *ntdomain,
142	char *username,
143	struct passwd *pw,
144	- struct PAC_LOGON_INFO *logon_info,
145	+ const struct netr_SamInfo3 *info3,
146	bool mapped_to_guest,
147	struct auth_serversupplied_info **server_info)
148	{
149	--
150	2.1.0
151
152
153	From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001
154	From: Jeremy Allison <jra@samba.org>
155	Date: Mon, 16 Jun 2014 23:11:58 -0700
156	Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add
157	create_info3_from_pac_logon_info() to create a new info3 and merge resource
158	group SIDs into it.
159
160	Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>.
161
162	Signed-off-by: Jeremy Allison <jra@samba.org>
163	Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
164	Reviewed-by: Simo Sorce <idra@samba.org>
165	(cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
166	---
167	source3/auth/proto.h \| 5 ++-
168	source3/auth/server_info.c \| 78 ++++++++++++++++++++++++++++++++++++++++++++++
169	2 files changed, 82 insertions(+), 1 deletion(-)
170
171	diff --git a/source3/auth/proto.h b/source3/auth/proto.h
172	index 0ab32a7..4335cf8 100644
173	--- a/source3/auth/proto.h
174	+++ b/source3/auth/proto.h
175	@@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
176	struct netr_SamInfo2;
177	struct netr_SamInfo3;
178	struct netr_SamInfo6;
179	+struct PAC_LOGON_INFO;
180
181	struct auth_serversupplied_info make_server_info(TALLOC_CTX mem_ctx);
182	NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
183	@@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
184	uint8_t *pipe_session_key,
185	size_t pipe_session_key_len,
186	struct netr_SamInfo6 *sam6);
187	+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
188	+ const struct PAC_LOGON_INFO *logon_info,
189	+ struct netr_SamInfo3 **pp_info3);
190	NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
191	struct samu *samu,
192	const char *login_server,
193	@@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX ctx, const char user, const char *ngname);
194	bool user_in_list(TALLOC_CTX ctx, const char user,const char **list);
195
196	/* The following definitions come from auth/user_krb5.c */
197	-struct PAC_LOGON_INFO;
198	NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
199	const char *cli_name,
200	const char *princ_name,
201	diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
202	index 63b4989..1fd9317 100644
203	--- a/source3/auth/server_info.c
204	+++ b/source3/auth/server_info.c
205	@@ -21,6 +21,7 @@
206	#include "auth.h"
207	#include "../lib/crypto/arcfour.h"
208	#include "../librpc/gen_ndr/netlogon.h"
209	+#include "../librpc/gen_ndr/krb5pac.h"
210	#include "../libcli/security/security.h"
211	#include "rpc_client/util_netlogon.h"
212	#include "nsswitch/libwbclient/wbclient.h"
213	@@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
214	return NT_STATUS_OK;
215	}
216
217	+/*
218	+ * Merge resource SIDs, if any, into the passed in info3 structure.
219	+ */
220	+
221	+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
222	+ struct netr_SamInfo3 *info3)
223	+{
224	+ uint32_t i = 0;
225	+
226	+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
227	+ return NT_STATUS_OK;
228	+ }
229	+
230	+ /*
231	+ * If there are any resource groups (SID Compression) add
232	+ * them to the extra sids portion of the info3 in the PAC.
233	+ *
234	+ * This makes the info3 look like it would if we got the info
235	+ * from the DC rather than the PAC.
236	+ */
237	+
238	+ /*
239	+ * Construct a SID for each RID in the list and then append it
240	+ * to the info3.
241	+ */
242	+ for (i = 0; i < logon_info->res_groups.count; i++) {
243	+ NTSTATUS status;
244	+ struct dom_sid new_sid;
245	+ uint32_t attributes = logon_info->res_groups.rids[i].attributes;
246	+
247	+ sid_compose(&new_sid,
248	+ logon_info->res_group_dom_sid,
249	+ logon_info->res_groups.rids[i].rid);
250	+
251	+ DEBUG(10, ("Adding SID %s to extra SIDS\n",
252	+ sid_string_dbg(&new_sid)));
253	+
254	+ status = append_netr_SidAttr(info3, &info3->sids,
255	+ &info3->sidcount,
256	+ &new_sid,
257	+ attributes);
258	+ if (!NT_STATUS_IS_OK(status)) {
259	+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
260	+ sid_string_dbg(&new_sid),
261	+ nt_errstr(status)));
262	+ return status;
263	+ }
264	+ }
265	+
266	+ return NT_STATUS_OK;
267	+}
268	+
269	+/*
270	+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
271	+ * then merge resource SIDs, if any, into it. If successful return
272	+ * the created info3 struct.
273	+ */
274	+
275	+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
276	+ const struct PAC_LOGON_INFO *logon_info,
277	+ struct netr_SamInfo3 **pp_info3)
278	+{
279	+ NTSTATUS status;
280	+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
281	+ &logon_info->info3);
282	+ if (info3 == NULL) {
283	+ return NT_STATUS_NO_MEMORY;
284	+ }
285	+ status = merge_resource_sids(logon_info, info3);
286	+ if (!NT_STATUS_IS_OK(status)) {
287	+ TALLOC_FREE(info3);
288	+ return status;
289	+ }
290	+ *pp_info3 = info3;
291	+ return NT_STATUS_OK;
292	+}
293	+
294	#define RET_NOMEM(ptr) do { \
295	if (!ptr) { \
296	TALLOC_FREE(info3); \
297	--
298	2.1.0
299
300
301	From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001
302	From: Andreas Schneider <asn@cryptomilk.org>
303	Date: Wed, 4 Mar 2015 17:45:39 +0100
304	Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a
305	trusted PAC into the sid array.
306
307	This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6.
308	---
309	source3/winbindd/winbindd_pam.c \| 10 +++++++++-
310	1 file changed, 9 insertions(+), 1 deletion(-)
311
312	diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
313	index 5316232..b1838a6 100644
314	--- a/source3/winbindd/winbindd_pam.c
315	+++ b/source3/winbindd/winbindd_pam.c
316	@@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
317	time_t time_offset = 0;
318	const char *user_ccache_file;
319	struct PAC_LOGON_INFO *logon_info = NULL;
320	+ struct netr_SamInfo3 *info3_copy = NULL;
321
322	*info3 = NULL;
323
324	@@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
325	goto failed;
326	}
327
328	- *info3 = &logon_info->info3;
329	+ result = create_info3_from_pac_logon_info(mem_ctx,
330	+ logon_info,
331	+ &info3_copy);
332	+ if (!NT_STATUS_IS_OK(result)) {
333	+ return result;
334	+ }
335	+
336	+ *info3 = info3_copy;
337
338	DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
339	principal_s));
340	--
341	2.1.0
342
343
344	From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001
345	From: Michael Adam <obnox@samba.org>
346	Date: Mon, 9 Mar 2015 15:15:37 +0100
347	Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix chached user group lookup of
348	trusted domains.
349
350	If a user group lookup has aleady been done before with a machine
351	account we did always return the incomplete information from the cache.
352	This patch makes sure we return the correct group information from the
353	netsamlogon cache.
354
355	BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143
356
357	Pair-Programmed-With: Andreas Schneider <asn@samba.org>
358	Signed-off-by: Michael Adam <obnox@samba.org>
359	Signed-off-by: Andreas Schneider <asn@samba.org>
360	Reviewed-by: Volker Lendecke <vl@samba.org>
361
362	(cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de)
363	---
364	source3/winbindd/wb_lookupusergroups.c \| 11 +++++++++++
365	1 file changed, 11 insertions(+)
366
367	diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
368	index aeffc17..1bb7081 100644
369	--- a/source3/winbindd/wb_lookupusergroups.c
370	+++ b/source3/winbindd/wb_lookupusergroups.c
371	@@ -37,6 +37,7 @@ struct tevent_req wb_lookupusergroups_send(TALLOC_CTX mem_ctx,
372	{
373	struct tevent_req req, subreq;
374	struct wb_lookupusergroups_state *state;
375	+ NTSTATUS status;
376
377	req = tevent_req_create(mem_ctx, &state,
378	struct wb_lookupusergroups_state);
379	@@ -45,6 +46,16 @@ struct tevent_req wb_lookupusergroups_send(TALLOC_CTX mem_ctx,
380	}
381	sid_copy(&state->sid, sid);
382
383	+ status = lookup_usergroups_cached(NULL,
384	+ state,
385	+ &state->sid,
386	+ &state->sids.num_sids,
387	+ &state->sids.sids);
388	+ if (NT_STATUS_IS_OK(status)) {
389	+ tevent_req_done(req);
390	+ return tevent_req_post(req, ev);
391	+ }
392	+
393	subreq = dcerpc_wbint_LookupUserGroups_send(
394	state, ev, dom_child_handle(domain), &state->sid, &state->sids);
395	if (tevent_req_nomem(subreq, req)) {
396	--
397	2.1.0