1 From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001
2 From: Jeremy Allison <jra@samba.org>
3 Date: Mon, 16 Jun 2014 22:49:29 -0700
4 Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct
5 netr_SamInfo3 * arguments of copy_netr_SamInfo3() and
6 make_server_info_info3()
7
8 Both functions only read from the struct netr_SamInfo3 * argument.
9
10 Signed-off-by: Jeremy Allison <jra@samba.org>
11 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
12 Reviewed-by: Simo Sorce <idra@samba.org>
13 (cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
14
15 Conflicts:
16 source3/auth/proto.h
17 ---
18 source3/auth/auth_util.c | 2 +-
19 source3/auth/proto.h | 4 ++--
20 source3/auth/server_info.c | 2 +-
21 3 files changed, 4 insertions(+), 4 deletions(-)
22
23 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
24 index 1f1fed9..a548b7b 100644
25 --- a/source3/auth/auth_util.c
26 +++ b/source3/auth/auth_util.c
27 @@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
28 const char *sent_nt_username,
29 const char *domain,
30 struct auth_serversupplied_info **server_info,
31 - struct netr_SamInfo3 *info3)
32 + const struct netr_SamInfo3 *info3)
33 {
34 static const char zeros[16] = {0, };
35
36 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
37 index fccabc4..c851722 100644
38 --- a/source3/auth/proto.h
39 +++ b/source3/auth/proto.h
40 @@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
41 const char *sent_nt_username,
42 const char *domain,
43 struct auth_serversupplied_info **server_info,
44 - struct netr_SamInfo3 *info3);
45 + const struct netr_SamInfo3 *info3);
46 struct wbcAuthUserInfo;
47 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
48 const char *sent_nt_username,
49 @@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
50 const struct passwd *pwd,
51 struct netr_SamInfo3 **pinfo3);
52 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
53 - struct netr_SamInfo3 *orig);
54 + const struct netr_SamInfo3 *orig);
55 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
56 const struct wbcAuthUserInfo *info);
57
58 diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
59 index e627892..63b4989 100644
60 --- a/source3/auth/server_info.c
61 +++ b/source3/auth/server_info.c
62 @@ -632,7 +632,7 @@ done:
63 } } while(0)
64
65 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
66 - struct netr_SamInfo3 *orig)
67 + const struct netr_SamInfo3 *orig)
68 {
69 struct netr_SamInfo3 *info3;
70 unsigned int i;
71 --
72 2.1.0
73
74
75 From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001
76 From: Jeremy Allison <jra@samba.org>
77 Date: Mon, 16 Jun 2014 22:54:45 -0700
78 Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to
79 take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
80
81 make_server_info_info3() only reads from the info3 pointer.
82
83 Signed-off-by: Jeremy Allison <jra@samba.org>
84 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
85 Reviewed-by: Simo Sorce <idra@samba.org>
86 (cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)
87
88 Conflicts:
89 source3/auth/auth_generic.c
90 source3/auth/proto.h
91 source3/auth/user_krb5.c
92 ---
93 source3/auth/proto.h | 2 +-
94 source3/auth/user_krb5.c | 8 ++++----
95 2 files changed, 5 insertions(+), 5 deletions(-)
96
97 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
98 index c851722..0ab32a7 100644
99 --- a/source3/auth/proto.h
100 +++ b/source3/auth/proto.h
101 @@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
102 char *ntdomain,
103 char *username,
104 struct passwd *pw,
105 - struct PAC_LOGON_INFO *logon_info,
106 + const struct netr_SamInfo3 *info3,
107 bool mapped_to_guest,
108 struct auth_serversupplied_info **server_info);
109
110 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
111 index 1e5254e..fde2f48 100644
112 --- a/source3/auth/user_krb5.c
113 +++ b/source3/auth/user_krb5.c
114 @@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
115 char *ntdomain,
116 char *username,
117 struct passwd *pw,
118 - struct PAC_LOGON_INFO *logon_info,
119 + const struct netr_SamInfo3 *info3,
120 bool mapped_to_guest,
121 struct auth_serversupplied_info **server_info)
122 {
123 @@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
124 return status;
125 }
126
127 - } else if (logon_info) {
128 + } else if (info3) {
129 /* pass the unmapped username here since map_username()
130 will be called again in make_server_info_info3() */
131
132 status = make_server_info_info3(mem_ctx,
133 ntuser, ntdomain,
134 server_info,
135 - &logon_info->info3);
136 + info3);
137 if (!NT_STATUS_IS_OK(status)) {
138 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
139 nt_errstr(status)));
140 @@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
141 char *ntdomain,
142 char *username,
143 struct passwd *pw,
144 - struct PAC_LOGON_INFO *logon_info,
145 + const struct netr_SamInfo3 *info3,
146 bool mapped_to_guest,
147 struct auth_serversupplied_info **server_info)
148 {
149 --
150 2.1.0
151
152
153 From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001
154 From: Jeremy Allison <jra@samba.org>
155 Date: Mon, 16 Jun 2014 23:11:58 -0700
156 Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add
157 create_info3_from_pac_logon_info() to create a new info3 and merge resource
158 group SIDs into it.
159
160 Originally written by Richard Sharpe <realrichardsharpe@gmail.com>.
161
162 Signed-off-by: Jeremy Allison <jra@samba.org>
163 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
164 Reviewed-by: Simo Sorce <idra@samba.org>
165 (cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
166 ---
167 source3/auth/proto.h | 5 ++-
168 source3/auth/server_info.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++
169 2 files changed, 82 insertions(+), 1 deletion(-)
170
171 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
172 index 0ab32a7..4335cf8 100644
173 --- a/source3/auth/proto.h
174 +++ b/source3/auth/proto.h
175 @@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
176 struct netr_SamInfo2;
177 struct netr_SamInfo3;
178 struct netr_SamInfo6;
179 +struct PAC_LOGON_INFO;
180
181 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
182 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
183 @@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
184 uint8_t *pipe_session_key,
185 size_t pipe_session_key_len,
186 struct netr_SamInfo6 *sam6);
187 +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
188 + const struct PAC_LOGON_INFO *logon_info,
189 + struct netr_SamInfo3 **pp_info3);
190 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
191 struct samu *samu,
192 const char *login_server,
193 @@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname);
194 bool user_in_list(TALLOC_CTX *ctx, const char *user,const char **list);
195
196 /* The following definitions come from auth/user_krb5.c */
197 -struct PAC_LOGON_INFO;
198 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
199 const char *cli_name,
200 const char *princ_name,
201 diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
202 index 63b4989..1fd9317 100644
203 --- a/source3/auth/server_info.c
204 +++ b/source3/auth/server_info.c
205 @@ -21,6 +21,7 @@
206 #include "auth.h"
207 #include "../lib/crypto/arcfour.h"
208 #include "../librpc/gen_ndr/netlogon.h"
209 +#include "../librpc/gen_ndr/krb5pac.h"
210 #include "../libcli/security/security.h"
211 #include "rpc_client/util_netlogon.h"
212 #include "nsswitch/libwbclient/wbclient.h"
213 @@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
214 return NT_STATUS_OK;
215 }
216
217 +/*
218 + * Merge resource SIDs, if any, into the passed in info3 structure.
219 + */
220 +
221 +static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
222 + struct netr_SamInfo3 *info3)
223 +{
224 + uint32_t i = 0;
225 +
226 + if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
227 + return NT_STATUS_OK;
228 + }
229 +
230 + /*
231 + * If there are any resource groups (SID Compression) add
232 + * them to the extra sids portion of the info3 in the PAC.
233 + *
234 + * This makes the info3 look like it would if we got the info
235 + * from the DC rather than the PAC.
236 + */
237 +
238 + /*
239 + * Construct a SID for each RID in the list and then append it
240 + * to the info3.
241 + */
242 + for (i = 0; i < logon_info->res_groups.count; i++) {
243 + NTSTATUS status;
244 + struct dom_sid new_sid;
245 + uint32_t attributes = logon_info->res_groups.rids[i].attributes;
246 +
247 + sid_compose(&new_sid,
248 + logon_info->res_group_dom_sid,
249 + logon_info->res_groups.rids[i].rid);
250 +
251 + DEBUG(10, ("Adding SID %s to extra SIDS\n",
252 + sid_string_dbg(&new_sid)));
253 +
254 + status = append_netr_SidAttr(info3, &info3->sids,
255 + &info3->sidcount,
256 + &new_sid,
257 + attributes);
258 + if (!NT_STATUS_IS_OK(status)) {
259 + DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
260 + sid_string_dbg(&new_sid),
261 + nt_errstr(status)));
262 + return status;
263 + }
264 + }
265 +
266 + return NT_STATUS_OK;
267 +}
268 +
269 +/*
270 + * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
271 + * then merge resource SIDs, if any, into it. If successful return
272 + * the created info3 struct.
273 + */
274 +
275 +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
276 + const struct PAC_LOGON_INFO *logon_info,
277 + struct netr_SamInfo3 **pp_info3)
278 +{
279 + NTSTATUS status;
280 + struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
281 + &logon_info->info3);
282 + if (info3 == NULL) {
283 + return NT_STATUS_NO_MEMORY;
284 + }
285 + status = merge_resource_sids(logon_info, info3);
286 + if (!NT_STATUS_IS_OK(status)) {
287 + TALLOC_FREE(info3);
288 + return status;
289 + }
290 + *pp_info3 = info3;
291 + return NT_STATUS_OK;
292 +}
293 +
294 #define RET_NOMEM(ptr) do { \
295 if (!ptr) { \
296 TALLOC_FREE(info3); \
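Review bot: merge_resource_sids hands `logon_info->res_group_dom_sid` straight to `sid_compose` without checking it for NULL; the only guard before the loop is the NETLOGON_RESOURCE_GROUPS flag test, so a PAC that sets the flag but carries no resource-group domain SID (the field is used as a pointer here, and a decoded PAC may well leave it NULL) would be dereferenced inside sid_compose. The PAC_LOGON_INFO is decoded from a ticket, i.e. from outside this process, so the two fields should be validated together, e.g. `if (logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }` placed directly after the flag check and before the loop. A smaller point of style: the long comment about SID compression sits between the early return and a second comment, so the function's header comment could absorb it and leave a single comment above the loop.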
297 --
298 2.1.0
299
300
301 From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001
302 From: Andreas Schneider <asn@cryptomilk.org>
303 Date: Wed, 4 Mar 2015 17:45:39 +0100
304 Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a
305 trusted PAC into the sid array.
306
307 This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6.
308 ---
309 source3/winbindd/winbindd_pam.c | 10 +++++++++-
310 1 file changed, 9 insertions(+), 1 deletion(-)
311
312 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
313 index 5316232..b1838a6 100644
314 --- a/source3/winbindd/winbindd_pam.c
315 +++ b/source3/winbindd/winbindd_pam.c
316 @@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
317 time_t time_offset = 0;
318 const char *user_ccache_file;
319 struct PAC_LOGON_INFO *logon_info = NULL;
320 + struct netr_SamInfo3 *info3_copy = NULL;
321
322 *info3 = NULL;
323
324 @@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
325 goto failed;
326 }
327
328 - *info3 = &logon_info->info3;
329 + result = create_info3_from_pac_logon_info(mem_ctx,
330 + logon_info,
331 + &info3_copy);
332 + if (!NT_STATUS_IS_OK(result)) {
333 + return result;
334 + }
335 +
336 + *info3 = info3_copy;
337
338 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
339 principal_s));
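Review bot: The new error path `return result;` leaves winbindd_raw_kerberos_login through a plain return, while the context line just above it (`goto failed;`) shows the rest of the function routes failures through a `failed:` label; that label lies outside the hunk, so whatever it cleans up (presumably state set up earlier in the function) would be skipped on this one path only. Replace the early return with `goto failed;` for consistency unless the label demonstrably does nothing that matters at this point. The enclosing function starts and ends outside the hunk.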
340 --
341 2.1.0
342
343
344 From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001
345 From: Michael Adam <obnox@samba.org>
346 Date: Mon, 9 Mar 2015 15:15:37 +0100
347 Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix chached user group lookup of
348 trusted domains.
349
350 If a user group lookup had already been done before with a machine
351 account, we always returned the incomplete information from the cache.
352 This patch makes sure we return the correct group information from the
353 netsamlogon cache.
354
355 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143
356
357 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
358 Signed-off-by: Michael Adam <obnox@samba.org>
359 Signed-off-by: Andreas Schneider <asn@samba.org>
360 Reviewed-by: Volker Lendecke <vl@samba.org>
361
362 (cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de)
363 ---
364 source3/winbindd/wb_lookupusergroups.c | 11 +++++++++++
365 1 file changed, 11 insertions(+)
366
367 diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
368 index aeffc17..1bb7081 100644
369 --- a/source3/winbindd/wb_lookupusergroups.c
370 +++ b/source3/winbindd/wb_lookupusergroups.c
371 @@ -37,6 +37,7 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
372 {
373 struct tevent_req *req, *subreq;
374 struct wb_lookupusergroups_state *state;
375 + NTSTATUS status;
376
377 req = tevent_req_create(mem_ctx, &state,
378 struct wb_lookupusergroups_state);
379 @@ -45,6 +46,16 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
380 }
381 sid_copy(&state->sid, sid);
382
383 + status = lookup_usergroups_cached(NULL,
384 + state,
385 + &state->sid,
386 + &state->sids.num_sids,
387 + &state->sids.sids);
388 + if (NT_STATUS_IS_OK(status)) {
389 + tevent_req_done(req);
390 + return tevent_req_post(req, ev);
391 + }
392 +
393 subreq = dcerpc_wbint_LookupUserGroups_send(
394 state, ev, dom_child_handle(domain), &state->sid, &state->sids);
395 if (tevent_req_nomem(subreq, req)) {
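Review bot: `lookup_usergroups_cached(NULL, ...)` passes NULL as the first argument even though the `domain` this request is for is in scope (it is handed to `dom_child_handle(domain)` two lines further down); if the callee ever touches that parameter this is a null dereference, and if it never does, the NULL deserves a one-line comment so the next reader does not "fix" it. Either pass `domain` or add `/* domain is not needed for a pure cache lookup */` above the call, whichever matches lookup_usergroups_cached's body, which is outside this hunk. The cache hit now completes the request before any RPC is sent, so `state->sids` has two producers; a short comment at the `tevent_req_done(req)` line saying that a cached result is treated as complete for this sid would make the early completion intent clear. wb_lookupusergroups_send starts in the previous hunk and ends outside this one.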
396 --
397 2.1.0