1 From 72494e601ee6027873494f7ee7aff03d9170e3eb Mon Sep 17 00:00:00 2001
2 From: Jeremy Allison <jra@samba.org>
3 Date: Mon, 16 Jun 2014 22:49:29 -0700
4 Subject: [PATCH 1/5] PATCHSET21: s3: auth: Add some const to the struct
5 netr_SamInfo3 * arguments of copy_netr_SamInfo3() and
6 make_server_info_info3()
8 Both functions only read from the struct netr_SamInfo3 * argument.
10 Signed-off-by: Jeremy Allison <jra@samba.org>
11 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
12 Reviewed-by: Simo Sorce <idra@samba.org>
13 (cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab)
18 source3/auth/auth_util.c | 2 +-
19 source3/auth/proto.h | 4 ++--
20 source3/auth/server_info.c | 2 +-
21 3 files changed, 4 insertions(+), 4 deletions(-)
23 diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
24 index 1f1fed9..a548b7b 100644
25 --- a/source3/auth/auth_util.c
26 +++ b/source3/auth/auth_util.c
27 @@ -1195,7 +1195,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
28 const char *sent_nt_username,
30 struct auth_serversupplied_info **server_info,
31 - struct netr_SamInfo3 *info3)
32 + const struct netr_SamInfo3 *info3)
34 static const char zeros[16] = {0, };
36 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
37 index fccabc4..c851722 100644
38 --- a/source3/auth/proto.h
39 +++ b/source3/auth/proto.h
40 @@ -173,7 +173,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
41 const char *sent_nt_username,
43 struct auth_serversupplied_info **server_info,
44 - struct netr_SamInfo3 *info3);
45 + const struct netr_SamInfo3 *info3);
46 struct wbcAuthUserInfo;
47 NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx,
48 const char *sent_nt_username,
49 @@ -233,7 +233,7 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
50 const struct passwd *pwd,
51 struct netr_SamInfo3 **pinfo3);
52 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
53 - struct netr_SamInfo3 *orig);
54 + const struct netr_SamInfo3 *orig);
55 struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx,
56 const struct wbcAuthUserInfo *info);
58 diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
59 index e627892..63b4989 100644
60 --- a/source3/auth/server_info.c
61 +++ b/source3/auth/server_info.c
62 @@ -632,7 +632,7 @@ done:
65 struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx,
66 - struct netr_SamInfo3 *orig)
67 + const struct netr_SamInfo3 *orig)
69 struct netr_SamInfo3 *info3;
75 From 1afd41a9cc31acdff66ab084ba89913c8a239a0f Mon Sep 17 00:00:00 2001
76 From: Jeremy Allison <jra@samba.org>
77 Date: Mon, 16 Jun 2014 22:54:45 -0700
78 Subject: [PATCH 2/5] PATCHSET21: s3: auth: Change make_server_info_info3() to
79 take a const struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO.
81 make_server_info_info3() only reads from the info3 pointer.
83 Signed-off-by: Jeremy Allison <jra@samba.org>
84 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
85 Reviewed-by: Simo Sorce <idra@samba.org>
86 (cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368)
89 source3/auth/auth_generic.c
91 source3/auth/user_krb5.c
93 source3/auth/proto.h | 2 +-
94 source3/auth/user_krb5.c | 8 ++++----
95 2 files changed, 5 insertions(+), 5 deletions(-)
97 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
98 index c851722..0ab32a7 100644
99 --- a/source3/auth/proto.h
100 +++ b/source3/auth/proto.h
101 @@ -305,7 +305,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
105 - struct PAC_LOGON_INFO *logon_info,
106 + const struct netr_SamInfo3 *info3,
107 bool mapped_to_guest,
108 struct auth_serversupplied_info **server_info);
110 diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
111 index 1e5254e..fde2f48 100644
112 --- a/source3/auth/user_krb5.c
113 +++ b/source3/auth/user_krb5.c
114 @@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
118 - struct PAC_LOGON_INFO *logon_info,
119 + const struct netr_SamInfo3 *info3,
120 bool mapped_to_guest,
121 struct auth_serversupplied_info **server_info)
123 @@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
127 - } else if (logon_info) {
128 + } else if (info3) {
129 /* pass the unmapped username here since map_username()
130 will be called again in make_server_info_info3() */
132 status = make_server_info_info3(mem_ctx,
135 - &logon_info->info3);
137 if (!NT_STATUS_IS_OK(status)) {
138 DEBUG(1, ("make_server_info_info3 failed: %s!\n",
140 @@ -284,7 +284,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
144 - struct PAC_LOGON_INFO *logon_info,
145 + const struct netr_SamInfo3 *info3,
146 bool mapped_to_guest,
147 struct auth_serversupplied_info **server_info)
153 From 08bf07ec03537aedbd7beb359cf9274be2882edf Mon Sep 17 00:00:00 2001
154 From: Jeremy Allison <jra@samba.org>
155 Date: Mon, 16 Jun 2014 23:11:58 -0700
156 Subject: [PATCH 3/5] PATCHSET21: s3: auth: Add
157 create_info3_from_pac_logon_info() to create a new info3 and merge resource
160 Originally written by Richard Sharpe <realrichardsharpe@gmail.com>.
162 Signed-off-by: Jeremy Allison <jra@samba.org>
163 Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com>
164 Reviewed-by: Simo Sorce <idra@samba.org>
165 (cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6)
167 source3/auth/proto.h | 5 ++-
168 source3/auth/server_info.c | 78 ++++++++++++++++++++++++++++++++++++++++++++++
169 2 files changed, 82 insertions(+), 1 deletion(-)
171 diff --git a/source3/auth/proto.h b/source3/auth/proto.h
172 index 0ab32a7..4335cf8 100644
173 --- a/source3/auth/proto.h
174 +++ b/source3/auth/proto.h
175 @@ -209,6 +209,7 @@ NTSTATUS auth_winbind_init(void);
176 struct netr_SamInfo2;
177 struct netr_SamInfo3;
178 struct netr_SamInfo6;
179 +struct PAC_LOGON_INFO;
181 struct auth_serversupplied_info *make_server_info(TALLOC_CTX *mem_ctx);
182 NTSTATUS serverinfo_to_SamInfo2(struct auth_serversupplied_info *server_info,
183 @@ -223,6 +224,9 @@ NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info,
184 uint8_t *pipe_session_key,
185 size_t pipe_session_key_len,
186 struct netr_SamInfo6 *sam6);
187 +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
188 + const struct PAC_LOGON_INFO *logon_info,
189 + struct netr_SamInfo3 **pp_info3);
190 NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx,
192 const char *login_server,
193 @@ -289,7 +293,6 @@ bool user_in_netgroup(TALLOC_CTX *ctx, const char *user, const char *ngname);
194 bool user_in_list(TALLOC_CTX *ctx, const char *user,const char **list);
196 /* The following definitions come from auth/user_krb5.c */
197 -struct PAC_LOGON_INFO;
198 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
199 const char *cli_name,
200 const char *princ_name,
201 diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
202 index 63b4989..1fd9317 100644
203 --- a/source3/auth/server_info.c
204 +++ b/source3/auth/server_info.c
207 #include "../lib/crypto/arcfour.h"
208 #include "../librpc/gen_ndr/netlogon.h"
209 +#include "../librpc/gen_ndr/krb5pac.h"
210 #include "../libcli/security/security.h"
211 #include "rpc_client/util_netlogon.h"
212 #include "nsswitch/libwbclient/wbclient.h"
213 @@ -293,6 +294,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3,
218 + * Merge resource SIDs, if any, into the passed in info3 structure.
221 +static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info,
222 + struct netr_SamInfo3 *info3)
226 + if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
227 + return NT_STATUS_OK;
231 + * If there are any resource groups (SID Compression) add
232 + * them to the extra sids portion of the info3 in the PAC.
234 + * This makes the info3 look like it would if we got the info
235 + * from the DC rather than the PAC.
239 + * Construct a SID for each RID in the list and then append it
242 + for (i = 0; i < logon_info->res_groups.count; i++) {
244 + struct dom_sid new_sid;
245 + uint32_t attributes = logon_info->res_groups.rids[i].attributes;
247 + sid_compose(&new_sid,
248 + logon_info->res_group_dom_sid,
249 + logon_info->res_groups.rids[i].rid);
251 + DEBUG(10, ("Adding SID %s to extra SIDS\n",
252 + sid_string_dbg(&new_sid)));
254 + status = append_netr_SidAttr(info3, &info3->sids,
258 + if (!NT_STATUS_IS_OK(status)) {
259 + DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n",
260 + sid_string_dbg(&new_sid),
261 + nt_errstr(status)));
266 + return NT_STATUS_OK;
270 + * Create a copy of an info3 struct from the struct PAC_LOGON_INFO,
271 + * then merge resource SIDs, if any, into it. If successful return
272 + * the created info3 struct.
275 +NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx,
276 + const struct PAC_LOGON_INFO *logon_info,
277 + struct netr_SamInfo3 **pp_info3)
280 + struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx,
281 + &logon_info->info3);
282 + if (info3 == NULL) {
283 + return NT_STATUS_NO_MEMORY;
285 + status = merge_resource_sids(logon_info, info3);
286 + if (!NT_STATUS_IS_OK(status)) {
287 + TALLOC_FREE(info3);
291 + return NT_STATUS_OK;
294 #define RET_NOMEM(ptr) do { \
296 TALLOC_FREE(info3); \
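Review bot: merge_resource_sids passes `logon_info->res_group_dom_sid` straight into `sid_compose()` inside the loop without checking it, so a PAC that sets NETLOGON_RESOURCE_GROUPS but carries no resource-group domain SID would dereference a NULL pointer; a guard right after the flag test, `if (logon_info->res_group_dom_sid == NULL) { return NT_STATUS_INVALID_PARAMETER; }`, turns that into an ordinary logon failure that create_info3_from_pac_logon_info already handles by freeing the copy. This assumes sid_compose() copies from the domain SID pointer without its own NULL check, which is not visible here. The lines between the failed-append DEBUG and the final `return NT_STATUS_OK;` are not visible in this hunk, so I cannot confirm the loop returns `status` on failure rather than continuing with a partially merged sids array. Whether `res_groups.rids` can be NULL with a non-zero `count` after NDR pull is also worth confirming before relying on the loop bound alone.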
301 From 86d58108db53958f05d559b2d2a20185ef2deb55 Mon Sep 17 00:00:00 2001
302 From: Andreas Schneider <asn@cryptomilk.org>
303 Date: Wed, 4 Mar 2015 17:45:39 +0100
304 Subject: [PATCH 4/5] PATCHSET21: s3-winbind: Merge resource groups from a
305 trusted PAC into the sid array.
307 This is a backport of db775c68ccbed0252abf092b5cb811e8f5fa9bb6.
309 source3/winbindd/winbindd_pam.c | 10 +++++++++-
310 1 file changed, 9 insertions(+), 1 deletion(-)
312 diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
313 index 5316232..b1838a6 100644
314 --- a/source3/winbindd/winbindd_pam.c
315 +++ b/source3/winbindd/winbindd_pam.c
316 @@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
317 time_t time_offset = 0;
318 const char *user_ccache_file;
319 struct PAC_LOGON_INFO *logon_info = NULL;
320 + struct netr_SamInfo3 *info3_copy = NULL;
324 @@ -624,7 +625,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
328 - *info3 = &logon_info->info3;
329 + result = create_info3_from_pac_logon_info(mem_ctx,
332 + if (!NT_STATUS_IS_OK(result)) {
336 + *info3 = info3_copy;
338 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
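Review bot: Replacing `*info3 = &logon_info->info3;` with a talloc'd copy deserves a one-line comment, because a reader sees only an extra allocation where an alias used to be; suggested, above the `result = create_info3_from_pac_logon_info(` line: `/* Copy the PAC info3 onto mem_ctx so resource groups (SID compression) can be merged in without modifying the PAC, and so *info3 is not tied to the PAC buffer's lifetime. */`. The remaining call arguments and the body of the error branch are not visible in this hunk, so I cannot confirm that `info3_copy` stays NULL and `result` is propagated on failure. winbindd_raw_kerberos_login starts and ends outside the hunk.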
344 From 40731d512ba1ee0502bdbdd831c4154f967d9f3e Mon Sep 17 00:00:00 2001
345 From: Michael Adam <obnox@samba.org>
346 Date: Mon, 9 Mar 2015 15:15:37 +0100
347 Subject: [PATCH 5/5] PATCHSET21: s3-winbind: Fix cached user group lookup of
350 If a user group lookup has already been done before with a machine
351 account we did always return the incomplete information from the cache.
352 This patch makes sure we return the correct group information from the
355 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11143
357 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
358 Signed-off-by: Michael Adam <obnox@samba.org>
359 Signed-off-by: Andreas Schneider <asn@samba.org>
360 Reviewed-by: Volker Lendecke <vl@samba.org>
362 (cherry picked from commit f5d0204bfa1eb641fe7697613c1f773b6a7e65de)
364 source3/winbindd/wb_lookupusergroups.c | 11 +++++++++++
365 1 file changed, 11 insertions(+)
367 diff --git a/source3/winbindd/wb_lookupusergroups.c b/source3/winbindd/wb_lookupusergroups.c
368 index aeffc17..1bb7081 100644
369 --- a/source3/winbindd/wb_lookupusergroups.c
370 +++ b/source3/winbindd/wb_lookupusergroups.c
371 @@ -37,6 +37,7 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
373 struct tevent_req *req, *subreq;
374 struct wb_lookupusergroups_state *state;
377 req = tevent_req_create(mem_ctx, &state,
378 struct wb_lookupusergroups_state);
379 @@ -45,6 +46,16 @@ struct tevent_req *wb_lookupusergroups_send(TALLOC_CTX *mem_ctx,
381 sid_copy(&state->sid, sid);
383 + status = lookup_usergroups_cached(NULL,
386 + &state->sids.num_sids,
387 + &state->sids.sids);
388 + if (NT_STATUS_IS_OK(status)) {
389 + tevent_req_done(req);
390 + return tevent_req_post(req, ev);
393 subreq = dcerpc_wbint_LookupUserGroups_send(
394 state, ev, dom_child_handle(domain), &state->sid, &state->sids);
395 if (tevent_req_nomem(subreq, req)) {
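Review bot: The new cache-hit path in wb_lookupusergroups_send completes the request silently, so a debug trace cannot tell whether a group list came from lookup_usergroups_cached() or from the wbint_LookupUserGroups round trip — awkward for a change whose motivation is the cache returning incomplete information; adding `DEBUG(10, ("wb_lookupusergroups_send: using cached groups for %s\n", sid_string_dbg(&state->sid)));` before `tevent_req_done(req);` makes the two paths distinguishable. The first argument passed as `NULL` and the two arguments between it and `&state->sids.num_sids` are not visible here, so I could not check that the talloc parent of the returned sids array is `state`; if it is not, the cached array would not be released with the request. The `status` declaration added by the preceding hunk is likewise not visible in this view.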