Hi,

Jakub found that currently only group SIDs are used to find the group
memberships of users from a trusted domain. The attached patch adds the
user SID as well.

Fixes https://fedorahosted.org/freeipa/ticket/3257 .

bye,
Sumit
From 9525242dc9912a62b89dc65633917ab660df1704 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sb...@redhat.com>
Date: Wed, 14 Nov 2012 14:22:15 +0100
Subject: [PATCH] Lookup the user SID in external group as well

Currently only the group SIDs from a PAC are used to determine membership
in local groups. This patch adds the user SID to the list.

Fixes https://fedorahosted.org/freeipa/ticket/3257
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 19 ++++++++++++++-----
 1 Datei geändert, 14 Zeilen hinzugefügt(+), 5 Zeilen entfernt(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 
881a7a7124b3f6651c44bc393b6899d093f8dfc6..072dd0db8ee0a214ad062282e9459941022535e5
 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -660,9 +660,9 @@ static char *gen_sid_string(TALLOC_CTX *memctx, struct 
dom_sid *dom_sid,
     return str;
 }
 
-static int get_group_sids(TALLOC_CTX *memctx,
-                          struct PAC_LOGON_INFO_CTR *logon_info,
-                          char ***_group_sids)
+static int get_user_and_group_sids(TALLOC_CTX *memctx,
+                                   struct PAC_LOGON_INFO_CTR *logon_info,
+                                   char ***_group_sids)
 {
     int ret;
     size_t c;
@@ -678,7 +678,7 @@ static int get_group_sids(TALLOC_CTX *memctx,
     }
 
     group_sids = talloc_array(memctx, char *,
-                                     2 +
+                                     3 +
                                      logon_info->info->info3.base.groups.count 
+
                                      logon_info->info->info3.sidcount);
     if (group_sids == NULL) {
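Review bot: The `3 +` on the changed line is a magic count whose components a reader has to reconstruct from the next hunk (the user SID and the primary-group SID, plus presumably a terminating slot — the original `2 +` was not explained either). A comment on the allocation keeps the count and the later fills in sync, e.g. `/* user SID + primary group SID + terminator, then group RIDs and extra SIDs */`; whether the last slot really is a NULL terminator is not visible in this hunk and should be confirmed against the code after the loop. The enclosing function get_user_and_group_sids starts and ends outside the hunk.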
@@ -688,6 +688,15 @@ static int get_group_sids(TALLOC_CTX *memctx,
     }
 
     group_sids[p] = gen_sid_string(memctx, domain_sid,
+                                  logon_info->info->info3.base.rid);
+    if (group_sids[p] == NULL) {
+        krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
+        ret = EINVAL;
+        goto done;
+    }
+    p++;
+
+    group_sids[p] = gen_sid_string(memctx, domain_sid,
                                   logon_info->info->info3.base.primary_gid);
     if (group_sids[p] == NULL) {
         krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
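Review bot: The new error branch logs the same `"gen_sid_string failed"` text as the existing primary-group branch directly below it, so a log reader cannot tell which SID failed to build; `krb5_klog_syslog(LOG_ERR, "gen_sid_string failed for user SID");` (with matching wording for the primary-group branch) keeps the two distinguishable. The new entry is written into `group_sids[]`, which now carries the user's own SID in its first slot while the out-parameter `_group_sids` is not renamed in this patch; a one-line comment above the added fill, e.g. `/* first entry is the user's own SID (domain SID + RID), group SIDs follow */`, stops the array name from misleading. The SID is derived from `domain_sid`, whose origin and any check against the trusting domain are set up earlier in the function, outside this hunk, so the user entry inherits whatever validation the group entries already get. get_user_and_group_sids begins and ends outside the hunk.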
@@ -931,7 +940,7 @@ static krb5_error_code add_local_groups(krb5_context 
context,
     size_t ipa_group_sids_count = 0;
     struct dom_sid *ipa_group_sids = NULL;
 
-    ret = get_group_sids(memctx, info, &group_sids);
+    ret = get_user_and_group_sids(memctx, info, &group_sids);
     if (ret != 0) {
         return KRB5_KDB_INTERNAL_ERROR;
     }
-- 
1.7.11.4
