The branch, master has been updated
via ccfba25 s3: auth: Use wbcAuthenticateUserEx to prime the caches.
via cf0f288 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the
name2sid cache.
from f92590d lib: Fix bug 12291
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ccfba2537d0ea081fbeeee0feecf8e2774850300
Author: Jeremy Allison <j...@samba.org>
Date: Mon Sep 26 17:07:44 2016 -0700
s3: auth: Use wbcAuthenticateUserEx to prime the caches.
Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass
the PAC to winbind from smbd on auth, this allows
winbind to prime the user info via netsamlogon_cache_store()
and the name2sid cache *before* smbd looks up the user.
Note that as this is merely a cache prime having
winbind not available is not an error.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
Autobuild-User(master): Jeremy Allison <j...@samba.org>
Autobuild-Date(master): Wed Sep 28 22:45:27 CEST 2016 on sn-devel-144
commit cf0f28819e771d433af00b3532011de70112b1f8
Author: Jeremy Allison <j...@samba.org>
Date: Tue Sep 27 15:04:49 2016 -0700
s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
In addition to priming the netsamlogon cache.
This prevents a winbind AD-DC lookup for something
the PAC already told us.
Note we only do this in the case where the PAC successfully
passed signature verification.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
Signed-off-by: Jeremy Allison <j...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
source3/auth/auth_generic.c | 49 +++++++++++++++++++++++++++++++++++++++--
source3/winbindd/winbindd_pam.c | 35 ++++++++++++++++++++++++++++-
2 files changed, 81 insertions(+), 3 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 74eb2fa..f9b9184 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -28,6 +28,7 @@
#include "lib/param/param.h"
#ifdef HAVE_KRB5
#include "auth/kerberos/pac_utils.h"
+#include "nsswitch/libwbclient/wbclient.h"
#endif
#include "librpc/crypto/gse.h"
#include "auth/credentials/credentials.h"
@@ -63,6 +64,51 @@ static NTSTATUS auth3_generate_session_info_pac(struct
auth4_context *auth_ctx,
if (pac_blob) {
#ifdef HAVE_KRB5
+ struct wbcAuthUserParams params = {};
+ struct wbcAuthUserInfo *info = NULL;
+ struct wbcAuthErrorInfo *err = NULL;
+ wbcErr wbc_err;
+
+ /*
+ * Let winbind decode the PAC.
+ * This will also store the user
+ * data in the netsamlogon cache.
+ *
+ * We need to do this *before* we
+ * call get_user_from_kerberos_info()
+ * as that does a user lookup that
+ * expects info in the netsamlogon cache.
+ *
+ * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
+ */
+ params.level = WBC_AUTH_USER_LEVEL_PAC;
+ params.password.pac.data = pac_blob->data;
+ params.password.pac.length = pac_blob->length;
+
+ become_root();
+ wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err);
+ unbecome_root();
+
+ /*
+ * As this is merely a cache prime
+ * WBC_ERR_WINBIND_NOT_AVAILABLE
+ * is not a fatal error, treat it
+ * as success.
+ */
+
+ switch (wbc_err) {
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ case WBC_ERR_SUCCESS:
+ break;
+ case WBC_ERR_AUTH_ERROR:
+ status = NT_STATUS(err->nt_status);
+ wbcFreeMemory(err);
+ goto done;
+ default:
+ status = NT_STATUS_LOGON_FAILURE;
+ goto done;
+ }
+
status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
NULL, NULL, 0, &logon_info);
#else
@@ -101,7 +147,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct
auth4_context *auth_ctx,
goto done;
}
- /* save the PAC data if we have it */
+ /* Get the info3 from the PAC data if we have it */
if (logon_info) {
status = create_info3_from_pac_logon_info(tmp_ctx,
logon_info,
@@ -109,7 +155,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct
auth4_context *auth_ctx,
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
- netsamlogon_cache_store(ntuser, info3_copy);
}
/* setup the string used by %U */
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8ec4fe4..da874c7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct
winbindd_cli_state *state,
}
if (logon_info) {
- /* Signature verification succeeded, trust the PAC */
+ /*
+ * Signature verification succeeded, we can
+ * trust the PAC and prime the netsamlogon
+ * and name2sid caches. DO NOT DO THIS
+ * in the signature verification failed
+ * code path.
+ */
+ struct winbindd_domain *domain = NULL;
+
result = create_info3_from_pac_logon_info(state->mem_ctx,
logon_info,
&info3_copy);
@@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct
winbindd_cli_state *state,
}
netsamlogon_cache_store(NULL, info3_copy);
+ /*
+ * We're in the parent here, so find the child
+ * pointer from the PAC domain name.
+ */
+ domain = find_domain_from_name_noinit(
+ info3_copy->base.logon_domain.string);
+ if (domain && domain->primary ) {
+ struct dom_sid user_sid;
+
+ sid_compose(&user_sid,
+ info3_copy->base.domain_sid,
+ info3_copy->base.rid);
+
+ cache_name2sid(domain,
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ SID_NAME_USER,
+ &user_sid);
+
+ DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ sid_string_dbg(&user_sid));
+ }
+
} else {
/* Try without signature verification */
result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
--
Samba Shared Repository
