The branch, master has been updated via ccfba25 s3: auth: Use wbcAuthenticateUserEx to prime the caches. via cf0f288 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache. from f92590d lib: Fix bug 12291
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit ccfba2537d0ea081fbeeee0feecf8e2774850300 Author: Jeremy Allison <j...@samba.org> Date: Mon Sep 26 17:07:44 2016 -0700 s3: auth: Use wbcAuthenticateUserEx to prime the caches. Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass the PAC to winbind from smbd on auth, this allows winbind to prime the user info via netsamlogon_cache_store() and the name2sid cache *before* smbd looks up the user. Note that as this is merely a cache prime having winbind not available is not an error. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Wed Sep 28 22:45:27 CEST 2016 on sn-devel-144 commit cf0f28819e771d433af00b3532011de70112b1f8 Author: Jeremy Allison <j...@samba.org> Date: Tue Sep 27 15:04:49 2016 -0700 s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache. In addition to priming the netsamlogon cache. This prevents a winbind AD-DC lookup for something the PAC already told us. Note we only do this in the case where the PAC successfully passed signature verification. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Günther Deschner <g...@samba.org> ----------------------------------------------------------------------- Summary of changes: source3/auth/auth_generic.c | 49 +++++++++++++++++++++++++++++++++++++++-- source3/winbindd/winbindd_pam.c | 35 ++++++++++++++++++++++++++++- 2 files changed, 81 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 74eb2fa..f9b9184 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -28,6 +28,7 @@ #include "lib/param/param.h" #ifdef HAVE_KRB5 #include "auth/kerberos/pac_utils.h" +#include "nsswitch/libwbclient/wbclient.h" #endif #include "librpc/crypto/gse.h" #include "auth/credentials/credentials.h" @@ -63,6 +64,51 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, if (pac_blob) { #ifdef HAVE_KRB5 + struct wbcAuthUserParams params = {}; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; + wbcErr wbc_err; + + /* + * Let winbind decode the PAC. + * This will also store the user + * data in the netsamlogon cache. + * + * We need to do this *before* we + * call get_user_from_kerberos_info() + * as that does a user lookup that + * expects info in the netsamlogon cache. + * + * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 + */ + params.level = WBC_AUTH_USER_LEVEL_PAC; + params.password.pac.data = pac_blob->data; + params.password.pac.length = pac_blob->length; + + become_root(); + wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); + unbecome_root(); + + /* + * As this is merely a cache prime + * WBC_ERR_WINBIND_NOT_AVAILABLE + * is not a fatal error, treat it + * as success. + */ + + switch (wbc_err) { + case WBC_ERR_WINBIND_NOT_AVAILABLE: + case WBC_ERR_SUCCESS: + break; + case WBC_ERR_AUTH_ERROR: + status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + goto done; + default: + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, NULL, NULL, 0, &logon_info); #else @@ -101,7 +147,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, goto done; } - /* save the PAC data if we have it */ + /* Get the info3 from the PAC data if we have it */ if (logon_info) { status = create_info3_from_pac_logon_info(tmp_ctx, logon_info, @@ -109,7 +155,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, if (!NT_STATUS_IS_OK(status)) { goto done; } - netsamlogon_cache_store(ntuser, info3_copy); } /* setup the string used by %U */ diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index 8ec4fe4..da874c7 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, } if (logon_info) { - /* Signature verification succeeded, trust the PAC */ + /* + * Signature verification succeeded, we can + * trust the PAC and prime the netsamlogon + * and name2sid caches. DO NOT DO THIS + * in the signature verification failed + * code path. + */ + struct winbindd_domain *domain = NULL; + result = create_info3_from_pac_logon_info(state->mem_ctx, logon_info, &info3_copy); @@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, } netsamlogon_cache_store(NULL, info3_copy); + /* + * We're in the parent here, so find the child + * pointer from the PAC domain name. + */ + domain = find_domain_from_name_noinit( + info3_copy->base.logon_domain.string); + if (domain && domain->primary ) { + struct dom_sid user_sid; + + sid_compose(&user_sid, + info3_copy->base.domain_sid, + info3_copy->base.rid); + + cache_name2sid(domain, + info3_copy->base.logon_domain.string, + info3_copy->base.account_name.string, + SID_NAME_USER, + &user_sid); + + DBG_INFO("PAC for user %s\%s SID %s primed cache\n", + info3_copy->base.logon_domain.string, + info3_copy->base.account_name.string, + sid_string_dbg(&user_sid)); + } + } else { /* Try without signature verification */ result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL, -- Samba Shared Repository