The Samba-Bugzilla – Attachment 10039 Details for
Bug 10662
Samba does not handle SID compression
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Resource SID compression support patch for 3.6.X
RSID_COMPRESSION_3.6_v2.patch (text/plain), 9.66 KB, created by
Hemanth
on 2014-06-18 11:30:36 UTC
(
hide
)
Description:
Resource SID compression support patch for 3.6.X
Filename:
MIME Type:
Creator:
Hemanth
Created:
2014-06-18 11:30:36 UTC
Size:
9.66 KB
patch
obsolete
>--- auth/auth_util.c.orig 2014-06-16 03:26:53.548570930 -0700 >+++ auth/auth_util.c 2014-06-17 02:02:30.598976494 -0700 >@@ -1243,7 +1243,7 @@ NTSTATUS make_server_info_info3(TALLOC_C > const char *sent_nt_username, > const char *domain, > struct auth_serversupplied_info **server_info, >- struct netr_SamInfo3 *info3) >+ const struct netr_SamInfo3 *info3) > { > static const char zeros[16] = {0, }; > >--- auth/proto.h.orig 2014-06-17 06:51:21.123964446 -0700 >+++ auth/proto.h 2014-06-18 03:43:43.450779722 -0700 >@@ -32,6 +32,7 @@ > > #ifndef _AUTH_PROTO_H_ > #define _AUTH_PROTO_H_ >+#include "../librpc/gen_ndr/krb5pac.h" > > /* The following definitions come from auth/auth.c */ > >@@ -169,7 +170,7 @@ NTSTATUS make_server_info_info3(TALLOC_C > const char *sent_nt_username, > const char *domain, > struct auth_serversupplied_info **server_info, >- struct netr_SamInfo3 *info3); >+ const struct netr_SamInfo3 *info3); > struct wbcAuthUserInfo; > NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, > const char *sent_nt_username, >@@ -219,13 +220,16 @@ NTSTATUS serverinfo_to_SamInfo6(struct a > uint8_t *pipe_session_key, > size_t pipe_session_key_len, > struct netr_SamInfo6 *sam6); >+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, >+ const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 **pp_info3); > NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > struct samu *samu, > const char *login_server, > struct netr_SamInfo3 **_info3, > struct extra_auth_info *extra); > struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, >- struct netr_SamInfo3 *orig); >+ const struct netr_SamInfo3 *orig); > struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, > const struct wbcAuthUserInfo *info); > >@@ -297,7 +301,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CT > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, > struct auth_serversupplied_info **server_info); > >--- auth/server_info.c.orig 2014-06-16 03:26:47.669543008 -0700 >+++ auth/server_info.c 2014-06-18 03:47:07.642722553 -0700 >@@ -291,6 +291,82 @@ static NTSTATUS group_sids_to_info3(stru > > return NT_STATUS_OK; > } >+/* >+ * Merge resource SIDs, if any, into the passed in info3 structure. >+ */ >+ >+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 *info3) >+{ >+ uint32_t i = 0; >+ >+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) { >+ return NT_STATUS_OK; >+ } >+ >+ /* >+ * If there are any resource groups (SID Compression) add >+ * them to the extra sids portion of the info3 in the PAC. >+ * >+ * This makes the info3 look like it would if we got the info >+ * from the DC rather than the PAC. >+ */ >+ >+ /* >+ * Construct a SID for each RID in the list and then append it >+ * to the info3. >+ */ >+ for (i = 0; i < logon_info->res_groups.count; i++) { >+ NTSTATUS status; >+ struct dom_sid new_sid; >+ uint32_t attributes = logon_info->res_groups.rids[i].attributes; >+ >+ sid_compose(&new_sid, >+ logon_info->res_group_dom_sid, >+ logon_info->res_groups.rids[i].rid); >+ >+ DEBUG(10, ("Adding SID %s to extra SIDS\n", >+ sid_string_dbg(&new_sid))); >+ >+ status = append_netr_SidAttr(info3, &info3->sids, >+ &info3->sidcount, >+ &new_sid, >+ attributes); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n", >+ sid_string_dbg(&new_sid), >+ nt_errstr(status))); >+ return status; >+ } >+ } >+ >+ return NT_STATUS_OK; >+} >+ >+/* >+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO, >+ * then merge resource SIDs, if any, into it. If successful return >+ * the created info3 struct. >+ */ >+ >+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, >+ const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 **pp_info3) >+{ >+ NTSTATUS status; >+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx, >+ &logon_info->info3); >+ if (info3 == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ status = merge_resource_sids(logon_info, info3); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(info3); >+ return status; >+ } >+ *pp_info3 = info3; >+ return NT_STATUS_OK; >+} > > #define RET_NOMEM(ptr) do { \ > if (!ptr) { \ >@@ -485,7 +561,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *me > } } while(0) > > struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, >- struct netr_SamInfo3 *orig) >+ const struct netr_SamInfo3 *orig) > { > struct netr_SamInfo3 *info3; > unsigned int i; >--- auth/user_krb5.c.orig 2014-06-17 06:53:16.625499697 -0700 >+++ auth/user_krb5.c 2014-06-17 06:53:02.469432096 -0700 >@@ -184,7 +184,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CT > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, > struct auth_serversupplied_info **server_info) > { >@@ -198,14 +198,14 @@ NTSTATUS make_server_info_krb5(TALLOC_CT > return status; > } > >- } else if (logon_info) { >+ } else if (info3) { > /* pass the unmapped username here since map_username() > will be called again in make_server_info_info3() */ > > status = make_server_info_info3(mem_ctx, > ntuser, ntdomain, > server_info, >- &logon_info->info3); >+ info3); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("make_server_info_info3 failed: %s!\n", > nt_errstr(status))); >@@ -285,7 +285,7 @@ NTSTATUS make_server_info_krb5(TALLOC_CT > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, > struct auth_serversupplied_info **server_info) > { >--- rpc_server/dcesrv_gssapi.c.orig 2014-06-17 06:54:19.171788401 -0700 >+++ rpc_server/dcesrv_gssapi.c 2014-06-17 06:54:08.827738249 -0700 >@@ -194,7 +194,7 @@ NTSTATUS gssapi_server_get_user_info(str > > status = make_server_info_krb5(mem_ctx, > ntuser, ntdomain, username, pw, >- logon_info, is_guest, server_info); >+ &logon_info->info3, is_guest, server_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", > nt_errstr(status))); >--- smbd/sesssetup.c.orig 2014-06-16 03:26:40.012508385 -0700 >+++ smbd/sesssetup.c 2014-06-18 02:01:26.019454791 -0700 >@@ -257,6 +257,7 @@ static void reply_spnego_kerberos(struct > bool map_domainuser_to_guest = False; > bool username_was_mapped; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > struct smbd_server_connection *sconn = req->sconn; > char *principal; > char *user; >@@ -362,7 +363,18 @@ static void reply_spnego_kerberos(struct > > /* save the PAC data if we have it */ > if (logon_info) { >- netsamlogon_cache_store(user, &logon_info->info3); >+ ret = create_info3_from_pac_logon_info(mem_ctx, >+ logon_info, >+ &info3_copy); >+ if (!NT_STATUS_IS_OK(ret)) { >+ DEBUG(1, ("create_info3_from_pac_logon_info failed: %s\n", >+ nt_errstr(ret))); >+ data_blob_free(&ap_rep); >+ data_blob_free(&session_key); >+ TALLOC_FREE(mem_ctx); >+ return; >+ } >+ netsamlogon_cache_store(user, info3_copy); > } > > /* setup the string used by %U */ >@@ -373,7 +385,7 @@ static void reply_spnego_kerberos(struct > > ret = make_server_info_krb5(mem_ctx, > user, domain, real_username, pw, >- logon_info, map_domainuser_to_guest, >+ info3_copy, map_domainuser_to_guest, > &server_info); > if (!NT_STATUS_IS_OK(ret)) { > DEBUG(1, ("make_server_info_krb5 failed!\n")); >--- smbd/smb2_sesssetup.c.orig 2014-06-16 03:26:33.828479130 -0700 >+++ smbd/smb2_sesssetup.c 2014-06-18 02:20:31.920741407 -0700 >@@ -178,6 +178,7 @@ static NTSTATUS smbd_smb2_session_setup_ > DATA_BLOB secblob_out = data_blob_null; > uint8 tok_id[2]; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > char *principal = NULL; > char *user = NULL; > char *domain = NULL; >@@ -220,7 +221,15 @@ static NTSTATUS smbd_smb2_session_setup_ > > /* save the PAC data if we have it */ > if (logon_info) { >- netsamlogon_cache_store(user, &logon_info->info3); >+ status = create_info3_from_pac_logon_info(smb2req, >+ logon_info, >+ &info3_copy); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(1, ("create_info3_from_pac_logon_info failed: %s\n", >+ nt_errstr(status))); >+ return status; >+ } >+ netsamlogon_cache_store(NULL, info3_copy); > } > > /* setup the string used by %U */ >@@ -231,7 +240,7 @@ static NTSTATUS smbd_smb2_session_setup_ > > status = make_server_info_krb5(session, > user, domain, real_username, pw, >- logon_info, map_domainuser_to_guest, >+ info3_copy, map_domainuser_to_guest, > &session->session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("smb2: make_server_info_krb5 failed\n")); >--- winbindd/winbindd_pam.c.orig 2014-06-16 03:26:26.748446612 -0700 >+++ winbindd/winbindd_pam.c 2014-06-18 02:09:56.176807472 -0700 >@@ -546,6 +546,7 @@ static NTSTATUS winbindd_raw_kerberos_lo > time_t time_offset = 0; > const char *user_ccache_file; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > > *info3 = NULL; > >@@ -623,8 +624,18 @@ static NTSTATUS winbindd_raw_kerberos_lo > if (!NT_STATUS_IS_OK(result)) { > goto failed; > } >+ if (logon_info) { >+ result = create_info3_from_pac_logon_info(mem_ctx, >+ logon_info, >+ &info3_copy); >+ if (!NT_STATUS_IS_OK(result)) { >+ DEBUG(1, ("create_info3_from_pac_logon_info failed: %s\n", >+ nt_errstr(result))); >+ goto failed; >+ } >+ } > >- *info3 = &logon_info->info3; >+ *info3 = info3_copy; > > DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", > principal_s));
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 10662
: 10039