The Samba-Bugzilla – Attachment 10610 Details for
Bug 11044
Samba 4.2 using Kerberos (not AD) fails to authenticate
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch for passwd_to_SamInfo3
samba42_krb_fix.diff (text/plain), 4.07 KB, created by
Michael Zeis
on 2015-01-09 22:33:41 UTC
(
hide
)
Description:
Patch for passwd_to_SamInfo3
Filename:
MIME Type:
Creator:
Michael Zeis
Created:
2015-01-09 22:33:41 UTC
Size:
4.07 KB
patch
obsolete
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index dbc7d24..585afd3 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -671,7 +671,8 @@ NTSTATUS make_server_info_pw(TALLOC_CTX *mem_ctx, > status = passwd_to_SamInfo3(result, > unix_username, > pwd, >- &result->info3); >+ &result->info3, >+ &result->extra); > if (!NT_STATUS_IS_OK(status)) { > goto done; > } >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index da3c099..792e96d 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -305,7 +305,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, > const char *unix_username, > const struct passwd *pwd, >- struct netr_SamInfo3 **pinfo3); >+ struct netr_SamInfo3 **pinfo3, >+ struct extra_auth_info *extra); > struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, > const struct netr_SamInfo3 *orig); > >diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c >index 8fd3b0d..86b3dd3 100644 >--- a/source3/auth/server_info.c >+++ b/source3/auth/server_info.c >@@ -517,7 +517,8 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, > const char *unix_username, > const struct passwd *pwd, >- struct netr_SamInfo3 **pinfo3) >+ struct netr_SamInfo3 **pinfo3, >+ struct extra_auth_info *extra) > { > struct netr_SamInfo3 *info3; > NTSTATUS status; >@@ -613,23 +614,68 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, > > ZERO_STRUCT(domain_sid); > >- sid_copy(&domain_sid, &user_sid); >- sid_split_rid(&domain_sid, &info3->base.rid); >+ /* check if this is a "Unix Users" domain user, >+ * we need to handle it in a special way if that's the case */ >+ if (sid_check_is_in_unix_users(&user_sid)) { >+ /* in info3 you can only set rids for the user and the >+ * primary group, and the domain sid must be that of >+ * the sam domain. >+ * >+ * Store a completely bogus value here. >+ * The real SID is stored in the extra sids. >+ * Other code will know to look there if (-1) is found >+ */ >+ info3->base.rid = (uint32_t)(-1); >+ sid_copy(&extra->user_sid, &user_sid); >+ >+ DEBUG(10, ("Unix User found in passwd. Rid marked as " >+ "special and sid (%s) saved as extra sid\n", >+ sid_string_dbg(&user_sid))); >+ } else { >+ sid_copy(&domain_sid, &user_sid); >+ sid_split_rid(&domain_sid, &info3->base.rid); >+ } >+ >+ if (is_null_sid(&domain_sid)) { >+ sid_copy(&domain_sid, get_global_sam_sid()); >+ } >+ > info3->base.domain_sid = dom_sid_dup(info3, &domain_sid); > >- ok = sid_peek_check_rid(&domain_sid, &group_sid, >+ /* check if this is a "Unix Groups" domain group, >+ * if so we need special handling */ >+ if (sid_check_is_in_unix_groups(&group_sid)) { >+ /* in info3 you can only set rids for the user and the >+ * primary group, and the domain sid must be that of >+ * the sam domain. >+ * >+ * Store a completely bogus value here. >+ * The real SID is stored in the extra sids. >+ * Other code will know to look there if (-1) is found >+ */ >+ info3->base.primary_gid = (uint32_t)(-1); >+ sid_copy(&extra->pgid_sid, &group_sid); >+ >+ DEBUG(10, ("Unix Group found in passwd. Rid marked as " >+ "special and sid (%s) saved as extra sid\n", >+ sid_string_dbg(&group_sid))); >+ >+ } else { >+ ok = sid_peek_check_rid(&domain_sid, &group_sid, > &info3->base.primary_gid); >- if (!ok) { >- DEBUG(1, ("The primary group domain sid(%s) does not " >- "match the domain sid(%s) for %s(%s)\n", >- sid_string_dbg(&group_sid), >- sid_string_dbg(&domain_sid), >- unix_username, >- sid_string_dbg(&user_sid))); >- status = NT_STATUS_INVALID_SID; >- goto done; >+ if (!ok) { >+ DEBUG(1, ("The primary group domain sid(%s) does not " >+ "match the domain sid(%s) for %s(%s)\n", >+ sid_string_dbg(&group_sid), >+ sid_string_dbg(&domain_sid), >+ unix_username, >+ sid_string_dbg(&user_sid))); >+ status = NT_STATUS_INVALID_SID; >+ goto done; >+ } > } > >+ info3->base.user_flags = NETLOGON_EXTRA_SIDS; > info3->base.acct_flags = ACB_NORMAL; > > if (num_sids) {
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 11044
:
10610
|
10618
|
10621