From 097f279dbe2ec6a9f3c54bb04fce18a6f7e6339f Mon Sep 17 00:00:00 2001
From: Noel Power
Date: Wed, 10 Jun 2015 13:13:25 +0100
Subject: [PATCH 1/2] kerberos auth info3 should contain resource group ids available from pac_logon successful pam auth (e.g. from ssh) will cache group sids (but not any resource group sids)) The subsequent cached entry used for groups lookups can be missing those resource groups
Signed-off-by: Noel Power
Reviewed-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
(cherry picked from commit efadcb31215f9ccaf7942341c698a8eb2ac166ce)
---
 source3/winbindd/winbindd_pam.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 51dc2ea..fdbc5c0 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -581,6 +581,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 struct PAC_DATA_CTR *pac_data_ctr = NULL;
 const char *local_service;
 int i;
+ struct netr_SamInfo3 *info3_copy = NULL;
 *info3 = NULL;
@@ -700,11 +701,15 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 break;
 }
- *info3 = &logon_info->info3;
 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", principal_s));
+ result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto failed;
+ }
+
 /* if we had a user's ccache then return that string for the pam * environment */
@@ -740,7 +745,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 }
 }
-
+ *info3 = info3_copy;
 return NT_STATUS_OK;
 failed:
--
2.1.4
From b3a48b7895e151015878c3ba1b6f0dabfb2ceb35 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Wed, 10 Jun 2015 16:31:21 -0700
Subject: [PATCH 2/2] winbindd: winbindd_raw_kerberos_login - ensure logon_info exists in PAC.
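Review bot: The `create_info3_from_pac_logon_info()` call added in the second hunk of patch 1/2 (-700,11) has no comment saying why a copy is built or who owns it; only the commit message explains that. Before this change `*info3` pointed into `logon_info`; now it receives a separate object that, judging by the `mem_ctx` argument, is presumably allocated under the caller's talloc context. I would add above the call `/* Build a standalone info3 from the validated ticket's PAC so resource group SIDs are included; handed to the caller only on success. */`. Assigning `*info3` only in the last hunk, right before `return NT_STATUS_OK;`, keeps the output NULL on every `goto failed` path, and the comment should say so. The function starts and ends outside these hunks, so what `failed:` releases is not visible here.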
Signed-off-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
Autobuild-User(master): Andrew Bartlett
Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104
(cherry picked from commit 4c5fefe0723ae4cd3cacaabc5ae4c500d2306968)
---
 source3/winbindd/winbindd_pam.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index fdbc5c0..bed2220 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -701,6 +701,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
 break;
 }
+ if (logon_info == NULL) {
+ DEBUG(10,("Missing logon_info in ticket of %s\n",
+ principal_s));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
 DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", principal_s));
--
2.1.4
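Review bot: The added `logon_info == NULL` branch exits with a bare `return NT_STATUS_INVALID_PARAMETER;`, while the error path added to this same function in patch 1/2 uses `goto failed;`. Any cleanup under the `failed:` label is therefore skipped when a ticket's PAC carries no logon info. The label's body is outside the hunk, but if it tears down state created earlier in the login (the surrounding comments mention a user's ccache), this path would leave that state behind after a rejected authentication. I would write `result = NT_STATUS_INVALID_PARAMETER;` followed by `goto failed;` instead. The message is also emitted only at debug level 10; a PAC rejected for missing logon info is an event an operator would want visible at a lower level.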