The Samba-Bugzilla – Attachment 11149 Details for
Bug 11328
we should use resource group sids obtained from pac logon_info
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patches to backport to 4.2
bso11328-4.2.patch (text/plain), 2.88 KB, created by
Noel Power
on 2015-06-12 10:08:50 UTC
(
hide
)
Description:
patches to backport to 4.2
Filename:
MIME Type:
Creator:
Noel Power
Created:
2015-06-12 10:08:50 UTC
Size:
2.88 KB
patch
obsolete
>From 097f279dbe2ec6a9f3c54bb04fce18a6f7e6339f Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Wed, 10 Jun 2015 13:13:25 +0100 >Subject: [PATCH 1/2] kerberos auth info3 should contain resource group ids > available from pac_logon > >successful pam auth (e.g. from ssh) will cache group sids (but not any >resource group sids)) The subsequent cached entry used for groups lookups >can be missing those resource groups > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit efadcb31215f9ccaf7942341c698a8eb2ac166ce) >--- > source3/winbindd/winbindd_pam.c | 9 +++++++-- > 1 file changed, 7 insertions(+), 2 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 51dc2ea..fdbc5c0 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -581,6 +581,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > struct PAC_DATA_CTR *pac_data_ctr = NULL; > const char *local_service; > int i; >+ struct netr_SamInfo3 *info3_copy = NULL; > > *info3 = NULL; > >@@ -700,11 +701,15 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > break; > } > >- *info3 = &logon_info->info3; > > DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", > principal_s)); > >+ result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy); >+ if (!NT_STATUS_IS_OK(result)) { >+ goto failed; >+ } >+ > /* if we had a user's ccache then return that string for the pam > * environment */ > >@@ -740,7 +745,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > } > > } >- >+ *info3 = info3_copy; > return NT_STATUS_OK; > > failed: >-- >2.1.4 > > >From b3a48b7895e151015878c3ba1b6f0dabfb2ceb35 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 10 Jun 2015 16:31:21 -0700 >Subject: [PATCH 2/2] winbindd: winbindd_raw_kerberos_login - ensure logon_info > exists in PAC. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104 > >(cherry picked from commit 4c5fefe0723ae4cd3cacaabc5ae4c500d2306968) >--- > source3/winbindd/winbindd_pam.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index fdbc5c0..bed2220 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -701,6 +701,11 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > break; > } > >+ if (logon_info == NULL) { >+ DEBUG(10,("Missing logon_info in ticket of %s\n", >+ principal_s)); >+ return NT_STATUS_INVALID_PARAMETER; >+ } > > DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", > principal_s)); >-- >2.1.4 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
abartlet
:
review+
Actions:
View
Attachments on
bug 11328
: 11149 |
11150