The Samba-Bugzilla – Attachment 11150 Details for
Bug 11328
we should use resource group sids obtained from pac logon_info
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patches to backport to 4.1
bso11328-4.1.patch (text/plain), 16.95 KB, created by
Noel Power
on 2015-06-12 10:09:21 UTC
(
hide
)
Description:
patches to backport to 4.1
Filename:
MIME Type:
Creator:
Noel Power
Created:
2015-06-12 10:09:21 UTC
Size:
16.95 KB
patch
obsolete
>From 26feb73fcf4482c7511219064db2ab0d93f7e9ed Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Thu, 11 Jun 2015 18:16:01 +0100 >Subject: [PATCH 1/7] s3: auth: Add some const to the struct netr_SamInfo3 * > arguments of copy_netr_SamInfo3() and make_server_info_info3() > >Both functions only read from the struct netr_SamInfo3 * argument. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> >Reviewed-by: Simo Sorce <idra@samba.org> >(cherry picked from commit c2411767adb5ce48a4619349075f6f8faae41aab) > > Conflicts: > source3/auth/proto.h > source3/auth/server_info.c >--- > source3/auth/auth_util.c | 2 +- > source3/auth/proto.h | 4 ++-- > source3/auth/server_info.c | 2 +- > 3 files changed, 4 insertions(+), 4 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index ceaa706..afa78ec 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1369,7 +1369,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > const char *sent_nt_username, > const char *domain, > struct auth_serversupplied_info **server_info, >- struct netr_SamInfo3 *info3) >+ const struct netr_SamInfo3 *info3) > { > static const char zeros[16] = {0, }; > >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 76661fc..6ec206e 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -232,7 +232,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > const char *sent_nt_username, > const char *domain, > struct auth_serversupplied_info **server_info, >- struct netr_SamInfo3 *info3); >+ const struct netr_SamInfo3 *info3); > struct wbcAuthUserInfo; > NTSTATUS make_server_info_wbcAuthUserInfo(TALLOC_CTX *mem_ctx, > const char *sent_nt_username, >@@ -287,7 +287,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > struct netr_SamInfo3 **_info3, > struct extra_auth_info *extra); > struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, >- struct netr_SamInfo3 *orig); >+ const struct netr_SamInfo3 *orig); > struct netr_SamInfo3 *wbcAuthUserInfo_to_netr_SamInfo3(TALLOC_CTX *mem_ctx, > const struct wbcAuthUserInfo *info); > >diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c >index d2b7d6e..066b9a8 100644 >--- a/source3/auth/server_info.c >+++ b/source3/auth/server_info.c >@@ -445,7 +445,7 @@ NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > } } while(0) > > struct netr_SamInfo3 *copy_netr_SamInfo3(TALLOC_CTX *mem_ctx, >- struct netr_SamInfo3 *orig) >+ const struct netr_SamInfo3 *orig) > { > struct netr_SamInfo3 *info3; > unsigned int i; >-- >2.1.4 > > >From df68261466f0ed23b9d89a6d5af8d0ba3ad9e794 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Jun 2014 22:54:45 -0700 >Subject: [PATCH 2/7] s3: auth: Change make_server_info_info3() to take a const > struct netr_SamInfo3 pointer instead of a struct PAC_LOGON_INFO. > >make_server_info_info3() only reads from the info3 pointer. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> >Reviewed-by: Simo Sorce <idra@samba.org> >(cherry picked from commit 527f7b54388713acaaf7b66c718cc0f7114fc368) >--- > source3/auth/auth_generic.c | 2 +- > source3/auth/proto.h | 2 +- > source3/auth/user_krb5.c | 8 ++++---- > 3 files changed, 6 insertions(+), 6 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index a2ba4e3..2880bc9 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -112,7 +112,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > status = make_session_info_krb5(mem_ctx, > ntuser, ntdomain, username, pw, >- logon_info, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, >+ &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, > session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 6ec206e..75d1097 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -357,7 +357,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, > DATA_BLOB *session_key, > struct auth_session_info **session_info); >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index 974a8aa..0a538b4 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -186,7 +186,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, > DATA_BLOB *session_key, > struct auth_session_info **session_info) >@@ -202,14 +202,14 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > return status; > } > >- } else if (logon_info) { >+ } else if (info3) { > /* pass the unmapped username here since map_username() > will be called again in make_server_info_info3() */ > > status = make_server_info_info3(mem_ctx, > ntuser, ntdomain, > &server_info, >- &logon_info->info3); >+ info3); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("make_server_info_info3 failed: %s!\n", > nt_errstr(status))); >@@ -299,7 +299,7 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx, > char *ntdomain, > char *username, > struct passwd *pw, >- struct PAC_LOGON_INFO *logon_info, >+ const struct netr_SamInfo3 *info3, > bool mapped_to_guest, bool username_was_mapped, > DATA_BLOB *session_key, > struct auth_session_info **session_info) >-- >2.1.4 > > >From b89662f447d1db771be1be326a1eb2dbff268fcd Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Jun 2014 23:11:58 -0700 >Subject: [PATCH 3/7] s3: auth: Add create_info3_from_pac_logon_info() to > create a new info3 and merge resource group SIDs into it. > >Originally written by Richard Sharpe Richard Sharpe <realrichardsharpe@gmail.com>. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> >Reviewed-by: Simo Sorce <idra@samba.org> >(cherry picked from commit db775c68ccbed0252abf092b5cb811e8f5fa9bb6) >--- > source3/auth/proto.h | 3 ++ > source3/auth/server_info.c | 77 ++++++++++++++++++++++++++++++++++++++++++++++ > 2 files changed, 80 insertions(+) > >diff --git a/source3/auth/proto.h b/source3/auth/proto.h >index 75d1097..cc51698 100644 >--- a/source3/auth/proto.h >+++ b/source3/auth/proto.h >@@ -281,6 +281,9 @@ NTSTATUS serverinfo_to_SamInfo3(const struct auth_serversupplied_info *server_in > struct netr_SamInfo3 *sam3); > NTSTATUS serverinfo_to_SamInfo6(struct auth_serversupplied_info *server_info, > struct netr_SamInfo6 *sam6); >+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, >+ const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 **pp_info3); > NTSTATUS samu_to_SamInfo3(TALLOC_CTX *mem_ctx, > struct samu *samu, > const char *login_server, >diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c >index 066b9a8..dc84794 100644 >--- a/source3/auth/server_info.c >+++ b/source3/auth/server_info.c >@@ -252,6 +252,83 @@ static NTSTATUS group_sids_to_info3(struct netr_SamInfo3 *info3, > return NT_STATUS_OK; > } > >+/* >+ * Merge resource SIDs, if any, into the passed in info3 structure. >+ */ >+ >+static NTSTATUS merge_resource_sids(const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 *info3) >+{ >+ uint32_t i = 0; >+ >+ if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) { >+ return NT_STATUS_OK; >+ } >+ >+ /* >+ * If there are any resource groups (SID Compression) add >+ * them to the extra sids portion of the info3 in the PAC. >+ * >+ * This makes the info3 look like it would if we got the info >+ * from the DC rather than the PAC. >+ */ >+ >+ /* >+ * Construct a SID for each RID in the list and then append it >+ * to the info3. >+ */ >+ for (i = 0; i < logon_info->res_groups.count; i++) { >+ NTSTATUS status; >+ struct dom_sid new_sid; >+ uint32_t attributes = logon_info->res_groups.rids[i].attributes; >+ >+ sid_compose(&new_sid, >+ logon_info->res_group_dom_sid, >+ logon_info->res_groups.rids[i].rid); >+ >+ DEBUG(10, ("Adding SID %s to extra SIDS\n", >+ sid_string_dbg(&new_sid))); >+ >+ status = append_netr_SidAttr(info3, &info3->sids, >+ &info3->sidcount, >+ &new_sid, >+ attributes); >+ if (!NT_STATUS_IS_OK(status)) { >+ DEBUG(1, ("failed to append SID %s to extra SIDS: %s\n", >+ sid_string_dbg(&new_sid), >+ nt_errstr(status))); >+ return status; >+ } >+ } >+ >+ return NT_STATUS_OK; >+} >+ >+/* >+ * Create a copy of an info3 struct from the struct PAC_LOGON_INFO, >+ * then merge resource SIDs, if any, into it. If successful return >+ * the created info3 struct. >+ */ >+ >+NTSTATUS create_info3_from_pac_logon_info(TALLOC_CTX *mem_ctx, >+ const struct PAC_LOGON_INFO *logon_info, >+ struct netr_SamInfo3 **pp_info3) >+{ >+ NTSTATUS status; >+ struct netr_SamInfo3 *info3 = copy_netr_SamInfo3(mem_ctx, >+ &logon_info->info3); >+ if (info3 == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ status = merge_resource_sids(logon_info, info3); >+ if (!NT_STATUS_IS_OK(status)) { >+ TALLOC_FREE(info3); >+ return status; >+ } >+ *pp_info3 = info3; >+ return NT_STATUS_OK; >+} >+ > #define RET_NOMEM(ptr) do { \ > if (!ptr) { \ > TALLOC_FREE(info3); \ >-- >2.1.4 > > >From 98471f3a6947e951a215b6ed6def9a6e58899941 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Jun 2014 23:15:21 -0700 >Subject: [PATCH 4/7] s3: auth: Change auth3_generate_session_info_pac() to use > a copy of the info3 struct from the struct PAC_LOGON_INFO. > >Call create_info3_from_pac_logon_info() to add in any resource SIDs >from the struct PAC_LOGON_INFO to the info3. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> >Reviewed-by: Simo Sorce <idra@samba.org> >(cherry picked from commit 0e5a9f44e4b08b93bc4b501d1e14b59ed7b3647c) >--- > source3/auth/auth_generic.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index 2880bc9..f841f0c 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > { > TALLOC_CTX *tmp_ctx; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > bool is_mapped; > bool is_guest; > char *ntuser; >@@ -101,7 +102,13 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > /* save the PAC data if we have it */ > if (logon_info) { >- netsamlogon_cache_store(ntuser, &logon_info->info3); >+ status = create_info3_from_pac_logon_info(tmp_ctx, >+ logon_info, >+ &info3_copy); >+ if (!NT_STATUS_IS_OK(status)) { >+ goto done; >+ } >+ netsamlogon_cache_store(ntuser, info3_copy); > } > > /* setup the string used by %U */ >@@ -112,7 +119,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > status = make_session_info_krb5(mem_ctx, > ntuser, ntdomain, username, pw, >- &logon_info->info3, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, >+ info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, > session_info); > if (!NT_STATUS_IS_OK(status)) { > DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", >-- >2.1.4 > > >From 920628819127ce1e59ecef2bc50276e898f24888 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 16 Jun 2014 23:27:35 -0700 >Subject: [PATCH 5/7] s3: auth: Fix winbindd_pam_auth_pac_send() to create a > new info3 and merge in resource groups from a trusted PAC. > >Based on a patch from Richard Sharpe <realrichardsharpe@gmail.com>. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Richard Sharpe <realrichardsharpe@gmail.com> >Reviewed-by: Simo Sorce <idra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Jun 18 03:30:36 CEST 2014 on sn-devel-104 > >(cherry picked from commit e907f8415639d2a7cbc1cc2e40e2e35bfa0024de) >--- > source3/winbindd/winbindd_pam.c | 24 ++++++++++++++++++++++-- > 1 file changed, 22 insertions(+), 2 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index c356686..0f1ca28 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -2421,6 +2421,7 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, > struct winbindd_request *req = state->request; > DATA_BLOB pac_blob; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > NTSTATUS result; > > pac_blob = data_blob_const(req->extra_data.data, req->extra_len); >@@ -2434,7 +2435,13 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, > > if (logon_info) { > /* Signature verification succeeded, trust the PAC */ >- netsamlogon_cache_store(NULL, &logon_info->info3); >+ result = create_info3_from_pac_logon_info(state->mem_ctx, >+ logon_info, >+ &info3_copy); >+ if (!NT_STATUS_IS_OK(result)) { >+ return result; >+ } >+ netsamlogon_cache_store(NULL, info3_copy); > > } else { > /* Try without signature verification */ >@@ -2446,9 +2453,22 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, > nt_errstr(result))); > return result; > } >+ if (logon_info) { >+ /* >+ * Don't strictly need to copy here, >+ * but it makes it explicit we're >+ * returning a copy talloc'ed off >+ * the state->mem_ctx. >+ */ >+ info3_copy = copy_netr_SamInfo3(state->mem_ctx, >+ &logon_info->info3); >+ if (info3_copy == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ } > } > >- *info3 = &logon_info->info3; >+ *info3 = info3_copy; > > return NT_STATUS_OK; > } >-- >2.1.4 > > >From 7cdff6ec40de1eeaaa97d3aaf315cf806e0557d2 Mon Sep 17 00:00:00 2001 >From: Noel Power <noel.power@suse.com> >Date: Wed, 10 Jun 2015 13:13:25 +0100 >Subject: [PATCH 6/7] kerberos auth info3 should contain resource group ids > available from pac_logon > >successful pam auth (e.g. from ssh) will cache group sids (but not any >resource group sids)) The subsequent cached entry used for groups lookups >can be missing those resource groups > >Signed-off-by: Noel Power <noel.power@suse.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit efadcb31215f9ccaf7942341c698a8eb2ac166ce) > >Conflicts: > source3/winbindd/winbindd_pam.c >--- > source3/winbindd/winbindd_pam.c | 10 +++++++--- > 1 file changed, 7 insertions(+), 3 deletions(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 0f1ca28..272663b 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > time_t time_offset = 0; > const char *user_ccache_file; > struct PAC_LOGON_INFO *logon_info = NULL; >+ struct netr_SamInfo3 *info3_copy = NULL; > > *info3 = NULL; > >@@ -664,11 +665,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > goto failed; > } > >- *info3 = &logon_info->info3; >- > DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", > principal_s)); > >+ result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy); >+ if (!NT_STATUS_IS_OK(result)) { >+ goto failed; >+ } >+ > /* if we had a user's ccache then return that string for the pam > * environment */ > >@@ -704,7 +708,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > } > > } >- >+ *info3 = info3_copy; > return NT_STATUS_OK; > > failed: >-- >2.1.4 > > >From d547fbb5224a157a40b0018c9027be63521c0b57 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Wed, 10 Jun 2015 16:31:21 -0700 >Subject: [PATCH 7/7] winbindd: winbindd_raw_kerberos_login - ensure logon_info > exists in PAC. > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> > >Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> >Autobuild-Date(master): Thu Jun 11 07:30:38 CEST 2015 on sn-devel-104 > >(cherry picked from commit 4c5fefe0723ae4cd3cacaabc5ae4c500d2306968) > >Conflicts: > source3/winbindd/winbindd_pam.c >--- > source3/winbindd/winbindd_pam.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 272663b..3fb88d6 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -665,6 +665,12 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx, > goto failed; > } > >+ if (logon_info == NULL) { >+ DEBUG(10,("Missing logon_info in ticket of %s\n", >+ principal_s)); >+ return NT_STATUS_INVALID_PARAMETER; >+ } >+ > DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n", > principal_s)); > >-- >2.1.4 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
jra
:
review+
abartlet
:
review+
Actions:
View
Attachments on
bug 11328
:
11149
| 11150