From 9f24ac137eec3856d0fda09e0ae094d4d6ac0ebc Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 26 Sep 2016 17:07:44 -0700
Subject: [PATCH] s3: auth: Use wbcAuthenticateUserEx to prime the netsamlogon
 cache.

Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass
the PAC to winbind from smbd on auth, this allows
winbind to prime the user info via netsamlogon_cache_store()
*before* smbd looks up the user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/auth/auth_generic.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 74eb2fa..8cda9a3 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -28,6 +28,7 @@
 #include "lib/param/param.h"
 #ifdef HAVE_KRB5
 #include "auth/kerberos/pac_utils.h"
+#include "nsswitch/libwbclient/wbclient.h"
 #endif
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
@@ -63,6 +64,42 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	if (pac_blob) {
 #ifdef HAVE_KRB5
+		struct wbcAuthUserParams params = {};
+		struct wbcAuthUserInfo *info = NULL;
+		struct wbcAuthErrorInfo *err = NULL;
+		wbcErr wbc_err;
+
+		/*
+		 * Let winbind decode the PAC.
+		 * This will also store the user
+		 * data in the netsamlogon cache.
+		 *
+		 * We need to do this *before* we
+		 * call get_user_from_kerberos_info()
+		 * as that does a user lookup that
+		 * expects info in the netsamlogon cache.
+		 *
+		 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
+		 */
+		params.level = WBC_AUTH_USER_LEVEL_PAC;
+		params.password.pac.data = pac_blob->data;
+		params.password.pac.length = pac_blob->length;
+
+		become_root();
+		wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
+		unbecome_root();
+
+		if (wbc_err == WBC_ERR_AUTH_ERROR) {
+			status = NT_STATUS(err->nt_status);
+			wbcFreeMemory(err);
+			goto done;
+		}
+
+		if (!WBC_ERROR_IS_OK(wbc_err)) {
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
+		}
+
 		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
 						 NULL, NULL, 0, &logon_info);
 #else
@@ -101,7 +138,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 		goto done;
 	}
 
-	/* save the PAC data if we have it */
+	/* Get the info3 from the PAC data if we have it */
 	if (logon_info) {
 		status = create_info3_from_pac_logon_info(tmp_ctx,
 					logon_info,
@@ -109,7 +146,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
-		netsamlogon_cache_store(ntuser, info3_copy);
 	}
 
 	/* setup the string used by %U */
-- 
2.7.4