From 397bc5da361f1d5c6c25fed86172d8fba264bc9d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 27 Sep 2016 15:04:49 -0700
Subject: [PATCH 1/2] s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the
 name2sid cache.

In addition to priming the netsamlogon cache.

This prevents a winbind AD-DC lookup for something
the PAC already told us.

Note we only do this in the case where the PAC successfully
passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/winbindd/winbindd_pam.c | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8ec4fe4..da874c7 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 	}
 
 	if (logon_info) {
-		/* Signature verification succeeded, trust the PAC */
+		/*
+		 * Signature verification succeeded, we can
+		 * trust the PAC and prime the netsamlogon
+		 * and name2sid caches. DO NOT DO THIS
+		 * in the signature verification failed
+		 * code path.
+		 */
+		struct winbindd_domain *domain = NULL;
+
 		result = create_info3_from_pac_logon_info(state->mem_ctx,
 							logon_info,
 							&info3_copy);
@@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 		}
 		netsamlogon_cache_store(NULL, info3_copy);
 
+		/*
+		 * We're in the parent here, so find the child
+		 * pointer from the PAC domain name.
+		 */
+		domain = find_domain_from_name_noinit(
+				info3_copy->base.logon_domain.string);
+		if (domain && domain->primary ) {
+			struct dom_sid user_sid;
+
+			sid_compose(&user_sid,
+				info3_copy->base.domain_sid,
+				info3_copy->base.rid);
+
+			cache_name2sid(domain,
+				info3_copy->base.logon_domain.string,
+				info3_copy->base.account_name.string,
+				SID_NAME_USER,
+				&user_sid);
+
+			DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+				info3_copy->base.logon_domain.string,
+				info3_copy->base.account_name.string,
+				sid_string_dbg(&user_sid));
+		}
+
 	} else {
 		/* Try without signature verification */
 		result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
-- 
2.7.4


From a183b36a6a0731cf088e8e49a952f9ccc6392c0f Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 26 Sep 2016 17:07:44 -0700
Subject: [PATCH 2/2] s3: auth: Use wbcAuthenticateUserEx to prime the caches.

Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass
the PAC to winbind from smbd on auth, this allows
winbind to prime the user info via netsamlogon_cache_store()
and the name2sid cache *before* smbd looks up the user.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/auth/auth_generic.c | 40 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 38 insertions(+), 2 deletions(-)

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 74eb2fa..8cda9a3 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -28,6 +28,7 @@
 #include "lib/param/param.h"
 #ifdef HAVE_KRB5
 #include "auth/kerberos/pac_utils.h"
+#include "nsswitch/libwbclient/wbclient.h"
 #endif
 #include "librpc/crypto/gse.h"
 #include "auth/credentials/credentials.h"
@@ -63,6 +64,42 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 
 	if (pac_blob) {
 #ifdef HAVE_KRB5
+		struct wbcAuthUserParams params = {};
+		struct wbcAuthUserInfo *info = NULL;
+		struct wbcAuthErrorInfo *err = NULL;
+		wbcErr wbc_err;
+
+		/*
+		 * Let winbind decode the PAC.
+		 * This will also store the user
+		 * data in the netsamlogon cache.
+		 *
+		 * We need to do this *before* we
+		 * call get_user_from_kerberos_info()
+		 * as that does a user lookup that
+		 * expects info in the netsamlogon cache.
+		 *
+		 * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259
+		 */
+		params.level = WBC_AUTH_USER_LEVEL_PAC;
+		params.password.pac.data = pac_blob->data;
+		params.password.pac.length = pac_blob->length;
+
+		become_root();
+		wbc_err = wbcAuthenticateUserEx(&params, &info, &err);
+		unbecome_root();
+
+		if (wbc_err == WBC_ERR_AUTH_ERROR) {
+			status = NT_STATUS(err->nt_status);
+			wbcFreeMemory(err);
+			goto done;
+		}
+
+		if (!WBC_ERROR_IS_OK(wbc_err)) {
+			status = NT_STATUS_LOGON_FAILURE;
+			goto done;
+		}
+
 		status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
 						 NULL, NULL, 0, &logon_info);
 #else
@@ -101,7 +138,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 		goto done;
 	}
 
-	/* save the PAC data if we have it */
+	/* Get the info3 from the PAC data if we have it */
 	if (logon_info) {
 		status = create_info3_from_pac_logon_info(tmp_ctx,
 					logon_info,
@@ -109,7 +146,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 		if (!NT_STATUS_IS_OK(status)) {
 			goto done;
 		}
-		netsamlogon_cache_store(ntuser, info3_copy);
 	}
 
 	/* setup the string used by %U */
-- 
2.7.4