The Samba-Bugzilla – Attachment 12515 Details for
Bug 11259
smbd contacts a domain controller for each session
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
git-am patch for master
bug-11259 (text/plain), 5.09 KB, created by
Jeremy Allison
on 2016-09-28 00:41:14 UTC
(
hide
)
Description:
git-am patch for master
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2016-09-28 00:41:14 UTC
Size:
5.09 KB
patch
obsolete
>From 397bc5da361f1d5c6c25fed86172d8fba264bc9d Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 27 Sep 2016 15:04:49 -0700 >Subject: [PATCH 1/2] s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the > name2sid cache. > >In addition to priming the netsamlogon cache. > >This prevents a winbind AD-DC lookup for something >the PAC already told us. > >Note we only do this in the case where the PAC successfully >passed signature verification. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/winbindd/winbindd_pam.c | 35 ++++++++++++++++++++++++++++++++++- > 1 file changed, 34 insertions(+), 1 deletion(-) > >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index 8ec4fe4..da874c7 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, > } > > if (logon_info) { >- /* Signature verification succeeded, trust the PAC */ >+ /* >+ * Signature verification succeeded, we can >+ * trust the PAC and prime the netsamlogon >+ * and name2sid caches. DO NOT DO THIS >+ * in the signature verification failed >+ * code path. >+ */ >+ struct winbindd_domain *domain = NULL; >+ > result = create_info3_from_pac_logon_info(state->mem_ctx, > logon_info, > &info3_copy); >@@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state, > } > netsamlogon_cache_store(NULL, info3_copy); > >+ /* >+ * We're in the parent here, so find the child >+ * pointer from the PAC domain name. >+ */ >+ domain = find_domain_from_name_noinit( >+ info3_copy->base.logon_domain.string); >+ if (domain && domain->primary ) { >+ struct dom_sid user_sid; >+ >+ sid_compose(&user_sid, >+ info3_copy->base.domain_sid, >+ info3_copy->base.rid); >+ >+ cache_name2sid(domain, >+ info3_copy->base.logon_domain.string, >+ info3_copy->base.account_name.string, >+ SID_NAME_USER, >+ &user_sid); >+ >+ DBG_INFO("PAC for user %s\%s SID %s primed cache\n", >+ info3_copy->base.logon_domain.string, >+ info3_copy->base.account_name.string, >+ sid_string_dbg(&user_sid)); >+ } >+ > } else { > /* Try without signature verification */ > result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL, >-- >2.7.4 > > >From a183b36a6a0731cf088e8e49a952f9ccc6392c0f Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Mon, 26 Sep 2016 17:07:44 -0700 >Subject: [PATCH 2/2] s3: auth: Use wbcAuthenticateUserEx to prime the caches. > >Idea by Volker - use WBC_AUTH_USER_LEVEL_PAC to pass >the PAC to winbind from smbd on auth, this allows >winbind to prime the user info via netsamlogon_cache_store() >and the name2sid cache *before* smbd looks up the user. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 > >Signed-off-by: Jeremy Allison <jra@samba.org> >--- > source3/auth/auth_generic.c | 40 ++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 38 insertions(+), 2 deletions(-) > >diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c >index 74eb2fa..8cda9a3 100644 >--- a/source3/auth/auth_generic.c >+++ b/source3/auth/auth_generic.c >@@ -28,6 +28,7 @@ > #include "lib/param/param.h" > #ifdef HAVE_KRB5 > #include "auth/kerberos/pac_utils.h" >+#include "nsswitch/libwbclient/wbclient.h" > #endif > #include "librpc/crypto/gse.h" > #include "auth/credentials/credentials.h" >@@ -63,6 +64,42 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > > if (pac_blob) { > #ifdef HAVE_KRB5 >+ struct wbcAuthUserParams params = {}; >+ struct wbcAuthUserInfo *info = NULL; >+ struct wbcAuthErrorInfo *err = NULL; >+ wbcErr wbc_err; >+ >+ /* >+ * Let winbind decode the PAC. >+ * This will also store the user >+ * data in the netsamlogon cache. >+ * >+ * We need to do this *before* we >+ * call get_user_from_kerberos_info() >+ * as that does a user lookup that >+ * expects info in the netsamlogon cache. >+ * >+ * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 >+ */ >+ params.level = WBC_AUTH_USER_LEVEL_PAC; >+ params.password.pac.data = pac_blob->data; >+ params.password.pac.length = pac_blob->length; >+ >+ become_root(); >+ wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); >+ unbecome_root(); >+ >+ if (wbc_err == WBC_ERR_AUTH_ERROR) { >+ status = NT_STATUS(err->nt_status); >+ wbcFreeMemory(err); >+ goto done; >+ } >+ >+ if (!WBC_ERROR_IS_OK(wbc_err)) { >+ status = NT_STATUS_LOGON_FAILURE; >+ goto done; >+ } >+ > status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, > NULL, NULL, 0, &logon_info); > #else >@@ -101,7 +138,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > goto done; > } > >- /* save the PAC data if we have it */ >+ /* Get the info3 from the PAC data if we have it */ > if (logon_info) { > status = create_info3_from_pac_logon_info(tmp_ctx, > logon_info, >@@ -109,7 +146,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, > if (!NT_STATUS_IS_OK(status)) { > goto done; > } >- netsamlogon_cache_store(ntuser, info3_copy); > } > > /* setup the string used by %U */ >-- >2.7.4 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Actions:
View
Attachments on
bug 11259
:
11025
|
11026
|
11027
|
11028
|
11043
|
11044
|
11045
|
11047
|
11049
|
11050
|
11053
|
11059
|
11060
|
11061
|
11062
|
12513
|
12514
|
12515
|
12516
|
12553
|
12586