The Samba-Bugzilla – Attachment 8158 Details for Bug 9125: The winbindd -n switch should not be obeyed for samlogon cache access
[patch]
Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
0001-Revert-s3-winbindd-make-sure-we-obey-the-n-switch-al.patch (text/plain), 3.79 KB, created by David Disseldorp on 2012-11-06 11:57:38 UTC
>From f72f8a2ca914be8186ed35d557112b55156b771e Mon Sep 17 00:00:00 2001 >From: David Disseldorp <ddiss@samba.org> >Date: Tue, 6 Nov 2012 12:29:24 +0100 >Subject: [PATCH 1/2] Revert "s3-winbindd: make sure we obey the -n switch > also for samlogon cache access." > >This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b. > >Bug 9125 analysis from Volker: > >The problem is that there are no network calls possible at all that >would do what the samlogon cache does for us. There is just no way to >retrieve the group membership in a complex trusted environment. If you >have just a single domain with Samba as domain controller it might be >possible, but even within a single domain it is not possible to >correctly retrieve all group memberships using LDAP calls due to ACLs on >directory objects. The call to get that is called NetSamLogon on the >NETLOGON pipe. But this call requires user credentials and might trigger >updating counts on the server. So to correctly implement wbinfo -r after >a user has logged in, you have two alternatives: Save the info3 struct >or the PAC in the netsamlogon cache. If you insist on doing network >calls, you need to cache the user credentials somewhere to re-do the >NetSamLogon call every time the wbinfo -r is requested. >--- > source3/winbindd/winbindd_ads.c | 2 +- > source3/winbindd/winbindd_cache.c | 4 ---- > source3/winbindd/winbindd_creds.c | 4 ---- > source3/winbindd/winbindd_msrpc.c | 6 ++---- > 4 files changed, 3 insertions(+), 13 deletions(-) > >diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c >index 628fd1c..a33aac2 100644 >--- a/source3/winbindd/winbindd_ads.c >+++ b/source3/winbindd/winbindd_ads.c 
>@@ -503,7 +503,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, > > /* try netsamlogon cache first */ > >- if (winbindd_use_cache() && (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL ) >+ if ( (user = netsamlogon_cache_get( mem_ctx, sid )) != NULL ) > { > DEBUG(5,("query_user: Cache lookup succeeded for %s\n", > sid_string_dbg(sid))); >diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c >index c79d3b6..517a302 100644 >--- a/source3/winbindd/winbindd_cache.c >+++ b/source3/winbindd/winbindd_cache.c >@@ -1302,10 +1302,6 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain, > uint32 rid; > fstring tmp; > >- if (!winbindd_use_cache()) { >- return NT_STATUS_OBJECT_NAME_NOT_FOUND; >- } >- > if (!cache->tdb) { > return NT_STATUS_INTERNAL_DB_ERROR; > } >diff --git a/source3/winbindd/winbindd_creds.c b/source3/winbindd/winbindd_creds.c >index a160f7a..6bbd0ff 100644 >--- a/source3/winbindd/winbindd_creds.c >+++ b/source3/winbindd/winbindd_creds.c >@@ -38,10 +38,6 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain, > struct netr_SamInfo3 *info; > NTSTATUS status; > >- if (!winbindd_use_cache()) { >- return NT_STATUS_OBJECT_NAME_NOT_FOUND; >- } >- > status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt); > if (!NT_STATUS_IS_OK(status)) { > return status; >diff --git a/source3/winbindd/winbindd_msrpc.c b/source3/winbindd/winbindd_msrpc.c >index 455de3d..39186f8 100644 >--- a/source3/winbindd/winbindd_msrpc.c >+++ b/source3/winbindd/winbindd_msrpc.c >@@ -407,7 +407,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain, > { > struct rpc_pipe_client *samr_pipe; > struct policy_handle dom_pol; >- struct netr_SamInfo3 *user = NULL; >+ struct netr_SamInfo3 *user; > TALLOC_CTX *tmp_ctx; > NTSTATUS status; 
> >@@ -425,9 +425,7 @@ static NTSTATUS msrpc_query_user(struct winbindd_domain *domain, > } > > /* try netsamlogon cache first */ >- if (winbindd_use_cache()) { >- user = netsamlogon_cache_get(tmp_ctx, user_sid); >- } >+ user = netsamlogon_cache_get(tmp_ctx, user_sid); > if (user != NULL) { > DEBUG(5,("msrpc_query_user: Cache lookup succeeded for %s\n", > sid_string_dbg(user_sid))); >-- >1.7.10.4 >
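Review bot: In the winbindd_ads.c hunk, nothing in the code records that query_user() now skips the winbindd_use_cache() test on purpose, and the reverted commit shows how easily a well-meant change puts the check back. Please extend the existing comment /* try netsamlogon cache first */ with a line saying the lookup is intentionally not gated on the -n switch and pointing at bug 9125. The same comment would help at the matching netsamlogon_cache_get() call in msrpc_query_user().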
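Review bot: In the winbindd_cache.c hunk, dropping the winbindd_use_cache() check from wcache_get_creds() lets cached credential lookups proceed even when winbindd runs with -n, while the commit message only argues for the samlogon cache (the info3 struct and group membership). Please state in the commit message why credential lookups should also ignore -n, or keep the check here and in winbindd_get_creds() and limit the revert to the two netsamlogon_cache_get() call sites.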
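Review bot: In the first winbindd_msrpc.c hunk (@@ -407), the revert also drops the NULL initializer from struct netr_SamInfo3 *user, which is unrelated to the -n behaviour. With the following hunk the pointer is assigned unconditionally before the if (user != NULL) test, so the visible lines are not wrong, but keeping the initializer costs nothing and protects any early-exit or cleanup path in msrpc_query_user() that lies outside the diff context. Suggest leaving the declaration as struct netr_SamInfo3 *user = NULL; and reverting only the cache check.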
Flags: kseeger: review?(gd); asn: review+