We should lookup and fill out he gecos field in case of a samlogon.
Our customer observed an issue with the winbind cache that resulted in an empty full_name/gecos field for an AD user that is _not_ using any POSIX sfu attributes. The problem occurs when using the default "template" nss info winbind method and there is a currently existing netsamlogon cache entry for this user (ie. the user has logged in). After the winbind cache time expires, the next user query will return with a NULL full_name field.
Patch currently under testing:
Marc, I worked on a dcerpc bug with Metze today. And as chance would have it, it is also the issue in 4.1 you discovered.
You need b5f30205931a4b9d0b3b257d5855869e606f8b63g and
(In reply to comment #2)
> Marc, I worked on a dcerpc bug with Metze today. And as chance would have it,
> it is also the issue in 4.1 you discovered.
> You need b5f30205931a4b9d0b3b257d5855869e606f8b63g and
This belongs to https://bugzilla.samba.org/show_bug.cgi?id=10481
Created attachment 10289 [details]
I've checked what we have to do to fully support this. It would mean porting gd's ndr talbe changes, the aes changes to the client then the schannel stuff from metze and finally the patches for the samlogon ex call in winbind for interactive logon.
I think it would be to big. So I ported the patches we have in our 3.6 tree to 4.1.
It needs a hack to reset the logon pipe to have the right session key. I'm not sure if this is acceptable but here is the patchset.
To workaround this case I have set the option "winbind rpc only = yes"
I've checked the source and think the problem where the NULL comes from is in
nss_info_template.c nss_template_get_info. Here gecos is set to NULL. This function in turn is called by winbindd_cache.c nss_get_info_cached (only if nothing is cached).
I also discovered that winbindd_ads.c uses nss_get_info_cached, but winbindd_msrpc.c/winbindd_rpc.c does not.
Created attachment 10392 [details]
allow giving nss_template_get_info a hint about the full_name (like for gid)
allow the gecos parameter of nss_*_get_info to be a hint.
make the callers aware of this fact.
this is a different approach solving same problem until the whole thing is refactored like proposed by Andreas Schneider.
Comment on attachment 10289 [details]
We can't use dcerpc_netr_LogonSamLogonEx and if (NT_STATUS_EQUAL(result, NT_STATUS_WRONG_PASSWORD)). We need to use dcerpc_netr_LogonSamLogon
with the credential step protection instead.
Created attachment 10438 [details]
Here is the complete patchset with all backports from master.
(In reply to Andreas Schneider from comment #9)
Do we really need all of this in v4-1-* ?
At least we need to change the defaults of some new options,
as we should not break existing 4.1 setups.
*** Bug 8459 has been marked as a duplicate of this bug. ***