authorVolker Lendecke <vl@samba.org>2010-02-16 23:29:48 +0100
committerVolker Lendecke <vl@samba.org>2010-02-17 11:32:30 +0100
commit8aef63d2430a3e96b1dbf3f6595bdf78f703c778 (patch)
tree77922e9ed20a2ad878710abd2ce12f38a4e02d40
parent3a9dc490b459514c2117572824dca3830c3a9951 (diff)
s3: Fix bug 7139
To provide the user with the same SID when doing Kerberos logins, attempt to do a make_server_info_sam instead of a make_server_info_pw.
-rw-r--r--source3/smbd/sesssetup.c34
1 files changed, 32 insertions, 2 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index ae99127db2..289055cc6b 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -486,10 +486,40 @@ static void reply_spnego_kerberos(struct smb_request *req,
}
} else {
- ret = make_server_info_pw(&server_info, real_username, pw);
+ /*
+ * We didn't get a PAC, we have to make up the user
+ * ourselves. Try to ask the pdb backend to provide
+ * SID consistency with ntlmssp session setup
+ */
+ struct samu *sampass;
+
+ sampass = samu_new(talloc_tos());
+ if (sampass == NULL) {
+ ret = NT_STATUS_NO_MEMORY;
+ data_blob_free(&ap_rep);
+ data_blob_free(&session_key);
+ TALLOC_FREE(mem_ctx);
+ reply_nterror(req, nt_status_squash(ret));
+ return;
+ }
+
+ if (pdb_getsampwnam(sampass, real_username)) {
+ DEBUG(10, ("found user %s in passdb, calling "
+ "make_server_info_sam\n", real_username));
+ ret = make_server_info_sam(&server_info, sampass);
+ } else {
+ /*
+ * User not in passdb, make it up artificially
+ */
+ TALLOC_FREE(sampass);
+ DEBUG(10, ("didn't find user %s in passdb, calling "
+ "make_server_info_pw\n", real_username));
+ ret = make_server_info_pw(&server_info, real_username,
+ pw);
+ }
if ( !NT_STATUS_IS_OK(ret) ) {
- DEBUG(1,("make_server_info_pw failed: %s!\n",
+ DEBUG(1,("make_server_info_[sam|pw] failed: %s!\n",
nt_errstr(ret)));
data_blob_free(&ap_rep);
data_blob_free(&session_key);
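Review bot: The `else` branch after `pdb_getsampwnam(sampass, real_username)` runs on any false return, so as far as this hunk shows, a passdb backend failure looks the same as a user who really is absent. The session then silently gets the made-up `make_server_info_pw` identity instead of the passdb SID this commit is trying to keep consistent. Because the SID determines what the session can access, the fallback should be visible at a normal log level, e.g. `DEBUG(3, ("didn't find user %s in passdb, calling make_server_info_pw\n", real_username));` rather than level 10, and the comment there could note that the resulting SID may differ from the one an NTLMSSP session setup yields. The shared `make_server_info_[sam|pw] failed` message also no longer says which path failed. reply_spnego_kerberos starts and ends outside the hunk.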