summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2006-02-07 17:55:17 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:09:57 -0500
commit3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb (patch)
tree71045d0d6dc0350eefd9d2eccb579e7ceb8111d3 /source3
parent88aae1a6e8c12bb933509ae36cb4a6cf2fc6602b (diff)
downloadsamba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.tar.gz
samba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.tar.bz2
samba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.zip
r13377: Fix from Volker: Make offline authentication work with NT4 as well
(handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
Diffstat (limited to 'source3')
-rw-r--r--source3/nsswitch/winbindd_cache.c8
-rw-r--r--source3/nsswitch/winbindd_pam.c14
2 files changed, 20 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 910e30b07e..297c608bc1 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -2048,6 +2048,14 @@ BOOL lookup_cached_name(TALLOC_CTX *mem_ctx,
return NT_STATUS_IS_OK(status);
}
+void cache_name2sid(struct winbindd_domain *domain,
+ const char *domain_name, const char *name,
+ enum SID_NAME_USE type, const DOM_SID *sid)
+{
+ wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
+ sid, type);
+}
+
/* delete all centries that don't have NT_STATUS_OK set */
static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
TDB_DATA dbuf, void *state)
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index fc8d0885fc..264134570a 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -734,13 +734,17 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
if (my_info3->acct_flags & ACB_DOMTRUST) {
return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
}
-
+#if 0
+ /* The info3 acct_flags in NT4's samlogon reply don't have
+ * ACB_NORMAL set. Disable this paranoia check until we
+ * can research this more - Guenther */
+
if (!(my_info3->acct_flags & ACB_NORMAL)) {
DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n",
my_info3->acct_flags));
return NT_STATUS_LOGON_FAILURE;
}
-
+#endif
kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
if (kickoff_time != 0 && time(NULL) > kickoff_time) {
return NT_STATUS_ACCOUNT_EXPIRED;
@@ -1116,9 +1120,15 @@ process_result:
if (NT_STATUS_IS_OK(result)) {
+ DOM_SID user_sid;
+
netsamlogon_cache_store(name_user, info3);
wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+ /* save name_to_sid info as early as possible */
+ sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
+ cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
+
/* Check if the user is in the right group */
if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,