diff options
author | Günther Deschner <gd@samba.org> | 2006-02-07 17:55:17 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:09:57 -0500 |
commit | 3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb (patch) | |
tree | 71045d0d6dc0350eefd9d2eccb579e7ceb8111d3 /source3 | |
parent | 88aae1a6e8c12bb933509ae36cb4a6cf2fc6602b (diff) | |
download | samba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.tar.gz samba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.tar.bz2 samba-3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb.zip |
r13377: Fix from Volker: Make offline authentication work with NT4 as well
(handle no ACB_NORMAL flag and save name2sid as early as possible).
Guenther
(This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/nsswitch/winbindd_cache.c | 8 | ||||
-rw-r--r-- | source3/nsswitch/winbindd_pam.c | 14 |
2 files changed, 20 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 910e30b07e..297c608bc1 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -2048,6 +2048,14 @@ BOOL lookup_cached_name(TALLOC_CTX *mem_ctx, return NT_STATUS_IS_OK(status); } +void cache_name2sid(struct winbindd_domain *domain, + const char *domain_name, const char *name, + enum SID_NAME_USE type, const DOM_SID *sid) +{ + wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name, + sid, type); +} + /* delete all centries that don't have NT_STATUS_OK set */ static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state) diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index fc8d0885fc..264134570a 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -734,13 +734,17 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, if (my_info3->acct_flags & ACB_DOMTRUST) { return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT; } - +#if 0 + /* The info3 acct_flags in NT4's samlogon reply don't have + * ACB_NORMAL set. Disable this paranoia check until we + * can research this more - Guenther */ + if (!(my_info3->acct_flags & ACB_NORMAL)) { DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", my_info3->acct_flags)); return NT_STATUS_LOGON_FAILURE; } - +#endif kickoff_time = nt_time_to_unix(&my_info3->kickoff_time); if (kickoff_time != 0 && time(NULL) > kickoff_time) { return NT_STATUS_ACCOUNT_EXPIRED; @@ -1116,9 +1120,15 @@ process_result: if (NT_STATUS_IS_OK(result)) { + DOM_SID user_sid; + netsamlogon_cache_store(name_user, info3); wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3); + /* save name_to_sid info as early as possible */ + sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid); + cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid); + /* Check if the user is in the right group */ if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3, |