diff options
author | Gerald Carter <jerry@samba.org> | 2006-08-31 18:32:23 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:39:44 -0500 |
commit | e53dfa1f4a1162b814ea7dc23c7c603d1c6c4908 (patch) | |
tree | 760913720db2f57c5f32f46cd065c6b9b529ddbf /source3 | |
parent | 305ceade3905dad45eac2f407dd8f56a9979cf1c (diff) | |
download | samba-e53dfa1f4a1162b814ea7dc23c7c603d1c6c4908.tar.gz samba-e53dfa1f4a1162b814ea7dc23c7c603d1c6c4908.tar.bz2 samba-e53dfa1f4a1162b814ea7dc23c7c603d1c6c4908.zip |
r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid/gid cache. FIxes a bug in token creation
(This used to be commit fa05708789654a8a34cb4a4068514a0b3d950653)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/libads/kerberos_verify.c | 12 | ||||
-rw-r--r-- | source3/passdb/lookup_sid.c | 10 |
2 files changed, 17 insertions, 5 deletions
diff --git a/source3/libads/kerberos_verify.c b/source3/libads/kerberos_verify.c index 3aa0860809..cff007db47 100644 --- a/source3/libads/kerberos_verify.c +++ b/source3/libads/kerberos_verify.c @@ -376,13 +376,15 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx, goto out; } - if (lp_use_kerberos_keytab()) { + /* always check secrets first in order to prevent hitting the + keytab until really necessary */ + + auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, + ticket, &packet, &tkt, &keyblock); + + if (!auth_ok && lp_use_kerberos_keytab()) { auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, &keyblock); } - if (!auth_ok) { - auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ, - ticket, &packet, &tkt, &keyblock); - } release_server_mutex(); got_replay_mutex = False; diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 03fe58bc27..dbd466fe40 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -999,6 +999,11 @@ void store_uid_sid_cache(const DOM_SID *psid, uid_t uid) { struct uid_sid_cache *pc; + /* do not store SIDs in the "Unix Group" domain */ + + if ( sid_check_is_in_unix_users( psid ) ) + return; + if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) { /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */ struct uid_sid_cache *pc_next; @@ -1070,6 +1075,11 @@ static BOOL fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid) void store_gid_sid_cache(const DOM_SID *psid, gid_t gid) { struct gid_sid_cache *pc; + + /* do not store SIDs in the "Unix Group" domain */ + + if ( sid_check_is_in_unix_groups( psid ) ) + return; if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) { /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */ |