From 3ad6e4d2790d8beea8227db3fe7ed05a9b0a2eeb Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Tue, 7 Feb 2006 17:55:17 +0000
Subject: r13377: Fix from Volker: Make offline authentication work with NT4 as well (handle no ACB_NORMAL flag and save name2sid as early as possible). Guenther (This used to be commit a04a5e40b774b7fe535e9cbbabddf94ee5578005)
---
 source3/nsswitch/winbindd_cache.c | 8 ++++++++
 source3/nsswitch/winbindd_pam.c | 14 ++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
(limited to 'source3/nsswitch')
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 910e30b07e..297c608bc1 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -2048,6 +2048,14 @@ BOOL lookup_cached_name(TALLOC_CTX *mem_ctx,
 return NT_STATUS_IS_OK(status);
 }
+void cache_name2sid(struct winbindd_domain *domain,
+ const char *domain_name, const char *name,
+ enum SID_NAME_USE type, const DOM_SID *sid)
+{
+ wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
+ sid, type);
+}
+
 /* delete all centries that don't have NT_STATUS_OK set */
 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state)
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index fc8d0885fc..264134570a 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
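Review bot: The new `cache_name2sid()` in winbindd_cache.c has no comment, and it needs one because it hard-codes `NT_STATUS_OK` in its call to `wcache_save_name_to_sid()`, so every call writes a positive name-to-SID entry with no lookup status to qualify it. A header comment such as `/* Store a known-good name -> SID mapping; pass only a SID taken from a reply that has already been validated. */` would state that contract for future callers. `domain` and `sid` are forwarded without a NULL check, and the callee is not visible in this hunk, so the comment should also say whether both must be non-NULL.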
@@ -734,13 +734,17 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain,
 if (my_info3->acct_flags & ACB_DOMTRUST) {
 return NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT;
 }
-
+#if 0
+ /* The info3 acct_flags in NT4's samlogon reply don't have
+ * ACB_NORMAL set. Disable this paranoia check until we
+ * can research this more - Guenther */
+
 if (!(my_info3->acct_flags & ACB_NORMAL)) {
 DEBUG(10,("winbindd_dual_pam_auth_cached: whats wrong with that one?: 0x%08x\n", my_info3->acct_flags));
 return NT_STATUS_LOGON_FAILURE;
 }
-
+#endif
 kickoff_time = nt_time_to_unix(&my_info3->kickoff_time);
 if (kickoff_time != 0 && time(NULL) > kickoff_time) {
 return NT_STATUS_ACCOUNT_EXPIRED;
@@ -1116,9 +1120,15 @@ process_result:
 if (NT_STATUS_IS_OK(result)) {
+ DOM_SID user_sid;
+
 netsamlogon_cache_store(name_user, info3);
 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+ /* save name_to_sid info as early as possible */
+ sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid);
+ cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid);
+
 /* Check if the user is in the right group */
 if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, info3,
--
cgit
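Review bot: Wrapping the `ACB_NORMAL` test in `#if 0` in winbindd_dual_pam_auth_cached() removes the rejection and also the only log line that recorded an unexpected `acct_flags` value, so a cached logon whose flags lack `ACB_NORMAL` is now accepted with no trace. Only the `ACB_DOMTRUST` rejection is visible above it, and the function starts and ends outside this hunk, so it cannot be confirmed from here that the remaining checks cover every non-user account type. Keeping a non-fatal diagnostic outside the disabled block would preserve the evidence needed for the follow-up the comment promises, for example `if (!(my_info3->acct_flags & ACB_NORMAL)) DEBUG(3,("winbindd_dual_pam_auth_cached: cached acct_flags lack ACB_NORMAL: 0x%08x\n", my_info3->acct_flags));`. The comment should also name the condition under which the check can be re-enabled, since `#if 0` blocks tend to outlive their reason.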
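Review bot: In the second hunk (the `process_result:` success path) the result of `sid_compose()` is discarded, so if composing the SID from `info3->dom_sid.sid` and `info3->user_rid` fails, whatever is left in `user_sid` is still written to the cache as a valid user mapping by `cache_name2sid()`. Assuming `sid_compose()` reports failure through its return value, which this hunk does not show, the store should be conditional: `if (sid_compose(&user_sid, &info3->dom_sid.sid, info3->user_rid)) { cache_name2sid(domain, name_domain, name_user, SID_NAME_USER, &user_sid); }`. The entry is saved under `domain`, while the line above resolves `find_domain_from_name(name_domain)`; it is worth confirming the two always refer to the same domain, or saying in the comment why they may differ. The enclosing function starts and ends outside the hunk.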