r17971: Disable storing SIDs in the S-1-22-1 and S-1-22-2 domain to the SID<->uid...
authorGerald Carter <jerry@samba.org>
Thu, 31 Aug 2006 18:32:23 +0000 (18:32 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:39:44 +0000 (11:39 -0500)
source/libads/kerberos_verify.c
source/passdb/lookup_sid.c

index 3aa0860809d39692ab612483107d83d7e9ccffc3..cff007db47650f4d84c28f927fbbda89caf064de 100644 (file)
@@ -376,13 +376,15 @@ NTSTATUS ads_verify_ticket(TALLOC_CTX *mem_ctx,
                goto out;
        }
 
-       if (lp_use_kerberos_keytab()) {
+       /* always check secrets first in order to prevent hitting the 
+          keytab until really necessary */
+
+       auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
+                                           ticket, &packet, &tkt, &keyblock);
+
+       if (!auth_ok && lp_use_kerberos_keytab()) {
                auth_ok = ads_keytab_verify_ticket(context, auth_context, ticket, &packet, &tkt, &keyblock);
        }
-       if (!auth_ok) {
-               auth_ok = ads_secrets_verify_ticket(context, auth_context, host_princ,
-                                                   ticket, &packet, &tkt, &keyblock);
-       }
 
        release_server_mutex();
        got_replay_mutex = False;
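Review bot: Now that the secrets path runs first unconditionally, a failed ads_secrets_verify_ticket() is immediately followed by ads_keytab_verify_ticket() writing into the same `packet`, `tkt` and `keyblock` out-parameters; if the secrets helper allocates any of them before returning failure, that first attempt's results are overwritten and leak — worth confirming in the helper, which is outside this hunk. The added comment also carries trailing whitespace on its first line and two blank `+` lines around the call; a tighter form would be `/* Try the stored machine password first; the keytab is only consulted when that cannot verify the ticket. */`. ads_verify_ticket starts and ends outside the hunk.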
index 03fe58bc279b8249afe122298c737b55906c9127..dbd466fe403e105eadb4688944421f275763d3f8 100644 (file)
@@ -999,6 +999,11 @@ void store_uid_sid_cache(const DOM_SID *psid, uid_t uid)
 {
        struct uid_sid_cache *pc;
 
+       /* do not store SIDs in the "Unix Group" domain */
+       
+       if ( sid_check_is_in_unix_users( psid ) )
+               return;
+
        if (n_uid_sid_cache >= MAX_UID_SID_CACHE_SIZE && n_uid_sid_cache > TURNOVER_UID_SID_CACHE_SIZE) {
                /* Delete the last TURNOVER_UID_SID_CACHE_SIZE entries. */
                struct uid_sid_cache *pc_next;
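Review bot: The comment above the new guard in store_uid_sid_cache says "Unix Group" domain, but the check is sid_check_is_in_unix_users(), i.e. the S-1-22-1 users domain named in the commit title; the copy-pasted text should read `/* do not store SIDs from the "Unix Users" domain (S-1-22-1) */`. The guard itself is also written as `if ( sid_check_is_in_unix_users( psid ) )` with a whitespace-only `+` line before it, unlike the surrounding `if (n_uid_sid_cache >= ...)` style in this function; the same spacing and blank-line pattern appears in the store_gid_sid_cache hunk below, where the comment is correct. store_uid_sid_cache's body continues outside the hunk.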
@@ -1070,6 +1075,11 @@ static BOOL fetch_gid_from_cache(gid_t *pgid, const DOM_SID *psid)
 void store_gid_sid_cache(const DOM_SID *psid, gid_t gid)
 {
        struct gid_sid_cache *pc;
+       
+       /* do not store SIDs in the "Unix Group" domain */
+       
+       if ( sid_check_is_in_unix_groups( psid ) )
+               return;
 
        if (n_gid_sid_cache >= MAX_GID_SID_CACHE_SIZE && n_gid_sid_cache > TURNOVER_GID_SID_CACHE_SIZE) {
                /* Delete the last TURNOVER_GID_SID_CACHE_SIZE entries. */