kerberos auth info3 should contain resource group ids available from pac_logon

successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids)) The subsequent cached entry used for groups lookups
can be missing those resource groups

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit efadcb31215f9ccaf7942341c698a8eb2ac166ce)

Conflicts:
	source3/winbindd/winbindd_pam.c

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 88fa14debb67bcc62fce165dedc68e7cc7046a30..987354d9406d1015f5af64c19ea296abbd9aa13d 100644 (file)
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -576,6 +576,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        time_t time_offset = 0;
        const char *user_ccache_file;
        struct PAC_LOGON_INFO *logon_info = NULL;
+       struct netr_SamInfo3 *info3_copy = NULL;
 
        *info3 = NULL;
 
@@ -664,11 +665,14 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                goto failed;
        }
 
-       *info3 = &logon_info->info3;
-
        DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
                principal_s));
 
+       result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
+       if (!NT_STATUS_IS_OK(result)) {
+               goto failed;
+       }
+
        /* if we had a user's ccache then return that string for the pam
         * environment */
 
@@ -704,7 +708,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                }
 
        }
-
+       *info3 = info3_copy;
        return NT_STATUS_OK;
 
 failed: