kerberos auth info3 should contain resource group ids available from pac_logon
authorNoel Power <noel.power@suse.com>
Wed, 10 Jun 2015 12:13:25 +0000 (13:13 +0100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 11 Jun 2015 02:42:10 +0000 (04:42 +0200)
A successful pam auth (e.g. from ssh) will cache group sids (but not any
resource group sids). The subsequent cached entry used for group lookups
can be missing those resource groups.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/winbindd/winbindd_pam.c

index 864382e5df1b7272958cf79fe9af0e6d0d869d48..018f70f01d61da793bbc4567a7b3abb5d981ea48 100644 (file)
@@ -594,6 +594,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
        struct PAC_DATA_CTR *pac_data_ctr = NULL;
        const char *local_service;
        int i;
+       struct netr_SamInfo3 *info3_copy = NULL;
 
        *info3 = NULL;
 
@@ -713,11 +714,15 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                break;
        }
 
-       *info3 = &logon_info->info3;
 
        DEBUG(10,("winbindd_raw_kerberos_login: winbindd validated ticket of %s\n",
                principal_s));
 
+       result = create_info3_from_pac_logon_info(mem_ctx, logon_info, &info3_copy);
+       if (!NT_STATUS_IS_OK(result)) {
+               goto failed;
+       }
+
        /* if we had a user's ccache then return that string for the pam
         * environment */
 
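Review bot: The added call to `create_info3_from_pac_logon_info()` has no comment saying why a copy is built instead of keeping the old pointer to `logon_info->info3`, and the reason is authorization-relevant. Per the commit message, the copy is what carries the PAC's resource group SIDs into the info3 that is later cached for group lookups. I would add above the call `/* Build a talloc'd copy that also carries the PAC resource group SIDs; &logon_info->info3 alone lacks them. */`. Since those SIDs end up in cached group membership, the call must stay after the PAC has been validated; the DEBUG line just above suggests it does, but the validation itself is outside this hunk. Removing the old assignment also leaves two consecutive blank lines before the DEBUG call.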
@@ -753,7 +758,7 @@ static NTSTATUS winbindd_raw_kerberos_login(TALLOC_CTX *mem_ctx,
                }
 
        }
-
+       *info3 = info3_copy;
        return NT_STATUS_OK;
 
 failed:
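Review bot: `info3_copy` is only handed to the caller at this last assignment, so any `goto failed` taken after the copy was created leaves it allocated on `mem_ctx` while `*info3` stays NULL. Returning NULL on failure is the right result for the caller, but if `mem_ctx` is long-lived each failed login would keep a copy of the user's group SIDs around. The body under `failed:` lies outside the hunk, so whether it already frees anything cannot be seen here. Adding `TALLOC_FREE(info3_copy);` under `failed:` would make the cleanup explicit. The assignment also now sits directly against the closing brace; a blank line before it would keep the previous layout.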