From: Jeremy Allison
Date: Tue, 27 Sep 2016 22:04:49 +0000 (-0700)
Subject: s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
X-Git-Url: http://git.samba.org/?p=metze%2Fsamba%2Fwip.git;a=commitdiff_plain;h=cf0f28819e771d433af00b3532011de70112b1f8

s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache. In addition to priming the netsamlogon cache. This prevents a winbind AD-DC lookup for something the PAC already told us. Note we only do this in the case where the PAC successfully passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison
Reviewed-by: Günther Deschner
---
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 8ec4fe4a6a15..da874c74a0a2 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 }
 if (logon_info) {
- /* Signature verification succeeded, trust the PAC */
+ /*
+ * Signature verification succeeded, we can
+ * trust the PAC and prime the netsamlogon
+ * and name2sid caches. DO NOT DO THIS
+ * in the signature verification failed
+ * code path.
+ */
+ struct winbindd_domain *domain = NULL;
+
 result = create_info3_from_pac_logon_info(state->mem_ctx, logon_info, &info3_copy);
@@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
 }
 netsamlogon_cache_store(NULL, info3_copy);
+ /*
+ * We're in the parent here, so find the child
+ * pointer from the PAC domain name.
+ */
+ domain = find_domain_from_name_noinit(
+ info3_copy->base.logon_domain.string);
+ if (domain && domain->primary ) {
+ struct dom_sid user_sid;
+
+ sid_compose(&user_sid,
+ info3_copy->base.domain_sid,
+ info3_copy->base.rid);
+
+ cache_name2sid(domain,
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ SID_NAME_USER,
+ &user_sid);
+
+ DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+ info3_copy->base.logon_domain.string,
+ info3_copy->base.account_name.string,
+ sid_string_dbg(&user_sid));
+ }
+
 } else {
 /* Try without signature verification */
 result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
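Review bot: The format string in the new DBG_INFO call, `"PAC for user %s\%s SID %s primed cache\n"`, contains `\%`, which is not a valid C escape sequence; the compiler diagnoses it and typically just drops the backslash, so the log line runs domain and account name together, and the intended separator should be written `%s\\%s`. The return value of sid_compose() is also discarded; if it can report failure when appending the RID to the copied domain SID, a partially composed user_sid would be handed to cache_name2sid(), so checking it before priming the cache would be safer. The domain and account name strings taken from the PAC are passed to find_domain_from_name_noinit() and cache_name2sid() without a NULL check here; whether those callees tolerate NULL is not visible in this hunk and is worth confirming, since a verified PAC with a missing account_name should not poison the cache. The stray space in `domain->primary )` is a minor style nit. winbindd_pam_auth_pac_send() continues outside the hunk.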