| commit | 949df3ca93f1e570a531b51e005206780925bc7e | |
| author | David Disseldorp <ddiss@samba.org> | |
| Tue, 6 Nov 2012 11:29:24 +0000 (6 12:29 +0100) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Mon, 12 Nov 2012 08:09:50 +0000 (12 09:09 +0100) | ||
| tree | a0943c92ac9e777d0c54ee633c8a786062776394 | treesnapshot (tar.gz zip) |
| parent | c2bafcf2e24eb12afaa9b49b5bbc0b02d67dd8a6 | commitdiff |
Revert "s3-winbindd: make sure we obey the -n switch also for samlogon cache access."
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
Bug 9125 analysis from Volker:
The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.
This reverts commit ae6a779bf9f816680e724ede37324b7f5355996b.
Bug 9125 analysis from Volker:
The problem is that there are no network calls possible at all that
would do what the samlogon cache does for us. There is just no way to
retrieve the group membership in a complex trusted environment. If you
have just a single domain with Samba as domain controller it might be
possible, but even within a single domain it is not possible to
correctly retrieve all group memberships using LDAP calls due to ACLs on
directory objects. The call to get that is called NetSamLogon on the
NETLOGON pipe. But this call requires user credentials and might trigger
updating counts on the server. So to correctly implement wbinfo -r after
a user has logged in, you have two alternatives: Save the info3 struct
or the PAC in the netsamlogon cache. If you insist on doing network
calls, you need to cache the user credentials somewhere to re-do the
NetSamLogon call every time the wbinfo -r is requested.