s3: winbind: Make WBC_AUTH_USER_LEVEL_PAC prime the name2sid cache.
authorJeremy Allison <jra@samba.org>
Tue, 27 Sep 2016 22:04:49 +0000 (15:04 -0700)
committerJeremy Allison <jra@samba.org>
Wed, 28 Sep 2016 17:02:26 +0000 (19:02 +0200)
In addition to priming the netsamlogon cache.

This prevents a winbind AD-DC lookup for something
the PAC already told us.

Note we only do this in the case where the PAC successfully
passed signature verification.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Günther Deschner <gd@samba.org>
source3/winbindd/winbindd_pam.c

index 8ec4fe4a6a155e66c7b876a95eeb45c30400457e..da874c74a0a2a0e18d21c4725bbd89dcdac162df 100644 (file)
@@ -2568,7 +2568,15 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
        }
 
        if (logon_info) {
-               /* Signature verification succeeded, trust the PAC */
+               /*
+                * Signature verification succeeded, we can
+                * trust the PAC and prime the netsamlogon
+                * and name2sid caches. DO NOT DO THIS
+                * in the signature verification failed
+                * code path.
+                */
+               struct winbindd_domain *domain = NULL;
+
                result = create_info3_from_pac_logon_info(state->mem_ctx,
                                                        logon_info,
                                                        &info3_copy);
@@ -2577,6 +2585,31 @@ NTSTATUS winbindd_pam_auth_pac_send(struct winbindd_cli_state *state,
                }
                netsamlogon_cache_store(NULL, info3_copy);
 
+               /*
+                * We're in the parent here, so find the child
+                * pointer from the PAC domain name.
+                */
+               domain = find_domain_from_name_noinit(
+                               info3_copy->base.logon_domain.string);
+               if (domain && domain->primary ) {
+                       struct dom_sid user_sid;
+
+                       sid_compose(&user_sid,
+                               info3_copy->base.domain_sid,
+                               info3_copy->base.rid);
+
+                       cache_name2sid(domain,
+                               info3_copy->base.logon_domain.string,
+                               info3_copy->base.account_name.string,
+                               SID_NAME_USER,
+                               &user_sid);
+
+                       DBG_INFO("PAC for user %s\%s SID %s primed cache\n",
+                               info3_copy->base.logon_domain.string,
+                               info3_copy->base.account_name.string,
+                               sid_string_dbg(&user_sid));
+               }
+
        } else {
                /* Try without signature verification */
                result = kerberos_pac_logon_info(state->mem_ctx, pac_blob, NULL,
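Review bot: The format string in the new DBG_INFO call, `"PAC for user %s\%s SID %s primed cache\n"`, contains `\%`, which is not a valid C escape sequence; GCC warns and drops the backslash, so the domain and account names are logged with no separator between them instead of the intended `DOMAIN\user`. Use `DBG_INFO("PAC for user %s\\%s SID %s primed cache\n",` to get a literal backslash. The stray space in `if (domain && domain->primary )` is a nit. It would also help to state why the name2sid cache is primed only when `domain->primary` holds, e.g. `/* Only prime for our own domain; names from other domains are resolved by their own child. */`, but that reason is my inference, so confirm it before adding the comment. winbindd_pam_auth_pac_send starts before this hunk and continues after it.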