authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-09-27 15:13:12 +1300
committerAndrew Bartlett <abartlet@samba.org>2023-02-08 00:03:39 +0000
commit7050e05742956bb75c4b27f39f97adc4d544e0f1 (patch)
tree32cb1f3ecd162fb05726829be444442425b48ddd
parent53d72c87e6362e24eb922a5a9040e5d631c7fce4 (diff)
downloadsamba-7050e05742956bb75c4b27f39f97adc4d544e0f1.tar.gz
auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now incorporates a check of the type of each group. Those that are resource groups receive the SE_GROUP_RESOURCE bit in the attributes which are now carried alongside each group SID. Whereas before, in auth_convert_user_info_dc_sambaseinfo() and auth_convert_user_info_dc_saminfo6(), we invariantly used the flag combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct attributes from user_info_dc. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--auth/auth_sam_reply.c59
-rw-r--r--librpc/idl/auth.idl4
-rw-r--r--selftest/knownfail_heimdal_kdc1
-rw-r--r--source3/auth/auth_ntlmssp.c2
-rw-r--r--source3/auth/auth_util.c39
-rw-r--r--source3/passdb/pdb_samba_dsdb.c4
-rw-r--r--source4/auth/ntlm/auth.c2
-rw-r--r--source4/auth/ntlm/auth_developer.c5
-rw-r--r--source4/auth/sam.c32
-rw-r--r--source4/auth/session.c28
-rw-r--r--source4/auth/system_session.c60
-rw-r--r--source4/dsdb/common/util.c4
-rw-r--r--source4/dsdb/common/util_groups.c53
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c24
-rw-r--r--source4/dsdb/samdb/samdb.c6
-rw-r--r--source4/dsdb/samdb/samdb.h1
-rw-r--r--source4/kdc/pac-glue.c33
-rw-r--r--source4/torture/auth/pac.c24
-rw-r--r--source4/torture/rpc/remote_pac.c22
19 files changed, 247 insertions, 156 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 173a5132964..552834a1bb0 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -35,7 +35,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
ZERO_STRUCTP(sam);
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
- status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX],
+ status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid,
&sam->domain_sid, &sam->rid);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -45,7 +45,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
}
if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
- status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX],
+ status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid,
NULL, &sam->primary_gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -98,16 +98,15 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
- struct dom_sid *group_sid = &user_info_dc->sids[i];
- if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
+ struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
/* We handle this elsewhere */
continue;
}
sam->groups.rids[sam->groups.count].rid =
- group_sid->sub_auths[group_sid->num_auths-1];
+ group_sid->sid.sub_auths[group_sid->sid.num_auths-1];
- sam->groups.rids[sam->groups.count].attributes =
- SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ sam->groups.rids[sam->groups.count].attributes = group_sid->attrs;
sam->groups.count += 1;
}
}
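Review bot: `sam->groups.rids[sam->groups.count].attributes = group_sid->attrs;` makes the PAC group attributes depend on every producer of `struct auth_SidAttr` having set `attrs`, and `talloc_array` does not zero memory, so an element whose `.sid` is filled in without `.attrs` would put uninitialised flag bits into the PAC. Nothing in this hunk can enforce that contract; a comment above the loop, `/* attrs are copied unmodified from user_info_dc: every producer of auth_SidAttr must set them */`, would at least make it explicit for the next caller added. auth_convert_user_info_dc_sambaseinfo begins outside the hunk.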
@@ -169,16 +168,15 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i])) {
+ if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
continue;
}
- sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i]);
+ sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
if (sam6->sids[sam6->sidcount].sid == NULL) {
TALLOC_FREE(sam6);
return NT_STATUS_NO_MEMORY;
}
- sam6->sids[sam6->sidcount].attributes =
- SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ sam6->sids[sam6->sidcount].attributes = user_info_dc->sids[i].attrs;
sam6->sidcount += 1;
}
if (sam6->sidcount) {
@@ -437,28 +435,39 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
user_info_dc->num_sids = 2;
- user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count);
+ user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
- user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
- user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ /*
+ * This attribute value might be wrong if the primary group is a
+ * resource group. But a resource group is not meant to be in a primary
+ * group in the first place, and besides, these attributes will never
+ * make their way into a PAC.
+ */
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
for (i = 0; i < base->groups.count; i++) {
/* Skip primary group, already added above */
if (base->groups.rids[i].rid == base->primary_gid) {
continue;
}
- user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
- if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
+ user_info_dc->sids[user_info_dc->num_sids].sid = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, base->groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ user_info_dc->sids[user_info_dc->num_sids].attrs = base->groups.rids[i].attributes;
user_info_dc->num_sids++;
}
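Review bot: The literal `SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED` is spelled out twice here and again in auth_util.c, auth_developer.c, sam.c, session.c, system_session.c and util_groups.c within this same commit; a single named constant (for example `SE_GROUP_DEFAULT_FLAGS` beside the SE_GROUP_* definitions) would keep the default attribute word from drifting between call sites. The comment on the primary-group slot is useful, but the user slot receives the same value with no explanation; neither converter earlier in this file reads the attrs of index PRIMARY_USER_SID_INDEX (both loops start after it), so a one-liner such as `/* never consumed by the PAC converters, set for consistency only */` would save a reader the search. make_user_info_dc_netlogon_validation continues past the hunk.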
@@ -477,11 +486,11 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
}
if (sidcount > 0) {
- struct dom_sid *dgrps = user_info_dc->sids;
+ struct auth_SidAttr *dgrps = user_info_dc->sids;
size_t dgrps_count;
dgrps_count = user_info_dc->num_sids + sidcount;
- dgrps = talloc_realloc(user_info_dc, dgrps, struct dom_sid,
+ dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr,
dgrps_count);
if (dgrps == NULL) {
return NT_STATUS_NO_MEMORY;
@@ -489,7 +498,8 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
for (i = 0; i < sidcount; i++) {
if (sids[i].sid) {
- dgrps[user_info_dc->num_sids] = *sids[i].sid;
+ dgrps[user_info_dc->num_sids].sid = *sids[i].sid;
+ dgrps[user_info_dc->num_sids].attrs = sids[i].attributes;
user_info_dc->num_sids++;
}
}
@@ -596,7 +606,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
sidcount = user_info_dc->num_sids + rg->groups.count;
user_info_dc->sids
- = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
+ = talloc_realloc(user_info_dc, user_info_dc->sids, struct auth_SidAttr, sidcount);
if (user_info_dc->sids == NULL) {
TALLOC_FREE(user_info_dc);
return NT_STATUS_NO_MEMORY;
@@ -605,12 +615,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
for (i = 0; i < rg->groups.count; i++) {
bool ok;
- user_info_dc->sids[user_info_dc->num_sids] = *rg->domain_sid;
- ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+ user_info_dc->sids[user_info_dc->num_sids].sid = *rg->domain_sid;
+ ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
rg->groups.rids[i].rid);
if (!ok) {
return NT_STATUS_INVALID_PARAMETER;
}
+ user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes;
user_info_dc->num_sids++;
}
}
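Review bot: `user_info_dc->sids[user_info_dc->num_sids].attrs = rg->groups.rids[i].attributes;` copies the attribute word straight out of the PAC resource-group buffer, while the commit message says locally expanded resource groups now get SE_GROUP_RESOURCE from dsdb_expand_nested_groups; whether PAC-supplied entries are assumed to already carry that bit is not stated, so the same group could end up with different attrs depending on which path produced it. A comment stating the assumption, `/* taken as-is from the PAC; the issuing KDC is relied on to have set SE_GROUP_RESOURCE */`, or OR-ing the bit in explicitly if that is the intent, would settle it. The `return NT_STATUS_INVALID_PARAMETER;` on the `!ok` path also leaves user_info_dc allocated, whereas the NO_MEMORY path in the previous hunk does `TALLOC_FREE(user_info_dc);` first; harmless if user_info_dc hangs off mem_ctx, but inconsistent. make_user_info_dc_pac begins outside the hunk.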
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index 6d95fe84e93..5985d554606 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -59,7 +59,7 @@ interface auth
typedef [public] struct {
/* Number SIDs from the DC netlogon validation info */
uint32 num_dc_sids;
- [size_is(num_dc_sids)] dom_sid dc_sids[*];
+ [size_is(num_dc_sids)] auth_SidAttr dc_sids[*];
} auth_user_info_torture;
typedef [public] struct {
@@ -104,7 +104,7 @@ interface auth
* privileges and local groups are handled */
typedef [public] struct {
uint32 num_sids;
- [size_is(num_sids)] dom_sid sids[*];
+ [size_is(num_sids)] auth_SidAttr sids[*];
auth_user_info *info;
[noprint] DATA_BLOB user_session_key;
[noprint] DATA_BLOB lm_session_key;
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 9f492f81402..4a55b0709ea 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -145,6 +145,7 @@
#
# Group tests
#
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_Samba_4_17_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_Samba_4_17_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_as_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_compression_as_req_to_service.ad_dc
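Review bot: The new entry adds test_group_domain_local_Samba_4_17_tgs_req_to_krbtgt to the Heimdal known-failure list, which presumably means this commit turns a passing test into a failing one, yet neither the commit message nor the file says why or what later change is expected to clear it. The file already uses `#` comment headers, so a short line above the entry naming the cause would keep the entry from becoming permanent by accident.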
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index f2deca09aa6..73938dc2b88 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -58,7 +58,7 @@ NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
if (user_info->num_sids != 1) {
return NT_STATUS_INTERNAL_ERROR;
}
- sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
+ sid = &user_info->sids[PRIMARY_USER_SID_INDEX].sid;
cmp = dom_sid_compare(sid, &global_sid_System);
if (cmp == 0) {
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index b60dd2647c8..6d94356ef35 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -721,10 +721,11 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
sid_compose(&tmp_sid,
&global_sid_Unix_NFS_Users,
(uint32_t)uid);
- status = add_sid_to_array_unique(user_info_dc->sids,
- &tmp_sid,
- &user_info_dc->sids,
- &user_info_dc->num_sids);
+ status = add_sid_to_array_attrs_unique(user_info_dc->sids,
+ &tmp_sid,
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
nt_errstr(status)));
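Review bot: The DEBUG message in the failure branch still reads `add_sid_to_array_unique failed`, but the call it reports on is now `add_sid_to_array_attrs_unique`; the same stale string is kept in the next two hunks (the global_sid_Unix_NFS_Groups and global_sid_Unix_NFS_Mode cases). Change it to `DEBUG(0, ("add_sid_to_array_attrs_unique failed: %s\n",` in all three places so a log line points at the function that actually failed. auth3_user_info_dc_add_hints begins and ends outside the hunk.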
@@ -738,10 +739,11 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
sid_compose(&tmp_sid,
&global_sid_Unix_NFS_Groups,
(uint32_t)gid);
- status = add_sid_to_array_unique(user_info_dc->sids,
- &tmp_sid,
- &user_info_dc->sids,
- &user_info_dc->num_sids);
+ status = add_sid_to_array_attrs_unique(user_info_dc->sids,
+ &tmp_sid,
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
nt_errstr(status)));
@@ -755,10 +757,11 @@ NTSTATUS auth3_user_info_dc_add_hints(struct auth_user_info_dc *user_info_dc,
sid_compose(&tmp_sid,
&global_sid_Unix_NFS_Mode,
flags);
- status = add_sid_to_array_unique(user_info_dc->sids,
- &tmp_sid,
- &user_info_dc->sids,
- &user_info_dc->num_sids);
+ status = add_sid_to_array_attrs_unique(user_info_dc->sids,
+ &tmp_sid,
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("add_sid_to_array_unique failed: %s\n",
nt_errstr(status)));
@@ -861,18 +864,18 @@ static NTSTATUS auth3_session_info_create(
* S-1-5-88-3-Y gives flags=Y: AUTH3_UNIX_HINT_*
*/
cmp = dom_sid_compare_domain(&global_sid_Unix_NFS,
- &user_info_dc->sids[i]);
+ &user_info_dc->sids[i].sid);
if (cmp == 0) {
bool match;
uint32_t hint = 0;
- match = sid_peek_rid(&user_info_dc->sids[i], &hint);
+ match = sid_peek_rid(&user_info_dc->sids[i].sid, &hint);
if (!match) {
continue;
}
match = dom_sid_in_domain(&global_sid_Unix_NFS_Users,
- &user_info_dc->sids[i]);
+ &user_info_dc->sids[i].sid);
if (match) {
if (found_hint_uid) {
TALLOC_FREE(frame);
@@ -884,7 +887,7 @@ static NTSTATUS auth3_session_info_create(
}
match = dom_sid_in_domain(&global_sid_Unix_NFS_Groups,
- &user_info_dc->sids[i]);
+ &user_info_dc->sids[i].sid);
if (match) {
if (found_hint_gid) {
TALLOC_FREE(frame);
@@ -896,7 +899,7 @@ static NTSTATUS auth3_session_info_create(
}
match = dom_sid_in_domain(&global_sid_Unix_NFS_Mode,
- &user_info_dc->sids[i]);
+ &user_info_dc->sids[i].sid);
if (match) {
if (found_hint_flags) {
TALLOC_FREE(frame);
@@ -911,7 +914,7 @@ static NTSTATUS auth3_session_info_create(
}
status = add_sid_to_array_unique(nt_token->sids,
- &user_info_dc->sids[i],
+ &user_info_dc->sids[i].sid,
&nt_token->sids,
&nt_token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
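Review bot: When the SIDs are copied into the token with `add_sid_to_array_unique(nt_token->sids, &user_info_dc->sids[i].sid, ...)`, the newly carried `.attrs` are dropped, so whatever dsdb_expand_nested_groups recorded (SE_GROUP_RESOURCE included) does not reach the source3 session token. If that is intentional because the token type holds bare SIDs, a comment saying so, `/* nt_token carries no per-SID attributes; attrs are intentionally dropped here */`, would stop the next reader from treating it as an omission. auth3_session_info_create begins and ends outside the hunk.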
diff --git a/source3/passdb/pdb_samba_dsdb.c b/source3/passdb/pdb_samba_dsdb.c
index 4c0fd6d4430..284936c26b8 100644
--- a/source3/passdb/pdb_samba_dsdb.c
+++ b/source3/passdb/pdb_samba_dsdb.c
@@ -1703,7 +1703,7 @@ static NTSTATUS pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods *m,
uint32_t *alias_rids = NULL;
size_t num_alias_rids = 0;
int i;
- struct dom_sid *groupSIDs = NULL;
+ struct auth_SidAttr *groupSIDs = NULL;
unsigned int num_groupSIDs = 0;
char *filter;
NTSTATUS status;
@@ -1752,7 +1752,7 @@ static NTSTATUS pdb_samba_dsdb_enum_alias_memberships(struct pdb_methods *m,
}
for (i=0; i<num_groupSIDs; i++) {
- if (sid_peek_check_rid(domain_sid, &groupSIDs[i],
+ if (sid_peek_check_rid(domain_sid, &groupSIDs[i].sid,
&alias_rids[num_alias_rids])) {
num_alias_rids++;;
}
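Review bot: The loop `for (i=0; i<num_groupSIDs; i++)` compares the `int i` declared in the first hunk against `unsigned int num_groupSIDs`, and the body keeps the stray `num_alias_rids++;;`. Both predate the commit, but since the lines are being rewritten anyway, `unsigned int i;` and a single semicolon are cheap tidy-ups and silence the sign-compare warning. pdb_samba_dsdb_enum_alias_memberships continues outside the hunk.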
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 09d660a392b..e678f703db5 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -421,7 +421,7 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req,
state->user_info, status,
state->user_info_dc->info->domain_name,
state->user_info_dc->info->account_name,
- &state->user_info_dc->sids[0]);
+ &state->user_info_dc->sids[0].sid);
*user_info_dc = talloc_move(mem_ctx, &state->user_info_dc);
diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index 6e92252d5c5..330bcde4d02 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -82,9 +82,12 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
user_info_dc->num_sids = 1;
- user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS);
+ user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
+ user_info_dc->sids->sid = global_sid_Anonymous;
+ user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
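Review bot: The comment just above, `This returns a pointer to a struct dom_sid, which is the same as a 1 element list of struct dom_sid`, no longer describes the code: the allocation is now `talloc(user_info_dc, struct auth_SidAttr)` and no SID parser returns anything here. The same stale comment is kept in both single-SID hunks of source4/auth/system_session.c. Replace it with `/* A single auth_SidAttr doubles as a 1 element list of them */` in all three places.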
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 2b18d4dc3c0..ca26898f4ce 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -353,7 +353,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
const char *primary_group_dn;
DATA_BLOB primary_group_blob;
/* SID structures for the expanded group memberships */
- struct dom_sid *sids = NULL;
+ struct auth_SidAttr *sids = NULL;
unsigned int num_sids = 0, i;
struct dom_sid *domain_sid;
TALLOC_CTX *tmp_ctx;
@@ -368,7 +368,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- sids = talloc_array(user_info_dc, struct dom_sid, 2);
+ sids = talloc_array(user_info_dc, struct auth_SidAttr, 2);
if (sids == NULL) {
TALLOC_FREE(user_info_dc);
return NT_STATUS_NO_MEMORY;
@@ -388,9 +388,13 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
return status;
}
- sids[PRIMARY_USER_SID_INDEX] = *account_sid;
- sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
- sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
+ sids[PRIMARY_USER_SID_INDEX].sid = *account_sid;
+ sids[PRIMARY_USER_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid;
+ sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX].sid, ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
+ sids[PRIMARY_GROUP_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
/*
* Filter out builtin groups from this token. We will search
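Review bot: `sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX].sid, ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));` discards the return value, so on failure the slot silently keeps whatever SID it held and is then handed the default attrs, whereas the same call in auth_sam_reply.c in this commit checks the result and returns NT_STATUS_INVALID_PARAMETER. The unchecked call recurs at the DOMAIN_RID_ENTERPRISE_READONLY_DCS site in a later hunk of this file. Wrap it in `if (!sid_append_rid(...)) { TALLOC_FREE(user_info_dc); return NT_STATUS_INVALID_PARAMETER; }`, matching the error style of the surrounding code. authsam_make_user_info_dc begins and ends outside the hunk.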
@@ -406,7 +410,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
primary_group_dn = talloc_asprintf(
tmp_ctx,
"<SID=%s>",
- dom_sid_str_buf(&sids[PRIMARY_GROUP_SID_INDEX], &buf));
+ dom_sid_str_buf(&sids[PRIMARY_GROUP_SID_INDEX].sid, &buf));
if (primary_group_dn == NULL) {
TALLOC_FREE(user_info_dc);
return NT_STATUS_NO_MEMORY;
@@ -570,13 +574,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
PAC */
user_info_dc->sids = talloc_realloc(user_info_dc,
user_info_dc->sids,
- struct dom_sid,
+ struct auth_SidAttr,
user_info_dc->num_sids+1);
if (user_info_dc->sids == NULL) {
TALLOC_FREE(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
- user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs;
+ user_info_dc->sids[user_info_dc->num_sids].sid = global_sid_Enterprise_DCs;
+ user_info_dc->sids[user_info_dc->num_sids].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
user_info_dc->num_sids++;
}
@@ -585,15 +591,17 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
/* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
user_info_dc->sids = talloc_realloc(user_info_dc,
user_info_dc->sids,
- struct dom_sid,
+ struct auth_SidAttr,
user_info_dc->num_sids+1);
if (user_info_dc->sids == NULL) {
TALLOC_FREE(user_info_dc);
return NT_STATUS_NO_MEMORY;
}
- user_info_dc->sids[user_info_dc->num_sids] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+ user_info_dc->sids[user_info_dc->num_sids].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
DOMAIN_RID_ENTERPRISE_READONLY_DCS);
+ user_info_dc->sids[user_info_dc->num_sids].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
user_info_dc->num_sids++;
}
@@ -636,7 +644,7 @@ _PUBLIC_ NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
*/
n = user_info_dc->num_sids;
for (i = 0; i < n; i++) {
- struct dom_sid *sid = &user_info_dc->sids[i];
+ struct dom_sid *sid = &user_info_dc->sids[i].sid;
struct dom_sid_buf sid_buf;
char dn_str[sizeof(sid_buf.buf)*2];
DATA_BLOB dn_blob = data_blob_null;
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 34ad557eebb..5905964ecfc 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -62,7 +62,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
const char *filter;
- struct dom_sid *sids = NULL;
+ struct auth_SidAttr *sids = NULL;
const struct dom_sid *anonymous_sid, *system_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -110,7 +110,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
+ sids = talloc_array(tmp_ctx, struct auth_SidAttr, user_info_dc->num_sids);
if (sids == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
@@ -129,48 +129,52 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
*/
if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
- sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2);
+ sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 2);
if (sids == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- sid_copy(&sids[num_sids], &global_sid_World);
+ sid_copy(&sids[num_sids].sid, &global_sid_World);
+ sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
num_sids++;
- sid_copy(&sids[num_sids], &global_sid_Network);
+ sid_copy(&sids[num_sids].sid, &global_sid_Network);
+ sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
num_sids++;
}
if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
- sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1);
if (sids == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- sid_copy(&sids[num_sids], &global_sid_Authenticated_Users);
+ sid_copy(&sids[num_sids].sid, &global_sid_Authenticated_Users);
+ sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
num_sids++;
}
if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
- sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1);
if (sids == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) {
+ if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids].sid)) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_INTERNAL_ERROR;
}
+ sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
num_sids++;
}
- if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
+ if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
@@ -185,7 +189,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
sid_dn = talloc_asprintf(
tmp_ctx,
"<SID=%s>",
- dom_sid_str_buf(&sids[i], &buf));
+ dom_sid_str_buf(&sids[i].sid, &buf));
if (sid_dn == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 17cfc4bab8b..da15f6bf0da 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -125,9 +125,12 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
user_info_dc->num_sids = 1;
- user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_System);
+ user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
+ user_info_dc->sids->sid = global_sid_System;
+ user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
@@ -199,24 +202,38 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
user_info_dc->num_sids = 7;
- user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);
-
- user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
-
- user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS);
-
- user_info_dc->sids[2] = global_sid_Builtin_Administrators;
-
- user_info_dc->sids[3] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
- user_info_dc->sids[4] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
- user_info_dc->sids[5] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
- user_info_dc->sids[6] = *domain_sid;
- sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
+ user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids);
+
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, DOMAIN_RID_ADMINISTRATOR);
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, DOMAIN_RID_USERS);
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
+ user_info_dc->sids[2].sid = global_sid_Builtin_Administrators;
+ user_info_dc->sids[2].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
+ user_info_dc->sids[3].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[3].sid, DOMAIN_RID_ADMINS);
+ user_info_dc->sids[3].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ user_info_dc->sids[4].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[4].sid, DOMAIN_RID_ENTERPRISE_ADMINS);
+ user_info_dc->sids[4].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ user_info_dc->sids[5].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[5].sid, DOMAIN_RID_POLICY_ADMINS);
+ user_info_dc->sids[5].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ user_info_dc->sids[6].sid = *domain_sid;
+ sid_append_rid(&user_info_dc->sids[6].sid, DOMAIN_RID_SCHEMA_ADMINS);
+ user_info_dc->sids[6].attrs
+ = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
/* What should the session key be?*/
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
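Review bot: `user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids);` is dereferenced on the very next line with no NULL check, unlike the single-SID hunks in this file, which follow their allocation with `NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);`; the seven `sid_append_rid` results are likewise discarded. Since the hunk rewrites every one of these lines, adding `NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);` after the allocation is in scope for this change. auth_domain_admin_user_info_dc begins and ends outside the hunk.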
@@ -370,9 +387,12 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
user_info_dc->num_sids = 1;
- user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_Anonymous);
+ user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
+ user_info_dc->sids->sid = global_sid_Anonymous;
+ user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+
/* annoying, but the Anonymous really does have a session key... */
user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data);
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 2cde400daa6..2c4bc980f80 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -6369,7 +6369,7 @@ done:
* if not. Returns a negative value on error.
*/
int dsdb_is_protected_user(struct ldb_context *ldb,
- const struct dom_sid *sids,
+ const struct auth_SidAttr *sids,
uint32_t num_sids)
{
const struct dom_sid *domain_sid = NULL;
@@ -6387,7 +6387,7 @@ int dsdb_is_protected_user(struct ldb_context *ldb,
}
for (i = 0; i < num_sids; ++i) {
- if (dom_sid_equal(&protected_users_sid, &sids[i])) {
+ if (dom_sid_equal(&protected_users_sid, &sids[i].sid)) {
return 1;
}
}
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index c2075de25b8..97dc50c5ecf 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -27,15 +27,22 @@
#include "dsdb/common/util.h"
/* This function tests if a SID structure "sids" contains the SID "sid" */
-static bool sids_contains_sid(const struct dom_sid *sids,
+static bool sids_contains_sid(const struct auth_SidAttr *sids,
const unsigned int num_sids,
- const struct dom_sid *sid)
+ const struct dom_sid *sid,
+ uint32_t attrs)
{
unsigned int i;
for (i = 0; i < num_sids; i++) {
- if (dom_sid_equal(&sids[i], sid))
- return true;
+ if (attrs != sids[i].attrs) {
+ continue;
+ }
+ if (!dom_sid_equal(&sids[i].sid, sid)) {
+ continue;
+ }
+
+ return true;
}
return false;
}
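Review bot: The header comment `This function tests if a SID structure "sids" contains the SID "sid"` no longer matches: with the new `if (attrs != sids[i].attrs) continue;` the function reports true only when both the SID and the attrs word match, so the same SID stored with different attributes counts as absent and the caller will append it again. That may be intended, but it should be stated: `/* True if "sids" holds "sid" with exactly these attrs; the same SID with other attrs does not count */`.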
@@ -56,13 +63,12 @@ static bool sids_contains_sid(const struct dom_sid *sids,
*/
NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
struct ldb_val *dn_val, const bool only_childs, const char *filter,
- TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
+ TALLOC_CTX *res_sids_ctx, struct auth_SidAttr **res_sids,
unsigned int *num_res_sids)
{
- const char * const attrs[] = { "memberOf", NULL };
+ const char * const attrs[] = { "groupType", "memberOf", NULL };
unsigned int i;
int ret;
- bool already_there;
struct ldb_dn *dn;
struct dom_sid sid;
TALLOC_CTX *tmp_ctx;
@@ -113,14 +119,6 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN);
} else {
- /* This is an O(n^2) linear search */
- already_there = sids_contains_sid(*res_sids,
- *num_res_sids, &sid);
- if (already_there) {
- talloc_free(tmp_ctx);
- return NT_STATUS_OK;
- }
-
ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
filter);
@@ -172,13 +170,34 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
/* We only apply this test once we know the SID matches the filter */
if (!only_childs) {
+ unsigned group_type;
+ uint32_t sid_attrs;
+ bool already_there;
+
+ sid_attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0);
+ if (group_type & GROUP_TYPE_RESOURCE_GROUP) {
+ sid_attrs |= SE_GROUP_RESOURCE;
+ }
+
+ /* This is an O(n^2) linear search */
+ already_there = sids_contains_sid(*res_sids, *num_res_sids,
+ &sid, sid_attrs);
+ if (already_there) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
- struct dom_sid, *num_res_sids + 1);
+ struct auth_SidAttr, *num_res_sids + 1);
if (*res_sids == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
- (*res_sids)[*num_res_sids] = sid;
+
+ (*res_sids)[*num_res_sids].sid = sid;
+ (*res_sids)[*num_res_sids].attrs = sid_attrs;
+
++(*num_res_sids);
}
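Review bot: The already_there check now runs after `dsdb_search` instead of before it (the pre-search check was removed in the previous hunk), so every repeat visit to a group already in res_sids costs an LDB lookup that used to be skipped, and with deeply nested memberships that is the hot path. Since groupType is a property of the group object, a SID-only check before the search would still identify the repeat case; the only way the same SID could legitimately carry a different attrs word is if the caller seeded res_sids with one (authsam_make_user_info_dc in this commit gives the primary-group slot the default attrs unconditionally, and presumably passes that array in), in which case a resource group used as primary group would now be appended a second time with SE_GROUP_RESOURCE set. Also `unsigned group_type;` sits next to `uint32_t sid_attrs;`; the surrounding code uses `uint32_t`/`unsigned int`, so `uint32_t group_type;` reads more consistently. dsdb_expand_nested_groups continues outside the hunk.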
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 2b3cd2d7954..a4ef129c467 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -76,6 +76,8 @@
#include "libcli/security/security.h"
+#include "auth/auth.h"
+
#ifndef ARRAY_SIZE
#define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0]))
#endif
@@ -149,7 +151,7 @@ static int construct_primary_group_token(struct ldb_module *module,
*/
static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
struct ldb_message *msg, const char *attribute_string,
- enum search_type type, struct dom_sid **groupSIDs,
+ enum search_type type, struct auth_SidAttr **groupSIDs,
unsigned int *num_groupSIDs)
{
const char *filter = NULL;
@@ -204,7 +206,7 @@ static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx,
/* for RevMembGetAccountGroups, exclude built-in groups */
case ACCOUNT_GROUPS:
filter = talloc_asprintf(mem_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))",
- GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
+ GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
break;
}
@@ -280,7 +282,7 @@ static int construct_generic_token_groups(struct ldb_module *module,
TALLOC_CTX *tmp_ctx = talloc_new(msg);
unsigned int i;
int ret;
- struct dom_sid *groupSIDs = NULL;
+ struct auth_SidAttr *groupSIDs = NULL;
unsigned int num_groupSIDs = 0;
if (scope != LDB_SCOPE_BASE) {
@@ -299,7 +301,7 @@ static int construct_generic_token_groups(struct ldb_module *module,
/* add these SIDs to the search result */
for (i=0; i < num_groupSIDs; i++) {
- ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i]);
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i].sid);
if (ret) {
talloc_free(tmp_ctx);
return ret;
@@ -1070,7 +1072,7 @@ static int pso_compare(struct ldb_message **m1, struct ldb_message **m2)
*/
static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx,
struct ldb_request *parent,
- struct dom_sid *sid_array, unsigned int num_sids,
+ struct auth_SidAttr *sid_array, unsigned int num_sids,
struct ldb_result **result)
{
int ret;
@@ -1096,7 +1098,7 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx,
sid_filter = talloc_asprintf_append(
sid_filter,
"(msDS-PSOAppliesTo=<SID=%s>)",
- dom_sid_str_buf(&sid_array[i], &sid_buf));
+ dom_sid_str_buf(&sid_array[i].sid, &sid_buf));
}
if (sid_filter == NULL) {
@@ -1125,7 +1127,7 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx,
* Returns the best PSO object that applies to the object SID(s) specified
*/
static int pso_find_best(struct ldb_module *module, TALLOC_CTX *mem_ctx,
- struct ldb_request *parent, struct dom_sid *sid_array,
+ struct ldb_request *parent, struct auth_SidAttr *sid_array,
unsigned int num_sids, struct ldb_message **best_pso)
{
struct ldb_result *res = NULL;
@@ -1160,7 +1162,7 @@ static int get_pso_for_user(struct ldb_module *module,
struct ldb_message **pso_msg)
{
bool pso_supported;
- struct dom_sid *groupSIDs = NULL;
+ struct auth_SidAttr *groupSIDs = NULL;
unsigned int num_groupSIDs = 0;
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_message *best_pso = NULL;
@@ -1219,10 +1221,12 @@ static int get_pso_for_user(struct ldb_module *module,
el = ldb_msg_find_element(user_msg, "msDS-PSOApplied");
if (el != NULL && el->num_values > 0) {
- struct dom_sid *user_sid = NULL;
+ struct auth_SidAttr *user_sid = NULL;
/* lookup the best PSO object, based on the user's SID */
- user_sid = samdb_result_dom_sid(tmp_ctx, user_msg, "objectSid");
+ user_sid = samdb_result_dom_sid_attrs(
+ tmp_ctx, user_msg, "objectSid",
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED);
ret = pso_find_best(module, tmp_ctx, parent, user_sid, 1,
&best_pso);
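Review bot: The result of the new `samdb_result_dom_sid_attrs()` call is handed to pso_find_best() without a NULL check, so on allocation failure (or a user entry lacking objectSid) pso_search_by_sids() would dereference `sid_array[0].sid`; this was already true of the old samdb_result_dom_sid() call, but the changed line is the natural place to add `if (user_sid == NULL) { talloc_free(tmp_ctx); return ldb_module_oom(module); }`. The attribute flags passed here have no effect on the PSO lookup — pso_search_by_sids() reads only `.sid` — so a comment like `/* attrs are irrelevant here; PSO matching uses only the SID */` would stop readers from hunting for their significance. get_pso_for_user() continues outside this hunk.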
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index d5890dec03e..98fcb7a0b56 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -163,7 +163,7 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
unsigned int num_sids,
- struct dom_sid *sids,
+ struct auth_SidAttr *sids,
uint32_t session_info_flags,
struct security_token **token)
{
@@ -184,7 +184,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
for (check_sid_idx = 0;
check_sid_idx < ptoken->num_sids;
check_sid_idx++) {
- if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
+ if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i].sid)) {
break;
}
}
@@ -193,7 +193,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->sids[ptoken->num_sids] = sids[i];
+ ptoken->sids[ptoken->num_sids] = sids[i].sid;
ptoken->num_sids++;
}
}
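Review bot: Only `.sid` is copied into the token at `ptoken->sids[ptoken->num_sids] = sids[i].sid;`, so the group attributes this commit starts carrying are discarded at the point where they would matter for access checks: a SID whose attrs lacked SE_GROUP_ENABLED (or carried a deny-only style flag) would still enter the token as a fully enabled group. Every producer visible in this diff sets MANDATORY|ENABLED_BY_DEFAULT|ENABLED, so there is no behaviour change today, but that invariant is now silent; a comment at the copy such as `/* attrs are not yet honoured: every SID is added as an enabled group regardless of its flags */` (or a filter on SE_GROUP_ENABLED) would make the gap explicit for whoever next adds a producer with different flags. security_token_create() starts in the previous hunk and ends outside this one.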
diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
index f2f738121f9..d76cbeba841 100644
--- a/source4/dsdb/samdb/samdb.h
+++ b/source4/dsdb/samdb/samdb.h
@@ -22,6 +22,7 @@
#ifndef __SAMDB_H__
#define __SAMDB_H__
+struct auth_SidAttr;
struct auth_session_info;
struct dsdb_control_current_partition;
struct dsdb_extended_replicated_object;
diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index e9b951ff48e..e1a44bf8e1f 100644
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -93,7 +93,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
ZERO_STRUCT(pac_requester_sid);
- pac_requester_sid.requester_sid.sid = info->sids[0];
+ pac_requester_sid.requester_sid.sid = info->sids[0].sid;
ndr_err = ndr_push_union_blob(requester_sid_blob, mem_ctx,
&pac_requester_sid,
@@ -140,7 +140,7 @@ NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx,
= info->info->account_name;
pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid
- = &info->sids[0];
+ = &info->sids[0].sid;
ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn,
PAC_TYPE_UPN_DNS_INFO,
@@ -802,10 +802,12 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx,
dom_sid_parse(sid_str, &ai_sid);
- return add_sid_to_array_unique(user_info_dc,
- &ai_sid,
- &user_info_dc->sids,
- &user_info_dc->num_sids);
+ return add_sid_to_array_attrs_unique(
+ user_info_dc,
+ &ai_sid,
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
}
/*
@@ -1259,7 +1261,7 @@ krb5_error_code samba_kdc_validate_pac_blob(
goto out;
}
- pac_sid = pac_user_info->sids[0];
+ pac_sid = pac_user_info->sids[0].sid;
} else if (code != 0) {
goto out;
}
@@ -1484,6 +1486,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
if (is_untrusted) {
struct auth_user_info_dc *user_info_dc = NULL;
WERROR werr;
+
+ struct dom_sid *object_sids = NULL;
+ uint32_t j;
+
/*
* In this case the RWDC discards the PAC an RODC generated.
* Windows adds the asserted_identity in this case too.
@@ -1533,10 +1539,21 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx,
* Check if the SID list in the user_info_dc intersects
* correctly with the RODC allow/deny lists.
*/
+ object_sids = talloc_array(mem_ctx, struct dom_sid, user_info_dc->num_sids);
+ if (object_sids == NULL) {
+ code = ENOMEM;
+ goto done;
+ }
+
+ for (j = 0; j < user_info_dc->num_sids; ++j) {
+ object_sids[j] = user_info_dc->sids[j].sid;
+ }
+
werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids,
- user_info_dc->sids,
+ object_sids,
krbtgt,
client);
+ TALLOC_FREE(object_sids);
TALLOC_FREE(user_info_dc);
if (!W_ERROR_IS_OK(werr)) {
code = KRB5KDC_ERR_TGT_REVOKED;
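Review bot: On the new `object_sids == NULL` path the code jumps to `done` before reaching the `TALLOC_FREE(user_info_dc)` further down, so unless user_info_dc is parented on mem_ctx (its allocation is outside this hunk) the ENOMEM branch leaks it; either free it in that branch, `TALLOC_FREE(user_info_dc); code = ENOMEM; goto done;`, or allocate object_sids as a child of user_info_dc so the single existing free covers both and the separate `TALLOC_FREE(object_sids)` becomes unnecessary. The copy exists only because samba_rodc_confirm_user_is_allowed() still takes `struct dom_sid *`; a follow-up letting it accept `struct auth_SidAttr *` would remove the per-request allocation and O(n) copy from the KDC path. samba_kdc_update_pac() begins and ends outside this hunk.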
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c
index c019c09672c..50ac17ad07b 100644
--- a/source4/torture/auth/pac.c
+++ b/source4/torture/auth/pac.c
@@ -170,8 +170,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
&user_info_dc_out, NULL, NULL);
/* The user's SID is the first element in the list */
- if (!dom_sid_equal(user_info_dc->sids,
- user_info_dc_out->sids)) {
+ if (!dom_sid_equal(&user_info_dc->sids[0].sid,
+ &user_info_dc_out->sids[0].sid)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@@ -182,8 +182,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
- dom_sid_string(mem_ctx, user_info_dc->sids),
- dom_sid_string(mem_ctx, user_info_dc_out->sids)));
+ dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid),
+ dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid)));
}
talloc_free(user_info_dc_out);
@@ -232,13 +232,13 @@ static bool torture_pac_self_check(struct torture_context *tctx)
nt_errstr(nt_status)));
}
- if (!dom_sid_equal(user_info_dc->sids,
- user_info_dc_out->sids)) {
+ if (!dom_sid_equal(&user_info_dc->sids[0].sid,
+ &user_info_dc_out->sids[0].sid)) {
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
- dom_sid_string(mem_ctx, user_info_dc->sids),
- dom_sid_string(mem_ctx, user_info_dc_out->sids)));
+ dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid),
+ dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid)));
}
return true;
}
@@ -447,7 +447,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
- user_info_dc_out->sids)) {
+ &user_info_dc_out->sids[0].sid)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@@ -458,7 +458,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
talloc_asprintf(tctx,
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
- dom_sid_string(mem_ctx, user_info_dc_out->sids)));
+ dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid)));
}
talloc_free(user_info_dc_out);
@@ -506,7 +506,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
- user_info_dc_out->sids)) {
+ &user_info_dc_out->sids[0].sid)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@@ -517,7 +517,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
talloc_asprintf(tctx,
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
- dom_sid_string(mem_ctx, user_info_dc_out->sids)));
+ dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid)));
}
if (krbtgt_bytes == NULL) {
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index b899aafb0e0..34d369194b5 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -981,8 +981,8 @@ static bool test_S4U2Self(struct torture_context *tctx,
/* Check that the primary group is not duplicated in user_info_dc SID array */
for (i = 2; i < netlogon_user_info_dc->num_sids; i++) {
- torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1],
- &netlogon_user_info_dc->sids[i]),
+ torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1].sid,
+ &netlogon_user_info_dc->sids[i].sid),
"Duplicate PrimaryGroupId in return SID array");
}
@@ -1007,14 +1007,14 @@ static bool test_S4U2Self(struct torture_context *tctx,
ai_auth_authority_count = 0;
ai_service_count = 0;
for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
- ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid,
ai_auth_authority);
if (ok) {
ai_auth_authority_count++;
kinit_asserted_identity_index = i;
}
- ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid,
ai_service);
if (ok) {
ai_service_count++;
@@ -1030,14 +1030,14 @@ static bool test_S4U2Self(struct torture_context *tctx,
ai_auth_authority_count = 0;
ai_service_count = 0;
for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) {
- ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid,
ai_auth_authority);
if (ok) {
ai_auth_authority_count++;
s4u2self_asserted_identity_index = i;
}
- ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid,
ai_service);
if (ok) {
ai_service_count++;
@@ -1063,11 +1063,11 @@ static bool test_S4U2Self(struct torture_context *tctx,
/* Skip over the asserted identity SID. */
++k;
}
- torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[j]), "Different domain groups for kinit-based PAC");
- torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s4u2self_session_info->torture->dc_sids[k]), "Different domain groups for S4U2Self");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[k]), "Returned BUILTIN domain in groups for S4U2Self");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[j]), "Returned BUILTIN domain in groups kinit-based PAC");
- torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
+ torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i].sid, &kinit_session_info->torture->dc_sids[j].sid), "Different domain groups for kinit-based PAC");
+ torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i].sid, &s4u2self_session_info->torture->dc_sids[k].sid), "Different domain groups for S4U2Self");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[k].sid), "Returned BUILTIN domain in groups for S4U2Self");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[j].sid), "Returned BUILTIN domain in groups kinit-based PAC");
+ torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i].sid), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
}
return true;
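Review bot: The comparison loop now has group attributes available on both sides but still asserts only SID equality at the `dom_sid_equal(&netlogon_user_info_dc->sids[i].sid, ...)` lines, so a regression in the attribute plumbing this commit introduces (for example SE_GROUP_RESOURCE dropped on one path) would pass unnoticed. If the NETLOGON and PAC paths are expected to agree on attributes, an accompanying `torture_assert_int_equal(tctx, netlogon_user_info_dc->sids[i].attrs, kinit_session_info->torture->dc_sids[j].attrs, "Different group attributes for kinit-based PAC");` would pin that; if they are not yet expected to agree, a comment saying so would help. The new message `Returned BUILTIN domian in groups from NETLOGON SamLogon reply` also carries over the "domian" typo from the replaced line. test_S4U2Self() begins outside this hunk.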