author | Stefan Metzmacher <metze@samba.org> | 2016-05-20 14:16:35 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-06-30 07:16:45 +0200 |
commit | 4406cf792a599724f55777a45efb6367a9bd92b2 (patch) | |
tree | f82b290bca8622faae6873d85ac27315daa2cf00 /auth/auth_sam_reply.c | |
parent | 0fd4943ea150ecc499fb4b49e836c86ec59ec714 (diff) | |
krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the resource groups
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
Diffstat (limited to 'auth/auth_sam_reply.c')
-rw-r--r-- | auth/auth_sam_reply.c | 34 |
1 files changed, 25 insertions, 9 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 319a8b03d9e..1929cd9d848 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -512,6 +512,10 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, NTSTATUS nt_status; union netr_Validation validation; struct auth_user_info_dc *user_info_dc; + const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL; + size_t sidcount; + + rg = &pac_logon_info->resource_groups; validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3); @@ -522,11 +526,19 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, return nt_status; } - if (pac_logon_info->res_groups.count > 0) { - size_t sidcount; + if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) { + rg = &pac_logon_info->resource_groups; + } + + if (rg == NULL) { + *_user_info_dc = user_info_dc; + return NT_STATUS_OK; + } + + if (rg->groups.count > 0) { /* The IDL layer would be a better place to check this, but to * guard the integer addition below, we double-check */ - if (pac_logon_info->res_groups.count > 65535) { + if (rg->groups.count > 65535) { talloc_free(user_info_dc); return NT_STATUS_INVALID_PARAMETER; } @@ -536,12 +548,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, trusted domains, and verify that the SID matches. */ - if (!pac_logon_info->res_group_dom_sid) { + if (rg->domain_sid == NULL) { + talloc_free(user_info_dc); DEBUG(0, ("Cannot operate on a PAC without a resource domain SID")); return NT_STATUS_INVALID_PARAMETER; } - sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count; + sidcount = user_info_dc->num_sids + rg->groups.count; user_info_dc->sids = talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount); if (user_info_dc->sids == NULL) { 
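Review bot: The first hunk assigns `rg = &pac_logon_info->resource_groups;` unconditionally right after the declarations, so the `if (rg == NULL)` early return added in the second hunk can never be taken and the `NETLOGON_RESOURCE_GROUPS` test on `info3.base.user_flags` has no effect. As written, the resource group RIDs carried in the PAC are processed and added to `user_info_dc->sids` whenever `rg->groups.count > 0`, whether or not the flag is set. If the flag is meant to gate this, drop the early assignment so `rg` keeps its `NULL` initialiser until the flag check. If unconditional use is intended, remove the dead flag test and NULL branch and state that in a comment. The function body begins and ends outside these hunks.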
@@ -549,10 +562,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) { - user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid; - if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], - pac_logon_info->res_groups.rids[i].rid)) { + for (i = 0; i < rg->groups.count; i++) { + bool ok; + + user_info_dc->sids[user_info_dc->num_sids] = *rg->domain_sid; + ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], + rg->groups.rids[i].rid); + if (!ok) { return NT_STATUS_INVALID_PARAMETER; } user_info_dc->num_sids++; |
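Review bot: The `if (!ok)` branch inside the loop returns `NT_STATUS_INVALID_PARAMETER` without releasing `user_info_dc`. The other failure paths visible in this commit, the `> 65535` check and the missing `domain_sid` check that the commit itself fixes, call `talloc_free(user_info_dc)` first. Add `talloc_free(user_info_dc);` before that return so a failed `sid_append_rid()` does not leave a partially extended SID array behind. Where `user_info_dc` is allocated is not visible here, so whether this is a real leak or only an inconsistency depends on its talloc parent. The loop and the function continue outside the hunk.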