author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-09-27 14:51:54 +1300 |
committer | Andrew Bartlett <abartlet@samba.org> | 2023-02-08 00:03:39 +0000 |
commit | 94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6 (patch) | |
tree | 6843e5f44cf67cbb539faaca7d70229d9b808f52 /auth | |
parent | 673ee782d97c19bf240e37d4714e8a51fbf80457 (diff) | |
download | samba-94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6.tar.gz |
auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r-- | auth/auth_sam_reply.c | 31 | ||||
-rw-r--r-- | auth/auth_sam_reply.h | 3 |
2 files changed, 31 insertions, 3 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 552834a1bb0..8a68f045547 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -99,6 +99,13 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 	for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
 		struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+		if (group_sid->attrs & SE_GROUP_RESOURCE) {
+			/*
+			 * Resource groups don't belong in the base
+			 * RIDs, they're handled elsewhere.
+			 */
+			continue;
+		}
 		if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
 			/* We handle this elsewhere */
 			continue;
@@ -140,6 +147,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
  * the user_info_dc it was generated from */
 NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo6 **_sam6)
 {
 	NTSTATUS status;
@@ -168,7 +176,20 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
 	/* We don't put the user and group SIDs in there */
 	for (i=2; i<user_info_dc->num_sids; i++) {
-		if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
+		if (user_info_dc->sids[i].attrs & SE_GROUP_RESOURCE) {
+			/*
+			 * If it's a resource group, check whether it should be
+			 * included or filtered out.
+			 */
+			switch (group_inclusion) {
+			case AUTH_INCLUDE_RESOURCE_GROUPS:
+				/* Include it. */
+				break;
+			case AUTH_EXCLUDE_RESOURCE_GROUPS:
+				/* Ignore it. */
+				continue;
+			}
+		} else if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
 			continue;
 		}
 		sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
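Review bot: The `continue` added for SE_GROUP_RESOURCE groups in auth_convert_user_info_dc_sambaseinfo() is unconditional, so a resource group from the ticket's own domain never becomes a base RID under either inclusion policy, yet the comment only says they are "handled elsewhere". The `else if` in the -168 hunk is where that happens: for resource groups the dom_sid_in_domain() test is skipped and, under AUTH_INCLUDE_RESOURCE_GROUPS, the SID is appended to sam6->sids instead. I would name that in the comment, e.g. `/* Resource groups never go into the base RIDs; auth_convert_user_info_dc_saminfo6() decides per group_inclusion whether they are added to the extra SIDs. */`. The enclosing loop and function continue past the end of this hunk.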
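Review bot: The new `group_inclusion` parameter on auth_convert_user_info_dc_saminfo6() is not described by the comment preceding the definition, and the same holds for the saminfo2 and saminfo3 definitions in the -211 and -237 hunks and for the three prototypes in auth_sam_reply.h. Since this flag is what keeps resource groups out of a TGT, the contract belongs at the declaration site, something like `@param group_inclusion AUTH_EXCLUDE_RESOURCE_GROUPS when building a TGT (resource groups are dropped from the extra SIDs), AUTH_INCLUDE_RESOURCE_GROUPS for a service ticket`. Only the signature is visible here; the function body continues beyond the hunk.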
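Review bot: The `switch (group_inclusion)` added in auth_convert_user_info_dc_saminfo6() has no `default`, so any value other than the two named constants falls out of the switch and the resource group is appended to sam6->sids, which is the filter failing open in exactly the case it exists to prevent. A fail-closed `default:` makes the intent explicit and survives a future enum value: `default: return NT_STATUS_INVALID_PARAMETER;`, assuming the function's error path (outside this hunk) releases sam6 the way the saminfo2/saminfo3 callers TALLOC_FREE their contexts on a non-OK status; if it does not, `default: continue;` at least keeps the group out. -Wswitch would catch a missing enumerator but not an out-of-range value at runtime, so the default is still worth having. The function body continues outside the hunk.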
@@ -211,6 +232,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
  * the user_info_dc it was generated from */
 NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo2 **_sam2)
 {
 	NTSTATUS status;
@@ -222,7 +244,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
-	status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+	status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
+						    group_inclusion, &sam6);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(sam2);
 		return status;
@@ -237,6 +260,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
  * the user_info_dc it was generated from */
 NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo3 **_sam3)
 {
 	NTSTATUS status;
@@ -248,7 +272,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
-	status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+	status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
+						    group_inclusion, &sam6);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(sam3);
 		return status;
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index d8a30c6b36f..4eebf0b06e3 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -47,12 +47,15 @@ struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
 NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo6 **_sam6);
 NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo2 **_sam2);
 NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
 					    const struct auth_user_info_dc *user_info_dc,
+					    enum auth_group_inclusion group_inclusion,
 					    struct netr_SamInfo3 **_sam3);
 /**
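Review bot: The three prototypes now name `enum auth_group_inclusion`, but this diff adds no include for its definition to auth_sam_reply.h. If the enum is defined in a header this file does not already pull in, each prototype declares a parameter-scoped enum type (GCC warns it "will not be visible outside this definition") and callers passing the real enum get a type mismatch; a bare forward `enum auth_group_inclusion;` is not standard C either, so the defining header has to be included. The header's include list is outside this hunk, so this may already be satisfied.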