authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-09-27 14:51:54 +1300
committerAndrew Bartlett <abartlet@samba.org>2023-02-08 00:03:39 +0000
commit94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6 (patch)
tree6843e5f44cf67cbb539faaca7d70229d9b808f52 /auth
parent673ee782d97c19bf240e37d4714e8a51fbf80457 (diff)
downloadsamba-94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6.tar.gz
auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we were including them in all tickets. Now that we have access to the group attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if we're creating a TGT. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'auth')
-rw-r--r--auth/auth_sam_reply.c31
-rw-r--r--auth/auth_sam_reply.h3
2 files changed, 31 insertions, 3 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 552834a1bb0..8a68f045547 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -99,6 +99,13 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ if (group_sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * Resource groups don't belong in the base
+ * RIDs, they're handled elsewhere.
+ */
+ continue;
+ }
if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
/* We handle this elsewhere */
continue;
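Review bot: The new comment on the added `continue` says resource groups are "handled elsewhere" without saying where, which leaves the next reader to rediscover that the base-RID list and the extra-SID list are populated by two different functions. I would make the comment point at the other half of the split, e.g. `/* Resource groups never go into the base RIDs; auth_convert_user_info_dc_saminfo6() decides whether they land in the extra SIDs. */`. Note this exclusion is unconditional here while the extra-SID side is gated by group_inclusion, which is presumably intended since base RIDs have no place for them; the enclosing loop and function continue outside the hunk.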
@@ -140,6 +147,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6)
{
NTSTATUS status;
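Review bot: The new `group_inclusion` parameter is not described in the function comment that ends just above the signature (only its tail `* the user_info_dc it was generated from */` is visible), so a caller has to read the loop body to learn what the two enum values do to the output. I would extend that comment with a line such as `@param group_inclusion AUTH_INCLUDE_RESOURCE_GROUPS copies SE_GROUP_RESOURCE groups into the extra SIDs; AUTH_EXCLUDE_RESOURCE_GROUPS drops them (use this for a TGT).` The same omission applies to the saminfo2 and saminfo3 signatures in the following two signature hunks and to the three prototypes in auth_sam_reply.h, where the header comment would be the natural home for it. The function body continues outside the hunk.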
@@ -168,7 +176,20 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
+ if (user_info_dc->sids[i].attrs & SE_GROUP_RESOURCE) {
+ /*
+ * If it's a resource group, check whether it should be
+ * included or filtered out.
+ */
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Include it. */
+ break;
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /* Ignore it. */
+ continue;
+ }
+ } else if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
continue;
}
sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
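Review bot: The new `switch (group_inclusion)` has no `default:` arm, so a value outside `enum auth_group_inclusion` (an uninitialised or mis-typed argument at some caller) matches nothing, drops out of the `if`, and the resource group is copied into `sam6->sids` on the next line, i.e. the permissive outcome for a list that ends up as ticket group membership; `-Wswitch` only covers missing enumerators, not out-of-range values. I would make that case fail closed, `default: return NT_STATUS_INVALID_PARAMETER;`, with the same cleanup the function's other error paths perform (those paths are outside the hunk, so I cannot see whether sam6 needs freeing here). A short comment on the `else if` explaining that in-domain non-resource groups are skipped because auth_convert_user_info_dc_sambaseinfo() already emitted them as base RIDs would also help, since the asymmetry between the two branches is the whole point of the change. The enclosing loop and function continue outside the hunk.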
@@ -211,6 +232,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2)
{
NTSTATUS status;
@@ -222,7 +244,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam2);
return status;
@@ -237,6 +260,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3)
{
NTSTATUS status;
@@ -248,7 +272,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam3);
return status;
diff --git a/auth/auth_sam_reply.h b/auth/auth_sam_reply.h
index d8a30c6b36f..4eebf0b06e3 100644
--- a/auth/auth_sam_reply.h
+++ b/auth/auth_sam_reply.h
@@ -47,12 +47,15 @@ struct auth_user_info *auth_user_info_copy(TALLOC_CTX *mem_ctx,
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6);
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2);
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3);
/**