authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-09-27 14:51:54 +1300
committerAndrew Bartlett <abartlet@samba.org>2023-02-08 00:03:39 +0000
commit94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6 (patch)
tree6843e5f44cf67cbb539faaca7d70229d9b808f52 /librpc
parent673ee782d97c19bf240e37d4714e8a51fbf80457 (diff)
auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we were including them in all tickets. Now that we have access to the group attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if we're creating a TGT. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'librpc')
-rw-r--r--librpc/idl/auth.idl9
1 files changed, 9 insertions, 0 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index 5985d554606..582587e062f 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -95,6 +95,15 @@ interface auth
TICKET_TYPE_NON_TGT = 2
} ticket_type;
+ /*
+ * Used to indicate whether or not to include resource groups in the
+ * formation of SamInfo or a PAC.
+ */
+ typedef enum {
+ AUTH_INCLUDE_RESOURCE_GROUPS = 0,
+ AUTH_EXCLUDE_RESOURCE_GROUPS = 1
+ } auth_group_inclusion;
+
typedef [public] struct {
dom_sid sid;
security_GroupAttrs attrs;
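Review bot: The comment on `auth_group_inclusion` does not say which value goes with which ticket type, although the commit message states that resource group SIDs belong only in service tickets. Adding a line such as `* Resource groups belong only in service tickets: pass AUTH_EXCLUDE_RESOURCE_GROUPS when building a TGT.` would put that rule next to the enum. The zero value is `AUTH_INCLUDE_RESOURCE_GROUPS`, so a caller that leaves a variable of this type zero-initialised would presumably get the permissive behaviour. The callers are not visible in this hunk, so it is worth confirming that every TGT path sets the value explicitly. The enclosing `interface auth` block starts and ends outside the hunk.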