authorStefan Metzmacher <metze@samba.org>2018-03-13 21:38:27 +0100
committerStefan Metzmacher <metze@samba.org>2018-03-20 17:13:07 +0100
commite0e4aa1ac539d2811bd801e9e3b8f69d7e306f3b (patch)
tree2fc580dedc90846785f83e38de75fb66ed2f96d1 /source3/auth
parentc1f61c0816441be2061b3fd23db04dc60dcc64f7 (diff)
s3:auth: only call secrets_fetch_domain_sid() once in finalize_local_nt_token()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit c2ffbf9f764a94ef1dc1280741884cf63a017308)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/token_util.c35
1 files changed, 19 insertions, 16 deletions
diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index e5a12db1ba3..f3d24cdac2f 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -190,6 +190,9 @@ static NTSTATUS add_builtin_administrators(struct security_token *token,
if ( IS_DC ) {
sid_copy( &domadm, get_global_sam_sid() );
} else {
+ if (dom_sid == NULL) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
sid_copy(&domadm, dom_sid);
}
sid_append_rid( &domadm, DOMAIN_RID_ADMINS );
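Review bot: The new `dom_sid == NULL` guard in the non-DC branch changes the contract of add_builtin_administrators() without stating it anywhere: NULL is now acceptable on a DC and rejected everywhere else. A short comment above the check would make that explicit, for example `/* dom_sid is only optional on a DC; other roles need the fetched domain SID */`. Since this function decides whether BUILTIN\Administrators is added to a token, a DEBUG line naming the missing SID would also help, because the caller visible later in this diff only logs a generic "Failed to check for local Administrators membership" at level 3. The function body starts and ends outside this hunk.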
@@ -513,9 +516,11 @@ static NTSTATUS add_local_groups(struct security_token *result,
static NTSTATUS finalize_local_nt_token(struct security_token *result,
bool is_guest)
{
- struct dom_sid dom_sid;
+ struct dom_sid _dom_sid = { 0, };
+ struct dom_sid *domain_sid = NULL;
NTSTATUS status;
struct acct_info *info;
+ bool ok;
/* Add in BUILTIN sids */
@@ -547,6 +552,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
}
}
+ become_root();
+ ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
+ if (ok) {
+ domain_sid = &_dom_sid;
+ } else {
+ DEBUG(3, ("Failed to fetch domain sid for %s\n",
+ lp_workgroup()));
+ }
+ unbecome_root();
+
info = talloc_zero(talloc_tos(), struct acct_info);
if (info == NULL) {
DEBUG(0, ("talloc failed!\n"));
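Review bot: The `become_root()` / `secrets_fetch_domain_sid()` / `unbecome_root()` sequence now runs on every call to finalize_local_nt_token(), whereas the removed code raised privileges and read the secret only after a BUILTIN alias lookup had already failed. That lengthens the time spent as root during token construction and adds a secrets lookup to what is presumably the common path, where both aliases already exist. Consider fetching lazily from a small helper called in the two failure branches that caches the result in `domain_sid`, or add a comment explaining why the unconditional fetch is wanted. The function continues outside this hunk.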
@@ -561,18 +576,12 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
if (!NT_STATUS_IS_OK(status)) {
become_root();
- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
- status = NT_STATUS_OK;
- DEBUG(3, ("Failed to fetch domain sid for %s\n",
- lp_workgroup()));
- } else {
- status = create_builtin_administrators(&dom_sid);
- }
+ status = create_builtin_administrators(domain_sid);
unbecome_root();
if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
/* Add BUILTIN\Administrators directly to token. */
- status = add_builtin_administrators(result, &dom_sid);
+ status = add_builtin_administrators(result, domain_sid);
if ( !NT_STATUS_IS_OK(status) ) {
DEBUG(3, ("Failed to check for local "
"Administrators membership (%s)\n",
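Review bot: When the fetch fails, `create_builtin_administrators(domain_sid)` is now called with NULL, where the removed code skipped the call and set `status = NT_STATUS_OK`; the same applies to `create_builtin_users(domain_sid)` in the next hunk. Neither callee is part of this diff, so whether they tolerate a NULL SID cannot be confirmed from here, and an error they return may now surface as a token-build failure instead of being skipped. If the old skip-and-continue behaviour is meant to stay, guard the call, e.g. `status = (domain_sid != NULL) ? create_builtin_administrators(domain_sid) : NT_STATUS_OK;`; if failing here is intended, a comment saying so would help the next reader. The enclosing `if` block ends outside this hunk.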
@@ -593,13 +602,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
if (!NT_STATUS_IS_OK(status)) {
become_root();
- if (!secrets_fetch_domain_sid(lp_workgroup(), &dom_sid)) {
- status = NT_STATUS_OK;
- DEBUG(3, ("Failed to fetch domain sid for %s\n",
- lp_workgroup()));
- } else {
- status = create_builtin_users(&dom_sid);
- }
+ status = create_builtin_users(domain_sid);
unbecome_root();
if (!NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) &&