author | Stefan Metzmacher <metze@samba.org> | 2018-02-02 04:08:47 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-03-19 20:30:51 +0100 |
commit | d6ee0651193f4e3d92d0ece162813eae8e128cb6 (patch) | |
tree | 9e1766cfc0156ecd505d3c2a8cd28c7f5278ac39 /source4/auth | |
parent | ef447434cb638563d1031a676ecbf1bf70a5e9ed (diff) | |
s4:auth: split out a authsam_domain_group_filter() function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/sam.c | 50 |
1 files changed, 44 insertions, 6 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 49e34baf145..bb64bd98a29 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -286,6 +286,41 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
 
+static NTSTATUS authsam_domain_group_filter(TALLOC_CTX *mem_ctx,
+ char **_filter)
+{
+ char *filter = NULL;
+
+ *_filter = NULL;
+
+ filter = talloc_strdup(mem_ctx, "(&(objectClass=group)");
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * Skip all builtin groups, they're added later.
+ */
+ filter = talloc_asprintf_append_buffer(filter,
+ "(!(groupType:1.2.840.113556.1.4.803:=%u))",
+ GROUP_TYPE_BUILTIN_LOCAL_GROUP);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ /*
+ * Only include security groups.
+ */
+ filter = talloc_asprintf_append_buffer(filter,
+ "(groupType:1.2.840.113556.1.4.803:=%u))",
+ GROUP_TYPE_SECURITY_ENABLED);
+ if (filter == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *_filter = filter;
+ return NT_STATUS_OK;
+}
+
 _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 struct ldb_context *sam_ctx,
 const char *netbios_name,
@@ -300,7 +335,8 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 NTSTATUS status;
 struct auth_user_info_dc *user_info_dc;
 struct auth_user_info *info;
- const char *str, *filter;
+ const char *str = NULL;
+ char *filter = NULL;
 /* SIDs for the account and his primary group */
 struct dom_sid *account_sid;
 const char *primary_group_string;
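Review bot: In authsam_domain_group_filter() each failed `talloc_asprintf_append_buffer()` call overwrites `filter` with NULL, so the partially built string stays parented to `mem_ctx` until that context is freed; that is harmless only while callers pass a short-lived context, as the `tmp_ctx` call site in the last hunk appears to. Assigning the result to a temporary and calling `TALLOC_FREE(filter)` before `return NT_STATUS_NO_MEMORY;` would make the helper safe with any context. The bitwise-AND matching rule is spelled twice as the literal `1.2.840.113556.1.4.803`; if ldb.h's `LDB_OID_COMPARATOR_AND` is in scope here, `"(groupType:" LDB_OID_COMPARATOR_AND ":=%u))"` says what the rule is. Going by the call site's comment, this filter selects the groups that end up in the token, so a header comment such as `/* Builds the LDAP filter for domain security groups from constants only; result is owned by mem_ctx, *_filter is NULL on failure. */` is worth adding, together with a remark that any value appended later from directory or client data must go through `ldb_binary_encode_string()`.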
@@ -346,13 +382,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
 sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
 sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
 
- /* Filter out builtin groups from this token. We will search
+ /*
+ * Filter out builtin groups from this token. We will search
 * for builtin groups later, and not include them in the PAC
- * on SamLogon validation info */
- filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
- if (filter == NULL) {
+ * or SamLogon validation info.
+ */
+ status = authsam_domain_group_filter(tmp_ctx, &filter);
+ if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(user_info_dc);
- return NT_STATUS_NO_MEMORY;
+ return status;
 }
 
 primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]); |