diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2012-12-29 15:13:54 +1100 |
|---|---|---|
| committer | Stefan Metzmacher <metze@samba.org> | 2013-01-21 16:12:45 +0100 |
| commit | 8f078cdf247476fad511bb6d7e00c8654fd26e85 (patch) | |
| tree | 224841e3e6b0531d20de16e336b84a32cdb085e7 /source4/dsdb/samdb/samdb.c | |
| parent | d36c03056fb85dfedbafd3a59497e35db63ade17 (diff) | |
| download | samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.tar.gz | |
dsdb: Ensure "authenticated users" is processed for group memberships
This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start. The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.
Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).
Andrew Bartlett
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/dsdb/samdb/samdb.c')
| -rw-r--r-- | source4/dsdb/samdb/samdb.c | 31 |
1 files changed, 0 insertions, 31 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 713448c4e81..361ece79f0a 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -143,37 +143,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, } } - /* - * Finally add the "standard" sids. - * The only difference between guest and "anonymous" - * is the addition of Authenticated_Users. - */ - - if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 2); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - if (!dom_sid_parse(SID_WORLD, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - - if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - } - - if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - } - /* The caller may have requested simple privilages, for example if there isn't a local DB */ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { /* Shortcuts to prevent recursion and avoid lookups */ |