authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-09-27 14:51:54 +1300
committerAndrew Bartlett <abartlet@samba.org>2023-02-08 00:03:39 +0000
commit94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6 (patch)
tree6843e5f44cf67cbb539faaca7d70229d9b808f52 /source4/rpc_server
parent673ee782d97c19bf240e37d4714e8a51fbf80457 (diff)
auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we were including them in all tickets. Now that we have access to the group attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if we're creating a TGT. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/rpc_server')
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 314b469a718..7456422af74 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1469,6 +1469,7 @@ static void dcesrv_netr_LogonSamLogon_base_auth_done(struct tevent_req *subreq)
case 2:
nt_status = auth_convert_user_info_dc_saminfo2(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam2);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;
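Review bot: The new `AUTH_INCLUDE_RESOURCE_GROUPS` argument in the `case 2` call is passed without any comment saying why this path keeps resource groups, and the same bare flag is repeated in the `case 3` and `case 6` hunks. The commit message explains the rule for TGTs only; a reader of this file has to infer that SamLogon validation info is presumably consumed by the server doing the access check and so must carry groups with SE_GROUP_RESOURCE set. Since this choice decides which SIDs end up in the caller's authorization data, I would state it once above the switch, for example `/* Validation info is returned to the requesting server, not placed in a TGT, so resource groups are included. */`. All three calls sit in dcesrv_netr_LogonSamLogon_base_auth_done, whose body starts and ends outside these hunks, so whether a shared local would read better than three literal arguments cannot be judged from here.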
@@ -1482,6 +1483,7 @@ static void dcesrv_netr_LogonSamLogon_base_auth_done(struct tevent_req *subreq)
case 3:
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam3);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;
@@ -1495,6 +1497,7 @@ static void dcesrv_netr_LogonSamLogon_base_auth_done(struct tevent_req *subreq)
case 6:
nt_status = auth_convert_user_info_dc_saminfo6(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam6);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;