authorStefan Metzmacher <metze@samba.org>2018-02-01 23:12:36 +0100
committerAndreas Schneider <asn@cryptomilk.org>2018-03-19 20:30:51 +0100
commit4565ac59984895ba8235a2da5afeaec48e97c41d (patch)
tree70001fdd54627adfe77a9c970e234962cf2349e6 /source4
parentd6ee0651193f4e3d92d0ece162813eae8e128cb6 (diff)
s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.h3
-rw-r--r--source4/auth/sam.c62
2 files changed, 65 insertions, 0 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index f88489b6f60..51895c9259f 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -136,6 +136,9 @@ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_
struct ldb_message *msg,
DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
struct auth_user_info_dc **_user_info_dc);
+NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ struct auth_user_info_dc *user_info_dc);
NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct auth_session_info **_session_info) ;
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index bb64bd98a29..fb309f5100e 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -589,6 +589,68 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+_PUBLIC_ NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
+ struct ldb_context *sam_ctx,
+ struct auth_user_info_dc *user_info_dc)
+{
+ char *filter = NULL;
+ NTSTATUS status;
+ uint32_t i;
+ uint32_t n = 0;
+
+ /*
+ * This function exists to expand group memberships
+ * in the local domain (forest), as the token
+ * may come from a different domain.
+ */
+
+ /*
+ * Filter out builtin groups from this token. We will search
+ * for builtin groups later.
+ */
+ status = authsam_domain_group_filter(mem_ctx, &filter);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(user_info_dc);
+ return status;
+ }
+
+ /*
+ * We loop only over the existing number of
+ * sids.
+ */
+ n = user_info_dc->num_sids;
+ for (i = 0; i < n; i++) {
+ struct dom_sid *sid = &user_info_dc->sids[i];
+ char sid_buf[DOM_SID_STR_BUFLEN] = {0,};
+ char dn_str[DOM_SID_STR_BUFLEN*2] = {0,};
+ DATA_BLOB dn_blob = data_blob_null;
+ int len;
+
+ len = dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
+ if (len+1 > sizeof(sid_buf)) {
+ return NT_STATUS_INVALID_SID;
+ }
+ snprintf(dn_str, sizeof(dn_str), "<SID=%s>", sid_buf);
+ dn_blob = data_blob_string_const(dn_str);
+
+ /*
+ * We already have the SID in the token, so set
+ * 'only childs' flag to true and add all
+ * groups which match the filter.
+ */
+ status = dsdb_expand_nested_groups(sam_ctx, &dn_blob,
+ true, filter,
+ user_info_dc,
+ &user_info_dc->sids,
+ &user_info_dc->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
TALLOC_CTX *mem_ctx, const char *principal,
const char **attrs,
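Review bot: The error path after authsam_domain_group_filter() calls `TALLOC_FREE(user_info_dc)` on a structure this function does not own — user_info_dc is handed in by the caller, and the two other failure returns in the same function (NT_STATUS_INVALID_SID and a failed dsdb_expand_nested_groups()) leave it intact, so a caller that still holds its pointer is left with a dangling reference on that one path. The block should just be `if (!NT_STATUS_IS_OK(status)) { return status; }`, keeping ownership with the caller as elsewhere in the function. The filter string is talloc'd on mem_ctx and never released; adding `TALLOC_FREE(filter);` before each return would stop it outliving the call. The comment "We will search for builtin groups later" reads as copied from authsam_make_user_info_dc(): nothing in this function performs that later search, so it should say only that builtin groups are excluded from the expansion here, with a pointer to where they are handled if that is known.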