Diffstat (limited to 'source4')
| -rw-r--r-- | source4/auth/ntlm/auth.c | 2 | ||||
| -rw-r--r-- | source4/auth/ntlm/auth_developer.c | 5 | ||||
| -rw-r--r-- | source4/auth/sam.c | 32 | ||||
| -rw-r--r-- | source4/auth/session.c | 28 | ||||
| -rw-r--r-- | source4/auth/system_session.c | 60 | ||||
| -rw-r--r-- | source4/dsdb/common/util.c | 4 | ||||
| -rw-r--r-- | source4/dsdb/common/util_groups.c | 53 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/operational.c | 24 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.c | 6 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.h | 1 | ||||
| -rw-r--r-- | source4/kdc/pac-glue.c | 33 | ||||
| -rw-r--r-- | source4/torture/auth/pac.c | 24 | ||||
| -rw-r--r-- | source4/torture/rpc/remote_pac.c | 22 |
13 files changed, 185 insertions, 109 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index 09d660a392b..e678f703db5 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -421,7 +421,7 @@ _PUBLIC_ NTSTATUS auth_check_password_recv(struct tevent_req *req, state->user_info, status, state->user_info_dc->info->domain_name, state->user_info_dc->info->account_name, - &state->user_info_dc->sids[0]); + &state->user_info_dc->sids[0].sid); *user_info_dc = talloc_move(mem_ctx, &state->user_info_dc); diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c index 6e92252d5c5..330bcde4d02 100644 --- a/source4/auth/ntlm/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -82,9 +82,12 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ user_info_dc->num_sids = 1; - user_info_dc->sids = dom_sid_parse_talloc(user_info_dc, SID_NT_ANONYMOUS); + user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); + user_info_dc->sids->sid = global_sid_Anonymous; + user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 2b18d4dc3c0..ca26898f4ce 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -353,7 +353,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, const char *primary_group_dn; DATA_BLOB primary_group_blob; /* SID structures for the expanded group memberships */ - struct dom_sid *sids = NULL; + struct auth_SidAttr *sids = NULL; unsigned int num_sids = 0, i; struct dom_sid *domain_sid; TALLOC_CTX *tmp_ctx; 
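Review bot: The comment kept above the new allocation in name_to_ntstatus_check_password, `This returns a pointer to a struct dom_sid, which is the same as a 1 element list of struct dom_sid`, no longer describes the code, which now tallocs a single `struct auth_SidAttr` and fills `sid` and `attrs` by hand; the same stale comment survives in the auth_system_user_info_dc and auth_anonymous_user_info_dc hunks of source4/auth/system_session.c. I would replace it with `/* A one-element auth_SidAttr array holding the anonymous SID and its group attributes */` (and the System wording in the other hunk). Separately, the attribute triple `SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED` is spelled out verbatim here and in nearly every other hunk of this commit (sam.c, session.c, system_session.c, util_groups.c, operational.c, pac-glue.c); one named constant for the default group attributes would make the intent readable and keep a future change in a single place. The enclosing function starts before the hunk.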
@@ -368,7 +368,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sids = talloc_array(user_info_dc, struct dom_sid, 2); + sids = talloc_array(user_info_dc, struct auth_SidAttr, 2); if (sids == NULL) { TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; @@ -388,9 +388,13 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, return status; } - sids[PRIMARY_USER_SID_INDEX] = *account_sid; - sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; - sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); + sids[PRIMARY_USER_SID_INDEX].sid = *account_sid; + sids[PRIMARY_USER_SID_INDEX].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid; + sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX].sid, ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); + sids[PRIMARY_GROUP_SID_INDEX].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* * Filter out builtin groups from this token. We will search @@ -406,7 +410,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, primary_group_dn = talloc_asprintf( tmp_ctx, "<SID=%s>", - dom_sid_str_buf(&sids[PRIMARY_GROUP_SID_INDEX], &buf)); + dom_sid_str_buf(&sids[PRIMARY_GROUP_SID_INDEX].sid, &buf)); if (primary_group_dn == NULL) { TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; 
@@ -570,13 +574,15 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, PAC */ user_info_dc->sids = talloc_realloc(user_info_dc, user_info_dc->sids, - struct dom_sid, + struct auth_SidAttr, user_info_dc->num_sids+1); if (user_info_dc->sids == NULL) { TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; } - user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs; + user_info_dc->sids[user_info_dc->num_sids].sid = global_sid_Enterprise_DCs; + user_info_dc->sids[user_info_dc->num_sids].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; user_info_dc->num_sids++; } @@ -585,15 +591,17 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */ user_info_dc->sids = talloc_realloc(user_info_dc, user_info_dc->sids, - struct dom_sid, + struct auth_SidAttr, user_info_dc->num_sids+1); if (user_info_dc->sids == NULL) { TALLOC_FREE(user_info_dc); return NT_STATUS_NO_MEMORY; } - user_info_dc->sids[user_info_dc->num_sids] = *domain_sid; - sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], + user_info_dc->sids[user_info_dc->num_sids].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, DOMAIN_RID_ENTERPRISE_READONLY_DCS); + user_info_dc->sids[user_info_dc->num_sids].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; user_info_dc->num_sids++; } @@ -636,7 +644,7 @@ _PUBLIC_ NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx, */ n = user_info_dc->num_sids; for (i = 0; i < n; i++) { - struct dom_sid *sid = &user_info_dc->sids[i]; + struct dom_sid *sid = &user_info_dc->sids[i].sid; struct dom_sid_buf sid_buf; char dn_str[sizeof(sid_buf.buf)*2]; DATA_BLOB dn_blob = data_blob_null; diff --git a/source4/auth/session.c b/source4/auth/session.c index 34ad557eebb..5905964ecfc 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c 
@@ -62,7 +62,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, const char *filter; - struct dom_sid *sids = NULL; + struct auth_SidAttr *sids = NULL; const struct dom_sid *anonymous_sid, *system_sid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -110,7 +110,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids); + sids = talloc_array(tmp_ctx, struct auth_SidAttr, user_info_dc->num_sids); if (sids == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; 
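Review bot: The local `sids` in auth_generate_session_info is now allocated as `struct auth_SidAttr` sized by `user_info_dc->num_sids`, but the code that copies `user_info_dc->sids` into it lies outside this hunk, so I cannot see whether it assigns element-wise or uses `memcpy`. An element-wise assignment follows the new type automatically, whereas a `memcpy` sized with `sizeof(struct dom_sid)` would still compile, copy too few bytes and leave every `attrs` field uninitialised before the later hunks read the array. Worth confirming that copy loop; the function continues past the hunk.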
@@ -129,48 +129,52 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, */ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { - sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2); + sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 2); if (sids == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } - sid_copy(&sids[num_sids], &global_sid_World); + sid_copy(&sids[num_sids].sid, &global_sid_World); + sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; num_sids++; - sid_copy(&sids[num_sids], &global_sid_Network); + sid_copy(&sids[num_sids].sid, &global_sid_Network); + sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1); + sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1); if (sids == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } - sid_copy(&sids[num_sids], &global_sid_Authenticated_Users); + sid_copy(&sids[num_sids].sid, &global_sid_Authenticated_Users); + sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_NTLM) { - sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1); + sids = talloc_realloc(tmp_ctx, sids, struct auth_SidAttr, num_sids + 1); if (sids == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } - if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids])) { + if (!dom_sid_parse(SID_NT_NTLM_AUTHENTICATION, &sids[num_sids].sid)) { TALLOC_FREE(tmp_ctx); return NT_STATUS_INTERNAL_ERROR; } + sids[num_sids].attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; num_sids++; } - if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) { + if (num_sids > 
PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) { + } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX].sid)) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", @@ -185,7 +189,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, sid_dn = talloc_asprintf( tmp_ctx, "<SID=%s>", - dom_sid_str_buf(&sids[i], &buf)); + dom_sid_str_buf(&sids[i].sid, &buf)); if (sid_dn == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 17cfc4bab8b..da15f6bf0da 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -125,9 +125,12 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name, /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ user_info_dc->num_sids = 1; - user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_System); + user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); + user_info_dc->sids->sid = global_sid_System; + user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); 
@@ -199,24 +202,38 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY(user_info_dc); user_info_dc->num_sids = 7; - user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids); - - user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *domain_sid; - sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR); - - user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; - sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], DOMAIN_RID_USERS); - - user_info_dc->sids[2] = global_sid_Builtin_Administrators; - - user_info_dc->sids[3] = *domain_sid; - sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS); - user_info_dc->sids[4] = *domain_sid; - sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS); - user_info_dc->sids[5] = *domain_sid; - sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS); - user_info_dc->sids[6] = *domain_sid; - sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS); + user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids); + + user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, DOMAIN_RID_ADMINISTRATOR); + user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, DOMAIN_RID_USERS); + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + + user_info_dc->sids[2].sid = global_sid_Builtin_Administrators; + user_info_dc->sids[2].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + + user_info_dc->sids[3].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[3].sid, DOMAIN_RID_ADMINS); + 
user_info_dc->sids[3].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + user_info_dc->sids[4].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[4].sid, DOMAIN_RID_ENTERPRISE_ADMINS); + user_info_dc->sids[4].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + user_info_dc->sids[5].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[5].sid, DOMAIN_RID_POLICY_ADMINS); + user_info_dc->sids[5].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + user_info_dc->sids[6].sid = *domain_sid; + sid_append_rid(&user_info_dc->sids[6].sid, DOMAIN_RID_SCHEMA_ADMINS); + user_info_dc->sids[6].attrs + = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; /* What should the session key be?*/ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); @@ -370,9 +387,12 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx, /* This returns a pointer to a struct dom_sid, which is the * same as a 1 element list of struct dom_sid */ user_info_dc->num_sids = 1; - user_info_dc->sids = dom_sid_dup(user_info_dc, &global_sid_Anonymous); + user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); + user_info_dc->sids->sid = global_sid_Anonymous; + user_info_dc->sids->attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + /* annoying, but the Anonymous really does have a session key... */ user_info_dc->user_session_key = data_blob_talloc(user_info_dc, NULL, 16); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->user_session_key.data); diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index 2cde400daa6..2c4bc980f80 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c 
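Review bot: In auth_domain_admin_user_info_dc the rewritten `user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids);` is still followed immediately by writes to `user_info_dc->sids[PRIMARY_USER_SID_INDEX]` with no allocation check, unlike the sibling hunks in this file, which put `NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);` straight after the talloc; I would add that line here. Since each of the seven entries now needs `.sid`, a `sid_append_rid` and `.attrs`, a small table of RIDs filled in by a loop would also remove the repetition and make it harder to forget an attrs assignment when the count changes. The function starts before the hunk.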
@@ -6369,7 +6369,7 @@ done: * if not. Returns a negative value on error. */ int dsdb_is_protected_user(struct ldb_context *ldb, - const struct dom_sid *sids, + const struct auth_SidAttr *sids, uint32_t num_sids) { const struct dom_sid *domain_sid = NULL; @@ -6387,7 +6387,7 @@ int dsdb_is_protected_user(struct ldb_context *ldb, } for (i = 0; i < num_sids; ++i) { - if (dom_sid_equal(&protected_users_sid, &sids[i])) { + if (dom_sid_equal(&protected_users_sid, &sids[i].sid)) { return 1; } } diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c index c2075de25b8..97dc50c5ecf 100644 --- a/source4/dsdb/common/util_groups.c +++ b/source4/dsdb/common/util_groups.c @@ -27,15 +27,22 @@ #include "dsdb/common/util.h" /* This function tests if a SID structure "sids" contains the SID "sid" */ -static bool sids_contains_sid(const struct dom_sid *sids, +static bool sids_contains_sid(const struct auth_SidAttr *sids, const unsigned int num_sids, - const struct dom_sid *sid) + const struct dom_sid *sid, + uint32_t attrs) { unsigned int i; for (i = 0; i < num_sids; i++) { - if (dom_sid_equal(&sids[i], sid)) - return true; + if (attrs != sids[i].attrs) { + continue; + } + if (!dom_sid_equal(&sids[i].sid, sid)) { + continue; + } + + return true; } return false; } @@ -56,13 +63,12 @@ static bool sids_contains_sid(const struct dom_sid *sids, */ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, struct ldb_val *dn_val, const bool only_childs, const char *filter, - TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids, + TALLOC_CTX *res_sids_ctx, struct auth_SidAttr **res_sids, unsigned int *num_res_sids) { - const char * const attrs[] = { "memberOf", NULL }; + const char * const attrs[] = { "groupType", "memberOf", NULL }; unsigned int i; int ret; - bool already_there; struct ldb_dn *dn; struct dom_sid sid; TALLOC_CTX *tmp_ctx; 
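Review bot: The comment above sids_contains_sid, `This function tests if a SID structure "sids" contains the SID "sid"`, is now incomplete: with the new `attrs` parameter the function answers whether the list contains `sid` with exactly those attributes, so an entry carrying the same SID but different attrs is reported as absent. The comparison `attrs != sids[i].attrs` shows this is deliberate, but it deserves a sentence, so I would reword the comment to `/* Returns true if "sids" holds "sid" with attributes exactly equal to "attrs" */` and state why a group cannot in practice appear twice with different attrs (the attrs are derived from its groupType, which is fixed per group), if that is the intent.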
@@ -113,14 +119,6 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN); } else { - /* This is an O(n^2) linear search */ - already_there = sids_contains_sid(*res_sids, - *num_res_sids, &sid); - if (already_there) { - talloc_free(tmp_ctx); - return NT_STATUS_OK; - } - ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s", filter); @@ -172,13 +170,34 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, /* We only apply this test once we know the SID matches the filter */ if (!only_childs) { + unsigned group_type; + uint32_t sid_attrs; + bool already_there; + + sid_attrs = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + group_type = ldb_msg_find_attr_as_uint(res->msgs[0], "groupType", 0); + if (group_type & GROUP_TYPE_RESOURCE_GROUP) { + sid_attrs |= SE_GROUP_RESOURCE; + } + + /* This is an O(n^2) linear search */ + already_there = sids_contains_sid(*res_sids, *num_res_sids, + &sid, sid_attrs); + if (already_there) { + talloc_free(tmp_ctx); + return NT_STATUS_OK; + } + *res_sids = talloc_realloc(res_sids_ctx, *res_sids, - struct dom_sid, *num_res_sids + 1); + struct auth_SidAttr, *num_res_sids + 1); if (*res_sids == NULL) { TALLOC_FREE(tmp_ctx); return NT_STATUS_NO_MEMORY; } - (*res_sids)[*num_res_sids] = sid; + + (*res_sids)[*num_res_sids].sid = sid; + (*res_sids)[*num_res_sids].attrs = sid_attrs; + ++(*num_res_sids); } diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 2b3cd2d7954..a4ef129c467 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -76,6 +76,8 @@ #include "libcli/security/security.h" +#include "auth/auth.h" + #ifndef ARRAY_SIZE #define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0])) #endif 
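Review bot: The `already_there` check has moved from before the `dsdb_search` to after it, so an already-collected group now costs a base-scope search before being skipped, where previously dsdb_expand_nested_groups returned without touching the directory. It looks like the reordering is forced because `sid_attrs` depends on the freshly read `groupType`, but nothing in the hunk says so; a comment such as `/* groupType is needed to compute sid_attrs, so the duplicate check has to follow the search */` beside the relocated check would stop the next reader from "optimising" it back. The function continues outside the hunk.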
@@ -149,7 +151,7 @@ static int construct_primary_group_token(struct ldb_module *module, */ static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, struct ldb_message *msg, const char *attribute_string, - enum search_type type, struct dom_sid **groupSIDs, + enum search_type type, struct auth_SidAttr **groupSIDs, unsigned int *num_groupSIDs) { const char *filter = NULL; @@ -204,7 +206,7 @@ static int get_group_sids(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, /* for RevMembGetAccountGroups, exclude built-in groups */ case ACCOUNT_GROUPS: filter = talloc_asprintf(mem_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", - GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); + GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); break; } @@ -280,7 +282,7 @@ static int construct_generic_token_groups(struct ldb_module *module, TALLOC_CTX *tmp_ctx = talloc_new(msg); unsigned int i; int ret; - struct dom_sid *groupSIDs = NULL; + struct auth_SidAttr *groupSIDs = NULL; unsigned int num_groupSIDs = 0; if (scope != LDB_SCOPE_BASE) { @@ -299,7 +301,7 @@ static int construct_generic_token_groups(struct ldb_module *module, /* add these SIDs to the search result */ for (i=0; i < num_groupSIDs; i++) { - ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i]); + ret = samdb_msg_add_dom_sid(ldb, msg, msg, attribute_string, &groupSIDs[i].sid); if (ret) { talloc_free(tmp_ctx); return ret; @@ -1070,7 +1072,7 @@ static int pso_compare(struct ldb_message **m1, struct ldb_message **m2) */ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, struct ldb_request *parent, - struct dom_sid *sid_array, unsigned int num_sids, + struct auth_SidAttr *sid_array, unsigned int num_sids, struct ldb_result **result) { int ret; 
@@ -1096,7 +1098,7 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, sid_filter = talloc_asprintf_append( sid_filter, "(msDS-PSOAppliesTo=<SID=%s>)", - dom_sid_str_buf(&sid_array[i], &sid_buf)); + dom_sid_str_buf(&sid_array[i].sid, &sid_buf)); } if (sid_filter == NULL) { @@ -1125,7 +1127,7 @@ static int pso_search_by_sids(struct ldb_module *module, TALLOC_CTX *mem_ctx, * Returns the best PSO object that applies to the object SID(s) specified */ static int pso_find_best(struct ldb_module *module, TALLOC_CTX *mem_ctx, - struct ldb_request *parent, struct dom_sid *sid_array, + struct ldb_request *parent, struct auth_SidAttr *sid_array, unsigned int num_sids, struct ldb_message **best_pso) { struct ldb_result *res = NULL; @@ -1160,7 +1162,7 @@ static int get_pso_for_user(struct ldb_module *module, struct ldb_message **pso_msg) { bool pso_supported; - struct dom_sid *groupSIDs = NULL; + struct auth_SidAttr *groupSIDs = NULL; unsigned int num_groupSIDs = 0; struct ldb_context *ldb = ldb_module_get_ctx(module); struct ldb_message *best_pso = NULL; @@ -1219,10 +1221,12 @@ static int get_pso_for_user(struct ldb_module *module, el = ldb_msg_find_element(user_msg, "msDS-PSOApplied"); if (el != NULL && el->num_values > 0) { - struct dom_sid *user_sid = NULL; + struct auth_SidAttr *user_sid = NULL; /* lookup the best PSO object, based on the user's SID */ - user_sid = samdb_result_dom_sid(tmp_ctx, user_msg, "objectSid"); + user_sid = samdb_result_dom_sid_attrs( + tmp_ctx, user_msg, "objectSid", + SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED); ret = pso_find_best(module, tmp_ctx, parent, user_sid, 1, &best_pso); diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index d5890dec03e..98fcb7a0b56 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c 
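Review bot: In get_pso_for_user the new `samdb_result_dom_sid_attrs(tmp_ctx, user_msg, "objectSid", ...)` result is handed straight to `pso_find_best(module, tmp_ctx, parent, user_sid, 1, &best_pso)` without a NULL check; assuming the helper returns NULL when `objectSid` is absent or allocation fails, as its name suggests, pso_search_by_sids would then read `sid_array[0].sid` through a null pointer. The old `samdb_result_dom_sid` call had the same gap, but since the line is being rewritten this is the moment to add `if (user_sid == NULL) { talloc_free(tmp_ctx); return ldb_operr(ldb); }` in whatever form matches the function's existing cleanup. The function starts before the hunk.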
@@ -163,7 +163,7 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, unsigned int num_sids, - struct dom_sid *sids, + struct auth_SidAttr *sids, uint32_t session_info_flags, struct security_token **token) { @@ -184,7 +184,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, for (check_sid_idx = 0; check_sid_idx < ptoken->num_sids; check_sid_idx++) { - if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) { + if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i].sid)) { break; } } @@ -193,7 +193,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->sids[ptoken->num_sids] = sids[i]; + ptoken->sids[ptoken->num_sids] = sids[i].sid; ptoken->num_sids++; } } diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h index f2f738121f9..d76cbeba841 100644 --- a/source4/dsdb/samdb/samdb.h +++ b/source4/dsdb/samdb/samdb.h @@ -22,6 +22,7 @@ #ifndef __SAMDB_H__ #define __SAMDB_H__ +struct auth_SidAttr; struct auth_session_info; struct dsdb_control_current_partition; struct dsdb_extended_replicated_object; diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c index e9b951ff48e..e1a44bf8e1f 100644 --- a/source4/kdc/pac-glue.c +++ b/source4/kdc/pac-glue.c @@ -93,7 +93,7 @@ NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx, ZERO_STRUCT(pac_requester_sid); - pac_requester_sid.requester_sid.sid = info->sids[0]; + pac_requester_sid.requester_sid.sid = info->sids[0].sid; ndr_err = ndr_push_union_blob(requester_sid_blob, mem_ctx, &pac_requester_sid, 
@@ -140,7 +140,7 @@ NTSTATUS samba_get_upn_info_pac_blob(TALLOC_CTX *mem_ctx, = info->info->account_name; pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid - = &info->sids[0]; + = &info->sids[0].sid; ndr_err = ndr_push_union_blob(upn_data, mem_ctx, &pac_upn, PAC_TYPE_UPN_DNS_INFO, @@ -802,10 +802,12 @@ static NTSTATUS samba_add_asserted_identity(TALLOC_CTX *mem_ctx, dom_sid_parse(sid_str, &ai_sid); - return add_sid_to_array_unique(user_info_dc, - &ai_sid, - &user_info_dc->sids, - &user_info_dc->num_sids); + return add_sid_to_array_attrs_unique( + user_info_dc, + &ai_sid, + SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED, + &user_info_dc->sids, + &user_info_dc->num_sids); } /* @@ -1259,7 +1261,7 @@ krb5_error_code samba_kdc_validate_pac_blob( goto out; } - pac_sid = pac_user_info->sids[0]; + pac_sid = pac_user_info->sids[0].sid; } else if (code != 0) { goto out; } @@ -1484,6 +1486,10 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, if (is_untrusted) { struct auth_user_info_dc *user_info_dc = NULL; WERROR werr; + + struct dom_sid *object_sids = NULL; + uint32_t j; + /* * In this case the RWDC discards the PAC an RODC generated. * Windows adds the asserted_identity in this case too. @@ -1533,10 +1539,21 @@ krb5_error_code samba_kdc_update_pac(TALLOC_CTX *mem_ctx, * Check if the SID list in the user_info_dc intersects * correctly with the RODC allow/deny lists. */ + object_sids = talloc_array(mem_ctx, struct dom_sid, user_info_dc->num_sids); + if (object_sids == NULL) { + code = ENOMEM; + goto done; + } + + for (j = 0; j < user_info_dc->num_sids; ++j) { + object_sids[j] = user_info_dc->sids[j].sid; + } + werr = samba_rodc_confirm_user_is_allowed(user_info_dc->num_sids, - user_info_dc->sids, + object_sids, krbtgt, client); + TALLOC_FREE(object_sids); TALLOC_FREE(user_info_dc); if (!W_ERROR_IS_OK(werr)) { code = KRB5KDC_ERR_TGT_REVOKED; 
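Review bot: In samba_kdc_update_pac the new `object_sids` copy is allocated on `mem_ctx`, and its failure path does `code = ENOMEM; goto done;`, which skips the `TALLOC_FREE(user_info_dc)` that the success path performs a few lines later; if `user_info_dc` is parented on `mem_ctx` that only delays the release, otherwise the error path leaks it. Allocating the copy under the object it mirrors, `object_sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids);`, and freeing `user_info_dc` before the `goto done` lets the existing `TALLOC_FREE(user_info_dc)` release both and makes the separate `TALLOC_FREE(object_sids)` unnecessary. A short comment that the flattening exists only because samba_rodc_confirm_user_is_allowed still takes `struct dom_sid *` would also explain why attrs are dropped here. The function continues outside the hunk.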
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index c019c09672c..50ac17ad07b 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -170,8 +170,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) &user_info_dc_out, NULL, NULL); /* The user's SID is the first element in the list */ - if (!dom_sid_equal(user_info_dc->sids, - user_info_dc_out->sids)) { + if (!dom_sid_equal(&user_info_dc->sids[0].sid, + &user_info_dc_out->sids[0].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -182,8 +182,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, user_info_dc->sids), - dom_sid_string(mem_ctx, user_info_dc_out->sids))); + dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid), + dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); } talloc_free(user_info_dc_out); @@ -232,13 +232,13 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - if (!dom_sid_equal(user_info_dc->sids, - user_info_dc_out->sids)) { + if (!dom_sid_equal(&user_info_dc->sids[0].sid, + &user_info_dc_out->sids[0].sid)) { torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, user_info_dc->sids), - dom_sid_string(mem_ctx, user_info_dc_out->sids))); + dom_sid_string(mem_ctx, &user_info_dc->sids[0].sid), + dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); } return true; } 
@@ -447,7 +447,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - user_info_dc_out->sids)) { + &user_info_dc_out->sids[0].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -458,7 +458,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, user_info_dc_out->sids))); + dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); } talloc_free(user_info_dc_out); @@ -506,7 +506,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - user_info_dc_out->sids)) { + &user_info_dc_out->sids[0].sid)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -517,7 +517,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, user_info_dc_out->sids))); + dom_sid_string(mem_ctx, &user_info_dc_out->sids[0].sid))); } if (krbtgt_bytes == NULL) { diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index b899aafb0e0..34d369194b5 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c 
@@ -981,8 +981,8 @@ static bool test_S4U2Self(struct torture_context *tctx, /* Check that the primary group is not duplicated in user_info_dc SID array */ for (i = 2; i < netlogon_user_info_dc->num_sids; i++) { - torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1], - &netlogon_user_info_dc->sids[i]), + torture_assert(tctx, !dom_sid_equal(&netlogon_user_info_dc->sids[1].sid, + &netlogon_user_info_dc->sids[i].sid), "Duplicate PrimaryGroupId in return SID array"); } @@ -1007,14 +1007,14 @@ static bool test_S4U2Self(struct torture_context *tctx, ai_auth_authority_count = 0; ai_service_count = 0; for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) { - ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i], + ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid, ai_auth_authority); if (ok) { ai_auth_authority_count++; kinit_asserted_identity_index = i; } - ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i], + ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i].sid, ai_service); if (ok) { ai_service_count++; @@ -1030,14 +1030,14 @@ static bool test_S4U2Self(struct torture_context *tctx, ai_auth_authority_count = 0; ai_service_count = 0; for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) { - ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i], + ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid, ai_auth_authority); if (ok) { ai_auth_authority_count++; s4u2self_asserted_identity_index = i; } - ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i], + ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i].sid, ai_service); if (ok) { ai_service_count++; 
@@ -1063,11 +1063,11 @@ static bool test_S4U2Self(struct torture_context *tctx, /* Skip over the asserted identity SID. */ ++k; } - torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[j]), "Different domain groups for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s4u2self_session_info->torture->dc_sids[k]), "Different domain groups for S4U2Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[k]), "Returned BUILTIN domain in groups for S4U2Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[j]), "Returned BUILTIN domain in groups kinit-based PAC"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); + torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i].sid, &kinit_session_info->torture->dc_sids[j].sid), "Different domain groups for kinit-based PAC"); + torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i].sid, &s4u2self_session_info->torture->dc_sids[k].sid), "Different domain groups for S4U2Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[k].sid), "Returned BUILTIN domain in groups for S4U2Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->torture->dc_sids[j].sid), "Returned BUILTIN domain in groups kinit-based PAC"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_user_info_dc->sids[i].sid), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); } return true; |
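Review bot: The rewritten assertion message on the last `+` line of test_S4U2Self still carries the typo `domian`: `"Returned BUILTIN domian in groups from NETLOGON SamLogon reply"` should read `"Returned BUILTIN domain in groups from NETLOGON SamLogon reply"`, matching the two messages directly above it. Since the line is being touched anyway, fixing the spelling keeps the torture output consistent and greppable. The function starts before the hunk.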
