From 4406cf792a599724f55777a45efb6367a9bd92b2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 20 May 2016 14:16:35 +0200
Subject: krb5pac.idl: introduce PAC_DOMAIN_GROUP_MEMBERSHIP to handle the
 resource groups

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 30 07:16:45 CEST 2016 on sn-devel-144
---
 auth/auth_sam_reply.c | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)

(limited to 'auth/auth_sam_reply.c')

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 319a8b03d9e..1929cd9d848 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -512,6 +512,10 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 	NTSTATUS nt_status;
 	union netr_Validation validation;
 	struct auth_user_info_dc *user_info_dc;
+	const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
+	size_t sidcount;
+
+	rg = &pac_logon_info->resource_groups;
 
 	validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3);
 
@@ -522,11 +526,19 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 		return nt_status;
 	}
 
-	if (pac_logon_info->res_groups.count > 0) {
-		size_t sidcount;
+	if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
+		rg = &pac_logon_info->resource_groups;
+	}
+
+	if (rg == NULL) {
+		*_user_info_dc = user_info_dc;
+		return NT_STATUS_OK;
+	}
+
+	if (rg->groups.count > 0) {
 		/* The IDL layer would be a better place to check this, but to
 		 * guard the integer addition below, we double-check */
-		if (pac_logon_info->res_groups.count > 65535) {
+		if (rg->groups.count > 65535) {
 			talloc_free(user_info_dc);
 			return NT_STATUS_INVALID_PARAMETER;
 		}
@@ -536,12 +548,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 		  trusted domains, and verify that the SID
 		  matches.
 		*/
-		if (!pac_logon_info->res_group_dom_sid) {
+		if (rg->domain_sid == NULL) {
+			talloc_free(user_info_dc);
 			DEBUG(0, ("Cannot operate on a PAC without a resource domain SID"));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 
-		sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count;
+		sidcount = user_info_dc->num_sids + rg->groups.count;
 		user_info_dc->sids
 			= talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
 		if (user_info_dc->sids == NULL) {
@@ -549,10 +562,13 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
-			user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid;
-			if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
-					    pac_logon_info->res_groups.rids[i].rid)) {
+		for (i = 0; i < rg->groups.count; i++) {
+			bool ok;
+
+			user_info_dc->sids[user_info_dc->num_sids] = *rg->domain_sid;
+			ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+					    rg->groups.rids[i].rid);
+			if (!ok) {
 				return NT_STATUS_INVALID_PARAMETER;
 			}
 			user_info_dc->num_sids++;
-- 
cgit v1.2.1