authorAndrew Bartlett <abartlet@samba.org>2010-10-02 05:09:42 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-10-02 09:11:37 +1000
commita82e3abc707ecaf68ee26828f11987d621ec1bb5 (patch)
treea27d6cb91f4993253961bfaaaf13a77594a6b49f
parent6488d5bc0b585d91b185ae37315293123c4b1001 (diff)
s4-auth Add make_server_info_pac() to include 'resource domain' groups
Previously, our PAC code didn't include these groups in the server_info from which we would eventually calculate the full list of tokenGroups. Andrew Bartlett
-rw-r--r--source4/auth/auth_sam_reply.c37
-rw-r--r--source4/auth/kerberos/kerberos_pac.c8
2 files changed, 40 insertions, 5 deletions
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index b234f87215..0c03e78493 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
+/**
+ * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ */
+NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+ struct PAC_LOGON_INFO *pac_logon_info,
+ struct auth_serversupplied_info **_server_info)
+{
+ uint32_t i;
+ NTSTATUS nt_status;
+ union netr_Validation validation;
+ struct auth_serversupplied_info *server_info;
+
+ validation.sam3 = &pac_logon_info->info3;
+
+ nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ if (pac_logon_info->res_groups.count > 0) {
+ struct dom_sid **rgrps;
+ size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
+ server_info->domain_groups = rgrps
+ = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps);
+
+ for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
+ size_t sid_idx = server_info->n_domain_groups + i;
+ rgrps[sid_idx]
+ = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
+ pac_logon_info->res_groups.rids[i].rid);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+ }
+ }
+ *_server_info = server_info;
+ return NT_STATUS_OK;
+}
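Review bot: The allocation check at the end of the loop indexes the wrong slot: `sid_idx` already includes `server_info->n_domain_groups`, so `rgrps[server_info->n_domain_groups + sid_idx]` reads past the `sidcount` entries just reallocated whenever the server_info already had domain groups, while the entry actually written is never checked and a NULL from `dom_sid_add_rid()` would be stored and dereferenced later; it should read `NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);`. The resource-group SIDs also never become visible: `n_domain_groups` is not advanced after the realloc, so any consumer iterating `domain_groups` up to that count stops before the new entries, which defeats the purpose of the commit — add `server_info->n_domain_groups = sidcount;` after the loop. Once the count is advanced, a PAC with `res_groups.count > 0` but a NULL `res_group_dom_sid` would expose uninitialised pointer slots, because the loop condition skips every iteration; move that check into the outer condition, `if (pac_logon_info->res_groups.count > 0 && pac_logon_info->res_group_dom_sid != NULL) {`. The header comment could additionally state that the returned server_info is allocated on mem_ctx and is left there on a NO_MEMORY return, since the function has no cleanup path of its own.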
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index aca807e78d..40f0cf7cf8 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
}
/* Pull this right into the normal auth sysstem structures */
- validation.sam3 = &info.logon_info.info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
- "",
- 3, &validation,
- &server_info_out);
+ nt_status = make_server_info_pac(mem_ctx,
+ info.logon_info.info,
+ &server_info_out);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return EINVAL;
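Review bot: If the removed `validation.sam3 = ...` assignment was the only use of the `validation` local in kerberos_pac_to_server_info(), its declaration (above this hunk) is now dead and will trigger an unused-variable warning; drop the `union netr_Validation validation;` line. Note also that every NTSTATUS from the new helper, including the NT_STATUS_NO_MEMORY it can now return from the realloc, is still collapsed to `EINVAL`, so callers cannot distinguish a malformed PAC from resource exhaustion — a short comment on the `return EINVAL;` line acknowledging this would help the next reader. The enclosing function starts and ends outside the hunk.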