authorSimo Sorce <ssorce@redhat.com>2010-05-29 11:29:29 -0400
committerAndrew Bartlett <abartlet@samba.org>2010-06-07 22:53:08 +1000
commit00089fd74af740f832573d904312854e494a869e (patch)
treed6504e469cdbd3499a86721168c0d795e6863ab4
parent048575defba064a8d9f0e4eb542a299dc8730327 (diff)
s3:auth make sure the primary group sid is usable
This check was previously performed under the covers by converting back and forth from info3 to samu and then later from samu to info3. Since we now short-circuit that in some cases, check explicitly using get_primary_group_sid().
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r--source3/auth/auth_util.c43
1 files changed, 30 insertions, 13 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index cb9c4b22fc..a93d44fe91 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1047,11 +1047,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
char *found_username = NULL;
const char *nt_domain;
const char *nt_username;
- struct dom_sid user_sid;
- struct dom_sid group_sid;
bool username_was_mapped;
struct passwd *pwd;
struct auth_serversupplied_info *result;
+ struct dom_sid *group_sid;
+ struct netr_SamInfo3 *i3;
/*
Here is where we should check the list of
@@ -1059,15 +1059,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
matches.
*/
- if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- if (!sid_compose(&group_sid, info3->base.domain_sid,
- info3->base.primary_gid)) {
- return NT_STATUS_INVALID_PARAMETER;
- }
-
nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
if (!nt_username) {
/* If the server didn't give us one, just use the one we sent
@@ -1119,13 +1110,39 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
}
/* copy in the info3 */
- result->info3 = copy_netr_SamInfo3(result, info3);
+ result->info3 = i3 = copy_netr_SamInfo3(result, info3);
/* Fill in the unix info we found on the way */
-
result->utok.uid = pwd->pw_uid;
result->utok.gid = pwd->pw_gid;
+ /* We can't just trust that the primary group sid sent us is something
+ * we can really use. Obtain the useable sid, and store the original
+ * one as an additional group if it had to be replaced */
+ nt_status = get_primary_group_sid(mem_ctx, found_username,
+ &pwd, &group_sid);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(result);
+ return nt_status;
+ }
+
+ /* store and check if it is the same we got originally */
+ sid_peek_rid(group_sid, &i3->base.primary_gid);
+ if (i3->base.primary_gid != info3->base.primary_gid) {
+ uint32_t n = i3->base.groups.count;
+ /* not the same, store the original as an additional group */
+ i3->base.groups.rids =
+ talloc_realloc(i3, i3->base.groups.rids,
+ struct samr_RidWithAttribute, n + 1);
+ if (i3->base.groups.rids == NULL) {
+ TALLOC_FREE(result);
+ return NT_STATUS_NO_MEMORY;
+ }
+ i3->base.groups.rids[n].rid = info3->base.primary_gid;
+ i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
+ i3->base.groups.count = n + 1;
+ }
+
/* ensure we are never given NULL session keys */
if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {