summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-08-14 13:30:51 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-08-18 09:50:38 +1000
commit7c6ca95bec5141707d4f19e802062731d6789cc5 (patch)
treed6ee504cf0f98ff62b5bac6b19a869f8378c3757
parent60086dcf9a58525d400b39e9464847d73cbce6d2 (diff)
downloadsamba-7c6ca95bec5141707d4f19e802062731d6789cc5.tar.gz
samba-7c6ca95bec5141707d4f19e802062731d6789cc5.tar.bz2
samba-7c6ca95bec5141707d4f19e802062731d6789cc5.zip
s4:security Remove use of user_sid and group_sid from struct security_token
This makes the structure more like Samba3's NT_USER_TOKEN
-rw-r--r--librpc/idl/security.idl2
-rw-r--r--source4/auth/system_session.c15
-rw-r--r--source4/dsdb/samdb/ldb_modules/acl.c4
-rw-r--r--source4/dsdb/samdb/samdb.c6
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c2
-rw-r--r--source4/kdc/kpasswdd.c6
-rw-r--r--source4/lib/policy/gp_ldap.c2
-rw-r--r--source4/libcli/security/create_descriptor.c7
-rw-r--r--source4/libcli/security/security_token.c8
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c2
-rw-r--r--source4/rpc_server/drsuapi/updaterefs.c4
-rw-r--r--source4/rpc_server/handles.c6
-rw-r--r--source4/rpc_server/lsa/dcesrv_lsa.c2
13 files changed, 29 insertions, 37 deletions
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 369579cb7c..68ed485a82 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -467,8 +467,6 @@ interface security
} sec_desc_buf;
typedef [public] struct {
- dom_sid *user_sid;
- dom_sid *group_sid;
uint32 num_sids;
[size_is(num_sids)] dom_sid *sids[*];
udlong privilege_mask;
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 386f066de4..08ddb68f5d 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -51,13 +51,10 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
-
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous"
@@ -93,7 +90,7 @@ static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
*token = ptoken;
/* Shortcuts to prevent recursion and avoid lookups */
- if (ptoken->user_sid == NULL) {
+ if (ptoken->sids == NULL) {
ptoken->privilege_mask = 0;
return NT_STATUS_OK;
}
@@ -337,12 +334,10 @@ static NTSTATUS create_admin_token(TALLOC_CTX *mem_ctx,
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 3);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
ptoken->num_sids = 3;
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9965e5374b..55d252b100 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -709,7 +709,9 @@ static int acl_check_self_membership(TALLOC_CTX *mem_ctx,
return LDB_SUCCESS;
}
/* if we are adding/deleting ourselves, check for self membership */
- ret = dsdb_find_dn_by_sid(ldb, mem_ctx, acl_user_token(module)->user_sid, &user_dn);
+ ret = dsdb_find_dn_by_sid(ldb, mem_ctx,
+ acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX],
+ &user_dn);
if (ret != LDB_SUCCESS) {
return ret;
}
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 2b4e9a1438..2d64cc1b85 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -157,8 +157,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */);
@@ -169,8 +167,8 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
ptoken->num_sids++;
/*
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index f05b7e2a18..38e5a33831 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -93,7 +93,7 @@ NTSTATUS samdb_privilege_setup(struct tevent_context *ev_ctx,
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
- if (token->user_sid == NULL) {
+ if (token->sids == NULL) {
token->privilege_mask = 0;
return NT_STATUS_OK;
}
diff --git a/source4/kdc/kpasswdd.c b/source4/kdc/kpasswdd.c
index e08a5149b9..36ddb65bb0 100644
--- a/source4/kdc/kpasswdd.c
+++ b/source4/kdc/kpasswdd.c
@@ -224,11 +224,11 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
DEBUG(3, ("Changing password of %s\\%s (%s)\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
- dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+ dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
/* Performs the password change */
status = samdb_set_password_sid(samdb, mem_ctx,
- session_info->security_token->user_sid,
+ session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
password, NULL, NULL,
oldLmHash, oldNtHash, /* this is a user password change */
&reject_reason,
@@ -382,7 +382,7 @@ static bool kpasswd_process_request(struct kdc_server *kdc,
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
- dom_sid_string(mem_ctx, session_info->security_token->user_sid),
+ dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
if (ret != LDB_SUCCESS) {
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 9a66f4f6ac..e566ca4e0f 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -443,7 +443,7 @@ NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, c
mem_ctx = talloc_new(gp_ctx);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
- sid = dom_sid_string(mem_ctx, token->user_sid);
+ sid = dom_sid_string(mem_ctx, token->sids[PRIMARY_USER_SID_INDEX]);
/* Find the user DN and objectclass via the sid from the security token */
rv = ldb_search(gp_ctx->ldb_ctx,
diff --git a/source4/libcli/security/create_descriptor.c b/source4/libcli/security/create_descriptor.c
index d64de2fe22..cb52d6502e 100644
--- a/source4/libcli/security/create_descriptor.c
+++ b/source4/libcli/security/create_descriptor.c
@@ -367,7 +367,7 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
new_owner = parent_sd->owner_sid;
} else if (!default_owner) {
- new_owner = token->user_sid;
+ new_owner = token->sids[PRIMARY_USER_SID_INDEX];
} else {
new_owner = default_owner;
new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
@@ -379,8 +379,11 @@ struct security_descriptor *create_security_descriptor(TALLOC_CTX *mem_ctx,
if (!creator_sd || !creator_sd->group_sid){
if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
new_group = parent_sd->group_sid;
+ } else if (!default_group && token->sids[PRIMARY_GROUP_SID_INDEX]) {
+ new_group = token->sids[PRIMARY_GROUP_SID_INDEX];
} else if (!default_group) {
- new_group = token->group_sid;
+ /* This will happen only for anonymous, which has no other groups */
+ new_group = token->sids[PRIMARY_USER_SID_INDEX];
} else {
new_group = default_group;
new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
diff --git a/source4/libcli/security/security_token.c b/source4/libcli/security/security_token.c
index 7cfb566b91..f9be977a26 100644
--- a/source4/libcli/security/security_token.c
+++ b/source4/libcli/security/security_token.c
@@ -36,8 +36,6 @@ struct security_token *security_token_initialise(TALLOC_CTX *mem_ctx)
return NULL;
}
- st->user_sid = NULL;
- st->group_sid = NULL;
st->num_sids = 0;
st->sids = NULL;
st->privilege_mask = 0;
@@ -63,9 +61,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
return;
}
- DEBUG(dbg_lev, ("Security token of user %s\n",
- dom_sid_string(mem_ctx, token->user_sid) ));
- DEBUGADD(dbg_lev, (" SIDs (%lu):\n",
+ DEBUG(dbg_lev, ("Security token SIDs (%lu):\n",
(unsigned long)token->num_sids));
for (i = 0; i < token->num_sids; i++) {
DEBUGADD(dbg_lev, (" SID[%3lu]: %s\n", (unsigned long)i,
@@ -81,7 +77,7 @@ void security_token_debug(int dbg_lev, const struct security_token *token)
bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
{
- if (dom_sid_equal(token->user_sid, sid)) {
+ if (token->sids && dom_sid_equal(token->sids[PRIMARY_USER_SID_INDEX], sid)) {
return true;
}
return false;
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index ba47b9b040..0beb99d758 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -774,7 +774,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
(req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) {
DEBUG(3,(__location__ ": Removing WRIT_REP flag for replication by RODC %s\n",
dom_sid_string(mem_ctx,
- dce_call->conn->auth_state.session_info->security_token->user_sid)));
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
}
diff --git a/source4/rpc_server/drsuapi/updaterefs.c b/source4/rpc_server/drsuapi/updaterefs.c
index daf057d6d6..08d49baf2b 100644
--- a/source4/rpc_server/drsuapi/updaterefs.c
+++ b/source4/rpc_server/drsuapi/updaterefs.c
@@ -215,11 +215,11 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
/* check that they are using an DSA objectGUID that they own */
ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
&req->dest_dsa_guid,
- dce_call->conn->auth_state.session_info->security_token->user_sid);
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
dom_sid_string(mem_ctx,
- dce_call->conn->auth_state.session_info->security_token->user_sid),
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
GUID_string(mem_ctx, &req->dest_dsa_guid)));
return WERR_DS_DRA_ACCESS_DENIED;
}
diff --git a/source4/rpc_server/handles.c b/source4/rpc_server/handles.c
index 085703b3d4..495d42ab4a 100644
--- a/source4/rpc_server/handles.c
+++ b/source4/rpc_server/handles.c
@@ -22,7 +22,7 @@
#include "includes.h"
#include "../lib/util/dlinklist.h"
#include "rpc_server/dcerpc_server.h"
-#include "libcli/security/dom_sid.h"
+#include "libcli/security/security.h"
#include "auth/session.h"
/*
@@ -44,7 +44,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_new(struct dcesrv_connection_contex
struct dcesrv_handle *h;
struct dom_sid *sid;
- sid = context->conn->auth_state.session_info->security_token->user_sid;
+ sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
h = talloc(context->assoc_group, struct dcesrv_handle);
if (!h) {
@@ -80,7 +80,7 @@ _PUBLIC_ struct dcesrv_handle *dcesrv_handle_fetch(
struct dcesrv_handle *h;
struct dom_sid *sid;
- sid = context->conn->auth_state.session_info->security_token->user_sid;
+ sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
if (policy_handle_empty(p)) {
/* TODO: we should probably return a NULL handle here */
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 0a347e07dd..371419fa70 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -338,7 +338,7 @@ static NTSTATUS dcesrv_lsa_QuerySecurity(struct dcesrv_call_state *dce_call, TAL
DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
- sid = dce_call->conn->auth_state.session_info->security_token->user_sid;
+ sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) {
status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0);