summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2007-07-17 09:39:39 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:28:42 -0500
commitdb4099884a44168a5a986093dc11426efef9803c (patch)
treea23967d7f4b0e276169ef05a51edcf240d770688
parent95d504280383f6348ce809b519b7b9027dab7df8 (diff)
downloadsamba-db4099884a44168a5a986093dc11426efef9803c.tar.gz
samba-db4099884a44168a5a986093dc11426efef9803c.tar.bz2
samba-db4099884a44168a5a986093dc11426efef9803c.zip
r23921: Remove GPO_SID_TOKEN struct and use nt_user_token instead, that already has
S-1-5-11 in the token. Guenther (This used to be commit 83c734690ab09a0fe103ee9fdb855fbdd31db39c)
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/include/gpo.h7
-rw-r--r--source3/libgpo/gpo_ldap.c50
-rw-r--r--source3/libgpo/gpo_sec.c32
4 files changed, 36 insertions, 55 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f26afb1179..17f5ad4a49 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
$(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
- utils/net_conf.o
+ utils/net_conf.o auth/token_util.o
NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/include/gpo.h b/source3/include/gpo.h
index 073dad0a11..85a0b82d65 100644
--- a/source3/include/gpo.h
+++ b/source3/include/gpo.h
@@ -93,10 +93,3 @@ struct GP_EXT {
#define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI"
-
-struct GPO_SID_TOKEN {
- DOM_SID object_sid;
- DOM_SID primary_group_sid;
- size_t num_token_sids;
- DOM_SID *token_sids;
-};
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
index 07b453d637..4f983b261d 100644
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@@ -1,7 +1,7 @@
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
- * Copyright (C) Guenther Deschner 2005
+ * Copyright (C) Guenther Deschner 2005,2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_MEMORY);
}
- /* sure ??? */
if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
@@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
- /* ???, this is optional to have and what does it depend on, the 'flags' ?) */
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
@@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
struct GP_LINK *gp_link,
enum GPO_LINK_TYPE link_type,
BOOL only_add_forced_gpos,
- struct GPO_SID_TOKEN *token)
+ const struct nt_user_token *token)
{
ADS_STATUS status;
int i;
@@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
/****************************************************************
****************************************************************/
-static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const char *dn,
- struct GPO_SID_TOKEN **token)
+ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ struct nt_user_token **token)
{
ADS_STATUS status;
DOM_SID object_sid;
@@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
size_t num_ad_token_sids = 0;
DOM_SID *token_sids;
size_t num_token_sids = 0;
- struct GPO_SID_TOKEN *new_token = NULL;
+ struct nt_user_token *new_token = NULL;
int i;
- new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
- ADS_ERROR_HAVE_NO_MEMORY(new_token);
-
status = ads_get_tokensids(ads, mem_ctx, dn,
&object_sid, &primary_group_sid,
&ad_token_sids, &num_ad_token_sids);
@@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
return status;
}
- new_token->object_sid = object_sid;
- new_token->primary_group_sid = primary_group_sid;
-
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
+ if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
+ &num_token_sids)) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
for (i = 0; i < num_ad_token_sids; i++) {
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
@@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
}
}
- /* Add S-1-5-11 to token */
- if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
- &token_sids, &num_token_sids)) {
- return ADS_ERROR(LDAP_NO_MEMORY);
- }
-
-
- new_token->token_sids = token_sids;
- new_token->num_token_sids = num_token_sids;
+ new_token = create_local_nt_token(mem_ctx, &object_sid, False,
+ num_token_sids, token_sids);
+ ADS_ERROR_HAVE_NO_MEMORY(new_token);
*token = new_token;
+ debug_nt_user_token(DBGC_CLASS, 5, *token);
+
return ADS_ERROR_LDAP(LDAP_SUCCESS);
}
-
/****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn
****************************************************************/
@@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
ADS_STATUS status;
struct GP_LINK gp_link;
- struct GPO_SID_TOKEN *token = NULL;
+ struct nt_user_token *token = NULL;
const char *parent_dn, *site_dn, *tmp_dn;
BOOL add_only_forced_gpos = False;
ZERO_STRUCTP(gpo_list);
+ if (!dn) {
+ return ADS_ERROR(LDAP_PARAM_ERROR);
+ }
+
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
- status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
return status;
}
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index abdcd17378..5286da57de 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c
@@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
&ext_right_apg_guid)) {
return True;
}
- case SEC_ACE_OBJECT_INHERITED_PRESENT:
+ case SEC_ACE_OBJECT_INHERITED_PRESENT:
if (GUID_equal(&object->inherited_type.inherited_type,
&ext_right_apg_guid)) {
return True;
@@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
{
- if (sec_ace_object(ace->type)) {
- return gpo_sd_check_agp_object_guid(&ace->object.object);
+ if (!sec_ace_object(ace->type)) {
+ return False;
}
- return False;
+ return gpo_sd_check_agp_object_guid(&ace->object.object);
}
/****************************************************************
@@ -92,21 +92,13 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
-static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
- const struct GPO_SID_TOKEN *token)
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
+ const struct nt_user_token *token)
{
int i;
- if (sid_equal(trustee, &token->object_sid)) {
- return True;
- }
-
- if (sid_equal(trustee, &token->primary_group_sid)) {
- return True;
- }
-
- for (i = 0; i < token->num_token_sids; i++) {
- if (sid_equal(trustee, &token->token_sids[i])) {
+ for (i = 0; i < token->num_sids; i++) {
+ if (sid_equal(trustee, &token->user_sids[i])) {
return True;
}
}
@@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
****************************************************************/
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
- const struct GPO_SID_TOKEN *token)
+ const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
@@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
****************************************************************/
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
- const struct GPO_SID_TOKEN *token)
+ const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
@@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
****************************************************************/
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
- const struct GPO_SID_TOKEN *token)
+ const struct nt_user_token *token)
{
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
****************************************************************/
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
- const struct GPO_SID_TOKEN *token)
+ const struct nt_user_token *token)
{
SEC_DESC *sd = gpo->security_descriptor;
SEC_ACL *dacl = NULL;