author | Andrew Bartlett <abartlet@samba.org> | 2010-10-02 05:09:42 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-10-02 09:11:37 +1000 |
commit | a82e3abc707ecaf68ee26828f11987d621ec1bb5 (patch) | |
tree | a27d6cb91f4993253961bfaaaf13a77594a6b49f | |
parent | 6488d5bc0b585d91b185ae37315293123c4b1001 (diff) | |
s4-auth Add make_server_info_pac() to include 'resource domain' groups
Previously, our PAC code didn't include these groups in the
server_info from which we would eventually calculate the full
list of tokenGroups.
Andrew Bartlett
-rw-r--r-- | source4/auth/auth_sam_reply.c | 37 | ||||
-rw-r--r-- | source4/auth/kerberos/kerberos_pac.c | 8 |
2 files changed, 40 insertions, 5 deletions
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index b234f87215..0c03e78493 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
 return NT_STATUS_OK;
 }
+/**
+ * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ */
+NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+ struct PAC_LOGON_INFO *pac_logon_info,
+ struct auth_serversupplied_info **_server_info)
+{
+ uint32_t i;
+ NTSTATUS nt_status;
+ union netr_Validation validation;
+ struct auth_serversupplied_info *server_info;
+
+ validation.sam3 = &pac_logon_info->info3;
+
+ nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
+ if (pac_logon_info->res_groups.count > 0) {
+ struct dom_sid **rgrps;
+ size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
+ server_info->domain_groups = rgrps
+ = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps);
+
+ for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
+ size_t sid_idx = server_info->n_domain_groups + i;
+ rgrps[sid_idx]
+ = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
+ pac_logon_info->res_groups.rids[i].rid);
+ NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+ }
+ }
+ *_server_info = server_info;
+ return NT_STATUS_OK;
+}
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index aca807e78d..40f0cf7cf8 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
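Review bot: The out-of-memory check at the end of the loop reads `rgrps[server_info->n_domain_groups + sid_idx]`, but sid_idx already includes n_domain_groups, so whenever the validation produced any domain groups the check inspects a slot beyond sidcount (an out-of-bounds read) instead of the one just filled, and a NULL from dom_sid_add_rid goes unnoticed; it should be `NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);`. Separately, server_info->n_domain_groups is never raised to sidcount after the loop, so the appended resource-group SIDs are invisible to any consumer that walks domain_groups by that count, which is exactly what the commit message says it wants to fix. Once the count is bumped, the res_group_dom_sid NULL guard has to move from the for condition to the enclosing if, otherwise a PAC with res_groups.count > 0 and no domain SID would leave the newly allocated slots uninitialized but counted. I would also consider bounding res_groups.count before the sidcount addition, since it comes straight out of the decoded PAC. The function is complete within this hunk.
```c
	if (pac_logon_info->res_groups.count > 0 &&
	    pac_logon_info->res_group_dom_sid != NULL) {
		struct dom_sid **rgrps;
		size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
		/* … unchanged: talloc_realloc of domain_groups and its NO_MEMORY check … */

		for (i = 0; i < pac_logon_info->res_groups.count; i++) {
			size_t sid_idx = server_info->n_domain_groups + i;
			/* … unchanged: dom_sid_add_rid into rgrps[sid_idx] … */
			NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);
		}
		/* the appended SIDs are only reachable through this count */
		server_info->n_domain_groups = sidcount;
	}
```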
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
 }
 /* Pull this right into the normal auth sysstem structures */
- validation.sam3 = &info.logon_info.info->info3;
- nt_status = make_server_info_netlogon_validation(mem_ctx,
- "",
- 3, &validation,
- &server_info_out);
+ nt_status = make_server_info_pac(mem_ctx,
+ info.logon_info.info,
+ &server_info_out);
 if (!NT_STATUS_IS_OK(nt_status)) {
 talloc_free(tmp_ctx);
 return EINVAL;
|
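Review bot: The removed lines were the only use of `validation` visible here, so the `union netr_Validation validation;` local in kerberos_pac_to_server_info is probably now unused and will draw an unused-variable warning; its declaration is outside the hunk, so please confirm and drop it. The new call passes info.logon_info.info through unchecked, but the old code dereferenced the same pointer, so that is not a regression introduced by this change. The function starts before and ends after this hunk.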