s4-dsdb Implement tokenGroups expansion directly in ldb operational module

This removes a silly cross-dependency between the ldb moudle stack and auth/

Andrew Bartlett

3 files changed, 269 insertions, 30 deletions

diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
new file mode 100644
index 0000000000..07d761167d
--- /dev/null
+++ b/source4/dsdb/common/util_groups.c
@@ -0,0 +1,167 @@
+/*
+   Unix SMB/CIFS implementation.
+   Password and authentication handling
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010
+   Copyright (C) Stefan Metzmacher                         2005
+   Copyright (C) Matthias Dieter Wallnöfer                 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include <ldb.h>
+#include "dsdb/samdb/samdb.h"
+#include "libcli/security/security.h"
+#include "dsdb/common/util.h"
+
+/* This function tests if a SID structure "sids" contains the SID "sid" */
+static bool sids_contains_sid(const struct dom_sid **sids,
+			      const unsigned int num_sids,
+			      const struct dom_sid *sid)
+{
+	unsigned int i;
+
+	for (i = 0; i < num_sids; i++) {
+		if (dom_sid_equal(sids[i], sid))
+			return true;
+	}
+	return false;
+}
+
+/*
+ * This function generates the transitive closure of a given SAM object "dn_val"
+ * (it basically expands nested memberships).
+ * If the object isn't located in the "res_sids" structure yet and the
+ * "only_childs" flag is false, we add it to "res_sids".
+ * Then we've always to consider the "memberOf" attributes. We invoke the
+ * function recursively on each of it with the "only_childs" flag set to
+ * "false".
+ * The "only_childs" flag is particularly useful if you have a user object and
+ * want to include all it's groups (referenced with "memberOf") but not itself
+ * or considering if that object matches the filter.
+ *
+ * At the beginning "res_sids" should reference to a NULL pointer.
+ */
+NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
+				   struct ldb_val *dn_val, const bool only_childs, const char *filter,
+				   TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
+				   unsigned int *num_res_sids)
+{
+	const char * const attrs[] = { "memberOf", NULL };
+	unsigned int i;
+	int ret;
+	bool already_there;
+	struct ldb_dn *dn;
+	struct dom_sid sid;
+	TALLOC_CTX *tmp_ctx;
+	struct ldb_result *res;
+	NTSTATUS status;
+	const struct ldb_message_element *el;
+
+	if (*res_sids == NULL) {
+		*num_res_sids = 0;
+	}
+
+	if (!sam_ctx) {
+		DEBUG(0, ("No SAM available, cannot determine local groups\n"));
+		return NT_STATUS_INVALID_SYSTEM_SERVICE;
+	}
+
+	tmp_ctx = talloc_new(res_sids_ctx);
+
+	dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val);
+	if (dn == NULL) {
+		talloc_free(tmp_ctx);
+		DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n",
+			  (int)dn_val->length, dn_val->data));
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
+	if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+		/* If we fail finding a SID then this is no error since it could
+		 * be a non SAM object - e.g. a group with object class
+		 * "groupOfNames" */
+		talloc_free(tmp_ctx);
+		return NT_STATUS_OK;
+	} else if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n",
+			  ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
+			  nt_errstr(status)));
+		talloc_free(tmp_ctx);
+		return status;
+	}
+
+	if (only_childs) {
+		ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
+				     DSDB_SEARCH_SHOW_EXTENDED_DN);
+	} else {
+		/* This is an O(n^2) linear search */
+		already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+						  *num_res_sids, &sid);
+		if (already_there) {
+			talloc_free(tmp_ctx);
+			return NT_STATUS_OK;
+		}
+
+		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
+				  attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
+				  filter);
+	}
+
+	if (ret == LDB_ERR_NO_SUCH_OBJECT) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_OK;
+	}
+
+	if (ret != LDB_SUCCESS) {
+		DEBUG(1, (__location__ ": dsdb_search for %s failed: %s\n",
+			  ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
+			  ldb_errstring(sam_ctx)));
+		talloc_free(tmp_ctx);
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+
+	/* We may get back 0 results, if the SID didn't match the filter - such as it wasn't a domain group, for example */
+	if (res->count != 1) {
+		talloc_free(tmp_ctx);
+		return NT_STATUS_OK;
+	}
+
+	/* We only apply this test once we know the SID matches the filter */
+	if (!only_childs) {
+		*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
+			struct dom_sid *, *num_res_sids + 1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
+		(*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx);
+		++(*num_res_sids);
+	}
+
+	el = ldb_msg_find_element(res->msgs[0], "memberOf");
+
+	for (i = 0; el && i < el->num_values; i++) {
+		status = dsdb_expand_nested_groups(sam_ctx, &el->values[i],
+						   false, filter, res_sids_ctx, res_sids, num_res_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			talloc_free(tmp_ctx);
+			return status;
+		}
+	}
+
+	talloc_free(tmp_ctx);
+
+	return NT_STATUS_OK;
+}
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index c4c2660f57..8604a27b9f 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -1,6 +1,7 @@
 /*
    ldb database library
 
+   Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2010
    Copyright (C) Andrew Tridgell 2005
    Copyright (C) Simo Sorce 2006-2008
    Copyright (C) Matthias Dieter Wallnöfer 2009
@@ -129,60 +130,131 @@ static int construct_token_groups(struct ldb_module *module,
 				  struct ldb_message *msg, enum ldb_scope scope)
 {
 	struct ldb_context *ldb = ldb_module_get_ctx(module);;
-	struct auth_context *auth_context;
-	struct auth_serversupplied_info *server_info;
-	struct auth_session_info *session_info;
 	TALLOC_CTX *tmp_ctx = talloc_new(msg);
-	uint32_t i;
+	unsigned int i;
 	int ret;
+	const char *filter;
 
 	NTSTATUS status;
 
+	struct dom_sid *primary_group_sid;
+	const char *primary_group_string;
+	const char *primary_group_dn;
+	DATA_BLOB primary_group_blob;
+
+	struct dom_sid *account_sid;
+	const char *account_sid_string;
+	const char *account_sid_dn;
+	DATA_BLOB account_sid_blob;
+	struct dom_sid **groupSIDs = NULL;
+	unsigned int num_groupSIDs = 0;
+
+	struct dom_sid *domain_sid;
+
 	if (scope != LDB_SCOPE_BASE) {
 		ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, this is not a BASE search");
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	status = auth_context_create_from_ldb(tmp_ctx, ldb, &auth_context);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+	/* If it's not a user, it won't have a primaryGroupID */
+	if (ldb_msg_find_element(msg, "primaryGroupID") == NULL) {
+		talloc_free(tmp_ctx);
+		return LDB_SUCCESS;
+	}
+
+	/* Ensure it has an objectSID too */
+	account_sid = samdb_result_dom_sid(tmp_ctx, msg, "objectSid");
+	if (account_sid == NULL) {
+		talloc_free(tmp_ctx);
+		return LDB_SUCCESS;
+	}
+
+	status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL);
+	if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_PARAMETER)) {
 		talloc_free(tmp_ctx);
-		return ldb_module_oom(module);
+		return LDB_ERR_INVALID_ATTRIBUTE_SYNTAX;
 	} else if (!NT_STATUS_IS_OK(status)) {
-		ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, could not create authContext");
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	status = auth_get_server_info_principal(tmp_ctx, auth_context, NULL, msg->dn, &server_info);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+	primary_group_sid = dom_sid_add_rid(tmp_ctx,
+					    domain_sid,
+					    ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
+	if (!primary_group_sid) {
 		talloc_free(tmp_ctx);
-		return ldb_module_oom(module);
-	} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-		/* Not a user, we have no tokenGroups */
+		return ldb_oom(ldb);
+	}
+
+	/* Filter out builtin groups from this token.  We will search
+	 * for builtin groups later, and not include them in the
+	 * tokenGroups (and therefore the PAC or SamLogon validation
+	 * info) */
+	filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
+	if (!filter) {
 		talloc_free(tmp_ctx);
-		return LDB_SUCCESS;
-	} else if (!NT_STATUS_IS_OK(status)) {
+		return ldb_oom(ldb);
+	}
+
+	primary_group_string = dom_sid_string(tmp_ctx, primary_group_sid);
+	if (!primary_group_string) {
 		talloc_free(tmp_ctx);
-		ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_get_server_info_principal failed: %s", nt_errstr(status));
-		return LDB_ERR_OPERATIONS_ERROR;
+		return ldb_oom(ldb);
 	}
 
-	status = auth_generate_session_info(tmp_ctx, auth_context->lp_ctx, ldb, server_info, 0, &session_info);
-	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
+	primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
+	if (!primary_group_dn) {
 		talloc_free(tmp_ctx);
-		return ldb_module_oom(module);
-	} else if (!NT_STATUS_IS_OK(status)) {
+		return ldb_oom(ldb);
+	}
+
+	primary_group_blob = data_blob_string_const(primary_group_dn);
+
+	account_sid_string = dom_sid_string(tmp_ctx, account_sid);
+	if (!account_sid_string) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+
+	account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
+	if (!account_sid_dn) {
+		talloc_free(tmp_ctx);
+		return ldb_oom(ldb);
+	}
+
+	account_sid_blob = data_blob_string_const(account_sid_dn);
+
+	status = dsdb_expand_nested_groups(ldb, &account_sid_blob,
+					   true, /* We don't want to add the object's SID itself,
+						    it's not returend in this attribute */
+					   filter,
+					   tmp_ctx, &groupSIDs, &num_groupSIDs);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		ldb_asprintf_errstring(ldb, "Failed to construct tokenGroups: expanding groups of SID %s failed: %s",
+				       account_sid_string, nt_errstr(status));
+		talloc_free(tmp_ctx);
+		return LDB_ERR_OPERATIONS_ERROR;
+	}
+
+	/* Expands the primary group - this function takes in
+	 * memberOf-like values, so we fake one up with the
+	 * <SID=S-...> format of DN and then let it expand
+	 * them, as long as they meet the filter - so only
+	 * domain groups, not builtin groups
+	 */
+	status = dsdb_expand_nested_groups(ldb, &primary_group_blob, false, filter,
+					   tmp_ctx, &groupSIDs, &num_groupSIDs);
+	if (!NT_STATUS_IS_OK(status)) {
+		ldb_asprintf_errstring(ldb, "Failed to construct tokenGroups: expanding groups of SID %s failed: %s",
+				       account_sid_string, nt_errstr(status));
 		talloc_free(tmp_ctx);
-		ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_generate_session_info failed: %s", nt_errstr(status));
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	/* We start at 1, as the first SID is the user's SID, not included in the tokenGroups */
-	for (i = 1; i < session_info->security_token->num_sids; i++) {
-		ret = samdb_msg_add_dom_sid(ldb, msg, msg,
-					    "tokenGroups",
-					    &session_info->security_token->sids[i]);
-		if (ret != LDB_SUCCESS) {
+	for (i=0; i < num_groupSIDs; i++) {
+		ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
+		if (ret) {
 			talloc_free(tmp_ctx);
 			return ret;
 		}
@@ -542,7 +614,7 @@ static const struct {
 	{ "structuralObjectClass", NULL, NULL , NULL },
 	{ "canonicalName", NULL, NULL , construct_canonical_name },
 	{ "primaryGroupToken", "objectClass", "objectSid", construct_primary_group_token },
-	{ "tokenGroups", "objectClass", NULL, construct_token_groups },
+	{ "tokenGroups", "primaryGroupID", "objectSid", construct_token_groups },
 	{ "parentGUID", NULL, NULL, construct_parent_guid },
 	{ "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry },
 	{ "msDS-isRODC", "objectClass", "objectCategory", construct_msds_isrodc },
diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build
index 59ef1b9062..f595f3c26f 100644
--- a/source4/dsdb/wscript_build
+++ b/source4/dsdb/wscript_build
@@ -13,7 +13,7 @@ bld.SAMBA_LIBRARY('samdb',
 
 
 bld.SAMBA_LIBRARY('samdb-common',
-	source='common/util.c common/util_samr.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
+	source='common/util.c common/util_groups.c common/util_samr.c common/dsdb_dn.c common/dsdb_access.c ../../libds/common/flag_mapping.c',
 	autoproto='common/proto.h',
 	private_library=True,
 	deps='ldb NDR_DRSBLOBS UTIL_LDB LIBCLI_AUTH samba-hostconfig samba_socket LIBCLI_LDAP_NDR'