r23921: Remove GPO_SID_TOKEN struct and use nt_user_token instead, that already has

S-1-5-11 in the token. Guenther (This used to be commit 83c734690ab09a0fe103ee9fdb855fbdd31db39c)
author: Günther Deschner <gd@samba.org> 2007-07-17 09:39:39 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 12:28:42 -0500
commit: db4099884a44168a5a986093dc11426efef9803c (patch)
tree: a23967d7f4b0e276169ef05a51edcf240d770688
parent: 95d504280383f6348ce809b519b7b9027dab7df8 (diff)
download: samba-db4099884a44168a5a986093dc11426efef9803c.tar.gz
samba-db4099884a44168a5a986093dc11426efef9803c.tar.bz2
samba-db4099884a44168a5a986093dc11426efef9803c.zip
4 files changed, 36 insertions, 55 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in
index f26afb1179..17f5ad4a49 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
 	   utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
 	   utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
 	   $(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
-	   utils/net_conf.o
+	   utils/net_conf.o auth/token_util.o
 
 NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
 	  $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
diff --git a/source3/include/gpo.h b/source3/include/gpo.h
index 073dad0a11..85a0b82d65 100644
--- a/source3/include/gpo.h
+++ b/source3/include/gpo.h
@@ -93,10 +93,3 @@ struct GP_EXT {
 
 #define GPO_CACHE_DIR "gpo_cache"
 #define GPT_INI "GPT.INI"
-
-struct GPO_SID_TOKEN {
-	DOM_SID object_sid;
-	DOM_SID primary_group_sid;
-	size_t num_token_sids;
-	DOM_SID *token_sids;
-};
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
index 07b453d637..4f983b261d 100644
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@@ -1,7 +1,7 @@
 /* 
  *  Unix SMB/CIFS implementation.
  *  Group Policy Object Support
- *  Copyright (C) Guenther Deschner 2005
+ *  Copyright (C) Guenther Deschner 2005,2007
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
 		return ADS_ERROR(LDAP_NO_MEMORY);
 	}
 
-	/* sure ??? */
 	if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
 		return ADS_ERROR(LDAP_NO_MEMORY);
 	}
@@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
 	gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
 	ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
 
-	/* ???, this is optional to have and what does it depend on, the 'flags' ?) */
 	gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
 	gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
 
@@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 					 struct GP_LINK *gp_link,
 					 enum GPO_LINK_TYPE link_type,
 					 BOOL only_add_forced_gpos,
-					 struct GPO_SID_TOKEN *token)
+					 const struct nt_user_token *token)
 {
 	ADS_STATUS status;
 	int i;
@@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 /****************************************************************
 ****************************************************************/
 
-static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
-					TALLOC_CTX *mem_ctx,
-					const char *dn,
-					struct GPO_SID_TOKEN **token)
+ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
+			     TALLOC_CTX *mem_ctx,
+			     const char *dn,
+			     struct nt_user_token **token)
 {
 	ADS_STATUS status;
 	DOM_SID object_sid;
@@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
 	size_t num_ad_token_sids = 0;
 	DOM_SID *token_sids;
 	size_t num_token_sids = 0;
-	struct GPO_SID_TOKEN *new_token = NULL;
+	struct nt_user_token *new_token = NULL;
 	int i;
 
-	new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
-	ADS_ERROR_HAVE_NO_MEMORY(new_token);
-
 	status = ads_get_tokensids(ads, mem_ctx, dn, 
 				   &object_sid, &primary_group_sid,
 				   &ad_token_sids, &num_ad_token_sids);
@@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
 		return status;
 	}
 
-	new_token->object_sid = object_sid;
-	new_token->primary_group_sid = primary_group_sid;
-
 	token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
 	ADS_ERROR_HAVE_NO_MEMORY(token_sids);
 
+	if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, 
+				     &num_token_sids)) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
 	for (i = 0; i < num_ad_token_sids; i++) {
 		
 		if (sid_check_is_in_builtin(&ad_token_sids[i])) {
@@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
 		}
 	}
 
-	/* Add S-1-5-11 to token */
-	if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
-				     &token_sids, &num_token_sids)) {
-		return ADS_ERROR(LDAP_NO_MEMORY);
-	}
-
-
-	new_token->token_sids = token_sids;
-	new_token->num_token_sids = num_token_sids;
+	new_token = create_local_nt_token(mem_ctx, &object_sid, False, 
+					  num_token_sids, token_sids);
+	ADS_ERROR_HAVE_NO_MEMORY(new_token);
 
 	*token = new_token;
 
+	debug_nt_user_token(DBGC_CLASS, 5, *token);
+
 	return ADS_ERROR_LDAP(LDAP_SUCCESS);
 }
 
-
 /****************************************************************
  get the full list of GROUP_POLICY_OBJECTs for a given dn
 ****************************************************************/
@@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
 	
 	ADS_STATUS status;
 	struct GP_LINK gp_link;
-	struct GPO_SID_TOKEN *token = NULL;
+	struct nt_user_token *token = NULL;
 	const char *parent_dn, *site_dn, *tmp_dn;
 	BOOL add_only_forced_gpos = False;
 
 	ZERO_STRUCTP(gpo_list);
 
+	if (!dn) {
+		return ADS_ERROR(LDAP_PARAM_ERROR);
+	}
+
 	DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
 
-	status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
+	status = ads_get_sid_token(ads, mem_ctx, dn, &token);
 	if (!ADS_ERR_OK(status)) {
 		return status;
 	}
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index abdcd17378..5286da57de 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c
@@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
 				       &ext_right_apg_guid)) {
 				return True;
 			}
-		case  SEC_ACE_OBJECT_INHERITED_PRESENT:
+		case SEC_ACE_OBJECT_INHERITED_PRESENT:
 			if (GUID_equal(&object->inherited_type.inherited_type,
 				       &ext_right_apg_guid)) {
 				return True;
@@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
 
 static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
 {
-	if (sec_ace_object(ace->type)) {
-		return gpo_sd_check_agp_object_guid(&ace->object.object);
+	if (!sec_ace_object(ace->type)) {
+		return False;
 	}
 
-	return False;
+	return gpo_sd_check_agp_object_guid(&ace->object.object);
 }
 
 /****************************************************************
@@ -92,21 +92,13 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
 /****************************************************************
 ****************************************************************/
 
-static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, 
-					      const struct GPO_SID_TOKEN *token)
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
+					      const struct nt_user_token *token)
 {
 	int i;
 
-	if (sid_equal(trustee, &token->object_sid)) {
-		return True;
-	}
-
-	if (sid_equal(trustee, &token->primary_group_sid)) {
-		return True;
-	}
-
-	for (i = 0; i < token->num_token_sids; i++) {
-		if (sid_equal(trustee, &token->token_sids[i])) {
+	for (i = 0; i < token->num_sids; i++) {
+		if (sid_equal(trustee, &token->user_sids[i])) {
 			return True;
 		}
 	}
@@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, 
-					       const struct GPO_SID_TOKEN *token) 
+					       const struct nt_user_token *token) 
 {
 	if (gpo_sd_check_agp_object(ace) &&
 	    gpo_sd_check_agp_access_bits(ace->access_mask) &&
@@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, 
-						const struct GPO_SID_TOKEN *token) 
+						const struct nt_user_token *token) 
 {
 	if (gpo_sd_check_agp_object(ace) &&
 	    gpo_sd_check_agp_access_bits(ace->access_mask) && 
@@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, 
-				 const struct GPO_SID_TOKEN *token) 
+				 const struct nt_user_token *token) 
 {
 	switch (ace->type) {
 		case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
 ****************************************************************/
 
 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, 
-				      const struct GPO_SID_TOKEN *token)
+				      const struct nt_user_token *token)
 {
 	SEC_DESC *sd = gpo->security_descriptor;
 	SEC_ACL *dacl = NULL;
author	Günther Deschner <gd@samba.org>	2007-07-17 09:39:39 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 12:28:42 -0500
commit	db4099884a44168a5a986093dc11426efef9803c (patch)
tree	a23967d7f4b0e276169ef05a51edcf240d770688
parent	95d504280383f6348ce809b519b7b9027dab7df8 (diff)
download	samba-db4099884a44168a5a986093dc11426efef9803c.tar.gz samba-db4099884a44168a5a986093dc11426efef9803c.tar.bz2 samba-db4099884a44168a5a986093dc11426efef9803c.zip