authorGünther Deschner <gd@samba.org>2006-03-10 08:26:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:11:14 -0500
commitd3d4e224785cae86b99cc748555aff9ac57de200 (patch)
tree258026cb30b9110c1c7e32357c92327db7aeb260 /source3/auth
parent58752bccdd301a9742f9bc3c5bd0c2978077e4ff (diff)
downloadsamba-d3d4e224785cae86b99cc748555aff9ac57de200.tar.gz
samba-d3d4e224785cae86b99cc748555aff9ac57de200.tar.bz2
samba-d3d4e224785cae86b99cc748555aff9ac57de200.zip
r14129: Add the group sids from the Kerberos PAC to the user token.
Guenther (This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth_util.c29
1 files changed, 28 insertions, 1 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 357da1fdb7..99ce6620c3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1102,6 +1102,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
DOM_SID user_sid, group_sid;
fstring dom_name;
auth_serversupplied_info *result;
+ int i;
if ( !(sampass = samu_new( NULL )) ) {
return NT_STATUS_NO_MEMORY;
@@ -1139,10 +1140,36 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
result->uid = pwd->pw_uid;
result->gid = pwd->pw_gid;
- /* TODO: Add groups from pac */
result->sids = NULL;
result->num_sids = 0;
+ /* and create (by appending rids) the 'domain' sids */
+
+ for (i = 0; i < logon_info->info3.num_groups2; i++) {
+ DOM_SID sid;
+ if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid,
+ logon_info->info3.gids[i].g_rid)) {
+ DEBUG(3,("could not append additional group rid "
+ "0x%x\n", logon_info->info3.gids[i].g_rid));
+ TALLOC_FREE(result);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ add_sid_to_array(result, &sid, &result->sids,
+ &result->num_sids);
+ }
+
+ /* Copy 'other' sids. We need to do sid filtering here to
+ prevent possible elevation of privileges. See:
+
+ http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+ */
+
+ for (i = 0; i < logon_info->info3.num_other_sids; i++) {
+ add_sid_to_array(result, &logon_info->info3.other_sids[i].sid,
+ &result->sids,
+ &result->num_sids);
+ }
+
*server_info = result;
return NT_STATUS_OK;
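Review bot: The second loop copies every entry of `logon_info->info3.other_sids` into `result->sids` unchanged, although the comment directly above it says SID filtering is needed here to prevent elevation of privileges; no filtering is visible in this hunk. Until a filter exists the comment should say so, e.g. `/* FIXME: 'other' sids are copied unfiltered; SID filtering is not implemented yet */`, so a reader does not assume the token has already been filtered. A filter would presumably skip SIDs that the issuing domain is not authoritative for (for example ones inside this server's own SAM or builtin domain) before calling `add_sid_to_array`. Neither loop checks whether `add_sid_to_array` succeeded; if it can fail on allocation (its definition is not shown here), the token would silently lack groups. The body of make_server_info_pac starts and ends outside the hunk.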