author | Günther Deschner <gd@samba.org> | 2006-03-10 08:26:40 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:11:14 -0500 |
commit | d3d4e224785cae86b99cc748555aff9ac57de200 (patch) | |
tree | 258026cb30b9110c1c7e32357c92327db7aeb260 /source3/auth | |
parent | 58752bccdd301a9742f9bc3c5bd0c2978077e4ff (diff) | |
r14129: Add the group sids from the Kerberos PAC to the user token.
Guenther
(This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64)
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth_util.c | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 357da1fdb7..99ce6620c3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1102,6 +1102,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
 DOM_SID user_sid, group_sid;
 fstring dom_name;
 auth_serversupplied_info *result;
+ int i;
 if ( !(sampass = samu_new( NULL )) ) {
 return NT_STATUS_NO_MEMORY;
@@ -1139,10 +1140,36 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
 result->uid = pwd->pw_uid;
 result->gid = pwd->pw_gid;
- /* TODO: Add groups from pac */
 result->sids = NULL;
 result->num_sids = 0;
+ /* and create (by appending rids) the 'domain' sids */
+
+ for (i = 0; i < logon_info->info3.num_groups2; i++) {
+ DOM_SID sid;
+ if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid,
+ logon_info->info3.gids[i].g_rid)) {
+ DEBUG(3,("could not append additional group rid "
+ "0x%x\n", logon_info->info3.gids[i].g_rid));
+ TALLOC_FREE(result);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ add_sid_to_array(result, &sid, &result->sids,
+ &result->num_sids);
+ }
+
+ /* Copy 'other' sids. We need to do sid filtering here to
+ prevent possible elevation of privileges. See:
+
+ http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+ */
+
+ for (i = 0; i < logon_info->info3.num_other_sids; i++) {
+ add_sid_to_array(result, &logon_info->info3.other_sids[i].sid,
+ &result->sids,
+ &result->num_sids);
+ }
+
 *server_info = result;
 return NT_STATUS_OK; |
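Review bot: The second loop in the `-1139,10 +1140,36` hunk copies every entry of `logon_info->info3.other_sids` into `result->sids` unfiltered, although the comment directly above it says SID filtering is needed at this point to prevent elevation of privileges. As written, any extra SID carried in the PAC is granted in the user token, so the comment describes a control the code does not have. Until filtering exists the comment should say so plainly, e.g. `/* FIXME: other_sids are added unfiltered; SID filtering is still missing here */`, and a DEBUG line per accepted SID would make the resulting token auditable. Both loops also discard the outcome of `add_sid_to_array`; if that call can fail on allocation (its definition is outside this hunk), the token would silently lack groups. The enclosing function `make_server_info_pac` starts and ends outside the hunk.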