summaryrefslogtreecommitdiff
path: root/source4/auth
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2012-12-29 15:13:54 +1100
committerStefan Metzmacher <metze@samba.org>2013-01-21 16:12:45 +0100
commit8f078cdf247476fad511bb6d7e00c8654fd26e85 (patch)
tree224841e3e6b0531d20de16e336b84a32cdb085e7 /source4/auth
parentd36c03056fb85dfedbafd3a59497e35db63ade17 (diff)
downloadsamba-8f078cdf247476fad511bb6d7e00c8654fd26e85.tar.gz
samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.tar.bz2
samba-8f078cdf247476fad511bb6d7e00c8654fd26e85.zip
dsdb: Ensure "authenticated users" is processed for group memberships
This change moves the addition of "Authenticated Users" from the very end of the token processing to the start. The reason is that we need to see if "Authenticated Users" is a member of other builtin groups, just as we would for any other SID. This picks up the "Pre-Windows 2000 Compatible Access" group, which is in turn often used in ACLs on LDAP objects. Without this change, the eventual token does not contain S-1-5-32-554 and users other than "Administrator" are unable to read uidNumber (in particular). Andrew Bartlett Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/session.c44
1 files changed, 39 insertions, 5 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c
index de417cc54b..bb0b5bca63 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -102,22 +102,56 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
sids[i] = user_info_dc->sids[i];
}
- if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ /*
+ * Finally add the "standard" sids.
+ * The only difference between guest and "anonymous"
+ * is the addition of Authenticated_Users.
+ */
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+
+ if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+
+
+ if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
- } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
- for (i = 0; i < user_info_dc->num_sids; i++) {
+ for (i = 0; i < num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
-
+ int ret;
+
sid_string = dom_sid_string(tmp_ctx,
- &user_info_dc->sids[i]);
+ &sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);