diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-04-19 15:51:57 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-05-20 17:39:10 +1000 |
commit | 9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5 (patch) | |
tree | 1526cb9826169a6ea4162b5c3f13f279cda4ff7b /source4/dsdb/samdb/samdb.c | |
parent | 3ff2766231625863140434bab18b27d5105deb3c (diff) | |
download | samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.gz samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.bz2 samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.zip |
s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
Diffstat (limited to 'source4/dsdb/samdb/samdb.c')
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 61 |
1 files changed, 46 insertions, 15 deletions
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 9e4156407e..67b55385cb 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -41,6 +41,7 @@ #include "lib/events/events.h" #include "auth/credentials/credentials.h" #include "param/secrets.h" +#include "auth/auth.h" char *samdb_relative_path(struct ldb_context *ldb, TALLOC_CTX *mem_ctx, @@ -146,8 +147,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, struct dom_sid *group_sid, unsigned int n_groupSIDs, struct dom_sid **groupSIDs, - bool is_authenticated, - bool is_dc, + uint32_t session_info_flags, struct security_token **token) { struct security_token *ptoken; @@ -157,36 +157,61 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken = security_token_initialise(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(ptoken); - ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->user_sid = talloc_reference(ptoken, user_sid); ptoken->group_sid = talloc_reference(ptoken, group_sid); ptoken->privilege_mask = 0; + ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->num_sids = 1; + + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + ptoken->sids[0] = ptoken->user_sid; ptoken->sids[1] = ptoken->group_sid; + ptoken->num_sids++; /* * Finally add the "standard" SIDs. * The only difference between guest and "anonymous" * is the addition of Authenticated_Users. */ - ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); - ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]); - ptoken->num_sids = 4; - if (is_authenticated) { + if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + ptoken->num_sids++; + + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + ptoken->num_sids++; + + + } + + if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); ptoken->num_sids++; } - if (is_dc) { + if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) { + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_ENTERPRISE_DCS); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); ptoken->num_sids++; } @@ -201,7 +226,13 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, } if (check_sid_idx == ptoken->num_sids) { - ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]); + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->sids[ptoken->num_sids] = talloc_reference(ptoken->sids, groupSIDs[i]); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]); + ptoken->num_sids++; + } } |