summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2010-04-19 15:51:57 +1000
committerAndrew Bartlett <abartlet@samba.org>2010-05-20 17:39:10 +1000
commit9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5 (patch)
tree1526cb9826169a6ea4162b5c3f13f279cda4ff7b /source4/dsdb/samdb
parent3ff2766231625863140434bab18b27d5105deb3c (diff)
downloadsamba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.gz
samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.bz2
samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.zip
s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use cases, and in particular to more carefully control the introduction of the 'authenticated' group. In particular, in the 'service_named_pipe' protocol, we do not have control over the addition of the authenticated users group, so we key of 'is this user the anonymous SID'. This also takes more care to allocate the right length ptoken->sids Andrew Bartlett
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c20
-rw-r--r--source4/dsdb/samdb/samdb.c61
2 files changed, 56 insertions, 25 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index acd8b80161..d51a8588bb 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -149,6 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
ldb_module_oom(module);
return LDB_ERR_OPERATIONS_ERROR;
} else if (!NT_STATUS_IS_OK(status)) {
+ ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, could not create authContext");
talloc_free(tmp_ctx);
return LDB_ERR_OPERATIONS_ERROR;
}
@@ -158,30 +159,29 @@ static int construct_token_groups(struct ldb_module *module,
talloc_free(tmp_ctx);
ldb_module_oom(module);
return LDB_ERR_OPERATIONS_ERROR;
+ } else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ /* Not a user, we have no tokenGroups */
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
} else if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
+ ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_get_server_info_principal failed: %s", nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
- status = auth_generate_session_info(tmp_ctx, auth_context, server_info, &session_info);
+ status = auth_generate_session_info(tmp_ctx, auth_context, server_info, 0, &session_info);
if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
talloc_free(tmp_ctx);
ldb_module_oom(module);
return LDB_ERR_OPERATIONS_ERROR;
} else if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
+ ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_generate_session_info failed: %s", nt_errstr(status));
return LDB_ERR_OPERATIONS_ERROR;
}
- ret = samdb_msg_add_dom_sid(ldb, msg, msg,
- "tokenGroups",
- session_info->security_token->group_sid);
- if (ret != LDB_SUCCESS) {
- talloc_free(tmp_ctx);
- return ret;
- }
-
- for (i = 0; i < session_info->security_token->num_sids; i++) {
+ /* We start at 1, as the first SID is the user's SID, not included in the tokenGroups */
+ for (i = 1; i < session_info->security_token->num_sids; i++) {
ret = samdb_msg_add_dom_sid(ldb, msg, msg,
"tokenGroups",
session_info->security_token->sids[i]);
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 9e4156407e..67b55385cb 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -41,6 +41,7 @@
#include "lib/events/events.h"
#include "auth/credentials/credentials.h"
#include "param/secrets.h"
+#include "auth/auth.h"
char *samdb_relative_path(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
@@ -146,8 +147,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
struct dom_sid *group_sid,
unsigned int n_groupSIDs,
struct dom_sid **groupSIDs,
- bool is_authenticated,
- bool is_dc,
+ uint32_t session_info_flags,
struct security_token **token)
{
struct security_token *ptoken;
@@ -157,36 +157,61 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
- ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
ptoken->user_sid = talloc_reference(ptoken, user_sid);
ptoken->group_sid = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
+ ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->num_sids = 1;
+
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
ptoken->sids[0] = ptoken->user_sid;
ptoken->sids[1] = ptoken->group_sid;
+ ptoken->num_sids++;
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous"
* is the addition of Authenticated_Users.
*/
- ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
- ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]);
- ptoken->num_sids = 4;
- if (is_authenticated) {
+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]);
+ ptoken->num_sids++;
+
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]);
+ ptoken->num_sids++;
+
+
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]);
ptoken->num_sids++;
}
- if (is_dc) {
+ if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
ptoken->sids[ptoken->num_sids] = dom_sid_parse_talloc(ptoken->sids, SID_NT_ENTERPRISE_DCS);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]);
ptoken->num_sids++;
}
@@ -201,7 +226,13 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
}
if (check_sid_idx == ptoken->num_sids) {
- ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]);
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->sids[ptoken->num_sids] = talloc_reference(ptoken->sids, groupSIDs[i]);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[ptoken->num_sids]);
+ ptoken->num_sids++;
+
}
}