summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-01-20 23:39:37 +1100
committerAndrew Bartlett <abartlet@samba.org>2011-01-20 23:44:05 +0100
commitfbe6d155bf177c610ee549cc534650b0f0700e8a (patch)
tree58d82c2cadfc460ad8cf6a7e9b3ec6c162234ec7 /source4/dsdb/samdb
parentcce5231b4d4ee9d4918004586bda9d499596d3d4 (diff)
downloadsamba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.gz
samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.bz2
samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.zip
s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now a struct dom_sid *, not a struct dom_sid **. This is in keeping with the other sid lists in the security_token etc. In the process, I also tidy up the talloc tree (move more structures under their logical parents) and check for some possible overflows in situations with a pathological number of sids. Andrew Bartlett
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/operational.c4
-rw-r--r--source4/dsdb/samdb/samdb.c53
2 files changed, 23 insertions, 34 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index ae61089198..1df56e8fe0 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
const char *account_sid_string;
const char *account_sid_dn;
DATA_BLOB account_sid_blob;
- struct dom_sid **groupSIDs = NULL;
+ struct dom_sid *groupSIDs = NULL;
unsigned int num_groupSIDs = 0;
struct dom_sid *domain_sid;
@@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module,
}
for (i=0; i < num_groupSIDs; i++) {
- ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
+ ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
if (ret) {
talloc_free(tmp_ctx);
return ret;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 11913fbbce..53be12cd52 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
****************************************************************************/
NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
- struct dom_sid *user_sid,
- struct dom_sid *group_sid,
- unsigned int n_groupSIDs,
- struct dom_sid **groupSIDs,
+ unsigned int num_sids,
+ struct dom_sid *sids,
uint32_t session_info_flags,
struct security_token **token)
{
@@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
- ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */);
+ ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->num_sids = 1;
+ ptoken->num_sids = 0;
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+ for (i = 0; i < num_sids; i++) {
+ size_t check_sid_idx;
+ for (check_sid_idx = 0;
+ check_sid_idx < ptoken->num_sids;
+ check_sid_idx++) {
+ if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
+ break;
+ }
+ }
- ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
- if (!dom_sid_equal(user_sid, group_sid)) {
- ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
- ptoken->num_sids++;
+ if (check_sid_idx == ptoken->num_sids) {
+ ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+ ptoken->sids[ptoken->num_sids] = sids[i];
+ ptoken->num_sids++;
+ }
}
/*
- * Finally add the "standard" SIDs.
+ * Finally add the "standard" sids.
* The only difference between guest and "anonymous"
* is the addition of Authenticated_Users.
*/
@@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken->num_sids++;
}
- for (i = 0; i < n_groupSIDs; i++) {
- size_t check_sid_idx;
- for (check_sid_idx = 1;
- check_sid_idx < ptoken->num_sids;
- check_sid_idx++) {
- if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
- break;
- }
- }
-
- if (check_sid_idx == ptoken->num_sids) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- ptoken->sids[ptoken->num_sids] = *groupSIDs[i];
- ptoken->num_sids++;
- }
- }
-
/* The caller may have requested simple privilages, for example if there isn't a local DB */
if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
/* Shortcuts to prevent recursion and avoid lookups */