r15297: Move create_security_token() to samdb as it requires SAMDB (and the rest of LIBSECURITY doesn't)

Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal
Some other dependency fixes
(This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630)

3 files changed, 81 insertions, 7 deletions

diff --git a/source4/dsdb/config.mk b/source4/dsdb/config.mk
index 15aa9fd0aa..e0426167e3 100644
--- a/source4/dsdb/config.mk
+++ b/source4/dsdb/config.mk
@@ -7,7 +7,7 @@ include samdb/ldb_modules/config.mk
 [SUBSYSTEM::SAMDB]
 PUBLIC_PROTO_HEADER = samdb/samdb_proto.h
 PUBLIC_HEADERS = samdb/samdb.h
-PUBLIC_DEPENDENCIES = DB_WRAP LIBCLI_LDAP
+PUBLIC_DEPENDENCIES = ldb LIBCLI_LDAP
 OBJ_FILES = \
 		samdb/samdb.o \
 		samdb/samdb_privilege.o \
diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk
index 207fdf8201..20f6e182e5 100644
--- a/source4/dsdb/samdb/ldb_modules/config.mk
+++ b/source4/dsdb/samdb/ldb_modules/config.mk
@@ -17,7 +17,6 @@ SUBSYSTEM = ldb
 INIT_FUNCTION = samldb_module_init
 OBJ_FILES = \
 		samldb.o
-PUBLIC_DEPENDENCIES = SAMDB
 #
 # End MODULE ldb_samldb
 ################################################
@@ -62,10 +61,9 @@ OBJ_FILES = \
 [MODULE::ldb_password_hash]
 SUBSYSTEM = ldb
 INIT_FUNCTION = password_hash_module_init
-OBJ_FILES = \
-		password_hash.o
-PUBLIC_DEPENDENCIES = \
-		HEIMDAL_HDB HEIMDAL_KRB5
+OBJ_FILES = password_hash.o
+PUBLIC_DEPENDENCIES = HEIMDAL_KRB5
+PRIVATE_DEPENDENCIES = HEIMDAL_HDB_KEYS
 #
 # End MODULE ldb_rootdse
 ################################################
@@ -78,7 +76,7 @@ INIT_FUNCTION = ldb_kludge_acl_init
 OBJ_FILES = \
 		kludge_acl.o
 PUBLIC_DEPENDENCIES = \
-		LIB_SECURITY
+		LIBSECURITY
 #
 # End MODULE ldb_rootdse
 ################################################
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index bd133c8745..5dbfd4ee87 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -1353,3 +1353,79 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me
 	}
 	return NT_STATUS_OK;
 }
+
+/****************************************************************************
+ Create the SID list for this user.
+****************************************************************************/
+NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
+			       struct dom_sid *user_sid,
+			       struct dom_sid *group_sid, 
+			       int n_groupSIDs,
+			       struct dom_sid **groupSIDs, 
+			       BOOL is_authenticated,
+			       struct security_token **token)
+{
+	struct security_token *ptoken;
+	int i;
+	NTSTATUS status;
+
+	ptoken = security_token_initialise(mem_ctx);
+	NT_STATUS_HAVE_NO_MEMORY(ptoken);
+
+	ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
+	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+	ptoken->user_sid = talloc_reference(ptoken, user_sid);
+	ptoken->group_sid = talloc_reference(ptoken, group_sid);
+	ptoken->privilege_mask = 0;
+
+	ptoken->sids[0] = ptoken->user_sid;
+	ptoken->sids[1] = ptoken->group_sid;
+
+	/*
+	 * Finally add the "standard" SIDs.
+	 * The only difference between guest and "anonymous"
+	 * is the addition of Authenticated_Users.
+	 */
+	ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD);
+	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
+	ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK);
+	NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]);
+	ptoken->num_sids = 4;
+
+	if (is_authenticated) {
+		ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
+		NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]);
+		ptoken->num_sids++;
+	}
+
+	for (i = 0; i < n_groupSIDs; i++) {
+		size_t check_sid_idx;
+		for (check_sid_idx = 1; 
+		     check_sid_idx < ptoken->num_sids; 
+		     check_sid_idx++) {
+			if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) {
+				break;
+			}
+		}
+
+		if (check_sid_idx == ptoken->num_sids) {
+			ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]);
+		}
+	}
+
+	/* setup the privilege mask for this token */
+	status = samdb_privilege_setup(ptoken);
+	if (!NT_STATUS_IS_OK(status)) {
+		talloc_free(ptoken);
+		return status;
+	}
+
+	security_token_debug(10, ptoken);
+
+	*token = ptoken;
+
+	return NT_STATUS_OK;
+}
+
+