author | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:39:37 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:44:05 +0100 |
commit | fbe6d155bf177c610ee549cc534650b0f0700e8a (patch) | |
tree | 58d82c2cadfc460ad8cf6a7e9b3ec6c162234ec7 /source4/torture | |
parent | cce5231b4d4ee9d4918004586bda9d499596d3d4 (diff) | |
s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
Diffstat (limited to 'source4/torture')
-rw-r--r-- | source4/torture/auth/pac.c | 25 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 20 |
2 files changed, 21 insertions, 24 deletions
diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 13796bd3db..e76f0820d4 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -167,8 +167,9 @@ static bool torture_pac_self_check(struct torture_context *tctx) smb_krb5_context->krb5_context, &server_info_out); - if (!dom_sid_equal(server_info->account_sid, - server_info_out->account_sid)) { + /* The user's SID is the first element in the list */ + if (!dom_sid_equal(server_info->sids, + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -179,8 +180,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->account_sid), - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info->sids), + dom_sid_string(mem_ctx, server_info_out->sids))); } talloc_free(server_info_out); @@ -229,13 +230,13 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - if (!dom_sid_equal(server_info->account_sid, - server_info_out->account_sid)) { + if (!dom_sid_equal(server_info->sids, + server_info_out->sids)) { torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->account_sid), - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info->sids), + dom_sid_string(mem_ctx, server_info_out->sids))); } return true; } 
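Review bot: The new comparison `dom_sid_equal(server_info->sids, server_info_out->sids)` in the @@ -167 hunk reads the first list element as the user's SID, but nothing visible checks that either list is non-empty first. If `dom_sid_equal()` treats two NULL pointers as equal (not visible here, please confirm), an empty list on both sides would let this PAC self-check pass without comparing any SID. Extending the condition keeps the existing keyblock cleanup path and makes the indexing explicit: `if (server_info->num_sids == 0 || server_info_out->num_sids == 0 || !dom_sid_equal(&server_info->sids[0], &server_info_out->sids[0])) {`, assuming these structs carry the `num_sids` field that remote_pac.c uses. The same applies to the second comparison at @@ -229 and to the two `server_info_out->sids` comparisons in torture_pac_saved_check at @@ -444 and @@ -503, none of which repeats the explanatory comment. Both functions extend outside these hunks.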
@@ -444,7 +445,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->account_sid)) { + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -455,7 +456,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info_out->sids))); } talloc_free(server_info_out); @@ -503,7 +504,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->account_sid)) { + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -514,7 +515,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info_out->sids))); } if (krbtgt_bytes == NULL) { diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 8f4d677c44..73e62a3b6f 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c 
@@ -603,21 +603,17 @@ static bool test_S2U4Self(struct torture_context *tctx, s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self"); torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC"); torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, kinit_session_info->server_info->account_sid), "Account SID differs for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, kinit_session_info->server_info->primary_group_sid), "Primary Group SID differs for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, s2u4self_session_info->server_info->account_sid), "Account SID differs for S2U4Self"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, s2u4self_session_info->server_info->primary_group_sid), "Primary Group SID differs for S2U4Self"); - torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, kinit_session_info->server_info->n_domain_groups, "Different numbers of domain groups for kinit-based PAC"); - torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, s2u4self_session_info->server_info->n_domain_groups, "Different numbers of domain groups for S2U4Self"); + torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC"); + torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self"); builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN); - for (i = 0; 
i < kinit_session_info->server_info->n_domain_groups; i++) { - torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], kinit_session_info->server_info->domain_groups[i]), "Different domain groups for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], s2u4self_session_info->server_info->domain_groups[i]), "Different domain groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, s2u4self_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, kinit_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups kinit-based PAC"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, netlogon_server_info->domain_groups[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); + for (i = 0; i < kinit_session_info->server_info->num_sids; i++) { + torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC"); + torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); } return true; |
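Review bot: With the dedicated `account_sid` and `primary_group_sid` assertions removed, test_S2U4Self compares those SIDs only inside the `for` loop. If all three sources report `num_sids == 0`, the count assertions pass, the loop body never runs and no SID is checked at all. A lower-bound assertion ahead of the loop, for example `torture_assert(tctx, netlogon_server_info->num_sids > 0, "No SIDs in NETLOGON SamLogon reply");`, would keep an explicit check that the account SID is present. The unchanged messages still say "domain groups" although the list now begins with the user's SID (per the comment added in pac.c), so a mismatch at index 0 would be reported as a group difference; rewording them to "SIDs" would make a failure easier to triage. The function starts outside the hunk.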