authorAndrew Tridgell <tridge@samba.org>2010-09-25 19:14:42 -0700
committerAndrew Tridgell <tridge@samba.org>2010-09-26 07:09:08 +0000
commit7dbfeb0dc040889244a1110940af2d070f823374 (patch)
tree3138243ba4e9b84159a416dd4e2e7e39d27bd7eb /source4
parent65fc066ef43786faae9d4adf8f0941d86315f398 (diff)
s4-auth: fixed the SID list for DCs in the PAC
The S-1-5-9 SID is added to the PAC by the KDC, not on the server that receives the PAC.

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth.h1
-rw-r--r--source4/auth/sam.c16
-rw-r--r--source4/auth/session.c18
-rw-r--r--source4/dsdb/samdb/samdb.c10
4 files changed, 16 insertions, 29 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ce583c871c..2f0af027bc 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -46,7 +46,6 @@ struct loadparm_context;
#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC 0x04 /* Add the user to the 'enterprise DC' group */
struct auth_serversupplied_info
{
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f9e3..bdbf6906a3 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
server_info);
}
+ if (server_info->acct_flags & ACB_SVRTRUST) {
+ /* the SID_NT_ENTERPRISE_DCS SID gets added into the
+ PAC */
+ server_info->domain_groups = talloc_realloc(server_info,
+ server_info->domain_groups,
+ struct dom_sid *,
+ server_info->n_domain_groups+1);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+ server_info->domain_groups[server_info->n_domain_groups] =
+ dom_sid_parse_talloc(server_info->domain_groups,
+ SID_NT_ENTERPRISE_DCS);
+ NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+ server_info);
+ server_info->n_domain_groups++;
+ }
+
server_info->authenticated = true;
talloc_free(tmp_ctx);
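Review bot: The added block grants SID_NT_ENTERPRISE_DCS on the strength of ACB_SVRTRUST alone, whereas the session.c code this commit removes also required `dom_sid_in_domain(dom_sid, server_info->account_sid)` (and logged at level 2 when that failed) before adding the membership. If authsam_make_server_info is only ever built from an entry in the local SAM that check is redundant here, but that precondition is not visible in the hunk and the comment says only that the SID is added, not why this is the place to do it. I would widen the comment to `/* DCs (ACB_SVRTRUST) in our own SAM are members of S-1-5-9; the KDC adds it here so it lands in the PAC rather than being granted by the receiving server */`. authsam_make_server_info continues past the end of the hunk.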
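--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 } else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 /* Don't expand nested groups of system, anonymous etc*/
 } else if (auth_context) {
- if (server_info->acct_flags & ACB_SVRTRUST) {
- dom_sid = samdb_domain_sid(auth_context->sam_ctx);
- if (dom_sid) {
- if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
- session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
- } else {
- DEBUG(2, ("DC %s is not in our domain. "
- "It will not have Enterprise Domain Controllers membership on this server",
- server_info->account_name));
- }
- } else {
- DEBUG(2, ("Could not obtain local domain SID, "
- "so can not determine if DC %s is a DC of this domain. "
- "It will not have Enterprise Domain Controllers membership",
- server_info->account_name));
- }
- }
-
 groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 if (!groupSIDs) {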
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 32698ea412..637da4fcf2 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -202,16 +202,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken->num_sids++;
}
- if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1;