diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:39:37 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-01-20 23:44:05 +0100 |
commit | fbe6d155bf177c610ee549cc534650b0f0700e8a (patch) | |
tree | 58d82c2cadfc460ad8cf6a7e9b3ec6c162234ec7 /source4 | |
parent | cce5231b4d4ee9d4918004586bda9d499596d3d4 (diff) | |
download | samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.gz samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.tar.bz2 samba-fbe6d155bf177c610ee549cc534650b0f0700e8a.zip |
s4-auth Remove special case for account_sid from auth_serversupplied_info
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **. This is in keeping with
the other sid lists in the security_token etc.
In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.
Andrew Bartlett
Diffstat (limited to 'source4')
-rw-r--r-- | source4/auth/auth.h | 7 | ||||
-rw-r--r-- | source4/auth/auth_sam_reply.c | 152 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_developer.c | 14 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_server.c | 13 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_unix.c | 6 | ||||
-rw-r--r-- | source4/auth/sam.c | 68 | ||||
-rw-r--r-- | source4/auth/session.c | 112 | ||||
-rw-r--r-- | source4/auth/system_session.c | 56 | ||||
-rw-r--r-- | source4/dsdb/common/util_groups.c | 13 | ||||
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/operational.c | 4 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 53 | ||||
-rw-r--r-- | source4/smbd/service_named_pipe.c | 2 | ||||
-rw-r--r-- | source4/torture/auth/pac.c | 25 | ||||
-rw-r--r-- | source4/torture/rpc/remote_pac.c | 20 |
14 files changed, 257 insertions, 288 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h index 6d3dedefbf..21790c4d5c 100644 --- a/source4/auth/auth.h +++ b/source4/auth/auth.h @@ -50,11 +50,8 @@ struct loadparm_context; struct auth_serversupplied_info { - struct dom_sid *account_sid; - struct dom_sid *primary_group_sid; - - size_t n_domain_groups; - struct dom_sid **domain_groups; + size_t num_sids; + struct dom_sid *sids; DATA_BLOB user_session_key; DATA_BLOB lm_session_key; diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c index 0c03e78493..bb2b6eb534 100644 --- a/source4/auth/auth_sam_reply.c +++ b/source4/auth/auth_sam_reply.c @@ -29,12 +29,32 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, struct auth_serversupplied_info *server_info, struct netr_SamBaseInfo **_sam) { + NTSTATUS status; struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo); NT_STATUS_HAVE_NO_MEMORY(sam); - sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); - NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); - sam->domain_sid->num_auths--; + if (server_info->num_sids > PRIMARY_USER_SID_INDEX) { + status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX], + &sam->domain_sid, &sam->rid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } else { + return NT_STATUS_INVALID_PARAMETER; + } + + if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) { + status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX], + NULL, &sam->primary_gid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } else { + /* if we have to encode something like SYSTEM (with no + * second SID in the token) then this is the only + * choice */ + sam->primary_gid = sam->rid; + } sam->last_logon = server_info->last_logon; sam->last_logoff = server_info->last_logoff; @@ -52,22 +72,19 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx, sam->logon_count = server_info->logon_count; sam->bad_password_count = sam->bad_password_count; - sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1]; - sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1]; - sam->groups.count = 0; sam->groups.rids = NULL; - if (server_info->n_domain_groups > 0) { + if (server_info->num_sids > 2) { size_t i; sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute, - server_info->n_domain_groups); + server_info->num_sids); if (sam->groups.rids == NULL) return NT_STATUS_NO_MEMORY; - for (i=0; i<server_info->n_domain_groups; i++) { - struct dom_sid *group_sid = server_info->domain_groups[i]; + for (i=2; i<server_info->num_sids; i++) { + struct dom_sid *group_sid = &server_info->sids[i]; if (!dom_sid_in_domain(sam->domain_sid, group_sid)) { /* We handle this elsewhere */ continue; @@ -116,8 +133,9 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, size_t i; NT_STATUS_HAVE_NO_MEMORY(sam3); - status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam); + status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam); if (!NT_STATUS_IS_OK(status)) { + talloc_free(sam3); return status; } sam3->base = *sam; @@ -126,14 +144,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam3->sids = talloc_array(sam, struct netr_SidAttr, - server_info->n_domain_groups); - NT_STATUS_HAVE_NO_MEMORY(sam3->sids); - - for (i=0; i<server_info->n_domain_groups; i++) { - if (dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) { + server_info->num_sids); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3); + + /* We don't put the user and group SIDs in there */ + for (i=2; i<server_info->num_sids; i++) { + if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) { continue; } - sam3->sids[sam3->sidcount].sid = talloc_reference(sam3->sids,server_info->domain_groups[i]); + sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3); sam3->sids[sam3->sidcount].attributes = SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; sam3->sidcount += 1; @@ -192,24 +212,38 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, trusted domains, and verify that the SID matches. */ - server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); + if (!base->domain_sid) { + DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID")); + return NT_STATUS_INVALID_PARAMETER; + } + /* The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check */ + if (base->groups.count > 65535) { + return NT_STATUS_INVALID_PARAMETER; + } - server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); + server_info->num_sids = 2; - server_info->n_domain_groups = base->groups.count; - if (base->groups.count) { - server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups); - } else { - server_info->domain_groups = NULL; + server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids + base->groups.count); + NT_STATUS_HAVE_NO_MEMORY(server_info->sids); + + server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid; + if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + + server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid; + if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) { + return NT_STATUS_INVALID_PARAMETER; } for (i = 0; i < base->groups.count; i++) { - server_info->domain_groups[i] = dom_sid_add_rid(server_info->domain_groups, base->domain_sid, base->groups.rids[i].rid); - NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]); + server_info->sids[server_info->num_sids] = *base->domain_sid; + if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + server_info->num_sids++; } /* Copy 'other' sids. We need to do sid filtering here to @@ -219,21 +253,29 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, */ if (validation_level == 3) { - struct dom_sid **dgrps = server_info->domain_groups; - size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount; - size_t n_dgrps = server_info->n_domain_groups; + struct dom_sid *dgrps = server_info->sids; + size_t sidcount; + + /* The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check */ + if (validation->sam3->sidcount > 65535) { + return NT_STATUS_INVALID_PARAMETER; + } + sidcount = server_info->num_sids + validation->sam3->sidcount; if (validation->sam3->sidcount > 0) { - dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount); + dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount); NT_STATUS_HAVE_NO_MEMORY(dgrps); for (i = 0; i < validation->sam3->sidcount; i++) { - dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid); + if (validation->sam3->sids[i].sid) { + dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid; + server_info->num_sids++; + } } } - server_info->n_domain_groups = sidcount; - server_info->domain_groups = dgrps; + server_info->sids = dgrps; /* Where are the 'global' sids?... */ } @@ -307,18 +349,36 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx, } if (pac_logon_info->res_groups.count > 0) { - struct dom_sid **rgrps; - size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count; - server_info->domain_groups = rgrps - = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount); - NT_STATUS_HAVE_NO_MEMORY(rgrps); + size_t sidcount; + /* The IDL layer would be a better place to check this, but to + * guard the integer addition below, we double-check */ + if (pac_logon_info->res_groups.count > 65535) { + talloc_free(server_info); + return NT_STATUS_INVALID_PARAMETER; + } + + /* + Here is where we should check the list of + trusted domains, and verify that the SID + matches. + */ + if (!pac_logon_info->res_group_dom_sid) { + DEBUG(0, ("Cannot operate on a PAC without a resource domain SID")); + return NT_STATUS_INVALID_PARAMETER; + } + + sidcount = server_info->num_sids + pac_logon_info->res_groups.count; + server_info->sids + = talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) { - size_t sid_idx = server_info->n_domain_groups + i; - rgrps[sid_idx] - = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid, - pac_logon_info->res_groups.rids[i].rid); - NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]); + server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid; + if (!sid_append_rid(&server_info->sids[server_info->num_sids], + pac_logon_info->res_groups.rids[i].rid)) { + return NT_STATUS_INVALID_PARAMETER; + } + server_info->num_sids++; } } *_server_info = server_info; diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c index 96491d62c9..6384d98986 100644 --- a/source4/auth/ntlm/auth_developer.c +++ b/source4/auth/ntlm/auth_developer.c @@ -68,15 +68,11 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx, server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); - server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); - - /* is this correct? */ - server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); - - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + /* This returns a pointer to a struct dom_sid, which is the + * same as a 1 element list of struct dom_sid */ + server_info->num_sids = 1; + server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(server_info->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ diff --git a/source4/auth/ntlm/auth_server.c b/source4/auth/ntlm/auth_server.c index 898e2cce67..8e9e73c43d 100644 --- a/source4/auth/ntlm/auth_server.c +++ b/source4/auth/ntlm/auth_server.c @@ -159,15 +159,12 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx, server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); - server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); + server_info->num_sids = 1; - /* is this correct? */ - server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); - - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + /* This returns a pointer to a struct dom_sid, which is the + * same as a 1 element list of struct dom_sid */ + server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(server_info->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ diff --git a/source4/auth/ntlm/auth_unix.c b/source4/auth/ntlm/auth_unix.c index 1c026f6990..ba37e0a95e 100644 --- a/source4/auth/ntlm/auth_unix.c +++ b/source4/auth/ntlm/auth_unix.c @@ -65,10 +65,8 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name); /* This isn't in any way correct.. */ - server_info->account_sid = NULL; - server_info->primary_group_sid = NULL; - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + server_info->num_sids = 0; + server_info->sids = NULL; } server_info->user_session_key = data_blob(NULL,0); server_info->lm_session_key = data_blob(NULL,0); diff --git a/source4/auth/sam.c b/source4/auth/sam.c index 0a97d81b82..c9ce644cbf 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -282,13 +282,12 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, const char *str, *filter; /* SIDs for the account and his primary group */ struct dom_sid *account_sid; - struct dom_sid *primary_group_sid; const char *primary_group_string; const char *primary_group_dn; DATA_BLOB primary_group_blob; /* SID structures for the expanded group memberships */ - struct dom_sid **groupSIDs = NULL; - unsigned int num_groupSIDs = 0, i; + struct dom_sid *sids = NULL; + unsigned int num_sids = 0, i; struct dom_sid *domain_sid; TALLOC_CTX *tmp_ctx; struct ldb_message_element *el; @@ -299,6 +298,11 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, tmp_ctx = talloc_new(server_info); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info); + sids = talloc_array(server_info, struct dom_sid, 2); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info); + + num_sids = 2; + account_sid = samdb_result_dom_sid(server_info, msg, "objectSid"); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info); @@ -308,10 +312,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, return status; } - primary_group_sid = dom_sid_add_rid(server_info, - domain_sid, - ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, server_info); + sids[PRIMARY_USER_SID_INDEX] = *account_sid; + sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; + sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)); /* Filter out builtin groups from this token. We will search * for builtin groups later, and not include them in the PAC @@ -319,7 +322,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info); - primary_group_string = dom_sid_string(tmp_ctx, primary_group_sid); + primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info); primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string); @@ -337,7 +340,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, * 'only childs' flag to true */ status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, - server_info, &groupSIDs, &num_groupSIDs); + server_info, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { talloc_free(server_info); return status; @@ -350,18 +353,15 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, * them, as long as they meet the filter - so only * domain groups, not builtin groups */ status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter, - server_info, &groupSIDs, &num_groupSIDs); + server_info, &sids, &num_sids); if (!NT_STATUS_IS_OK(status)) { talloc_free(server_info); return status; } } - server_info->account_sid = account_sid; - server_info->primary_group_sid = primary_group_sid; - - server_info->domain_groups = groupSIDs; - server_info->n_domain_groups = num_groupSIDs; + server_info->sids = sids; + server_info->num_sids = num_sids; server_info->account_name = talloc_steal(server_info, ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL)); @@ -433,33 +433,27 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, if (server_info->acct_flags & ACB_SVRTRUST) { /* the SID_NT_ENTERPRISE_DCS SID gets added into the PAC */ - server_info->domain_groups = talloc_realloc(server_info, - server_info->domain_groups, - struct dom_sid *, - server_info->n_domain_groups+1); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info); - server_info->domain_groups[server_info->n_domain_groups] = - dom_sid_parse_talloc(server_info->domain_groups, - SID_NT_ENTERPRISE_DCS); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups], - server_info); - server_info->n_domain_groups++; + server_info->sids = talloc_realloc(server_info, + server_info->sids, + struct dom_sid, + server_info->num_sids+1); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); + server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs; + server_info->num_sids++; } if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) == (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) { /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */ - server_info->domain_groups = talloc_realloc(server_info, - server_info->domain_groups, - struct dom_sid *, - server_info->n_domain_groups+1); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info); - server_info->domain_groups[server_info->n_domain_groups] = - dom_sid_add_rid(server_info->domain_groups, domain_sid, - DOMAIN_RID_ENTERPRISE_READONLY_DCS); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups], - server_info); - server_info->n_domain_groups++; + server_info->sids = talloc_realloc(server_info, + server_info->sids, + struct dom_sid, + server_info->num_sids+1); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info); + server_info->sids[server_info->num_sids] = *domain_sid; + sid_append_rid(&server_info->sids[server_info->num_sids], + DOMAIN_RID_ENTERPRISE_READONLY_DCS); + server_info->num_sids++; } server_info->authenticated = true; diff --git a/source4/auth/session.c b/source4/auth/session.c index 00a59229ec..060f6d2eb6 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -50,17 +50,11 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, { struct auth_session_info *session_info; NTSTATUS nt_status; - unsigned int i, num_groupSIDs = 0; - const char *account_sid_string; - const char *account_sid_dn; - DATA_BLOB account_sid_blob; - const char *primary_group_string; - const char *primary_group_dn; - DATA_BLOB primary_group_blob; + unsigned int i, num_sids = 0; const char *filter; - struct dom_sid **groupSIDs = NULL; + struct dom_sid *sids = NULL; const struct dom_sid *anonymous_sid, *system_sid; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); @@ -81,96 +75,50 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx); - groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx); - if (!groupSIDs) { + sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx); + if (!sids) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; } - num_groupSIDs = server_info->n_domain_groups; + num_sids = server_info->num_sids; - for (i=0; i < server_info->n_domain_groups; i++) { - groupSIDs[i] = server_info->domain_groups[i]; + for (i=0; i < server_info->num_sids; i++) { + sids[i] = server_info->sids[i]; } - if (dom_sid_equal(anonymous_sid, server_info->account_sid)) { + if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (dom_sid_equal(system_sid, server_info->account_sid)) { + } else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ - - /* Expands the account SID - this function takes in - * memberOf-like values, so we fake one up with the - * <SID=S-...> format of DN and then let it expand - * them, as long as they meet the filter - so only - * builtin groups - * - * We already have the primary group in the token, so set - * 'only childs' flag to true - */ - account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info); - - account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info); - - account_sid_blob = data_blob_string_const(account_sid_dn); - - nt_status = dsdb_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter, - tmp_ctx, &groupSIDs, &num_groupSIDs); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - /* Expands the primary group - this function takes in - * memberOf-like values, so we fake one up with the - * <SID=S-...> format of DN and then let it expand - * them, as long as they meet the filter - so only - * builtin groups - * - * We already have the primary group in the token, so set - * 'only childs' flag to true - */ - primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info); - - primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info); - - primary_group_blob = data_blob_string_const(primary_group_dn); - - nt_status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter, - tmp_ctx, &groupSIDs, &num_groupSIDs); - if (!NT_STATUS_IS_OK(nt_status)) { - talloc_free(tmp_ctx); - return nt_status; - } - - for (i = 0; i < server_info->n_domain_groups; i++) { - char *group_string; - const char *group_dn; - DATA_BLOB group_blob; + for (i = 0; i < server_info->num_sids; i++) { + char *sid_string; + const char *sid_dn; + DATA_BLOB sid_blob; - group_string = dom_sid_string(tmp_ctx, - server_info->domain_groups[i]); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info); + sid_string = dom_sid_string(tmp_ctx, + &server_info->sids[i]); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info); - group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string); - talloc_free(group_string); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info); - group_blob = data_blob_string_const(group_dn); + sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); + talloc_free(sid_string); + NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info); + sid_blob = data_blob_string_const(sid_dn); /* This function takes in memberOf values and expands * them, as long as they meet the filter - so only - * builtin groups */ - nt_status = dsdb_expand_nested_groups(sam_ctx, &group_blob, true, filter, - tmp_ctx, &groupSIDs, &num_groupSIDs); + * builtin groups + * + * We already have the SID in the token, so set + * 'only childs' flag to true */ + nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter, + tmp_ctx, &sids, &num_sids); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return nt_status; @@ -180,10 +128,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, nt_status = security_token_create(session_info, lp_ctx, - server_info->account_sid, - server_info->primary_group_sid, - num_groupSIDs, - groupSIDs, + num_sids, + sids, session_info_flags, &session_info->security_token); NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx); diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c index 1058f19f5e..6df12fb701 100644 --- a/source4/auth/system_session.c +++ b/source4/auth/system_session.c @@ -106,15 +106,11 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name, server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); - server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); - - /* is this correct? */ - server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); - - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + /* This returns a pointer to a struct dom_sid, which is the + * same as a 1 element list of struct dom_sid */ + server_info->num_sids = 1; + server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM); + NT_STATUS_HAVE_NO_MEMORY(server_info->sids); /* annoying, but the Anonymous really does have a session key, and it is all zeros! */ @@ -182,21 +178,25 @@ static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx, server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); - server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); + server_info->num_sids = 7; + server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids); + + server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid; + sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR); - server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); + server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid; + sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS); - server_info->n_domain_groups = 6; - server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups); + server_info->sids[2] = global_sid_Builtin_Administrators; - server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS); - server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS); - server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS); - server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS); - server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS); - server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS); + server_info->sids[3] = *domain_sid; + sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS); + server_info->sids[4] = *domain_sid; + sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS); + server_info->sids[5] = *domain_sid; + sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS); + server_info->sids[6] = *domain_sid; + sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS); /* What should the session key be?*/ server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); @@ -337,15 +337,11 @@ _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx, server_info = talloc(mem_ctx, struct auth_serversupplied_info); NT_STATUS_HAVE_NO_MEMORY(server_info); - server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid); - - /* The anonymous user has only one SID in it's token, but we need to fill something in here */ - server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); - NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid); - - server_info->n_domain_groups = 0; - server_info->domain_groups = NULL; + /* This returns a pointer to a struct dom_sid, which is the + * same as a 1 element list of struct dom_sid */ + server_info->num_sids = 1; + server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS); + NT_STATUS_HAVE_NO_MEMORY(server_info->sids); /* annoying, but the Anonymous really does have a session key... */ server_info->user_session_key = data_blob_talloc(server_info, NULL, 16); diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c index d41305577c..b5aecbafe9 100644 --- a/source4/dsdb/common/util_groups.c +++ b/source4/dsdb/common/util_groups.c @@ -27,14 +27,14 @@ #include "dsdb/common/util.h" /* This function tests if a SID structure "sids" contains the SID "sid" */ -static bool sids_contains_sid(const struct dom_sid **sids, +static bool sids_contains_sid(const struct dom_sid *sids, const unsigned int num_sids, const struct dom_sid *sid) { unsigned int i; for (i = 0; i < num_sids; i++) { - if (dom_sid_equal(sids[i], sid)) + if (dom_sid_equal(&sids[i], sid)) return true; } return false; @@ -56,7 +56,7 @@ static bool sids_contains_sid(const struct dom_sid **sids, */ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, struct ldb_val *dn_val, const bool only_childs, const char *filter, - TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids, + TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids, unsigned int *num_res_sids) { const char * const attrs[] = { "memberOf", NULL }; @@ -114,7 +114,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, DSDB_SEARCH_SHOW_EXTENDED_DN); } else { /* This is an O(n^2) linear search */ - already_there = sids_contains_sid((const struct dom_sid**) *res_sids, + already_there = sids_contains_sid(*res_sids, *num_res_sids, &sid); if (already_there) { talloc_free(tmp_ctx); @@ -148,10 +148,9 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, /* We only apply this test once we know the SID matches the filter */ if (!only_childs) { *res_sids = talloc_realloc(res_sids_ctx, *res_sids, - struct dom_sid *, *num_res_sids + 1); + struct dom_sid, *num_res_sids + 1); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx); - (*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid); - NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx); + (*res_sids)[*num_res_sids] = sid; ++(*num_res_sids); } diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index ae61089198..1df56e8fe0 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module, const char *account_sid_string; const char *account_sid_dn; DATA_BLOB account_sid_blob; - struct dom_sid **groupSIDs = NULL; + struct dom_sid *groupSIDs = NULL; unsigned int num_groupSIDs = 0; struct dom_sid *domain_sid; @@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module, } for (i=0; i < num_groupSIDs; i++) { - ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]); + ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]); if (ret) { talloc_free(tmp_ctx); return ret; diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 11913fbbce..53be12cd52 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx, ****************************************************************************/ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, - struct dom_sid *user_sid, - struct dom_sid *group_sid, - unsigned int n_groupSIDs, - struct dom_sid **groupSIDs, + unsigned int num_sids, + struct dom_sid *sids, uint32_t session_info_flags, struct security_token **token) { @@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken = security_token_initialise(mem_ctx); NT_STATUS_HAVE_NO_MEMORY(ptoken); - ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */); + ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */); NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - ptoken->num_sids = 1; + ptoken->num_sids = 0; - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + for (i = 0; i < num_sids; i++) { + size_t check_sid_idx; + for (check_sid_idx = 0; + check_sid_idx < ptoken->num_sids; + check_sid_idx++) { + if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) { + break; + } + } - ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid; - if (!dom_sid_equal(user_sid, group_sid)) { - ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid; - ptoken->num_sids++; + if (check_sid_idx == ptoken->num_sids) { + ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->sids[ptoken->num_sids] = sids[i]; + ptoken->num_sids++; + } } /* - * Finally add the "standard" SIDs. + * Finally add the "standard" sids. * The only difference between guest and "anonymous" * is the addition of Authenticated_Users. */ @@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, ptoken->num_sids++; } - for (i = 0; i < n_groupSIDs; i++) { - size_t check_sid_idx; - for (check_sid_idx = 1; - check_sid_idx < ptoken->num_sids; - check_sid_idx++) { - if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) { - break; - } - } - - if (check_sid_idx == ptoken->num_sids) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - ptoken->sids[ptoken->num_sids] = *groupSIDs[i]; - ptoken->num_sids++; - } - } - /* The caller may have requested simple privilages, for example if there isn't a local DB */ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { /* Shortcuts to prevent recursion and avoid lookups */ diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c index 25d37af8c4..d9e09f1209 100644 --- a/source4/smbd/service_named_pipe.c +++ b/source4/smbd/service_named_pipe.c @@ -169,7 +169,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) } session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; - if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) { + if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) { session_flags |= AUTH_SESSION_INFO_AUTHENTICATED; } diff --git a/source4/torture/auth/pac.c b/source4/torture/auth/pac.c index 13796bd3db..e76f0820d4 100644 --- a/source4/torture/auth/pac.c +++ b/source4/torture/auth/pac.c @@ -167,8 +167,9 @@ static bool torture_pac_self_check(struct torture_context *tctx) smb_krb5_context->krb5_context, &server_info_out); - if (!dom_sid_equal(server_info->account_sid, - server_info_out->account_sid)) { + /* The user's SID is the first element in the list */ + if (!dom_sid_equal(server_info->sids, + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &krbtgt_keyblock); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -179,8 +180,8 @@ static bool torture_pac_self_check(struct torture_context *tctx) torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->account_sid), - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info->sids), + dom_sid_string(mem_ctx, server_info_out->sids))); } talloc_free(server_info_out); @@ -229,13 +230,13 @@ static bool torture_pac_self_check(struct torture_context *tctx) nt_errstr(nt_status))); } - if (!dom_sid_equal(server_info->account_sid, - server_info_out->account_sid)) { + if (!dom_sid_equal(server_info->sids, + server_info_out->sids)) { torture_fail(tctx, talloc_asprintf(tctx, "(self test) PAC Decode resulted in *different* domain SID: %s != %s", - dom_sid_string(mem_ctx, server_info->account_sid), - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info->sids), + dom_sid_string(mem_ctx, server_info_out->sids))); } return true; } @@ -444,7 +445,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->account_sid)) { + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -455,7 +456,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info_out->sids))); } talloc_free(server_info_out); @@ -503,7 +504,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) if (!pac_file && !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, "S-1-5-21-3048156945-3961193616-3706469200-1005"), - server_info_out->account_sid)) { + server_info_out->sids)) { krb5_free_keyblock_contents(smb_krb5_context->krb5_context, krbtgt_keyblock_p); krb5_free_keyblock_contents(smb_krb5_context->krb5_context, @@ -514,7 +515,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx) talloc_asprintf(tctx, "(saved test) PAC Decode resulted in *different* domain SID: %s != %s", "S-1-5-21-3048156945-3961193616-3706469200-1005", - dom_sid_string(mem_ctx, server_info_out->account_sid))); + dom_sid_string(mem_ctx, server_info_out->sids))); } if (krbtgt_bytes == NULL) { diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c index 8f4d677c44..73e62a3b6f 100644 --- a/source4/torture/rpc/remote_pac.c +++ b/source4/torture/rpc/remote_pac.c @@ -603,21 +603,17 @@ static bool test_S2U4Self(struct torture_context *tctx, s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self"); torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC"); torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, kinit_session_info->server_info->account_sid), "Account SID differs for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, kinit_session_info->server_info->primary_group_sid), "Primary Group SID differs for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, s2u4self_session_info->server_info->account_sid), "Account SID differs for S2U4Self"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, s2u4self_session_info->server_info->primary_group_sid), "Primary Group SID differs for S2U4Self"); - torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, kinit_session_info->server_info->n_domain_groups, "Different numbers of domain groups for kinit-based PAC"); - torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, s2u4self_session_info->server_info->n_domain_groups, "Different numbers of domain groups for S2U4Self"); + torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC"); + torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self"); builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN); - for (i = 0; i < kinit_session_info->server_info->n_domain_groups; i++) { - torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], kinit_session_info->server_info->domain_groups[i]), "Different domain groups for kinit-based PAC"); - torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], s2u4self_session_info->server_info->domain_groups[i]), "Different domain groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, s2u4self_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups for S2U4Self"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, kinit_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups kinit-based PAC"); - torture_assert(tctx, !dom_sid_in_domain(builtin_domain, netlogon_server_info->domain_groups[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); + for (i = 0; i < kinit_session_info->server_info->num_sids; i++) { + torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC"); + torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC"); + torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply"); } return true; |