-rw-r--r-- | source4/auth/session.c | 44 | ||||
-rw-r--r-- | source4/dsdb/common/util_groups.c | 25 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 31 |
3 files changed, 64 insertions, 36 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c
index de417cc54b..bb0b5bca63 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -102,22 +102,56 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 sids[i] = user_info_dc->sids[i];
 }
- if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ /*
+ * Finally add the "standard" sids.
+ * The only difference between guest and "anonymous"
+ * is the addition of Authenticated_Users.
+ */
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+
+ if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
+ sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(sids);
+
+ if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ num_sids++;
+ }
+
+
+
+ if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) {
 /* Don't expand nested groups of system, anonymous etc*/
- } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
+ } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) {
 /* Don't expand nested groups of system, anonymous etc*/
 } else if (sam_ctx) {
 filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 /* Search for each group in the token */
- for (i = 0; i < user_info_dc->num_sids; i++) {
+ for (i = 0; i < num_sids; i++) {
 char *sid_string;
 const char *sid_dn;
 DATA_BLOB sid_blob;
-
+ int ret;
+
 sid_string = dom_sid_string(tmp_ctx,
- &user_info_dc->sids[i]);
+ &sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
 sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index b5aecbafe9..6a96ce89d1 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 filter);
 }
+ /*
+ * We have the problem with the caller creating a <SID=S-....>
+ * DN for ForeignSecurityPrincipals as they also have
+ * duplicate objects with the SAME SID under CN=Configuration.
+ * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+ * and on Windows. So, we allow this to fail, and
+ * double-check if we can find it with a search in the main
+ * domain partition.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+ char *sid_string = dom_sid_string(tmp_ctx,
+ &sid);
+ if (!sid_string) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+ "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
+ sid_string);
+ }
+
 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 talloc_free(tmp_ctx);
 return NT_STATUS_OK;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 713448c4e8..361ece79f0 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
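Review bot: The error exits in the new default-groups block leave tmp_ctx unreleased: `NT_STATUS_HAVE_NO_MEMORY(sids)` after each talloc_realloc() and the three `return NT_STATUS_INTERNAL_ERROR;` lines after the dom_sid_parse() calls return straight out, while the existing loop below uses the `_AND_FREE` variant on failure. If tmp_ctx is a talloc context created earlier in auth_generate_session_info (the function starts and ends outside the hunk), these should become `NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);` and `talloc_free(tmp_ctx); return NT_STATUS_INTERNAL_ERROR;`. A short comment would also help here, because the well-known SIDs are now appended to `sids` before the `for (i = 0; i < num_sids; i++)` loop and so are themselves looked up against the BUILTIN local group filter — e.g. `/* Appended before expansion so BUILTIN groups containing these well-known SIDs end up in the token */`. The three consecutive blank lines before the anonymous_sid check should collapse to one.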
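Review bot: In the new fallback branch, a failed dom_sid_string() (`if (!sid_string)`) frees tmp_ctx and returns NT_STATUS_OK, so an allocation failure is reported to the caller as a successful, empty expansion rather than an error; that exit should be `return NT_STATUS_NO_MEMORY;`, leaving the `ret == LDB_ERR_NO_SUCH_OBJECT` check below as the only path that legitimately maps to OK. The comment explains why the `<SID=...>` DN lookup may fail but not why the retry is limited to `only_childs`; one sentence on that condition would spare the next reader a search through the callers. The retry is an objectSID search that may match more than one entry, and how `res` is consumed after the hunk is outside this view (dsdb_expand_nested_groups continues past it), so it is worth confirming that the code below tolerates a count other than one on this path. The `%s` argument is a dom_sid_string() result, so it cannot carry LDAP filter metacharacters; no escaping is needed there.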
@@ -143,37 +143,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 }
 }
- /*
- * Finally add the "standard" sids.
- * The only difference between guest and "anonymous"
- * is the addition of Authenticated_Users.
- */
-
- if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 2);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- if (!dom_sid_parse(SID_WORLD, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
-
- if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
- if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
 /* The caller may have requested simple privilages, for example if there isn't a local DB */
 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
 /* Shortcuts to prevent recursion and avoid lookups */ |