diff options
| -rw-r--r-- | source4/auth/session.c | 44 | ||||
| -rw-r--r-- | source4/dsdb/common/util_groups.c | 25 | ||||
| -rw-r--r-- | source4/dsdb/samdb/samdb.c | 31 |
3 files changed, 64 insertions, 36 deletions
diff --git a/source4/auth/session.c b/source4/auth/session.c index de417cc54b..bb0b5bca63 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -102,22 +102,56 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx, sids[i] = user_info_dc->sids[i]; } - if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { + /* + * Finally add the "standard" sids. + * The only difference between guest and "anonymous" + * is the addition of Authenticated_Users. + */ + + if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { + sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 2); + NT_STATUS_HAVE_NO_MEMORY(sids); + + if (!dom_sid_parse(SID_WORLD, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + + if (!dom_sid_parse(SID_NT_NETWORK, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + } + + if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { + sids = talloc_realloc(tmp_ctx, sids, struct dom_sid, num_sids + 1); + NT_STATUS_HAVE_NO_MEMORY(sids); + + if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &sids[num_sids])) { + return NT_STATUS_INTERNAL_ERROR; + } + num_sids++; + } + + + + if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ - } else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) { + } else if (num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &sids[PRIMARY_USER_SID_INDEX])) { /* Don't expand nested groups of system, anonymous etc*/ } else if (sam_ctx) { filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP); /* Search for each group in the token */ - for (i = 0; i < user_info_dc->num_sids; i++) { + for (i = 0; i < num_sids; i++) { char *sid_string; const char *sid_dn; DATA_BLOB sid_blob; - + int ret; + sid_string = dom_sid_string(tmp_ctx, - &user_info_dc->sids[i]); + &sids[i]); NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc); sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string); diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c index b5aecbafe9..6a96ce89d1 100644 --- a/source4/dsdb/common/util_groups.c +++ b/source4/dsdb/common/util_groups.c @@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx, filter); } + /* + * We have the problem with the caller creating a <SID=S-....> + * DN for ForeignSecurityPrincipals as they also have + * duplicate objects with the SAME SID under CN=Configuration. + * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba + * and on Windows. So, we allow this to fail, and + * double-check if we can find it with a search in the main + * domain partition. + */ + if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) { + char *sid_string = dom_sid_string(tmp_ctx, + &sid); + if (!sid_string) { + talloc_free(tmp_ctx); + return NT_STATUS_OK; + } + + ret = dsdb_search(sam_ctx, tmp_ctx, &res, + ldb_get_default_basedn(sam_ctx), + LDB_SCOPE_SUBTREE, + attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, + "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))", + sid_string); + } + if (ret == LDB_ERR_NO_SUCH_OBJECT) { talloc_free(tmp_ctx); return NT_STATUS_OK; diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 713448c4e8..361ece79f0 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -143,37 +143,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, } } - /* - * Finally add the "standard" sids. - * The only difference between guest and "anonymous" - * is the addition of Authenticated_Users. - */ - - if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 2); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - if (!dom_sid_parse(SID_WORLD, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - - if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - } - - if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) { - ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1); - NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); - - if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[ptoken->num_sids])) { - return NT_STATUS_INTERNAL_ERROR; - } - ptoken->num_sids++; - } - /* The caller may have requested simple privilages, for example if there isn't a local DB */ if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) { /* Shortcuts to prevent recursion and avoid lookups */ |