summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/sam.c41
1 files changed, 24 insertions, 17 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index c8591b3927..562117bb0f 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -282,16 +282,21 @@ static bool sids_contains_sid(const struct dom_sid **sids, const int num_sids,
/*
* This function generates the transitive closure of a given SID "sid" (it
* basically expands nested groups of a SID).
- * - If a SID is a user or a group we've always to consider the "memberOf"
- * attribute. If the SID isn't located in the "res_sids" structure yet, we've
- * to add it.
- * - We also add each object's SID to "red_sids"
+ * If the SID isn't located in the "res_sids" structure yet and the
+ * "only_childs" flag is negative, we add it to "res_sids".
+ * Then we've always to consider the "memberOf" attributes. We invoke the
+ * function recursively on each item of it with the "only_childs" flag set to
+ * "false".
+ * The "only_childs" flag is particularly useful if you have a user SID and
+ * want to include all his groups (referenced with "memberOf") without his SID
+ * itself.
*
- * In the beginning "res_sids" should reference to a NULL pointer.
+ * At the beginning "res_sids" should reference to a NULL pointer.
*/
static NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
- const struct dom_sid *sid, TALLOC_CTX *res_sids_ctx,
- struct dom_sid ***res_sids, int *num_res_sids)
+ const struct dom_sid *sid, const bool only_childs,
+ TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
+ int *num_res_sids)
{
const char * const attrs[] = { "memberOf", NULL };
int i, ret;
@@ -316,13 +321,15 @@ static NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
return NT_STATUS_OK;
}
- tmp_sid = dom_sid_dup(res_sids_ctx, sid);
- NT_STATUS_HAVE_NO_MEMORY(tmp_sid);
- *res_sids = talloc_realloc(res_sids_ctx, *res_sids, struct dom_sid *,
- *num_res_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(*res_sids);
- (*res_sids)[*num_res_sids] = tmp_sid;
- ++(*num_res_sids);
+ if (!only_childs) {
+ tmp_sid = dom_sid_dup(res_sids_ctx, sid);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_sid);
+ *res_sids = talloc_realloc(res_sids_ctx, *res_sids,
+ struct dom_sid *, *num_res_sids + 1);
+ NT_STATUS_HAVE_NO_MEMORY(*res_sids);
+ (*res_sids)[*num_res_sids] = tmp_sid;
+ ++(*num_res_sids);
+ }
tmp_ctx = talloc_new(sam_ctx);
@@ -346,7 +353,7 @@ static NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
"objectSid", NULL);
status = authsam_expand_nested_groups(sam_ctx, tmp_sid,
- res_sids_ctx, res_sids, num_res_sids);
+ false, res_sids_ctx, res_sids, num_res_sids);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(res);
talloc_free(tmp_ctx);
@@ -386,8 +393,8 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, tmp_ctx);
- status = authsam_expand_nested_groups(sam_ctx, account_sid, server_info,
- &groupSIDs, &group_ret);
+ status = authsam_expand_nested_groups(sam_ctx, account_sid, true,
+ server_info, &groupSIDs, &group_ret);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(tmp_ctx);
return status;