From 7dbfeb0dc040889244a1110940af2d070f823374 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Sat, 25 Sep 2010 19:14:42 -0700
Subject: s4-auth: fixed the SID list for DCs in the PAC

the S-1-5-9 SID is added in the PAC by the KDC, not on the server that receives the PAC

Pair-Programmed-With: Andrew Bartlett
Pair-Programmed-With: Stefan Metzmacher

Autobuild-User: Andrew Tridgell
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104
---
 source4/auth/auth.h        | 1 -
 source4/auth/sam.c         | 16 ++++++++++++++++
 source4/auth/session.c     | 18 ------------------
 source4/dsdb/samdb/samdb.c | 10 ----------
 4 files changed, 16 insertions(+), 29 deletions(-)

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ce583c871c..2f0af027bc 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -46,7 +46,6 @@ struct loadparm_context;
 #define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
 #define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC 0x04 /* Add the user to the 'enterprise DC' group */
 struct auth_serversupplied_info {
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f9e3..bdbf6906a3 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 						server_info);
 	}
+	if (server_info->acct_flags & ACB_SVRTRUST) {
+		/* the SID_NT_ENTERPRISE_DCS SID gets added into the PAC */
+		server_info->domain_groups = talloc_realloc(server_info,
+							    server_info->domain_groups,
+							    struct dom_sid *,
+							    server_info->n_domain_groups+1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+		server_info->domain_groups[server_info->n_domain_groups] =
+			dom_sid_parse_talloc(server_info->domain_groups,
+					     SID_NT_ENTERPRISE_DCS);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+						  server_info);
+		server_info->n_domain_groups++;
+	}
+
 	server_info->authenticated = true;
 	talloc_free(tmp_ctx);
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bd1be8eebb..68d03aeeec 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (auth_context) {
-		if (server_info->acct_flags & ACB_SVRTRUST) {
-			dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-			if (dom_sid) {
-				if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
-					session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
-				} else {
-					DEBUG(2, ("DC %s is not in our domain. " "It will not have Enterprise Domain Controllers membership on this server", server_info->account_name));
-				}
-			} else {
-				DEBUG(2, ("Could not obtain local domain SID, " "so can not determine if DC %s is a DC of this domain. " "It will not have Enterprise Domain Controllers membership", server_info->account_name));
-			}
-		}
-
 		groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 		if (!groupSIDs) {
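Review bot: The Enterprise Domain Controllers SID is now granted inside authsam_make_server_info on ACB_SVRTRUST alone, and the dom_sid_in_domain() check that the removed session.c block applied before handing out S-1-5-9 is not carried over, so the new `if (server_info->acct_flags & ACB_SVRTRUST)` branch silently relies on every account reaching this function being a DC of the local SAM. That is presumably true if server_info is only ever built from the local sam.ldb, but nothing in the hunk states it, and if the same function also serves the NTLM path the SID is then present for a DC account authenticating with NTLM too, which the commit message (KDC/PAC) does not cover — confirm that is intended. The one-line comment should carry that contract, e.g. `/* DC accounts of our own SAM get SID_NT_ENTERPRISE_DCS here so it lands in the PAC the KDC issues; the server receiving the PAC must not add it itself */`. Separately, the two NT_STATUS_HAVE_NO_MEMORY_AND_FREE(..., server_info) returns free server_info but not tmp_ctx, which is only leak-free if tmp_ctx hangs off mem_ctx or server_info; this matches the `..._AND_FREE(..., server_info)` return just above, but authsam_make_server_info starts before this hunk, so tmp_ctx's parent is outside the view and worth checking.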
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 32698ea412..637da4fcf2 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -202,16 +202,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 		ptoken->num_sids++;
 	}
-	if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
-		ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-		NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-		if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, &ptoken->sids[ptoken->num_sids])) {
-			return NT_STATUS_INTERNAL_ERROR;
-		}
-		ptoken->num_sids++;
-	}
-
 	for (i = 0; i < n_groupSIDs; i++) {
 		size_t check_sid_idx;
 		for (check_sid_idx = 1;
-- 
cgit