From d3d4e224785cae86b99cc748555aff9ac57de200 Mon Sep 17 00:00:00 2001
From: Günther Deschner
Date: Fri, 10 Mar 2006 08:26:40 +0000
Subject: r14129: Add the group sids from the Kerberos PAC to the user token. Guenther (This used to be commit 1280d79111ae56c6a1b4daf7a1d6d413d1f4df64)
---
 source3/auth/auth_util.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)
(limited to 'source3/auth')
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 357da1fdb7..99ce6620c3 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1102,6 +1102,7 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
 DOM_SID user_sid, group_sid;
 fstring dom_name;
 auth_serversupplied_info *result;
+ int i;
 if ( !(sampass = samu_new( NULL )) ) {
 return NT_STATUS_NO_MEMORY;
@@ -1139,10 +1140,36 @@ NTSTATUS make_server_info_pac(auth_serversupplied_info **server_info,
 result->uid = pwd->pw_uid;
 result->gid = pwd->pw_gid;
- /* TODO: Add groups from pac */
 result->sids = NULL;
 result->num_sids = 0;
+ /* and create (by appending rids) the 'domain' sids */
+
+ for (i = 0; i < logon_info->info3.num_groups2; i++) {
+ DOM_SID sid;
+ if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid,
+ logon_info->info3.gids[i].g_rid)) {
+ DEBUG(3,("could not append additional group rid "
+ "0x%x\n", logon_info->info3.gids[i].g_rid));
+ TALLOC_FREE(result);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ add_sid_to_array(result, &sid, &result->sids,
+ &result->num_sids);
+ }
+
+ /* Copy 'other' sids. We need to do sid filtering here to
+ prevent possible elevation of privileges. See:
+
+ http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+ */
+
+ for (i = 0; i < logon_info->info3.num_other_sids; i++) {
+ add_sid_to_array(result, &logon_info->info3.other_sids[i].sid,
+ &result->sids,
+ &result->num_sids);
+ }
+
 *server_info = result;
 return NT_STATUS_OK;
-- cgit
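Review bot: The second loop in the `-1139,10 +1140,36` hunk copies every entry of `logon_info->info3.other_sids` into `result->sids` unfiltered, although the comment directly above it says SID filtering is needed here to prevent elevation of privileges. As written the comment reads as if the filtering were already done; until it is, I would mark the gap explicitly, e.g. `/* FIXME: 'other' sids are copied unfiltered; drop sids the issuing domain is not authoritative for before adding them to the token */`. Separately, `i` is declared `int` in the first hunk but is compared against `num_groups2` and `num_other_sids`, which look like unsigned counts taken from the PAC, so an unsigned index would avoid the signed/unsigned comparison. Nothing in these hunks shows whether `add_sid_to_array` can fail, so its result may also need checking. The body of `make_server_info_pac` starts and ends outside both hunks.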