From 9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 19 Apr 2010 15:51:57 +1000
Subject: s4:auth Change auth_generate_session_info to take flags

This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.

In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.

This also takes more care to allocate the right length ptoken->sids

Andrew Bartlett
---
 source4/dsdb/samdb/ldb_modules/operational.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

(limited to 'source4/dsdb/samdb/ldb_modules')

diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index acd8b80161..d51a8588bb 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -149,6 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
 		ldb_module_oom(module);
 		return LDB_ERR_OPERATIONS_ERROR;
 	} else if (!NT_STATUS_IS_OK(status)) {
+		ldb_set_errstring(ldb, "Cannot provide tokenGroups attribute, could not create authContext");
 		talloc_free(tmp_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
@@ -158,30 +159,29 @@ static int construct_token_groups(struct ldb_module *module,
 		talloc_free(tmp_ctx);
 		ldb_module_oom(module);
 		return LDB_ERR_OPERATIONS_ERROR;
+	} else if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+		/* Not a user, we have no tokenGroups */
+		talloc_free(tmp_ctx);
+		return LDB_SUCCESS;
 	} else if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(tmp_ctx);
+		ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_get_server_info_principal failed: %s", nt_errstr(status));
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	status = auth_generate_session_info(tmp_ctx, auth_context, server_info, &session_info);
+	status = auth_generate_session_info(tmp_ctx, auth_context, server_info, 0, &session_info);
 	if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) {
 		talloc_free(tmp_ctx);
 		ldb_module_oom(module);
 		return LDB_ERR_OPERATIONS_ERROR;
 	} else if (!NT_STATUS_IS_OK(status)) {
 		talloc_free(tmp_ctx);
+		ldb_asprintf_errstring(ldb, "Cannot provide tokenGroups attribute: auth_generate_session_info failed: %s", nt_errstr(status));
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
 
-	ret = samdb_msg_add_dom_sid(ldb, msg, msg,
-				    "tokenGroups",
-				    session_info->security_token->group_sid);
-	if (ret != LDB_SUCCESS) {
-		talloc_free(tmp_ctx);
-		return ret;
-	}
-
-	for (i = 0; i < session_info->security_token->num_sids; i++) {
+	/* We start at 1, as the first SID is the user's SID, not included in the tokenGroups */
+	for (i = 1; i < session_info->security_token->num_sids; i++) {
 		ret = samdb_msg_add_dom_sid(ldb, msg, msg,
 					    "tokenGroups",
 					    session_info->security_token->sids[i]);
-- 
cgit