From bf94d68df82f3c7085a6e468b4247fa55d4648ba Mon Sep 17 00:00:00 2001 From: Matthias Dieter Wallnöfer Date: Thu, 4 Mar 2010 13:58:16 +0100 Subject: s4:operational LDB - implement the "tokenGroups" constructed attribute It contains the transitive SID closure (expand member/memberOf attributes) of a certain SAM object. The "tokenGroups" attribute never contains the SID of the object itself. References: http://msdn.microsoft.com/en-us/library/ms680275(VS.85).aspx, http://support.microsoft.com/kb/301916, MS-ADTS 3.1.1.4.5.19. --- source4/dsdb/samdb/ldb_modules/config.mk | 2 +- source4/dsdb/samdb/ldb_modules/operational.c | 95 ++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+), 1 deletion(-) (limited to 'source4/dsdb/samdb/ldb_modules') diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index e13f44af09..586e937b6c 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -400,7 +400,7 @@ ldb_instancetype_OBJ_FILES = $(dsdbsrcdir)/samdb/ldb_modules/instancetype.o [MODULE::ldb_operational] SUBSYSTEM = LIBLDB CFLAGS = -Ilib/ldb/include -PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS +PRIVATE_DEPENDENCIES = LIBTALLOC LIBTEVENT LIBSAMBA-UTIL SAMDB_COMMON DSDB_MODULE_HELPERS auth_sam INIT_FUNCTION = LDB_MODULE(operational) # End MODULE ldb_operational ################################################ diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c index 413ea6b528..7bb74689c6 100644 --- a/source4/dsdb/samdb/ldb_modules/operational.c +++ b/source4/dsdb/samdb/ldb_modules/operational.c @@ -72,6 +72,9 @@ #include "dsdb/samdb/samdb.h" #include "dsdb/samdb/ldb_modules/util.h" +#include "auth/auth.h" +#include "libcli/security/dom_sid.h" + #ifndef ARRAY_SIZE #define ARRAY_SIZE(a) (sizeof(a)/sizeof(a[0])) #endif @@ -118,6 +121,97 @@ static int construct_primary_group_token(struct ldb_module *module, } } +/* + construct the token groups for SAM objects from a message +*/ +static int construct_token_groups(struct ldb_module *module, + struct ldb_message *msg) +{ + struct ldb_context *ldb; + const struct dom_sid *sid; + + ldb = ldb_module_get_ctx(module); + + sid = samdb_result_dom_sid(msg, msg, "objectSid"); + if (sid != NULL) { + NTSTATUS status; + uint32_t prim_group_rid; + struct dom_sid **sids = NULL; + unsigned int i, num_sids = 0; + int ret; + + prim_group_rid = samdb_result_uint(msg, "primaryGroupID", 0); + if (prim_group_rid != 0) { + struct dom_sid *prim_group_sid; + + prim_group_sid = dom_sid_add_rid(msg, + samdb_domain_sid(ldb), + prim_group_rid); + if (prim_group_sid == NULL) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + + /* onlyChilds = false, we want to consider also the + * "primaryGroupID" for membership */ + status = authsam_expand_nested_groups(ldb, + prim_group_sid, + false, msg, + &sids, &num_sids); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + if (!NT_STATUS_IS_OK(status)) { + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; i < num_sids; i++) { + ret = samdb_msg_add_dom_sid(ldb, msg, msg, + "tokenGroups", + sids[i]); + if (ret != LDB_SUCCESS) { + talloc_free(sids); + return ret; + } + } + + talloc_free(sids); + } + + sids = NULL; + num_sids = 0; + + /* onlyChils = true, we don't want to have the SAM object itself + * in the result */ + status = authsam_expand_nested_groups(ldb, sid, true, msg, + &sids, &num_sids); + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_MEMORY)) { + ldb_oom(ldb); + return LDB_ERR_OPERATIONS_ERROR; + } + if (!NT_STATUS_IS_OK(status)) { + return LDB_ERR_OPERATIONS_ERROR; + } + + for (i = 0; i < num_sids; i++) { + ret = samdb_msg_add_dom_sid(ldb, msg, msg, + "tokenGroups", sids[i]); + if (ret != LDB_SUCCESS) { + talloc_free(sids); + return ret; + } + } + + talloc_free(sids); + } + + return LDB_SUCCESS; +} + +/* + construct the parent GUID for an entry from a message +*/ static int construct_parent_guid(struct ldb_module *module, struct ldb_message *msg) { @@ -207,6 +301,7 @@ static const struct { { "structuralObjectClass", "objectClass", NULL , NULL }, { "canonicalName", "distinguishedName", NULL , construct_canonical_name }, { "primaryGroupToken", "objectClass", "objectSid", construct_primary_group_token }, + { "tokenGroups", "objectSid", "primaryGroupID", construct_token_groups }, { "parentGUID", NULL, NULL, construct_parent_guid }, { "subSchemaSubEntry", NULL, NULL, construct_subschema_subentry } }; -- cgit