From 710ea949886dd57c66dc6d397e0ea41c89736107 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 27 Apr 2006 16:09:17 +0000 Subject: r15297: Move create_security_token() to samdb as it requires SAMDB (and the rest of LIBSECURITY doesn't) Make the ldb password_hash module only depend on some keys manipulation code, not full heimdal Some other dependency fixes (This used to be commit 5b3ab728edfc9cdd9eee16ad0fe6dfd4b5ced630) --- source4/dsdb/samdb/ldb_modules/config.mk | 10 ++--- source4/dsdb/samdb/samdb.c | 76 ++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 6 deletions(-) (limited to 'source4/dsdb/samdb') diff --git a/source4/dsdb/samdb/ldb_modules/config.mk b/source4/dsdb/samdb/ldb_modules/config.mk index 207fdf8201..20f6e182e5 100644 --- a/source4/dsdb/samdb/ldb_modules/config.mk +++ b/source4/dsdb/samdb/ldb_modules/config.mk @@ -17,7 +17,6 @@ SUBSYSTEM = ldb INIT_FUNCTION = samldb_module_init OBJ_FILES = \ samldb.o -PUBLIC_DEPENDENCIES = SAMDB # # End MODULE ldb_samldb ################################################ @@ -62,10 +61,9 @@ OBJ_FILES = \ [MODULE::ldb_password_hash] SUBSYSTEM = ldb INIT_FUNCTION = password_hash_module_init -OBJ_FILES = \ - password_hash.o -PUBLIC_DEPENDENCIES = \ - HEIMDAL_HDB HEIMDAL_KRB5 +OBJ_FILES = password_hash.o +PUBLIC_DEPENDENCIES = HEIMDAL_KRB5 +PRIVATE_DEPENDENCIES = HEIMDAL_HDB_KEYS # # End MODULE ldb_rootdse ################################################ @@ -78,7 +76,7 @@ INIT_FUNCTION = ldb_kludge_acl_init OBJ_FILES = \ kludge_acl.o PUBLIC_DEPENDENCIES = \ - LIB_SECURITY + LIBSECURITY # # End MODULE ldb_rootdse ################################################ diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index bd133c8745..5dbfd4ee87 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -1353,3 +1353,79 @@ _PUBLIC_ NTSTATUS samdb_set_password_sid(struct ldb_context *ctx, TALLOC_CTX *me } return NT_STATUS_OK; } + +/**************************************************************************** + Create the SID list for this user. +****************************************************************************/ +NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, + struct dom_sid *user_sid, + struct dom_sid *group_sid, + int n_groupSIDs, + struct dom_sid **groupSIDs, + BOOL is_authenticated, + struct security_token **token) +{ + struct security_token *ptoken; + int i; + NTSTATUS status; + + ptoken = security_token_initialise(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(ptoken); + + ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids); + + ptoken->user_sid = talloc_reference(ptoken, user_sid); + ptoken->group_sid = talloc_reference(ptoken, group_sid); + ptoken->privilege_mask = 0; + + ptoken->sids[0] = ptoken->user_sid; + ptoken->sids[1] = ptoken->group_sid; + + /* + * Finally add the "standard" SIDs. + * The only difference between guest and "anonymous" + * is the addition of Authenticated_Users. + */ + ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_WORLD); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]); + ptoken->sids[3] = dom_sid_parse_talloc(ptoken->sids, SID_NT_NETWORK); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[3]); + ptoken->num_sids = 4; + + if (is_authenticated) { + ptoken->sids[4] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS); + NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[4]); + ptoken->num_sids++; + } + + for (i = 0; i < n_groupSIDs; i++) { + size_t check_sid_idx; + for (check_sid_idx = 1; + check_sid_idx < ptoken->num_sids; + check_sid_idx++) { + if (dom_sid_equal(ptoken->sids[check_sid_idx], groupSIDs[i])) { + break; + } + } + + if (check_sid_idx == ptoken->num_sids) { + ptoken->sids[ptoken->num_sids++] = talloc_reference(ptoken->sids, groupSIDs[i]); + } + } + + /* setup the privilege mask for this token */ + status = samdb_privilege_setup(ptoken); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(ptoken); + return status; + } + + security_token_debug(10, ptoken); + + *token = ptoken; + + return NT_STATUS_OK; +} + + -- cgit