From a82e3abc707ecaf68ee26828f11987d621ec1bb5 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Sat, 2 Oct 2010 05:09:42 +1000 Subject: s4-auth Add make_server_info_pac() to include 'resource domain' groups Previously, our PAC code didn't include these groups into the server_info from which we would eventually calculate the full list of tokenGroups. Andrew Bartlett --- source4/auth/auth_sam_reply.c | 37 ++++++++++++++++++++++++++++++++++++ source4/auth/kerberos/kerberos_pac.c | 8 +++----- 2 files changed, 40 insertions(+), 5 deletions(-) (limited to 'source4')
diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index b234f87215..0c03e78493 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } +/** + * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon + */ +NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx, + struct PAC_LOGON_INFO *pac_logon_info, + struct auth_serversupplied_info **_server_info) +{ + uint32_t i; + NTSTATUS nt_status; + union netr_Validation validation; + struct auth_serversupplied_info *server_info; + + validation.sam3 = &pac_logon_info->info3; + + nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; + } + + if (pac_logon_info->res_groups.count > 0) { + struct dom_sid **rgrps; + size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count; + server_info->domain_groups = rgrps + = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount); + NT_STATUS_HAVE_NO_MEMORY(rgrps); + + for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) { + size_t sid_idx = server_info->n_domain_groups + i; + rgrps[sid_idx] + = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid, + pac_logon_info->res_groups.rids[i].rid); + NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]); + } + } + *_server_info = server_info; + return NT_STATUS_OK; +} diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c index aca807e78d..40f0cf7cf8 100644 --- a/source4/auth/kerberos/kerberos_pac.c +++ b/source4/auth/kerberos/kerberos_pac.c 
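Review bot: The appended resource-group SIDs are never counted, because `server_info->n_domain_groups` is left untouched after the array is grown to `sidcount`, so a consumer that walks `domain_groups` up to `n_domain_groups` still never sees them and the token this patch sets out to fix is unchanged; add `server_info->n_domain_groups = sidcount;` once the loop has filled the new slots. The allocation check inside the loop also indexes the wrong slot: `sid_idx` already includes `n_domain_groups`, so `rgrps[server_info->n_domain_groups + sid_idx]` reads past the end of the realloc'd array as soon as `n_domain_groups + i >= res_groups.count`, and otherwise tests an uninitialised slot instead of the SID just created, letting a NULL from `dom_sid_add_rid` go unnoticed. It should read `NT_STATUS_HAVE_NO_MEMORY(rgrps[sid_idx]);`. Note that the loop body is skipped entirely when `res_group_dom_sid` is NULL while the array has already been grown, so the count must only be raised when the SIDs were actually written, and since `res_groups.count` comes straight from the decoded PAC a sanity bound on it before the size arithmetic would be prudent.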
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx, } /* Pull this right into the normal auth sysstem structures */ - validation.sam3 = &info.logon_info.info->info3; - nt_status = make_server_info_netlogon_validation(mem_ctx, - "", - 3, &validation, - &server_info_out); + nt_status = make_server_info_pac(mem_ctx, + info.logon_info.info, + &server_info_out); if (!NT_STATUS_IS_OK(nt_status)) { talloc_free(tmp_ctx); return EINVAL; -- cgit
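Review bot: With the direct `make_server_info_netlogon_validation` call removed, the `validation` local that the old lines filled in appears to have lost its only use in this hunk, so it should be dropped along with this change to avoid an unused-variable warning; its declaration and the rest of `kerberos_pac_to_server_info` lie outside the hunk, so confirm there is no other reader. The unchanged error path still folds every failure from the new helper, including NT_STATUS_NO_MEMORY, into `EINVAL`; that is pre-existing, but if it is intentional a short comment such as `/* nt_status is deliberately not propagated; callers only see EINVAL */` would save the next reader from wondering.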