From a82e3abc707ecaf68ee26828f11987d621ec1bb5 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Sat, 2 Oct 2010 05:09:42 +1000
Subject: s4-auth Add make_server_info_pac() to include 'resource domain'
 groups

Previously, our PAC code didn't include these groups into the
server_info from which we would eventually calculate the full
list of tokenGroups.

Andrew Bartlett
---
 source4/auth/auth_sam_reply.c        | 37 ++++++++++++++++++++++++++++++++++++
 source4/auth/kerberos/kerberos_pac.c |  8 +++-----
 2 files changed, 40 insertions(+), 5 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c
index b234f87215..0c03e78493 100644
--- a/source4/auth/auth_sam_reply.c
+++ b/source4/auth/auth_sam_reply.c
@@ -287,3 +287,40 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
 	return NT_STATUS_OK;
 }
 
+/**
+ * Make a server_info struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ */
+NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
+			      struct PAC_LOGON_INFO *pac_logon_info,
+			      struct auth_serversupplied_info **_server_info)
+{
+	uint32_t i;
+	NTSTATUS nt_status;
+	union netr_Validation validation;
+	struct auth_serversupplied_info *server_info;
+
+	validation.sam3 = &pac_logon_info->info3;
+
+	nt_status = make_server_info_netlogon_validation(mem_ctx, "", 3, &validation, &server_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		return nt_status;
+	}
+
+	if (pac_logon_info->res_groups.count > 0) {
+		struct dom_sid **rgrps;
+		size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
+		server_info->domain_groups = rgrps
+			= talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
+		NT_STATUS_HAVE_NO_MEMORY(rgrps);
+
+		for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
+			size_t sid_idx = server_info->n_domain_groups + i;
+			rgrps[sid_idx]
+				= dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
+						  pac_logon_info->res_groups.rids[i].rid);
+			NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+		}
+	}
+	*_server_info = server_info;
+	return NT_STATUS_OK;
+}
diff --git a/source4/auth/kerberos/kerberos_pac.c b/source4/auth/kerberos/kerberos_pac.c
index aca807e78d..40f0cf7cf8 100644
--- a/source4/auth/kerberos/kerberos_pac.c
+++ b/source4/auth/kerberos/kerberos_pac.c
@@ -684,11 +684,9 @@ krb5_error_code kerberos_pac_to_server_info(TALLOC_CTX *mem_ctx,
 	}
 
 	/* Pull this right into the normal auth sysstem structures */
-	validation.sam3 = &info.logon_info.info->info3;
-	nt_status = make_server_info_netlogon_validation(mem_ctx,
-							 "",
-							 3, &validation,
-							 &server_info_out);
+	nt_status = make_server_info_pac(mem_ctx,
+					 info.logon_info.info,
+					 &server_info_out);
 	if (!NT_STATUS_IS_OK(nt_status)) {
 		talloc_free(tmp_ctx);
 		return EINVAL;
-- 
cgit