svn commit: samba r14129 - branches/SAMBA_3_0/source/auth trunk/source/auth

gd at samba.org gd at samba.org
Fri Mar 10 08:26:42 GMT 2006


Author: gd
Date: 2006-03-10 08:26:40 +0000 (Fri, 10 Mar 2006)
New Revision: 14129

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14129

Log:
Add the group sids from the Kerberos PAC to the user token.

Guenther

Modified:
   branches/SAMBA_3_0/source/auth/auth_util.c
   trunk/source/auth/auth_util.c


Changeset:
Modified: branches/SAMBA_3_0/source/auth/auth_util.c
===================================================================
--- branches/SAMBA_3_0/source/auth/auth_util.c	2006-03-10 04:18:29 UTC (rev 14128)
+++ branches/SAMBA_3_0/source/auth/auth_util.c	2006-03-10 08:26:40 UTC (rev 14129)
@@ -1102,6 +1102,7 @@
 	DOM_SID user_sid, group_sid;
 	fstring dom_name;
 	auth_serversupplied_info *result;
+	int i;
 
 	if ( !(sampass = samu_new( NULL )) ) {
 		return NT_STATUS_NO_MEMORY;
@@ -1139,10 +1140,36 @@
 	result->uid = pwd->pw_uid;
 	result->gid = pwd->pw_gid;
 
-	/* TODO: Add groups from pac */
 	result->sids = NULL;
 	result->num_sids = 0;
 
+	/* and create (by appending rids) the 'domain' sids */
+	
+	for (i = 0; i < logon_info->info3.num_groups2; i++) {
+		DOM_SID sid;
+		if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid,
+				 logon_info->info3.gids[i].g_rid)) {
+			DEBUG(3,("could not append additional group rid "
+				 "0x%x\n", logon_info->info3.gids[i].g_rid));
+			TALLOC_FREE(result);
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		add_sid_to_array(result, &sid, &result->sids,
+				 &result->num_sids);
+	}
+
+	/* Copy 'other' sids.  We need to do sid filtering here to
+ 	   prevent possible elevation of privileges.  See:
+
+           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+         */
+
+	for (i = 0; i < logon_info->info3.num_other_sids; i++) {
+		add_sid_to_array(result, &logon_info->info3.other_sids[i].sid,
+				 &result->sids,
+				 &result->num_sids);
+	}
+
 	*server_info = result;
 
 	return NT_STATUS_OK;
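Review bot: The second added loop copies every entry of `logon_info->info3.other_sids` into `result->sids` unchanged, although the comment directly above it says SID filtering is needed there to prevent elevation of privileges. As written, any extra SID carried in the PAC becomes part of the user token, so the comment describes a check the code does not perform. Either apply the filter before `add_sid_to_array` (for instance skipping SIDs from the server's own local or builtin domain, if that is the intended policy), or make the gap explicit, e.g. `/* FIXME: 'other' sids are copied unfiltered; sid filtering is still missing here */`. The same loop is added to trunk/source/auth/auth_util.c in the second file section. The enclosing function starts and ends outside the hunk.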

Modified: trunk/source/auth/auth_util.c
===================================================================
--- trunk/source/auth/auth_util.c	2006-03-10 04:18:29 UTC (rev 14128)
+++ trunk/source/auth/auth_util.c	2006-03-10 08:26:40 UTC (rev 14129)
@@ -1102,6 +1102,7 @@
 	DOM_SID user_sid, group_sid;
 	fstring dom_name;
 	auth_serversupplied_info *result;
+	int i;
 
 	if ( !(sampass = samu_new( NULL )) ) {
 		return NT_STATUS_NO_MEMORY;
@@ -1139,10 +1140,36 @@
 	result->uid = pwd->pw_uid;
 	result->gid = pwd->pw_gid;
 
-	/* TODO: Add groups from pac */
 	result->sids = NULL;
 	result->num_sids = 0;
 
+	/* and create (by appending rids) the 'domain' sids */
+	
+	for (i = 0; i < logon_info->info3.num_groups2; i++) {
+		DOM_SID sid;
+		if (!sid_compose(&sid, &logon_info->info3.dom_sid.sid,
+				 logon_info->info3.gids[i].g_rid)) {
+			DEBUG(3,("could not append additional group rid "
+				 "0x%x\n", logon_info->info3.gids[i].g_rid));
+			TALLOC_FREE(result);
+			return NT_STATUS_INVALID_PARAMETER;
+		}
+		add_sid_to_array(result, &sid, &result->sids,
+				 &result->num_sids);
+	}
+
+	/* Copy 'other' sids.  We need to do sid filtering here to
+ 	   prevent possible elevation of privileges.  See:
+
+           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
+         */
+
+	for (i = 0; i < logon_info->info3.num_other_sids; i++) {
+		add_sid_to_array(result, &logon_info->info3.other_sids[i].sid,
+				 &result->sids,
+				 &result->num_sids);
+	}
+
 	*server_info = result;
 
 	return NT_STATUS_OK;
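Review bot: Both `add_sid_to_array` calls in this hunk are plain statements, so nothing here notices if a SID could not be appended. The helper's definition is not visible, but if it can fail on allocation the function would still return `NT_STATUS_OK` with a token that is missing group SIDs, which matters wherever group membership is used to deny access. Consider detecting that case after each loop and failing the logon the way the `sid_compose` branch does. Separately, the counter is declared `int i` while `num_groups2` and `num_other_sids` look like unsigned counts taken from the decoded PAC, so an unsigned counter would avoid a mixed-sign comparison; this should be confirmed against the struct definition. Both points apply equally to the branches/SAMBA_3_0 copy, and the enclosing function extends beyond the hunk.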


