[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Feb 8 01:06:01 UTC 2023
The branch, master has been updated
via 075bd6b9f15 s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
via 6f09f06adca auth: Free empty SID arrays
via 77036bba013 tests/krb5: Use consistent ordering for etypes
via e5a6b001fd2 auth: Discard non-base SIDs when creating SamInfo2
via 690748412ec tests/krb5: Test groups returned by SamLogon
via 718da90414d tests/krb5: Return validation structure from _test_samlogon()
via f38d4a33a6f tests/krb5: Allow tests to set SamLogon validation level
via f44943b2bae tests/krb5: Move _test_samlogon() to base class
via d2dc8370dd1 s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
via 4f2f3162138 selftest: Expect setting domain-local group as primary group to fail
via 1c3a8fa20c7 auth: Correct primary group handling
via 4e213629356 s4-dsdb: Use correct primary group SID in token group test
via 39e2413585f s4:torture: Remove assertion that primary group is not duplicated in user_info_dc
via 96485d8e164 tests/krb5: Add tests for the primary group
via e00eeed9d2b auth: Align integer types
via 24512accc7a s4-dsdb: Simplify search expression
via c17e46a2311 ldap: Make use of LDB_OID_COMPARATOR constants
via 618d95822ed ldap: Cut down on string substitution
via e20067c52d6 auth: Make more liberal use of SID index constants
via 5147f011d9b auth: Shorten long SID flags combinations
via e3fdb2d0015 s4:kdc: Add resource SID compression
via 14d94460ca1 auth: Pass through entire PAC flags value in auth_user_info
via 8aef16bbbc1 named_pipe_auth: Bump info5 to info6
via 5043bbed999 s4:torture: Make use of torture_assert_sid_equal()
via 61e4ad691b9 tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
via 9a362f99e0e tests/krb5: Allow setting or resetting PAC flags
via 0245a588f4f tests/krb5: Add group tests simulating PACs from a trusted domain
via bd4af42130c tests/krb5: Allow changing the SID of a user's PAC
via 11aa940fb34 tests/krb5: Add some more test cases for PAC group handling
via 7831634be37 tests/krb5: Improve assertion failure message
via 4ec34d297d0 tests/krb5: Remove tests of KDCs without resource SID compression support
via c21d5bf6740 s4: Add 'const' to some parameters
via c00fe707937 s4-dsdb: Make sid_list_match() static
via 6dab2ecddf6 s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
via 3d846db42db auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
via c7b76764dc1 auth: Remove early return from make_user_info_dc_pac()
via 94cda2dfd58 auth: Exclude resource groups from a TGT
via 673ee782d97 s4:torture: Assert that group attributes match
via 7050e057429 auth: Store group attributes in auth_user_info_dc
via 53d72c87e63 s4-dsdb: Add samdb_result_dom_sid_attrs()
via 8ef6e7dba7f libcli/security: Add auth_SidAttr utility functions
via c0011bcdc8d auth.idl: Add auth_SidAttr type
via 2debc394001 s4:torture: Skip over asserted identity SIDs when comparing groups
via c7104fd8ecf s4:torture: Zero-initialise netr_NetworkInfo structure
via 449163b21d3 tests/krb5: Declare supported encryption types of service account
from 024571a7a85 waf: Add support for MemorySanitizer
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 075bd6b9f1572c539dbed0d790059a9c6b882137
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Feb 8 10:59:56 2023 +1300
s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
It is up to the caller to choose if it wants to clean up the user_info_dc
memory early; we do so only in the KDC, as it was allocated on a context
provided to samba_kdc_update_pac_blob(), whereas auth_winbind uses
a locally managed tevent state as the memory context.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Feb 8 01:05:47 UTC 2023 on atb-devel-224
commit 6f09f06adcae036a7197cb1bffaac86ab0c72945
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 22 12:50:26 2022 +1300
auth: Free empty SID arrays
In the unlikely event that these arrays are empty, they can be freed
early.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 77036bba013751021f7229f0d78011298b634501
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 19 13:43:08 2022 +1300
tests/krb5: Use consistent ordering for etypes
The 'etype' field in a Kerberos request is ordered. Make this fact
clearer by using a tuple or an array to represent etypes rather than a
set.
get_default_enctypes() now returns encryption types in order of
strength. As a consequence, the encryption type chosen by the MIT KDC
matches up with that chosen by Windows, and more tests begin to pass.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e5a6b001fd2844bfa5fa56047fb4cc09563966c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 14:07:06 2022 +1300
auth: Discard non-base SIDs when creating SamInfo2
Our SamLogon tests are now all passing.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 690748412ec05a60a598d86c83b84d61015a0669
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 14:06:59 2022 +1300
tests/krb5: Test groups returned by SamLogon
Levels NetlogonValidationSamInfo2 and NetlogonValidationSamInfo4 behave
as might be expected, so we pass those tests. NetlogonValidationSamInfo
returns no resource groups and doesn't set the NETLOGON_EXTRA_SIDS flag,
and we fail its test.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 718da90414d1b3c56b872b930850615c0668c2f9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 12:32:02 2022 +1300
tests/krb5: Return validation structure from _test_samlogon()
This lets us check the groups that are returned.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f38d4a33a6fab9fa6e8e6436f66b0a220d6325ea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 12:17:13 2022 +1300
tests/krb5: Allow tests to set SamLogon validation level
We'll want to test various levels to ensure they all behave as expected.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f44943b2bae99a1dde8b5d26baa6ed258b43c2e5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 12:16:00 2022 +1300
tests/krb5: Move _test_samlogon() to base class
We'll want to make use of it in the group tests.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d2dc8370dd1916dffa01257b1681fad00f0d33cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 22 15:54:14 2022 +1300
s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
Windows also disallows this. Note that changing a primary group to a
domain-local group is allowed by both Windows and Samba.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4f2f31621385209efa8d715e9bee9256d6ddc71e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 23 07:29:58 2022 +1300
selftest: Expect setting domain-local group as primary group to fail
This will no longer be allowed.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1c3a8fa20c79dfbc944b941d47586894d32fcedb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 13 09:04:47 2022 +1300
auth: Correct primary group handling
Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.
The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4e213629356b2f3dd8b31713ebad317353665fd8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:41:50 2022 +1300
s4-dsdb: Use correct primary group SID in token group test
This test will thereby continue to pass when we correct the handling of
primary groups.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 39e2413585fdb76c11cb6b321cd247eb89f05659
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:47:02 2022 +1300
s4:torture: Remove assertion that primary group is not duplicated in user_info_dc
This assertion is one we will be breaking shortly.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 96485d8e164df24053cb5b44e88d74c177cd9f79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:47:41 2022 +1300
tests/krb5: Add tests for the primary group
Primary groups are handled differently from normal groups of which a
user is simply a member. Of particular note is the case where a
domain-local group is made a primary group; a case normally disallowed
by Windows, but not by Samba. Therefore we want tests for it.
Our testing framework must be able to set the user's primary group, and
to clean up afterwards; to set the primary group RID of a PAC; and to
check that the primary group RID is as expected in the PAC returned to
us.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e00eeed9d2bdb97ab9bd8e7517f7ed1aa0617d43
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:52:51 2022 +1300
auth: Align integer types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 24512accc7a2cca572ae834d54b8f4f6da5a2efe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:45:29 2022 +1300
s4-dsdb: Simplify search expression
We want to find objects for which the groupType attribute has at least
one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP set. For
this the OR comparator is perfectly suited. It produces a true result if
at least one set bit is shared between both operands.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
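The bitwise matching rules the commit above relies on, shown as an added example in Python (not Samba code and not part of this patch set): it renders the single OR-rule filter for "at least one of GROUP_TYPE_ACCOUNT_GROUP / GROUP_TYPE_UNIVERSAL_GROUP", evaluates it the way a directory server does against a few constructed group entries, and checks it against the longer AND-rule disjunction it replaces. The rule OIDs are the documented LDAP_MATCHING_RULE_BIT_AND/OR values and the groupType bits are those of the AD groupType attribute; the entries, the `search()` helper and its name are this example's own. One detail worth seeing: AD stores groupType as a signed 32-bit integer, so security-enabled groups carry a negative value, and both the filter and the comparison have to work on the 32-bit pattern.

```python
import re

# OIDs of the two LDAP extensible-match rules Active Directory provides
# for bit tests (MS-ADTS names LDAP_MATCHING_RULE_BIT_AND / _BIT_OR).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# groupType bits as defined for the AD groupType attribute.
GROUP_TYPE_BUILTIN_LOCAL_GROUP = 0x00000001
GROUP_TYPE_ACCOUNT_GROUP = 0x00000002        # global
GROUP_TYPE_RESOURCE_GROUP = 0x00000004       # domain-local
GROUP_TYPE_UNIVERSAL_GROUP = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000     # the sign bit when stored signed

_BIT_FILTER = re.compile(r"^\((\w+):([\d.]+):=(\d+)\)$")


def bit_filter(attr, rule_oid, mask):
    """Render one extensible-match filter such as
    (groupType:1.2.840.113556.1.4.804:=10). The mask is reduced to its
    unsigned 32-bit pattern so a negative (security-enabled) groupType value
    can be passed in directly."""
    return f"({attr}:{rule_oid}:={mask & 0xFFFFFFFF})"


def bit_rule_matches(rule_oid, stored_value, mask):
    """Evaluate one rule on the 32-bit pattern of the stored integer."""
    v = stored_value & 0xFFFFFFFF
    m = mask & 0xFFFFFFFF
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return (v & m) == m     # every bit of the mask is set
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return (v & m) != 0     # at least one bit of the mask is set
    raise ValueError(f"unknown matching rule {rule_oid}")


def search(filter_str, entries):
    """Names of the entries matching a single bit filter or an (|(..)(..))
    disjunction of bit filters; any other filter shape is rejected."""
    if filter_str.startswith("(|"):
        parts = re.findall(r"\([^()]*\)", filter_str[2:-1])
        return sorted(set().union(*(search(p, entries) for p in parts)))
    m = _BIT_FILTER.match(filter_str)
    if m is None:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, rule_oid, mask = m.group(1), m.group(2), int(m.group(3))
    return sorted(name for name, attrs in entries.items()
                  if attr in attrs and bit_rule_matches(rule_oid, attrs[attr], mask))


# Constructed entries; the groupType values are the signed integers a DC returns.
SAMPLE_GROUPS = {
    "Global Sec":     {"groupType": -2147483646},   # 0x80000002
    "Domain-Local":   {"groupType": -2147483644},   # 0x80000004
    "Universal Sec":  {"groupType": -2147483640},   # 0x80000008
    "Global Dist":    {"groupType": 2},             # distribution group, no sign bit
    "Administrators": {"groupType": -2147483643},   # 0x80000005, builtin local
}

# The single-clause search from the commit above ...
OR_FILTER = bit_filter("groupType", LDAP_MATCHING_RULE_BIT_OR,
                       GROUP_TYPE_ACCOUNT_GROUP | GROUP_TYPE_UNIVERSAL_GROUP)
# ... and the two-clause disjunction it can replace.
AND_FILTER = "(|%s%s)" % (
    bit_filter("groupType", LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_ACCOUNT_GROUP),
    bit_filter("groupType", LDAP_MATCHING_RULE_BIT_AND, GROUP_TYPE_UNIVERSAL_GROUP))

if __name__ == "__main__":
    print(OR_FILTER, "->", search(OR_FILTER, SAMPLE_GROUPS))
    print(AND_FILTER, "->", search(AND_FILTER, SAMPLE_GROUPS))
```

Both filters select the global and universal groups (security or distribution) and leave the domain-local and builtin groups out; the OR form does it in one clause, which is the simplification the commit makes.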
commit c17e46a23118b9beb0160d15bd6d8d9cc723448c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 14:24:18 2022 +1300
ldap: Make use of LDB_OID_COMPARATOR constants
These constants allow one to tell at a glance what search operation is
being performed.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 618d95822edb83a5f107c23dac450c0025b3e295
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:41:03 2022 +1300
ldap: Cut down on string substitution
Constant strings can be inserted directly into format strings, reducing
the amount of string substitution to be performed.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e20067c52d642123b7ed929c1e35a2c0d144b13c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 16 12:08:41 2022 +1300
auth: Make more liberal use of SID index constants
Arrays of SIDs are handled not fully consistently throughout the
codebase. Sometimes SIDs in the first and second positions represent a
user and a primary group respectively; other times they don't mean
anything in particular. Using these index constants in situations of the
former sort can help to clarify our intent.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5147f011d9b2b37dd46939d4b50d71d50a6776c1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 15 11:58:11 2022 +1300
auth: Shorten long SID flags combinations
The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
commonly used, and introducing a shorter alias for it makes the code
clearer.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e3fdb2d00152d86558a2ba29b92fd36440055461
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 2 10:49:20 2022 +1300
s4:kdc: Add resource SID compression
The domain-local groups that are added to the PAC of a service ticket
are now, if the service doesn't disclaim support for SID compression,
placed into the resource groups structure in PAC_LOGON_INFO.
In a TGS exchange directed to a KDC, rather than to a service, the
resource groups structure is simply copied into the updated PAC without
any processing being done.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14d94460ca1ef22269373f36ec50df248aca9465
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 10:50:01 2022 +1300
auth: Pass through entire PAC flags value in auth_user_info
Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8aef16bbbc1e55f0a9f5a8ec87e5348688d93785
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 22 17:48:26 2022 +1300
named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5043bbed9993cc08ee752a3fe44f835aedbbc129
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 10:28:45 2022 +1300
s4:torture: Make use of torture_assert_sid_equal()
This macro produces a slightly more useful message if the assertion
fails.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61e4ad691b9b01890b2c29fdd395c59225344451
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:20:18 2022 +1300
tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
This lets us test what happens in TGS-REQ exchanges to the KDC, when the
flags and resource groups are simply passed through into the new PAC,
regardless of what value the flags hold.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9a362f99e0e657f4d63e987ce5b0a6a1e4a177f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:08:28 2022 +1300
tests/krb5: Allow setting or resetting PAC flags
This lets us test what happens when the flags in the PAC, such as
NETLOGON_RESOURCE_GROUPS, are given "interesting" values.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0245a588f4f06f9dd2f8b3eff56d6bef102f4879
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:20:53 2022 +1300
tests/krb5: Add group tests simulating PACs from a trusted domain
Crucially, in these tests the user's domain and its SID are different
from our domain and its SID. These tests will assert that in such a case
resource groups are added to the PAC and handled correctly.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bd4af42130c40fff5bcbab938da0f99e1b3ea4de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:05:05 2022 +1300
tests/krb5: Allow changing the SID of a user's PAC
This lets us simulate a ticket of a user from another domain.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11aa940fb347e9541754f7ab365f6d09bba20395
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:17:19 2022 +1300
tests/krb5: Add some more test cases for PAC group handling
Change some of the attributes in TGS-REQ PACs to ensure they are handled
correctly.
Add a test of a PAC containing resource SIDs for a service without
resource SID compression support, ensuring the SIDs are correctly
removed.
Add a Samba 4.17 compatibility test for a service with resource SID
compression support.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7831634be3765cc3958003ebfd031c7b96d381dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:02:29 2022 +1300
tests/krb5: Improve assertion failure message
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ec34d297d077ccb7b41770d1c6cb22cdbaee712
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 10:57:42 2022 +1300
tests/krb5: Remove tests of KDCs without resource SID compression support
As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c21d5bf6740d246a5d887f696f21940cf7cf4079
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 14:14:18 2022 +1300
s4: Add 'const' to some parameters
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c00fe707937f7f19cb9107d8459ae614f1baa8aa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 14:23:26 2022 +1300
s4-dsdb: Make sid_list_match() static
It's not used anywhere other than this file.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6dab2ecddf6b9ebc10d1ed3cfcb5f8f4f2236f1c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 14:32:23 2022 +1300
s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3d846db42db15465d47f2c5e285d3e958bdf5f98
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 19:27:24 2022 +1300
auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
MS-PAC section 2.5 states that if the resource_groups member is
non-NULL, or resource_groups.groups.count is not zero, the
NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
process resource groups if the flag is not set.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c7b76764dc10fd2479f51ddf3fb4f1eb20790371
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 19:37:12 2022 +1300
auth: Remove early return from make_user_info_dc_pac()
'rg' is never NULL, so this codepath is never taken. But if it were, we
would return early and entirely neglect filling in the UPN_DNS_INFO from
the 'pac_upn_dns_info' parameter. So remove the early return.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 27 14:51:54 2022 +1300
auth: Exclude resource groups from a TGT
Resource group SIDs should only be placed into a service ticket, but we
were including them in all tickets. Now that we have access to the group
attributes, we'll filter out any groups with SE_GROUP_RESOURCE set if
we're creating a TGT.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
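The placement rules spread across commits 1c3a8fa20c7 (primary group at index 1, other copies no longer filtered), e3fdb2d0015 (resource SID compression), 3d846db42db (only honour resource groups when NETLOGON_RESOURCE_GROUPS is set) and 94cda2dfd58 (no resource groups in a TGT), pulled together as an added Python example that is not part of this patch set or of Samba. It takes a list of (SID, attributes) pairs like the auth_SidAttr arrays the series introduces, sorts them into the base RIDs, Extra SIDs and Resource Groups fields of a PAC_LOGON_INFO, sets the UserFlags bits, and then reads them back the way a consumer that trusts the flags would. The attribute and flag values are those of MS-DTYP and MS-PAC; the ticket-kind names, the dict layout, the sample SIDs and the choice to carry a domain-local group as a full SID in Extra SIDs when the service has SID compression disabled are this example's assumptions, not anything the page states.

```python
# Group attribute bits (MS-DTYP) and PAC UserFlags bits (MS-PAC 2.5).
SE_GROUP_MANDATORY = 0x00000001
SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002
SE_GROUP_ENABLED = 0x00000004
SE_GROUP_RESOURCE = 0x20000000
SE_GROUP_DEFAULT_FLAGS = (SE_GROUP_MANDATORY
                          | SE_GROUP_ENABLED_BY_DEFAULT
                          | SE_GROUP_ENABLED)

NETLOGON_EXTRA_SIDS = 0x00000020
NETLOGON_RESOURCE_GROUPS = 0x00000200

# Fixed positions in the SID list, mirroring the index constants the commits use.
PRIMARY_USER_SID_INDEX = 0
PRIMARY_GROUP_SID_INDEX = 1

# Ticket kinds; the names are this example's, not Samba's.
TGT = "tgt"
SERVICE_COMPRESSED = "service with resource SID compression"
SERVICE_UNCOMPRESSED = "service with resource SID compression disabled"


def split_rid(sid):
    """'S-1-5-21-1-2-3-1105' -> ('S-1-5-21-1-2-3', 1105)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def build_logon_info(sids, domain_sid, ticket_kind):
    """Place (sid, attrs) pairs into the fields of a PAC_LOGON_INFO.

    sids[0] is the user, sids[1] the primary group; everything after that is
    taken as-is from the expanded group list, duplicates of the primary group
    included."""
    _, user_rid = split_rid(sids[PRIMARY_USER_SID_INDEX][0])
    _, primary_gid = split_rid(sids[PRIMARY_GROUP_SID_INDEX][0])
    info = {
        "domain_sid": domain_sid,
        "user_rid": user_rid,
        "primary_gid": primary_gid,
        "group_ids": [],          # (rid, attrs): base RIDs, our domain only
        "extra_sids": [],         # (sid, attrs): anything else, as full SIDs
        "resource_groups": None,  # {"domain_sid": ..., "rids": [(rid, attrs)]}
        "user_flags": 0,
    }

    for sid, attrs in sids[PRIMARY_GROUP_SID_INDEX + 1:]:
        sid_domain, rid = split_rid(sid)
        if attrs & SE_GROUP_RESOURCE:
            if ticket_kind == TGT:
                continue  # resource groups belong only in service tickets
            if ticket_kind == SERVICE_COMPRESSED:
                rg = info["resource_groups"]
                if rg is None:
                    # The first resource SID fixes the resource domain.
                    rg = info["resource_groups"] = {"domain_sid": sid_domain, "rids": []}
                if rg["domain_sid"] == sid_domain:
                    rg["rids"].append((rid, attrs))
                    continue
                # A different domain from the first resource SID: fall through.
            # Assumption (not stated on this page): without compression, or
            # on a domain mismatch, the group travels as a full SID here.
            info["extra_sids"].append((sid, attrs))
        elif sid_domain == domain_sid:
            info["group_ids"].append((rid, attrs))
        else:
            info["extra_sids"].append((sid, attrs))

    if info["extra_sids"]:
        info["user_flags"] |= NETLOGON_EXTRA_SIDS
    if info["resource_groups"] is not None and info["resource_groups"]["rids"]:
        info["user_flags"] |= NETLOGON_RESOURCE_GROUPS  # required by MS-PAC 2.5
    return info


def sids_from_logon_info(info):
    """Consumer side: rebuild the (sid, attrs) list, trusting the UserFlags
    bits, so an unset NETLOGON_RESOURCE_GROUPS hides the resource groups even
    if the structure is present."""
    dom = info["domain_sid"]
    out = [(f"{dom}-{info['user_rid']}", SE_GROUP_DEFAULT_FLAGS),
           (f"{dom}-{info['primary_gid']}", SE_GROUP_DEFAULT_FLAGS)]
    out += [(f"{dom}-{rid}", attrs) for rid, attrs in info["group_ids"]]
    if info["user_flags"] & NETLOGON_EXTRA_SIDS:
        out += list(info["extra_sids"])
    if info["user_flags"] & NETLOGON_RESOURCE_GROUPS:
        rg = info["resource_groups"]
        out += [(f"{rg['domain_sid']}-{rid}", attrs) for rid, attrs in rg["rids"]]
    return out


# Constructed input: our domain, a trusted domain, and the well-known
# "authentication authority asserted identity" SID S-1-18-1.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"
TRUSTED_SID = "S-1-5-21-4444-5555-6666"
SAMPLE_SIDS = [
    (DOMAIN_SID + "-1105", SE_GROUP_DEFAULT_FLAGS),   # user
    (DOMAIN_SID + "-513", SE_GROUP_DEFAULT_FLAGS),    # primary group (Domain Users)
    (DOMAIN_SID + "-513", SE_GROUP_DEFAULT_FLAGS),    # the same group, from expansion
    (DOMAIN_SID + "-1200", SE_GROUP_DEFAULT_FLAGS),   # global group
    (DOMAIN_SID + "-1300", SE_GROUP_DEFAULT_FLAGS | SE_GROUP_RESOURCE),   # domain-local
    (TRUSTED_SID + "-2000", SE_GROUP_DEFAULT_FLAGS),  # group in a trusted domain
    (TRUSTED_SID + "-3000", SE_GROUP_DEFAULT_FLAGS | SE_GROUP_RESOURCE),  # foreign resource SID
    ("S-1-18-1", SE_GROUP_DEFAULT_FLAGS),
]
```

Running `build_logon_info(SAMPLE_SIDS, DOMAIN_SID, kind)` for the three ticket kinds shows the differences the tests in this series check: the TGT carries no resource groups at all, the compressed service ticket carries RID 1300 in Resource Groups with NETLOGON_RESOURCE_GROUPS set and the foreign resource SID in Extra SIDs, and the uncompressed one carries 1300 as a full SID. Clearing NETLOGON_RESOURCE_GROUPS on the compressed result and reading it back with `sids_from_logon_info()` drops 1300, which is the behaviour commit 3d846db42db relies on.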
commit 673ee782d97c19bf240e37d4714e8a51fbf80457
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 8 13:34:14 2022 +1300
s4:torture: Assert that group attributes match
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7050e05742956bb75c4b27f39f97adc4d544e0f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 27 15:13:12 2022 +1300
auth: Store group attributes in auth_user_info_dc
Group expansion, performed in dsdb_expand_nested_groups(), now
incorporates a check of the type of each group. Those that are resource
groups receive the SE_GROUP_RESOURCE bit in the attributes which are now
carried alongside each group SID.
Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
SE_GROUP_ENABLED to set attributes in the PAC, we now take the correct
attributes from user_info_dc.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 53d72c87e6362e24eb922a5a9040e5d631c7fce4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Nov 7 14:28:21 2022 +1300
s4-dsdb: Add samdb_result_dom_sid_attrs()
This function is modelled on samdb_result_dom_sid(). It allocates,
rather than a dom_sid, an auth_SidAttr object, which we can pass to
other functions accepting an auth_SidAttr.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8ef6e7dba7f243310db3d9769f3fb4a3ad4d6daa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 27 15:12:52 2022 +1300
libcli/security: Add auth_SidAttr utility functions
These functions are modelled on add_sid_to_array() and
add_sid_to_array_unique(). They differ in that they operate not on an
array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
parameter of type uint32_t.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c0011bcdc8dbe6495180268a13b95d1f5b64f525
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 27 15:12:19 2022 +1300
auth.idl: Add auth_SidAttr type
This type incorporates, alongside a SID, a group attributes member,
through which attributes from a PAC or the AD database can be conveyed
into the completed PAC. A useful benefit this provides is the ability to
distinguish and exclude domain-local groups, which only belong in
service tickets, from the PAC of a TGT.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2debc39400118754eaf402def73dd4e9008f0f21
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 8 13:34:07 2022 +1300
s4:torture: Skip over asserted identity SIDs when comparing groups
We've already tested for the existence of these SIDs, and the assumption
that they are always the last element in a PAC is false. We must check
all the SIDs in each array, skipping over ones that were found to be
asserted identity SIDs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c7104fd8ecf8572304e16ef554961e3cdc55c0ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 8 13:33:25 2022 +1300
s4:torture: Zero-initialise netr_NetworkInfo structure
This ensures that no members contain garbage data.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 449163b21d314186460b09178e2c6656bae80f51
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Dec 12 11:01:20 2022 +1300
tests/krb5: Declare supported encryption types of service account
If SID compression support is disabled for a created account,
msDS-SupportedEncryptionTypes will be set to a value that includes the
RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption type
bits. Since stricter encryption type handling was introduced to address
CVE-2022-37966, this combination has been interpreted as an expression
of no encryption type support, and trying to make a Kerberos request to
a service with such a combination of bits will fail with
ERR_ETYPE_NOSUPP.
To allow us to make Kerberos requests to test service accounts again, we
must set some actual encryption type bits.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/auth_log.c | 4 +-
auth/auth_sam_reply.c | 381 +++++--
auth/auth_sam_reply.h | 10 +-
auth/wbc_auth_util.c | 16 +-
lib/afs/afs_funcs.c | 2 +-
libcli/named_pipe_auth/npa_tstream.c | 114 +--
libcli/named_pipe_auth/npa_tstream.h | 4 +-
libcli/security/dom_sid.h | 7 +
libcli/security/security_token.h | 2 +
libcli/security/util_sid.c | 68 ++
libgpo/gpo_reg.c | 10 +-
librpc/idl/auth.idl | 32 +-
librpc/idl/named_pipe_auth.idl | 8 +-
librpc/idl/netlogon.idl | 1 +
librpc/idl/security.idl | 5 +
librpc/rpc/dcesrv_handles.c | 8 +-
python/samba/tests/krb5/as_req_tests.py | 20 +-
python/samba/tests/krb5/group_tests.py | 1178 ++++++++++++++++++++--
python/samba/tests/krb5/kdc_base_test.py | 120 ++-
python/samba/tests/krb5/protected_users_tests.py | 92 +-
python/samba/tests/krb5/raw_testcase.py | 53 +-
python/samba/tests/krb5/s4u_tests.py | 4 +-
selftest/knownfail_heimdal_kdc | 21 -
selftest/knownfail_mit_kdc | 36 -
selftest/knownfail_mit_kdc_1_20 | 14 +
source3/auth/auth_ntlmssp.c | 2 +-
source3/auth/auth_samba4.c | 4 +-
source3/auth/auth_util.c | 41 +-
source3/auth/server_info.c | 4 +-
source3/lib/util_sid.c | 3 -
source3/librpc/idl/rpc_host.idl | 2 +-
source3/passdb/pdb_ldap.c | 147 +--
source3/passdb/pdb_samba_dsdb.c | 8 +-
source3/rpc_client/local_np.c | 44 +-
source3/rpc_server/rpc_host.c | 66 +-
source3/rpc_server/rpc_worker.c | 50 +-
source3/rpc_server/samr/srv_samr_nt.c | 11 +-
source3/winbindd/idmap_ldap.c | 3 +-
source3/winbindd/winbindd_ads.c | 11 +-
source4/auth/auth.h | 2 +-
source4/auth/kerberos/kerberos.h | 1 +
source4/auth/kerberos/kerberos_pac.c | 34 +-
source4/auth/ntlm/auth.c | 6 +-
source4/auth/ntlm/auth_developer.c | 7 +-
source4/auth/ntlm/auth_simple.c | 2 +-
source4/auth/sam.c | 98 +-
source4/auth/session.c | 32 +-
source4/auth/system_session.c | 57 +-
source4/auth/unix_token.c | 26 +-
source4/dns_server/dlz_bind9.c | 2 +-
source4/dsdb/common/rodc_helper.c | 20 +-
source4/dsdb/common/util.c | 41 +-
source4/dsdb/common/util_groups.c | 60 +-
source4/dsdb/samdb/cracknames.c | 4 +-
source4/dsdb/samdb/ldb_modules/audit_util.c | 4 +-
source4/dsdb/samdb/ldb_modules/operational.c | 49 +-
source4/dsdb/samdb/ldb_modules/samldb.c | 14 +-
source4/dsdb/samdb/samdb.c | 6 +-
source4/dsdb/samdb/samdb.h | 1 +
source4/dsdb/tests/python/token_group.py | 4 +-
source4/kdc/db-glue.c | 12 +-
source4/kdc/db-glue.h | 2 +-
source4/kdc/mit_samba.c | 20 +-
source4/kdc/pac-glue.c | 148 ++-
source4/kdc/pac-glue.h | 12 +-
source4/kdc/wdc-samba4.c | 19 +-
source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 2 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 +-
source4/rpc_server/samr/dcesrv_samr.c | 20 +-
source4/setup/tests/blackbox_group.sh | 3 +-
source4/smb_server/smb/sesssetup.c | 4 +-
source4/torture/auth/pac.c | 24 +-
source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
source4/torture/rpc/remote_pac.c | 50 +-
source4/torture/winbind/winbind.c | 38 +-
75 files changed, 2568 insertions(+), 871 deletions(-)
Changeset truncated at 500 lines:
diff --git a/auth/auth_log.c b/auth/auth_log.c
index dc1cea12390..787a9ec6b42 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -407,7 +407,7 @@ static void log_successful_authz_event_json(
goto failure;
}
rc = json_add_sid(
- &authorization, "sid", &session_info->security_token->sids[0]);
+ &authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
if (rc != 0) {
goto failure;
}
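Review bot: PRIMARY_USER_SID_INDEX replaces a bare 0 here, but nothing in this hunk shows which header defines it; the summary lists libcli/security/security_token.h gaining two lines, so confirm auth_log.c reaches that header through its existing includes, otherwise this file stops building on its own. The substitution itself changes no behaviour and makes the intent of `sids[0]` explicit, which is the point of the series.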
@@ -758,7 +758,7 @@ static void log_successful_authz_event_human_readable(
auth_type,
log_escape(frame, session_info->info->domain_name),
log_escape(frame, session_info->info->account_name),
- dom_sid_str_buf(&session_info->security_token->sids[0],
+ dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
&sid_buf),
ts,
remote_str,
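Review bot: the replacement line `dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX],` runs well past 80 columns once indented, and Samba's README.Coding asks for 80-column lines; pulling the SID into a local before the call (`const struct dom_sid *user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];`) keeps the call readable. Otherwise the same behaviour-neutral rename as in the JSON logger above.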
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 173a5132964..2a35723e355 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -25,6 +25,165 @@
#include "libcli/security/security.h"
#include "auth/auth_sam_reply.h"
+/* Returns true if this SID belongs in SamBaseInfo, otherwise false. */
+static bool is_base_sid(const struct auth_SidAttr *sid,
+ const struct dom_sid *domain_sid)
+{
+ if (sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * Resource groups don't belong in the base
+ * RIDs, they're handled elsewhere.
+ */
+ return false;
+ }
+
+ /*
+ * This SID belongs in the base structure only if it's in the account's
+ * domain.
+ */
+ return dom_sid_in_domain(domain_sid, &sid->sid);
+}
+
+/* Stores a SID in a previously allocated array. */
+static NTSTATUS store_extra_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid)
+{
+ /* Check we aren't about to overflow our allocation. */
+ if (*sidcount >= allocated_sids) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sids[*sidcount].sid = dom_sid_dup(sids, &sid->sid);
+ if (sids[*sidcount].sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ sids[*sidcount].attributes = sid->attrs;
+ *sidcount += 1;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Stores a resource SID in a previously allocated array, either Extra SIDs or
+ * Resource SIDs. Any SID within the domain of the first SID so added is stored
+ * there, while remaining SIDs are stored in Extra SIDs.
+ */
+static NTSTATUS store_resource_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
+ const uint32_t allocated_resource_groups)
+{
+ NTSTATUS status;
+
+ struct dom_sid *resource_domain = NULL;
+ uint32_t rid;
+
+ if (resource_groups == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Split the SID into domain and RID. */
+ status = dom_sid_split_rid(resource_groups, &sid->sid, &resource_domain, &rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (resource_groups->domain_sid == NULL) {
+ /*
+ * There is no domain SID set. Set it to the domain of this SID.
+ */
+ resource_groups->domain_sid = resource_domain;
+ } else {
+ /*
+ * A domain SID has already been set. Check whether this SID's
+ * domain matches.
+ *
+ * Assuming that resource SIDs have been obtained with
+ * dsdb_expand_nested_groups(), they should all be within the
+ * same domain (ours), so unless something has gone horribly
+ * wrong, we should always find that they match.
+ */
+ bool match = dom_sid_equal(resource_groups->domain_sid, resource_domain);
+ talloc_free(resource_domain);
+ if (!match) {
+ /*
+ * It doesn't match, so we can't store this SID here. It
+ * will have to go in Extra SIDs.
+ */
+ return store_extra_sid(sids, sidcount, allocated_sids, sid);
+ }
+ }
+
+ /* Store the SID in Resource SIDs. */
+
+ /* Check we aren't about to overflow our allocation. */
+ if (resource_groups->groups.count >= allocated_resource_groups) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ resource_groups->groups.rids[resource_groups->groups.count].rid = rid;
+ resource_groups->groups.rids[resource_groups->groups.count].attributes = sid->attrs;
+ resource_groups->groups.count++;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Stores a SID in a previously allocated array, or excludes it if we are not
+ * storing resource groups. It will be placed in either Extra SIDs or Resource
+ * SIDs, depending on which is appropriate.
+ */
+static NTSTATUS store_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
+ const uint32_t allocated_resource_groups,
+ const enum auth_group_inclusion group_inclusion)
+{
+ /* See if it's a resource SID. */
+ if (sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * If this is the SID of a resource group, determine whether it
+ * should be included or filtered out.
+ */
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Include this SID in Extra SIDs. */
+ break;
+ case AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED:
+ /*
+ * Try to include this SID in Resource Groups. If this
+ * can't be arranged, we shall fall back to Extra
+ * SIDs.
+ */
+ return store_resource_sid(sids,
+ sidcount,
+ allocated_sids,
+ sid,
+ resource_groups,
+ allocated_resource_groups);
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /* Ignore this SID. */
+ return NT_STATUS_OK;
+ default:
+ /* This means we have a bug. */
+ DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ /* Just store the SID in Extra SIDs. */
+ return store_extra_sid(sids,
+ sidcount,
+ allocated_sids,
+ sid);
+}
+
static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
struct netr_SamBaseInfo *sam)
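Review bot: a resource SID that fails the domain comparison in store_resource_sid() is handed to store_extra_sid(), which copies sid->attrs verbatim, so the entry lands in Extra SIDs with SE_GROUP_RESOURCE still set; the comment above `return store_extra_sid(sids, sidcount, allocated_sids, sid);` should say whether keeping that attribute on an Extra SIDs entry is intended, especially since the "first SID wins" rule for resource_groups->domain_sid means which SIDs end up where depends on iteration order. A second, smaller point: in store_resource_sid() the allocation guard `if (resource_groups->groups.count >= allocated_resource_groups)` runs after resource_groups->domain_sid may already have been set, so on that error path the structure is left half-initialised; harmless today because every caller frees resource_groups on any failure, but moving the guard before the domain handling would make the helper safe on its own.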
@@ -35,7 +194,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
ZERO_STRUCTP(sam);
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) {
- status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX],
+ status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid,
&sam->domain_sid, &sam->rid);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -45,7 +204,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
}
if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
- status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX],
+ status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid,
NULL, &sam->primary_gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
@@ -89,7 +248,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
sam->groups.count = 0;
sam->groups.rids = NULL;
- if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) {
+ if (user_info_dc->num_sids > REMAINING_SIDS_INDEX) {
size_t i;
sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute,
user_info_dc->num_sids);
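Review bot: with the loop now starting at REMAINING_SIDS_INDEX instead of PRIMARY_GROUP_SID_INDEX, the primary group's RID only reaches sam->groups if the same SID is repeated later in user_info_dc->sids; that invariant (the primary group appears both at PRIMARY_GROUP_SID_INDEX and among the remaining SIDs) should be stated in a comment next to `if (user_info_dc->num_sids > REMAINING_SIDS_INDEX) {`, otherwise a reader will take this hunk as silently dropping the primary group from the base RIDs. The talloc_array of user_info_dc->num_sids entries also over-allocates by REMAINING_SIDS_INDEX; harmless, but `num_sids - REMAINING_SIDS_INDEX` is the tight bound.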
@@ -97,25 +256,27 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
if (sam->groups.rids == NULL)
return NT_STATUS_NO_MEMORY;
- for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
- struct dom_sid *group_sid = &user_info_dc->sids[i];
- if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
+ for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) {
+ struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+
+ bool belongs_in_base = is_base_sid(group_sid, sam->domain_sid);
+ if (!belongs_in_base) {
/* We handle this elsewhere */
continue;
}
sam->groups.rids[sam->groups.count].rid =
- group_sid->sub_auths[group_sid->num_auths-1];
+ group_sid->sid.sub_auths[group_sid->sid.num_auths-1];
- sam->groups.rids[sam->groups.count].attributes =
- SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ sam->groups.rids[sam->groups.count].attributes = group_sid->attrs;
sam->groups.count += 1;
}
- }
- sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
- if (!user_info_dc->info->authenticated) {
- sam->user_flags |= NETLOGON_GUEST;
+ if (sam->groups.count == 0) {
+ TALLOC_FREE(sam->groups.rids);
+ }
}
+
+ sam->user_flags = info->user_flags; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
sam->acct_flags = user_info_dc->info->acct_flags;
sam->sub_auth_status = 0;
sam->last_successful_logon = 0;
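Review bot: `sam->user_flags = info->user_flags;` uses an `info` variable that is not declared anywhere in the visible context, while the very next line spells out user_info_dc->info->acct_flags; if `info` is a local alias introduced earlier in the function, use it on both lines, otherwise this will not compile. This hunk also removes the `sam->user_flags |= NETLOGON_GUEST` fallback for unauthenticated sessions, so every producer of auth_user_info must now set NETLOGON_GUEST itself; the make_user_info_SamBaseInfo() change later in this patch does, but any other constructor of user_info_dc->info needs the same treatment or guest logons will be reported as authenticated in the validation structure.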
@@ -137,54 +298,108 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
-/* Note that the validity of the _sam6 structure is only as long as
- * the user_info_dc it was generated from */
+/* Note that the validity of the _sam6 and resource_groups structures is only as
+ * long as the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
- struct netr_SamInfo6 **_sam6)
+ enum auth_group_inclusion group_inclusion,
+ struct netr_SamInfo6 **_sam6,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
{
NTSTATUS status;
struct netr_SamInfo6 *sam6 = NULL;
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
size_t i;
+ const uint32_t allocated_sids = user_info_dc->num_sids;
+ uint32_t allocated_resource_groups = 0;
+
sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
if (sam6 == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ if (_resource_groups == NULL) {
+ if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
+ DBG_ERR("_resource_groups parameter not provided to receive resource groups!\n");
+ TALLOC_FREE(sam6);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ } else if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
+ *_resource_groups = NULL;
+
+ /* Allocate resource groups structure. */
+ resource_groups = talloc_zero(mem_ctx, struct PAC_DOMAIN_GROUP_MEMBERSHIP);
+ if (resource_groups == NULL) {
+ TALLOC_FREE(sam6);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * Allocate enough space to store user_info_dc->num_sids
+ * RIDs in the worst case.
+ */
+ allocated_resource_groups = user_info_dc->num_sids;
+ resource_groups->groups.rids = talloc_zero_array(resource_groups,
+ struct samr_RidWithAttribute,
+ allocated_resource_groups);
+ if (resource_groups->groups.rids == NULL) {
+ TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ /* No resource groups will be provided. */
+ *_resource_groups = NULL;
+ }
+
status = auth_convert_user_info_dc_sambaseinfo(sam6,
user_info_dc,
&sam6->base);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return status;
}
- sam6->sids = talloc_array(sam6, struct netr_SidAttr,
- user_info_dc->num_sids);
+ /*
+ * Allocate enough space to store user_info_dc->num_sids SIDs in the
+ * worst case.
+ */
+ sam6->sids = talloc_zero_array(sam6, struct netr_SidAttr,
+ allocated_sids);
if (sam6->sids == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
/* We don't put the user and group SIDs in there */
- for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i])) {
+ for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) {
+ struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid);
+ if (belongs_in_base) {
+ /* We already handled this in the base. */
continue;
}
- sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i]);
- if (sam6->sids[sam6->sidcount].sid == NULL) {
+
+ status = store_sid(sam6->sids,
+ &sam6->sidcount,
+ allocated_sids,
+ group_sid,
+ resource_groups,
+ allocated_resource_groups,
+ group_inclusion);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam6);
- return NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(resource_groups);
+ return status;
}
- sam6->sids[sam6->sidcount].attributes =
- SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
- sam6->sidcount += 1;
}
if (sam6->sidcount) {
sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;
} else {
- sam6->sids = NULL;
+ TALLOC_FREE(sam6->sids);
}
if (user_info_dc->info->dns_domain_name != NULL) {
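Review bot: when resource SIDs are compressed into resource_groups, nothing here records that in sam6->base.user_flags, whereas the Extra SIDs case does (`sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;`); if the caller is expected to set NETLOGON_RESOURCE_GROUPS itself once it places the structure into the PAC, say so in the function comment, since the asymmetry is easy to miss. Note also that resource_groups is allocated on mem_ctx rather than as a child of sam6, so freeing *_sam6 alone leaves *_resource_groups alive; the updated comment above the function should mention that the two results have independent lifetimes.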
@@ -192,6 +407,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
user_info_dc->info->dns_domain_name);
if (sam6->dns_domainname.string == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
}
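Review bot: this is the third error path in auth_convert_user_info_dc_saminfo6() that repeats `TALLOC_FREE(sam6);` and `TALLOC_FREE(resource_groups);` by hand, and the next hunk adds a fourth; a single cleanup label, or allocating resource_groups under sam6 and reparenting it with talloc_steal() on success, would make it impossible to forget one of the two frees in a future edit.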
@@ -201,11 +417,19 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
user_info_dc->info->user_principal_name);
if (sam6->principal_name.string == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
}
*_sam6 = sam6;
+ if (resource_groups != NULL) {
+ if (resource_groups->groups.count > 0) {
+ *_resource_groups = resource_groups;
+ } else {
+ TALLOC_FREE(resource_groups);
+ }
+ }
return NT_STATUS_OK;
}
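Review bot: *_resource_groups is left NULL both when compression was not requested and when it was requested but no resource group was found (`TALLOC_FREE(resource_groups);` when groups.count is 0), so a caller cannot distinguish "no resource groups" from "not asked for them"; if the KDC ever needs to emit an empty resource-group buffer that distinction is lost, otherwise document in the function comment that NULL means there is nothing to emit.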
@@ -213,6 +437,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2)
{
NTSTATUS status;
@@ -224,12 +449,20 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
+ group_inclusion, &sam6,
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam2);
return status;
}
sam2->base = sam6->base;
+ /*
+ * We have nowhere to put sam6->sids, so we follow Windows here and drop
+ * it. Any resource groups it happened to be contain are lost.
+ */
+ sam2->base.user_flags &= ~NETLOGON_EXTRA_SIDS;
+ TALLOC_FREE(sam6->sids);
*_sam2 = sam2;
return NT_STATUS_OK;
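Review bot: typo in the new comment, `Any resource groups it happened to be contain are lost.` should read "happened to contain". More importantly, this function passes NULL as _resource_groups, so a caller asking for AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED gets NT_STATUS_INVALID_PARAMETER from auth_convert_user_info_dc_saminfo6() rather than a SamInfo2; either reject that value up front with a clearer error, or state in the comment that only AUTH_INCLUDE_RESOURCE_GROUPS and AUTH_EXCLUDE_RESOURCE_GROUPS make sense for validation level 2.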
@@ -239,7 +472,9 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
- struct netr_SamInfo3 **_sam3)
+ enum auth_group_inclusion group_inclusion,
+ struct netr_SamInfo3 **_sam3,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
{
NTSTATUS status;
struct netr_SamInfo6 *sam6 = NULL;
@@ -250,7 +485,9 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
+ group_inclusion, &sam6,
+ _resource_groups);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam3);
return status;
@@ -326,8 +563,14 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
info->bad_password_count = base->bad_password_count;
info->acct_flags = base->acct_flags;
- /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */
- info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST)));
+ info->user_flags = base->user_flags;
+ if (!authenticated) {
+ /*
+ * We only consider the user authenticated if NETLOGON_GUEST is
+ * not set, and authenticated is set
+ */
+ info->user_flags |= NETLOGON_GUEST;
+ }
*_user_info = info;
return NT_STATUS_OK;
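Review bot: the comment inside `if (!authenticated)` still describes the old boolean (`We only consider the user authenticated if NETLOGON_GUEST is not set, and authenticated is set`), but the code now does the reverse, stamping NETLOGON_GUEST into info->user_flags when the caller reports an unauthenticated logon; reword it to say that, and confirm that every consumer which previously read info->authenticated now tests `user_flags & NETLOGON_GUEST` instead, since the assignment to that field is removed here.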
@@ -435,30 +678,35 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
return NT_STATUS_INVALID_PARAMETER;
}
- user_info_dc->num_sids = 2;
+ user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
- user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count);
+ user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
- user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
+ user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
- user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
- if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
+ user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
+ if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) {
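Review bot: user_info_dc->sids is created with talloc_array(), which does not zero memory, so the `.attrs` member of every entry must be assigned explicitly; the primary user entry gets `SE_GROUP_DEFAULT_FLAGS` but the matching assignment for PRIMARY_GROUP_SID_INDEX, and for the base->groups.count entries that follow, falls beyond the point where this message is cut off, so make sure each of them sets .attrs (the group entries presumably from the attributes carried in base->groups.rids) rather than leaving stale heap contents in the token.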
--
Samba Shared Repository
More information about the samba-cvs mailing list