[PATCH] Adds support for Resource SID Compression a new Windows Server 2012 KDC feature - 3rd Version
Markus Baier
Markus_Baier at baier-network.de
Tue Apr 2 05:58:55 MDT 2013
Hello,
this is a new patch for adding support for the resource sid
compression feature of Microsoft Server 2012 KDC
This version of the patch modifies the PAC_LOGON_INFO structure
within the decode_pac_data function in /source3/libads/authdata.c.
This version also works for modules that receive the PAC data from a
deeper point in the program structure, such as CIFS logins.
It would be great if somebody could review the patch.
Best Regards
Markus Baier
-------------- next part --------------
diff -u -r -N a/source3/libads/authdata.c b/source3/libads/authdata.c
--- a/source3/libads/authdata.c 2013-04-02 13:48:28.066298171 +0200
+++ b/source3/libads/authdata.c 2013-04-02 13:43:43.576302479 +0200
@@ -331,6 +331,66 @@
logon_info->info3.base.account_name.string,
logon_info->info3.base.full_name.string));
+
+ /* Check if PAC_LOGON_INFO contains Resource Groups.
+ Therefore we check if the H Flag in the user_flags mask is set.
+ A Windows Server 2012 KDC sends doamin local Groups
+ as Resource Groups when the new "resource sid compression" feature
+ is enabled. The feature is enabled by default. */
+ DEBUG(3,("Check if Informations are stored in the ResourceGroupsIDs field\n"));
+ if (logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) { //Check if the H Flag in the user_flags mask is set
+ if (dom_sid_equal(logon_info->info3.base.domain_sid, logon_info->res_group_dom_sid)) { //Check if the ResourceGroupDomain sid is the same as the LogonDomainID sid
+ uint32_t i;
+ uint32_t groups_count_total;
+ struct samr_RidWithAttribute *new_rids;
+
+ groups_count_total = logon_info->info3.base.groups.count + logon_info->res_groups.count; //Calculate the new total numbers of rids in the array
+ new_rids = talloc_realloc(mem_ctx,logon_info->info3.base.groups.rids,struct samr_RidWithAttribute, groups_count_total); //Expand the array
+ if (new_rids == NULL) {
+ DEBUG(10, ("talloc_realloc: Failed to expand array for new rids\n"));
+ DEBUGADD(10, ("Copy the rid from ResourceGroupIds to GroupIds not possible\n"));
+ talloc_free(new_rids);
+ } else {
+ logon_info->info3.base.groups.rids = new_rids;
+ /* Start to copy the ResourceGroupIds into the GroupIds array */
+ for (i=0; i < logon_info->res_groups.count; i++) {
+ new_rids[logon_info->info3.base.groups.count + i].rid = logon_info->res_groups.rids[i].rid; //Copy the rid from ResourceGroupIds to GroupIds
+ new_rids[logon_info->info3.base.groups.count + i].attributes = logon_info->res_groups.rids[i].attributes; //Copy the attributes from ResourceGroupIds to GroupIds
+ }
+ logon_info->res_groups.count = 0;
+ logon_info->res_group_dom_sid = NULL;
+ talloc_free(logon_info->res_groups.rids);
+ logon_info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS; //Clear the H flag
+ logon_info->info3.base.groups.count = groups_count_total; //Update the GroupCount field with the new number of groups;
+ }
+ } else {
+ uint32_t i;
+ uint32_t groups_count_total;
+ struct netr_SidAttr *user_sids;
+
+ groups_count_total = logon_info->info3.sidcount + logon_info->res_groups.count; //Calculate the new total numbers of SID in the user_sids array
+ user_sids = talloc_realloc(mem_ctx, logon_info->info3.sids, struct netr_SidAttr, groups_count_total); //Expand the array
+ if (user_sids == NULL) {
+ DEBUG(10, ("talloc_realloc: Failed to expand array for new sids\n"));
+ DEBUGADD(10, ("Combine the sid from ResourceGroupIds not possible\n"));
+ talloc_free(user_sids);
+ } else {
+ logon_info->info3.sids = user_sids;
+ /* Start to copy the ResourceGroupIds into the SID array */
+ for (i=0; i < logon_info->res_groups.count; i++) {
+ user_sids[logon_info->info3.sidcount + i].sid = talloc(mem_ctx, struct dom_sid);
+ sid_compose(user_sids[logon_info->info3.sidcount + i].sid, logon_info->info3.base.domain_sid, logon_info->res_groups.rids[i].rid);
+ user_sids[logon_info->info3.sidcount + i].attributes = logon_info->res_groups.rids[i].attributes;
+ }
+ logon_info->res_groups.count = 0;
+ logon_info->res_group_dom_sid = NULL;
+ talloc_free(logon_info->res_groups.rids);
+ logon_info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS; //Clear the H flag
+ logon_info->info3.sidcount = groups_count_total; //Update the sidcount field with the new number of SIDs
+ }
+ }
+ }
+
DEBUG(10,("Successfully validated Kerberos PAC\n"));
if (DEBUGLEVEL >= 10) {