[PATCH] Adds support for Resource SID Compression a new Windows Server 2012 KDC feature - 3rd Version

Markus Baier Markus_Baier at baier-network.de
Tue Apr 2 05:58:55 MDT 2013


Hello,

this is a new patch for adding support for the resource sid
compression feature of Microsoft Server 2012 KDC

This patch version manipulates the PAC_LOGON_INFO structure
within the decode_pac_data function in /source3/libads/authdata.c
This version also works for code paths that receive the PAC data from deeper
in the program structure, such as CIFS logins.

Maybe somebody can review the patch.


Best Regards
Markus Baier
-------------- next part --------------
diff -u -r -N a/source3/libads/authdata.c b/source3/libads/authdata.c
--- a/source3/libads/authdata.c	2013-04-02 13:48:28.066298171 +0200
+++ b/source3/libads/authdata.c	2013-04-02 13:43:43.576302479 +0200
@@ -331,6 +331,66 @@
 		 logon_info->info3.base.account_name.string,
 		 logon_info->info3.base.full_name.string));
 
+
+        /* Check if PAC_LOGON_INFO contains Resource Groups.
+           Therefore we check if the H Flag in the user_flags mask is set.
+           A Windows Server 2012 KDC sends doamin local Groups
+           as Resource Groups when the new "resource sid compression" feature
+           is enabled. The feature is enabled by default. */
+	DEBUG(3,("Check if Informations are stored in the ResourceGroupsIDs field\n"));
+	if (logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) { //Check if the H Flag in the user_flags mask is set
+		if (dom_sid_equal(logon_info->info3.base.domain_sid, logon_info->res_group_dom_sid)) { //Check if the ResourceGroupDomain sid is the same as the LogonDomainID sid
+			uint32_t i;
+                        uint32_t groups_count_total;
+                        struct samr_RidWithAttribute *new_rids;
+			
+			groups_count_total = logon_info->info3.base.groups.count + logon_info->res_groups.count; //Calculate the new total numbers of rids in the array
+			new_rids = talloc_realloc(mem_ctx,logon_info->info3.base.groups.rids,struct samr_RidWithAttribute, groups_count_total); //Expand the array
+			if (new_rids == NULL) {
+				DEBUG(10, ("talloc_realloc: Failed to expand array for new rids\n"));
+				DEBUGADD(10, ("Copy the rid from ResourceGroupIds to GroupIds not possible\n"));
+				talloc_free(new_rids);
+			} else {
+				logon_info->info3.base.groups.rids = new_rids;
+				/* Start to copy the ResourceGroupIds into the  GroupIds array */
+				for (i=0; i < logon_info->res_groups.count; i++) {
+					new_rids[logon_info->info3.base.groups.count + i].rid = logon_info->res_groups.rids[i].rid; //Copy the rid from ResourceGroupIds to GroupIds
+					new_rids[logon_info->info3.base.groups.count + i].attributes = logon_info->res_groups.rids[i].attributes; //Copy the attributes from ResourceGroupIds to GroupIds
+				}
+				logon_info->res_groups.count = 0;
+				logon_info->res_group_dom_sid = NULL;
+				talloc_free(logon_info->res_groups.rids);
+				logon_info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS; //Clear the H flag
+				logon_info->info3.base.groups.count = groups_count_total; //Update the GroupCount field with the new number of groups;
+			}
+		} else {
+			uint32_t i;
+                        uint32_t groups_count_total;
+                        struct netr_SidAttr *user_sids;
+
+			groups_count_total = logon_info->info3.sidcount + logon_info->res_groups.count; //Calculate the new total numbers of SID in the user_sids array
+			user_sids = talloc_realloc(mem_ctx, logon_info->info3.sids, struct netr_SidAttr, groups_count_total); //Expand the array
+			if (user_sids == NULL) {
+				DEBUG(10, ("talloc_realloc: Failed to expand array for new sids\n"));
+				DEBUGADD(10, ("Combine the sid from ResourceGroupIds not possible\n"));
+				talloc_free(user_sids);
+			} else {
+				logon_info->info3.sids = user_sids;
+				/* Start to copy the ResourceGroupIds into the SID array */
+				for (i=0; i < logon_info->res_groups.count; i++) {
+					user_sids[logon_info->info3.sidcount + i].sid = talloc(mem_ctx, struct dom_sid);
+					sid_compose(user_sids[logon_info->info3.sidcount + i].sid, logon_info->info3.base.domain_sid, logon_info->res_groups.rids[i].rid);
+					user_sids[logon_info->info3.sidcount + i].attributes = logon_info->res_groups.rids[i].attributes;
+				}
+				logon_info->res_groups.count = 0;
+				logon_info->res_group_dom_sid = NULL;
+				talloc_free(logon_info->res_groups.rids);
+				logon_info->info3.base.user_flags &= ~NETLOGON_RESOURCE_GROUPS; //Clear the H flag
+				logon_info->info3.sidcount = groups_count_total; //Update the sidcount field with the new number of SIDs
+			}
+		}
+	}
+
 	DEBUG(10,("Successfully validated Kerberos PAC\n"));
 
 	if (DEBUGLEVEL >= 10) {
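Review bot: The sid_compose call in the else branch (the one that grows `info3.sids`) builds each appended SID from `logon_info->info3.base.domain_sid`, yet that branch is only reached when the `dom_sid_equal` check above has found that `res_group_dom_sid` differs from the logon domain SID, so every appended entry names a group in the wrong domain and the resulting token carries authorization data the KDC did not issue. The compose should use the resource domain: `sid_compose(user_sids[logon_info->info3.sidcount + i].sid, logon_info->res_group_dom_sid, logon_info->res_groups.rids[i].rid);`. The `talloc(mem_ctx, struct dom_sid)` on the preceding line is unchecked, so an allocation failure is dereferenced inside sid_compose; guard it with `if (user_sids[logon_info->info3.sidcount + i].sid == NULL) { break; }` (or a proper error return) before composing. In both branches `talloc_free(logon_info->res_groups.rids)` leaves a dangling pointer in the structure; add `logon_info->res_groups.rids = NULL;` next to the count reset, and note that the `talloc_free(new_rids)` / `talloc_free(user_sids)` calls on the NULL failure path are no-ops that can be dropped. The enclosing function decode_pac_data starts and ends outside the hunk.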

