[PATCH 07/22] auth: Create an admin token with the forest SID set correctly
abartlet at samba.org
abartlet at samba.org
Tue Aug 19 20:06:42 MDT 2014
From: Andrew Bartlett <abartlet at samba.org>
The forest SID, used for the Enterprise Admins and Schema Admins groups, can be different if we
are joining as a subdomain.
Change-Id: I3b29654a90424551a36d8da9c8b25b16db7d9836
Pair-programmed-with: Graming Sam <garming at catalyst.net.nz>
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
---
python/samba/provision/__init__.py | 2 +-
source4/auth/pyauth.c | 21 ++++++++++++++++++---
source4/auth/session.h | 3 ++-
source4/auth/system_session.c | 17 ++++++++++++-----
4 files changed, 33 insertions(+), 10 deletions(-)
diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 06daa0e..287b633 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1276,7 +1276,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
logger.info("Adding DomainDN: %s" % names.domaindn)
# impersonate domain admin
- admin_session_info = admin_session(lp, str(names.domainsid))
+ admin_session_info = admin_session(lp, str(names.domainsid), str(names.forestsid))
samdb.set_session_info(admin_session_info)
if names.domainguid is not None:
domainguid_line = "objectGUID: %s\n-" % names.domainguid
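Review bot: The new call passes `str(names.forestsid)` unconditionally, so if `names.forestsid` can ever be unset here the wrapper receives the literal string "None" and fails with "Unable to parse forest sid None" rather than using the domain SID fallback the C side applies when the argument is omitted. Whether `forestsid` can be unset is not visible from this hunk; if it can, pass the fallback explicitly, e.g. `admin_session_info = admin_session(lp, str(names.domainsid), str(names.forestsid or names.domainsid))`. The body of fill_samdb continues outside this hunk.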
diff --git a/source4/auth/pyauth.c b/source4/auth/pyauth.c
index d79d417..027e99f 100644
--- a/source4/auth/pyauth.c
+++ b/source4/auth/pyauth.c
@@ -81,12 +81,14 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
{
PyObject *py_lp_ctx;
PyObject *py_sid;
+ PyObject *py_forest_sid = NULL;
struct loadparm_context *lp_ctx = NULL;
struct auth_session_info *session;
struct dom_sid *domain_sid = NULL;
+ struct dom_sid *forest_sid = NULL;
TALLOC_CTX *mem_ctx;
- if (!PyArg_ParseTuple(args, "OO", &py_lp_ctx, &py_sid))
+ if (!PyArg_ParseTuple(args, "OO|O", &py_lp_ctx, &py_sid, &py_forest_sid))
return NULL;
mem_ctx = talloc_new(NULL);
@@ -103,12 +105,25 @@ static PyObject *py_admin_session(PyObject *module, PyObject *args)
domain_sid = dom_sid_parse_talloc(mem_ctx, PyString_AsString(py_sid));
if (domain_sid == NULL) {
- PyErr_Format(PyExc_RuntimeError, "Unable to parse sid %s",
+ PyErr_Format(PyExc_RuntimeError, "Unable to parse domain sid %s",
PyString_AsString(py_sid));
talloc_free(mem_ctx);
return NULL;
}
- session = admin_session(NULL, lp_ctx, domain_sid);
+
+ if (py_forest_sid) {
+ forest_sid = dom_sid_parse_talloc(mem_ctx, PyString_AsString(py_forest_sid));
+ if (forest_sid == NULL) {
+ PyErr_Format(PyExc_RuntimeError, "Unable to parse forest sid %s",
+ PyString_AsString(py_forest_sid));
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+ } else {
+ forest_sid = domain_sid;
+ }
+
+ session = admin_session(NULL, lp_ctx, domain_sid, forest_sid);
talloc_free(mem_ctx);
return PyAuthSession_FromSession(session);
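Review bot: The `if (py_forest_sid)` guard only distinguishes an omitted third argument from a supplied one, so a Python caller that passes `None` reaches `PyString_AsString(Py_None)`, which raises TypeError and returns NULL, and that NULL is then fed to `dom_sid_parse_talloc`; the guard should be `if (py_forest_sid != NULL && py_forest_sid != Py_None) {` so that `None` also falls back to the domain SID. Separately, `admin_session()` returns NULL on failure (visible in the system_session.c hunk of this patch) and the result is handed straight to `PyAuthSession_FromSession` without a check; a `if (session == NULL)` branch that sets a RuntimeError and returns NULL would turn that into a Python exception instead of whatever the wrapper does with a NULL session. This was already the case before the patch, but the new parsing branch makes a second failure path worth handling the same way. The closing of py_admin_session lies outside this hunk.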
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 97a8aba..e70c1cd 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -73,7 +73,8 @@ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
- struct dom_sid *domain_sid);
+ struct dom_sid *domain_sid,
+ struct dom_sid *forest_sid);
#endif /* _SAMBA_AUTH_SESSION_H */
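Review bot: The prototype gains a `forest_sid` parameter with no statement of its contract, and the implementation in this patch dereferences both pointers unconditionally, so callers need to know NULL is not accepted. A comment above the declaration would cover it, e.g. `/* domain_sid and forest_sid must both be non-NULL; pass domain_sid as forest_sid in a single-domain forest. forest_sid is the base for the Enterprise Admins and Schema Admins group SIDs. */`.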
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index 3b9edd7..631afbd 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -175,6 +175,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
const char *netbios_name,
const char *domain_name,
struct dom_sid *domain_sid,
+ struct dom_sid *forest_sid,
struct auth_user_info_dc **_user_info_dc)
{
struct auth_user_info_dc *user_info_dc;
@@ -196,11 +197,11 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
user_info_dc->sids[3] = *domain_sid;
sid_append_rid(&user_info_dc->sids[3], DOMAIN_RID_ADMINS);
- user_info_dc->sids[4] = *domain_sid;
+ user_info_dc->sids[4] = *forest_sid;
sid_append_rid(&user_info_dc->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
user_info_dc->sids[5] = *domain_sid;
sid_append_rid(&user_info_dc->sids[5], DOMAIN_RID_POLICY_ADMINS);
- user_info_dc->sids[6] = *domain_sid;
+ user_info_dc->sids[6] = *forest_sid;
sid_append_rid(&user_info_dc->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
/* What should the session key be?*/
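Review bot: `*forest_sid` is dereferenced at `sids[4]` and `sids[6]` with no NULL check, while the only caller shown in this patch (pyauth.c) has to substitute `domain_sid` itself when no forest SID is available; any other caller of the new signature that passes NULL would crash here. Either document the non-NULL requirement on the public prototype or make the fallback local to this function by adding `if (forest_sid == NULL) { forest_sid = domain_sid; }` at the top of auth_domain_admin_user_info_dc, whose head is in the hunk at @@ -175. The body of auth_domain_admin_user_info_dc continues outside this hunk.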
@@ -262,6 +263,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *domain_sid,
+ struct dom_sid *forest_sid,
struct auth_session_info **session_info)
{
NTSTATUS nt_status;
@@ -271,8 +273,9 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
nt_status = auth_domain_admin_user_info_dc(mem_ctx, lpcfg_netbios_name(lp_ctx),
- lpcfg_workgroup(lp_ctx), domain_sid,
- &user_info_dc);
+ lpcfg_workgroup(lp_ctx), domain_sid,
+ forest_sid,
+ &user_info_dc);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(mem_ctx);
return nt_status;
@@ -289,13 +292,17 @@ static NTSTATUS auth_domain_admin_session_info(TALLOC_CTX *parent_ctx,
return nt_status;
}
-_PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, struct dom_sid *domain_sid)
+_PUBLIC_ struct auth_session_info *admin_session(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct dom_sid *domain_sid,
+ struct dom_sid *forest_sid)
{
NTSTATUS nt_status;
struct auth_session_info *session_info = NULL;
nt_status = auth_domain_admin_session_info(mem_ctx,
lp_ctx,
domain_sid,
+ forest_sid,
&session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
return NULL;
--
2.0.1