1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00

libcli/security: add dom_sid_is_valid_account_domain()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2018-01-25 09:50:17 +01:00 committed by Andreas Schneider
parent 1f1e221a8f
commit 8a1c930e1b
2 changed files with 64 additions and 0 deletions

View File

@ -358,6 +358,69 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
return dom_sid_compare_auth(domain_sid, sid) == 0;
}
bool dom_sid_is_valid_account_domain(const struct dom_sid *sid)
{
/*
* We expect S-1-5-21-9-8-7, but we don't
* allow S-1-5-21-0-0-0 as this is used
* for claims and compound identities.
*
* With this structure:
*
* struct dom_sid {
* uint8_t sid_rev_num;
* int8_t num_auths; [range(0,15)]
* uint8_t id_auth[6];
* uint32_t sub_auths[15];
* }
*
* S-1-5-21-9-8-7 looks like this:
* {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
*/
if (sid == NULL) {
return false;
}
if (sid->sid_rev_num != 1) {
return false;
}
if (sid->num_auths != 4) {
return false;
}
if (sid->id_auth[5] != 5) {
return false;
}
if (sid->id_auth[4] != 0) {
return false;
}
if (sid->id_auth[3] != 0) {
return false;
}
if (sid->id_auth[2] != 0) {
return false;
}
if (sid->id_auth[1] != 0) {
return false;
}
if (sid->id_auth[0] != 0) {
return false;
}
if (sid->sub_auths[0] != 21) {
return false;
}
if (sid->sub_auths[1] == 0) {
return false;
}
if (sid->sub_auths[2] == 0) {
return false;
}
if (sid->sub_auths[3] == 0) {
return false;
}
return true;
}
/*
Convert a dom_sid to a string, printing into a buffer. Return the
string length. If it overflows, return the string length that would

View File

@ -96,6 +96,7 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
struct dom_sid **domain, uint32_t *rid);
bool dom_sid_in_domain(const struct dom_sid *domain_sid,
const struct dom_sid *sid);
bool dom_sid_is_valid_account_domain(const struct dom_sid *sid);
#define DOM_SID_STR_BUFLEN (15*11+25)
int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen);