mirror of
https://github.com/samba-team/samba.git
synced 2025-01-10 01:18:15 +03:00
libcli/security: add dom_sid_is_valid_account_domain()
Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
parent
1f1e221a8f
commit
8a1c930e1b
@ -358,6 +358,69 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
|
||||
return dom_sid_compare_auth(domain_sid, sid) == 0;
|
||||
}
|
||||
|
||||
bool dom_sid_is_valid_account_domain(const struct dom_sid *sid)
|
||||
{
|
||||
/*
|
||||
* We expect S-1-5-21-9-8-7, but we don't
|
||||
* allow S-1-5-21-0-0-0 as this is used
|
||||
* for claims and compound identities.
|
||||
*
|
||||
* With this structure:
|
||||
*
|
||||
* struct dom_sid {
|
||||
* uint8_t sid_rev_num;
|
||||
* int8_t num_auths; [range(0,15)]
|
||||
* uint8_t id_auth[6];
|
||||
* uint32_t sub_auths[15];
|
||||
* }
|
||||
*
|
||||
* S-1-5-21-9-8-7 looks like this:
|
||||
* {1, 4, {0,0,0,0,0,5}, {21,9,8,7,0,0,0,0,0,0,0,0,0,0,0}};
|
||||
*/
|
||||
if (sid == NULL) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if (sid->sid_rev_num != 1) {
|
||||
return false;
|
||||
}
|
||||
if (sid->num_auths != 4) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[5] != 5) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[4] != 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[3] != 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[2] != 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[1] != 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->id_auth[0] != 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->sub_auths[0] != 21) {
|
||||
return false;
|
||||
}
|
||||
if (sid->sub_auths[1] == 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->sub_auths[2] == 0) {
|
||||
return false;
|
||||
}
|
||||
if (sid->sub_auths[3] == 0) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/*
|
||||
Convert a dom_sid to a string, printing into a buffer. Return the
|
||||
string length. If it overflows, return the string length that would
|
||||
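Review bot: The comment at the top of dom_sid_is_valid_account_domain() says only S-1-5-21-0-0-0 is disallowed, but the checks on `sub_auths[1]`, `sub_auths[2]` and `sub_auths[3]` each return false on a single zero, so a SID such as S-1-5-21-0-8-7 is rejected as well. That is the fail-closed direction, which is the safer one for a predicate that callers will presumably use to decide whether a SID names a real account domain, but the comment should say so: `* Any zero sub-authority after 21 is rejected, not only S-1-5-21-0-0-0.` The function also requires `num_auths` to be exactly 4, so a full account SID that still carries its RID returns false. A one-line note that callers must pass the domain part only (for example after dom_sid_split_rid()) would prevent a valid user SID from being mistaken for an invalid domain.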
|
@ -96,6 +96,7 @@ NTSTATUS dom_sid_split_rid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
|
||||
struct dom_sid **domain, uint32_t *rid);
|
||||
bool dom_sid_in_domain(const struct dom_sid *domain_sid,
|
||||
const struct dom_sid *sid);
|
||||
bool dom_sid_is_valid_account_domain(const struct dom_sid *sid);
|
||||
|
||||
#define DOM_SID_STR_BUFLEN (15*11+25)
|
||||
int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen);
|
||||
|