
r22745: Add local groups to the --required-membership-sid test. This needs

merging to 3_0_26 once Michael's net conf changes have been merged. It
depends on token_utils.c.
(This used to be commit a99ab3a2ed)
This commit is contained in:
Volker Lendecke 2007-05-07 13:56:57 +00:00 committed by Gerald (Jerry) Carter
parent f50ff7345d
commit b1e866c3b7
2 changed files with 62 additions and 89 deletions


@ -829,7 +829,8 @@ WINBINDD_OBJ1 = \
nsswitch/winbindd_async.o \
nsswitch/winbindd_creds.o \
nsswitch/winbindd_cred_cache.o \
nsswitch/winbindd_ccache_access.o
nsswitch/winbindd_ccache_access.o \
auth/token_util.o
WINBINDD_OBJ = \
$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \


@ -127,17 +127,12 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
{
DOM_SID *require_membership_of_sid;
size_t num_require_membership_of_sid;
DOM_SID *all_sids;
/* UserSID, GroupSID, Grooup2SIDs, OtherSIDs, WellKnownSIDs */
size_t num_all_sids = (2 +
info3->num_groups2 +
info3->num_other_sids +
2 );
size_t i, j = 0, k;
size_t group_sid_length;
const char *search_location;
char *single_group_sid;
const char *comma;
fstring req_sid;
const char *p;
DOM_SID sid;
size_t i;
struct nt_user_token *token;
NTSTATUS status;
/* Parse the 'required group' SID */
@ -146,93 +141,59 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
return NT_STATUS_OK;
}
num_require_membership_of_sid = 1;
group_sid_length = strlen(group_sid);
for (i = 0; i < group_sid_length; i++) {
if (',' == group_sid[i]) {
num_require_membership_of_sid++;
}
if (!(token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token))) {
DEBUG(0, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
require_membership_of_sid = TALLOC_ARRAY(mem_ctx, DOM_SID, num_require_membership_of_sid);
if (!require_membership_of_sid)
return NT_STATUS_NO_MEMORY;
num_require_membership_of_sid = 0;
require_membership_of_sid = NULL;
i = 0;
search_location = group_sid;
p = group_sid;
if (num_require_membership_of_sid > 1) {
while (next_token(&p, req_sid, ",", sizeof(req_sid))) {
if (!string_to_sid(&sid, req_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s "
"as a SID!", req_sid));
return NT_STATUS_INVALID_PARAMETER;
}
/* Allocate the maximum possible size */
single_group_sid = TALLOC(mem_ctx, group_sid_length);
if (!single_group_sid)
if (!add_sid_to_array(mem_ctx, &sid,
&require_membership_of_sid,
&num_require_membership_of_sid)) {
DEBUG(0, ("add_sid_to_array failed\n"));
return NT_STATUS_NO_MEMORY;
while ( (comma = strstr(search_location, ",")) != NULL ) {
strncpy(single_group_sid, search_location, comma - search_location);
single_group_sid[comma - search_location] = 0;
if (!string_to_sid(&require_membership_of_sid[i++], single_group_sid)) {
DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
single_group_sid));
return NT_STATUS_INVALID_PARAMETER;
}
search_location = comma + 1;
}
}
if (!string_to_sid(&require_membership_of_sid[i++], search_location)) {
DEBUG(0, ("check_info3_in_group: could not parse %s as a SID!",
search_location));
return NT_STATUS_INVALID_PARAMETER;
}
all_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, num_all_sids);
if (!all_sids)
return NT_STATUS_NO_MEMORY;
/* and create (by appending rids) the 'domain' sids */
sid_copy(&all_sids[0], &(info3->dom_sid.sid));
if (!sid_append_rid(&all_sids[0], info3->user_rid)) {
DEBUG(3,("could not append user's primary RID 0x%x\n",
if (!sid_compose(&sid, &(info3->dom_sid.sid),
info3->user_rid)
|| !add_sid_to_array(mem_ctx, &sid,
&token->user_sids, &token->num_sids)) {
DEBUG(3,("could not add user SID from rid 0x%x\n",
info3->user_rid));
return NT_STATUS_INVALID_PARAMETER;
}
j++;
sid_copy(&all_sids[1], &(info3->dom_sid.sid));
if (!sid_append_rid(&all_sids[1], info3->group_rid)) {
if (!sid_compose(&sid, &(info3->dom_sid.sid),
info3->group_rid)
|| !add_sid_to_array(mem_ctx, &sid,
&token->user_sids, &token->num_sids)) {
DEBUG(3,("could not append additional group rid 0x%x\n",
info3->group_rid));
return NT_STATUS_INVALID_PARAMETER;
}
j++;
/* Well-Known SIDs */
sid_copy( &all_sids[j++], &global_sid_World );
sid_copy( &all_sids[j++], &global_sid_Authenticated_Users );
for (i = 0; i < info3->num_groups2; i++) {
sid_copy(&all_sids[j], &(info3->dom_sid.sid));
if (!sid_append_rid(&all_sids[j], info3->gids[i].g_rid)) {
if (!sid_compose(&sid, &(info3->dom_sid.sid),
info3->gids[i].g_rid)
|| !add_sid_to_array(mem_ctx, &sid,
&token->user_sids, &token->num_sids)) {
DEBUG(3,("could not append additional group rid 0x%x\n",
info3->gids[i].g_rid));
info3->gids[i].g_rid));
return NT_STATUS_INVALID_PARAMETER;
}
j++;
}
/* Copy 'other' sids. We need to do sid filtering here to
@ -242,21 +203,32 @@ static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
*/
for (i = 0; i < info3->num_other_sids; i++) {
sid_copy(&all_sids[info3->num_groups2 + i + 2],
&info3->other_sids[i].sid);
j++;
if (!add_sid_to_array(mem_ctx, &info3->other_sids[i].sid,
&token->user_sids, &token->num_sids)) {
DEBUG(3, ("could not add SID to array: %s\n",
sid_string_static(&info3->other_sids[i].sid)));
return NT_STATUS_NO_MEMORY;
}
}
for (i = 0; i < j; i++) {
fstring sid1, sid2;
DEBUG(10, ("User has SID: %s\n",
sid_to_string(sid1, &all_sids[i])));
for (k = 0; k < num_require_membership_of_sid; k++) {
if (sid_equal(&require_membership_of_sid[k], &all_sids[i])) {
DEBUG(10, ("SID %s matches %s - user permitted to authenticate!\n",
sid_to_string(sid1, &require_membership_of_sid[k]), sid_to_string(sid2, &all_sids[i])));
return NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(status = add_aliases(get_global_sam_sid(),
token))
|| !NT_STATUS_IS_OK(status = add_aliases(&global_sid_Builtin,
token))) {
DEBUG(3, ("could not add aliases: %s\n",
nt_errstr(status)));
return status;
}
debug_nt_user_token(DBGC_CLASS, 10, token);
for (i=0; i<num_require_membership_of_sid; i++) {
DEBUG(10, ("Checking SID %s\n", sid_string_static(
&require_membership_of_sid[i])));
if (nt_token_check_sid(&require_membership_of_sid[i],
token)) {
DEBUG(10, ("Access ok\n"));
return NT_STATUS_OK;
}
}