sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-02 09:47:23 +03:00
Code

s3:auth: pass AUTH_SESSION_INFO_* flags to finalize_local_nt_token()

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Stefan Metzmacher 2018-03-06 23:40:10 +01:00 committed by Ralph Boehme
parent 4f81ef9353
commit d3aae5ba65
1 changed files with 39 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

58
source3/auth/token_util.c
View File

@ -282,7 +282,7 @@ static NTSTATUS add_builtin_guests(struct security_token *token,
static NTSTATUS add_local_groups(struct security_token *result,
bool is_guest);
static NTSTATUS finalize_local_nt_token(struct security_token *result,
bool is_guest);
uint32_t session_info_flags);
NTSTATUS get_user_sid_info3_and_extra(const struct netr_SamInfo3 *info3,
const struct extra_auth_info *extra,
@ -313,6 +313,7 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
struct security_token **ntok)
{
struct security_token *usrtok = NULL;
uint32_t session_info_flags = 0;
NTSTATUS status;
int i;
@ -403,7 +404,12 @@ NTSTATUS create_local_nt_token_from_info3(TALLOC_CTX *mem_ctx,
return status;
}
status = finalize_local_nt_token(usrtok, is_guest);
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!is_guest) {
session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
status = finalize_local_nt_token(usrtok, session_info_flags);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Failed to finalize nt token\n"));
TALLOC_FREE(usrtok);
@ -427,6 +433,7 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
struct security_token *result = NULL;
int i;
NTSTATUS status;
uint32_t session_info_flags = 0;
DEBUG(10, ("Create local NT token for %s\n",
sid_string_dbg(user_sid)));
@ -478,7 +485,12 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
return NULL;
}
status = finalize_local_nt_token(result, is_guest);
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!is_guest) {
session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}
status = finalize_local_nt_token(result, session_info_flags);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(result);
return NULL;
@ -605,7 +617,7 @@ static NTSTATUS add_local_groups(struct security_token *result,
}
static NTSTATUS finalize_local_nt_token(struct security_token *result,
bool is_guest)
uint32_t session_info_flags)
{
struct dom_sid _dom_sid = { 0, };
struct dom_sid *domain_sid = NULL;
@ -620,17 +632,17 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
return NT_STATUS_INVALID_TOKEN;
}
/* Add in BUILTIN sids */
status = add_sid_to_array(result, &global_sid_World,
&result->sids, &result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
status = add_sid_to_array(result, &global_sid_Network,
&result->sids, &result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
return status;
if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
status = add_sid_to_array(result, &global_sid_World,
&result->sids, &result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
status = add_sid_to_array(result, &global_sid_Network,
&result->sids, &result->num_sids);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
}
/*
@ -650,7 +662,7 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
return NT_STATUS_OK;
}
if (!is_guest) {
if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
status = add_sid_to_array(result,
&global_sid_Authenticated_Users,
&result->sids,
@ -660,6 +672,8 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
}
}
/* Add in BUILTIN sids */
become_root();
ok = secrets_fetch_domain_sid(lp_workgroup(), &_dom_sid);
if (ok) {
@ -772,10 +786,16 @@ static NTSTATUS finalize_local_nt_token(struct security_token *result,
unbecome_root();
}
/* Add privileges based on current user sids */
get_privileges_for_sids(&result->privilege_mask, result->sids,
result->num_sids);
if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
if (security_token_has_builtin_administrators(result)) {
result->privilege_mask = ~0;
}
} else {
/* Add privileges based on current user sids */
get_privileges_for_sids(&result->privilege_mask, result->sids,
result->num_sids);
}
return NT_STATUS_OK;
}