diff --git a/source3/Makefile.in b/source3/Makefile.in index f26afb11791..17f5ad4a493 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \ utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \ utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \ $(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \ - utils/net_conf.o + utils/net_conf.o auth/token_util.o NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ diff --git a/source3/include/gpo.h b/source3/include/gpo.h index 073dad0a112..85a0b82d657 100644 --- a/source3/include/gpo.h +++ b/source3/include/gpo.h @@ -93,10 +93,3 @@ struct GP_EXT { #define GPO_CACHE_DIR "gpo_cache" #define GPT_INI "GPT.INI" - -struct GPO_SID_TOKEN { - DOM_SID object_sid; - DOM_SID primary_group_sid; - size_t num_token_sids; - DOM_SID *token_sids; -}; diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c index 07b453d6370..4f983b261d8 100644 --- a/source3/libgpo/gpo_ldap.c +++ b/source3/libgpo/gpo_ldap.c @@ -1,7 +1,7 @@ /* * Unix SMB/CIFS implementation. * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 + * Copyright (C) Guenther Deschner 2005,2007 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, return ADS_ERROR(LDAP_NO_MEMORY); } - /* sure ??? */ if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { return ADS_ERROR(LDAP_NO_MEMORY); } @@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); ADS_ERROR_HAVE_NO_MEMORY(gpo->name); - /* ???, this is optional to have and what does it depend on, the 'flags' ?) */ gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); @@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, struct GP_LINK *gp_link, enum GPO_LINK_TYPE link_type, BOOL only_add_forced_gpos, - struct GPO_SID_TOKEN *token) + const struct nt_user_token *token) { ADS_STATUS status; int i; @@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, /**************************************************************** ****************************************************************/ -static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *dn, - struct GPO_SID_TOKEN **token) +ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *dn, + struct nt_user_token **token) { ADS_STATUS status; DOM_SID object_sid; @@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads, size_t num_ad_token_sids = 0; DOM_SID *token_sids; size_t num_token_sids = 0; - struct GPO_SID_TOKEN *new_token = NULL; + struct nt_user_token *new_token = NULL; int i; - new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN); - ADS_ERROR_HAVE_NO_MEMORY(new_token); - status = ads_get_tokensids(ads, mem_ctx, dn, &object_sid, &primary_group_sid, &ad_token_sids, &num_ad_token_sids); @@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads, return status; } - new_token->object_sid = object_sid; - new_token->primary_group_sid = primary_group_sid; - token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1); ADS_ERROR_HAVE_NO_MEMORY(token_sids); + if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, + &num_token_sids)) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + for (i = 0; i < num_ad_token_sids; i++) { if (sid_check_is_in_builtin(&ad_token_sids[i])) { @@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads, } } - /* Add S-1-5-11 to token */ - if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users, - &token_sids, &num_token_sids)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - - new_token->token_sids = token_sids; - new_token->num_token_sids = num_token_sids; + new_token = create_local_nt_token(mem_ctx, &object_sid, False, + num_token_sids, token_sids); + ADS_ERROR_HAVE_NO_MEMORY(new_token); *token = new_token; + debug_nt_user_token(DBGC_CLASS, 5, *token); + return ADS_ERROR_LDAP(LDAP_SUCCESS); } - /**************************************************************** get the full list of GROUP_POLICY_OBJECTs for a given dn ****************************************************************/ @@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, ADS_STATUS status; struct GP_LINK gp_link; - struct GPO_SID_TOKEN *token = NULL; + struct nt_user_token *token = NULL; const char *parent_dn, *site_dn, *tmp_dn; BOOL add_only_forced_gpos = False; ZERO_STRUCTP(gpo_list); + if (!dn) { + return ADS_ERROR(LDAP_PARAM_ERROR); + } + DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); - status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token); + status = ads_get_sid_token(ads, mem_ctx, dn, &token); if (!ADS_ERR_OK(status)) { return status; } diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c index abdcd17378d..5286da57dee 100644 --- a/source3/libgpo/gpo_sec.c +++ b/source3/libgpo/gpo_sec.c @@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec &ext_right_apg_guid)) { return True; } - case SEC_ACE_OBJECT_INHERITED_PRESENT: + case SEC_ACE_OBJECT_INHERITED_PRESENT: if (GUID_equal(&object->inherited_type.inherited_type, &ext_right_apg_guid)) { return True; @@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) { - if (sec_ace_object(ace->type)) { - return gpo_sd_check_agp_object_guid(&ace->object.object); + if (!sec_ace_object(ace->type)) { + return False; } - return False; + return gpo_sd_check_agp_object_guid(&ace->object.object); } /**************************************************************** @@ -92,21 +92,13 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask) /**************************************************************** ****************************************************************/ -static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, - const struct GPO_SID_TOKEN *token) +static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, + const struct nt_user_token *token) { int i; - if (sid_equal(trustee, &token->object_sid)) { - return True; - } - - if (sid_equal(trustee, &token->primary_group_sid)) { - return True; - } - - for (i = 0; i < token->num_token_sids; i++) { - if (sid_equal(trustee, &token->token_sids[i])) { + for (i = 0; i < token->num_sids; i++) { + if (sid_equal(trustee, &token->user_sids[i])) { return True; } } @@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, ****************************************************************/ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, - const struct GPO_SID_TOKEN *token) + const struct nt_user_token *token) { if (gpo_sd_check_agp_object(ace) && gpo_sd_check_agp_access_bits(ace->access_mask) && @@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, ****************************************************************/ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, - const struct GPO_SID_TOKEN *token) + const struct nt_user_token *token) { if (gpo_sd_check_agp_object(ace) && gpo_sd_check_agp_access_bits(ace->access_mask) && @@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, ****************************************************************/ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, - const struct GPO_SID_TOKEN *token) + const struct nt_user_token *token) { switch (ace->type) { case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: @@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, ****************************************************************/ NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, - const struct GPO_SID_TOKEN *token) + const struct nt_user_token *token) { SEC_DESC *sd = gpo->security_descriptor; SEC_ACL *dacl = NULL;