r23921: Remove GPO_SID_TOKEN struct and use nt_user_token instead, which already has
S-1-5-11 in the token.
Guenther
(This used to be commit 83c734690a
)
This commit is contained in:
parent
95d5042803
commit
db4099884a
@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
|
|||||||
utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
|
utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
|
||||||
utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
|
utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
|
||||||
$(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
|
$(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
|
||||||
utils/net_conf.o
|
utils/net_conf.o auth/token_util.o
|
||||||
|
|
||||||
NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
|
NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
|
||||||
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
|
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
|
||||||
|
@ -93,10 +93,3 @@ struct GP_EXT {
|
|||||||
|
|
||||||
#define GPO_CACHE_DIR "gpo_cache"
|
#define GPO_CACHE_DIR "gpo_cache"
|
||||||
#define GPT_INI "GPT.INI"
|
#define GPT_INI "GPT.INI"
|
||||||
|
|
||||||
struct GPO_SID_TOKEN {
|
|
||||||
DOM_SID object_sid;
|
|
||||||
DOM_SID primary_group_sid;
|
|
||||||
size_t num_token_sids;
|
|
||||||
DOM_SID *token_sids;
|
|
||||||
};
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
/*
|
/*
|
||||||
* Unix SMB/CIFS implementation.
|
* Unix SMB/CIFS implementation.
|
||||||
* Group Policy Object Support
|
* Group Policy Object Support
|
||||||
* Copyright (C) Guenther Deschner 2005
|
* Copyright (C) Guenther Deschner 2005,2007
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify
|
* This program is free software; you can redistribute it and/or modify
|
||||||
* it under the terms of the GNU General Public License as published by
|
* it under the terms of the GNU General Public License as published by
|
||||||
@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
|
|||||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* sure ??? */
|
|
||||||
if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
|
if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
|
||||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||||
}
|
}
|
||||||
@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
|
|||||||
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
|
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
|
||||||
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
|
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
|
||||||
|
|
||||||
/* ???, this is optional to have and what does it depend on, the 'flags' ?) */
|
|
||||||
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
|
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
|
||||||
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
|
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
|
||||||
|
|
||||||
@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
|
|||||||
struct GP_LINK *gp_link,
|
struct GP_LINK *gp_link,
|
||||||
enum GPO_LINK_TYPE link_type,
|
enum GPO_LINK_TYPE link_type,
|
||||||
BOOL only_add_forced_gpos,
|
BOOL only_add_forced_gpos,
|
||||||
struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
ADS_STATUS status;
|
ADS_STATUS status;
|
||||||
int i;
|
int i;
|
||||||
@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
|
|||||||
/****************************************************************
|
/****************************************************************
|
||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
|
||||||
TALLOC_CTX *mem_ctx,
|
TALLOC_CTX *mem_ctx,
|
||||||
const char *dn,
|
const char *dn,
|
||||||
struct GPO_SID_TOKEN **token)
|
struct nt_user_token **token)
|
||||||
{
|
{
|
||||||
ADS_STATUS status;
|
ADS_STATUS status;
|
||||||
DOM_SID object_sid;
|
DOM_SID object_sid;
|
||||||
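Review bot: `ads_get_sid_token` drops its `static` and is renamed, so it now has external linkage, yet the banner comment above it (the empty `/**** ****/` block) still says nothing about the contract. Since other translation units can now call it, document what the rest of the diff shows: `dn` names the object whose token is built, and on success `*token` points to an nt_user_token allocated on `mem_ctx` by `create_local_nt_token()`, so it is released with `mem_ctx` rather than freed separately. A one-line banner such as `build the nt_user_token (object SID, groups, S-1-5-11) that GPO security filtering is evaluated against for the object at dn` would do. The body of ads_get_sid_token continues in the following hunks.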
@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
|||||||
size_t num_ad_token_sids = 0;
|
size_t num_ad_token_sids = 0;
|
||||||
DOM_SID *token_sids;
|
DOM_SID *token_sids;
|
||||||
size_t num_token_sids = 0;
|
size_t num_token_sids = 0;
|
||||||
struct GPO_SID_TOKEN *new_token = NULL;
|
struct nt_user_token *new_token = NULL;
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
|
|
||||||
ADS_ERROR_HAVE_NO_MEMORY(new_token);
|
|
||||||
|
|
||||||
status = ads_get_tokensids(ads, mem_ctx, dn,
|
status = ads_get_tokensids(ads, mem_ctx, dn,
|
||||||
&object_sid, &primary_group_sid,
|
&object_sid, &primary_group_sid,
|
||||||
&ad_token_sids, &num_ad_token_sids);
|
&ad_token_sids, &num_ad_token_sids);
|
||||||
@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
|||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
|
||||||
new_token->object_sid = object_sid;
|
|
||||||
new_token->primary_group_sid = primary_group_sid;
|
|
||||||
|
|
||||||
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
|
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
|
||||||
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
|
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
|
||||||
|
|
||||||
|
if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
|
||||||
|
&num_token_sids)) {
|
||||||
|
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||||
|
}
|
||||||
|
|
||||||
for (i = 0; i < num_ad_token_sids; i++) {
|
for (i = 0; i < num_ad_token_sids; i++) {
|
||||||
|
|
||||||
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
|
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
|
||||||
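Review bot: The new call `add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, &num_token_sids)` runs with `num_token_sids == 0`, so if that helper grows the array itself (as passing `&token_sids` suggests) the `TALLOC_ARRAY(mem_ctx, DOM_SID, 1)` kept on the line before allocates an element that is never counted; initializing `token_sids = NULL` and letting the helper allocate would be simpler, provided the helper accepts a NULL array — please confirm. The unchanged loop `for (i = 0; i < num_ad_token_sids; i++)` compares an `int` with a `size_t`; declaring `size_t i` avoids the mixed-sign comparison. The function continues in the next hunk.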
@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Add S-1-5-11 to token */
|
new_token = create_local_nt_token(mem_ctx, &object_sid, False,
|
||||||
if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
|
num_token_sids, token_sids);
|
||||||
&token_sids, &num_token_sids)) {
|
ADS_ERROR_HAVE_NO_MEMORY(new_token);
|
||||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
new_token->token_sids = token_sids;
|
|
||||||
new_token->num_token_sids = num_token_sids;
|
|
||||||
|
|
||||||
*token = new_token;
|
*token = new_token;
|
||||||
|
|
||||||
|
debug_nt_user_token(DBGC_CLASS, 5, *token);
|
||||||
|
|
||||||
return ADS_ERROR_LDAP(LDAP_SUCCESS);
|
return ADS_ERROR_LDAP(LDAP_SUCCESS);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/****************************************************************
|
/****************************************************************
|
||||||
get the full list of GROUP_POLICY_OBJECTs for a given dn
|
get the full list of GROUP_POLICY_OBJECTs for a given dn
|
||||||
****************************************************************/
|
****************************************************************/
|
||||||
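Review bot: The comment `/* Add S-1-5-11 to token */` and the explicit add of `global_sid_Authenticated_Users` are removed, and the new side relies on `create_local_nt_token()` to put S-1-5-11 into the token, as the commit message states; that reliance is now invisible at the call site although the GPO security filtering in gpo_sec.c depends on it, so keep a comment above the call: `/* create_local_nt_token() adds the well-known SIDs (S-1-5-11 among them); GPO filtering relies on their presence */`. `ADS_ERROR_HAVE_NO_MEMORY(new_token)` maps any NULL return to LDAP_NO_MEMORY; if `create_local_nt_token()` can fail for reasons other than allocation, the error is misreported — worth confirming. The talloc'ed `token_sids` and `ad_token_sids` arrays remain alive on `mem_ctx` after the token is built; if the token builder copies them, they could be released once `new_token` exists.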
@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
|
|||||||
|
|
||||||
ADS_STATUS status;
|
ADS_STATUS status;
|
||||||
struct GP_LINK gp_link;
|
struct GP_LINK gp_link;
|
||||||
struct GPO_SID_TOKEN *token = NULL;
|
struct nt_user_token *token = NULL;
|
||||||
const char *parent_dn, *site_dn, *tmp_dn;
|
const char *parent_dn, *site_dn, *tmp_dn;
|
||||||
BOOL add_only_forced_gpos = False;
|
BOOL add_only_forced_gpos = False;
|
||||||
|
|
||||||
ZERO_STRUCTP(gpo_list);
|
ZERO_STRUCTP(gpo_list);
|
||||||
|
|
||||||
|
if (!dn) {
|
||||||
|
return ADS_ERROR(LDAP_PARAM_ERROR);
|
||||||
|
}
|
||||||
|
|
||||||
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
|
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
|
||||||
|
|
||||||
status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
|
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
|
||||||
if (!ADS_ERR_OK(status)) {
|
if (!ADS_ERR_OK(status)) {
|
||||||
return status;
|
return status;
|
||||||
}
|
}
|
||||||
|
@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
|
|||||||
&ext_right_apg_guid)) {
|
&ext_right_apg_guid)) {
|
||||||
return True;
|
return True;
|
||||||
}
|
}
|
||||||
case SEC_ACE_OBJECT_INHERITED_PRESENT:
|
case SEC_ACE_OBJECT_INHERITED_PRESENT:
|
||||||
if (GUID_equal(&object->inherited_type.inherited_type,
|
if (GUID_equal(&object->inherited_type.inherited_type,
|
||||||
&ext_right_apg_guid)) {
|
&ext_right_apg_guid)) {
|
||||||
return True;
|
return True;
|
||||||
@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
|
|||||||
|
|
||||||
static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
|
static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
|
||||||
{
|
{
|
||||||
if (sec_ace_object(ace->type)) {
|
if (!sec_ace_object(ace->type)) {
|
||||||
return gpo_sd_check_agp_object_guid(&ace->object.object);
|
return False;
|
||||||
}
|
}
|
||||||
|
|
||||||
return False;
|
return gpo_sd_check_agp_object_guid(&ace->object.object);
|
||||||
}
|
}
|
||||||
|
|
||||||
/****************************************************************
|
/****************************************************************
|
||||||
@ -93,20 +93,12 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
|
|||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
||||||
const struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
if (sid_equal(trustee, &token->object_sid)) {
|
for (i = 0; i < token->num_sids; i++) {
|
||||||
return True;
|
if (sid_equal(trustee, &token->user_sids[i])) {
|
||||||
}
|
|
||||||
|
|
||||||
if (sid_equal(trustee, &token->primary_group_sid)) {
|
|
||||||
return True;
|
|
||||||
}
|
|
||||||
|
|
||||||
for (i = 0; i < token->num_token_sids; i++) {
|
|
||||||
if (sid_equal(trustee, &token->token_sids[i])) {
|
|
||||||
return True;
|
return True;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
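Review bot: `gpo_sd_check_trustee_in_sid_token` now answers the trustee question purely from `token->user_sids`, so the allow/deny ACE evaluation in this file only sees the object SID and primary group if the token builder put them there; on this page that happens in gpo_ldap.c, where `ads_get_sid_token()` adds `primary_group_sid` to the group list and passes `object_sid` to `create_local_nt_token()`. Record that dependency here, e.g. `/* token must carry the object SID, its primary group and S-1-5-11; see ads_get_sid_token() */`, since a token built elsewhere and lacking them would silently change which GPOs are filtered. `int i` is compared with `token->num_sids`; if `num_sids` is unsigned, a `size_t i` loop variable avoids the mixed-sign comparison. A NULL `token` would be dereferenced here; the callers on this page obtain it from ads_get_sid_token(), which returns an error rather than a NULL token, so a guard is optional.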
@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
|||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
|
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
|
||||||
const struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
if (gpo_sd_check_agp_object(ace) &&
|
if (gpo_sd_check_agp_object(ace) &&
|
||||||
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
||||||
@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
|
|||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
|
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
|
||||||
const struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
if (gpo_sd_check_agp_object(ace) &&
|
if (gpo_sd_check_agp_object(ace) &&
|
||||||
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
||||||
@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
|
|||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
|
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
|
||||||
const struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
switch (ace->type) {
|
switch (ace->type) {
|
||||||
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
|
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
|
||||||
@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
|
|||||||
****************************************************************/
|
****************************************************************/
|
||||||
|
|
||||||
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
|
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
|
||||||
const struct GPO_SID_TOKEN *token)
|
const struct nt_user_token *token)
|
||||||
{
|
{
|
||||||
SEC_DESC *sd = gpo->security_descriptor;
|
SEC_DESC *sd = gpo->security_descriptor;
|
||||||
SEC_ACL *dacl = NULL;
|
SEC_ACL *dacl = NULL;
|
||||||
|