mirror of
https://github.com/samba-team/samba.git
synced 2025-01-03 01:18:10 +03:00
r23921: Remove GPO_SID_TOKEN struct and use nt_user_token instead, that already has
S-1-5-11 in the token.
Guenther
(This used to be commit 83c734690a)
This commit is contained in:
Günther Deschner
Gerald (Jerry) Carter
parent
95d5042803
commit
db4099884a
@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
|
||||
utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
|
||||
utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
|
||||
$(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
|
||||
utils/net_conf.o
|
||||
utils/net_conf.o auth/token_util.o
|
||||
|
||||
NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
|
||||
$(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
|
||||
|
||||
@ -93,10 +93,3 @@ struct GP_EXT {
|
||||
|
||||
#define GPO_CACHE_DIR "gpo_cache"
|
||||
#define GPT_INI "GPT.INI"
|
||||
|
||||
struct GPO_SID_TOKEN {
|
||||
DOM_SID object_sid;
|
||||
DOM_SID primary_group_sid;
|
||||
size_t num_token_sids;
|
||||
DOM_SID *token_sids;
|
||||
};
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* Unix SMB/CIFS implementation.
|
||||
* Group Policy Object Support
|
||||
* Copyright (C) Guenther Deschner 2005
|
||||
* Copyright (C) Guenther Deschner 2005,2007
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License as published by
|
||||
@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
|
||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||
}
|
||||
|
||||
/* sure ??? */
|
||||
if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
|
||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||
}
|
||||
@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
|
||||
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
|
||||
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
|
||||
|
||||
/* ???, this is optional to have and what does it depend on, the 'flags' ?) */
|
||||
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
|
||||
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
|
||||
|
||||
@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
|
||||
struct GP_LINK *gp_link,
|
||||
enum GPO_LINK_TYPE link_type,
|
||||
BOOL only_add_forced_gpos,
|
||||
struct GPO_SID_TOKEN *token)
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
ADS_STATUS status;
|
||||
int i;
|
||||
@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
|
||||
/****************************************************************
|
||||
****************************************************************/
|
||||
|
||||
static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const char *dn,
|
||||
struct GPO_SID_TOKEN **token)
|
||||
ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
|
||||
TALLOC_CTX *mem_ctx,
|
||||
const char *dn,
|
||||
struct nt_user_token **token)
|
||||
{
|
||||
ADS_STATUS status;
|
||||
DOM_SID object_sid;
|
||||
@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
||||
size_t num_ad_token_sids = 0;
|
||||
DOM_SID *token_sids;
|
||||
size_t num_token_sids = 0;
|
||||
struct GPO_SID_TOKEN *new_token = NULL;
|
||||
struct nt_user_token *new_token = NULL;
|
||||
int i;
|
||||
|
||||
new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
|
||||
ADS_ERROR_HAVE_NO_MEMORY(new_token);
|
||||
|
||||
status = ads_get_tokensids(ads, mem_ctx, dn,
|
||||
&object_sid, &primary_group_sid,
|
||||
&ad_token_sids, &num_ad_token_sids);
|
||||
@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
||||
return status;
|
||||
}
|
||||
|
||||
new_token->object_sid = object_sid;
|
||||
new_token->primary_group_sid = primary_group_sid;
|
||||
|
||||
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
|
||||
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
|
||||
|
||||
if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
|
||||
&num_token_sids)) {
|
||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||
}
|
||||
|
||||
for (i = 0; i < num_ad_token_sids; i++) {
|
||||
|
||||
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
|
||||
@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
|
||||
}
|
||||
}
|
||||
|
||||
/* Add S-1-5-11 to token */
|
||||
if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
|
||||
&token_sids, &num_token_sids)) {
|
||||
return ADS_ERROR(LDAP_NO_MEMORY);
|
||||
}
|
||||
|
||||
|
||||
new_token->token_sids = token_sids;
|
||||
new_token->num_token_sids = num_token_sids;
|
||||
new_token = create_local_nt_token(mem_ctx, &object_sid, False,
|
||||
num_token_sids, token_sids);
|
||||
ADS_ERROR_HAVE_NO_MEMORY(new_token);
|
||||
|
||||
*token = new_token;
|
||||
|
||||
debug_nt_user_token(DBGC_CLASS, 5, *token);
|
||||
|
||||
return ADS_ERROR_LDAP(LDAP_SUCCESS);
|
||||
}
|
||||
|
||||
|
||||
/****************************************************************
|
||||
get the full list of GROUP_POLICY_OBJECTs for a given dn
|
||||
****************************************************************/
|
||||
@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
|
||||
|
||||
ADS_STATUS status;
|
||||
struct GP_LINK gp_link;
|
||||
struct GPO_SID_TOKEN *token = NULL;
|
||||
struct nt_user_token *token = NULL;
|
||||
const char *parent_dn, *site_dn, *tmp_dn;
|
||||
BOOL add_only_forced_gpos = False;
|
||||
|
||||
ZERO_STRUCTP(gpo_list);
|
||||
|
||||
if (!dn) {
|
||||
return ADS_ERROR(LDAP_PARAM_ERROR);
|
||||
}
|
||||
|
||||
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
|
||||
|
||||
status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
|
||||
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
|
||||
if (!ADS_ERR_OK(status)) {
|
||||
return status;
|
||||
}
|
||||
|
||||
@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
|
||||
&ext_right_apg_guid)) {
|
||||
return True;
|
||||
}
|
||||
case SEC_ACE_OBJECT_INHERITED_PRESENT:
|
||||
case SEC_ACE_OBJECT_INHERITED_PRESENT:
|
||||
if (GUID_equal(&object->inherited_type.inherited_type,
|
||||
&ext_right_apg_guid)) {
|
||||
return True;
|
||||
@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
|
||||
|
||||
static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
|
||||
{
|
||||
if (sec_ace_object(ace->type)) {
|
||||
return gpo_sd_check_agp_object_guid(&ace->object.object);
|
||||
if (!sec_ace_object(ace->type)) {
|
||||
return False;
|
||||
}
|
||||
|
||||
return False;
|
||||
return gpo_sd_check_agp_object_guid(&ace->object.object);
|
||||
}
|
||||
|
||||
/****************************************************************
|
||||
@ -92,21 +92,13 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
|
||||
/****************************************************************
|
||||
****************************************************************/
|
||||
|
||||
static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
||||
const struct GPO_SID_TOKEN *token)
|
||||
static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
int i;
|
||||
|
||||
if (sid_equal(trustee, &token->object_sid)) {
|
||||
return True;
|
||||
}
|
||||
|
||||
if (sid_equal(trustee, &token->primary_group_sid)) {
|
||||
return True;
|
||||
}
|
||||
|
||||
for (i = 0; i < token->num_token_sids; i++) {
|
||||
if (sid_equal(trustee, &token->token_sids[i])) {
|
||||
for (i = 0; i < token->num_sids; i++) {
|
||||
if (sid_equal(trustee, &token->user_sids[i])) {
|
||||
return True;
|
||||
}
|
||||
}
|
||||
@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
|
||||
****************************************************************/
|
||||
|
||||
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
|
||||
const struct GPO_SID_TOKEN *token)
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
if (gpo_sd_check_agp_object(ace) &&
|
||||
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
||||
@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
|
||||
****************************************************************/
|
||||
|
||||
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
|
||||
const struct GPO_SID_TOKEN *token)
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
if (gpo_sd_check_agp_object(ace) &&
|
||||
gpo_sd_check_agp_access_bits(ace->access_mask) &&
|
||||
@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
|
||||
****************************************************************/
|
||||
|
||||
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
|
||||
const struct GPO_SID_TOKEN *token)
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
switch (ace->type) {
|
||||
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
|
||||
@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
|
||||
****************************************************************/
|
||||
|
||||
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
|
||||
const struct GPO_SID_TOKEN *token)
|
||||
const struct nt_user_token *token)
|
||||
{
|
||||
SEC_DESC *sd = gpo->security_descriptor;
|
||||
SEC_ACL *dacl = NULL;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user