s4:kdc: Add a flag indicating that the device should be added to Authenticated Users

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/common_auth.h

@@ -42,6 +42,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_NTLM               0x10 /* The returned token must have authenticated-with-NTLM flag set */
 #define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION  0x20 /* The user authenticated with a device. */
 #define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS     0x40 /* Add the device to the default world and network groups */
+#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED      0x80 /* Add the device to the 'authenticated users' group */
 
 struct auth_usersupplied_info
 {

source4/auth/session.c

@@ -213,6 +213,22 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 				.attrs = SE_GROUP_DEFAULT_FLAGS,
 			};
 		}
+
+		if (session_info_flags & AUTH_SESSION_INFO_DEVICE_AUTHENTICATED) {
+			device_sids = talloc_realloc(tmp_ctx,
+						     device_sids,
+						     struct auth_SidAttr,
+						     num_device_sids + 1);
+			if (device_sids == NULL) {
+				TALLOC_FREE(tmp_ctx);
+				return NT_STATUS_NO_MEMORY;
+			}
+
+			device_sids[num_device_sids++] = (struct auth_SidAttr) {
+				.sid = global_sid_Authenticated_Users,
+				.attrs = SE_GROUP_DEFAULT_FLAGS,
+			};
+		}
 	}
 
 	nt_status = security_token_create(mem_ctx,