sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-22 05:57:43 +03:00
Code

s4-auth Remove special case for account_sid from auth_serversupplied_info

Browse Source 
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett
This commit is contained in:
Andrew Bartlett 2011-01-20 23:39:37 +11:00
parent cce5231b4d
commit fbe6d155bf
14 changed files with 257 additions and 288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
source4/auth/auth.h
View File

@ -50,11 +50,8 @@ struct loadparm_context;
struct auth_serversupplied_info
{
struct dom_sid *account_sid;
struct dom_sid *primary_group_sid;
size_t n_domain_groups;
struct dom_sid **domain_groups;
size_t num_sids;
struct dom_sid *sids;
DATA_BLOB user_session_key;
DATA_BLOB lm_session_key;

152
source4/auth/auth_sam_reply.c
View File

@ -29,12 +29,32 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
struct auth_serversupplied_info *server_info,
struct netr_SamBaseInfo **_sam)
{
NTSTATUS status;
struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
NT_STATUS_HAVE_NO_MEMORY(sam);
sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
sam->domain_sid->num_auths--;
if (server_info->num_sids > PRIMARY_USER_SID_INDEX) {
status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX],
&sam->domain_sid, &sam->rid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
} else {
return NT_STATUS_INVALID_PARAMETER;
}
if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) {
status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX],
NULL, &sam->primary_gid);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
} else {
/* if we have to encode something like SYSTEM (with no
* second SID in the token) then this is the only
* choice */
sam->primary_gid = sam->rid;
}
sam->last_logon = server_info->last_logon;
sam->last_logoff = server_info->last_logoff;
@ -52,22 +72,19 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
sam->logon_count = server_info->logon_count;
sam->bad_password_count = sam->bad_password_count;
sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1];
sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
sam->groups.count = 0;
sam->groups.rids = NULL;
if (server_info->n_domain_groups > 0) {
if (server_info->num_sids > 2) {
size_t i;
sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
server_info->n_domain_groups);
server_info->num_sids);
if (sam->groups.rids == NULL)
return NT_STATUS_NO_MEMORY;
for (i=0; i<server_info->n_domain_groups; i++) {
struct dom_sid *group_sid = server_info->domain_groups[i];
for (i=2; i<server_info->num_sids; i++) {
struct dom_sid *group_sid = &server_info->sids[i];
if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
/* We handle this elsewhere */
continue;
@ -116,8 +133,9 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
size_t i;
NT_STATUS_HAVE_NO_MEMORY(sam3);
status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(sam3);
return status;
}
sam3->base = *sam;
@ -126,14 +144,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
sam3->sids = talloc_array(sam, struct netr_SidAttr,
server_info->n_domain_groups);
NT_STATUS_HAVE_NO_MEMORY(sam3->sids);
for (i=0; i<server_info->n_domain_groups; i++) {
if (dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) {
server_info->num_sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
/* We don't put the user and group SIDs in there */
for (i=2; i<server_info->num_sids; i++) {
if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) {
continue;
}
sam3->sids[sam3->sidcount].sid = talloc_reference(sam3->sids,server_info->domain_groups[i]);
sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
sam3->sids[sam3->sidcount].attributes =
SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
sam3->sidcount += 1;
@ -192,24 +212,38 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
trusted domains, and verify that the SID
matches.
*/
server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
if (!base->domain_sid) {
DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID"));
return NT_STATUS_INVALID_PARAMETER;
}
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (base->groups.count > 65535) {
return NT_STATUS_INVALID_PARAMETER;
}
server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->num_sids = 2;
server_info->n_domain_groups = base->groups.count;
if (base->groups.count) {
server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count);
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
} else {
server_info->domain_groups = NULL;
server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids + base->groups.count);
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
return NT_STATUS_INVALID_PARAMETER;
}
for (i = 0; i < base->groups.count; i++) {
server_info->domain_groups[i] = dom_sid_add_rid(server_info->domain_groups, base->domain_sid, base->groups.rids[i].rid);
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
server_info->sids[server_info->num_sids] = *base->domain_sid;
if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
server_info->num_sids++;
}
/* Copy 'other' sids. We need to do sid filtering here to
@ -219,21 +253,29 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
*/
if (validation_level == 3) {
struct dom_sid **dgrps = server_info->domain_groups;
size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount;
size_t n_dgrps = server_info->n_domain_groups;
struct dom_sid *dgrps = server_info->sids;
size_t sidcount;
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (validation->sam3->sidcount > 65535) {
return NT_STATUS_INVALID_PARAMETER;
}
sidcount = server_info->num_sids + validation->sam3->sidcount;
if (validation->sam3->sidcount > 0) {
dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount);
dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount);
NT_STATUS_HAVE_NO_MEMORY(dgrps);
for (i = 0; i < validation->sam3->sidcount; i++) {
dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid);
if (validation->sam3->sids[i].sid) {
dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid;
server_info->num_sids++;
}
}
}
server_info->n_domain_groups = sidcount;
server_info->domain_groups = dgrps;
server_info->sids = dgrps;
/* Where are the 'global' sids?... */
}
@ -307,18 +349,36 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
}
if (pac_logon_info->res_groups.count > 0) {
struct dom_sid **rgrps;
size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
server_info->domain_groups = rgrps
= talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
NT_STATUS_HAVE_NO_MEMORY(rgrps);
size_t sidcount;
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
if (pac_logon_info->res_groups.count > 65535) {
talloc_free(server_info);
return NT_STATUS_INVALID_PARAMETER;
}
/*
Here is where we should check the list of
trusted domains, and verify that the SID
matches.
*/
if (!pac_logon_info->res_group_dom_sid) {
DEBUG(0, ("Cannot operate on a PAC without a resource domain SID"));
return NT_STATUS_INVALID_PARAMETER;
}
sidcount = server_info->num_sids + pac_logon_info->res_groups.count;
server_info->sids
= talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
size_t sid_idx = server_info->n_domain_groups + i;
rgrps[sid_idx]
= dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
pac_logon_info->res_groups.rids[i].rid);
NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid;
if (!sid_append_rid(&server_info->sids[server_info->num_sids],
pac_logon_info->res_groups.rids[i].rid)) {
return NT_STATUS_INVALID_PARAMETER;
}
server_info->num_sids++;
}
}
*_server_info = server_info;

14
source4/auth/ntlm/auth_developer.c
View File

@ -68,15 +68,11 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
/* is this correct? */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
server_info->num_sids = 1;
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */

13
source4/auth/ntlm/auth_server.c
View File

@ -159,15 +159,12 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
server_info->num_sids = 1;
/* is this correct? */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */

6
source4/auth/ntlm/auth_unix.c
View File

@ -65,10 +65,8 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
/* This isn't in any way correct.. */
server_info->account_sid = NULL;
server_info->primary_group_sid = NULL;
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
server_info->num_sids = 0;
server_info->sids = NULL;
}
server_info->user_session_key = data_blob(NULL,0);
server_info->lm_session_key = data_blob(NULL,0);

68
source4/auth/sam.c
View File

@ -282,13 +282,12 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
const char *str, *filter;
/* SIDs for the account and his primary group */
struct dom_sid *account_sid;
struct dom_sid *primary_group_sid;
const char *primary_group_string;
const char *primary_group_dn;
DATA_BLOB primary_group_blob;
/* SID structures for the expanded group memberships */
struct dom_sid **groupSIDs = NULL;
unsigned int num_groupSIDs = 0, i;
struct dom_sid *sids = NULL;
unsigned int num_sids = 0, i;
struct dom_sid *domain_sid;
TALLOC_CTX *tmp_ctx;
struct ldb_message_element *el;
@ -299,6 +298,11 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
tmp_ctx = talloc_new(server_info);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
sids = talloc_array(server_info, struct dom_sid, 2);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info);
num_sids = 2;
account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
@ -308,10 +312,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
return status;
}
primary_group_sid = dom_sid_add_rid(server_info,
domain_sid,
ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, server_info);
sids[PRIMARY_USER_SID_INDEX] = *account_sid;
sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
/* Filter out builtin groups from this token. We will search
* for builtin groups later, and not include them in the PAC
@ -319,7 +322,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
primary_group_string = dom_sid_string(tmp_ctx, primary_group_sid);
primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
@ -337,7 +340,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
* 'only childs' flag to true
*/
status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
server_info, &groupSIDs, &num_groupSIDs);
server_info, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(server_info);
return status;
@ -350,18 +353,15 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
* them, as long as they meet the filter - so only
* domain groups, not builtin groups */
status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
server_info, &groupSIDs, &num_groupSIDs);
server_info, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(server_info);
return status;
}
}
server_info->account_sid = account_sid;
server_info->primary_group_sid = primary_group_sid;
server_info->domain_groups = groupSIDs;
server_info->n_domain_groups = num_groupSIDs;
server_info->sids = sids;
server_info->num_sids = num_sids;
server_info->account_name = talloc_steal(server_info,
ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
@ -433,33 +433,27 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
if (server_info->acct_flags & ACB_SVRTRUST) {
/* the SID_NT_ENTERPRISE_DCS SID gets added into the
PAC */
server_info->domain_groups = talloc_realloc(server_info,
server_info->domain_groups,
struct dom_sid *,
server_info->n_domain_groups+1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
server_info->domain_groups[server_info->n_domain_groups] =
dom_sid_parse_talloc(server_info->domain_groups,
SID_NT_ENTERPRISE_DCS);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
server_info);
server_info->n_domain_groups++;
server_info->sids = talloc_realloc(server_info,
server_info->sids,
struct dom_sid,
server_info->num_sids+1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs;
server_info->num_sids++;
}
if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
(ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
/* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
server_info->domain_groups = talloc_realloc(server_info,
server_info->domain_groups,
struct dom_sid *,
server_info->n_domain_groups+1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
server_info->domain_groups[server_info->n_domain_groups] =
dom_sid_add_rid(server_info->domain_groups, domain_sid,
DOMAIN_RID_ENTERPRISE_READONLY_DCS);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
server_info);
server_info->n_domain_groups++;
server_info->sids = talloc_realloc(server_info,
server_info->sids,
struct dom_sid,
server_info->num_sids+1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
server_info->sids[server_info->num_sids] = *domain_sid;
sid_append_rid(&server_info->sids[server_info->num_sids],
DOMAIN_RID_ENTERPRISE_READONLY_DCS);
server_info->num_sids++;
}
server_info->authenticated = true;

112
source4/auth/session.c
View File

@ -50,17 +50,11 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
{
struct auth_session_info *session_info;
NTSTATUS nt_status;
unsigned int i, num_groupSIDs = 0;
const char *account_sid_string;
const char *account_sid_dn;
DATA_BLOB account_sid_blob;
const char *primary_group_string;
const char *primary_group_dn;
DATA_BLOB primary_group_blob;
unsigned int i, num_sids = 0;
const char *filter;
struct dom_sid **groupSIDs = NULL;
struct dom_sid *sids = NULL;
const struct dom_sid *anonymous_sid, *system_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@ -81,96 +75,50 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
if (!groupSIDs) {
sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
if (!sids) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
num_groupSIDs = server_info->n_domain_groups;
num_sids = server_info->num_sids;
for (i=0; i < server_info->n_domain_groups; i++) {
groupSIDs[i] = server_info->domain_groups[i];
for (i=0; i < server_info->num_sids; i++) {
sids[i] = server_info->sids[i];
}
if (dom_sid_equal(anonymous_sid, server_info->account_sid)) {
if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
} else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
/* Expands the account SID - this function takes in
* memberOf-like values, so we fake one up with the
* <SID=S-...> format of DN and then let it expand
* them, as long as they meet the filter - so only
* builtin groups
*
* We already have the primary group in the token, so set
* 'only childs' flag to true
*/
account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info);
account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info);
account_sid_blob = data_blob_string_const(account_sid_dn);
nt_status = dsdb_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
/* Expands the primary group - this function takes in
* memberOf-like values, so we fake one up with the
* <SID=S-...> format of DN and then let it expand
* them, as long as they meet the filter - so only
* builtin groups
*
* We already have the primary group in the token, so set
* 'only childs' flag to true
*/
primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
primary_group_blob = data_blob_string_const(primary_group_dn);
nt_status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
for (i = 0; i < server_info->n_domain_groups; i++) {
char *group_string;
const char *group_dn;
DATA_BLOB group_blob;
for (i = 0; i < server_info->num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
group_string = dom_sid_string(tmp_ctx,
server_info->domain_groups[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info);
sid_string = dom_sid_string(tmp_ctx,
&server_info->sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info);
group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string);
talloc_free(group_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info);
group_blob = data_blob_string_const(group_dn);
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
talloc_free(sid_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info);
sid_blob = data_blob_string_const(sid_dn);
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
* builtin groups */
nt_status = dsdb_expand_nested_groups(sam_ctx, &group_blob, true, filter,
tmp_ctx, &groupSIDs, &num_groupSIDs);
* builtin groups
*
* We already have the SID in the token, so set
* 'only childs' flag to true */
nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter,
tmp_ctx, &sids, &num_sids);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
@ -180,10 +128,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
nt_status = security_token_create(session_info,
lp_ctx,
server_info->account_sid,
server_info->primary_group_sid,
num_groupSIDs,
groupSIDs,
num_sids,
sids,
session_info_flags,
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);

56
source4/auth/system_session.c
View File

@ -106,15 +106,11 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
/* is this correct? */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
server_info->num_sids = 1;
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key,
and it is all zeros! */
@ -182,21 +178,25 @@ static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
server_info->num_sids = 7;
server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids);
server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
server_info->n_domain_groups = 6;
server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
server_info->sids[2] = global_sid_Builtin_Administrators;
server_info->sids[3] = *domain_sid;
sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS);
server_info->sids[4] = *domain_sid;
sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
server_info->sids[5] = *domain_sid;
sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS);
server_info->sids[6] = *domain_sid;
sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
/* What should the session key be?*/
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
@ -337,15 +337,11 @@ _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
server_info = talloc(mem_ctx, struct auth_serversupplied_info);
NT_STATUS_HAVE_NO_MEMORY(server_info);
server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
/* The anonymous user has only one SID in it's token, but we need to fill something in here */
server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
server_info->n_domain_groups = 0;
server_info->domain_groups = NULL;
/* This returns a pointer to a struct dom_sid, which is the
* same as a 1 element list of struct dom_sid */
server_info->num_sids = 1;
server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
/* annoying, but the Anonymous really does have a session key... */
server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);

13
source4/dsdb/common/util_groups.c
View File

@ -27,14 +27,14 @@
#include "dsdb/common/util.h"
/* This function tests if a SID structure "sids" contains the SID "sid" */
static bool sids_contains_sid(const struct dom_sid **sids,
static bool sids_contains_sid(const struct dom_sid *sids,
const unsigned int num_sids,
const struct dom_sid *sid)
{
unsigned int i;
for (i = 0; i < num_sids; i++) {
if (dom_sid_equal(sids[i], sid))
if (dom_sid_equal(&sids[i], sid))
return true;
}
return false;
@ -56,7 +56,7 @@ static bool sids_contains_sid(const struct dom_sid **sids,
*/
NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
struct ldb_val *dn_val, const bool only_childs, const char *filter,
TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
unsigned int *num_res_sids)
{
const char * const attrs[] = { "memberOf", NULL };
@ -114,7 +114,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
DSDB_SEARCH_SHOW_EXTENDED_DN);
} else {
/* This is an O(n^2) linear search */
already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
already_there = sids_contains_sid(*res_sids,
*num_res_sids, &sid);
if (already_there) {
talloc_free(tmp_ctx);
@ -148,10 +148,9 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
/* We only apply this test once we know the SID matches the filter */
if (!only_childs) {
*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
struct dom_sid *, *num_res_sids + 1);
struct dom_sid, *num_res_sids + 1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
(*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx);
(*res_sids)[*num_res_sids] = sid;
++(*num_res_sids);
}

4
source4/dsdb/samdb/ldb_modules/operational.c
View File

@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
const char *account_sid_string;
const char *account_sid_dn;
DATA_BLOB account_sid_blob;
struct dom_sid **groupSIDs = NULL;
struct dom_sid *groupSIDs = NULL;
unsigned int num_groupSIDs = 0;
struct dom_sid *domain_sid;
@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module,
}
for (i=0; i < num_groupSIDs; i++) {
ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
if (ret) {
talloc_free(tmp_ctx);
return ret;

53
source4/dsdb/samdb/samdb.c
View File

@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
****************************************************************************/
NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
struct dom_sid *user_sid,
struct dom_sid *group_sid,
unsigned int n_groupSIDs,
struct dom_sid **groupSIDs,
unsigned int num_sids,
struct dom_sid *sids,
uint32_t session_info_flags,
struct security_token **token)
{
@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */);
ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
ptoken->num_sids = 1;
ptoken->num_sids = 0;
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
for (i = 0; i < num_sids; i++) {
size_t check_sid_idx;
for (check_sid_idx = 0;
check_sid_idx < ptoken->num_sids;
check_sid_idx++) {
if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
break;
}
}
ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
if (!dom_sid_equal(user_sid, group_sid)) {
ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
ptoken->num_sids++;
if (check_sid_idx == ptoken->num_sids) {
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
ptoken->sids[ptoken->num_sids] = sids[i];
ptoken->num_sids++;
}
}
/*
* Finally add the "standard" SIDs.
* Finally add the "standard" sids.
* The only difference between guest and "anonymous"
* is the addition of Authenticated_Users.
*/
@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
ptoken->num_sids++;
}
for (i = 0; i < n_groupSIDs; i++) {
size_t check_sid_idx;
for (check_sid_idx = 1;
check_sid_idx < ptoken->num_sids;
check_sid_idx++) {
if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
break;
}
}
if (check_sid_idx == ptoken->num_sids) {
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
ptoken->sids[ptoken->num_sids] = *groupSIDs[i];
ptoken->num_sids++;
}
}
/* The caller may have requested simple privilages, for example if there isn't a local DB */
if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
/* Shortcuts to prevent recursion and avoid lookups */

2
source4/smbd/service_named_pipe.c
View File

@ -169,7 +169,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
}
session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) {
if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) {
session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
}

25
source4/torture/auth/pac.c
View File

@ -167,8 +167,9 @@ static bool torture_pac_self_check(struct torture_context *tctx)
smb_krb5_context->krb5_context,
&server_info_out);
if (!dom_sid_equal(server_info->account_sid,
server_info_out->account_sid)) {
/* The user's SID is the first element in the list */
if (!dom_sid_equal(server_info->sids,
server_info_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
&krbtgt_keyblock);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@ -179,8 +180,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
dom_sid_string(mem_ctx, server_info->account_sid),
dom_sid_string(mem_ctx, server_info_out->account_sid)));
dom_sid_string(mem_ctx, server_info->sids),
dom_sid_string(mem_ctx, server_info_out->sids)));
}
talloc_free(server_info_out);
@ -229,13 +230,13 @@ static bool torture_pac_self_check(struct torture_context *tctx)
nt_errstr(nt_status)));
}
if (!dom_sid_equal(server_info->account_sid,
server_info_out->account_sid)) {
if (!dom_sid_equal(server_info->sids,
server_info_out->sids)) {
torture_fail(tctx,
talloc_asprintf(tctx,
"(self test) PAC Decode resulted in *different* domain SID: %s != %s",
dom_sid_string(mem_ctx, server_info->account_sid),
dom_sid_string(mem_ctx, server_info_out->account_sid)));
dom_sid_string(mem_ctx, server_info->sids),
dom_sid_string(mem_ctx, server_info_out->sids)));
}
return true;
}
@ -444,7 +445,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
server_info_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@ -455,7 +456,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
talloc_asprintf(tctx,
"(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid)));
dom_sid_string(mem_ctx, server_info_out->sids)));
}
talloc_free(server_info_out);
@ -503,7 +504,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
if (!pac_file &&
!dom_sid_equal(dom_sid_parse_talloc(mem_ctx,
"S-1-5-21-3048156945-3961193616-3706469200-1005"),
server_info_out->account_sid)) {
server_info_out->sids)) {
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
krbtgt_keyblock_p);
krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
@ -514,7 +515,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
talloc_asprintf(tctx,
"(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
"S-1-5-21-3048156945-3961193616-3706469200-1005",
dom_sid_string(mem_ctx, server_info_out->account_sid)));
dom_sid_string(mem_ctx, server_info_out->sids)));
}
if (krbtgt_bytes == NULL) {

20
source4/torture/rpc/remote_pac.c
View File

@ -603,21 +603,17 @@ static bool test_S2U4Self(struct torture_context *tctx,
s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self");
torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC");
torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self");
torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, kinit_session_info->server_info->account_sid), "Account SID differs for kinit-based PAC");
torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, kinit_session_info->server_info->primary_group_sid), "Primary Group SID differs for kinit-based PAC");
torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, s2u4self_session_info->server_info->account_sid), "Account SID differs for S2U4Self");
torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, s2u4self_session_info->server_info->primary_group_sid), "Primary Group SID differs for S2U4Self");
torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, kinit_session_info->server_info->n_domain_groups, "Different numbers of domain groups for kinit-based PAC");
torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, s2u4self_session_info->server_info->n_domain_groups, "Different numbers of domain groups for S2U4Self");
torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC");
torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self");
builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
for (i = 0; i < kinit_session_info->server_info->n_domain_groups; i++) {
torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], kinit_session_info->server_info->domain_groups[i]), "Different domain groups for kinit-based PAC");
torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], s2u4self_session_info->server_info->domain_groups[i]), "Different domain groups for S2U4Self");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, s2u4self_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups for S2U4Self");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, kinit_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups kinit-based PAC");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, netlogon_server_info->domain_groups[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
for (i = 0; i < kinit_session_info->server_info->num_sids; i++) {
torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC");
torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
}
return true;