s4:kdc: Add a flag indicating that the device should be added to the default groups

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

auth/common_auth.h

@@ -41,6 +41,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_UNIX_TOKEN         0x08 /* The returned token must have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM               0x10 /* The returned token must have authenticated-with-NTLM flag set */
 #define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION  0x20 /* The user authenticated with a device. */
+#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS     0x40 /* Add the device to the default world and network groups */
 
 struct auth_usersupplied_info
 {

source4/auth/session.c

@@ -190,10 +190,29 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 			return NT_STATUS_NO_MEMORY;
 		}
 
-		/*
+		for (i = 0; i < num_device_sids; i++) {
-		 * TODO: if we find out that we need to add default SIDs to the device
+			device_sids[i] = device_info_dc->sids[i];
-		 * SIDs, as well as to the client SIDs, we’ll do that here.
+		}
-		 */
+
+		if (session_info_flags & AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS) {
+			device_sids = talloc_realloc(tmp_ctx,
+						     device_sids,
+						     struct auth_SidAttr,
+						     num_device_sids + 2);
+			if (device_sids == NULL) {
+				TALLOC_FREE(tmp_ctx);
+				return NT_STATUS_NO_MEMORY;
+			}
+
+			device_sids[num_device_sids++] = (struct auth_SidAttr) {
+				.sid = global_sid_World,
+				.attrs = SE_GROUP_DEFAULT_FLAGS,
+			};
+			device_sids[num_device_sids++] = (struct auth_SidAttr) {
+				.sid = global_sid_Network,
+				.attrs = SE_GROUP_DEFAULT_FLAGS,
+			};
+		}
 	}
 
 	nt_status = security_token_create(mem_ctx,