mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
samba-mirror/auth
Joseph Sutton 1c3a8fa20c auth: Correct primary group handling
Heretofore we have treated the primary group SID specially, storing it
in a fixed position as the second element of the user_info_dc->sids
array, and filtering out other copies in the PAC_LOGON_INFO base
structure. This filtering has made it difficult to distinguish between
the case where the primary group is a universal or global group, located
in the base RIDs, and the case where it is a domain-local group, missing
from the base RIDs; especially since the attributes of a domain-local
primary group are lost by being stored in the PAC. Domain-local primary
groups are normally disallowed by Windows, but are allowed by Samba, and
so it is reasonable to support them with at least some measure of
consistency.

The second element of user_info_dc->sids is still reserved for the
primary group's SID, but we no longer filter out any other copies in the
array. The first two elements are no more than the SIDs of the user and
the primary group respectively; and the remaining SIDs are as if taken
without modification from arrays of SIDs in the PAC. user_info_dc->sids
should therefore become a more faithful representation of the SIDs in
the PAC. After adding resource SIDs to it with
dsdb_expand_resource_groups(), we should have a result that more closely
and in more cases matches that of Windows.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:40 +00:00
credentials auth/credentials: Fix unitialized data 2023-02-06 22:51:31 +00:00
gensec spelling: connnect encrytion exisit expection explicit invalide missmatch paramater paramter partion privilige relase reponse seperate unkown verson authencication progagated 2022-06-10 18:12:33 +00:00
kerberos build: Remove unused dependencies 2022-11-08 02:39:37 +00:00
ntlmssp lib/util: Change function to mem_equal_const_time() 2022-06-09 22:49:29 +00:00
auth_log.c auth: Make more liberal use of SID index constants 2023-02-08 00:03:39 +00:00
auth_sam_reply.c auth: Correct primary group handling 2023-02-08 00:03:40 +00:00
auth_sam_reply.h s4:kdc: Add resource SID compression 2023-02-08 00:03:39 +00:00
auth_util.c CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info 2022-07-27 10:52:36 +00:00
auth_util.h auth: Add necessary decoration to auth/auth_util.h 2019-04-03 16:55:27 +00:00
common_auth.h s4-auth: For LDAP simple bind, fall back to checking the ENCTYPE_AES256_CTS_HMAC_SHA1_96 if stored 2022-06-26 22:10:29 +00:00
wbc_auth_util.c auth: Make more liberal use of SID index constants 2023-02-08 00:03:39 +00:00
wscript_build auth: move copy_session_info() from source3 into the global auth context 2018-10-11 10:28:17 +02:00