The branch, master has been updated
       via  7e4095b45c0 s4:kdc: pass the full samba_kdc_db_context to most helper functions
       via  5275bbc3c12 s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry
       via  2db636088ef s4:kdc: always go through samba_kdc_get_device_info_blob()
       via  4a5f0f25772 auth: remember the origin of sids from the PAC
       via  551e236255d s4:auth: simplify authsam_make_user_info_dc()
       via  8be52767912 s4:auth: let authsam_make_user_info_dc() use helper variables for the rodcsid
       via  2605d5b968d s4:auth: let authsam_make_user_info_dc() use helper variables for the groupsid
       via  700d5111bd2 s4:auth: let auth_domain_admin_user_info_dc() use talloc_zero_array(struct auth_SidAttr)
       via  850e030d8e1 s4:auth: simplify auth_anonymous_user_info_dc()
       via  b6f74717451 s4:auth: simplify auth_system_user_info_dc()
       via  2eeecfcc4aa s4:auth: let auth_generate_security_token() use auth_user_info_dc_expand_sids() for device_info
       via  ef7ff8bc160 s4:auth: split auth_user_info_dc_expand_sids() out of auth_generate_security_token()
       via  1877155c0c6 s4:dsdb/common: simplify the logic in dsdb_expand_nested_groups()
       via  11d1cde2566 s4:dsdb/common: use talloc_zero() in samdb_result_dom_sid_attrs()
       via  068413a17a5 s4:auth/ntlm: simplify logic in name_to_ntstatus_check_password()
       via  bd7b769c20a libcli/security: simplify logic in add_sid_to_array_attrs()
       via  0dc403192bd auth: simplify logic in make_user_info_dc_{netlogon_validation,pac}()
       via  b8c7bf8fb41 auth: let make_user_info_dc_netlogon_validation allocate the sid array in one go
       via  ab3a62404fd auth: let make_user_info_dc_netlogon_validation validate all parameters first
       via  5f5d6e8b050 auth: remove sid-filtering comment in make_user_info_dc_netlogon_validation
       via  37bdab354cc auth.idl: make sure ndr_{push,pull}_auth_SidAttr() is never used
       via  2921f025ec6 libcli/security: add some more global_sid_ values required for SID filtering
      from  436d888684f ndr_claims: only use compression if it actually reduces the size

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7e4095b45c0fd0a5c44d10620ac679ea5833ff96
Author: Stefan Metzmacher <[email protected]>
Date:   Mon Dec 2 14:45:18 2024 +0100

    s4:kdc: pass the full samba_kdc_db_context to most helper functions
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>
    
    Autobuild-User(master): Stefan Metzmacher <[email protected]>
    Autobuild-Date(master): Fri Feb 14 15:19:24 UTC 2025 on atb-devel-224

commit 5275bbc3c12a9fe96fe741e70170a3c1d3de40a7
Author: Stefan Metzmacher <[email protected]>
Date:   Fri Nov 29 12:08:00 2024 +0100

    s4:kdc: let struct samba_kdc_entry_pac remember the krbtgt samba_kdc_entry
    
    This will allow us later to find the information needed to do
    sid filtering of the pac.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2db636088ef8f7ba34bae69fc596d2e2a7439b97
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 16:26:39 2025 +0100

    s4:kdc: always go through samba_kdc_get_device_info_blob()
    
    This means we always go through samba_kdc_get_user_info_dc()
    both for client and also device pac.
    
    It means we use the same logic regarding samba_krb5_pac_is_trusted()
    and calling authsam_update_user_info_dc().
    
    It means we do all logic on struct auth_user_info_dc
    and only convert to PAC_DEVICE_INFO at the end.
    
    Before we tried a mix of calling authsam_update_user_info_dc()
    on a half constructed auth_user_info_dc,
    while trying to apply the diff on auth_user_info_dc
    to the also half constructed PAC_DEVICE_INFO.
    Which can't work once auth_user_info_dc() applies
    sid filtering and the number of sids
    may shrink.
    
    Now we use authsam_update_user_info_dc()
    followed by auth_convert_user_info_dc_saminfo3()
    and samba_kdc_make_device_info().
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 4a5f0f25772cb9381352a149ee54f579fe4c38f6
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Dec 19 18:30:49 2024 +0100

    auth: remember the origin of sids from the PAC
    
    So far the conversion from TGT PAC to
    struct auth_user_info_dc back to TGS PAC
    loses the information in what part of
    the PAC_LOGON_INFO a sid was stored.
    
    With this change we let
    make_user_info_dc_{netlogon_validation,pac}()
    remember this, so that
    auth_convert_user_info_dc_sam{baseinfo,info6}()
    can rebuild the information into the desired
    parts of the PAC_LOGON_INFO.
    
    This was found and fixed for sid filter related
    tests, but it turns out that it already
    fixes a few tests from samba.tests.krb5.device_tests.
    
    All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
    which means we use the same logic as before.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 551e236255d1b758e84dd2c588e5e2ab29c938c5
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:34:42 2025 +0100

    s4:auth: simplify authsam_make_user_info_dc()
    
    By using (struct auth_SidAttr) {} we don't leave
    uninitialized memory if struct auth_SidAttr changes.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 8be527679122bdb3e72b1ddaa71f5cea153693d8
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Feb 11 21:16:02 2025 +0100

    s4:auth: let authsam_make_user_info_dc() use helper variables for the rodcsid
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2605d5b968d2015a14e9c28f65efe0b1b40fbf24
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Feb 11 21:16:02 2025 +0100

    s4:auth: let authsam_make_user_info_dc() use helper variables for the groupsid
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 700d5111bd2c429ceee51126dc428cb3ce671810
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:36:52 2025 +0100

    s4:auth: let auth_domain_admin_user_info_dc() use talloc_zero_array(struct auth_SidAttr)
    
    This means we won't leave uninitialized memory if
    struct auth_SidAttr changes.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 850e030d8e15b018076f32c5bd311a50dcde70a6
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:34:42 2025 +0100

    s4:auth: simplify auth_anonymous_user_info_dc()
    
    By using (struct auth_SidAttr) {} we don't leave
    uninitialized memory if struct auth_SidAttr changes.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit b6f74717451afa9fcb65cf152034e680442aa213
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:34:42 2025 +0100

    s4:auth: simplify auth_system_user_info_dc()
    
    By using (struct auth_SidAttr) {} we don't leave
    uninitialized memory if struct auth_SidAttr changes.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2eeecfcc4aae2fb94cbcd5b1049f58d2f27ce645
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:26:32 2025 +0100

    s4:auth: let auth_generate_security_token() use auth_user_info_dc_expand_sids() for device_info
    
    This means we'll also expand local groups for the device,
    which was missing before.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit ef7ff8bc16005876fb21420e6ae6a649c51059e9
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 11:17:42 2025 +0100

    s4:auth: split auth_user_info_dc_expand_sids() out of auth_generate_security_token()
    
    This way we'll be able to reuse it for the device sids in the
    next commit.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 1877155c0c6990af184060020522a17a704e5a21
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 10:02:45 2025 +0100

    s4:dsdb/common: simplify the logic in dsdb_expand_nested_groups()
    
    By using (struct auth_SidAttr) {} we make sure struct auth_SidAttr
    can change without leaving uninitialized memory.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 11d1cde2566bcae1e60da8ca942fd63702ddab97
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:55:20 2025 +0100

    s4:dsdb/common: use talloc_zero() in samdb_result_dom_sid_attrs()
    
    This means struct auth_SidAttr can change without leaving
    uninitialized memory.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 068413a17a53376ae63f12cb44b91462420d4665
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:52:37 2025 +0100

    s4:auth/ntlm: simplify logic in name_to_ntstatus_check_password()
    
    Using (struct auth_SidAttr) {} means we won't leave
    uninitialized memory around if struct auth_SidAttr will
    change in the following commits.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit bd7b769c20a116b5b0f168c2e668d02568d023ac
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:43:44 2025 +0100

    libcli/security: simplify logic in add_sid_to_array_attrs()
    
    (struct auth_SidAttr) {} makes sure we don't leave uninitialized
    memory in case struct auth_SidAttr will change (which will happen in
    the next commits).
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 0dc403192bdc1f4f08cd840683703b656d18baaf
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:36:32 2025 +0100

    auth: simplify logic in make_user_info_dc_{netlogon_validation,pac}()
    
    It's better to use (struct auth_SidAttr) {} in order to
    initialize all members.
    
    struct auth_SidAttr will change in the next commits
    and this makes it easier to review that we don't
    leave some parts uninitialized.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit b8c7bf8fb4182ecba62288471670bf18baa311c7
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:36:32 2025 +0100

    auth: let make_user_info_dc_netlogon_validation allocate the sid array in one go
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit ab3a62404fd1078c255a68238f88295ecdb06858
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:36:32 2025 +0100

    auth: let make_user_info_dc_netlogon_validation validate all parameters first
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 5f5d6e8b050d95c76f8b456725392cfc6043e476
Author: Stefan Metzmacher <[email protected]>
Date:   Wed Jan 29 09:36:32 2025 +0100

    auth: remove sid-filtering comment in make_user_info_dc_netlogon_validation
    
    sid filtering will be done at a different level...
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 37bdab354cc2eae92a2ddc517b02616fbfe0b0c7
Author: Stefan Metzmacher <[email protected]>
Date:   Tue Jan 28 19:49:23 2025 +0100

    auth.idl: make sure ndr_{push,pull}_auth_SidAttr() is never used
    
    auth_SidAttr is currently not used for any IPC traffic;
    this change demonstrates that and makes sure it
    stays that way.
    
    It means we are free to change auth_SidAttr without the
    need to change any ipc protocol version.
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

commit 2921f025ec60687c2a6438d8442fb981a9e4f257
Author: Stefan Metzmacher <[email protected]>
Date:   Thu Feb 1 16:23:02 2018 +0100

    libcli/security: add some more global_sid_ values required for SID filtering
    
    Signed-off-by: Stefan Metzmacher <[email protected]>
    Reviewed-by: Jennifer Sutton <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_sam_reply.c                        | 137 ++++++++------
 libcli/security/dom_sid.h                    |   8 +
 libcli/security/util_sid.c                   |  40 +++-
 librpc/idl/auth.idl                          |  12 +-
 librpc/ndr/ndr_auth.c                        |  12 ++
 selftest/knownfail_heimdal_kdc.d/device-info |   4 -
 source4/auth/ntlm/auth_developer.c           |   6 +-
 source4/auth/sam.c                           |  41 +++--
 source4/auth/session.c                       | 265 +++++++++++++++------------
 source4/auth/system_session.c                |  20 +-
 source4/dsdb/common/util.c                   |   2 +-
 source4/dsdb/common/util_groups.c            |   6 +-
 source4/kdc/db-glue.c                        |   2 +-
 source4/kdc/hdb-samba4.c                     |  12 +-
 source4/kdc/kdc-glue.c                       |   2 +-
 source4/kdc/mit_samba.c                      |  11 +-
 source4/kdc/pac-glue.c                       | 223 +++++-----------------
 source4/kdc/pac-glue.h                       |  23 +--
 source4/kdc/wdc-samba4.c                     |  25 ++-
 19 files changed, 428 insertions(+), 423 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 8c0ebe5f156..2123094bf0a 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -29,6 +29,14 @@
 static bool is_base_sid(const struct auth_SidAttr *sid,
                        const struct dom_sid *domain_sid)
 {
+       if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+               goto check_domain;
+       }
+
+       if (sid->origin != AUTH_SID_ORIGIN_UNKNOWN) {
+               return false;
+       }
+
        if (sid->attrs & SE_GROUP_RESOURCE) {
                /*
                 * Resource groups don't belong in the base
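Review bot: the `goto check_domain` taken for AUTH_SID_ORIGIN_BASE jumps past the SE_GROUP_RESOURCE test that follows it, so a SID recorded as coming from the base structure is routed back there even if it carries the resource-group attribute. That is presumably the intent (round-trip fidelity for a PAC that arrived that way), but the comment right below explains why resource groups are otherwise excluded, and a reader will wonder why the jump bypasses it; a one-line comment at the goto saying that origin wins over the attribute bit would settle it.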
@@ -37,6 +45,7 @@ static bool is_base_sid(const struct auth_SidAttr *sid,
                return false;
        }
 
+check_domain:
        /*
         * This SID belongs in the base structure only if it's in the account's
         * domain.
@@ -145,6 +154,13 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
                          const uint32_t allocated_resource_groups,
                          const enum auth_group_inclusion group_inclusion)
 {
+       if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+               return NT_STATUS_OK;
+       }
+       if (sid->origin == AUTH_SID_ORIGIN_EXTRA) {
+               goto store_in_extra;
+       }
+
        /* See if it's a resource SID. */
        if (sid->attrs & SE_GROUP_RESOURCE) {
                /*
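Review bot: the early `return NT_STATUS_OK;` for AUTH_SID_ORIGIN_BASE assumes the caller has already placed that SID in the base structure via is_base_sid(), but is_base_sid() only returns true for a BASE-origin SID when it is in the account's domain (the check_domain path). A BASE-origin SID outside domain_sid would therefore be dropped from both the base structure and the extra/resource arrays with no error. If that case is impossible by construction (every BASE SID in auth_sam_reply.c is built from base->domain_sid plus a RID), say so in a comment here; otherwise return an error instead of silently losing the SID.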
@@ -176,7 +192,7 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
                        return NT_STATUS_INVALID_PARAMETER;
                }
        }
-
+store_in_extra:
        /* Just store the SID in Extra SIDs. */
        return store_extra_sid(sids,
                               sidcount,
@@ -653,6 +669,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX 
*mem_ctx,
        const struct netr_SamBaseInfo *base = NULL;
        uint32_t sidcount = 0;
        const struct netr_SidAttr *sids = NULL;
+       struct dom_sid tmpsid = { 0, };
        const char *dns_domainname = NULL;
        const char *principal = NULL;
        uint32_t i;
@@ -686,11 +703,6 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX 
*mem_ctx,
                return NT_STATUS_INVALID_LEVEL;
        }
 
-       user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
-       if (user_info_dc == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
        /*
           Here is where we should check the list of
           trusted domains, and verify that the SID
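Review bot: moving the talloc_zero() below the parameter checks removes the talloc_free() from every early-return path, which is a clear improvement; but the comment starting at the end of this hunk ("Here is where we should check the list of trusted domains, and verify that the SID ...") is kept while the sid-filtering comment is removed further down in this same function (commit 5f5d6e8b050, "sid filtering will be done at a different level"). Update or drop this comment as well so the function does not claim a check it does not perform.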
@@ -698,34 +710,51 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX 
*mem_ctx,
        */
        if (!base->domain_sid) {
                DEBUG(0, ("Cannot operate on a Netlogon Validation without a 
domain SID\n"));
-               talloc_free(user_info_dc);
                return NT_STATUS_INVALID_PARAMETER;
        }
 
        /* The IDL layer would be a better place to check this, but to
         * guard the integer addition below, we double-check */
-       if (base->groups.count > 65535) {
-               talloc_free(user_info_dc);
+       if (base->groups.count > UINT16_MAX) {
                return NT_STATUS_INVALID_PARAMETER;
        }
 
-       user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
+       /*
+        * The IDL layer would be a better place to check this, but to
+        * guard the integer addition below, we double-check
+        */
+       if (sidcount > UINT16_MAX) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
 
-       user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr,  
user_info_dc->num_sids + base->groups.count);
+       user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc);
+       if (user_info_dc == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       user_info_dc->sids = talloc_array(user_info_dc,
+                                         struct auth_SidAttr,
+                                         PRIMARY_SIDS_COUNT +
+                                         base->groups.count +
+                                         sidcount);
        if (user_info_dc->sids == NULL) {
                talloc_free(user_info_dc);
                return NT_STATUS_NO_MEMORY;
        }
 
-       user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid;
-       if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, 
base->rid)) {
+       tmpsid = *base->domain_sid;
+       if (!sid_append_rid(&tmpsid, base->rid)) {
                talloc_free(user_info_dc);
                return NT_STATUS_INVALID_PARAMETER;
        }
-       user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = 
SE_GROUP_DEFAULT_FLAGS;
+       user_info_dc->sids[PRIMARY_USER_SID_INDEX] = (struct auth_SidAttr) {
+               .sid = tmpsid,
+               .attrs = SE_GROUP_DEFAULT_FLAGS,
+               .origin = AUTH_SID_ORIGIN_BASE,
+       };
 
-       user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid;
-       if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, 
base->primary_gid)) {
+       tmpsid = *base->domain_sid;
+       if (!sid_append_rid(&tmpsid, base->primary_gid)) {
                talloc_free(user_info_dc);
                return NT_STATUS_INVALID_PARAMETER;
        }
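Review bot: the array is allocated with talloc_array(), not talloc_zero_array(), while the later loop skips entries with `sids[i].sid == NULL`, so the PRIMARY_SIDS_COUNT + base->groups.count + sidcount allocation can exceed the final num_sids and leave trailing slots uninitialized. Every reader is bounded by num_sids, so this is not a bug, but it sits oddly in a series whose stated purpose is that struct auth_SidAttr can change without leaving uninitialized memory; talloc_zero_array() would make that guarantee unconditional at negligible cost. The two UINT16_MAX checks above are sufficient to keep the three-term addition safe in a uint32_t.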
@@ -735,56 +764,43 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX 
*mem_ctx,
         * group in the first place, and besides, these attributes will never
         * make their way into a PAC.
         */
-       user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].attrs = 
SE_GROUP_DEFAULT_FLAGS;
+       user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = (struct auth_SidAttr) {
+               .sid = tmpsid,
+               .attrs = SE_GROUP_DEFAULT_FLAGS,
+               .origin = AUTH_SID_ORIGIN_BASE,
+       };
+
+       user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
 
        for (i = 0; i < base->groups.count; i++) {
-               user_info_dc->sids[user_info_dc->num_sids].sid = 
*base->domain_sid;
-               if 
(!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid, 
base->groups.rids[i].rid)) {
+               struct auth_SidAttr *bgrps = user_info_dc->sids;
+
+               tmpsid = *base->domain_sid;
+               if (!sid_append_rid(&tmpsid, base->groups.rids[i].rid)) {
                        talloc_free(user_info_dc);
                        return NT_STATUS_INVALID_PARAMETER;
                }
-               user_info_dc->sids[user_info_dc->num_sids].attrs = 
base->groups.rids[i].attributes;
+               bgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
+                       .sid = tmpsid,
+                       .attrs = base->groups.rids[i].attributes,
+                       .origin = AUTH_SID_ORIGIN_BASE,
+               };
                user_info_dc->num_sids++;
        }
 
-       /* Copy 'other' sids.  We need to do sid filtering here to
-          prevent possible elevation of privileges.  See:
-
-           
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
-         */
-
-       /*
-        * The IDL layer would be a better place to check this, but to
-        * guard the integer addition below, we double-check
-        */
-       if (sidcount > UINT16_MAX) {
-               talloc_free(user_info_dc);
-               return NT_STATUS_INVALID_PARAMETER;
-       }
-
-       if (sidcount > 0) {
+       for (i = 0; i < sidcount; i++) {
                struct auth_SidAttr *dgrps = user_info_dc->sids;
-               size_t dgrps_count;
-
-               dgrps_count = user_info_dc->num_sids + sidcount;
-               dgrps = talloc_realloc(user_info_dc, dgrps, struct auth_SidAttr,
-                                      dgrps_count);
-               if (dgrps == NULL) {
-                       talloc_free(user_info_dc);
-                       return NT_STATUS_NO_MEMORY;
-               }
 
-               for (i = 0; i < sidcount; i++) {
-                       if (sids[i].sid) {
-                               dgrps[user_info_dc->num_sids].sid = 
*sids[i].sid;
-                               dgrps[user_info_dc->num_sids].attrs = 
sids[i].attributes;
-                               user_info_dc->num_sids++;
-                       }
+               if (sids[i].sid == NULL) {
+                       continue;
                }
 
-               user_info_dc->sids = dgrps;
-
-               /* Where are the 'global' sids?... */
+               dgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
+                       .sid = *sids[i].sid,
+                       .attrs = sids[i].attributes,
+                       .origin = AUTH_SID_ORIGIN_EXTRA,
+               };
+               user_info_dc->num_sids++;
        }
 
        status = make_user_info_SamBaseInfo(user_info_dc, account_name, base, 
authenticated, &user_info_dc->info);
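Review bot: `bgrps` and `dgrps` are re-assigned from user_info_dc->sids on every loop iteration and are plain aliases of the same array; the names suggest separate base-group and domain-group arrays that no longer exist now that there is a single allocation. Either hoist one alias above both loops or index user_info_dc->sids directly. Entries with `sids[i].sid == NULL` are still skipped silently, as before the change; a NULL SID pointer inside a netr_SidAttr is malformed input, and a DEBUG line at that `continue` would help when diagnosing a bad validation blob.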
@@ -912,16 +928,21 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
                }
 
                for (i = 0; i < rg->groups.count; i++) {
+                       struct auth_SidAttr *rgrps = user_info_dc->sids;
+                       struct dom_sid tmpsid = { 0, };
                        bool ok;
 
-                       user_info_dc->sids[user_info_dc->num_sids].sid = 
*rg->domain_sid;
-                       ok = 
sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
-                                           rg->groups.rids[i].rid);
+                       tmpsid = *rg->domain_sid;
+                       ok = sid_append_rid(&tmpsid, rg->groups.rids[i].rid);
                        if (!ok) {
                                talloc_free(user_info_dc);
                                return NT_STATUS_INVALID_PARAMETER;
                        }
-                       user_info_dc->sids[user_info_dc->num_sids].attrs = 
rg->groups.rids[i].attributes;
+                       rgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
+                               .sid = tmpsid,
+                               .attrs = rg->groups.rids[i].attributes,
+                               .origin = AUTH_SID_ORIGIN_RESOURCE,
+                       };
                        user_info_dc->num_sids++;
                }
        }
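Review bot: `struct dom_sid tmpsid = { 0, };` is immediately overwritten by `tmpsid = *rg->domain_sid;`, so the initializer is redundant (the same pattern appears in make_user_info_dc_netlogon_validation above); harmless, but sam.c in this same series writes `= {}` for groupsid, so one form should be chosen. Tagging these entries AUTH_SID_ORIGIN_RESOURCE is consistent with store_sid(): a RESOURCE-origin SID takes neither early exit there and falls through to the SE_GROUP_RESOURCE test, which is where it belongs.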
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 84e20f4aaa5..54ae3c34412 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -34,6 +34,7 @@ extern const struct dom_sid global_sid_World_Domain;
 extern const struct dom_sid global_sid_World;
 extern const struct dom_sid global_sid_Local_Authority;
 extern const struct dom_sid global_sid_Creator_Owner_Domain;
+extern const struct dom_sid global_sid_NonUnique_Authority;
 extern const struct dom_sid global_sid_NT_Authority;
 extern const struct dom_sid global_sid_Enterprise_DCs;
 extern const struct dom_sid global_sid_System;
@@ -41,6 +42,7 @@ extern const struct dom_sid global_sid_NULL;
 extern const struct dom_sid global_sid_Self;
 extern const struct dom_sid global_sid_Authenticated_Users;
 extern const struct dom_sid global_sid_Network;
+extern const struct dom_sid global_sid_NTLM_Authentication;
 extern const struct dom_sid global_sid_Asserted_Identity;
 extern const struct dom_sid global_sid_Asserted_Identity_Service;
 extern const struct dom_sid 
global_sid_Asserted_Identity_Authentication_Authority;
@@ -51,6 +53,12 @@ extern const struct dom_sid global_sid_Owner_Rights;
 extern const struct dom_sid global_sid_Anonymous;
 extern const struct dom_sid global_sid_Compounded_Authentication;
 extern const struct dom_sid global_sid_Claims_Valid;
+extern const struct dom_sid global_sid_This_Organization;
+extern const struct dom_sid global_sid_This_Organization_Certificate;
+extern const struct dom_sid global_sid_Other_Organization;
+extern const struct dom_sid global_sid_Passport_Authority;
+extern const struct dom_sid global_sid_Mandatory_Label_Authority;
+extern const struct dom_sid global_sid_Builtin_Package_Any_Package;
 extern const struct dom_sid global_sid_Builtin;
 extern const struct dom_sid global_sid_Builtin_Administrators;
 extern const struct dom_sid global_sid_Builtin_Users;
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 13d24e04254..f69ad76d629 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -52,6 +52,9 @@ const struct dom_sid global_sid_Local_Authority =            
/* Local Authority
 /* S-1-3 */
 const struct dom_sid global_sid_Creator_Owner_Domain =       /* Creator Owner 
domain */
 { 1, 0, {0,0,0,0,0,3}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+/* S-1-4 */
+const struct dom_sid global_sid_NonUnique_Authority =        /* NonUnique 
Authority */
+{ 1, 0, {0,0,0,0,0,4}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 /* S-1-5 */
 const struct dom_sid global_sid_NT_Authority =                 /* NT Authority 
*/
 { 1, 0, {0,0,0,0,0,5}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
@@ -73,6 +76,10 @@ const struct dom_sid global_sid_Restricted =                 
/* Restricted Code */
 { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 #endif
 
+/* S-1-5-64-10 NTLM Authentication */
+const struct dom_sid global_sid_NTLM_Authentication =
+{ 1, 2, {0,0,0,0,0,5}, {64,10,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 /* S-1-18 */
 const struct dom_sid global_sid_Asserted_Identity =       /* Asserted Identity 
*/
 { 1, 0, {0,0,0,0,0,18}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
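Review bot: the S-1-5-64-10 constant lands between the #ifdef'd Restricted block and the S-1-18 Asserted Identity entry rather than next to the other S-1-5-* definitions, which makes it easy to miss when scanning by authority. The initializer itself (revision 1, two sub-authorities 64 and 10 under identifier authority 5) matches the comment.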
@@ -112,6 +119,29 @@ const struct dom_sid global_sid_Compounded_Authentication 
=        /* Compounded Authe
 /* S-1-5-21-0-0-0-497 */
 const struct dom_sid global_sid_Claims_Valid =                 /* Claims Valid 
*/
 {1, 5, {0,0,0,0,0,5}, {21,0,0,0,497,0,0,0,0,0,0,0,0,0,0}};
+
+/* S-1-5-15 This Organization */
+const struct dom_sid global_sid_This_Organization =
+{ 1, 1, {0,0,0,0,0,5}, {15,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+/* S-1-5-65-1 This Organization Certificate */
+const struct dom_sid global_sid_This_Organization_Certificate =
+{ 1, 2, {0,0,0,0,0,5}, {65,1,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+/* S-1-5-1000 Other Organization */
+const struct dom_sid global_sid_Other_Organization =
+{ 1, 1, {0,0,0,0,0,5}, {1000,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+/* S-1-10 Passport Authority */
+const struct dom_sid global_sid_Passport_Authority =
+{ 1, 0, {0,0,0,0,0,10}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+/* S-1-16 Mandatory Label Authority */
+const struct dom_sid global_sid_Mandatory_Label_Authority =
+{ 1, 0, {0,0,0,0,0,16}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+/* S-1-15-2-1 BUILTIN_PACKAGE_ANY_PACKAGE */
+const struct dom_sid global_sid_Builtin_Package_Any_Package =
+{ 1, 2, {0,0,0,0,0,15}, {2,1,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 /* S-1-5-32 */
 const struct dom_sid global_sid_Builtin =                      /* Local 
well-known domain */
 { 1, 1, {0,0,0,0,0,5}, {32,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
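Review bot: the initializers all agree with their comments (S-1-5-15, S-1-5-65-1, S-1-5-1000, S-1-10, S-1-16 and S-1-15-2-1), but nothing in this changeset uses them yet and the comments do not say which way each one is meant to go in SID filtering, i.e. always stripped from a PAC that crosses a trust or always allowed through. A short note per constant, or a reference to the specification section the filtering rules are taken from, would save the next reader a lookup when the filtering code lands.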
@@ -414,6 +444,10 @@ NTSTATUS add_sid_to_array_attrs(TALLOC_CTX *mem_ctx,
 {
        struct auth_SidAttr *tmp = NULL;
 
+       if (sid == NULL) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
        if ((*num) == UINT32_MAX) {
                return NT_STATUS_INTEGER_OVERFLOW;
        }
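Review bot: the new NULL check turns what was previously a NULL dereference inside sid_copy() into NT_STATUS_INVALID_PARAMETER, which is the right outcome, but this behaviour change is not mentioned in the commit message of bd7b769c20a (it only discusses the compound literal) and the function's header comment should state that a NULL sid is rejected.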
@@ -425,8 +459,10 @@ NTSTATUS add_sid_to_array_attrs(TALLOC_CTX *mem_ctx,
        }
        *sids = tmp;
 
-       sid_copy(&((*sids)[*num].sid), sid);
-       (*sids)[*num].attrs = attrs;
+       (*sids)[*num] = (struct auth_SidAttr) {
+               .sid = *sid,
+               .attrs = attrs,
+       };
        *num += 1;
 
        return NT_STATUS_OK;
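Review bot: the compound literal leaves .origin unset, which yields AUTH_SID_ORIGIN_UNKNOWN (=0) exactly as the commit message of 4a5f0f25772 describes; spelling it out as `.origin = AUTH_SID_ORIGIN_UNKNOWN,` would make the default visible at the one generic append helper. It is also worth deciding now whether callers that do know the origin will need an add_sid_to_array_attrs() variant that takes it, rather than patching the field after the call.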
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index ab5675ef8c5..f2998b2b7d6 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -109,16 +109,24 @@ interface auth
         * resource groups and resource groups in other domains are always
         * discarded.
         */
-       typedef enum {
+       typedef [nopush,nopull] enum {
                AUTH_GROUP_INCLUSION_INVALID = 0, /* require invalid values to 
be handled. */
                AUTH_INCLUDE_RESOURCE_GROUPS = 2,
                AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED = 3,
                AUTH_EXCLUDE_RESOURCE_GROUPS = 4
        } auth_group_inclusion;
 
-       typedef [public] struct {
+       typedef [nopush,nopull] enum {
+               AUTH_SID_ORIGIN_UNKNOWN = 0,
+               AUTH_SID_ORIGIN_BASE = 1,
+               AUTH_SID_ORIGIN_EXTRA = 2,
+               AUTH_SID_ORIGIN_RESOURCE = 3
+       } auth_sid_origin;
+
+       typedef [nopush,nopull] struct {
                dom_sid sid;
                security_GroupAttrs attrs;
+               auth_sid_origin origin;
        } auth_SidAttr;
 
        /* This is the interim product of the auth subsystem, before
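Review bot: the new auth_sid_origin enum has no comment saying what BASE, EXTRA and RESOURCE refer to (from the auth_sam_reply.c hunks: the base structure, the Extra SIDs array and the resource groups of the PAC_LOGON_INFO), while auth_group_inclusion directly above carries a full explanatory comment; give the new enum the same treatment. Dropping `[public]` from auth_SidAttr together with `[nopush,nopull]` is consistent, since the hand-written stubs in ndr_auth.c now supply the only ndr_push/ndr_pull symbols for it.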
diff --git a/librpc/ndr/ndr_auth.c b/librpc/ndr/ndr_auth.c
index 0600586ed16..b60d8bff4b0 100644
--- a/librpc/ndr/ndr_auth.c
+++ b/librpc/ndr/ndr_auth.c
@@ -41,4 +41,16 @@ _PUBLIC_ enum ndr_err_code ndr_push_cli_credentials(struct 
ndr_push *ndr, ndr_fl
        return ndr_push_pointer(ndr, ndr_flags, NULL);
 }
 
+_PUBLIC_ enum ndr_err_code ndr_push_auth_SidAttr(struct ndr_push *ndr, 
ndr_flags_type ndr_flags, const struct auth_SidAttr *r)
+{
+       return ndr_push_error(ndr,
+                             NDR_ERR_INVALID_POINTER,
+                             "ndr_push_auth_SidAttr not supported");
+}
 
+_PUBLIC_ enum ndr_err_code ndr_pull_auth_SidAttr(struct ndr_pull *ndr, 
ndr_flags_type ndr_flags, struct auth_SidAttr *r)
+{
+       return ndr_pull_error(ndr,
+                             NDR_ERR_INVALID_POINTER,
+                             "ndr_pull_auth_SidAttr not supported");
+}
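Review bot: the stubs fail at runtime with NDR_ERR_INVALID_POINTER, which is a stand-in code (nothing about the call involves an invalid pointer) and will read misleadingly in a log; the message string carries the real meaning. Since the goal of 37bdab354cc is that these are never called, a comment saying the error code is arbitrary and that any caller is a bug would help the reader. The unused `ndr_flags` and `r` parameters are unavoidable because the generated prototype dictates them.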
diff --git a/selftest/knownfail_heimdal_kdc.d/device-info 
b/selftest/knownfail_heimdal_kdc.d/device-info
index 46e403dd786..8582c9cc61a 100644
--- a/selftest/knownfail_heimdal_kdc.d/device-info
+++ b/selftest/knownfail_heimdal_kdc.d/device-info
@@ -3,7 +3,3 @@
 #
 
^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_compressed.ad_dc
 
^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_uncompressed.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
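Review bot: nothing in the diff ties the four removed `DeviceTests` knownfail entries (`test_device_info_base_sid_resource_attrs_to_{krbtgt,service}` and `test_device_info_extra_sids_to_{krbtgt,service}`) to the change that makes them pass; the commit message should name these tests and say that the `auth_sid_origin` tracking is what fixes them, and should state that the two `..._add_transitive_domain_local_groups_to_service_*` entries left in place are still expected to fail.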
diff --git a/source4/auth/ntlm/auth_developer.c 
b/source4/auth/ntlm/auth_developer.c
index 89db15d0ee7..19ea7b5fbc7 100644
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -85,8 +85,10 @@ static NTSTATUS name_to_ntstatus_check_password(struct 
auth_method_context *ctx,
        user_info_dc->sids = talloc(user_info_dc, struct auth_SidAttr);
        NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids);
 
-       user_info_dc->sids->sid = global_sid_Anonymous;
-       user_info_dc->sids->attrs = SE_GROUP_DEFAULT_FLAGS;
+       user_info_dc->sids[0] = (struct auth_SidAttr) {
+               .sid = global_sid_Anonymous,
+               .attrs = SE_GROUP_DEFAULT_FLAGS,
+       };
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
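Review bot: `talloc()` at the top of the hunk does not zero the allocation, so the compound-literal assignment is what now guarantees the new `origin` member is initialised (to 0, i.e. `AUTH_SID_ORIGIN_UNKNOWN`); that is correct, but a brief comment such as `/* origin stays AUTH_SID_ORIGIN_UNKNOWN */` would make clear that omitting `.origin` is intentional rather than an oversight, both here and in the source4/auth/sam.c hunks that use the same pattern.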
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index f21827118cf..32475de8780 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -383,6 +383,8 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
        uint32_t num_sids = 0;
        unsigned int i;
        struct dom_sid *domain_sid;
+       uint32_t group_rid;
+       struct dom_sid groupsid = {};
        TALLOC_CTX *tmp_ctx;
        struct ldb_message_element *el;
        static const char * const group_type_attrs[] = { "groupType", NULL };
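Review bot: `struct dom_sid groupsid = {};` uses the empty-brace initialiser, which is a GNU/Clang extension before C23, and the initialiser is redundant because `groupsid` is unconditionally assigned from `*domain_sid` before its first use; either drop the initialiser or use the portable `= {0}` form, consistent with the rest of the file.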
@@ -425,11 +427,19 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
                return status;
        }
 
-       sids[PRIMARY_USER_SID_INDEX].sid = *account_sid;
-       sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
-       sids[PRIMARY_GROUP_SID_INDEX].sid = *domain_sid;
-       sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX].sid, 
ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
-       sids[PRIMARY_GROUP_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS;
+       group_rid = ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0);
+       groupsid = *domain_sid;
+       sid_append_rid(&groupsid, group_rid);
+
+       sids[PRIMARY_USER_SID_INDEX] = (struct auth_SidAttr) {
+               .sid = *account_sid,
+               .attrs = SE_GROUP_DEFAULT_FLAGS,
+       };
+
+       sids[PRIMARY_GROUP_SID_INDEX] = (struct auth_SidAttr) {
+               .sid = groupsid,
+               .attrs = SE_GROUP_DEFAULT_FLAGS,
+       };
 
        /*
         * Filter out builtin groups from this token. We will search
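Review bot: `ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0)` still falls back to `~0` when the attribute is missing, so `sid_append_rid(&groupsid, group_rid)` yields a primary group SID with RID 0xFFFFFFFF instead of an error; this behaviour is unchanged from the removed lines, but now that the RID lives in the named `group_rid` it would be cheap to check `if (group_rid == (uint32_t)~0)` and return an error such as `NT_STATUS_INTERNAL_DB_CORRUPTION` before the token is built.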
@@ -660,13 +670,18 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
                        TALLOC_FREE(user_info_dc);
                        return NT_STATUS_NO_MEMORY;
                }
-               user_info_dc->sids[user_info_dc->num_sids].sid = 
global_sid_Enterprise_DCs;
-               user_info_dc->sids[user_info_dc->num_sids].attrs = 
SE_GROUP_DEFAULT_FLAGS;
+
+               user_info_dc->sids[user_info_dc->num_sids] = (struct 
auth_SidAttr) {
+                       .sid = global_sid_Enterprise_DCs,
+                       .attrs = SE_GROUP_DEFAULT_FLAGS,
+               };
                user_info_dc->num_sids++;
        }
 
        if ((info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
            (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
+               struct dom_sid rodcsid = {};
+
                /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
                user_info_dc->sids = talloc_realloc(user_info_dc,
                                                   user_info_dc->sids,
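Review bot: `struct dom_sid rodcsid = {};` is declared at the top of the RODC block with the same empty-brace initialiser noted on the earlier hunk, and its use falls outside this hunk, so the reader cannot see that it is assigned before use; a comment on the declaration (or a definition at the point of first assignment) would help. The block also grows `user_info_dc->sids` with its own `talloc_realloc`, as the Enterprise DCs block above apparently does given the allocation-failure path at the top of the hunk; a short comment on why the array is grown one element at a time, or a single realloc sized for both optional SIDs, would make the allocation pattern clearer.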
@@ -676,10 +691,14 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX 
*mem_ctx,
                        TALLOC_FREE(user_info_dc);
                        return NT_STATUS_NO_MEMORY;
                }
-               user_info_dc->sids[user_info_dc->num_sids].sid = *domain_sid;
-               sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids].sid,
-                           DOMAIN_RID_ENTERPRISE_READONLY_DCS);
-               user_info_dc->sids[user_info_dc->num_sids].attrs = 
SE_GROUP_DEFAULT_FLAGS;


-- 
Samba Shared Repository
