#include "libcli/security/security.h"
#include "auth/auth_sam_reply.h"
+/* Returns true if this SID belongs in SamBaseInfo, otherwise false. */
+static bool is_base_sid(const struct auth_SidAttr *sid,
+ const struct dom_sid *domain_sid)
+{
+ if (sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * Resource groups don't belong in the base
+ * RIDs, they're handled elsewhere.
+ */
+ return false;
+ }
+
+ /*
+ * This SID belongs in the base structure only if it's in the account's
+ * domain.
+ */
+ return dom_sid_in_domain(domain_sid, &sid->sid);
+}
+
+/* Stores a SID in a previously allocated array. */
+static NTSTATUS store_extra_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid)
+{
+ /* Check we aren't about to overflow our allocation. */
+ if (*sidcount >= allocated_sids) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ sids[*sidcount].sid = dom_sid_dup(sids, &sid->sid);
+ if (sids[*sidcount].sid == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ sids[*sidcount].attributes = sid->attrs;
+ *sidcount += 1;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Stores a resource SID in a previously allocated array, either Extra SIDs or
+ * Resource SIDs. Any SID within the domain of the first SID so added is stored
+ * there, while remaining SIDs are stored in Extra SIDs.
+ */
+static NTSTATUS store_resource_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
+ const uint32_t allocated_resource_groups)
+{
+ NTSTATUS status;
+
+ struct dom_sid *resource_domain = NULL;
+ uint32_t rid;
+
+ if (resource_groups == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* Split the SID into domain and RID. */
+ status = dom_sid_split_rid(resource_groups, &sid->sid, &resource_domain, &rid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ if (resource_groups->domain_sid == NULL) {
+ /*
+ * There is no domain SID set. Set it to the domain of this SID.
+ */
+ resource_groups->domain_sid = resource_domain;
+ } else {
+ /*
+ * A domain SID has already been set. Check whether this SID's
+ * domain matches.
+ *
+ * Assuming that resource SIDs have been obtained with
+ * dsdb_expand_nested_groups(), they should all be within the
+ * same domain (ours), so unless something has gone horribly
+ * wrong, we should always find that they match.
+ */
+ bool match = dom_sid_equal(resource_groups->domain_sid, resource_domain);
+ talloc_free(resource_domain);
+ if (!match) {
+ /*
+ * It doesn't match, so we can't store this SID here. It
+ * will have to go in Extra SIDs.
+ */
+ return store_extra_sid(sids, sidcount, allocated_sids, sid);
+ }
+ }
+
+ /* Store the SID in Resource SIDs. */
+
+ /* Check we aren't about to overflow our allocation. */
+ if (resource_groups->groups.count >= allocated_resource_groups) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ resource_groups->groups.rids[resource_groups->groups.count].rid = rid;
+ resource_groups->groups.rids[resource_groups->groups.count].attributes = sid->attrs;
+ resource_groups->groups.count++;
+
+ return NT_STATUS_OK;
+}
+
+/*
+ * Stores a SID in a previously allocated array, or excludes it if we are not
+ * storing resource groups. It will be placed in either Extra SIDs or Resource
+ * SIDs, depending on which is appropriate.
+ */
+static NTSTATUS store_sid(struct netr_SidAttr *sids,
+ uint32_t *sidcount,
+ const uint32_t allocated_sids,
+ const struct auth_SidAttr *sid,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups,
+ const uint32_t allocated_resource_groups,
+ const enum auth_group_inclusion group_inclusion)
+{
+ /* See if it's a resource SID. */
+ if (sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * If this is the SID of a resource group, determine whether it
+ * should be included or filtered out.
+ */
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Include this SID in Extra SIDs. */
+ break;
+ case AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED:
+ /*
+ * Try to include this SID in Resource Groups. If this
+ * can't be arranged, we shall fall back to Extra
+ * SIDs.
+ */
+ return store_resource_sid(sids,
+ sidcount,
+ allocated_sids,
+ sid,
+ resource_groups,
+ allocated_resource_groups);
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /* Ignore this SID. */
+ return NT_STATUS_OK;
+ default:
+ /* This means we have a bug. */
+ DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ }
+
+ /* Just store the SID in Extra SIDs. */
+ return store_extra_sid(sids,
+ sidcount,
+ allocated_sids,
+ sid);
+}
+
static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
struct netr_SamBaseInfo *sam)
for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
- if (group_sid->attrs & SE_GROUP_RESOURCE) {
- /*
- * Resource groups don't belong in the base
- * RIDs, they're handled elsewhere.
- */
- continue;
- }
- if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
+
+ bool belongs_in_base = is_base_sid(group_sid, sam->domain_sid);
+ if (!belongs_in_base) {
/* We handle this elsewhere */
continue;
}
return NT_STATUS_OK;
}
-/* Note that the validity of the _sam6 structure is only as long as
- * the user_info_dc it was generated from */
+/* Note that the validity of the _sam6 and resource_groups structures is only as
+ * long as the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
enum auth_group_inclusion group_inclusion,
- struct netr_SamInfo6 **_sam6)
+ struct netr_SamInfo6 **_sam6,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
{
NTSTATUS status;
struct netr_SamInfo6 *sam6 = NULL;
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL;
size_t i;
+ const uint32_t allocated_sids = user_info_dc->num_sids;
+ uint32_t allocated_resource_groups = 0;
+
sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6);
if (sam6 == NULL) {
return NT_STATUS_NO_MEMORY;
}
+ if (_resource_groups == NULL) {
+ if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
+ DBG_ERR("_resource_groups parameter not provided to receive resource groups!\n");
+ TALLOC_FREE(sam6);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ } else if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) {
+ *_resource_groups = NULL;
+
+ /* Allocate resource groups structure. */
+ resource_groups = talloc_zero(mem_ctx, struct PAC_DOMAIN_GROUP_MEMBERSHIP);
+ if (resource_groups == NULL) {
+ TALLOC_FREE(sam6);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /*
+ * Allocate enough space to store user_info_dc->num_sids
+ * RIDs in the worst case.
+ */
+ allocated_resource_groups = user_info_dc->num_sids;
+ resource_groups->groups.rids = talloc_zero_array(resource_groups,
+ struct samr_RidWithAttribute,
+ allocated_resource_groups);
+ if (resource_groups->groups.rids == NULL) {
+ TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
+ return NT_STATUS_NO_MEMORY;
+ }
+ } else {
+ /* No resource groups will be provided. */
+ *_resource_groups = NULL;
+ }
+
status = auth_convert_user_info_dc_sambaseinfo(sam6,
user_info_dc,
&sam6->base);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return status;
}
- sam6->sids = talloc_array(sam6, struct netr_SidAttr,
- user_info_dc->num_sids);
+ /*
+ * Allocate enough space to store user_info_dc->num_sids SIDs in the
+ * worst case.
+ */
+ sam6->sids = talloc_zero_array(sam6, struct netr_SidAttr,
+ allocated_sids);
if (sam6->sids == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (user_info_dc->sids[i].attrs & SE_GROUP_RESOURCE) {
- /*
- * If it's a resource group, check whether it should be
- * included or filtered out.
- */
- switch (group_inclusion) {
- case AUTH_INCLUDE_RESOURCE_GROUPS:
- /* Include it. */
- break;
- case AUTH_EXCLUDE_RESOURCE_GROUPS:
- /* Ignore it. */
- continue;
- }
- } else if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
+ struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid);
+ if (belongs_in_base) {
+ /* We already handled this in the base. */
continue;
}
- sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
- if (sam6->sids[sam6->sidcount].sid == NULL) {
+
+ status = store_sid(sam6->sids,
+ &sam6->sidcount,
+ allocated_sids,
+ group_sid,
+ resource_groups,
+ allocated_resource_groups,
+ group_inclusion);
+ if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam6);
- return NT_STATUS_NO_MEMORY;
+ TALLOC_FREE(resource_groups);
+ return status;
}
- sam6->sids[sam6->sidcount].attributes = user_info_dc->sids[i].attrs;
- sam6->sidcount += 1;
}
if (sam6->sidcount) {
sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;
user_info_dc->info->dns_domain_name);
if (sam6->dns_domainname.string == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
}
user_info_dc->info->user_principal_name);
if (sam6->principal_name.string == NULL) {
TALLOC_FREE(sam6);
+ TALLOC_FREE(resource_groups);
return NT_STATUS_NO_MEMORY;
}
}
*_sam6 = sam6;
+ if (resource_groups != NULL) {
+ if (resource_groups->groups.count > 0) {
+ *_resource_groups = resource_groups;
+ } else {
+ TALLOC_FREE(resource_groups);
+ }
+ }
return NT_STATUS_OK;
}
}
status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
- group_inclusion, &sam6);
+ group_inclusion, &sam6,
+ NULL);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam2);
return status;
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
enum auth_group_inclusion group_inclusion,
- struct netr_SamInfo3 **_sam3)
+ struct netr_SamInfo3 **_sam3,
+ struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups)
{
NTSTATUS status;
struct netr_SamInfo6 *sam6 = NULL;
}
status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
- group_inclusion, &sam6);
+ group_inclusion, &sam6,
+ _resource_groups);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam3);
return status;
}
/**
- * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5 logon
+ * Make a user_info_dc struct from the PAC_LOGON_INFO supplied in the krb5
+ * logon. For group_inclusion, pass AUTH_INCLUDE_RESOURCE_GROUPS if SIDs from
+ * the resource groups are to be included in the resulting structure, and pass
+ * AUTH_EXCLUDE_RESOURCE_GROUPS otherwise.
*/
NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
const struct PAC_LOGON_INFO *pac_logon_info,
const struct PAC_UPN_DNS_INFO *pac_upn_dns_info,
+ const enum auth_group_inclusion group_inclusion,
struct auth_user_info_dc **_user_info_dc)
{
uint32_t i;
}
if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
- rg = &pac_logon_info->resource_groups;
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Take resource groups from the PAC. */
+ rg = &pac_logon_info->resource_groups;
+ break;
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /*
+ * The PAC is from a TGT, or we don't want to process
+ * its resource groups.
+ */
+ break;
+ default:
+ DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
}
if (rg != NULL && rg->groups.count > 0) {