for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ if (group_sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * Resource groups don't belong in the base
+ * RIDs, they're handled elsewhere.
+ */
+ continue;
+ }
if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
/* We handle this elsewhere */
continue;
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6)
{
NTSTATUS status;
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
+ if (user_info_dc->sids[i].attrs & SE_GROUP_RESOURCE) {
+ /*
+ * If it's a resource group, check whether it should be
+ * included or filtered out.
+ */
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Include it. */
+ break;
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /* Ignore it. */
+ continue;
+ }
+ } else if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
continue;
}
sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
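Review bot: The `switch (group_inclusion)` added here has no `default:` arm, so an out-of-range enum value (an uninitialised or stale int reaching this function) falls out of the switch and the resource group is copied into the extra SIDs, i.e. the more privileged outcome is the fallback. Since this is access-control data, it should fail closed: add `default: return NT_STATUS_INVALID_PARAMETER;` inside the switch, releasing `sam6` the same way the function's other error paths do (those paths, and the allocation of `sam6->sids`, are outside this hunk, so confirm the cleanup matches). It is also worth a one-line comment that an in-domain resource group now lands in the extra SIDs rather than being folded into the base RIDs, e.g. `/* Resource groups are never base RIDs; they travel as extra SIDs. */`, because the reordered `else if` makes that change easy to miss. auth_convert_user_info_dc_saminfo6's body begins and ends outside this hunk.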
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2)
{
NTSTATUS status;
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam2);
return status;
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3)
{
NTSTATUS status;
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam3);
return status;
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6);
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2);
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3);
/**
TICKET_TYPE_NON_TGT = 2
} ticket_type;
+ /*
+ * Used to indicate whether or not to include resource groups in the
+ * formation of SamInfo or a PAC.
+ */
+ typedef enum {
+ AUTH_INCLUDE_RESOURCE_GROUPS = 0,
+ AUTH_EXCLUDE_RESOURCE_GROUPS = 1
+ } auth_group_inclusion;
+
typedef [public] struct {
dom_sid sid;
security_GroupAttrs attrs;
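Review bot: The new enum's comment says only that it controls whether resource groups are included, not which value a caller is expected to pick, and that choice is the security-relevant part: the KDC callers in this patch exclude them when the server is the krbtgt and include them otherwise, while the SamLogon callers always include them. Recording that here keeps future callers from defaulting to the permissive value, e.g. `/* AUTH_EXCLUDE_RESOURCE_GROUPS: TGT PACs, where the TGS adds resource groups later; AUTH_INCLUDE_RESOURCE_GROUPS: service tickets and SamLogon replies. */`. Keeping the explicit numeric values is good, since the C side switches on them.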
#
# Group tests
#
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_Samba_4_17_tgs_req_to_krbtgt.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_Samba_4_17_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_as_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_compression_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_no_compression_as_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_domain_local_no_compression_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_domain_local_as_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_domain_local_compression_as_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_domain_local_no_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_removal_compression_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_removal_no_compression_tgs_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_removal_tgs_req_to_krbtgt.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_as_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_compression_as_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_no_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_no_compression_tgs_req_to_krbtgt.ad_dc
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&info3);
if (NT_STATUS_IS_OK(nt_status)) {
/* We need the strings from the server_info to be valid as long as the info3 is around */
talloc_free(pac_data);
return ENOMEM;
}
- nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc, &sam3);
+ nt_status = auth_convert_user_info_dc_saminfo3(LOGON_INFO, user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
+ &sam3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Getting Samba info failed: %s\n", nt_errstr(nt_status)));
talloc_free(pac_data);
NTSTATUS nt_status;
krb5_error_code code;
struct samba_kdc_entry *skdc_entry;
- bool is_krbtgt;
+ bool is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
+ /* Only include resource groups in a service ticket. */
+ enum auth_group_inclusion group_inclusion = (is_krbtgt)
+ ? AUTH_EXCLUDE_RESOURCE_GROUPS
+ : AUTH_INCLUDE_RESOURCE_GROUPS;
enum samba_asserted_identity asserted_identity =
(flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
SAMBA_ASSERTED_IDENTITY_SERVICE :
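Review bot: Moving `ks_is_tgs_principal(smb_ctx, server->princ)` into the declaration list hoists the dereference of `server` ahead of everything that previously ran between the declarations and the old assignment site (that code is outside this hunk). If any of it validated `server` or could return early, the earlier evaluation changes behaviour; if `server` is guaranteed non-NULL on entry, a short comment saying so would make that explicit, e.g. `/* server is never NULL here: the KDB layer resolves it before calling us. */` — hedged, since the contract is not visible in the hunk. Otherwise keep `bool is_krbtgt;` and `enum auth_group_inclusion group_inclusion;` as bare declarations and assign both where the old `is_krbtgt = ...` line was. The enclosing function begins and ends outside this hunk.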
cred_ndr_ptr = &cred_ndr;
}
- is_krbtgt = ks_is_tgs_principal(smb_ctx, server->princ);
-
nt_status = samba_kdc_get_pac_blobs(tmp_ctx,
skdc_entry,
asserted_identity,
+ group_inclusion,
&logon_info_blob,
cred_ndr_ptr,
&upn_dns_info_blob,
static
NTSTATUS samba_get_logon_info_pac_blob(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *info,
+ enum auth_group_inclusion group_inclusion,
DATA_BLOB *pac_data,
DATA_BLOB *requester_sid_blob)
{
*requester_sid_blob = data_blob_null;
}
- nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info, &info3);
+ nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx, info,
+ group_inclusion,
+ &info3);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(1, ("Getting Samba info failed: %s\n",
nt_errstr(nt_status)));
NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *p,
enum samba_asserted_identity asserted_identity,
+ enum auth_group_inclusion group_inclusion,
DATA_BLOB **_logon_info_blob,
DATA_BLOB **_cred_ndr_blob,
DATA_BLOB **_upn_info_blob,
nt_status = samba_get_logon_info_pac_blob(logon_blob,
user_info_dc,
+ group_inclusion,
logon_blob,
requester_sid_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
+ enum auth_group_inclusion group_inclusion,
const krb5_pac pac, DATA_BLOB *pac_blob,
struct PAC_SIGNATURE_DATA *pac_srv_sig,
struct PAC_SIGNATURE_DATA *pac_kdc_sig)
}
nt_status = samba_get_logon_info_pac_blob(mem_ctx,
- user_info_dc, pac_blob, NULL);
-
+ user_info_dc,
+ group_inclusion,
+ pac_blob, NULL);
return nt_status;
}
DATA_BLOB *client_claims_blob = NULL;
bool is_untrusted = flags & SAMBA_KDC_FLAG_KRBTGT_IS_UNTRUSTED;
int is_tgs = false;
+ enum auth_group_inclusion group_inclusion;
size_t num_types = 0;
uint32_t *types = NULL;
/*
ssize_t requester_sid_idx = -1;
ssize_t full_checksum_idx = -1;
+ is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
+ if (is_tgs == -1) {
+ code = ENOMEM;
+ goto done;
+ }
+
+ /* Only include resource groups in a service ticket. */
+ group_inclusion = (is_tgs)
+ ? AUTH_EXCLUDE_RESOURCE_GROUPS
+ : AUTH_INCLUDE_RESOURCE_GROUPS;
+
if (client != NULL) {
/*
* Check the objectSID of the client and pac data are the same.
nt_status = samba_kdc_get_pac_blobs(mem_ctx,
client,
asserted_identity,
+ group_inclusion,
&pac_blob,
NULL,
&upn_blob,
nt_status = samba_kdc_update_pac_blob(mem_ctx,
context,
samdb,
+ group_inclusion,
old_pac,
pac_blob,
NULL,
goto done;
}
- is_tgs = smb_krb5_principal_is_tgs(context, server_principal);
- if (is_tgs == -1) {
- code = ENOMEM;
- goto done;
- }
-
if (!is_untrusted && !is_tgs) {
/*
* The client may have requested no PAC when obtaining the
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
+#include "librpc/gen_ndr/auth.h"
+
enum samba_asserted_identity {
SAMBA_ASSERTED_IDENTITY_IGNORE = 0,
SAMBA_ASSERTED_IDENTITY_SERVICE,
NTSTATUS samba_kdc_get_pac_blobs(TALLOC_CTX *mem_ctx,
struct samba_kdc_entry *skdc_entry,
enum samba_asserted_identity asserted_identity,
+ enum auth_group_inclusion group_inclusion,
DATA_BLOB **_logon_info_blob,
DATA_BLOB **_cred_ndr_blob,
DATA_BLOB **_upn_info_blob,
NTSTATUS samba_kdc_update_pac_blob(TALLOC_CTX *mem_ctx,
krb5_context context,
struct ldb_context *samdb,
+ enum auth_group_inclusion group_inclusion,
const krb5_pac pac, DATA_BLOB *pac_blob,
struct PAC_SIGNATURE_DATA *pac_srv_sig,
struct PAC_SIGNATURE_DATA *pac_kdc_sig);
struct samba_kdc_entry *skdc_entry =
talloc_get_type_abort(client->context,
struct samba_kdc_entry);
- bool is_krbtgt;
+ bool is_krbtgt = krb5_principal_is_krbtgt(context, server->principal);
+ /* Only include resource groups in a service ticket. */
+ enum auth_group_inclusion group_inclusion =
+ (is_krbtgt) ?
+ AUTH_EXCLUDE_RESOURCE_GROUPS :
+ AUTH_INCLUDE_RESOURCE_GROUPS;
bool is_s4u2self = samba_wdc_is_s4u2self_req(r);
enum samba_asserted_identity asserted_identity =
(is_s4u2self) ?
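Review bot: The same hoisting concern applies in the Heimdal plugin: `krb5_principal_is_krbtgt(context, server->principal)` is now evaluated at declaration time rather than after the `cred_ndr_ptr` setup, so any check on `server` that sat in between (outside this hunk) no longer precedes it. The hunk's own comment, `/* Only include resource groups in a service ticket. */`, is the useful bit and could additionally note that this derives from the server principal rather than the request, e.g. `/* A TGT's PAC must not carry resource groups; the TGS adds them at service-ticket time. */` — the second clause is inferred from the knownfail removals in this patch, so confirm before wording it that strongly. samba_wdc_get_pac's body continues outside the hunk.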
cred_ndr_ptr = &cred_ndr;
}
- is_krbtgt = krb5_principal_is_krbtgt(context, server->principal);
-
nt_status = samba_kdc_get_pac_blobs(mem_ctx, skdc_entry,
asserted_identity,
+ group_inclusion,
&logon_blob,
cred_ndr_ptr,
&upn_blob,
case 2:
nt_status = auth_convert_user_info_dc_saminfo2(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam2);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;
case 3:
nt_status = auth_convert_user_info_dc_saminfo3(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam3);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;
case 6:
nt_status = auth_convert_user_info_dc_saminfo6(mem_ctx,
user_info_dc,
+ AUTH_INCLUDE_RESOURCE_GROUPS,
&sam6);
if (!NT_STATUS_IS_OK(nt_status)) {
r->out.result = nt_status;
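Review bot: All three SamLogon validation levels now hard-code `AUTH_INCLUDE_RESOURCE_GROUPS` with no comment, while the KDC callers in this patch choose between the two values and say why; a reader of this switch cannot tell whether the unconditional include is deliberate. A one-line comment above the `switch` (outside this hunk) or on each call would settle it, e.g. `/* SamLogon replies always carry resource groups; only TGT PACs omit them. */` — the first half is what this code does, the second half is inferred from the KDC hunks, so phrase it to match what the netlogon path actually guarantees. The enclosing `switch` on validation level begins and ends outside this hunk.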