s4-auth: fixed the SID list for DCs in the PAC
authorAndrew Tridgell <tridge@samba.org>
Sun, 26 Sep 2010 02:14:42 +0000 (19:14 -0700)
committerAndrew Tridgell <tridge@samba.org>
Sun, 26 Sep 2010 07:09:08 +0000 (07:09 +0000)
the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104

source4/auth/auth.h
source4/auth/sam.c
source4/auth/session.c
source4/dsdb/samdb/samdb.c

index ce583c871cdbd30f32aa595054928381a1ead329..2f0af027bc655a94beec264a2295442973341adb 100644 (file)
@@ -46,7 +46,6 @@ struct loadparm_context;
 
 #define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
 #define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC  0x04 /* Add the user to the 'enterprise DC' group */
 
 struct auth_serversupplied_info
 {
index 6bf1d5f9e315974d22ca338265295221db276883..bdbf6906a35736babfc69c0df38c7c2199c1dbc3 100644 (file)
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
                                                  server_info);
        }
 
+       if (server_info->acct_flags & ACB_SVRTRUST) {
+               /* the SID_NT_ENTERPRISE_DCS SID gets added into the
+                  PAC */
+               server_info->domain_groups = talloc_realloc(server_info,
+                                                           server_info->domain_groups,
+                                                           struct dom_sid *,
+                                                           server_info->n_domain_groups+1);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+               server_info->domain_groups[server_info->n_domain_groups] =
+                       dom_sid_parse_talloc(server_info->domain_groups,
+                                            SID_NT_ENTERPRISE_DCS);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+                                                 server_info);
+               server_info->n_domain_groups++;
+       }
+
        server_info->authenticated = true;
 
        talloc_free(tmp_ctx);
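Review bot: The new branch grants SID_NT_ENTERPRISE_DCS on ACB_SVRTRUST alone, whereas the session.c block this commit removes also required dom_sid_in_domain() against samdb_domain_sid() before adding that membership; if authsam_make_server_info can ever be reached for a server-trust account outside the local domain (presumably it only builds from the local SAM, which would make the check redundant, but that is not visible here), the condition should carry the check over, e.g. `if ((server_info->acct_flags & ACB_SVRTRUST) && domain_sid != NULL && dom_sid_in_domain(domain_sid, server_info->account_sid))`. Both NT_STATUS_HAVE_NO_MEMORY_AND_FREE macros in the new lines free server_info but not tmp_ctx, which the hunk only frees on the success path at its end, so unless server_info is a child of tmp_ctx the OOM paths leak it, and the existing error handling earlier in the function should be matched. The comment would also be clearer as `/* a DC account gets the Enterprise Domain Controllers SID (S-1-5-9) here, matching what the KDC puts in the PAC */`. authsam_make_server_info begins before this hunk.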
index bd1be8eebbb95ec1650600fe1f75fe46700f86f2..68d03aeeec68d53b29568acc694b95e1cfd138c8 100644 (file)
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
        } else if (dom_sid_equal(system_sid, server_info->account_sid)) {
                /* Don't expand nested groups of system, anonymous etc*/
        } else if (auth_context) {
-               if (server_info->acct_flags & ACB_SVRTRUST) {
-                       dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-                       if (dom_sid) {
-                               if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
-                               session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
-                               } else {
-                                       DEBUG(2, ("DC %s is not in our domain.  "
-                                                 "It will not have Enterprise Domain Controllers membership on this server",
-                                                 server_info->account_name));
-                               }
-                       } else {
-                               DEBUG(2, ("Could not obtain local domain SID, "
-                                         "so can not determine if DC %s is a DC of this domain.  "
-                                         "It will not have Enterprise Domain Controllers membership",
-                                         server_info->account_name));
-                       }
-               }
-               
                groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
                if (!groupSIDs) {
index 32698ea412b35da85e12a4e6a09de286fc22e5e3..637da4fcf2e632856d791a2435ddb05252a992ff 100644 (file)
@@ -202,16 +202,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
                ptoken->num_sids++;
        }
 
-       if (session_info_flags & AUTH_SESSION_INFO_ENTERPRISE_DC) {
-               ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-               NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-               if (!dom_sid_parse(SID_NT_ENTERPRISE_DCS, &ptoken->sids[ptoken->num_sids])) {
-                       return NT_STATUS_INTERNAL_ERROR;
-               }
-               ptoken->num_sids++;
-       }
-
        for (i = 0; i < n_groupSIDs; i++) {
                size_t check_sid_idx;
                for (check_sid_idx = 1;