From a621e9ab991144adf1f2d1ef2d0d266cad5f8bbd Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 27 Sep 2023 14:54:06 +1300
Subject: [PATCH] s4:dsdb: Add session info flag to indicate authentication with a device

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 auth/common_auth.h | 1 +
 source4/dsdb/samdb/samdb.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/auth/common_auth.h b/auth/common_auth.h
index 24b7b14f51a..58fb2cd0b3d 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -40,6 +40,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES 0x04 /* Use a trivial map between users and privileges, rather than a DB */
 #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
+#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
 struct auth_usersupplied_info {
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 33cad4b1746..81576829a75 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -178,7 +178,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 enum claims_evaluation_control evaluate_claims;
 bool sids_are_valid = false;
 bool device_sids_are_valid = false;
- bool authentication_was_compounded = false;
+ bool authentication_was_compounded = session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
 /*
 * Some special-case callers can't supply the lp_ctx, but do
--
2.34.1
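Review bot: The comment on `AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION` in auth/common_auth.h reads as a fact about the user, while the name says FORCE and the neighbouring flags all describe what the returned token must contain. In this same commit the bit is what seeds `authentication_was_compounded` in security_token_create(), so it is an assertion made by the caller; nothing visible here checks it. I would word it like its siblings and state the precondition, for example `/* The returned token must be marked as compounded (user and device) authentication; the caller vouches that the device was verified */`. The list of flags begins above the hunk, so any wider convention for these comments is not visible here.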
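Review bot: In source4/dsdb/samdb/samdb.c the new initialiser of `authentication_was_compounded` relies on an implicit integer-to-bool conversion and is far longer than the surrounding declarations. Spelling the test out and wrapping it reads better: `bool authentication_was_compounded =` followed by `(session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION) != 0;`. Because the starting value is now supplied by the caller instead of being `false`, a one-line comment above the declaration would help, such as `/* Trusted from the caller: set only when device authentication was verified upstream. */`. The rest of security_token_create() lies outside the hunk, so whether the value is cross-checked later (for instance against `device_sids_are_valid`) cannot be confirmed from here.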