s4-auth Remove special case for account_sid from auth_serversupplied_info
authorAndrew Bartlett <abartlet@samba.org>
Thu, 20 Jan 2011 12:39:37 +0000 (23:39 +1100)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 20 Jan 2011 22:44:05 +0000 (23:44 +0100)
This makes everything reference a server_info->sids list, which is now
a struct dom_sid *, not a struct dom_sid **.  This is in keeping with
the other sid lists in the security_token etc.

In the process, I also tidy up the talloc tree (move more structures
under their logical parents) and check for some possible overflows in
situations with a pathological number of sids.

Andrew Bartlett

14 files changed:
source4/auth/auth.h
source4/auth/auth_sam_reply.c
source4/auth/ntlm/auth_developer.c
source4/auth/ntlm/auth_server.c
source4/auth/ntlm/auth_unix.c
source4/auth/sam.c
source4/auth/session.c
source4/auth/system_session.c
source4/dsdb/common/util_groups.c
source4/dsdb/samdb/ldb_modules/operational.c
source4/dsdb/samdb/samdb.c
source4/smbd/service_named_pipe.c
source4/torture/auth/pac.c
source4/torture/rpc/remote_pac.c

index 6d3dedefbf7fec6bd93d85c41b92b0b9239c34cc..21790c4d5cfff9975cd2e169ecfc06272a8b7941 100644 (file)
@@ -50,11 +50,8 @@ struct loadparm_context;
 
 struct auth_serversupplied_info
 {
 
 struct auth_serversupplied_info
 {
-       struct dom_sid *account_sid;
-       struct dom_sid *primary_group_sid;
-
-       size_t n_domain_groups;
-       struct dom_sid **domain_groups;
+       size_t num_sids;
+       struct dom_sid *sids;
 
        DATA_BLOB user_session_key;
        DATA_BLOB lm_session_key;
 
        DATA_BLOB user_session_key;
        DATA_BLOB lm_session_key;
index 0c03e78493d098040cadf3b0e5d8e193980b909e..bb2b6eb534d816fcc2045c7ab77c12803a08cf9f 100644 (file)
@@ -29,12 +29,32 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
                                              struct auth_serversupplied_info *server_info, 
                                              struct netr_SamBaseInfo **_sam)
 {
                                              struct auth_serversupplied_info *server_info, 
                                              struct netr_SamBaseInfo **_sam)
 {
+       NTSTATUS status;
        struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
        NT_STATUS_HAVE_NO_MEMORY(sam);
 
        struct netr_SamBaseInfo *sam = talloc_zero(mem_ctx, struct netr_SamBaseInfo);
        NT_STATUS_HAVE_NO_MEMORY(sam);
 
-       sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid);
-       NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid);
-       sam->domain_sid->num_auths--;
+       if (server_info->num_sids > PRIMARY_USER_SID_INDEX) {
+               status = dom_sid_split_rid(sam, &server_info->sids[PRIMARY_USER_SID_INDEX],
+                                          &sam->domain_sid, &sam->rid);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       } else {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       if (server_info->num_sids > PRIMARY_GROUP_SID_INDEX) {
+               status = dom_sid_split_rid(NULL, &server_info->sids[PRIMARY_GROUP_SID_INDEX],
+                                          NULL, &sam->primary_gid);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       } else {
+               /* if we have to encode something like SYSTEM (with no
+                * second SID in the token) then this is the only
+                * choice */
+               sam->primary_gid = sam->rid;
+       }
 
        sam->last_logon = server_info->last_logon;
        sam->last_logoff =  server_info->last_logoff;
 
        sam->last_logon = server_info->last_logon;
        sam->last_logoff =  server_info->last_logoff;
@@ -52,22 +72,19 @@ NTSTATUS auth_convert_server_info_sambaseinfo(TALLOC_CTX *mem_ctx,
 
        sam->logon_count = server_info->logon_count;
        sam->bad_password_count = sam->bad_password_count;
 
        sam->logon_count = server_info->logon_count;
        sam->bad_password_count = sam->bad_password_count;
-       sam->rid = server_info->account_sid->sub_auths[server_info->account_sid->num_auths-1];
-       sam->primary_gid = server_info->primary_group_sid->sub_auths[server_info->primary_group_sid->num_auths-1];
-
        sam->groups.count = 0;
        sam->groups.rids = NULL;
 
        sam->groups.count = 0;
        sam->groups.rids = NULL;
 
-       if (server_info->n_domain_groups > 0) {
+       if (server_info->num_sids > 2) {
                size_t i;
                sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
                size_t i;
                sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute,
-                                               server_info->n_domain_groups);
+                                               server_info->num_sids);
 
                if (sam->groups.rids == NULL)
                        return NT_STATUS_NO_MEMORY;
 
 
                if (sam->groups.rids == NULL)
                        return NT_STATUS_NO_MEMORY;
 
-               for (i=0; i<server_info->n_domain_groups; i++) {
-                       struct dom_sid *group_sid = server_info->domain_groups[i];
+               for (i=2; i<server_info->num_sids; i++) {
+                       struct dom_sid *group_sid = &server_info->sids[i];
                        if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
                                /* We handle this elsewhere */
                                continue;
                        if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
                                /* We handle this elsewhere */
                                continue;
@@ -116,8 +133,9 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
        size_t i;
        NT_STATUS_HAVE_NO_MEMORY(sam3);
 
        size_t i;
        NT_STATUS_HAVE_NO_MEMORY(sam3);
 
-       status = auth_convert_server_info_sambaseinfo(mem_ctx, server_info, &sam);
+       status = auth_convert_server_info_sambaseinfo(sam3, server_info, &sam);
        if (!NT_STATUS_IS_OK(status)) {
        if (!NT_STATUS_IS_OK(status)) {
+               talloc_free(sam3);
                return status;
        }
        sam3->base = *sam;
                return status;
        }
        sam3->base = *sam;
@@ -126,14 +144,16 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx,
 
        
        sam3->sids = talloc_array(sam, struct netr_SidAttr,
 
        
        sam3->sids = talloc_array(sam, struct netr_SidAttr,
-                                 server_info->n_domain_groups);
-       NT_STATUS_HAVE_NO_MEMORY(sam3->sids);
-       
-       for (i=0; i<server_info->n_domain_groups; i++) {
-               if (dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) {
+                                 server_info->num_sids);
+       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids, sam3);
+
+       /* We don't put the user and group SIDs in there */
+       for (i=2; i<server_info->num_sids; i++) {
+               if (dom_sid_in_domain(sam->domain_sid, &server_info->sids[i])) {
                        continue;
                }
                        continue;
                }
-               sam3->sids[sam3->sidcount].sid = talloc_reference(sam3->sids,server_info->domain_groups[i]);
+               sam3->sids[sam3->sidcount].sid = dom_sid_dup(sam3->sids, &server_info->sids[i]);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sam3->sids[sam3->sidcount].sid, sam3);
                sam3->sids[sam3->sidcount].attributes =
                        SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
                sam3->sidcount += 1;
                sam3->sids[sam3->sidcount].attributes =
                        SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
                sam3->sidcount += 1;
@@ -192,24 +212,38 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
           trusted domains, and verify that the SID 
           matches.
        */
           trusted domains, and verify that the SID 
           matches.
        */
-       server_info->account_sid = dom_sid_add_rid(server_info, base->domain_sid, base->rid);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+       if (!base->domain_sid) {
+               DEBUG(0, ("Cannot operate on a Netlogon Validation without a domain SID"));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
 
 
+       /* The IDL layer would be a better place to check this, but to
+        * guard the integer addition below, we double-check */
+       if (base->groups.count > 65535) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
 
 
-       server_info->primary_group_sid = dom_sid_add_rid(server_info, base->domain_sid, base->primary_gid);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+       server_info->num_sids = 2;
 
 
-       server_info->n_domain_groups = base->groups.count;
-       if (base->groups.count) {
-               server_info->domain_groups = talloc_array(server_info, struct dom_sid*, base->groups.count);
-               NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups);
-       } else {
-               server_info->domain_groups = NULL;
+       server_info->sids = talloc_array(server_info, struct dom_sid,  server_info->num_sids + base->groups.count);
+       NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
+
+       server_info->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid;
+       if (!sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], base->rid)) {
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+
+       server_info->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid;
+       if (!sid_append_rid(&server_info->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) {
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        for (i = 0; i < base->groups.count; i++) {
        }
 
        for (i = 0; i < base->groups.count; i++) {
-               server_info->domain_groups[i] = dom_sid_add_rid(server_info->domain_groups, base->domain_sid, base->groups.rids[i].rid);
-               NT_STATUS_HAVE_NO_MEMORY(server_info->domain_groups[i]);
+               server_info->sids[server_info->num_sids] = *base->domain_sid;
+               if (!sid_append_rid(&server_info->sids[server_info->num_sids], base->groups.rids[i].rid)) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+               server_info->num_sids++;
        }
 
        /* Copy 'other' sids.  We need to do sid filtering here to
        }
 
        /* Copy 'other' sids.  We need to do sid filtering here to
@@ -219,21 +253,29 @@ NTSTATUS make_server_info_netlogon_validation(TALLOC_CTX *mem_ctx,
          */
 
        if (validation_level == 3) {
          */
 
        if (validation_level == 3) {
-               struct dom_sid **dgrps = server_info->domain_groups;
-               size_t sidcount = server_info->n_domain_groups + validation->sam3->sidcount;
-               size_t n_dgrps = server_info->n_domain_groups;
+               struct dom_sid *dgrps = server_info->sids;
+               size_t sidcount;
+
+               /* The IDL layer would be a better place to check this, but to
+                * guard the integer addition below, we double-check */
+               if (validation->sam3->sidcount > 65535) {
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
 
 
+               sidcount = server_info->num_sids + validation->sam3->sidcount;
                if (validation->sam3->sidcount > 0) {
                if (validation->sam3->sidcount > 0) {
-                       dgrps = talloc_realloc(server_info, dgrps, struct dom_sid*, sidcount);
+                       dgrps = talloc_realloc(server_info, dgrps, struct dom_sid, sidcount);
                        NT_STATUS_HAVE_NO_MEMORY(dgrps);
 
                        for (i = 0; i < validation->sam3->sidcount; i++) {
                        NT_STATUS_HAVE_NO_MEMORY(dgrps);
 
                        for (i = 0; i < validation->sam3->sidcount; i++) {
-                               dgrps[n_dgrps + i] = talloc_reference(dgrps, validation->sam3->sids[i].sid);
+                               if (validation->sam3->sids[i].sid) {
+                                       dgrps[server_info->num_sids] = *validation->sam3->sids[i].sid;
+                                       server_info->num_sids++;
+                               }
                        }
                }
 
                        }
                }
 
-               server_info->n_domain_groups = sidcount;
-               server_info->domain_groups = dgrps;
+               server_info->sids = dgrps;
 
                /* Where are the 'global' sids?... */
        }
 
                /* Where are the 'global' sids?... */
        }
@@ -307,18 +349,36 @@ NTSTATUS make_server_info_pac(TALLOC_CTX *mem_ctx,
        }
 
        if (pac_logon_info->res_groups.count > 0) {
        }
 
        if (pac_logon_info->res_groups.count > 0) {
-               struct dom_sid **rgrps;
-               size_t sidcount = server_info->n_domain_groups + pac_logon_info->res_groups.count;
-               server_info->domain_groups = rgrps
-                       = talloc_realloc(server_info, server_info->domain_groups, struct dom_sid *, sidcount);
-               NT_STATUS_HAVE_NO_MEMORY(rgrps);
+               size_t sidcount;
+               /* The IDL layer would be a better place to check this, but to
+                * guard the integer addition below, we double-check */
+               if (pac_logon_info->res_groups.count > 65535) {
+                       talloc_free(server_info);
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               /*
+                 Here is where we should check the list of
+                 trusted domains, and verify that the SID
+                 matches.
+               */
+               if (!pac_logon_info->res_group_dom_sid) {
+                       DEBUG(0, ("Cannot operate on a PAC without a resource domain SID"));
+                       return NT_STATUS_INVALID_PARAMETER;
+               }
+
+               sidcount = server_info->num_sids + pac_logon_info->res_groups.count;
+               server_info->sids
+                       = talloc_realloc(server_info, server_info->sids, struct dom_sid, sidcount);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
 
                for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
 
                for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
-                       size_t sid_idx = server_info->n_domain_groups + i;
-                       rgrps[sid_idx]
-                               = dom_sid_add_rid(rgrps, pac_logon_info->res_group_dom_sid,
-                                                 pac_logon_info->res_groups.rids[i].rid);
-                       NT_STATUS_HAVE_NO_MEMORY(rgrps[server_info->n_domain_groups + sid_idx]);
+                       server_info->sids[server_info->num_sids] = *pac_logon_info->res_group_dom_sid;
+                       if (!sid_append_rid(&server_info->sids[server_info->num_sids],
+                                           pac_logon_info->res_groups.rids[i].rid)) {
+                               return NT_STATUS_INVALID_PARAMETER;
+                       }
+                       server_info->num_sids++;
                }
        }
        *_server_info = server_info;
                }
        }
        *_server_info = server_info;
index 96491d62c9d7b2be2f6cf140b48833301a6b5098..6384d98986ad05e0e895567c3c2fef201ff47072 100644 (file)
@@ -68,15 +68,11 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-       /* is this correct? */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
+       /* This returns a pointer to a struct dom_sid, which is the
+        * same as a 1 element list of struct dom_sid */
+       server_info->num_sids = 1;
+       server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+       NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
index 898e2cce675ff301642d4860abc184fa3f5447c0..8e9e73c43dee9b113b5882c16b566a8cc3008e3e 100644 (file)
@@ -159,15 +159,12 @@ static NTSTATUS server_check_password(struct auth_method_context *ctx,
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+       server_info->num_sids = 1;
 
 
-       /* is this correct? */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_GUESTS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
+       /* This returns a pointer to a struct dom_sid, which is the
+        * same as a 1 element list of struct dom_sid */
+       server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+       NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
index 1c026f6990fbd770b5f943bba0a7b9a48b909513..ba37e0a95ec7e4f7ebd04482c8b234c8683e193e 100644 (file)
@@ -65,10 +65,8 @@ static NTSTATUS authunix_make_server_info(TALLOC_CTX *mem_ctx,
                NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
 
                /* This isn't in any way correct.. */
                NT_STATUS_HAVE_NO_MEMORY(server_info->domain_name);
 
                /* This isn't in any way correct.. */
-               server_info->account_sid = NULL;
-               server_info->primary_group_sid = NULL;
-               server_info->n_domain_groups = 0;
-               server_info->domain_groups = NULL;
+               server_info->num_sids = 0;
+               server_info->sids = NULL;
        }
        server_info->user_session_key = data_blob(NULL,0);
        server_info->lm_session_key = data_blob(NULL,0);
        }
        server_info->user_session_key = data_blob(NULL,0);
        server_info->lm_session_key = data_blob(NULL,0);
index 0a97d81b8284e792de9270f82c18b5f4c7a638c0..c9ce644cbf49b711de5e05b91093a09a5f5068fe 100644 (file)
@@ -282,13 +282,12 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
        const char *str, *filter;
        /* SIDs for the account and his primary group */
        struct dom_sid *account_sid;
        const char *str, *filter;
        /* SIDs for the account and his primary group */
        struct dom_sid *account_sid;
-       struct dom_sid *primary_group_sid;
        const char *primary_group_string;
        const char *primary_group_dn;
        DATA_BLOB primary_group_blob;
        /* SID structures for the expanded group memberships */
        const char *primary_group_string;
        const char *primary_group_dn;
        DATA_BLOB primary_group_blob;
        /* SID structures for the expanded group memberships */
-       struct dom_sid **groupSIDs = NULL;
-       unsigned int num_groupSIDs = 0, i;
+       struct dom_sid *sids = NULL;
+       unsigned int num_sids = 0, i;
        struct dom_sid *domain_sid;
        TALLOC_CTX *tmp_ctx;
        struct ldb_message_element *el;
        struct dom_sid *domain_sid;
        TALLOC_CTX *tmp_ctx;
        struct ldb_message_element *el;
@@ -299,6 +298,11 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
        tmp_ctx = talloc_new(server_info);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
 
        tmp_ctx = talloc_new(server_info);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, server_info);
 
+       sids = talloc_array(server_info, struct dom_sid, 2);
+       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, server_info);
+
+       num_sids = 2;
+
        account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
 
        account_sid = samdb_result_dom_sid(server_info, msg, "objectSid");
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, server_info);
 
@@ -308,10 +312,9 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
                return status;
        }
 
                return status;
        }
 
-       primary_group_sid = dom_sid_add_rid(server_info,
-                                           domain_sid,
-                                           ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, server_info);
+       sids[PRIMARY_USER_SID_INDEX] = *account_sid;
+       sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
+       sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
 
        /* Filter out builtin groups from this token.  We will search
         * for builtin groups later, and not include them in the PAC
 
        /* Filter out builtin groups from this token.  We will search
         * for builtin groups later, and not include them in the PAC
@@ -319,7 +322,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
        filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
 
        filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, server_info);
 
-       primary_group_string = dom_sid_string(tmp_ctx, primary_group_sid);
+       primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
 
        primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
 
        primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
@@ -337,7 +340,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
         * 'only childs' flag to true
         */
        status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
         * 'only childs' flag to true
         */
        status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
-                                          server_info, &groupSIDs, &num_groupSIDs);
+                                          server_info, &sids, &num_sids);
        if (!NT_STATUS_IS_OK(status)) {
                talloc_free(server_info);
                return status;
        if (!NT_STATUS_IS_OK(status)) {
                talloc_free(server_info);
                return status;
@@ -350,18 +353,15 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
                 * them, as long as they meet the filter - so only
                 * domain groups, not builtin groups */
                status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
                 * them, as long as they meet the filter - so only
                 * domain groups, not builtin groups */
                status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
-                                                  server_info, &groupSIDs, &num_groupSIDs);
+                                                  server_info, &sids, &num_sids);
                if (!NT_STATUS_IS_OK(status)) {
                        talloc_free(server_info);
                        return status;
                }
        }
 
                if (!NT_STATUS_IS_OK(status)) {
                        talloc_free(server_info);
                        return status;
                }
        }
 
-       server_info->account_sid = account_sid;
-       server_info->primary_group_sid = primary_group_sid;
-       
-       server_info->domain_groups = groupSIDs;
-       server_info->n_domain_groups = num_groupSIDs;
+       server_info->sids = sids;
+       server_info->num_sids = num_sids;
 
        server_info->account_name = talloc_steal(server_info,
                ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
 
        server_info->account_name = talloc_steal(server_info,
                ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
@@ -433,33 +433,27 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
        if (server_info->acct_flags & ACB_SVRTRUST) {
                /* the SID_NT_ENTERPRISE_DCS SID gets added into the
                   PAC */
        if (server_info->acct_flags & ACB_SVRTRUST) {
                /* the SID_NT_ENTERPRISE_DCS SID gets added into the
                   PAC */
-               server_info->domain_groups = talloc_realloc(server_info,
-                                                           server_info->domain_groups,
-                                                           struct dom_sid *,
-                                                           server_info->n_domain_groups+1);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
-               server_info->domain_groups[server_info->n_domain_groups] =
-                       dom_sid_parse_talloc(server_info->domain_groups,
-                                            SID_NT_ENTERPRISE_DCS);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
-                                                 server_info);
-               server_info->n_domain_groups++;
+               server_info->sids = talloc_realloc(server_info,
+                                                  server_info->sids,
+                                                  struct dom_sid,
+                                                  server_info->num_sids+1);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
+               server_info->sids[server_info->num_sids] = global_sid_Enterprise_DCs;
+               server_info->num_sids++;
        }
 
        if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
            (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
                /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
        }
 
        if ((server_info->acct_flags & (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) ==
            (ACB_PARTIAL_SECRETS_ACCOUNT | ACB_WSTRUST)) {
                /* the DOMAIN_RID_ENTERPRISE_READONLY_DCS PAC */
-               server_info->domain_groups = talloc_realloc(server_info,
-                                                           server_info->domain_groups,
-                                                           struct dom_sid *,
-                                                           server_info->n_domain_groups+1);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
-               server_info->domain_groups[server_info->n_domain_groups] =
-                       dom_sid_add_rid(server_info->domain_groups, domain_sid,
-                               DOMAIN_RID_ENTERPRISE_READONLY_DCS);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
-                                                 server_info);
-               server_info->n_domain_groups++;
+               server_info->sids = talloc_realloc(server_info,
+                                                  server_info->sids,
+                                                  struct dom_sid,
+                                                  server_info->num_sids+1);
+               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->sids, server_info);
+               server_info->sids[server_info->num_sids] = *domain_sid;
+               sid_append_rid(&server_info->sids[server_info->num_sids],
+                           DOMAIN_RID_ENTERPRISE_READONLY_DCS);
+               server_info->num_sids++;
        }
 
        server_info->authenticated = true;
        }
 
        server_info->authenticated = true;
index 00a59229ecef956ebdaf926179ba9032e0181ec3..060f6d2eb6fd4c096a0e82456caa78420f4fb64d 100644 (file)
@@ -50,17 +50,11 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 {
        struct auth_session_info *session_info;
        NTSTATUS nt_status;
 {
        struct auth_session_info *session_info;
        NTSTATUS nt_status;
-       unsigned int i, num_groupSIDs = 0;
-       const char *account_sid_string;
-       const char *account_sid_dn;
-       DATA_BLOB account_sid_blob;
-       const char *primary_group_string;
-       const char *primary_group_dn;
-       DATA_BLOB primary_group_blob;
+       unsigned int i, num_sids = 0;
 
        const char *filter;
 
 
        const char *filter;
 
-       struct dom_sid **groupSIDs = NULL;
+       struct dom_sid *sids = NULL;
        const struct dom_sid *anonymous_sid, *system_sid;
 
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
        const struct dom_sid *anonymous_sid, *system_sid;
 
        TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
@@ -81,96 +75,50 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
        system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
 
        system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
        NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
 
-       groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
-       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
-       if (!groupSIDs) {
+       sids = talloc_array(tmp_ctx, struct dom_sid, server_info->num_sids);
+       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
+       if (!sids) {
                talloc_free(tmp_ctx);
                return NT_STATUS_NO_MEMORY;
        }
 
                talloc_free(tmp_ctx);
                return NT_STATUS_NO_MEMORY;
        }
 
-       num_groupSIDs = server_info->n_domain_groups;
+       num_sids = server_info->num_sids;
 
 
-       for (i=0; i < server_info->n_domain_groups; i++) {
-               groupSIDs[i] = server_info->domain_groups[i];
+       for (i=0; i < server_info->num_sids; i++) {
+               sids[i] = server_info->sids[i];
        }
 
        }
 
-       if (dom_sid_equal(anonymous_sid, server_info->account_sid)) {
+       if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
                /* Don't expand nested groups of system, anonymous etc*/
                /* Don't expand nested groups of system, anonymous etc*/
-       } else if (dom_sid_equal(system_sid, server_info->account_sid)) {
+       } else if (server_info->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &server_info->sids[PRIMARY_USER_SID_INDEX])) {
                /* Don't expand nested groups of system, anonymous etc*/
        } else if (sam_ctx) {
                filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
                                         GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 
                /* Search for each group in the token */
                /* Don't expand nested groups of system, anonymous etc*/
        } else if (sam_ctx) {
                filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
                                         GROUP_TYPE_BUILTIN_LOCAL_GROUP);
 
                /* Search for each group in the token */
-
-               /* Expands the account SID - this function takes in
-                * memberOf-like values, so we fake one up with the
-                * <SID=S-...> format of DN and then let it expand
-                * them, as long as they meet the filter - so only
-                * builtin groups
-                *
-                * We already have the primary group in the token, so set
-                * 'only childs' flag to true
-                */
-               account_sid_string = dom_sid_string(tmp_ctx, server_info->account_sid);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_string, server_info);
-               
-               account_sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", account_sid_string);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid_dn, server_info);
-               
-               account_sid_blob = data_blob_string_const(account_sid_dn);
-               
-               nt_status = dsdb_expand_nested_groups(sam_ctx, &account_sid_blob, true, filter,
-                                                     tmp_ctx, &groupSIDs, &num_groupSIDs);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(tmp_ctx);
-                       return nt_status;
-               }
-
-               /* Expands the primary group - this function takes in
-                * memberOf-like values, so we fake one up with the
-                * <SID=S-...> format of DN and then let it expand
-                * them, as long as they meet the filter - so only
-                * builtin groups
-                *
-                * We already have the primary group in the token, so set
-                * 'only childs' flag to true
-                */
-               primary_group_string = dom_sid_string(tmp_ctx, server_info->primary_group_sid);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, server_info);
-               
-               primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, server_info);
-               
-               primary_group_blob = data_blob_string_const(primary_group_dn);
-               
-               nt_status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
-                                                     tmp_ctx, &groupSIDs, &num_groupSIDs);
-               if (!NT_STATUS_IS_OK(nt_status)) {
-                       talloc_free(tmp_ctx);
-                       return nt_status;
-               }
-               
-               for (i = 0; i < server_info->n_domain_groups; i++) {
-                       char *group_string;
-                       const char *group_dn;
-                       DATA_BLOB group_blob;
+               for (i = 0; i < server_info->num_sids; i++) {
+                       char *sid_string;
+                       const char *sid_dn;
+                       DATA_BLOB sid_blob;
                        
                        
-                       group_string = dom_sid_string(tmp_ctx,
-                                                     server_info->domain_groups[i]);
-                       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_string, server_info);
+                       sid_string = dom_sid_string(tmp_ctx,
+                                                     &server_info->sids[i]);
+                       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, server_info);
                        
                        
-                       group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", group_string);
-                       talloc_free(group_string);
-                       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(group_dn, server_info);
-                       group_blob = data_blob_string_const(group_dn);
+                       sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
+                       talloc_free(sid_string);
+                       NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, server_info);
+                       sid_blob = data_blob_string_const(sid_dn);
                        
                        /* This function takes in memberOf values and expands
                         * them, as long as they meet the filter - so only
                        
                        /* This function takes in memberOf values and expands
                         * them, as long as they meet the filter - so only
-                        * builtin groups */
-                       nt_status = dsdb_expand_nested_groups(sam_ctx, &group_blob, true, filter,
-                                                             tmp_ctx, &groupSIDs, &num_groupSIDs);
+                        * builtin groups
+                        *
+                        * We already have the SID in the token, so set
+                        * 'only childs' flag to true */
+                       nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter,
+                                                             tmp_ctx, &sids, &num_sids);
                        if (!NT_STATUS_IS_OK(nt_status)) {
                                talloc_free(tmp_ctx);
                                return nt_status;
                        if (!NT_STATUS_IS_OK(nt_status)) {
                                talloc_free(tmp_ctx);
                                return nt_status;
@@ -180,10 +128,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 
        nt_status = security_token_create(session_info,
                                          lp_ctx,
 
        nt_status = security_token_create(session_info,
                                          lp_ctx,
-                                         server_info->account_sid,
-                                         server_info->primary_group_sid,
-                                         num_groupSIDs,
-                                         groupSIDs,
+                                         num_sids,
+                                         sids,
                                          session_info_flags,
                                          &session_info->security_token);
        NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
                                          session_info_flags,
                                          &session_info->security_token);
        NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
index 1058f19f5e6386aa9a997b38007952b85eabd964..6df12fb701db7172938c71c2de29a9c0a029be43 100644 (file)
@@ -106,15 +106,11 @@ NTSTATUS auth_system_server_info(TALLOC_CTX *mem_ctx, const char *netbios_name,
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-       /* is this correct? */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
+       /* This returns a pointer to a struct dom_sid, which is the
+        * same as a 1 element list of struct dom_sid */
+       server_info->num_sids = 1;
+       server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_SYSTEM);
+       NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
 
        /* annoying, but the Anonymous really does have a session key, 
           and it is all zeros! */
@@ -182,21 +178,25 @@ static NTSTATUS auth_domain_admin_server_info(TALLOC_CTX *mem_ctx,
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
-       server_info->account_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINISTRATOR);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
+       server_info->num_sids = 7;
+       server_info->sids = talloc_array(server_info, struct dom_sid, server_info->num_sids);
+
+       server_info->sids[PRIMARY_USER_SID_INDEX] = *domain_sid;
+       sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_ADMINISTRATOR);
 
 
-       server_info->primary_group_sid = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
+       server_info->sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
+       sid_append_rid(&server_info->sids[PRIMARY_USER_SID_INDEX], DOMAIN_RID_USERS);
 
 
-       server_info->n_domain_groups = 6;
-       server_info->domain_groups = talloc_array(server_info, struct dom_sid *, server_info->n_domain_groups);
+       server_info->sids[2] = global_sid_Builtin_Administrators;
 
 
-       server_info->domain_groups[0] = dom_sid_parse_talloc(server_info, SID_BUILTIN_ADMINISTRATORS);
-       server_info->domain_groups[1] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ADMINS);
-       server_info->domain_groups[2] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_USERS);
-       server_info->domain_groups[3] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_ENTERPRISE_ADMINS);
-       server_info->domain_groups[4] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_POLICY_ADMINS);
-       server_info->domain_groups[5] = dom_sid_add_rid(server_info, domain_sid, DOMAIN_RID_SCHEMA_ADMINS);
+       server_info->sids[3] = *domain_sid;
+       sid_append_rid(&server_info->sids[3], DOMAIN_RID_ADMINS);
+       server_info->sids[4] = *domain_sid;
+       sid_append_rid(&server_info->sids[4], DOMAIN_RID_ENTERPRISE_ADMINS);
+       server_info->sids[5] = *domain_sid;
+       sid_append_rid(&server_info->sids[5], DOMAIN_RID_POLICY_ADMINS);
+       server_info->sids[6] = *domain_sid;
+       sid_append_rid(&server_info->sids[6], DOMAIN_RID_SCHEMA_ADMINS);
 
        /* What should the session key be?*/
        server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
 
        /* What should the session key be?*/
        server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
@@ -337,15 +337,11 @@ _PUBLIC_ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
        server_info = talloc(mem_ctx, struct auth_serversupplied_info);
        NT_STATUS_HAVE_NO_MEMORY(server_info);
 
-       server_info->account_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->account_sid);
-
-       /* The anonymous user has only one SID in it's token, but we need to fill something in here */
-       server_info->primary_group_sid = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
-       NT_STATUS_HAVE_NO_MEMORY(server_info->primary_group_sid);
-
-       server_info->n_domain_groups = 0;
-       server_info->domain_groups = NULL;
+       /* This returns a pointer to a struct dom_sid, which is the
+        * same as a 1 element list of struct dom_sid */
+       server_info->num_sids = 1;
+       server_info->sids = dom_sid_parse_talloc(server_info, SID_NT_ANONYMOUS);
+       NT_STATUS_HAVE_NO_MEMORY(server_info->sids);
 
        /* annoying, but the Anonymous really does have a session key... */
        server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
 
        /* annoying, but the Anonymous really does have a session key... */
        server_info->user_session_key = data_blob_talloc(server_info, NULL, 16);
index d41305577c817155376b75c5b82bda188a6cc49a..b5aecbafe916fe81f5659e7c64dba04a77715cb3 100644 (file)
 #include "dsdb/common/util.h"
 
 /* This function tests if a SID structure "sids" contains the SID "sid" */
 #include "dsdb/common/util.h"
 
 /* This function tests if a SID structure "sids" contains the SID "sid" */
-static bool sids_contains_sid(const struct dom_sid **sids,
+static bool sids_contains_sid(const struct dom_sid *sids,
                              const unsigned int num_sids,
                              const struct dom_sid *sid)
 {
        unsigned int i;
 
        for (i = 0; i < num_sids; i++) {
                              const unsigned int num_sids,
                              const struct dom_sid *sid)
 {
        unsigned int i;
 
        for (i = 0; i < num_sids; i++) {
-               if (dom_sid_equal(sids[i], sid))
+               if (dom_sid_equal(&sids[i], sid))
                        return true;
        }
        return false;
                        return true;
        }
        return false;
@@ -56,7 +56,7 @@ static bool sids_contains_sid(const struct dom_sid **sids,
  */
 NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
                                   struct ldb_val *dn_val, const bool only_childs, const char *filter,
  */
 NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
                                   struct ldb_val *dn_val, const bool only_childs, const char *filter,
-                                  TALLOC_CTX *res_sids_ctx, struct dom_sid ***res_sids,
+                                  TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
                                   unsigned int *num_res_sids)
 {
        const char * const attrs[] = { "memberOf", NULL };
                                   unsigned int *num_res_sids)
 {
        const char * const attrs[] = { "memberOf", NULL };
@@ -114,7 +114,7 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
                                     DSDB_SEARCH_SHOW_EXTENDED_DN);
        } else {
                /* This is an O(n^2) linear search */
                                     DSDB_SEARCH_SHOW_EXTENDED_DN);
        } else {
                /* This is an O(n^2) linear search */
-               already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+               already_there = sids_contains_sid(*res_sids,
                                                  *num_res_sids, &sid);
                if (already_there) {
                        talloc_free(tmp_ctx);
                                                  *num_res_sids, &sid);
                if (already_there) {
                        talloc_free(tmp_ctx);
@@ -148,10 +148,9 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
        /* We only apply this test once we know the SID matches the filter */
        if (!only_childs) {
                *res_sids = talloc_realloc(res_sids_ctx, *res_sids,
        /* We only apply this test once we know the SID matches the filter */
        if (!only_childs) {
                *res_sids = talloc_realloc(res_sids_ctx, *res_sids,
-                       struct dom_sid *, *num_res_sids + 1);
+                       struct dom_sid, *num_res_sids + 1);
                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
                NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
-               (*res_sids)[*num_res_sids] = dom_sid_dup(*res_sids, &sid);
-               NT_STATUS_HAVE_NO_MEMORY_AND_FREE((*res_sids)[*num_res_sids], tmp_ctx);
+               (*res_sids)[*num_res_sids] = sid;
                ++(*num_res_sids);
        }
 
                ++(*num_res_sids);
        }
 
index ae61089198ff41eb4579056da7eb53851a4b981d..1df56e8fe08716e63c3be807bf2bd4e23db857b5 100644 (file)
@@ -149,7 +149,7 @@ static int construct_token_groups(struct ldb_module *module,
        const char *account_sid_string;
        const char *account_sid_dn;
        DATA_BLOB account_sid_blob;
        const char *account_sid_string;
        const char *account_sid_dn;
        DATA_BLOB account_sid_blob;
-       struct dom_sid **groupSIDs = NULL;
+       struct dom_sid *groupSIDs = NULL;
        unsigned int num_groupSIDs = 0;
 
        struct dom_sid *domain_sid;
        unsigned int num_groupSIDs = 0;
 
        struct dom_sid *domain_sid;
@@ -254,7 +254,7 @@ static int construct_token_groups(struct ldb_module *module,
        }
 
        for (i=0; i < num_groupSIDs; i++) {
        }
 
        for (i=0; i < num_groupSIDs; i++) {
-               ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", groupSIDs[i]);
+               ret = samdb_msg_add_dom_sid(ldb, msg, msg, "tokenGroups", &groupSIDs[i]);
                if (ret) {
                        talloc_free(tmp_ctx);
                        return ret;
                if (ret) {
                        talloc_free(tmp_ctx);
                        return ret;
index 11913fbbced79b4e9d39f427c3a716f8af4f6765..53be12cd524f7fd5e350c23e4f6fc968abe661b6 100644 (file)
@@ -144,10 +144,8 @@ struct ldb_context *samdb_connect(TALLOC_CTX *mem_ctx,
 ****************************************************************************/
 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
                               struct loadparm_context *lp_ctx,
 ****************************************************************************/
 NTSTATUS security_token_create(TALLOC_CTX *mem_ctx, 
                               struct loadparm_context *lp_ctx,
-                              struct dom_sid *user_sid,
-                              struct dom_sid *group_sid, 
-                              unsigned int n_groupSIDs,
-                              struct dom_sid **groupSIDs, 
+                              unsigned int num_sids,
+                              struct dom_sid *sids,
                               uint32_t session_info_flags,
                               struct security_token **token)
 {
                               uint32_t session_info_flags,
                               struct security_token **token)
 {
@@ -158,22 +156,32 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
        ptoken = security_token_initialise(mem_ctx);
        NT_STATUS_HAVE_NO_MEMORY(ptoken);
 
        ptoken = security_token_initialise(mem_ctx);
        NT_STATUS_HAVE_NO_MEMORY(ptoken);
 
-       ptoken->sids = talloc_array(ptoken, struct dom_sid, n_groupSIDs + 6 /* over-allocate */);
+       ptoken->sids = talloc_array(ptoken, struct dom_sid, num_sids + 6 /* over-allocate */);
        NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
 
        NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
 
-       ptoken->num_sids = 1;
+       ptoken->num_sids = 0;
 
 
-       ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-       NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+       for (i = 0; i < num_sids; i++) {
+               size_t check_sid_idx;
+               for (check_sid_idx = 0;
+                    check_sid_idx < ptoken->num_sids;
+                    check_sid_idx++) {
+                       if (dom_sid_equal(&ptoken->sids[check_sid_idx], &sids[i])) {
+                               break;
+                       }
+               }
 
 
-       ptoken->sids[PRIMARY_USER_SID_INDEX] = *user_sid;
-       if (!dom_sid_equal(user_sid, group_sid)) {
-               ptoken->sids[PRIMARY_GROUP_SID_INDEX] = *group_sid;
-               ptoken->num_sids++;
+               if (check_sid_idx == ptoken->num_sids) {
+                       ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
+                       NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
+
+                       ptoken->sids[ptoken->num_sids] = sids[i];
+                       ptoken->num_sids++;
+               }
        }
 
        /*
        }
 
        /*
-        * Finally add the "standard" SIDs.
+        * Finally add the "standard" sids.
         * The only difference between guest and "anonymous"
         * is the addition of Authenticated_Users.
         */
         * The only difference between guest and "anonymous"
         * is the addition of Authenticated_Users.
         */
@@ -203,25 +211,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
                ptoken->num_sids++;
        }
 
                ptoken->num_sids++;
        }
 
-       for (i = 0; i < n_groupSIDs; i++) {
-               size_t check_sid_idx;
-               for (check_sid_idx = 1; 
-                    check_sid_idx < ptoken->num_sids; 
-                    check_sid_idx++) {
-                       if (dom_sid_equal(&ptoken->sids[check_sid_idx], groupSIDs[i])) {
-                               break;
-                       }
-               }
-
-               if (check_sid_idx == ptoken->num_sids) {
-                       ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
-                       NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
-                       ptoken->sids[ptoken->num_sids] = *groupSIDs[i];
-                       ptoken->num_sids++;
-               }
-       }
-
        /* The caller may have requested simple privilages, for example if there isn't a local DB */
        if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
                /* Shortcuts to prevent recursion and avoid lookups */
        /* The caller may have requested simple privilages, for example if there isn't a local DB */
        if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
                /* Shortcuts to prevent recursion and avoid lookups */
index 25d37af8c4040dd120d4d0a3aba802502a835756..d9e09f12095a0648fb82f3f8db09a8caa96f4d16 100644 (file)
@@ -169,7 +169,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq)
                }
 
                session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
                }
 
                session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-               if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) {
+               if (server_info->num_sids > 1 && !dom_sid_equal(anonymous_sid, &server_info->sids[0])) {
                        session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
                }
 
                        session_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
                }
 
index 13796bd3db9849a1c90d8812831d2630eeda4079..e76f0820d43cba9ea3990e31139f34fa500989a3 100644 (file)
@@ -167,8 +167,9 @@ static bool torture_pac_self_check(struct torture_context *tctx)
                                                     smb_krb5_context->krb5_context,
                                                     &server_info_out);
 
                                                     smb_krb5_context->krb5_context,
                                                     &server_info_out);
 
-       if (!dom_sid_equal(server_info->account_sid, 
-                          server_info_out->account_sid)) {
+       /* The user's SID is the first element in the list */
+       if (!dom_sid_equal(server_info->sids,
+                          server_info_out->sids)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            &krbtgt_keyblock);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -179,8 +180,8 @@ static bool torture_pac_self_check(struct torture_context *tctx)
                torture_fail(tctx,  
                             talloc_asprintf(tctx, 
                                             "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
                torture_fail(tctx,  
                             talloc_asprintf(tctx, 
                                             "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
-                                            dom_sid_string(mem_ctx, server_info->account_sid), 
-                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
+                                            dom_sid_string(mem_ctx, server_info->sids),
+                                            dom_sid_string(mem_ctx, server_info_out->sids)));
        }
        talloc_free(server_info_out);
 
        }
        talloc_free(server_info_out);
 
@@ -229,13 +230,13 @@ static bool torture_pac_self_check(struct torture_context *tctx)
                                             nt_errstr(nt_status)));
        }
        
                                             nt_errstr(nt_status)));
        }
        
-       if (!dom_sid_equal(server_info->account_sid, 
-                          server_info_out->account_sid)) {
+       if (!dom_sid_equal(server_info->sids,
+                          server_info_out->sids)) {
                torture_fail(tctx,  
                             talloc_asprintf(tctx, 
                                             "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
                torture_fail(tctx,  
                             talloc_asprintf(tctx, 
                                             "(self test) PAC Decode resulted in *different* domain SID: %s != %s",
-                                            dom_sid_string(mem_ctx, server_info->account_sid), 
-                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
+                                            dom_sid_string(mem_ctx, server_info->sids),
+                                            dom_sid_string(mem_ctx, server_info_out->sids)));
        }
        return true;
 }
        }
        return true;
 }
@@ -444,7 +445,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
        if (!pac_file &&
            !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
                                                "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
        if (!pac_file &&
            !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
                                                "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
-                          server_info_out->account_sid)) {
+                          server_info_out->sids)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -455,7 +456,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
                             talloc_asprintf(tctx, 
                                             "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
                                             "S-1-5-21-3048156945-3961193616-3706469200-1005", 
                             talloc_asprintf(tctx, 
                                             "(saved test) Heimdal PAC Decode resulted in *different* domain SID: %s != %s",
                                             "S-1-5-21-3048156945-3961193616-3706469200-1005", 
-                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
+                                            dom_sid_string(mem_ctx, server_info_out->sids)));
        }
 
        talloc_free(server_info_out);
        }
 
        talloc_free(server_info_out);
@@ -503,7 +504,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
        if (!pac_file &&
            !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
                                                "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
        if (!pac_file &&
            !dom_sid_equal(dom_sid_parse_talloc(mem_ctx, 
                                                "S-1-5-21-3048156945-3961193616-3706469200-1005"), 
-                          server_info_out->account_sid)) {
+                          server_info_out->sids)) {
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
                                            krbtgt_keyblock_p);
                krb5_free_keyblock_contents(smb_krb5_context->krb5_context, 
@@ -514,7 +515,7 @@ static bool torture_pac_saved_check(struct torture_context *tctx)
                             talloc_asprintf(tctx, 
                                             "(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
                                             "S-1-5-21-3048156945-3961193616-3706469200-1005", 
                             talloc_asprintf(tctx, 
                                             "(saved test) PAC Decode resulted in *different* domain SID: %s != %s",
                                             "S-1-5-21-3048156945-3961193616-3706469200-1005", 
-                                            dom_sid_string(mem_ctx, server_info_out->account_sid)));
+                                            dom_sid_string(mem_ctx, server_info_out->sids)));
        }
 
        if (krbtgt_bytes == NULL) {
        }
 
        if (krbtgt_bytes == NULL) {
index 8f4d677c44aaf9dca861f9743d7b2d1df4cf1671..73e62a3b6f4fc809f94aebb1773ce180f9db4676 100644 (file)
@@ -603,21 +603,17 @@ static bool test_S2U4Self(struct torture_context *tctx,
                                 s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self");
        torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC");
        torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self");
                                 s2u4self_session_info->server_info->account_name, "Account name differs for S2U4Self");
        torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, kinit_session_info->server_info->full_name, "Full name differs for kinit-based PAC");
        torture_assert_str_equal(tctx, netlogon_server_info->full_name == NULL ? "" : netlogon_server_info->full_name, s2u4self_session_info->server_info->full_name, "Full name differs for S2U4Self");
-       torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, kinit_session_info->server_info->account_sid), "Account SID differs for kinit-based PAC");
-       torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, kinit_session_info->server_info->primary_group_sid), "Primary Group SID differs for kinit-based PAC");
-       torture_assert(tctx, dom_sid_equal(netlogon_server_info->account_sid, s2u4self_session_info->server_info->account_sid), "Account SID differs for S2U4Self");
-       torture_assert(tctx, dom_sid_equal(netlogon_server_info->primary_group_sid, s2u4self_session_info->server_info->primary_group_sid), "Primary Group SID differs for S2U4Self");
-       torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, kinit_session_info->server_info->n_domain_groups, "Different numbers of domain groups for kinit-based PAC");
-       torture_assert_int_equal(tctx, netlogon_server_info->n_domain_groups, s2u4self_session_info->server_info->n_domain_groups, "Different numbers of domain groups for S2U4Self");
+       torture_assert_int_equal(tctx, netlogon_server_info->num_sids, kinit_session_info->server_info->num_sids, "Different numbers of domain groups for kinit-based PAC");
+       torture_assert_int_equal(tctx, netlogon_server_info->num_sids, s2u4self_session_info->server_info->num_sids, "Different numbers of domain groups for S2U4Self");
 
        builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
 
 
        builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
 
-       for (i = 0; i < kinit_session_info->server_info->n_domain_groups; i++) {
-               torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], kinit_session_info->server_info->domain_groups[i]), "Different domain groups for kinit-based PAC");
-               torture_assert(tctx, dom_sid_equal(netlogon_server_info->domain_groups[i], s2u4self_session_info->server_info->domain_groups[i]), "Different domain groups for S2U4Self");
-               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, s2u4self_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups for S2U4Self");
-               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, kinit_session_info->server_info->domain_groups[i]), "Returned BUILTIN domain in groups kinit-based PAC");
-               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, netlogon_server_info->domain_groups[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
+       for (i = 0; i < kinit_session_info->server_info->num_sids; i++) {
+               torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &kinit_session_info->server_info->sids[i]), "Different domain groups for kinit-based PAC");
+               torture_assert(tctx, dom_sid_equal(&netlogon_server_info->sids[i], &s2u4self_session_info->server_info->sids[i]), "Different domain groups for S2U4Self");
+               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s2u4self_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups for S2U4Self");
+               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &kinit_session_info->server_info->sids[i]), "Returned BUILTIN domain in groups kinit-based PAC");
+               torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &netlogon_server_info->sids[i]), "Returned BUILTIN domian in groups from NETLOGON SamLogon reply");
        }
 
        return true;
        }
 
        return true;