The branch, master has been updated
       via  075bd6b9f15 s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()
       via  6f09f06adca auth: Free empty SID arrays
       via  77036bba013 tests/krb5: Use consistent ordering for etypes
       via  e5a6b001fd2 auth: Discard non-base SIDs when creating SamInfo2
       via  690748412ec tests/krb5: Test groups returned by SamLogon
       via  718da90414d tests/krb5: Return validation structure from _test_samlogon()
       via  f38d4a33a6f tests/krb5: Allow tests to set SamLogon validation level
       via  f44943b2bae tests/krb5: Move _test_samlogon() to base class
       via  d2dc8370dd1 s4/dsdb/samldb: Disallow setting a domain-local group as a primary group
       via  4f2f3162138 selftest: Expect setting domain-local group as primary group to fail
       via  1c3a8fa20c7 auth: Correct primary group handling
       via  4e213629356 s4-dsdb: Use correct primary group SID in token group test
       via  39e2413585f s4:torture: Remove assertion that primary group is not duplicated in user_info_dc
       via  96485d8e164 tests/krb5: Add tests for the primary group
       via  e00eeed9d2b auth: Align integer types
       via  24512accc7a s4-dsdb: Simplify search expression
       via  c17e46a2311 ldap: Make use of LDB_OID_COMPARATOR constants
       via  618d95822ed ldap: Cut down on string substitution
       via  e20067c52d6 auth: Make more liberal use of SID index constants
       via  5147f011d9b auth: Shorten long SID flags combinations
       via  e3fdb2d0015 s4:kdc: Add resource SID compression
       via  14d94460ca1 auth: Pass through entire PAC flags value in auth_user_info
       via  8aef16bbbc1 named_pipe_auth: Bump info5 to info6
       via  5043bbed999 s4:torture: Make use of torture_assert_sid_equal()
       via  61e4ad691b9 tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling
       via  9a362f99e0e tests/krb5: Allow setting or resetting PAC flags
       via  0245a588f4f tests/krb5: Add group tests simulating PACs from a trusted domain
       via  bd4af42130c tests/krb5: Allow changing the SID of a user's PAC
       via  11aa940fb34 tests/krb5: Add some more test cases for PAC group handling
       via  7831634be37 tests/krb5: Improve assertion failure message
       via  4ec34d297d0 tests/krb5: Remove tests of KDCs without resource SID compression support
       via  c21d5bf6740 s4: Add 'const' to some parameters
       via  c00fe707937 s4-dsdb: Make sid_list_match() static
       via  6dab2ecddf6 s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()
       via  3d846db42db auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set
       via  c7b76764dc1 auth: Remove early return from make_user_info_dc_pac()
       via  94cda2dfd58 auth: Exclude resource groups from a TGT
       via  673ee782d97 s4:torture: Assert that group attributes match
       via  7050e057429 auth: Store group attributes in auth_user_info_dc
       via  53d72c87e63 s4-dsdb: Add samdb_result_dom_sid_attrs()
       via  8ef6e7dba7f libcli/security: Add auth_SidAttr utility functions
       via  c0011bcdc8d auth.idl: Add auth_SidAttr type
       via  2debc394001 s4:torture: Skip over asserted identity SIDs when comparing groups
       via  c7104fd8ecf s4:torture: Zero-initialise netr_NetworkInfo structure
       via  449163b21d3 tests/krb5: Declare supported encryption types of service account
      from  024571a7a85 waf: Add support for MemorySanitizer
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 075bd6b9f1572c539dbed0d790059a9c6b882137
Author: Andrew Bartlett <abart...@samba.org>
Date:   Wed Feb 8 10:59:56 2023 +1300

    s4-auth: Free user_info_dc in KDC caller to authsam_update_user_info_dc()

    It is up to the caller to choose if it wants to clean up the
    user_info_dc memory early; we do so only in the KDC, as it was
    allocated on a context provided to samba_kdc_update_pac_blob(),
    whereas auth_winbind uses a locally managed tevent state as the
    memory context.

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Feb 8 01:05:47 UTC 2023 on atb-devel-224

commit 6f09f06adcae036a7197cb1bffaac86ab0c72945
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 22 12:50:26 2022 +1300

    auth: Free empty SID arrays

    In the unlikely event that these arrays are empty, they can be freed
    early.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 77036bba013751021f7229f0d78011298b634501
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 19 13:43:08 2022 +1300

    tests/krb5: Use consistent ordering for etypes

    The 'etype' field in a Kerberos request is ordered. Make this fact
    clearer by using a tuple or an array to represent etypes rather than
    a set.

    get_default_enctypes() now returns encryption types in order of
    strength. As a consequence, the encryption type chosen by the MIT KDC
    matches up with that chosen by Windows, and more tests begin to pass.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e5a6b001fd2844bfa5fa56047fb4cc09563966c4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 14:07:06 2022 +1300

    auth: Discard non-base SIDs when creating SamInfo2

    Our SamLogon tests are now all passing.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 690748412ec05a60a598d86c83b84d61015a0669
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 14:06:59 2022 +1300

    tests/krb5: Test groups returned by SamLogon

    Levels NetlogonValidationSamInfo2 and NetlogonValidationSamInfo4
    behave as might be expected, so we pass those tests.

    NetlogonValidationSamInfo returns no resource groups and doesn't set
    the NETLOGON_EXTRA_SIDS flag, and we fail its test.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 718da90414d1b3c56b872b930850615c0668c2f9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 12:32:02 2022 +1300

    tests/krb5: Return validation structure from _test_samlogon()

    This lets us check the groups that are returned.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f38d4a33a6fab9fa6e8e6436f66b0a220d6325ea
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 12:17:13 2022 +1300

    tests/krb5: Allow tests to set SamLogon validation level

    We'll want to test various levels to ensure they all behave as
    expected.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f44943b2bae99a1dde8b5d26baa6ed258b43c2e5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 12:16:00 2022 +1300

    tests/krb5: Move _test_samlogon() to base class

    We'll want to make use of it in the group tests.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d2dc8370dd1916dffa01257b1681fad00f0d33cf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 22 15:54:14 2022 +1300

    s4/dsdb/samldb: Disallow setting a domain-local group as a primary group

    Windows also disallows this.

    Note that changing a primary group to a domain-local group is allowed
    by both Windows and Samba.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4f2f31621385209efa8d715e9bee9256d6ddc71e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 23 07:29:58 2022 +1300

    selftest: Expect setting domain-local group as primary group to fail

    This will no longer be allowed.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1c3a8fa20c79dfbc944b941d47586894d32fcedb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 13 09:04:47 2022 +1300

    auth: Correct primary group handling

    Heretofore we have treated the primary group SID specially, storing
    it in a fixed position as the second element of the
    user_info_dc->sids array, and filtering out other copies in the
    PAC_LOGON_INFO base structure. This filtering has made it difficult
    to distinguish between the case where the primary group is a
    universal or global group, located in the base RIDs, and the case
    where it is a domain-local group, missing from the base RIDs;
    especially since the attributes of a domain-local primary group are
    lost by being stored in the PAC.

    Domain-local primary groups are normally disallowed by Windows, but
    are allowed by Samba, and so it is reasonable to support them with at
    least some measure of consistency.

    The second element of user_info_dc->sids is still reserved for the
    primary group's SID, but we no longer filter out any other copies in
    the array. The first two elements are no more than the SIDs of the
    user and the primary group respectively; and the remaining SIDs are
    as if taken without modification from arrays of SIDs in the PAC.

    user_info_dc->sids should therefore become a more faithful
    representation of the SIDs in the PAC. After adding resource SIDs to
    it with dsdb_expand_resource_groups(), we should have a result that
    more closely and in more cases matches that of Windows.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4e213629356b2f3dd8b31713ebad317353665fd8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:41:50 2022 +1300

    s4-dsdb: Use correct primary group SID in token group test

    This test will thereby continue to pass when we correct the handling
    of primary groups.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 39e2413585fdb76c11cb6b321cd247eb89f05659
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:47:02 2022 +1300

    s4:torture: Remove assertion that primary group is not duplicated in user_info_dc

    This assertion is one we will be breaking shortly.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 96485d8e164df24053cb5b44e88d74c177cd9f79
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:47:41 2022 +1300

    tests/krb5: Add tests for the primary group

    Primary groups are handled differently from normal groups of which a
    user is simply a member. Of particular note is the case where a
    domain-local group is made a primary group; a case normally
    disallowed by Windows, but not by Samba. Therefore we want tests for
    it.

    Our testing framework must be able to set the user's primary group,
    and to clean up afterwards; to set the primary group RID of a PAC;
    and to check that the primary group RID is as expected in the PAC
    returned to us.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e00eeed9d2bdb97ab9bd8e7517f7ed1aa0617d43
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:52:51 2022 +1300

    auth: Align integer types

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 24512accc7a2cca572ae834d54b8f4f6da5a2efe
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:45:29 2022 +1300

    s4-dsdb: Simplify search expression

    We want to find objects for which the groupType attribute has at
    least one of GROUP_TYPE_ACCOUNT_GROUP and GROUP_TYPE_UNIVERSAL_GROUP
    set. For this the OR comparator is perfectly suited. It produces a
    true result if at least one set bit is shared between both operands.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c17e46a23118b9beb0160d15bd6d8d9cc723448c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 14:24:18 2022 +1300

    ldap: Make use of LDB_OID_COMPARATOR constants

    These constants allow one to tell at a glance what search operation
    is being performed.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 618d95822edb83a5f107c23dac450c0025b3e295
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:41:03 2022 +1300

    ldap: Cut down on string substitution

    Constant strings can be inserted directly into format strings,
    reducing the amount of string substitution to be performed.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e20067c52d642123b7ed929c1e35a2c0d144b13c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 16 12:08:41 2022 +1300

    auth: Make more liberal use of SID index constants

    Arrays of SIDs are handled not fully consistently throughout the
    codebase. Sometimes SIDs in the first and second positions represent
    a user and a primary group respectively; other times they don't mean
    anything in particular. Using these index constants in situations of
    the former sort can help to clarify our intent.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5147f011d9b2b37dd46939d4b50d71d50a6776c1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 15 11:58:11 2022 +1300

    auth: Shorten long SID flags combinations

    The combination MANDATORY | ENABLED_BY_DEFAULT | ENABLED is very
    commonly used, and introducing a shorter alias for it makes the code
    clearer.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e3fdb2d00152d86558a2ba29b92fd36440055461
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 2 10:49:20 2022 +1300

    s4:kdc: Add resource SID compression

    The domain-local groups that are added to the PAC of a service ticket
    are now, if the service doesn't disclaim support for SID compression,
    placed into the resource groups structure in PAC_LOGON_INFO.

    In a TGS exchange directed to a KDC, rather than to a service, the
    resource groups structure is simply copied into the updated PAC
    without any processing being done.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 14d94460ca1ef22269373f36ec50df248aca9465
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 10:50:01 2022 +1300

    auth: Pass through entire PAC flags value in auth_user_info

    Besides the NETLOGON_GUEST bit indicating whether the user has been
    authenticated, we now carry all of the other bits as well. This lets
    us match Windows' behaviour of simply passing these bits through to
    an updated PAC when processing a TGS-REQ.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8aef16bbbc1e55f0a9f5a8ec87e5348688d93785
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 22 17:48:26 2022 +1300

    named_pipe_auth: Bump info5 to info6

    In the next commit, we shall replace the 'authenticated' field of
    named_pipe_auth_req_info.info5.session_info.session_info.info with a
    more general 'user_flags' field.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5043bbed9993cc08ee752a3fe44f835aedbbc129
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 10:28:45 2022 +1300

    s4:torture: Make use of torture_assert_sid_equal()

    This macro produces a slightly more useful message if the assertion
    fails.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 61e4ad691b9b01890b2c29fdd395c59225344451
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:20:18 2022 +1300

    tests/krb5: Add tests of NETLOGON_RESOURCE_GROUPS flag handling

    This lets us test what happens in TGS-REQ exchanges to the KDC, when
    the flags and resource groups are simply passed through into the new
    PAC, regardless of what value the flags hold.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9a362f99e0e657f4d63e987ce5b0a6a1e4a177f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:08:28 2022 +1300

    tests/krb5: Allow setting or resetting PAC flags

    This lets us test what happens when the flags in the PAC, such as
    NETLOGON_RESOURCE_GROUPS, are given "interesting" values.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0245a588f4f06f9dd2f8b3eff56d6bef102f4879
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:20:53 2022 +1300

    tests/krb5: Add group tests simulating PACs from a trusted domain

    Crucially, in these tests the user's domain and its SID are different
    from our domain and its SID. These tests will assert that in such a
    case resource groups are added to the PAC and handled correctly.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bd4af42130c40fff5bcbab938da0f99e1b3ea4de
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:05:05 2022 +1300

    tests/krb5: Allow changing the SID of a user's PAC

    This lets us simulate a ticket of a user from another domain.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 11aa940fb347e9541754f7ab365f6d09bba20395
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:17:19 2022 +1300

    tests/krb5: Add some more test cases for PAC group handling

    Change some of the attributes in TGS-REQ PACs to ensure they are
    handled correctly.

    Add a test of a PAC containing resource SIDs for a service without
    resource SID compression support, ensuring the SIDs are correctly
    removed.

    Add a Samba 4.17 compatibility test for a service with resource SID
    compression support.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7831634be3765cc3958003ebfd031c7b96d381dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:02:29 2022 +1300

    tests/krb5: Improve assertion failure message

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4ec34d297d077ccb7b41770d1c6cb22cdbaee712
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 10:57:42 2022 +1300

    tests/krb5: Remove tests of KDCs without resource SID compression support

    As part of mitigations of CVE-2022-37966, we no longer regard the
    msDS-SupportedEncryptionTypes attribute of the KDC when determining
    its supported encryption types. Thus, these tests that try to disable
    SID compression support by setting this attribute run to no purpose.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c21d5bf6740d246a5d887f696f21940cf7cf4079
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 14:14:18 2022 +1300

    s4: Add 'const' to some parameters

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c00fe707937f7f19cb9107d8459ae614f1baa8aa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 14:23:26 2022 +1300

    s4-dsdb: Make sid_list_match() static

    It's not used anywhere other than this file.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6dab2ecddf6b9ebc10d1ed3cfcb5f8f4f2236f1c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 14:32:23 2022 +1300

    s4-dsdb: Check for talloc failure in dsdb_expand_nested_groups()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3d846db42db15465d47f2c5e285d3e958bdf5f98
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 19:27:24 2022 +1300

    auth: Only process resource groups if NETLOGON_RESOURCE_GROUPS flag is set

    MS-PAC section 2.5 states that if the resource_groups member is
    non-NULL, or resource_groups.groups.count is not zero, the
    NETLOGON_RESOURCE_GROUPS flag MUST be set. Thus, there's no need to
    process resource groups if the flag is not set.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c7b76764dc10fd2479f51ddf3fb4f1eb20790371
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 19:37:12 2022 +1300

    auth: Remove early return from make_user_info_dc_pac()

    'rg' is never NULL, so this codepath is never taken. But if it were,
    we would return early and entirely neglect filling in the
    UPN_DNS_INFO from the 'pac_upn_dns_info' parameter. So remove the
    early return.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 94cda2dfd58a4f3d3e0011b67fa0be7d11570cb6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 27 14:51:54 2022 +1300

    auth: Exclude resource groups from a TGT

    Resource group SIDs should only be placed into a service ticket, but
    we were including them in all tickets. Now that we have access to the
    group attributes, we'll filter out any groups with SE_GROUP_RESOURCE
    set if we're creating a TGT.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 673ee782d97c19bf240e37d4714e8a51fbf80457
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 8 13:34:14 2022 +1300

    s4:torture: Assert that group attributes match

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7050e05742956bb75c4b27f39f97adc4d544e0f1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 27 15:13:12 2022 +1300

    auth: Store group attributes in auth_user_info_dc

    Group expansion, performed in dsdb_expand_nested_groups(), now
    incorporates a check of the type of each group. Those that are
    resource groups receive the SE_GROUP_RESOURCE bit in the attributes
    which are now carried alongside each group SID.

    Whereas before, in auth_convert_user_info_dc_sambaseinfo() and
    auth_convert_user_info_dc_saminfo6(), we invariantly used the flag
    combination SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT |
    SE_GROUP_ENABLED to set attributes in the PAC, we now take the
    correct attributes from user_info_dc.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 53d72c87e6362e24eb922a5a9040e5d631c7fce4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 7 14:28:21 2022 +1300

    s4-dsdb: Add samdb_result_dom_sid_attrs()

    This function is modelled on samdb_result_dom_sid(). It allocates,
    rather than a dom_sid, an auth_SidAttr object, which we can pass to
    other functions accepting an auth_SidAttr.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8ef6e7dba7f243310db3d9769f3fb4a3ad4d6daa
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 27 15:12:52 2022 +1300

    libcli/security: Add auth_SidAttr utility functions

    These functions are modelled on add_sid_to_array() and
    add_sid_to_array_unique(). They differ in that they operate not on an
    array of dom_sid, but of auth_SidAttr, and take an additional 'attrs'
    parameter of type uint32_t.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c0011bcdc8dbe6495180268a13b95d1f5b64f525
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 27 15:12:19 2022 +1300

    auth.idl: Add auth_SidAttr type

    This type incorporates, alongside a SID, a group attributes member,
    through which attributes from a PAC or the AD database can be
    conveyed into the completed PAC.

    A useful benefit this provides is the ability to distinguish and
    exclude domain-local groups, which only belong in service tickets,
    from the PAC of a TGT.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2debc39400118754eaf402def73dd4e9008f0f21
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 8 13:34:07 2022 +1300

    s4:torture: Skip over asserted identity SIDs when comparing groups

    We've already tested for the existence of these SIDs, and the
    assumption that they are always the last element in a PAC is false.
    We must check all the SIDs in each array, skipping over ones that
    were found to be asserted identity SIDs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c7104fd8ecf8572304e16ef554961e3cdc55c0ff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 8 13:33:25 2022 +1300

    s4:torture: Zero-initialise netr_NetworkInfo structure

    This ensures that no members contain garbage data.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 449163b21d314186460b09178e2c6656bae80f51
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Dec 12 11:01:20 2022 +1300

    tests/krb5: Declare supported encryption types of service account

    If SID compression support is disabled for a created account,
    msDS-SupportedEncryptionTypes will be set to a value that includes
    the RESOURCE_SID_COMPRESSION_DISABLED bit, but no actual encryption
    type bits. Since stricter encryption type handling was introduced to
    address CVE-2022-37966, this combination has been interpreted as an
    expression of no encryption type support, and trying to make a
    Kerberos request to a service with such a combination of bits will
    fail with ERR_ETYPE_NOSUPP.

    To allow us to make Kerberos requests to test service accounts again,
    we must set some actual encryption type bits.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                                  |    4 +-
 auth/auth_sam_reply.c                            |  381 +++++--
 auth/auth_sam_reply.h                            |   10 +-
 auth/wbc_auth_util.c                             |   16 +-
 lib/afs/afs_funcs.c                              |    2 +-
 libcli/named_pipe_auth/npa_tstream.c             |  114 +--
 libcli/named_pipe_auth/npa_tstream.h             |    4 +-
 libcli/security/dom_sid.h                        |    7 +
 libcli/security/security_token.h                 |    2 +
 libcli/security/util_sid.c                       |   68 ++
 libgpo/gpo_reg.c                                 |   10 +-
 librpc/idl/auth.idl                              |   32 +-
 librpc/idl/named_pipe_auth.idl                   |    8 +-
 librpc/idl/netlogon.idl                          |    1 +
 librpc/idl/security.idl                          |    5 +
 librpc/rpc/dcesrv_handles.c                      |    8 +-
 python/samba/tests/krb5/as_req_tests.py          |   20 +-
 python/samba/tests/krb5/group_tests.py           | 1178 ++++++++++++++++++++--
 python/samba/tests/krb5/kdc_base_test.py         |  120 ++-
 python/samba/tests/krb5/protected_users_tests.py |   92 +-
 python/samba/tests/krb5/raw_testcase.py          |   53 +-
 python/samba/tests/krb5/s4u_tests.py             |    4 +-
 selftest/knownfail_heimdal_kdc                   |   21 -
 selftest/knownfail_mit_kdc                       |   36 -
 selftest/knownfail_mit_kdc_1_20                  |   14 +
 source3/auth/auth_ntlmssp.c                      |    2 +-
 source3/auth/auth_samba4.c                       |    4 +-
 source3/auth/auth_util.c                         |   41 +-
 source3/auth/server_info.c                       |    4 +-
 source3/lib/util_sid.c                           |    3 -
 source3/librpc/idl/rpc_host.idl                  |    2 +-
 source3/passdb/pdb_ldap.c                        |  147 +--
 source3/passdb/pdb_samba_dsdb.c                  |    8 +-
 source3/rpc_client/local_np.c                    |   44 +-
 source3/rpc_server/rpc_host.c                    |   66 +-
 source3/rpc_server/rpc_worker.c                  |   50 +-
 source3/rpc_server/samr/srv_samr_nt.c            |   11 +-
 source3/winbindd/idmap_ldap.c                    |    3 +-
 source3/winbindd/winbindd_ads.c                  |   11 +-
 source4/auth/auth.h                              |    2 +-
 source4/auth/kerberos/kerberos.h                 |    1 +
 source4/auth/kerberos/kerberos_pac.c             |   34 +-
 source4/auth/ntlm/auth.c                         |    6 +-
 source4/auth/ntlm/auth_developer.c               |    7 +-
 source4/auth/ntlm/auth_simple.c                  |    2 +-
 source4/auth/sam.c                               |   98 +-
 source4/auth/session.c                           |   32 +-
 source4/auth/system_session.c                    |   57 +-
source4/auth/unix_token.c | 26 +- source4/dns_server/dlz_bind9.c | 2 +- source4/dsdb/common/rodc_helper.c | 20 +- source4/dsdb/common/util.c | 41 +- source4/dsdb/common/util_groups.c | 60 +- source4/dsdb/samdb/cracknames.c | 4 +- source4/dsdb/samdb/ldb_modules/audit_util.c | 4 +- source4/dsdb/samdb/ldb_modules/operational.c | 49 +- source4/dsdb/samdb/ldb_modules/samldb.c | 14 +- source4/dsdb/samdb/samdb.c | 6 +- source4/dsdb/samdb/samdb.h | 1 + source4/dsdb/tests/python/token_group.py | 4 +- source4/kdc/db-glue.c | 12 +- source4/kdc/db-glue.h | 2 +- source4/kdc/mit_samba.c | 20 +- source4/kdc/pac-glue.c | 148 ++- source4/kdc/pac-glue.h | 12 +- source4/kdc/wdc-samba4.c | 19 +- source4/rpc_server/drsuapi/dcesrv_drsuapi.c | 2 +- source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 +- source4/rpc_server/samr/dcesrv_samr.c | 20 +- source4/setup/tests/blackbox_group.sh | 3 +- source4/smb_server/smb/sesssetup.c | 4 +- source4/torture/auth/pac.c | 24 +- source4/torture/krb5/kdc-canon-heimdal.c | 2 +- source4/torture/rpc/remote_pac.c | 50 +- source4/torture/winbind/winbind.c | 38 +- 75 files changed, 2568 insertions(+), 871 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/auth_log.c b/auth/auth_log.c index dc1cea12390..787a9ec6b42 100644 --- a/auth/auth_log.c +++ b/auth/auth_log.c @@ -407,7 +407,7 @@ static void log_successful_authz_event_json( goto failure; } rc = json_add_sid( - &authorization, "sid", &session_info->security_token->sids[0]); + &authorization, "sid", &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]); if (rc != 0) { goto failure; } @@ -758,7 +758,7 @@ static void log_successful_authz_event_human_readable( auth_type, log_escape(frame, session_info->info->domain_name), log_escape(frame, session_info->info->account_name), - dom_sid_str_buf(&session_info->security_token->sids[0], + dom_sid_str_buf(&session_info->security_token->sids[PRIMARY_USER_SID_INDEX], &sid_buf), ts, remote_str, 
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 173a5132964..2a35723e355 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c 
@@ -25,6 +25,165 @@ #include "libcli/security/security.h" #include "auth/auth_sam_reply.h" +/* Returns true if this SID belongs in SamBaseInfo, otherwise false. */ +static bool is_base_sid(const struct auth_SidAttr *sid, + const struct dom_sid *domain_sid) +{ + if (sid->attrs & SE_GROUP_RESOURCE) { + /* + * Resource groups don't belong in the base + * RIDs, they're handled elsewhere. + */ + return false; + } + + /* + * This SID belongs in the base structure only if it's in the account's + * domain. + */ + return dom_sid_in_domain(domain_sid, &sid->sid); +} + +/* Stores a SID in a previously allocated array. */ +static NTSTATUS store_extra_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid) +{ + /* Check we aren't about to overflow our allocation. */ + if (*sidcount >= allocated_sids) { + return NT_STATUS_INVALID_PARAMETER; + } + + sids[*sidcount].sid = dom_sid_dup(sids, &sid->sid); + if (sids[*sidcount].sid == NULL) { + return NT_STATUS_NO_MEMORY; + } + sids[*sidcount].attributes = sid->attrs; + *sidcount += 1; + + return NT_STATUS_OK; +} + +/* + * Stores a resource SID in a previously allocated array, either Extra SIDs or + * Resource SIDs. Any SID within the domain of the first SID so added is stored + * there, while remaining SIDs are stored in Extra SIDs. + */ +static NTSTATUS store_resource_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid, + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups, + const uint32_t allocated_resource_groups) +{ + NTSTATUS status; + + struct dom_sid *resource_domain = NULL; + uint32_t rid; + + if (resource_groups == NULL) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Split the SID into domain and RID. 
*/ + status = dom_sid_split_rid(resource_groups, &sid->sid, &resource_domain, &rid); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (resource_groups->domain_sid == NULL) { + /* + * There is no domain SID set. Set it to the domain of this SID. + */ + resource_groups->domain_sid = resource_domain; + } else { + /* + * A domain SID has already been set. Check whether this SID's + * domain matches. + * + * Assuming that resource SIDs have been obtained with + * dsdb_expand_nested_groups(), they should all be within the + * same domain (ours), so unless something has gone horribly + * wrong, we should always find that they match. + */ + bool match = dom_sid_equal(resource_groups->domain_sid, resource_domain); + talloc_free(resource_domain); + if (!match) { + /* + * It doesn't match, so we can't store this SID here. It + * will have to go in Extra SIDs. + */ + return store_extra_sid(sids, sidcount, allocated_sids, sid); + } + } + + /* Store the SID in Resource SIDs. */ + + /* Check we aren't about to overflow our allocation. */ + if (resource_groups->groups.count >= allocated_resource_groups) { + return NT_STATUS_INVALID_PARAMETER; + } + + resource_groups->groups.rids[resource_groups->groups.count].rid = rid; + resource_groups->groups.rids[resource_groups->groups.count].attributes = sid->attrs; + resource_groups->groups.count++; + + return NT_STATUS_OK; +} + +/* + * Stores a SID in a previously allocated array, or excludes it if we are not + * storing resource groups. It will be placed in either Extra SIDs or Resource + * SIDs, depending on which is appropriate. + */ +static NTSTATUS store_sid(struct netr_SidAttr *sids, + uint32_t *sidcount, + const uint32_t allocated_sids, + const struct auth_SidAttr *sid, + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups, + const uint32_t allocated_resource_groups, + const enum auth_group_inclusion group_inclusion) +{ + /* See if it's a resource SID. 
*/ + if (sid->attrs & SE_GROUP_RESOURCE) { + /* + * If this is the SID of a resource group, determine whether it + * should be included or filtered out. + */ + switch (group_inclusion) { + case AUTH_INCLUDE_RESOURCE_GROUPS: + /* Include this SID in Extra SIDs. */ + break; + case AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED: + /* + * Try to include this SID in Resource Groups. If this + * can't be arranged, we shall fall back to Extra + * SIDs. + */ + return store_resource_sid(sids, + sidcount, + allocated_sids, + sid, + resource_groups, + allocated_resource_groups); + case AUTH_EXCLUDE_RESOURCE_GROUPS: + /* Ignore this SID. */ + return NT_STATUS_OK; + default: + /* This means we have a bug. */ + DBG_ERR("invalid group inclusion parameter: %u\n", group_inclusion); + return NT_STATUS_INVALID_PARAMETER; + } + } + + /* Just store the SID in Extra SIDs. */ + return store_extra_sid(sids, + sidcount, + allocated_sids, + sid); +} + static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, struct netr_SamBaseInfo *sam) @@ -35,7 +194,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, ZERO_STRUCTP(sam); if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX) { - status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX], + status = dom_sid_split_rid(sam, &user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, &sam->domain_sid, &sam->rid); if (!NT_STATUS_IS_OK(status)) { return status; @@ -45,7 +204,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, } if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) { - status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], + status = dom_sid_split_rid(NULL, &user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, NULL, &sam->primary_gid); if (!NT_STATUS_IS_OK(status)) { return status; 
@@ -89,7 +248,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, sam->groups.count = 0; sam->groups.rids = NULL; - if (user_info_dc->num_sids > PRIMARY_GROUP_SID_INDEX) { + if (user_info_dc->num_sids > REMAINING_SIDS_INDEX) { size_t i; sam->groups.rids = talloc_array(mem_ctx, struct samr_RidWithAttribute, user_info_dc->num_sids); @@ -97,25 +256,27 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, if (sam->groups.rids == NULL) return NT_STATUS_NO_MEMORY; - for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) { - struct dom_sid *group_sid = &user_info_dc->sids[i]; - if (!dom_sid_in_domain(sam->domain_sid, group_sid)) { + for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) { + struct auth_SidAttr *group_sid = &user_info_dc->sids[i]; + + bool belongs_in_base = is_base_sid(group_sid, sam->domain_sid); + if (!belongs_in_base) { /* We handle this elsewhere */ continue; } sam->groups.rids[sam->groups.count].rid = - group_sid->sub_auths[group_sid->num_auths-1]; + group_sid->sid.sub_auths[group_sid->sid.num_auths-1]; - sam->groups.rids[sam->groups.count].attributes = - SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + sam->groups.rids[sam->groups.count].attributes = group_sid->attrs; sam->groups.count += 1; } - } - sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */ - if (!user_info_dc->info->authenticated) { - sam->user_flags |= NETLOGON_GUEST; + if (sam->groups.count == 0) { + TALLOC_FREE(sam->groups.rids); + } } + + sam->user_flags = info->user_flags; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */ sam->acct_flags = user_info_dc->info->acct_flags; sam->sub_auth_status = 0; sam->last_successful_logon = 0; 
@@ -137,54 +298,108 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, return NT_STATUS_OK; } -/* Note that the validity of the _sam6 structure is only as long as - * the user_info_dc it was generated from */ +/* Note that the validity of the _sam6 and resource_groups structures is only as + * long as the user_info_dc it was generated from */ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, - struct netr_SamInfo6 **_sam6) + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo6 **_sam6, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups) { NTSTATUS status; struct netr_SamInfo6 *sam6 = NULL; + struct PAC_DOMAIN_GROUP_MEMBERSHIP *resource_groups = NULL; size_t i; + const uint32_t allocated_sids = user_info_dc->num_sids; + uint32_t allocated_resource_groups = 0; + sam6 = talloc_zero(mem_ctx, struct netr_SamInfo6); if (sam6 == NULL) { return NT_STATUS_NO_MEMORY; } + if (_resource_groups == NULL) { + if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) { + DBG_ERR("_resource_groups parameter not provided to receive resource groups!\n"); + TALLOC_FREE(sam6); + return NT_STATUS_INVALID_PARAMETER; + } + } else if (group_inclusion == AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED) { + *_resource_groups = NULL; + + /* Allocate resource groups structure. */ + resource_groups = talloc_zero(mem_ctx, struct PAC_DOMAIN_GROUP_MEMBERSHIP); + if (resource_groups == NULL) { + TALLOC_FREE(sam6); + return NT_STATUS_NO_MEMORY; + } + + /* + * Allocate enough space to store user_info_dc->num_sids + * RIDs in the worst case. 
+ */ + allocated_resource_groups = user_info_dc->num_sids; + resource_groups->groups.rids = talloc_zero_array(resource_groups, + struct samr_RidWithAttribute, + allocated_resource_groups); + if (resource_groups->groups.rids == NULL) { + TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); + return NT_STATUS_NO_MEMORY; + } + } else { + /* No resource groups will be provided. */ + *_resource_groups = NULL; + } + status = auth_convert_user_info_dc_sambaseinfo(sam6, user_info_dc, &sam6->base); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); return status; } - sam6->sids = talloc_array(sam6, struct netr_SidAttr, - user_info_dc->num_sids); + /* + * Allocate enough space to store user_info_dc->num_sids SIDs in the + * worst case. + */ + sam6->sids = talloc_zero_array(sam6, struct netr_SidAttr, + allocated_sids); if (sam6->sids == NULL) { TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); return NT_STATUS_NO_MEMORY; } /* We don't put the user and group SIDs in there */ - for (i=2; i<user_info_dc->num_sids; i++) { - if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i])) { + for (i=REMAINING_SIDS_INDEX; i<user_info_dc->num_sids; i++) { + struct auth_SidAttr *group_sid = &user_info_dc->sids[i]; + bool belongs_in_base = is_base_sid(group_sid, sam6->base.domain_sid); + if (belongs_in_base) { + /* We already handled this in the base. 
*/ continue; } - sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i]); - if (sam6->sids[sam6->sidcount].sid == NULL) { + + status = store_sid(sam6->sids, + &sam6->sidcount, + allocated_sids, + group_sid, + resource_groups, + allocated_resource_groups, + group_inclusion); + if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sam6); - return NT_STATUS_NO_MEMORY; + TALLOC_FREE(resource_groups); + return status; } - sam6->sids[sam6->sidcount].attributes = - SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; - sam6->sidcount += 1; } if (sam6->sidcount) { sam6->base.user_flags |= NETLOGON_EXTRA_SIDS; } else { - sam6->sids = NULL; + TALLOC_FREE(sam6->sids); } if (user_info_dc->info->dns_domain_name != NULL) { @@ -192,6 +407,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, user_info_dc->info->dns_domain_name); if (sam6->dns_domainname.string == NULL) { TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); return NT_STATUS_NO_MEMORY; } } @@ -201,11 +417,19 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, user_info_dc->info->user_principal_name); if (sam6->principal_name.string == NULL) { TALLOC_FREE(sam6); + TALLOC_FREE(resource_groups); return NT_STATUS_NO_MEMORY; } } *_sam6 = sam6; + if (resource_groups != NULL) { + if (resource_groups->groups.count > 0) { + *_resource_groups = resource_groups; + } else { + TALLOC_FREE(resource_groups); + } + } return NT_STATUS_OK; } @@ -213,6 +437,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx, * the user_info_dc it was generated from */ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, + enum auth_group_inclusion group_inclusion, struct netr_SamInfo2 **_sam2) { NTSTATUS status; 
@@ -224,12 +449,20 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6); + status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, + group_inclusion, &sam6, + NULL); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sam2); return status; } sam2->base = sam6->base; + /* + * We have nowhere to put sam6->sids, so we follow Windows here and drop + * it. Any resource groups it happened to be contain are lost. + */ + sam2->base.user_flags &= ~NETLOGON_EXTRA_SIDS; + TALLOC_FREE(sam6->sids); *_sam2 = sam2; return NT_STATUS_OK; @@ -239,7 +472,9 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx, * the user_info_dc it was generated from */ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx, const struct auth_user_info_dc *user_info_dc, - struct netr_SamInfo3 **_sam3) + enum auth_group_inclusion group_inclusion, + struct netr_SamInfo3 **_sam3, + struct PAC_DOMAIN_GROUP_MEMBERSHIP **_resource_groups) { NTSTATUS status; struct netr_SamInfo6 *sam6 = NULL; @@ -250,7 +485,9 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx, return NT_STATUS_NO_MEMORY; } - status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6); + status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, + group_inclusion, &sam6, + _resource_groups); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(sam3); return status; 
@@ -326,8 +563,14 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx, info->bad_password_count = base->bad_password_count; info->acct_flags = base->acct_flags; - /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */ - info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST))); + info->user_flags = base->user_flags; + if (!authenticated) { + /* + * We only consider the user authenticated if NETLOGON_GUEST is + * not set, and authenticated is set + */ + info->user_flags |= NETLOGON_GUEST; + } *_user_info = info; return NT_STATUS_OK; @@ -435,30 +678,35 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_PARAMETER; } - user_info_dc->num_sids = 2; + user_info_dc->num_sids = PRIMARY_SIDS_COUNT; - user_info_dc->sids = talloc_array(user_info_dc, struct dom_sid, user_info_dc->num_sids + base->groups.count); + user_info_dc->sids = talloc_array(user_info_dc, struct auth_SidAttr, user_info_dc->num_sids + base->groups.count); NT_STATUS_HAVE_NO_MEMORY(user_info_dc->sids); - user_info_dc->sids[PRIMARY_USER_SID_INDEX] = *base->domain_sid; - if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX], base->rid)) { + user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_USER_SID_INDEX].sid, base->rid)) { return NT_STATUS_INVALID_PARAMETER; } + user_info_dc->sids[PRIMARY_USER_SID_INDEX].attrs = SE_GROUP_DEFAULT_FLAGS; - user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = *base->domain_sid; - if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX], base->primary_gid)) { + user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid = *base->domain_sid; + if (!sid_append_rid(&user_info_dc->sids[PRIMARY_GROUP_SID_INDEX].sid, base->primary_gid)) { -- Samba Shared Repository
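Review bot: In store_resource_sid(), the domain-mismatch fallback hands the SID to store_extra_sid() unchanged, so an entry carrying SE_GROUP_RESOURCE in its attributes lands in Extra SIDs rather than in the resource groups structure. If that is the intended behaviour for a SID from a foreign domain, the block comment above the function ("remaining SIDs are stored in Extra SIDs") should say that the SE_GROUP_RESOURCE attribute is preserved on that path, so consumers of Extra SIDs know they may see resource-flagged entries there.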
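Review bot: In auth_convert_user_info_dc_sambaseinfo() the new line `sam->user_flags = info->user_flags;` uses a bare `info`, while the neighbouring lines in the same hunk read `sam->acct_flags = user_info_dc->info->acct_flags;`. If `info` is a local alias declared earlier in the function, fine, but for consistency with the surrounding code (and to avoid picking up a differently named variable by accident) `user_info_dc->info->user_flags` would be clearer.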
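Review bot: In auth_convert_user_info_dc_saminfo6(), `resource_groups` is allocated with `talloc_zero(mem_ctx, ...)` rather than on `sam6`, so TALLOC_FREE(sam6) by a caller will not release it; the updated header comment only says both structures live as long as the user_info_dc. Either parent it on `sam6` or state in the header comment that the caller owns `*_resource_groups` separately and must free it. The error paths are consistent (every early return frees both), so this is only about the success-path ownership.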
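Review bot: In auth_convert_user_info_dc_saminfo2(), passing `NULL` as `_resource_groups` means a caller that asks for AUTH_INCLUDE_RESOURCE_GROUPS_COMPRESSED gets NT_STATUS_INVALID_PARAMETER and a DBG_ERR from saminfo6(), even though SamInfo2 has nowhere to put those groups anyway (the hunk clears NETLOGON_EXTRA_SIDS and frees `sam6->sids`). Consider mapping COMPRESSED to AUTH_EXCLUDE_RESOURCE_GROUPS before the call, or documenting that SamInfo2 callers must not pass it. Also a typo in the new comment: "Any resource groups it happened to be contain are lost" should read "happened to contain".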
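Review bot: In make_user_info_dc_netlogon_validation(), `user_info_dc->sids` is allocated with `talloc_array` (not `talloc_zero_array`), so the new `attrs` field is uninitialised until set explicitly. The hunk sets `.attrs = SE_GROUP_DEFAULT_FLAGS` for PRIMARY_USER_SID_INDEX, but the patch is cut off before the primary group entry and the `base->groups` loop; please confirm every element gets its `attrs` assigned (the group entries presumably from `base->groups.rids[i].attributes`), since later code such as is_base_sid() now tests `sid->attrs & SE_GROUP_RESOURCE` on these entries.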