The branch, master has been updated
       via  63aeb64504c s4:kdc: Add device to Authenticated Users for authentication policy evaluation
       via  eaffadb8286 s4:kdc: Add a flag indicating that the device should be added to Authenticated Users
       via  c91d1618e33 s4:kdc: Add device to default groups for authentication policy evaluation
       via  fc2f886441e s4:kdc: Add a flag indicating that the device should be added to the default groups
       via  7728a0622e0 s4:kdc: Make a copy of the device SIDs to be placed in the security token
       via  eb21ac87776 tests/krb5: Test whether the device belongs to some default groups
       via  0f5033a1e76 tests/krb5: Work around Samba’s incorrect krbtgt principal handling
       via  4e8fb9706e2 tests/krb5: Remove unnecessary target_creds variables
      from  4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 63aeb64504cf6b9cbb52ac338129b9930d65f6b3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Oct 20 15:01:30 2023 +1300

    s4:kdc: Add device to Authenticated Users for authentication policy evaluation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Oct 24 01:59:32 UTC 2023 on atb-devel-224

commit eaffadb8286ef6d68d433f8c8f244f20ad00e9d3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Oct 20 15:00:12 2023 +1300

    s4:kdc: Add a flag indicating that the device should be added to Authenticated Users

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c91d1618e339da1c29b371866d5ab243e3d3fad6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 20:02:43 2023 +1300

    s4:kdc: Add device to default groups for authentication policy evaluation

    This means that expressions like ‘Device_Member_of(WD)’ will now work, as
    they should. It *also* means that expressions like ‘Device_Member_of(NU)’
    will work, even though they shouldn’t. This is because we consider
    SID_NT_NETWORK to be a default group.

    Our new behaviour may be wrong, but at least it’s now consistent with the
    behaviour of user‐relative expressions like ‘Member_of(WD)’ and
    ‘Member_of(NU)’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fc2f886441e2cd806c26712762a6813f6ce4f924
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 20:02:32 2023 +1300

    s4:kdc: Add a flag indicating that the device should be added to the default groups

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7728a0622e0f7a7bf672131b757799e03b99d2dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 20:02:13 2023 +1300

    s4:kdc: Make a copy of the device SIDs to be placed in the security token

    We shall need to add extra SIDs on the end.

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit eb21ac87776d113e40070babadcf104f087c0b1d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 17:11:41 2023 +1300

    tests/krb5: Test whether the device belongs to some default groups

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0f5033a1e76a0e079b6dc1859f2cb2d9110e1b1f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 16:23:32 2023 +1300

    tests/krb5: Work around Samba’s incorrect krbtgt principal handling

    These tests fail only because they are using the ‘krbtgt@REALM’ form of
    the krbtgt principal that Samba doesn’t handle correctly.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4e8fb9706e226fe4f44140c1df64c155c36f22f7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Oct 19 16:22:28 2023 +1300

    tests/krb5: Remove unnecessary target_creds variables
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/common_auth.h | 2 + python/samba/tests/krb5/conditional_ace_tests.py | 229 ++++++++++++++++++++--- python/samba/tests/krb5/kdc_tgs_tests.py | 8 +- selftest/knownfail_heimdal_kdc | 8 +- selftest/knownfail_mit_kdc | 9 +- source4/auth/session.c | 59 +++++- source4/kdc/authn_policy_util.c | 5 + 7 files changed, 280 insertions(+), 40 deletions(-) Changeset truncated at 500 lines: diff --git a/auth/common_auth.h b/auth/common_auth.h index 58fb2cd0b3d..1afb79eb5df 100644 --- a/auth/common_auth.h +++ b/auth/common_auth.h @@ -41,6 +41,8 @@ enum auth_password_state { #define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */ #define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */ #define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */ +#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */ +#define AUTH_SESSION_INFO_DEVICE_AUTHENTICATED 0x80 /* Add the device to the 'authenticated users' group */ struct auth_usersupplied_info { diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index c478dfe00a8..89ea8d4432e 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -2924,11 +2924,9 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() - # Show that authentication fails. self._armored_as_req(client_creds, - target_creds, + self.get_krbtgt_creds(), mach_tgt, expected_error=KDC_ERR_POLICY) 
@@ -2980,12 +2978,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() # Show that authentication succeeds. self._armored_as_req(client_creds, - target_creds, - mach_tgt) + self.get_krbtgt_creds(), + mach_tgt, + target_sname=krbtgt_sname) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -3031,11 +3033,9 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() - # Show that authentication fails. self._armored_as_req(client_creds, - target_creds, + self.get_krbtgt_creds(), mach_tgt, expected_error=KDC_ERR_POLICY) @@ -3216,11 +3216,9 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() - # Show that authentication fails. self._armored_as_req(client_creds, - target_creds, + self.get_krbtgt_creds(), mach_tgt, expected_error=KDC_ERR_POLICY) @@ -3315,11 +3313,9 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() - # Show that authentication fails. self._armored_as_req(client_creds, - target_creds, + self.get_krbtgt_creds(), mach_tgt, expected_error=KDC_ERR_POLICY) 
@@ -3370,12 +3366,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() # Show that authentication succeeds. self._armored_as_req(client_creds, - target_creds, - mach_tgt) + self.get_krbtgt_creds(), + mach_tgt, + target_sname=krbtgt_sname) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -3426,11 +3426,9 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - target_creds = self.get_krbtgt_creds() - # Show that authentication fails. self._armored_as_req(client_creds, - target_creds, + self.get_krbtgt_creds(), mach_tgt, expected_error=KDC_ERR_POLICY) 
@@ -3443,6 +3441,95 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): reason=AuditReason.ACCESS_DENIED, status=ntstatus.NT_STATUS_INVALID_WORKSTATION) + def test_device_in_world_group(self): + self._check_device_in_group(security.SID_WORLD) + + def test_device_in_network_group(self): + self._check_device_not_in_group(security.SID_NT_NETWORK) + + def test_device_in_authenticated_users(self): + self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS) + + def _check_device_in_group(self, group): + self._check_device_membership(group, expect_in_group=True) + + def _check_device_not_in_group(self, group): + self._check_device_membership(group, expect_in_group=False) + + def _check_device_membership(self, group, *, expect_in_group): + """Test that authentication succeeds or fails when the device is + required to belong to a certain group. + """ + + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'id': 'device'}) + mach_tgt = self.get_tgt(mach_creds) + + # Create an authentication policy that requires the device to belong to + # a certain group. + in_group_sddl = self.allow_if(f'Member_of {{SID({group})}}') + in_group_policy = self.create_authn_policy( + enforced=True, user_allowed_from=in_group_sddl) + + # Create a user account with the assigned policy. + client_creds = self._get_creds(account_type=self.AccountType.USER, + assigned_policy=in_group_policy) + + krbtgt_creds = self.get_krbtgt_creds() + + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() + + # Test whether authentication succeeds or fails. 
+ self._armored_as_req( + client_creds, + krbtgt_creds, + mach_tgt, + target_sname=krbtgt_sname, + expected_error=0 if expect_in_group else KDC_ERR_POLICY) + + policy_success_args = {} + policy_failure_args = { + 'client_policy_status': ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + 'event': AuditEvent.KERBEROS_DEVICE_RESTRICTION, + 'reason': AuditReason.ACCESS_DENIED, + 'status': ntstatus.NT_STATUS_INVALID_WORKSTATION, + } + + self.check_as_log(client_creds, + armor_creds=mach_creds, + client_policy=in_group_policy, + **(policy_success_args if expect_in_group + else policy_failure_args)) + + # Create an authentication policy that requires the device not to belong + # to the group. + not_in_group_sddl = self.allow_if(f'Not_Member_of {{SID({group})}}') + not_in_group_policy = self.create_authn_policy( + enforced=True, user_allowed_from=not_in_group_sddl) + + # Create a user account with the assigned policy. + client_creds = self._get_creds(account_type=self.AccountType.USER, + assigned_policy=not_in_group_policy) + + # Test whether authentication succeeds or fails. + self._armored_as_req( + client_creds, + krbtgt_creds, + mach_tgt, + target_sname=krbtgt_sname, + expected_error=KDC_ERR_POLICY if expect_in_group else 0) + + self.check_as_log(client_creds, + armor_creds=mach_creds, + client_policy=not_in_group_policy, + **(policy_failure_args if expect_in_group + else policy_success_args)) + class TgsReqServicePolicyTests(ConditionalAceBaseTests): def test_pac_groups_not_present(self): 
@@ -4348,6 +4435,100 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): client_policy=client_policy, server_policy=target_policy) + def test_device_in_world_group(self): + self._check_device_in_group(security.SID_WORLD) + + def test_device_in_network_group(self): + self._check_device_not_in_group(security.SID_NT_NETWORK) + + def test_device_in_authenticated_users(self): + self._check_device_in_group(security.SID_NT_AUTHENTICATED_USERS) + + def _check_device_in_group(self, group): + self._check_device_membership(group, expect_in_group=True) + + def _check_device_not_in_group(self, group): + self._check_device_membership(group, expect_in_group=False) + + def _check_device_membership(self, group, *, expect_in_group): + """Test that authentication succeeds or fails when the device is + required to belong to a certain group. + """ + + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'id': 'device'}) + mach_tgt = self.get_tgt(mach_creds) + + # Create an authentication policy that requires the device to belong to + # a certain group. + in_group_sddl = self.allow_if(f'Device_Member_of {{SID({group})}}') + in_group_policy = self.create_authn_policy( + enforced=True, computer_allowed_to=in_group_sddl) + + # Create a user account. + client_creds = self._get_creds(account_type=self.AccountType.USER) + client_tgt = self.get_tgt(client_creds) + + # Create a target account with the assigned policy. + target_creds = self._get_creds(account_type=self.AccountType.COMPUTER, + assigned_policy=in_group_policy) + + tgs_success_args = {} + tgs_failure_args = { + 'expect_edata': self.expect_padata_outer, + # We aren’t particular about whether or not we get an NTSTATUS. + 'expect_status': None, + 'expected_status': ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + } + + # Test whether authorization succeeds or fails. 
+ self._tgs_req(client_tgt, + 0 if expect_in_group else KDC_ERR_POLICY, + client_creds, + target_creds, + armor_tgt=mach_tgt, + **(tgs_success_args if expect_in_group + else tgs_failure_args)) + + policy_success_args = {} + policy_failure_args = { + 'status': ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED, + 'event': AuditEvent.KERBEROS_SERVER_RESTRICTION, + 'reason': AuditReason.ACCESS_DENIED, + } + + self.check_tgs_log(client_creds, target_creds, + policy=in_group_policy, + **(policy_success_args if expect_in_group + else policy_failure_args)) + + # Create an authentication policy that requires the device not to belong + # to the group. + not_in_group_sddl = self.allow_if( + f'Not_Device_Member_of {{SID({group})}}') + not_in_group_policy = self.create_authn_policy( + enforced=True, computer_allowed_to=not_in_group_sddl) + + # Create a target account with the assigned policy. + target_creds = self._get_creds(account_type=self.AccountType.COMPUTER, + assigned_policy=not_in_group_policy) + + # Test whether authorization succeeds or fails. + self._tgs_req(client_tgt, + KDC_ERR_POLICY if expect_in_group else 0, + client_creds, + target_creds, + armor_tgt=mach_tgt, + **(tgs_failure_args if expect_in_group + else tgs_success_args)) + + self.check_tgs_log(client_creds, target_creds, + policy=not_in_group_policy, + **(policy_failure_args if expect_in_group + else policy_success_args)) + def test_simple_as_req_client_policy_only(self): # Create a machine account with which to perform FAST. mach_creds = self.get_cached_creds( 
@@ -4371,10 +4552,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), } + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() + # Show that obtaining a service ticket with an AS‐REQ is allowed. self._armored_as_req(client_creds, self.get_krbtgt_creds(), mach_tgt, + target_sname=krbtgt_sname, expected_groups=expected_groups) self.check_as_log(client_creds, diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 28654042f78..d1bed6fc74f 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -176,6 +176,7 @@ class KdcTgsBaseTests(KDCBaseTest): target_creds, armor_tgt, *, + target_sname=None, expected_error=0, expected_sname=None, expect_edata=None, @@ -191,9 +192,10 @@ class KdcTgsBaseTests(KDCBaseTest): client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=[client_username]) - target_name = target_creds.get_username() - target_sname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[target_name]) + if target_sname is None: + target_name = target_creds.get_username() + target_sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[target_name]) target_realm = target_creds.get_realm() target_decryption_key = self.TicketDecryptionKey_from_creds( target_creds) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 986c2e9cc24..3792f7ea5b9 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -131,9 +131,5 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\) -# -# Conditional ACE device restrictions -# -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\) +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$ diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 5f5a4fa45ec..5c051723914 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
@@ -4064,15 +4064,18 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # # Conditional ACE device restrictions # +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_authenticated_users\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_network_group\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_device_in_world_group\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_invalid\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_not_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_device_info\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_not_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_no_sid_compression\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_sid_compression\(ad_dc\) 
^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_well_known_groups_not_present\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_authenticated_users\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_network_group\(ad_dc\)$ +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_device_in_world_group\(ad_dc\)$ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\) diff --git a/source4/auth/session.c b/source4/auth/session.c index 46b833713ba..11cc287cd94 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -68,7 +68,7 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, uint32_t num_device_sids = 0; const char *filter = NULL; struct auth_SidAttr *sids = NULL; - const struct auth_SidAttr *device_sids = NULL; + struct auth_SidAttr *device_sids = NULL; TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx); if (tmp_ctx == NULL) { 
@@ -177,14 +177,59 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx, } if (device_info_dc != NULL) { - device_sids = device_info_dc->sids; + /* + * Make a copy of the device SIDs in case we need to add extra SIDs on + * the end. One can never have too much copying. + */ num_device_sids = device_info_dc->num_sids; - } + device_sids = talloc_array(tmp_ctx, + struct auth_SidAttr, + num_device_sids); + if (device_sids == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } - /* - * TODO: if we find out that we need to add default SIDs to the device - * SIDs, as well as to the client SIDs, we’ll do that here. - */ + for (i = 0; i < num_device_sids; i++) { + device_sids[i] = device_info_dc->sids[i]; + } + + if (session_info_flags & AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS) { + device_sids = talloc_realloc(tmp_ctx, + device_sids, + struct auth_SidAttr, + num_device_sids + 2); + if (device_sids == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + device_sids[num_device_sids++] = (struct auth_SidAttr) { + .sid = global_sid_World, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; + device_sids[num_device_sids++] = (struct auth_SidAttr) { + .sid = global_sid_Network, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; + } + + if (session_info_flags & AUTH_SESSION_INFO_DEVICE_AUTHENTICATED) { + device_sids = talloc_realloc(tmp_ctx, + device_sids, + struct auth_SidAttr, + num_device_sids + 1); + if (device_sids == NULL) { + TALLOC_FREE(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + device_sids[num_device_sids++] = (struct auth_SidAttr) { + .sid = global_sid_Authenticated_Users, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; + } + } nt_status = security_token_create(mem_ctx, lp_ctx, diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c index a9f793889ef..60de61a27c2 100644 --- a/source4/kdc/authn_policy_util.c +++ b/source4/kdc/authn_policy_util.c 
@@ -574,6 +574,7 @@ static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx, struct security_token *security_token = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS | + AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS | AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; const uint32_t access_desired = SEC_ADS_CONTROL_ACCESS; uint32_t access_granted; @@ -594,6 +595,10 @@ static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx, session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; } + if (device_info != NULL && !(device_info->info->user_flags & NETLOGON_GUEST)) { -- Samba Shared Repository
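Review bot: the comments on the two new flags in the auth/common_auth.h hunk (AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS, AUTH_SESSION_INFO_DEVICE_AUTHENTICATED) do not say that they act on the device SIDs (device_info_dc) rather than on the user's own token, nor that they have no effect when no device is present, which is how the session.c hunk implements them (the whole block sits under `if (device_info_dc != NULL)`). Spelling that out in the header, e.g. `/* Add the device (device_info_dc, if any) to the default world and network groups */`, would stop callers confusing them with AUTH_SESSION_INFO_DEFAULT_GROUPS and AUTH_SESSION_INFO_AUTHENTICATED, which apply to the user.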
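Review bot: the same three-line FIXME for bug 15482 plus `krbtgt_sname = self.get_krbtgt_sname()` is pasted into the @@ -2980, @@ -3370 and @@ -4371 hunks of conditional_ace_tests.py, and once more inside the new _check_device_membership in the @@ -3443 hunk; a single helper on the base class that returns the krbtgt creds and sname together would keep the workaround in one place so it can be deleted in one change when the bug is fixed. The failure-path hunks (@@ -2924, @@ -3033, @@ -3216, @@ -3315, @@ -3426) intentionally keep calling `_armored_as_req` without target_sname, which is fine while they expect KDC_ERR_POLICY, but a short comment saying that only the success paths need the workaround would spare the next reader the question.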
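Review bot: in the @@ -3443 hunk of conditional_ace_tests.py, test_device_in_network_group calls _check_device_not_in_group(security.SID_NT_NETWORK), so the name states the opposite of what the test asserts; test_device_not_in_network_group would match its siblings, and the test deserves a comment explaining why the expected answer is "not a member" when both knownfail files in this changeset list it as currently failing (the c91d1618e33 commit message says Samba treats SID_NT_NETWORK as a default group for the device, which is exactly what this test pins down as wrong). The same naming point applies to the copy of these three tests in the @@ -4348 hunk of TgsReqServicePolicyTests.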
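Review bot: in the @@ -4348 hunk of conditional_ace_tests.py, tgs_failure_args sets `'expect_status': None` with the comment that the test is not particular about whether an NTSTATUS comes back, but it does not say why; if the reason is that the Heimdal and MIT backends return different edata here, the comment should say so, otherwise the loosened assertion will outlive whatever motivated it. The keys 'expect_status' and 'expected_status' in the same dict differ by one suffix and are easy to misread; a comment noting that the first gates the check and the second is the value compared would help.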
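Review bot: the target_sname keyword added in the @@ -176 hunk of kdc_tgs_tests.py is undocumented; add a line saying that it overrides the NT_PRINCIPAL name otherwise built from `target_creds.get_username()` in the @@ -191 hunk. It is also worth checking that the later handling of expected_sname (still defaulting to None in this hunk) compares the reply against the sname that was actually sent when a caller supplies one, since the new krbtgt tests rely on that.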
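Review bot: the two entries added in the knownfail_heimdal_kdc hunk (@@ -131) escape every dot and end with `$`, while every neighbouring entry in the same hunk and all of the entries added to knownfail_mit_kdc in this changeset leave dots unescaped and carry no `$`; pick one regex form for both files. The same hunk also deletes the `# Conditional ACE device restrictions` comment header that knownfail_mit_kdc keeps, so the new Heimdal entries now sit under the previous section's heading.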
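Review bot: in the @@ -177 hunk of source4/auth/session.c the device SID array is grown with two separate talloc_realloc calls immediately after being allocated with talloc_array; allocating once with room for the at most three extra entries (`num_device_sids + 3`) and appending through a cursor would remove both reallocs and their error paths. Two further points: the World, Network and Authenticated Users entries are appended unconditionally, so a device whose PAC already carried any of them ends up with a duplicate unless security_token_create deduplicates (please confirm); and the copy loop's struct assignment is only a complete copy if struct auth_SidAttr holds its dom_sid by value, which merits a one-line comment. The "One can never have too much copying." remark should be dropped from the code comment.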
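Review bot: the @@ -595 hunk of source4/kdc/authn_policy_util.c is cut off by the 500-line truncation right after `if (device_info != NULL && !(device_info->info->user_flags & NETLOGON_GUEST)) {`, so the body that presumably sets AUTH_SESSION_INFO_DEVICE_AUTHENTICATED cannot be reviewed here and should be read in the full commit; the condition itself mirrors the user's NETLOGON_GUEST check a few lines above, which is the right shape, but with its tab indent the line runs past the 80-column limit in README.Coding and should be wrapped. In the @@ -574 hunk AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS is ORed in unconditionally, which (as the c91d1618e33 commit message admits) makes Device_Member_of(NU) true for every device; a comment at that line pointing at that caveat would save the next reader a git blame.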