The branch, master has been updated via 0d7ea9cfb60 s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID via 86ed8753fa0 s4:dsdb/tests: let the token_group.py test work against Windows 2025 from 864f3929456 vfs: Simplify DBGs
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 0d7ea9cfb609bf9fe358279736b6a8d4d616218f Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 6 11:08:37 2025 +0100 s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID We do that unless the Other Organization SID is already there. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> Autobuild-User(master): Stefan Metzmacher <me...@samba.org> Autobuild-Date(master): Thu Mar 6 17:35:50 UTC 2025 on atb-devel-224 commit 86ed8753fa01b715994269b11cb73809e1deb85e Author: Stefan Metzmacher <me...@samba.org> Date: Thu Mar 6 13:40:30 2025 +0100 s4:dsdb/tests: let the token_group.py test work against Windows 2025 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> ----------------------------------------------------------------------- Summary of changes: source4/auth/session.c | 38 ++++++++++++++++++++++++++++++++ source4/dsdb/tests/python/token_group.py | 13 +++++++++-- 2 files changed, 49 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/source4/auth/session.c b/source4/auth/session.c index 806f6eab03f..987bf4c68dd 100644 --- a/source4/auth/session.c +++ b/source4/auth/session.c @@ -66,6 +66,8 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx, uint32_t num_sids = 0; uint32_t i; const char *filter = NULL; + bool has_other_organization = false; + bool add_this_organization = false; sids = talloc_array(mem_ctx, struct auth_SidAttr, 
@@ -80,6 +82,21 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx, for (i=0; i < user_info_dc->num_sids; i++) { sids[i] = user_info_dc->sids[i]; + + if (!has_other_organization && + dom_sid_equal(&sids[i].sid, &global_sid_Other_Organization)) + { + has_other_organization = true; + continue; + } + + if (dom_sid_equal(&sids[i].sid, &global_sid_This_Organization)) { + /* + * The caller should not pass this + */ + TALLOC_FREE(frame); + return NT_STATUS_INTERNAL_ERROR; + } } /* @@ -126,6 +143,27 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx, .attrs = SE_GROUP_DEFAULT_FLAGS, }; num_sids++; + + if (!has_other_organization) { + add_this_organization = true; + } + } + + if (add_this_organization) { + sids = talloc_realloc(frame, + sids, + struct auth_SidAttr, + num_sids + 1); + if (sids == NULL) { + TALLOC_FREE(frame); + return NT_STATUS_NO_MEMORY; + } + + sids[num_sids] = (struct auth_SidAttr) { + .sid = global_sid_This_Organization, + .attrs = SE_GROUP_DEFAULT_FLAGS, + }; + num_sids++; } if (session_info_flags & AUTH_SESSION_INFO_NTLM) { diff --git a/source4/dsdb/tests/python/token_group.py b/source4/dsdb/tests/python/token_group.py index df45ee0f331..d802453e0bc 100755 --- a/source4/dsdb/tests/python/token_group.py +++ b/source4/dsdb/tests/python/token_group.py @@ -143,6 +143,7 @@ class StaticTokenTest(samba.tests.TestCase): extra_sids.append(security.SID_WORLD) extra_sids.append(security.SID_NT_NETWORK) extra_sids.append(security.SID_NT_AUTHENTICATED_USERS) + extra_sids.append(security.SID_NT_THIS_ORGANIZATION) extra_sids.append(security.SID_BUILTIN_PREW2K) if creds.get_kerberos_state() == MUST_USE_KERBEROS: extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) 
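Review bot: The new `return NT_STATUS_INTERNAL_ERROR;` in the copy loop of the `@@ -80,6 +82,21 @@` hunk fails the whole token build without logging anything, so the only symptom is an opaque logon failure. Failing closed when the input already carries This Organization is the safer choice, but a line such as `DBG_ERR("unexpected This Organization SID at index %"PRIu32"\n", i);` before `TALLOC_FREE(frame);` would make it diagnosable. The comment `The caller should not pass this` could also say why: the function decides on this SID itself, from the absence of `global_sid_Other_Organization`. Whether every producer of `user_info_dc->sids` strips this SID before calling is not visible here and is worth confirming. The function body starts and ends outside the hunk.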
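Review bot: The `if (!has_other_organization) { add_this_organization = true; }` added in the `@@ -126,6 +143,27 @@` hunk sits inside a block whose condition is outside the hunk, so the rule for which tokens receive This Organization cannot be read from the new code alone. A comment above `if (add_this_organization)` would help, for example `/* This Organization and Other Organization are mutually exclusive; add the former only when the enclosing check passed and the caller did not supply the latter */`. Because this SID may be referenced in ACLs, it is worth stating explicitly which session types are meant to get it (presumably authenticated ones, to be confirmed against the enclosing condition). The `add_this_organization` flag is set in only this one place, so the append could also live directly in that block.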
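Review bot: The expectation added in the `@@ -143,6 +143,7 @@` hunk, and repeated in `@@ -417,6 +418,7 @@`, only covers the positive case where `security.SID_NT_THIS_ORGANIZATION` must appear in the token. Nothing visible in this changeset checks the complementary rule from source4/auth/session.c, that a token carrying the Other Organization SID must not also receive This Organization. If the test environment cannot produce such a logon, a comment next to the new line such as `# added by the server unless the Other Organization SID is present` would at least record the condition. The enclosing test methods start and end outside both hunks.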
@@ -417,6 +418,7 @@ class DynamicTokenTest(samba.tests.TestCase): extra_sids.append(security.SID_WORLD) extra_sids.append(security.SID_NT_NETWORK) extra_sids.append(security.SID_NT_AUTHENTICATED_USERS) + extra_sids.append(security.SID_NT_THIS_ORGANIZATION) extra_sids.append(security.SID_BUILTIN_PREW2K) if creds.get_kerberos_state() == MUST_USE_KERBEROS: extra_sids.append(security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY) @@ -644,7 +646,9 @@ class DynamicTokenTest(samba.tests.TestCase): domain_sid) user_handle = samr_conn.OpenUser(samr_domain, security.SEC_FLAG_MAXIMUM_ALLOWED, user_rid) rids = samr_conn.GetGroupsForUser(user_handle) + user_info = samr_conn.QueryUserInfo(user_handle, 1) samr_dns = set() + found_primary_gid = False for rid in rids.rids: self.assertEqual(rid.attributes, security.SE_GROUP_DEFAULT_FLAGS) sid = "%s-%d" % (domain_sid, rid.rid) @@ -652,8 +656,13 @@ class DynamicTokenTest(samba.tests.TestCase): attrs=[]) samr_dns.add(res[0].dn.get_casefold()) - user_info = samr_conn.QueryUserInfo(user_handle, 1) - self.assertEqual(rids.rids[0].rid, user_info.primary_gid) + # Note Windows 2025 has the primary_group_rid as + # the last element in the rids array + if rid.rid == user_info.primary_gid: + self.assertFalse(found_primary_gid) + found_primary_gid = True + + self.assertTrue(found_primary_gid) tokenGroupsSet = set() res = self.ldb.search(self.user_sid_dn, scope=ldb.SCOPE_BASE, attrs=["tokenGroupsGlobalAndUniversal"]) -- Samba Shared Repository
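Review bot: The new `self.assertFalse(found_primary_gid)` and `self.assertTrue(found_primary_gid)` in the `@@ -652,8 +656,13 @@` hunk carry no message, so a failure will not say which RID was duplicated or missing. Suggest `self.assertTrue(found_primary_gid, "primary_gid %d not returned by GetGroupsForUser" % user_info.primary_gid)` and a similar message on the duplicate check. The comment refers to `primary_group_rid` while the field compared is `user_info.primary_gid`; using one name avoids confusion. The position check is now dropped for every server, not only Windows 2025, so if the first-element ordering is still expected elsewhere it is no longer asserted. The loop and the enclosing test method extend outside the hunk.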