auth: Pass through entire PAC flags value in auth_user_info

Besides the NETLOGON_GUEST bit indicating whether the user has been
authenticated, we now carry all of the other bits as well. This lets us
match Windows' behaviour of simply passing these bits through to an
updated PAC when processing a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 7632d263650d970f12cfe8b98ef39b00d421ab9c..b9d06161cb12e18fafc8e17d91c64f2b683d2b21 100644 (file)
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -118,10 +118,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
                }
        }
 
-       sam->user_flags = 0; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
-       if (!user_info_dc->info->authenticated) {
-               sam->user_flags |= NETLOGON_GUEST;
-       }
+       sam->user_flags = info->user_flags; /* w2k3 uses NETLOGON_EXTRA_SIDS | NETLOGON_NTLMV2_ENABLED */
        sam->acct_flags = user_info_dc->info->acct_flags;
        sam->sub_auth_status = 0;
        sam->last_successful_logon = 0;
@@ -349,8 +346,14 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
        info->bad_password_count = base->bad_password_count;
        info->acct_flags = base->acct_flags;
 
-       /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */
-       info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST)));
+       info->user_flags = base->user_flags;
+       if (!authenticated) {
+               /*
+                * We only consider the user authenticated if NETLOGON_GUEST is
+                * not set, and authenticated is set
+                */
+               info->user_flags |= NETLOGON_GUEST;
+       }
 
        *_user_info = info;
        return NT_STATUS_OK;

diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index 582587e062ff54875f3af2145d1373f58de4e7b4..a6b4a118be2fca7d5a9afcb4294001da9eba9b10 100644 (file)
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -52,7 +52,11 @@ interface auth
 
                uint32 acct_flags;
 
-               uint8 authenticated;
+               /*
+                * The NETLOGON_GUEST flag being set indicates the user is not
+                * authenticated.
+                */
+               uint32 user_flags;
        } auth_user_info;
 
        /* This information is preserved only to assist torture tests */

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index dbe10d037708f21617a2525450047c193e0147a0..ecca1230ad79f69c3bc76d58c07e1d76aa15149e 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -154,7 +154,6 @@
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_domain_local_compression_as_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_removal_compression_tgs_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_compression_as_req_to_service.ad_dc
-^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_claimed_given_tgs_req_to_krbtgt.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_no_compression_tgs_req_to_service.ad_dc
 ^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_tgs_req_to_krbtgt.ad_dc

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 6d94356ef35c89ce0f2d3efb5db58e8ac5dd1bdd..3bc443156823ca354a31168368bf58f54e503172 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -952,7 +952,7 @@ static NTSTATUS auth3_session_info_create(
                }
        }
 
-       if (session_info->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index e678f703db58917b73936b03c5b4755c6a9b5fc8..1983bf182a217952c963bc2bf3c3eb888ad01f9c 100644 (file)
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -540,7 +540,7 @@ static NTSTATUS auth_generate_session_info_wrapper(struct auth4_context *auth_co
        NTSTATUS status;
        struct auth_user_info_dc *user_info_dc = talloc_get_type_abort(server_returned_info, struct auth_user_info_dc);
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 
@@ -599,7 +599,7 @@ static NTSTATUS auth_generate_session_info_pac(struct auth4_context *auth_ctx,
                return status;
        }
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/auth/ntlm/auth_developer.c b/source4/auth/ntlm/auth_developer.c
index 330bcde4d0267e8f59adb566fc94ed1d6dcac259..eb5826a313767e0390e0cf20ad60431958ac68bf 100644 (file)
--- a/source4/auth/ntlm/auth_developer.c
+++ b/source4/auth/ntlm/auth_developer.c
@@ -135,7 +135,7 @@ static NTSTATUS name_to_ntstatus_check_password(struct auth_method_context *ctx,
 
        info->acct_flags = ACB_NORMAL;
 
-       info->authenticated = true;
+       info->user_flags = 0;
 
        *_user_info_dc = user_info_dc;
 

diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 006e4d8279aebe024948508164939b5f7c5e9699..1a55a59f0dbbd4282a888a93140b72a69bb25bcf 100644 (file)
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -169,7 +169,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
        }
 
        flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 609d83e1420408f5769e1ca22852a15c5d338dcc..c8469738e81759e7465e6b1cc080112b3468fdb5 100644 (file)
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -605,7 +605,7 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
                user_info_dc->num_sids++;
        }
 
-       info->authenticated = true;
+       info->user_flags = 0;
 
        talloc_free(tmp_ctx);
        *_user_info_dc = user_info_dc;

diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index da15f6bf0da948cadcce9479151ad54db28f1683..ea692e1670768647fd2429481d1172bf6ea296d3 100644 (file)
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -181,7 +181,7 @@ NTSTATUS auth_system_user_info_dc(TALLOC_CTX *mem_ctx, const char *netbios_name,
 
        info->acct_flags = ACB_NORMAL;
 
-       info->authenticated = true;
+       info->user_flags = 0;
 
        *_user_info_dc = user_info_dc;
 
@@ -284,7 +284,7 @@ static NTSTATUS auth_domain_admin_user_info_dc(TALLOC_CTX *mem_ctx,
 
        info->acct_flags = ACB_NORMAL;
 
-       info->authenticated = true;
+       info->user_flags = 0;
 
        *_user_info_dc = user_info_dc;
 
@@ -443,7 +443,8 @@ _PUBLIC_ NTSTATUS auth_anonymous_user_info_dc(TALLOC_CTX *mem_ctx,
 
        info->acct_flags = ACB_NORMAL;
 
-       info->authenticated = false;
+       /* The user is not authenticated. */
+       info->user_flags = NETLOGON_GUEST;
 
        *_user_info_dc = user_info_dc;
 

diff --git a/source4/dns_server/dlz_bind9.c b/source4/dns_server/dlz_bind9.c
index a13d3b316efda71be3bfe754eab3f883fce98f07..acd811f66eebe7d84f743ba08a89ddd9cd2ff805 100644 (file)
--- a/source4/dns_server/dlz_bind9.c
+++ b/source4/dns_server/dlz_bind9.c
@@ -589,7 +589,7 @@ static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context,
                return status;
        }
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 0707f0a68b3ded41cd1e0768465b372bb16d072a..457d7994bc43243d243d1eb0bd5677f8da438cf8 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3353,7 +3353,7 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
                goto out;
        }
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c
index 07a7e7ea46cb8c336b04027919d62622abe733cc..f651c62244317d89397153c1daa2831c3a93b65f 100644 (file)
--- a/source4/smb_server/smb/sesssetup.c
+++ b/source4/smb_server/smb/sesssetup.c
@@ -111,7 +111,7 @@ static void sesssetup_old_send(struct tevent_req *subreq)
        if (!NT_STATUS_IS_OK(status)) goto failed;
 
        flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
        /* This references user_info_dc into session_info */
@@ -252,7 +252,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq)
        if (!NT_STATUS_IS_OK(status)) goto failed;
 
        flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
        /* This references user_info_dc into session_info */

diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index f4e447399b5cfbdf20e7af35fd883cb8adc22eeb..8886a2f3bae29ae62840d16c1d3ce511458a2124 100644 (file)
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -123,7 +123,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
                return nt_status;
        }
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 67c523a51e23925dcb7373ec72242f1e17a641c4..28b9f1be52341e1e1d325ab5b39b06eb5ed14b95 100644 (file)
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -109,7 +109,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
        talloc_steal(pac_data, pac_data->pac_srv_sig);
        talloc_steal(pac_data, pac_data->pac_kdc_sig);
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }
 

diff --git a/source4/torture/winbind/winbind.c b/source4/torture/winbind/winbind.c
index b09c2c23d3159dc5464f38bfab895f38c3e5c04f..b201534fc2c2f7ed7dab676b1a81169efa1024ff 100644 (file)
--- a/source4/torture/winbind/winbind.c
+++ b/source4/torture/winbind/winbind.c
@@ -77,7 +77,7 @@ static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx,
                return nt_status;
        }
 
-       if (user_info_dc->info->authenticated) {
+       if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) {
                session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
        }