} sec_desc_buf;
typedef [public] struct {
- dom_sid *user_sid;
- dom_sid *group_sid;
uint32 num_sids;
[size_is(num_sids)] dom_sid *sids[*];
udlong privilege_mask;
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 5);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
-
/*
* Finally add the "standard" SIDs.
* The only difference between guest and "anonymous"
*token = ptoken;
/* Shortcuts to prevent recursion and avoid lookups */
- if (ptoken->user_sid == NULL) {
+ if (ptoken->sids == NULL) {
ptoken->privilege_mask = 0;
return NT_STATUS_OK;
}
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 3);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
ptoken->sids[2] = dom_sid_parse_talloc(ptoken->sids, SID_NT_AUTHENTICATED_USERS);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids[2]);
ptoken->num_sids = 3;
return LDB_SUCCESS;
}
/* if we are adding/deleting ourselves, check for self membership */
- ret = dsdb_find_dn_by_sid(ldb, mem_ctx, acl_user_token(module)->user_sid, &user_dn);
+ ret = dsdb_find_dn_by_sid(ldb, mem_ctx,
+ acl_user_token(module)->sids[PRIMARY_USER_SID_INDEX],
+ &user_dn);
if (ret != LDB_SUCCESS) {
return ret;
}
ptoken = security_token_initialise(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(ptoken);
- ptoken->user_sid = talloc_reference(ptoken, user_sid);
- ptoken->group_sid = talloc_reference(ptoken, group_sid);
ptoken->privilege_mask = 0;
ptoken->sids = talloc_array(ptoken, struct dom_sid *, n_groupSIDs + 6 /* over-allocate */);
ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid *, ptoken->num_sids + 1);
NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
- ptoken->sids[0] = ptoken->user_sid;
- ptoken->sids[1] = ptoken->group_sid;
+ ptoken->sids[PRIMARY_USER_SID_INDEX] = talloc_reference(ptoken, user_sid);
+ ptoken->sids[PRIMARY_GROUP_SID_INDEX] = talloc_reference(ptoken, group_sid);
ptoken->num_sids++;
/*
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
- if (token->user_sid == NULL) {
+ if (token->sids == NULL) {
token->privilege_mask = 0;
return NT_STATUS_OK;
}
DEBUG(3, ("Changing password of %s\\%s (%s)\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
- dom_sid_string(mem_ctx, session_info->security_token->user_sid)));
+ dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
/* Performs the password change */
status = samdb_set_password_sid(samdb, mem_ctx,
- session_info->security_token->user_sid,
+ session_info->security_token->sids[PRIMARY_USER_SID_INDEX],
password, NULL, NULL,
oldLmHash, oldNtHash, /* this is a user password change */
&reject_reason,
DEBUG(3, ("%s\\%s (%s) is changing password of %s\n",
session_info->server_info->domain_name,
session_info->server_info->account_name,
- dom_sid_string(mem_ctx, session_info->security_token->user_sid),
+ dom_sid_string(mem_ctx, session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
set_password_on_princ));
ret = ldb_transaction_start(samdb);
if (ret != LDB_SUCCESS) {
mem_ctx = talloc_new(gp_ctx);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
- sid = dom_sid_string(mem_ctx, token->user_sid);
+ sid = dom_sid_string(mem_ctx, token->sids[PRIMARY_USER_SID_INDEX]);
/* Find the user DN and objectclass via the sid from the security token */
rv = ldb_search(gp_ctx->ldb_ctx,
if ((inherit_flags & SEC_OWNER_FROM_PARENT) && parent_sd) {
new_owner = parent_sd->owner_sid;
} else if (!default_owner) {
- new_owner = token->user_sid;
+ new_owner = token->sids[PRIMARY_USER_SID_INDEX];
} else {
new_owner = default_owner;
new_sd->type |= SEC_DESC_OWNER_DEFAULTED;
if (!creator_sd || !creator_sd->group_sid){
if ((inherit_flags & SEC_GROUP_FROM_PARENT) && parent_sd) {
new_group = parent_sd->group_sid;
+ } else if (!default_group && token->sids[PRIMARY_GROUP_SID_INDEX]) {
+ new_group = token->sids[PRIMARY_GROUP_SID_INDEX];
} else if (!default_group) {
- new_group = token->group_sid;
+ /* This will happen only for anonymous, which has no other groups */
+ new_group = token->sids[PRIMARY_USER_SID_INDEX];
} else {
new_group = default_group;
new_sd->type |= SEC_DESC_GROUP_DEFAULTED;
return NULL;
}
- st->user_sid = NULL;
- st->group_sid = NULL;
st->num_sids = 0;
st->sids = NULL;
st->privilege_mask = 0;
return;
}
- DEBUG(dbg_lev, ("Security token of user %s\n",
- dom_sid_string(mem_ctx, token->user_sid) ));
- DEBUGADD(dbg_lev, (" SIDs (%lu):\n",
+ DEBUG(dbg_lev, ("Security token SIDs (%lu):\n",
(unsigned long)token->num_sids));
for (i = 0; i < token->num_sids; i++) {
DEBUGADD(dbg_lev, (" SID[%3lu]: %s\n", (unsigned long)i,
bool security_token_is_sid(const struct security_token *token, const struct dom_sid *sid)
{
- if (dom_sid_equal(token->user_sid, sid)) {
+ if (token->sids && dom_sid_equal(token->sids[PRIMARY_USER_SID_INDEX], sid)) {
return true;
}
return false;
(req8->replica_flags & DRSUAPI_DRS_WRIT_REP)) {
DEBUG(3,(__location__ ": Removing WRIT_REP flag for replication by RODC %s\n",
dom_sid_string(mem_ctx,
- dce_call->conn->auth_state.session_info->security_token->user_sid)));
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX])));
req8->replica_flags &= ~DRSUAPI_DRS_WRIT_REP;
}
/* check that they are using an DSA objectGUID that they own */
ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
&req->dest_dsa_guid,
- dce_call->conn->auth_state.session_info->security_token->user_sid);
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
if (ret != LDB_SUCCESS) {
DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
dom_sid_string(mem_ctx,
- dce_call->conn->auth_state.session_info->security_token->user_sid),
+ dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
GUID_string(mem_ctx, &req->dest_dsa_guid)));
return WERR_DS_DRA_ACCESS_DENIED;
}
#include "includes.h"
#include "../lib/util/dlinklist.h"
#include "rpc_server/dcerpc_server.h"
-#include "libcli/security/dom_sid.h"
+#include "libcli/security/security.h"
#include "auth/session.h"
/*
struct dcesrv_handle *h;
struct dom_sid *sid;
- sid = context->conn->auth_state.session_info->security_token->user_sid;
+ sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
h = talloc(context->assoc_group, struct dcesrv_handle);
if (!h) {
struct dcesrv_handle *h;
struct dom_sid *sid;
- sid = context->conn->auth_state.session_info->security_token->user_sid;
+ sid = context->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
if (policy_handle_empty(p)) {
/* TODO: we should probably return a NULL handle here */
DCESRV_PULL_HANDLE(h, r->in.handle, DCESRV_HANDLE_ANY);
- sid = dce_call->conn->auth_state.session_info->security_token->user_sid;
+ sid = dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
if (h->wire_handle.handle_type == LSA_HANDLE_POLICY) {
status = dcesrv_build_lsa_sd(mem_ctx, &sd, sid, 0);