return NT_STATUS_OK;
}
-static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
- struct netr_SamInfo3 *info3,
- const char *group_sid)
+static NTSTATUS check_info3_in_groups(TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo3 *info3,
+ uint32_t num_require_membership_of_sids,
+ struct dom_sid *require_membership_of_sids)
/**
* Check whether a user belongs to a group or list of groups.
*
* or other NT_STATUS_IS_ERR(status) for other kinds of failure.
*/
{
- DOM_SID *require_membership_of_sid;
- size_t num_require_membership_of_sid;
- char *req_sid;
- const char *p;
- DOM_SID sid;
size_t i;
struct nt_user_token *token;
- TALLOC_CTX *frame = NULL;
NTSTATUS status;
/* Parse the 'required group' SID */
- if (!group_sid || !group_sid[0]) {
+ if (num_require_membership_of_sids == 0) {
/* NO sid supplied, all users may access */
return NT_STATUS_OK;
}
return NT_STATUS_NO_MEMORY;
}
- num_require_membership_of_sid = 0;
- require_membership_of_sid = NULL;
-
- p = group_sid;
-
- frame = talloc_stackframe();
- while (next_token_talloc(frame, &p, &req_sid, ",")) {
- if (!string_to_sid(&sid, req_sid)) {
- DEBUG(0, ("check_info3_in_group: could not parse %s "
- "as a SID!", req_sid));
- TALLOC_FREE(frame);
- return NT_STATUS_INVALID_PARAMETER;
- }
-
- status = add_sid_to_array(mem_ctx, &sid,
- &require_membership_of_sid,
- &num_require_membership_of_sid);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(0, ("add_sid_to_array failed\n"));
- TALLOC_FREE(frame);
- return status;
- }
- }
-
- TALLOC_FREE(frame);
-
status = sid_array_from_info3(mem_ctx, info3,
&token->user_sids,
&token->num_sids,
debug_nt_user_token(DBGC_CLASS, 10, token);
- for (i=0; i<num_require_membership_of_sid; i++) {
+ for (i=0; i<num_require_membership_of_sids; i++) {
DEBUG(10, ("Checking SID %s\n", sid_string_dbg(
- &require_membership_of_sid[i])));
- if (nt_token_check_sid(&require_membership_of_sid[i],
+ &require_membership_of_sids[i])));
+ if (nt_token_check_sid(&require_membership_of_sids[i],
token)) {
DEBUG(10, ("Access ok\n"));
return NT_STATUS_OK;
return NT_STATUS_LOGON_FAILURE;
}
+static NTSTATUS check_info3_in_group(TALLOC_CTX *mem_ctx,
+ struct netr_SamInfo3 *info3,
+ const char *group_sid)
+/**
+ * Check whether a user belongs to a group or list of groups.
+ *
+ * @param mem_ctx talloc memory context.
+ * @param info3 user information, including group membership info.
+ * @param group_sid One or more groups , separated by commas.
+ *
+ * @return NT_STATUS_OK on success,
+ * NT_STATUS_LOGON_FAILURE if the user does not belong,
+ * or other NT_STATUS_IS_ERR(status) for other kinds of failure.
+ */
+{
+ DOM_SID *require_membership_of_sid;
+ size_t num_require_membership_of_sid;
+ char *req_sid;
+ const char *p;
+ DOM_SID sid;
+ TALLOC_CTX *frame = NULL;
+ NTSTATUS status;
+
+ /* Parse the 'required group' SID */
+
+ if (!group_sid || !group_sid[0]) {
+ /* NO sid supplied, all users may access */
+ return NT_STATUS_OK;
+ }
+
+ num_require_membership_of_sid = 0;
+ require_membership_of_sid = NULL;
+
+ p = group_sid;
+
+ frame = talloc_stackframe();
+ while (next_token_talloc(frame, &p, &req_sid, ",")) {
+ if (!string_to_sid(&sid, req_sid)) {
+ DEBUG(0, ("check_info3_in_group: could not parse %s "
+ "as a SID!", req_sid));
+ TALLOC_FREE(frame);
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ status = add_sid_to_array(mem_ctx, &sid,
+ &require_membership_of_sid,
+ &num_require_membership_of_sid);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("add_sid_to_array failed\n"));
+ TALLOC_FREE(frame);
+ return status;
+ }
+ }
+
+ TALLOC_FREE(frame);
+
+ return check_info3_in_groups(mem_ctx, info3,
+ num_require_membership_of_sid,
+ require_membership_of_sid);
+}
+
struct winbindd_domain *find_auth_domain(struct winbindd_cli_state *state,
const char *domain_name)
{
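Review bot: The new `check_info3_in_group` wrapper can turn a non-empty `group_sid` that yields no tokens into "no restriction". It passes `num_require_membership_of_sid == 0` on to `check_info3_in_groups`, whose first check returns `NT_STATUS_OK` for a zero count. Before the split, the same input fell through the empty `for` loop to `return NT_STATUS_LOGON_FAILURE`, so the refactor appears to change a fail-closed case into a fail-open one. Whether a separator-only string really produces zero tokens depends on `next_token_talloc`, which is not visible here. To keep the old result, add a check after `TALLOC_FREE(frame);` in the wrapper: `if (num_require_membership_of_sid == 0) { return NT_STATUS_LOGON_FAILURE; }`. The body of `check_info3_in_groups` is only partly shown, so confirm that it has no other caller relying on the zero-count shortcut.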