git.samba.org - metze/samba/wip.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Tue, 6 Mar 2018 23:21:13 +0000 (00:21 +0100)
committer	Ralph Boehme <slow@samba.org>
	Thu, 15 Mar 2018 20:54:17 +0000 (21:54 +0100)
commit	af4bc135e486e17164da0ea918281fbf689892c3
tree	529bf6740d9c7cea13baf08d13792bbdd058058c	tree
parent	6ff891195855403bc485725aef8d43d4e3cabacb	commit \| diff

s3:auth: add auth3_user_info_dc_add_hints() and auth3_session_info_create()

These functions make it possible to construct a full auth_session_info
from the information available from an auth_user_info_dc structure.

This has all the logic from create_local_token() that is used
to transform a auth_serversupplied_info to a full auth_session_info.

In order to workarround the restriction that auth_user_info_dc
doesn't contain hints for the unix token/name, we use
the special S-1-5-88 (Unix_NFS) sids:

- S-1-5-88-1-Y gives the uid=Y
- S-1-5-88-2-Y gives the gid=Y
- S-1-5-88-3-Y gives flags=Y AUTH3_UNIX_HINT_*

The currently implemented flags are:

- AUTH3_UNIX_HINT_QUALIFIED_NAME
  unix_name = DOMAIN+ACCOUNT

- AUTH3_UNIX_HINT_ISLOLATED_NAME
  unix_name = ACCOUNT

- AUTH3_UNIX_HINT_DONT_TRANSLATE_FROM_SIDS
  Don't translate the nt token SIDS into uid/gids
  using sid mapping.

- AUTH3_UNIX_HINT_DONT_TRANSLATE_TO_SIDS
  Don't translate the unix token uid/gids to S-1-22-X-Y SIDS

- AUTH3_UNIX_HINT_DONT_EXPAND_UNIX_GROUPS
  The unix token won't get expanded gid values
  from getgroups_unix_user()

By using the hints it is possible to keep the current logic
where an authentication backend provides uid/gid values and
the unix name.

Note the S-1-5-88-* SIDS never appear in the final security_token.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

source3/auth/auth_util.c		diff \| blob \| history
source3/auth/proto.h		diff \| blob \| history