s4:auth: add authsam_update_user_info_dc() that implements SID expanding for the...
authorStefan Metzmacher <metze@samba.org>
Thu, 1 Feb 2018 22:12:36 +0000 (23:12 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Mon, 19 Mar 2018 19:30:51 +0000 (20:30 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
source4/auth/auth.h
source4/auth/sam.c

index f88489b6f6012401ce6a49b865a39ee77ecc3148..51895c9259f366e2d0a0d74c676943effd81ea1c 100644 (file)
@@ -136,6 +136,9 @@ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx, struct ldb_context *sam_
                                           struct ldb_message *msg,
                                           DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
                                  struct auth_user_info_dc **_user_info_dc);
+NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
+                       struct ldb_context *sam_ctx,
+                       struct auth_user_info_dc *user_info_dc);
 NTSTATUS auth_system_session_info(TALLOC_CTX *parent_ctx,
                                           struct loadparm_context *lp_ctx,
                                           struct auth_session_info **_session_info) ;
index bb64bd98a29f5e1776dcbf58e91c1b1784326faf..fb309f5100e1e80ef6652eb883d52986dcdb205b 100644 (file)
@@ -589,6 +589,68 @@ _PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
        return NT_STATUS_OK;
 }
 
+_PUBLIC_ NTSTATUS authsam_update_user_info_dc(TALLOC_CTX *mem_ctx,
+                       struct ldb_context *sam_ctx,
+                       struct auth_user_info_dc *user_info_dc)
+{
+       char *filter = NULL;
+       NTSTATUS status;
+       uint32_t i;
+       uint32_t n = 0;
+
+       /*
+        * This function exists to expand group memberships
+        * in the local domain (forest), as the token
+        * may come from a different domain.
+        */
+
+       /*
+        * Filter out builtin groups from this token. We will search
+        * for builtin groups later.
+        */
+       status = authsam_domain_group_filter(mem_ctx, &filter);
+       if (!NT_STATUS_IS_OK(status)) {
+               TALLOC_FREE(user_info_dc);
+               return status;
+       }
+
+       /*
+        * We loop only over the existing number of
+        * sids.
+        */
+       n = user_info_dc->num_sids;
+       for (i = 0; i < n; i++) {
+               struct dom_sid *sid = &user_info_dc->sids[i];
+               char sid_buf[DOM_SID_STR_BUFLEN] = {0,};
+               char dn_str[DOM_SID_STR_BUFLEN*2] = {0,};
+               DATA_BLOB dn_blob = data_blob_null;
+               int len;
+
+               len = dom_sid_string_buf(sid, sid_buf, sizeof(sid_buf));
+               if (len+1 > sizeof(sid_buf)) {
+                       return NT_STATUS_INVALID_SID;
+               }
+               snprintf(dn_str, sizeof(dn_str), "<SID=%s>", sid_buf);
+               dn_blob = data_blob_string_const(dn_str);
+
+               /*
+                * We already have the SID in the token, so set
+                * 'only childs' flag to true and add all
+                * groups which match the filter.
+                */
+               status = dsdb_expand_nested_groups(sam_ctx, &dn_blob,
+                                                  true, filter,
+                                                  user_info_dc,
+                                                  &user_info_dc->sids,
+                                                  &user_info_dc->num_sids);
+               if (!NT_STATUS_IS_OK(status)) {
+                       return status;
+               }
+       }
+
+       return NT_STATUS_OK;
+}
+
 NTSTATUS sam_get_results_principal(struct ldb_context *sam_ctx,
                                   TALLOC_CTX *mem_ctx, const char *principal,
                                   const char **attrs,
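Review bot: The filter-allocation failure path `TALLOC_FREE(user_info_dc);` frees an object this function does not own — `user_info_dc` is passed in by the caller, and the other two error returns in the same function (the invalid-SID check and the dsdb_expand_nested_groups failure) correctly leave it alone. Because TALLOC_FREE only nulls the local copy of the pointer, the caller is left holding a dangling pointer to a freed token and will likely free or inspect it again. I would drop the TALLOC_FREE and just `return status;`, matching the other error paths, and document the ownership in the header comment, e.g. `/* Expands local-domain group memberships of a token that may originate from another domain; user_info_dc remains owned by the caller. */`. Separately, `filter` is allocated on mem_ctx and never released, so a `TALLOC_FREE(filter);` before each return would avoid accumulating it on the caller's context, though that is minor next to the ownership issue.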