r23921: Remove GPO_SID_TOKEN struct and use nt_user_token instead, that already has
authorGünther Deschner <gd@samba.org>
Tue, 17 Jul 2007 09:39:39 +0000 (09:39 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 17:28:42 +0000 (12:28 -0500)
S-1-5-11 in the token.

Guenther
(This used to be commit 83c734690ab09a0fe103ee9fdb855fbdd31db39c)

source3/Makefile.in
source3/include/gpo.h
source3/libgpo/gpo_ldap.c
source3/libgpo/gpo_sec.c

index f26afb117910b733e29183715ccdb9ef95a21509..17f5ad4a4937d0b9ccf88cdc648c00f37df43361 100644 (file)
@@ -697,7 +697,7 @@ NET_OBJ1 = utils/net.o utils/net_ads.o utils/net_domain.o utils/net_help.o \
           utils/netlookup.o utils/net_sam.o utils/net_rpc_shell.o \
           utils/net_util.o utils/net_rpc_sh_acct.o utils/net_rpc_audit.o \
           $(PASSWD_UTIL_OBJ) utils/net_dns.o utils/net_ads_gpo.o \
-          utils/net_conf.o
+          utils/net_conf.o auth/token_util.o
 
 NET_OBJ = $(NET_OBJ1) $(PARAM_WITHOUT_REG_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \
          $(RPC_PARSE_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
index 073dad0a112bff5637620e288fbb7490372660f4..85a0b82d6571ec14acb0f1d891df5ff0b4b31258 100644 (file)
@@ -93,10 +93,3 @@ struct GP_EXT {
 
 #define GPO_CACHE_DIR "gpo_cache"
 #define GPT_INI "GPT.INI"
-
-struct GPO_SID_TOKEN {
-       DOM_SID object_sid;
-       DOM_SID primary_group_sid;
-       size_t num_token_sids;
-       DOM_SID *token_sids;
-};
index 07b453d63709e988538f6665b729850ea838ec4a..4f983b261d8158bff7f3e136f41dde328af69bb5 100644 (file)
@@ -1,7 +1,7 @@
 /* 
  *  Unix SMB/CIFS implementation.
  *  Group Policy Object Support
- *  Copyright (C) Guenther Deschner 2005
+ *  Copyright (C) Guenther Deschner 2005,2007
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -427,7 +427,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
                return ADS_ERROR(LDAP_NO_MEMORY);
        }
 
-       /* sure ??? */
        if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
                return ADS_ERROR(LDAP_NO_MEMORY);
        }
@@ -441,7 +440,6 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
        gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
        ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
 
-       /* ???, this is optional to have and what does it depend on, the 'flags' ?) */
        gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
        gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
 
@@ -536,7 +534,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
                                         struct GP_LINK *gp_link,
                                         enum GPO_LINK_TYPE link_type,
                                         BOOL only_add_forced_gpos,
-                                        struct GPO_SID_TOKEN *token)
+                                        const struct nt_user_token *token)
 {
        ADS_STATUS status;
        int i;
@@ -592,10 +590,10 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 /****************************************************************
 ****************************************************************/
 
-static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
-                                       TALLOC_CTX *mem_ctx,
-                                       const char *dn,
-                                       struct GPO_SID_TOKEN **token)
+ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
+                            TALLOC_CTX *mem_ctx,
+                            const char *dn,
+                            struct nt_user_token **token)
 {
        ADS_STATUS status;
        DOM_SID object_sid;
@@ -604,12 +602,9 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
        size_t num_ad_token_sids = 0;
        DOM_SID *token_sids;
        size_t num_token_sids = 0;
-       struct GPO_SID_TOKEN *new_token = NULL;
+       struct nt_user_token *new_token = NULL;
        int i;
 
-       new_token = TALLOC_ZERO_P(mem_ctx, struct GPO_SID_TOKEN);
-       ADS_ERROR_HAVE_NO_MEMORY(new_token);
-
        status = ads_get_tokensids(ads, mem_ctx, dn, 
                                   &object_sid, &primary_group_sid,
                                   &ad_token_sids, &num_ad_token_sids);
@@ -617,12 +612,14 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
                return status;
        }
 
-       new_token->object_sid = object_sid;
-       new_token->primary_group_sid = primary_group_sid;
-
        token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
        ADS_ERROR_HAVE_NO_MEMORY(token_sids);
 
+       if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, 
+                                    &num_token_sids)) {
+               return ADS_ERROR(LDAP_NO_MEMORY);
+       }
+
        for (i = 0; i < num_ad_token_sids; i++) {
                
                if (sid_check_is_in_builtin(&ad_token_sids[i])) {
@@ -635,22 +632,17 @@ static ADS_STATUS ads_get_gpo_sid_token(ADS_STRUCT *ads,
                }
        }
 
-       /* Add S-1-5-11 to token */
-       if (!add_sid_to_array_unique(mem_ctx, &global_sid_Authenticated_Users,
-                                    &token_sids, &num_token_sids)) {
-               return ADS_ERROR(LDAP_NO_MEMORY);
-       }
-
-
-       new_token->token_sids = token_sids;
-       new_token->num_token_sids = num_token_sids;
+       new_token = create_local_nt_token(mem_ctx, &object_sid, False, 
+                                         num_token_sids, token_sids);
+       ADS_ERROR_HAVE_NO_MEMORY(new_token);
 
        *token = new_token;
 
+       debug_nt_user_token(DBGC_CLASS, 5, *token);
+
        return ADS_ERROR_LDAP(LDAP_SUCCESS);
 }
 
-
 /****************************************************************
  get the full list of GROUP_POLICY_OBJECTs for a given dn
 ****************************************************************/
@@ -665,15 +657,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
        
        ADS_STATUS status;
        struct GP_LINK gp_link;
-       struct GPO_SID_TOKEN *token = NULL;
+       struct nt_user_token *token = NULL;
        const char *parent_dn, *site_dn, *tmp_dn;
        BOOL add_only_forced_gpos = False;
 
        ZERO_STRUCTP(gpo_list);
 
+       if (!dn) {
+               return ADS_ERROR(LDAP_PARAM_ERROR);
+       }
+
        DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
 
-       status = ads_get_gpo_sid_token(ads, mem_ctx, dn, &token);
+       status = ads_get_sid_token(ads, mem_ctx, dn, &token);
        if (!ADS_ERR_OK(status)) {
                return status;
        }
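Review bot: In the ads_get_sid_token hunk the explicit "Add S-1-5-11 to token" step is dropped without a comment, so the new code at `create_local_nt_token(mem_ctx, &object_sid, False, num_token_sids, token_sids);` reads as if Authenticated Users were no longer in the token; the commit message carries that reasoning, the code does not. Suggest a comment above the call: `/* create_local_nt_token() adds the well-known SIDs itself (incl. S-1-5-11, Authenticated Users); only the AD-supplied group SIDs and the primary group are passed in. */`. Because this token is what gpo_sec.c matches ACE trustees against, any SIDs create_local_nt_token() folds in beyond the AD-supplied ones presumably widen the set of GPOs that pass security filtering — worth stating in that comment so a later reader can judge it. The function also changes from static to external linkage; its prototype presumably comes from the generated proto header, which this diff does not show.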
index abdcd17378d4a752f3f65ad72f9aa4ae940724dc..5286da57deea6a9e676d106aab6959a214dfe5c3 100644 (file)
@@ -43,7 +43,7 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
                                       &ext_right_apg_guid)) {
                                return True;
                        }
-               case  SEC_ACE_OBJECT_INHERITED_PRESENT:
+               case SEC_ACE_OBJECT_INHERITED_PRESENT:
                        if (GUID_equal(&object->inherited_type.inherited_type,
                                       &ext_right_apg_guid)) {
                                return True;
@@ -60,11 +60,11 @@ static BOOL gpo_sd_check_agp_object_guid(const struct security_ace_object *objec
 
 static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
 {
-       if (sec_ace_object(ace->type)) {
-               return gpo_sd_check_agp_object_guid(&ace->object.object);
+       if (!sec_ace_object(ace->type)) {
+               return False;
        }
 
-       return False;
+       return gpo_sd_check_agp_object_guid(&ace->object.object);
 }
 
 /****************************************************************
@@ -92,21 +92,13 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
 /****************************************************************
 ****************************************************************/
 
-static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee, 
-                                             const struct GPO_SID_TOKEN *token)
+static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
+                                             const struct nt_user_token *token)
 {
        int i;
 
-       if (sid_equal(trustee, &token->object_sid)) {
-               return True;
-       }
-
-       if (sid_equal(trustee, &token->primary_group_sid)) {
-               return True;
-       }
-
-       for (i = 0; i < token->num_token_sids; i++) {
-               if (sid_equal(trustee, &token->token_sids[i])) {
+       for (i = 0; i < token->num_sids; i++) {
+               if (sid_equal(trustee, &token->user_sids[i])) {
                        return True;
                }
        }
@@ -118,7 +110,7 @@ static BOOL gpo_sd_check_trustee_in_sid_token(const DOM_SID *trustee,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, 
-                                              const struct GPO_SID_TOKEN *token) 
+                                              const struct nt_user_token *token) 
 {
        if (gpo_sd_check_agp_object(ace) &&
            gpo_sd_check_agp_access_bits(ace->access_mask) &&
@@ -135,7 +127,7 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, 
-                                               const struct GPO_SID_TOKEN *token) 
+                                               const struct nt_user_token *token) 
 {
        if (gpo_sd_check_agp_object(ace) &&
            gpo_sd_check_agp_access_bits(ace->access_mask) && 
@@ -152,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
 ****************************************************************/
 
 static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, 
-                                const struct GPO_SID_TOKEN *token) 
+                                const struct nt_user_token *token) 
 {
        switch (ace->type) {
                case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@@ -168,7 +160,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
 ****************************************************************/
 
 NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, 
-                                     const struct GPO_SID_TOKEN *token)
+                                     const struct nt_user_token *token)
 {
        SEC_DESC *sd = gpo->security_descriptor;
        SEC_ACL *dacl = NULL;
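Review bot: gpo_sd_check_trustee_in_sid_token no longer compares the trustee against the object SID and primary group SID explicitly; after the change at `for (i = 0; i < token->num_sids; i++)` a match depends entirely on the caller having placed both into `user_sids`, which ads_get_sid_token() in gpo_ldap.c does but nothing in this file documents. Suggest a comment on the function: `/* Expects the object SID and its primary group SID to be part of token->user_sids (built by ads_get_sid_token()). */`. If `num_sids` is an unsigned type, the loop index should match it, `size_t i;`, to avoid a signed/unsigned comparison.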