s4:dsdb: Add session info flag to indicate authentication with a device
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 27 Sep 2023 01:54:06 +0000 (14:54 +1300)
committerJoseph Sutton <jsutton@samba.org>
Sun, 1 Oct 2023 22:45:38 +0000 (22:45 +0000)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
auth/common_auth.h
source4/dsdb/samdb/samdb.c

index 24b7b14f51a0a0b44bf97bb521079acbfd1c292e..58fb2cd0b3d3888e94342fb73cb6cc28b4f908d9 100644 (file)
@@ -40,6 +40,7 @@ enum auth_password_state {
 #define AUTH_SESSION_INFO_SIMPLE_PRIVILEGES  0x04 /* Use a trivial map between users and privileges, rather than a DB */
 #define AUTH_SESSION_INFO_UNIX_TOKEN         0x08 /* The returned token must have the unix_token and unix_info elements provided */
 #define AUTH_SESSION_INFO_NTLM               0x10 /* The returned token must have authenticated-with-NTLM flag set */
+#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION  0x20 /* The user authenticated with a device. */
 
 struct auth_usersupplied_info
 {
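Review bot: The comment on `AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION` states a fact about the user, whereas the neighbouring flags document what the caller asks of the returned token, and it does not explain the FORCE in the name. The second hunk of this commit uses the flag to seed `authentication_was_compounded` in security_token_create(), so the comment should say that setting it is the caller's assertion, for example `/* Mark the returned token as compounded (user + device) authentication; set only after device authentication has been verified */`. That gives anyone auditing the callers a clear statement of the precondition.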
index 33cad4b1746edd45619816f10c689c7c397d5d99..81576829a7506bac782a74c539dd536900073e0f 100644 (file)
@@ -178,7 +178,7 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
        enum claims_evaluation_control evaluate_claims;
        bool sids_are_valid = false;
        bool device_sids_are_valid = false;
-       bool authentication_was_compounded = false;
+       bool authentication_was_compounded = session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION;
 
        /*
         * Some special-case callers can't supply the lp_ctx, but do
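Review bot: The new initialiser of `authentication_was_compounded` accepts the caller's flag as the only evidence of device authentication in the lines visible here, and it relies on implicit conversion of a masked flag word to bool. Writing it as `bool authentication_was_compounded = (session_info_flags & AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION) != 0;`, wrapped to stay within 80 columns, makes the intent explicit. A short comment such as `/* Caller asserts device authentication; trusted as given */` would record the trust assumption, since this value presumably feeds into access-control decisions made from the token. The body of security_token_create() starts and continues outside the hunk, so whether the flag is later cross-checked against the device SIDs cannot be seen from here.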