NTSTATUS nt_status;
union netr_Validation validation;
struct auth_user_info_dc *user_info_dc;
+ const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
+ size_t sidcount;
+
+ rg = &pac_logon_info->resource_groups;
validation.sam3 = discard_const_p(struct netr_SamInfo3, &pac_logon_info->info3);
return nt_status;
}
- if (pac_logon_info->res_groups.count > 0) {
- size_t sidcount;
+ if (pac_logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
+ rg = &pac_logon_info->resource_groups;
+ }
+
+ if (rg == NULL) {
+ *_user_info_dc = user_info_dc;
+ return NT_STATUS_OK;
+ }
+
+ if (rg->groups.count > 0) {
/* The IDL layer would be a better place to check this, but to
* guard the integer addition below, we double-check */
- if (pac_logon_info->res_groups.count > 65535) {
+ if (rg->groups.count > 65535) {
talloc_free(user_info_dc);
return NT_STATUS_INVALID_PARAMETER;
}
trusted domains, and verify that the SID
matches.
*/
- if (!pac_logon_info->res_group_dom_sid) {
+ if (rg->domain_sid == NULL) {
+ talloc_free(user_info_dc);
DEBUG(0, ("Cannot operate on a PAC without a resource domain SID"));
return NT_STATUS_INVALID_PARAMETER;
}
- sidcount = user_info_dc->num_sids + pac_logon_info->res_groups.count;
+ sidcount = user_info_dc->num_sids + rg->groups.count;
user_info_dc->sids
= talloc_realloc(user_info_dc, user_info_dc->sids, struct dom_sid, sidcount);
if (user_info_dc->sids == NULL) {
return NT_STATUS_NO_MEMORY;
}
- for (i = 0; pac_logon_info->res_group_dom_sid && i < pac_logon_info->res_groups.count; i++) {
- user_info_dc->sids[user_info_dc->num_sids] = *pac_logon_info->res_group_dom_sid;
- if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
- pac_logon_info->res_groups.rids[i].rid)) {
+ for (i = 0; i < rg->groups.count; i++) {
+ bool ok;
+
+ user_info_dc->sids[user_info_dc->num_sids] = *rg->domain_sid;
+ ok = sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids],
+ rg->groups.rids[i].rid);
+ if (!ok) {
return NT_STATUS_INVALID_PARAMETER;
}
user_info_dc->num_sids++;
struct netr_SamInfo3 *info3)
{
uint32_t i = 0;
+ const struct PAC_DOMAIN_GROUP_MEMBERSHIP *rg = NULL;
- if (!(logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS)) {
+ if (logon_info->info3.base.user_flags & NETLOGON_RESOURCE_GROUPS) {
+ rg = &logon_info->resource_groups;
+ }
+
+ if (rg == NULL) {
return NT_STATUS_OK;
}
+ if (rg->domain_sid == NULL) {
+ DEBUG(10, ("Missing Resource Group Domain SID\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ /* The IDL layer would be a better place to check this, but to
+ * guard the integer addition below, we double-check */
+ if (rg->groups.count > 65535) {
+ DEBUG(10, ("Too much Resource Group RIDs %u\n",
+ (unsigned)rg->groups.count));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
/*
* If there are any resource groups (SID Compression) add
* them to the extra sids portion of the info3 in the PAC.
* Construct a SID for each RID in the list and then append it
* to the info3.
*/
- for (i = 0; i < logon_info->res_groups.count; i++) {
+ for (i = 0; i < rg->groups.count; i++) {
NTSTATUS status;
struct dom_sid new_sid;
- uint32_t attributes = logon_info->res_groups.rids[i].attributes;
+ uint32_t attributes = rg->groups.rids[i].attributes;
sid_compose(&new_sid,
- logon_info->res_group_dom_sid,
- logon_info->res_groups.rids[i].rid);
+ rg->domain_sid,
+ rg->groups.rids[i].rid);
DEBUG(10, ("Adding SID %s to extra SIDS\n",
sid_string_dbg(&new_sid)));
git.samba.org / obnox / samba / samba-obnox.git / commitdiff