The Samba-Bugzilla – Attachment 11198 Details for Bug 11362: GPO security filtering based on the groups in Kerberos PAC (but primary group is missing)
Attachment 11198: 0001-add-primary-group-to-groups-in-kerberos-pac.patch (text/plain), 2.44 KB, created by Felix Botner on 2015-06-25 11:16:39 UTC
Flags: patch, obsolete
>From 140eede4287b7bdcae6a2b3e9e5e035bf13983de Mon Sep 17 00:00:00 2001 >From: Felix Botner <botner@univention.de> >Date: Thu, 25 Jun 2015 12:45:20 +0200 >Subject: [PATCH] add primary group to groups in kerberos pac > >GPO security filtering is based on the groups in the kerberos pac. >So the primary group should better be in this group list. > >Signed-off-by: Felix Botner <botner@univention.de> >--- > auth/auth_sam_reply.c | 20 +++++++++++++++++++- > 1 file changed, 19 insertions(+), 1 deletion(-) > >diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c >index 4ede02c..69ef627 100644 >--- a/auth/auth_sam_reply.c >+++ b/auth/auth_sam_reply.c >@@ -78,7 +78,7 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, > sam->groups.count = 0; > sam->groups.rids = NULL; > >- if (user_info_dc->num_sids > 2) { >+ if (user_info_dc->num_sids > 1) { > size_t i; > sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute, > user_info_dc->num_sids); >@@ -86,12 +86,22 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx, > if (sam->groups.rids == NULL) > return NT_STATUS_NO_MEMORY; > >+ /* Add the primary group here too, at least Windows 2012 PAC adds it here */ >+ sam->groups.rids[sam->groups.count].rid = sam->primary_gid; >+ sam->groups.rids[sam->groups.count].attributes = >+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; >+ sam->groups.count += 1; >+ > for (i=2; i<user_info_dc->num_sids; i++) { > struct dom_sid *group_sid = &user_info_dc->sids[i]; > if (!dom_sid_in_domain(sam->domain_sid, group_sid)) { > /* We handle this elsewhere */ > continue; > } >+ /* ignore primary gid, already added above */ >+ if (group_sid->sub_auths[group_sid->num_auths-1] == sam->primary_gid) { >+ continue; >+ } > sam->groups.rids[sam->groups.count].rid = > group_sid->sub_auths[group_sid->num_auths-1]; 
> >@@ -326,6 +336,14 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, > } > > for (i = 0; i < base->groups.count; i++) { >+ >+ /* We added the primary_gid in auth_convert_user_info_dc_sambaseinfo() >+ * and base->groups may contain the primary_gid, so check and ignore >+ the primary_gid here */ >+ if (base->groups.rids[i].rid == base->primary_gid) { >+ continue; >+ } >+ > user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid; > if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) { > return NT_STATUS_INVALID_PARAMETER; >-- >1.7.9.5 >
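Review bot: in the first hunk (`@@ -78,7 +78,7 @@`), relaxing the guard from `> 2` to `> 1` still leaves the primary group out of `sam->groups` whenever the caller passes a user_info_dc that carries only the user SID (num_sids == 1), because the whole block, including the primary-group append that the next hunk places inside it, is skipped. If that input is legal here, either append the primary group outside this guard or document in a comment that the primary group is only emitted when sids[1] is present. The literals 1 here and 2 in `for (i=2; i<user_info_dc->num_sids; i++)` encode the same layout (sids[0] is the user, sids[1] the primary group); a named index constant would make that relationship explicit rather than implied by two magic numbers.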
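Review bot: in the second hunk (`@@ -86,12 +86,22 @@`), the primary-group entry is appended without the `dom_sid_in_domain(sam->domain_sid, group_sid)` check that every entry produced by the loop must pass, so if `sam->primary_gid` can be derived from a SID outside `sam->domain_sid`, that RID would be emitted as though it belonged to the domain. Either check sids[1] against `sam->domain_sid` before the append (and route a foreign primary group to the "We handle this elsewhere" path like the other foreign SIDs), or state in the new comment why the primary group is guaranteed to be a domain RID at this point. The RID-only comparison in the new `continue` branch is sound as written, since it sits after the in-domain check and therefore only ever compares same-domain groups.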
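Review bot: in the third hunk (`@@ -326,6 +336,14 @@`), the new comment is mis-formatted (the third line, `the primary_gid here */`, lacks the leading ` * ` that the second line has) and it explains the skip only in terms of what auth_convert_user_info_dc_sambaseinfo() added, although make_user_info_dc_netlogon_validation() must also cope with a SamBaseInfo produced elsewhere whose groups array may or may not list the primary RID; the RID comparison handles both cases, so the comment should say so instead of pointing at one producer. It would also help to state that the skip is only correct because the primary group SID has already been written into user_info_dc->sids earlier in this function, since that ordering is what makes dropping the duplicate entry here safe.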
Attachments on bug 11362: 11198 | 11199 | 11200 | 15285 | 15286