The Samba-Bugzilla – Attachment 11781 Details for
Bug 11677
unmappable S-1-18 should be skipped in token generation
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master
master.patch (text/plain), 7.25 KB, created by
Guenther Deschner
on 2016-01-15 15:10:23 UTC
(
hide
)
Description:
patch for master
Filename:
MIME Type:
Creator:
Guenther Deschner
Created:
2016-01-15 15:10:23 UTC
Size:
7.25 KB
patch
obsolete
>From 59bbf567a744bf0ec21eeef1e715a62884a9c92e Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 15 Jan 2016 14:46:07 +0100 >Subject: [PATCH 1/3] security: Add Asserted Identity sids (S-1-18) >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 > >definitions taken from [MS-DTYP]: Windows Data Types, >2.4.2.4 Well-Known SID Structures. > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >--- > libcli/security/dom_sid.h | 3 +++ > libcli/security/util_sid.c | 8 ++++++++ > librpc/idl/security.idl | 3 +++ > 3 files changed, 14 insertions(+) > >diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h >index 990a4c4..bdcec94 100644 >--- a/libcli/security/dom_sid.h >+++ b/libcli/security/dom_sid.h >@@ -36,6 +36,9 @@ extern const struct dom_sid global_sid_System; > extern const struct dom_sid global_sid_NULL; > extern const struct dom_sid global_sid_Authenticated_Users; > extern const struct dom_sid global_sid_Network; >+extern const struct dom_sid global_sid_Asserted_Identity; >+extern const struct dom_sid global_sid_Asserted_Identity_Service; >+extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority; > extern const struct dom_sid global_sid_Creator_Owner; > extern const struct dom_sid global_sid_Creator_Group; > extern const struct dom_sid global_sid_Owner_Rights; >diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c >index 3399801..ab3018a 100644 >--- a/libcli/security/util_sid.c >+++ b/libcli/security/util_sid.c >@@ -55,6 +55,14 @@ const struct dom_sid global_sid_Authenticated_Users = /* All authenticated rids > const struct dom_sid global_sid_Restriced = /* Restriced Code */ > { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; > #endif >+ >+const struct dom_sid global_sid_Asserted_Identity = /* Asserted Identity */ >+{ 1, 0, {0,0,0,0,0,18}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; >+const struct dom_sid global_sid_Asserted_Identity_Service = /* Asserted Identity Service */ >+{ 1, 1, {0,0,0,0,0,18}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; >+const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /* Asserted Identity Authentication Authority */ >+{ 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; >+ > const struct dom_sid global_sid_Network = /* Network rids */ > { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}; > >diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl >index b78307e..f412ffe 100644 >--- a/librpc/idl/security.idl >+++ b/librpc/idl/security.idl >@@ -285,6 +285,9 @@ interface security > const string SID_NT_TRUSTED_INSTALLER = > "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"; > >+ const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; >+ const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; >+ > /* well-known domain RIDs */ > const int DOMAIN_RID_LOGON = 9; > const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498; >-- >2.5.0 > > >From 9cd4b4ded9558a9dd3f7501ae946ee22793ad153 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 15 Jan 2016 14:43:12 +0100 >Subject: [PATCH 2/3] s3-util: add helper functions to deal with the S-1-18 > domain. >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >--- > source3/include/proto.h | 5 +++++ > source3/lib/util_specialsids.c | 40 ++++++++++++++++++++++++++++++++++++++++ > source3/wscript_build | 1 + > 3 files changed, 46 insertions(+) > create mode 100644 source3/lib/util_specialsids.c > >diff --git a/source3/include/proto.h b/source3/include/proto.h >index a53aabd..809cb95 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -1174,6 +1174,11 @@ bool sid_check_is_in_unix_groups(const struct dom_sid *sid); > const char *unix_groups_domain_name(void); > bool lookup_unix_group_name(const char *name, struct dom_sid *sid); > >+/* The following definitions come from lib/util_specialsids.c */ >+bool sid_check_is_asserted_identity(const struct dom_sid *sid); >+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid); >+const char *asserted_identity_domain_name(void); >+ > /* The following definitions come from lib/filename_util.c */ > > NTSTATUS get_full_smb_filename(TALLOC_CTX *ctx, const struct smb_filename *smb_fname, >diff --git a/source3/lib/util_specialsids.c b/source3/lib/util_specialsids.c >new file mode 100644 >index 0000000..4c402d6 >--- /dev/null >+++ b/source3/lib/util_specialsids.c >@@ -0,0 +1,40 @@ >+/* >+ Unix SMB/CIFS implementation. >+ Copyright (C) Guenther Deschner 2016 >+ >+ This program is free software; you can redistribute it and/or modify >+ it under the terms of the GNU General Public License as published by >+ the Free Software Foundation; either version 3 of the License, or >+ (at your option) any later version. >+ >+ This program is distributed in the hope that it will be useful, >+ but WITHOUT ANY WARRANTY; without even the implied warranty of >+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ GNU General Public License for more details. >+ >+ You should have received a copy of the GNU General Public License >+ along with this program. If not, see <http://www.gnu.org/licenses/>. >+*/ >+ >+#include "includes.h" >+#include "../libcli/security/security.h" >+ >+bool sid_check_is_asserted_identity(const struct dom_sid *sid) >+{ >+ return dom_sid_equal(sid, &global_sid_Asserted_Identity); >+} >+ >+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid) >+{ >+ struct dom_sid dom_sid; >+ >+ sid_copy(&dom_sid, sid); >+ sid_split_rid(&dom_sid, NULL); >+ >+ return sid_check_is_asserted_identity(&dom_sid); >+} >+ >+const char *asserted_identity_domain_name(void) >+{ >+ return "Asserted Identity"; >+} >diff --git a/source3/wscript_build b/source3/wscript_build >index 9d5d0d0..b8eaeca 100755 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -253,6 +253,7 @@ bld.SAMBA3_SUBSYSTEM('samba3util', > lib/recvfile.c > lib/time.c > lib/util_sid.c >+ lib/util_specialsids.c > lib/util_file.c > lib/util.c > lib/util_path.c >-- >2.5.0 > > >From 941cf3a8ec57eb0971a8bad1b285b97749980100 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> >Date: Fri, 15 Jan 2016 14:43:48 +0100 >Subject: [PATCH 3/3] s3-util: skip S-1-18 sids in token generaion in > sid_array_from_info3(). >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 > >Guenther > >Signed-off-by: Günther Deschner <gd@samba.org> >--- > source3/lib/util_sid.c | 5 +++++ > 1 file changed, 5 insertions(+) > >diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c >index 4b6fb81..4d57a92 100644 >--- a/source3/lib/util_sid.c >+++ b/source3/lib/util_sid.c >@@ -185,6 +185,11 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, > */ > > for (i = 0; i < info3->sidcount; i++) { >+ >+ if (sid_check_is_in_asserted_identity(info3->sids[i].sid)) { >+ continue; >+ } >+ > status = add_sid_to_array(mem_ctx, info3->sids[i].sid, > &sid_array, &num_sids); > if (!NT_STATUS_IS_OK(status)) { >-- >2.5.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=11781">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
asn
:
review+
Actions:
View
Attachments on
bug 11677
: 11781