The Samba-Bugzilla – Attachment 4435 Details for
Bug 6199
Handle nested groups and privileges
[patch]
Begin of a patch
transGroups.patch (text/plain), 5.15 KB, created by
Matthias Dieter Wallnöfer
on 2009-07-17 01:35:27 UTC
Description:
Begin of a patch
Filename:
MIME Type:
Creator:
Matthias Dieter Wallnöfer
Created:
2009-07-17 01:35:27 UTC
Size:
5.15 KB
patch
obsolete
>diff --git a/source4/auth/sam.c b/source4/auth/sam.c >index c396662..288d982 100644 >--- a/source4/auth/sam.c >+++ b/source4/auth/sam.c >@@ -4,6 +4,7 @@ > Copyright (C) Andrew Bartlett <abartlet@samba.org> 2001-2004 > Copyright (C) Gerald Carter 2003 > Copyright (C) Stefan Metzmacher 2005 >+ Copyright (C) Matthias Dieter Wallnöfer 2009 > > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by >@@ -252,7 +253,8 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, > return NT_STATUS_OK; > } > >-_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, >+_PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, >+ struct ldb_context *sam_ctx, > const char *netbios_name, > const char *domain_name, > struct ldb_dn *domain_dn, >@@ -260,6 +262,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte > DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, > struct auth_serversupplied_info **_server_info) > { >+ NTSTATUS status; > struct auth_serversupplied_info *server_info; > int group_ret = 0; > /* find list of sids */ >@@ -274,16 +277,18 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte > > server_info = talloc(tmp_ctx, struct auth_serversupplied_info); > NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info, tmp_ctx); >- >+ >+/* > el = ldb_msg_find_element(msg, "memberOf"); > if (el != NULL) { > group_ret = el->num_values; > groupSIDs = talloc_array(server_info, struct dom_sid *, group_ret); > NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx); > } >- >+*/ > /* TODO Note: this is incomplete. We need to unroll some > * nested groups, but not aliases */ >+/* > for (i = 0; i < group_ret; i++) { > struct ldb_dn *dn; > const struct ldb_val *v; 
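Review bot: The old memberOf unrolling is disabled by wrapping it in `/* … */` instead of being removed, and the `/*` opened above the `for (i = 0; i < group_ret; i++)` loop on the last visible lines is only closed by the `*/` added in the -305 hunk. C block comments do not nest, so any `*/` inside that region (a comment within the loop body, which lies outside this hunk) would terminate the comment early and break the build. If calc_trans_clos_sid supersedes this code, delete it; if it is being kept for reference while the patch is a work in progress, `#if 0 … #endif` is the safer idiom. The retained TODO (`nested groups, but not aliases`) should be updated to say what the replacement does and does not cover. authsam_make_server_info continues outside the hunk.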
>@@ -305,10 +310,17 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte > return NT_STATUS_INTERNAL_DB_CORRUPTION; > } > } >- >+*/ > account_sid = samdb_result_dom_sid(server_info, msg, "objectSid"); > NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, tmp_ctx); > >+ status = calc_trans_clos_sid(sam_ctx, account_sid, server_info, >+ &groupSIDs, &group_ret); >+ if (!NT_STATUS_IS_OK(status)) { >+ talloc_free(tmp_ctx); >+ return status; >+ } >+ > primary_group_sid = dom_sid_dup(server_info, account_sid); > NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_sid, tmp_ctx); > >diff --git a/source4/dsdb/common/sidmap.c b/source4/dsdb/common/sidmap.c >index 5c20149..13f33ca 100644 >--- a/source4/dsdb/common/sidmap.c >+++ b/source4/dsdb/common/sidmap.c >@@ -4,6 +4,7 @@ > mapping routines for SID <-> unix uid/gid > > Copyright (C) Andrew Tridgell 2004 >+ Copyright (C) Matthias Dieter Wallnöfer 2009 > > This program is free software; you can redistribute it and/or modify > it under the terms of the GNU General Public License as published by 
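Review bot: The new call `calc_trans_clos_sid(sam_ctx, account_sid, server_info, &groupSIDs, &group_ret)` stores the account's own SID as the first entry of `groupSIDs` (the callee appends `sid` itself before following any memberOf link), so `group_ret` now counts the user SID as a group membership; unless the code after this hunk skips element 0, the token built from this list reports the account as a member of itself, which callers such as access checks will not expect. The callee also only resets `*num_res_sids` when `*res_sids == NULL`, so `groupSIDs` must be initialised to NULL at its declaration, which is outside the hunk — confirm it is. The TODO kept above says nested groups should be unrolled `but not aliases`; the replacement follows every memberOf link without distinguishing group type, so either that limitation still needs handling here or the TODO should be rewritten. The function continues outside the hunk.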
>@@ -610,3 +611,85 @@ NTSTATUS sidmap_allocated_sid_lookup(struct sidmap_context *sidmap, > > return NT_STATUS_OK; > } >+ >+ >+/* This function tests if a SID structure "sids" contains the SID "sid" */ >+bool sids_contains_sid(const struct dom_sid **sids, const int num_sids, >+ const struct dom_sid *sid) >+{ >+ int i; >+ >+ for (i = 0; i < num_sids; i++) >+ if (dom_sid_equal(sids[i], sid)) >+ return true; >+ return false; >+} >+ >+/* >+ * This function generates the transitive closure of a given SID "sid". >+ * - If a SID is a user or a group we've always to consider the "memberOf" >+ * attribute. If the SID isn't located in the "res_sids" structure yet, >+ * we've to add it. >+ * - We also add each object's SID to "res_sids" >+ * At the beginning "res_sids" should be an empty pointer. >+ */ >+NTSTATUS calc_trans_clos_sid(struct ldb_context *sam_ctx, >+ const struct dom_sid *sid, TALLOC_CTX *res_sids_ctx, >+ struct dom_sid ***res_sids, int *num_res_sids) >+{ >+ const char *attrs[] = { "memberOf", NULL }; >+ int i, ret; >+ TALLOC_CTX *tmp_ctx; >+ struct ldb_message **res; >+ NTSTATUS status; >+ >+ if (*res_sids == NULL) >+ *num_res_sids = 0; >+ >+ if (sid == NULL || sids_contains_sid((const struct dom_sid**) *res_sids, >+ *num_res_sids, sid)) >+ return NT_STATUS_OK; >+ >+ *res_sids = talloc_realloc(res_sids_ctx, *res_sids, struct dom_sid *, >+ *num_res_sids + 1); >+ NT_STATUS_HAVE_NO_MEMORY(*res_sids); >+ *res_sids[*num_res_sids] = dom_sid_dup(res_sids_ctx, sid); >+ ++(*num_res_sids); >+ >+ tmp_ctx = talloc_new(sam_ctx); >+ >+ ret = gendb_search(sam_ctx, tmp_ctx, NULL, &res, attrs, >+ "objectSid=%s", ldap_encode_ndr_dom_sid(tmp_ctx, sid)); >+ if (ret != 1) { >+ talloc_free(tmp_ctx); >+ return NT_STATUS_INTERNAL_DB_CORRUPTION; >+ } >+ >+ for (i = 0; i < res[0]->elements[0].num_values; i++) { >+ status = calc_trans_clos_sid( >+ sam_ctx, >+ samdb_search_dom_sid( >+ sam_ctx, >+ tmp_ctx, >+ ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, >+ &res[0]->elements[0].values[i]), >+ 
"objectSid", >+ NULL >+ ), >+ res_sids_ctx, >+ res_sids, >+ num_res_sids >+ ); >+ if (!NT_STATUS_IS_OK(status)) { >+ talloc_free(res); >+ talloc_free(tmp_ctx); >+ return status; >+ } >+ } >+ >+ talloc_free(res); >+ talloc_free(tmp_ctx); >+ >+ return NT_STATUS_OK; >+} >+
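Review bot: `*res_sids[*num_res_sids] = dom_sid_dup(res_sids_ctx, sid);` has a precedence bug: `[]` binds tighter than unary `*`, so this is `*(res_sids[*num_res_sids])` and indexes the caller's `struct dom_sid ***` (here `&groupSIDs`, a single stack variable) instead of the array just grown by talloc_realloc — the first entry happens to land correctly, but every later entry writes past that variable on the caller's stack and leaves the new array slot uninitialised; it must read `(*res_sids)[*num_res_sids] = dom_sid_dup(res_sids_ctx, sid);` followed by a `NT_STATUS_HAVE_NO_MEMORY` on the duplicate. The loop then dereferences `res[0]->elements[0]` on the assumption that the located object carries a memberOf element; an account or group that is a member of nothing comes back with no elements, so that read is out of bounds — look the element up with `ldb_msg_find_element(res[0], "memberOf")` and treat NULL as an empty list. `talloc_new(sam_ctx)` is also unchecked, `i` is a signed `int` compared against the unsigned `num_values`, and since no header change appears in this patch, sam.c's call presumably relies on an implicit declaration unless a prototype exists elsewhere. The rewritten lines are below; calc_trans_clos_sid is complete within the hunk.
```c
NTSTATUS calc_trans_clos_sid(struct ldb_context *sam_ctx,
		const struct dom_sid *sid, TALLOC_CTX *res_sids_ctx,
		struct dom_sid ***res_sids, int *num_res_sids)
{
	/* … unchanged: attrs, ret, tmp_ctx, res, status declarations … */
	struct ldb_message_element *el;
	unsigned int i, num_members;

	/* … unchanged: empty-list reset and "already contained" early return … */

	*res_sids = talloc_realloc(res_sids_ctx, *res_sids, struct dom_sid *,
				   *num_res_sids + 1);
	NT_STATUS_HAVE_NO_MEMORY(*res_sids);
	/* parenthesised: index the array, not the pointer-to-pointer */
	(*res_sids)[*num_res_sids] = dom_sid_dup(res_sids_ctx, sid);
	NT_STATUS_HAVE_NO_MEMORY((*res_sids)[*num_res_sids]);
	++(*num_res_sids);

	tmp_ctx = talloc_new(sam_ctx);
	NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);

	/* … unchanged: gendb_search by objectSid and the ret != 1 check … */

	/* an object that is a member of nothing has no memberOf element */
	el = ldb_msg_find_element(res[0], "memberOf");
	num_members = (el != NULL) ? el->num_values : 0;

	for (i = 0; i < num_members; i++) {
		status = calc_trans_clos_sid(
			sam_ctx,
			samdb_search_dom_sid(
				sam_ctx,
				tmp_ctx,
				ldb_dn_from_ldb_val(tmp_ctx, sam_ctx,
						    &el->values[i]),
				"objectSid",
				NULL
			),
			res_sids_ctx,
			res_sids,
			num_res_sids
		);
		/* … unchanged: status check, cleanup and return … */
	}

	/* … unchanged: final cleanup and NT_STATUS_OK … */
}
```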