1 | From ed26d110b814e2cf0413bd9665bd08bda271ba01 Mon Sep 17 00:00:00 2001 |
2 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | |
3 | Date: Fri, 15 Jan 2016 14:46:07 +0100 | |
4 | Subject: [PATCH 1/3] security: Add Asserted Identity sids (S-1-18) | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 | |
10 | ||
11 | definitions taken from [MS-DTYP]: Windows Data Types, | |
12 | 2.4.2.4 Well-Known SID Structures. | |
13 | ||
14 | Guenther | |
15 | ||
16 | Signed-off-by: Günther Deschner <gd@samba.org> | |
17 | --- | |
18 | libcli/security/dom_sid.h | 3 +++ | |
19 | libcli/security/util_sid.c | 8 ++++++++ | |
20 | librpc/idl/security.idl | 3 +++ | |
21 | 3 files changed, 14 insertions(+) | |
22 | ||
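diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 04571c2..503b621 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -35,6 +35,9 @@ extern const struct dom_sid global_sid_System;
 extern const struct dom_sid global_sid_NULL;
 extern const struct dom_sid global_sid_Authenticated_Users;
 extern const struct dom_sid global_sid_Network;
+extern const struct dom_sid global_sid_Asserted_Identity;
+extern const struct dom_sid global_sid_Asserted_Identity_Service;
+extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Anonymous;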
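diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index cf1f7f3..5a41ef7 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -53,6 +53,14 @@ const struct dom_sid global_sid_Authenticated_Users = /* All authenticated rids
 const struct dom_sid global_sid_Restriced = /* Restriced Code */
 { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 #endif
+
+const struct dom_sid global_sid_Asserted_Identity = /* Asserted Identity */
+{ 1, 0, {0,0,0,0,0,18}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const struct dom_sid global_sid_Asserted_Identity_Service = /* Asserted Identity Service */
+{ 1, 1, {0,0,0,0,0,18}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /* Asserted Identity Authentication Authority */
+{ 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 const struct dom_sid global_sid_Network = /* Network rids */
 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 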
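Review bot: The RIDs assigned to the two new S-1-18 sub-SIDs disagree with the string constants the same series adds to librpc/idl/security.idl: `global_sid_Asserted_Identity_Service` gets sub-authority 1 and `global_sid_Asserted_Identity_Authentication_Authority` gets sub-authority 2, while the IDL hunk defines SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY as "S-1-18-1" and SID_SERVICE_ASSERTED_IDENTITY as "S-1-18-2". [MS-DTYP] 2.4.2.4, which the commit message cites, agrees with the IDL, so the two C initializers should swap their RID slots: `{ 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}` for the Service SID and `{ 1, 1, {0,0,0,0,0,18}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}}` for the Authentication Authority SID. Left as is, any code that names a SID via these constants would describe an identity asserted by a service as authority-asserted and vice versa, and the two representations in the tree would never be reconcilable. It would also be consistent to add a `SID_ASSERTED_IDENTITY = "S-1-18"` domain constant to the IDL hunk to mirror global_sid_Asserted_Identity.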
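diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 0ea79a3..7df773e 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -277,6 +277,9 @@ interface security
 const string SID_NT_TRUSTED_INSTALLER =
 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
 
+ const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
+ const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+
 /* well-known domain RIDs */
 const int DOMAIN_RID_LOGON = 9;
 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;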
70 | -- | |
71 | 2.5.0 | |
72 | ||
73 | ||
74 | From be247c05146c45bcea5c06a38ff07e8f0c934ab6 Mon Sep 17 00:00:00 2001 | |
75 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | |
76 | Date: Fri, 15 Jan 2016 14:43:12 +0100 | |
77 | Subject: [PATCH 2/3] s3-util: add helper functions to deal with the S-1-18 | |
78 | domain. | |
79 | MIME-Version: 1.0 | |
80 | Content-Type: text/plain; charset=UTF-8 | |
81 | Content-Transfer-Encoding: 8bit | |
82 | ||
83 | Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 | |
84 | ||
85 | Guenther | |
86 | ||
87 | Signed-off-by: Günther Deschner <gd@samba.org> | |
88 | --- | |
89 | source3/Makefile.in | 2 +- | |
90 | source3/include/proto.h | 5 +++++ | |
91 | source3/lib/util_specialsids.c | 40 ++++++++++++++++++++++++++++++++++++++++ | |
92 | source3/wscript_build | 1 + | |
93 | 4 files changed, 47 insertions(+), 1 deletion(-) | |
94 | create mode 100644 source3/lib/util_specialsids.c | |
95 | ||
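diff --git a/source3/Makefile.in b/source3/Makefile.in
index 9e8e03d..8df2bff 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -456,7 +456,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
 lib/access.o lib/smbrun.o \
 lib/bitmap.o lib/dprintf.o $(UTIL_REG_OBJ) \
 lib/wins_srv.o \
- lib/util_str.o lib/clobber.o lib/util_sid.o \
+ lib/util_str.o lib/clobber.o lib/util_sid.o lib/util_specialsids.o \
 lib/util_unistr.o ../lib/util/charset/codepoints.o lib/util_file.o \
 lib/util.o lib/util_cmdline.o lib/util_names.o \
 lib/util_sock.o lib/sock_exec.o lib/util_sec.o \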
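diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7303e76..8cd162b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1937,6 +1937,11 @@ bool sid_check_is_in_unix_groups(const struct dom_sid *sid);
 const char *unix_groups_domain_name(void);
 bool lookup_unix_group_name(const char *name, struct dom_sid *sid);
 
+/* The following definitions come from lib/util_specialsids.c */
+bool sid_check_is_asserted_identity(const struct dom_sid *sid);
+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid);
+const char *asserted_identity_domain_name(void);
+
 /* The following definitions come from lib/filename_util.c */
 
 NTSTATUS get_full_smb_filename(TALLOC_CTX *ctx, const struct smb_filename *smb_fname,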
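diff --git a/source3/lib/util_specialsids.c b/source3/lib/util_specialsids.c
new file mode 100644
index 0000000..4c402d6
--- /dev/null
+++ b/source3/lib/util_specialsids.c
@@ -0,0 +1,40 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Guenther Deschner 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "../libcli/security/security.h"
+
+bool sid_check_is_asserted_identity(const struct dom_sid *sid)
+{
+ return dom_sid_equal(sid, &global_sid_Asserted_Identity);
+}
+
+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid)
+{
+ struct dom_sid dom_sid;
+
+ sid_copy(&dom_sid, sid);
+ sid_split_rid(&dom_sid, NULL);
+
+ return sid_check_is_asserted_identity(&dom_sid);
+}
+
+const char *asserted_identity_domain_name(void)
+{
+ return "Asserted Identity";
+}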
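Review bot: `sid_check_is_in_asserted_identity` strips exactly one sub-authority and then compares against S-1-18, so it matches every S-1-18-&lt;rid&gt; regardless of rid, not only the two values ([MS-DTYP] RIDs 1 and 2) that patch 1 defines as `global_sid_Asserted_Identity_Service` and `global_sid_Asserted_Identity_Authentication_Authority`; the file does not say whether accepting unknown RIDs under S-1-18 is intended. The return value of `sid_split_rid` is discarded, so a SID with no sub-authorities (S-1-18 itself) presumably passes through unchanged and is also reported as "in" the domain, while anything two or more levels deep never matches — worth stating. A header comment would make the contract clear: `/* True for S-1-18 and any direct child S-1-18-<rid> (asserted identity SIDs); deeper SIDs and other authorities do not match. */`. Since this predicate drives which SIDs get dropped from the token in patch 3, a reviewer should confirm that any-RID matching is the desired behaviour rather than an exact match against the two known SIDs.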
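diff --git a/source3/wscript_build b/source3/wscript_build
index 40935d1..ceccbb5 100755
--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -74,6 +74,7 @@ LIB_SRC = '''
 lib/bitmap.c lib/dprintf.c
 lib/wins_srv.c
 lib/clobber.c lib/util_sid.c
+ lib/util_specialsids.c
 lib/util_file.c
 lib/util.c lib/util_cmdline.c lib/util_names.c
 lib/util_sock.c lib/sock_exec.c lib/util_sec.c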
183 | -- | |
184 | 2.5.0 | |
185 | ||
186 | ||
187 | From bb5c28c8d45be8e26abe37e4873c4b1c59fff782 Mon Sep 17 00:00:00 2001 | |
188 | From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org> | |
189 | Date: Fri, 15 Jan 2016 14:43:48 +0100 | |
190 | Subject: [PATCH 3/3] s3-util: skip S-1-18 sids in token generaion in | |
191 | sid_array_from_info3(). | |
192 | MIME-Version: 1.0 | |
193 | Content-Type: text/plain; charset=UTF-8 | |
194 | Content-Transfer-Encoding: 8bit | |
195 | ||
196 | Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677 | |
197 | ||
198 | Guenther | |
199 | ||
200 | Signed-off-by: Günther Deschner <gd@samba.org> | |
201 | --- | |
202 | source3/lib/util_sid.c | 5 +++++ | |
203 | 1 file changed, 5 insertions(+) | |
204 | ||
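diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index f051b7a..92fbc76 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -190,6 +190,11 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 */
 
 for (i = 0; i < info3->sidcount; i++) {
+
+ if (sid_check_is_in_asserted_identity(info3->sids[i].sid)) {
+ continue;
+ }
+
 status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
 &sid_array, &num_sids);
 if (!NT_STATUS_IS_OK(status)) {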
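Review bot: The new `continue` silently drops every S-1-18-&lt;rid&gt; SID carried in info3 with neither a comment nor a debug line, so a reader of sid_array_from_info3 cannot tell why the asserted-identity SIDs present in the logon data are absent from the resulting token. Add a comment on the skip such as `/* S-1-18 asserted-identity SIDs describe how the identity was authenticated, not group membership; presumably they cannot be resolved like account SIDs, so leave them out of the token (bug 11677). */`, and consider a `DEBUG(10, ...)` line naming the skipped SID so the omission is traceable when diagnosing access decisions. This also means ACEs that grant or deny on S-1-18-1 or S-1-18-2 can never take effect on a token built here, which should be stated explicitly if it is intended. The enclosing function sid_array_from_info3 begins and ends outside this hunk.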
221 | -- | |
222 | 2.5.0 | |
223 |