samba: add current RHEL6 patches
[ipfire-2.x.git] / src / patches / samba / samba-3.6.99-asserted_identity_sid-S-1-18-1.patch
1 From ed26d110b814e2cf0413bd9665bd08bda271ba01 Mon Sep 17 00:00:00 2001
2 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
3 Date: Fri, 15 Jan 2016 14:46:07 +0100
4 Subject: [PATCH 1/3] security: Add Asserted Identity sids (S-1-18)
5 MIME-Version: 1.0
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
8
9 Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
10
11 definitions taken from [MS-DTYP]: Windows Data Types,
12 2.4.2.4 Well-Known SID Structures.
13
14 Guenther
15
16 Signed-off-by: Günther Deschner <gd@samba.org>
17 ---
18 libcli/security/dom_sid.h | 3 +++
19 libcli/security/util_sid.c | 8 ++++++++
20 librpc/idl/security.idl | 3 +++
21 3 files changed, 14 insertions(+)
22
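--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -35,6 +35,9 @@ extern const struct dom_sid global_sid_System;
 extern const struct dom_sid global_sid_NULL;
 extern const struct dom_sid global_sid_Authenticated_Users;
 extern const struct dom_sid global_sid_Network;
+extern const struct dom_sid global_sid_Asserted_Identity;
+extern const struct dom_sid global_sid_Asserted_Identity_Service;
+extern const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority;
 extern const struct dom_sid global_sid_Creator_Owner;
 extern const struct dom_sid global_sid_Creator_Group;
 extern const struct dom_sid global_sid_Anonymous;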
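--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -53,6 +53,14 @@ const struct dom_sid global_sid_Authenticated_Users = /* All authenticated rids
 const struct dom_sid global_sid_Restriced = /* Restriced Code */
 { 1, 1, {0,0,0,0,0,5}, {12,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 #endif
+
+const struct dom_sid global_sid_Asserted_Identity = /* Asserted Identity */
+{ 1, 0, {0,0,0,0,0,18}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const struct dom_sid global_sid_Asserted_Identity_Service = /* Asserted Identity Service */
+{ 1, 1, {0,0,0,0,0,18}, {1,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+const struct dom_sid global_sid_Asserted_Identity_Authentication_Authority = /* Asserted Identity Authentication Authority */
+{ 1, 1, {0,0,0,0,0,18}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
 const struct dom_sid global_sid_Network = /* Network rids */
 { 1, 1, {0,0,0,0,0,5}, {2,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
 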
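Review bot: The two RID-bearing constants added here disagree with the strings the same patch adds to librpc/idl/security.idl: `global_sid_Asserted_Identity_Service` is initialised with sub-authority 1 (S-1-18-1) and `global_sid_Asserted_Identity_Authentication_Authority` with 2 (S-1-18-2), while the IDL names S-1-18-1 `SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY` and S-1-18-2 `SID_SERVICE_ASSERTED_IDENTITY`. One side has the values swapped; going by the IDL strings, the first sub-authority would be `2` for the Service constant and `1` for the Authentication_Authority one. Nothing visible in this series compares against either constant (only `global_sid_Asserted_Identity` is used), so the effect is latent, but a later access check written against them would match the wrong identity. A short comment giving the string form next to each initialiser, e.g. `/* S-1-18-1 */`, would make such a mismatch visible in review.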
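--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -277,6 +277,9 @@ interface security
 const string SID_NT_TRUSTED_INSTALLER =
 "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464";
 
+ const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
+ const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+
 /* well-known domain RIDs */
 const int DOMAIN_RID_LOGON = 9;
 const int DOMAIN_RID_ENTERPRISE_READONLY_DCS = 498;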
70 --
71 2.5.0
72
73
74 From be247c05146c45bcea5c06a38ff07e8f0c934ab6 Mon Sep 17 00:00:00 2001
75 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
76 Date: Fri, 15 Jan 2016 14:43:12 +0100
77 Subject: [PATCH 2/3] s3-util: add helper functions to deal with the S-1-18
78 domain.
79 MIME-Version: 1.0
80 Content-Type: text/plain; charset=UTF-8
81 Content-Transfer-Encoding: 8bit
82
83 Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
84
85 Guenther
86
87 Signed-off-by: Günther Deschner <gd@samba.org>
88 ---
89 source3/Makefile.in | 2 +-
90 source3/include/proto.h | 5 +++++
91 source3/lib/util_specialsids.c | 40 ++++++++++++++++++++++++++++++++++++++++
92 source3/wscript_build | 1 +
93 4 files changed, 47 insertions(+), 1 deletion(-)
94 create mode 100644 source3/lib/util_specialsids.c
95
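--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -456,7 +456,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) \
 lib/access.o lib/smbrun.o \
 lib/bitmap.o lib/dprintf.o $(UTIL_REG_OBJ) \
 lib/wins_srv.o \
- lib/util_str.o lib/clobber.o lib/util_sid.o \
+ lib/util_str.o lib/clobber.o lib/util_sid.o lib/util_specialsids.o \
 lib/util_unistr.o ../lib/util/charset/codepoints.o lib/util_file.o \
 lib/util.o lib/util_cmdline.o lib/util_names.o \
 lib/util_sock.o lib/sock_exec.o lib/util_sec.o \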
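--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1937,6 +1937,11 @@ bool sid_check_is_in_unix_groups(const struct dom_sid *sid);
 const char *unix_groups_domain_name(void);
 bool lookup_unix_group_name(const char *name, struct dom_sid *sid);
 
+/* The following definitions come from lib/util_specialsids.c */
+bool sid_check_is_asserted_identity(const struct dom_sid *sid);
+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid);
+const char *asserted_identity_domain_name(void);
+
 /* The following definitions come from lib/filename_util.c */
 
 NTSTATUS get_full_smb_filename(TALLOC_CTX *ctx, const struct smb_filename *smb_fname,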
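--- /dev/null
+++ b/source3/lib/util_specialsids.c
@@ -0,0 +1,40 @@
+/*
+ Unix SMB/CIFS implementation.
+ Copyright (C) Guenther Deschner 2016
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "../libcli/security/security.h"
+
+bool sid_check_is_asserted_identity(const struct dom_sid *sid)
+{
+ return dom_sid_equal(sid, &global_sid_Asserted_Identity);
+}
+
+bool sid_check_is_in_asserted_identity(const struct dom_sid *sid)
+{
+ struct dom_sid dom_sid;
+
+ sid_copy(&dom_sid, sid);
+ sid_split_rid(&dom_sid, NULL);
+
+ return sid_check_is_asserted_identity(&dom_sid);
+}
+
+const char *asserted_identity_domain_name(void)
+{
+ return "Asserted Identity";
+}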
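Review bot: `sid_check_is_in_asserted_identity()` discards the return value of `sid_split_rid()`, so its answer for a SID that has no sub-authority to strip depends on how that helper leaves `dom_sid`, which is not visible in this patch. Because patch 3/3 uses this predicate to decide which SIDs are left out of a user's token, the contract should be written down. As the code reads, it strips one sub-authority and compares the rest with S-1-18, so I would add above the function `/* true if sid is exactly one sub-authority below S-1-18; deeper SIDs do not match */` and either check the helper's result or note why it is safe to ignore. The three new functions carry no comments at all, and the intended consumer of the fixed string returned by `asserted_identity_domain_name()` is not shown.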
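--- a/source3/wscript_build
+++ b/source3/wscript_build
@@ -74,6 +74,7 @@ LIB_SRC = '''
 lib/bitmap.c lib/dprintf.c
 lib/wins_srv.c
 lib/clobber.c lib/util_sid.c
+ lib/util_specialsids.c
 lib/util_file.c
 lib/util.c lib/util_cmdline.c lib/util_names.c
 lib/util_sock.c lib/sock_exec.c lib/util_sec.c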
183 --
184 2.5.0
185
186
187 From bb5c28c8d45be8e26abe37e4873c4b1c59fff782 Mon Sep 17 00:00:00 2001
188 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= <gd@samba.org>
189 Date: Fri, 15 Jan 2016 14:43:48 +0100
190 Subject: [PATCH 3/3] s3-util: skip S-1-18 sids in token generaion in
191 sid_array_from_info3().
192 MIME-Version: 1.0
193 Content-Type: text/plain; charset=UTF-8
194 Content-Transfer-Encoding: 8bit
195
196 Bug: https://bugzilla.samba.org/show_bug.cgi?id=11677
197
198 Guenther
199
200 Signed-off-by: Günther Deschner <gd@samba.org>
201 ---
202 source3/lib/util_sid.c | 5 +++++
203 1 file changed, 5 insertions(+)
204
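--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -190,6 +190,11 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 */
 
 for (i = 0; i < info3->sidcount; i++) {
+
+ if (sid_check_is_in_asserted_identity(info3->sids[i].sid)) {
+ continue;
+ }
+
 status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
 &sid_array, &num_sids);
 if (!NT_STATUS_IS_OK(status)) {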
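Review bot: The new `continue` drops every SID matched by `sid_check_is_in_asserted_identity()` from the array without any trace, so an ACE that names an asserted-identity SID can never match a token built from this array, and nothing in the logs shows that a SID was filtered. That may be the intended trade-off for bug 11677, but it deserves a comment at the skip, e.g. `/* S-1-18-x asserted-identity SIDs are not carried into the token; ACEs naming them will not match */`. A debug-level message inside the branch, such as `DEBUG(10, ("sid_array_from_info3: skipping asserted identity sid\n"));`, would let an administrator see the filtering when diagnosing an access decision. The body of `sid_array_from_info3()` starts and ends outside this hunk, so whether the array is used for anything other than token generation cannot be checked from here.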
221 --
222 2.5.0
223