auth: remember the origin of sids from the PAC
authorStefan Metzmacher <metze@samba.org>
Thu, 19 Dec 2024 17:30:49 +0000 (18:30 +0100)
committerStefan Metzmacher <metze@samba.org>
Fri, 14 Feb 2025 14:21:33 +0000 (14:21 +0000)
So far the conversion from TGT PAC to
struct auth_user_info_dc back to TGS PAC
loses the information in what part of
the PAC_LOGON_INFO a sid was stored.

With this change we let
make_user_info_dc_{netlogon_validation,pac}()
remember this, so that
auth_convert_user_info_dc_sam{baseinfo,info6}()
can rebuild the information into the desired
parts of the PAC_LOGON_INFO.

This was found and fixed for sid filter related
tests, but it turns out that it already
fixes a few tests from samba.tests.krb5.device_tests.

All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
which means we use the same logic as before.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
auth/auth_sam_reply.c
librpc/idl/auth.idl
selftest/knownfail_heimdal_kdc.d/device-info

index d198fc9c9f632ff4493c019537fdbd97265f4ee1..2123094bf0a779573b4f3299982e77aa1f49199a 100644 (file)
 static bool is_base_sid(const struct auth_SidAttr *sid,
                        const struct dom_sid *domain_sid)
 {
+       if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+               goto check_domain;
+       }
+
+       if (sid->origin != AUTH_SID_ORIGIN_UNKNOWN) {
+               return false;
+       }
+
        if (sid->attrs & SE_GROUP_RESOURCE) {
                /*
                 * Resource groups don't belong in the base
@@ -37,6 +45,7 @@ static bool is_base_sid(const struct auth_SidAttr *sid,
                return false;
        }
 
+check_domain:
        /*
         * This SID belongs in the base structure only if it's in the account's
         * domain.
@@ -145,6 +154,13 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
                          const uint32_t allocated_resource_groups,
                          const enum auth_group_inclusion group_inclusion)
 {
+       if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+               return NT_STATUS_OK;
+       }
+       if (sid->origin == AUTH_SID_ORIGIN_EXTRA) {
+               goto store_in_extra;
+       }
+
        /* See if it's a resource SID. */
        if (sid->attrs & SE_GROUP_RESOURCE) {
                /*
@@ -176,7 +192,7 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
                        return NT_STATUS_INVALID_PARAMETER;
                }
        }
-
+store_in_extra:
        /* Just store the SID in Extra SIDs. */
        return store_extra_sid(sids,
                               sidcount,
@@ -734,6 +750,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
        user_info_dc->sids[PRIMARY_USER_SID_INDEX] = (struct auth_SidAttr) {
                .sid = tmpsid,
                .attrs = SE_GROUP_DEFAULT_FLAGS,
+               .origin = AUTH_SID_ORIGIN_BASE,
        };
 
        tmpsid = *base->domain_sid;
@@ -750,6 +767,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
        user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = (struct auth_SidAttr) {
                .sid = tmpsid,
                .attrs = SE_GROUP_DEFAULT_FLAGS,
+               .origin = AUTH_SID_ORIGIN_BASE,
        };
 
        user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
@@ -765,6 +783,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
                bgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
                        .sid = tmpsid,
                        .attrs = base->groups.rids[i].attributes,
+                       .origin = AUTH_SID_ORIGIN_BASE,
                };
                user_info_dc->num_sids++;
        }
@@ -779,6 +798,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
                dgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
                        .sid = *sids[i].sid,
                        .attrs = sids[i].attributes,
+                       .origin = AUTH_SID_ORIGIN_EXTRA,
                };
                user_info_dc->num_sids++;
        }
@@ -921,6 +941,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
                        rgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
                                .sid = tmpsid,
                                .attrs = rg->groups.rids[i].attributes,
+                               .origin = AUTH_SID_ORIGIN_RESOURCE,
                        };
                        user_info_dc->num_sids++;
                }
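Review bot: A SID tagged AUTH_SID_ORIGIN_BASE whose domain does not match domain_sid is now stored nowhere: the new `goto check_domain` in is_base_sid still returns false when the domain check fails, and the new early `return NT_STATUS_OK` for AUTH_SID_ORIGIN_BASE in store_sid skips the Extra SIDs path, so if the caller runs the usual is_base_sid-then-store_sid sequence (the caller is outside these hunks) the SID is dropped silently. Today this seems unreachable because make_user_info_dc_netlogon_validation only tags SIDs built from base->domain_sid as BASE, but nothing on the conversion side enforces that, and a future producer of auth_SidAttr could break it unnoticed. At minimum the assumption should be stated above the early return, e.g. `/* BASE sids are placed by is_base_sid(); they are never added to Extra SIDs, so a BASE sid outside domain_sid is lost here */`, and if the caller does consume BASE SIDs via is_base_sid first, returning NT_STATUS_INVALID_PARAMETER there instead of NT_STATUS_OK would turn the silent loss into an error. Both is_base_sid and store_sid continue past the hunk edges.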
index 214f48185f29f95686a45477fa220cc8e621777f..f2998b2b7d6613e302e2c68029487da03736a666 100644 (file)
@@ -116,9 +116,17 @@ interface auth
                AUTH_EXCLUDE_RESOURCE_GROUPS = 4
        } auth_group_inclusion;
 
+       typedef [nopush,nopull] enum {
+               AUTH_SID_ORIGIN_UNKNOWN = 0,
+               AUTH_SID_ORIGIN_BASE = 1,
+               AUTH_SID_ORIGIN_EXTRA = 2,
+               AUTH_SID_ORIGIN_RESOURCE = 3
+       } auth_sid_origin;
+
        typedef [nopush,nopull] struct {
                dom_sid sid;
                security_GroupAttrs attrs;
+               auth_sid_origin origin;
        } auth_SidAttr;
 
        /* This is the interim product of the auth subsystem, before
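Review bot: The new auth_sid_origin enum and the origin field in auth_SidAttr carry no comment, although the conversion code now keys on them and the commit description relies on AUTH_SID_ORIGIN_UNKNOWN being 0 so that every initializer that does not set .origin keeps the old classification logic. I would pin that down on the enumerator, `AUTH_SID_ORIGIN_UNKNOWN = 0, /* must stay 0: initializers that omit .origin rely on it meaning "classify by attrs and domain as before" */`, and give the field a one-line purpose, e.g. `auth_sid_origin origin; /* part of PAC_LOGON_INFO this sid was taken from, so it can be put back there */`. Since the types are [nopush,nopull] they appear to have no generated marshalling, so these comments are the only place the contract is visible to the next maintainer.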
index 46e403dd786a9280567b206b1d01961cf611e944..8582c9cc61a85ff5933d7d65063148710df6ac24 100644 (file)
@@ -3,7 +3,3 @@
 #
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_compressed.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_uncompressed.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc