From 4a5f0f25772cb9381352a149ee54f579fe4c38f6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 19 Dec 2024 18:30:49 +0100
Subject: [PATCH] auth: remember the origin of sids from the PAC
So far the conversion from TGT PAC to struct auth_user_info_dc back to TGS PAC looses the information in what part of the PAC_LOGON_INFO a sid was stored. With this change we let make_user_info_dc_{netlogon_validation,pac}() remember this, so that auth_convert_user_info_dc_sam{baseinfo,info6}() can rebuild the information into the desired parts of the PAC_LOGON_INFO. This was found and fixed for sid filter related tests, but it turns out that it already fixes a few tests from samba.tests.krb5.device_tests. All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0), which means we use the same logic as before.
Signed-off-by: Stefan Metzmacher
Reviewed-by: Jennifer Sutton
---
 auth/auth_sam_reply.c | 23 +++++++++++++++++++-
 librpc/idl/auth.idl | 8 +++++++
 selftest/knownfail_heimdal_kdc.d/device-info | 4 ----
 3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index d198fc9c9f6..2123094bf0a 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -29,6 +29,14 @@ static bool is_base_sid(const struct auth_SidAttr *sid,
 const struct dom_sid *domain_sid)
 {
+ if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+ goto check_domain;
+ }
+
+ if (sid->origin != AUTH_SID_ORIGIN_UNKNOWN) {
+ return false;
+ }
+
 if (sid->attrs & SE_GROUP_RESOURCE) {
 /*
 * Resource groups don't belong in the base
@@ -37,6 +45,7 @@ static bool is_base_sid(const struct auth_SidAttr *sid,
 return false;
 }
+check_domain:
 /*
 * This SID belongs in the base structure only if it's in the account's
 * domain.
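Review bot: The two origin tests added at the top of is_base_sid(), together with the `check_domain:` label in the next hunk, encode a three-way decision on `sid->origin` as a forward `goto` past the SE_GROUP_RESOURCE check; a `switch (sid->origin)` gives the same three outcomes without the label and, where the pidl-generated type is a real enum, lets `-Wswitch` flag a newly added origin value instead of silently classifying it as "not base". Behaviour stays identical: BASE goes straight to the domain test, UNKNOWN keeps the attribute-based rule, anything else returns false. The domain check and the rest of the function are outside these hunks.
```c
static bool is_base_sid(const struct auth_SidAttr *sid,
			const struct dom_sid *domain_sid)
{
	switch (sid->origin) {
	case AUTH_SID_ORIGIN_BASE:
		/* Recorded as a base SID when parsed: only the domain check applies. */
		break;
	case AUTH_SID_ORIGIN_UNKNOWN:
		if (sid->attrs & SE_GROUP_RESOURCE) {
			/* … unchanged: resource groups never belong in the base … */
			return false;
		}
		break;
	default:
		/* EXTRA and RESOURCE origins are never base RIDs. */
		return false;
	}

	/* … unchanged: domain membership check … */
```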
@@ -145,6 +154,13 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
 const uint32_t allocated_resource_groups,
 const enum auth_group_inclusion group_inclusion)
 {
+ if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+ return NT_STATUS_OK;
+ }
+ if (sid->origin == AUTH_SID_ORIGIN_EXTRA) {
+ goto store_in_extra;
+ }
+
 /* See if it's a resource SID. */
 if (sid->attrs & SE_GROUP_RESOURCE) {
 /*
@@ -176,7 +192,7 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
 return NT_STATUS_INVALID_PARAMETER;
 }
 }
-
+store_in_extra:
 /* Just store the SID in Extra SIDs. */
 return store_extra_sid(sids,
 sidcount,
@@ -734,6 +750,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 user_info_dc->sids[PRIMARY_USER_SID_INDEX] = (struct auth_SidAttr) {
 .sid = tmpsid,
 .attrs = SE_GROUP_DEFAULT_FLAGS,
+ .origin = AUTH_SID_ORIGIN_BASE,
 };
 tmpsid = *base->domain_sid;
@@ -750,6 +767,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = (struct auth_SidAttr) {
 .sid = tmpsid,
 .attrs = SE_GROUP_DEFAULT_FLAGS,
+ .origin = AUTH_SID_ORIGIN_BASE,
 };
 user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
@@ -765,6 +783,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 bgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 .sid = tmpsid,
 .attrs = base->groups.rids[i].attributes,
+ .origin = AUTH_SID_ORIGIN_BASE,
 };
 user_info_dc->num_sids++;
 }
@@ -779,6 +798,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 dgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 .sid = *sids[i].sid,
 .attrs = sids[i].attributes,
+ .origin = AUTH_SID_ORIGIN_EXTRA,
 };
 user_info_dc->num_sids++;
 }
@@ -921,6 +941,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 rgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 .sid = tmpsid,
 .attrs = rg->groups.rids[i].attributes,
+ .origin = AUTH_SID_ORIGIN_RESOURCE,
 };
 user_info_dc->num_sids++;
 }
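Review bot: The new early `return NT_STATUS_OK;` for AUTH_SID_ORIGIN_BASE in store_sid() discards the SID without recording it, while is_base_sid() in the previous hunk still applies the domain check to BASE-origin SIDs; if the callers (outside this hunk) hand SIDs rejected by is_base_sid() to store_sid(), a BASE-origin SID outside domain_sid vanishes from the rebuilt PAC_LOGON_INFO with no error, so the TGS PAC silently diverges from the TGT PAC. A comment on that return, `/* Base SIDs were placed by the is_base_sid() path; nothing to store here. */`, would state the invariant, and if the callers do guarantee it, returning NT_STATUS_INVALID_PARAMETER instead makes a violation visible rather than silent. AUTH_SID_ORIGIN_RESOURCE, set in the make_user_info_dc_pac hunk from `rg->groups.rids[i].attributes`, has no explicit case here and depends on the PAC-supplied attributes carrying SE_GROUP_RESOURCE; an explicit case for it, or a comment naming that dependency, keeps the origin and the attribute bit from disagreeing. The body of store_sid() between its two hunks is outside this view.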
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index 214f48185f2..f2998b2b7d6 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -116,9 +116,17 @@ interface auth
 AUTH_EXCLUDE_RESOURCE_GROUPS = 4
 } auth_group_inclusion;
+ typedef [nopush,nopull] enum {
+ AUTH_SID_ORIGIN_UNKNOWN = 0,
+ AUTH_SID_ORIGIN_BASE = 1,
+ AUTH_SID_ORIGIN_EXTRA = 2,
+ AUTH_SID_ORIGIN_RESOURCE = 3
+ } auth_sid_origin;
+
 typedef [nopush,nopull] struct {
 dom_sid sid;
 security_GroupAttrs attrs;
+ auth_sid_origin origin;
 } auth_SidAttr;
 /* This is the interim product of the auth subsystem, before
diff --git a/selftest/knownfail_heimdal_kdc.d/device-info b/selftest/knownfail_heimdal_kdc.d/device-info
index 46e403dd786..8582c9cc61a 100644
--- a/selftest/knownfail_heimdal_kdc.d/device-info
+++ b/selftest/knownfail_heimdal_kdc.d/device-info
@@ -3,7 +3,3 @@
 # ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_compressed.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_uncompressed.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
-- 
2.47.2
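Review bot: The new auth_sid_origin enumerators and the `origin` member of auth_SidAttr carry no comments, yet the conversion code leans on two facts a reader cannot see here: AUTH_SID_ORIGIN_UNKNOWN must stay 0 because every auth_SidAttr initialiser that does not set `.origin` relies on the implicit zero meaning "place by attributes", and the other three values name the part of PAC_LOGON_INFO a SID was read from. Suggested comments: `/* must remain 0: the implicit default for initialisers that do not set .origin */` on AUTH_SID_ORIGIN_UNKNOWN, `/* read from the base info, extra sids or resource groups part of PAC_LOGON_INFO */` above the next three, and `/* which part of PAC_LOGON_INFO this SID came from, see auth_sam_reply.c */` on the field. The struct is [nopush,nopull], so the added field should affect only the in-memory layout and no NDR wire format, which is worth stating next to it.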