#define AUTH_SESSION_INFO_UNIX_TOKEN 0x08 /* The returned token must have the unix_token and unix_info elements provided */
#define AUTH_SESSION_INFO_NTLM 0x10 /* The returned token must have authenticated-with-NTLM flag set */
#define AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION 0x20 /* The user authenticated with a device. */
+#define AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS 0x40 /* Add the device to the default world and network groups */
struct auth_usersupplied_info
{
return NT_STATUS_NO_MEMORY;
}
- /*
- * TODO: if we find out that we need to add default SIDs to the device
- * SIDs, as well as to the client SIDs, we’ll do that here.
- */
+ for (i = 0; i < num_device_sids; i++) {
+ device_sids[i] = device_info_dc->sids[i];
+ }
+
+ if (session_info_flags & AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS) {
+ device_sids = talloc_realloc(tmp_ctx,
+ device_sids,
+ struct auth_SidAttr,
+ num_device_sids + 2);
+ if (device_sids == NULL) {
+ TALLOC_FREE(tmp_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_World,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ device_sids[num_device_sids++] = (struct auth_SidAttr) {
+ .sid = global_sid_Network,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ }
}
nt_status = security_token_create(mem_ctx,
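Review bot: `num_device_sids + 2` in the `talloc_realloc()` call is not checked for wrap-around, and if it ever wrapped, the two `device_sids[num_device_sids++]` stores that follow would write past a too-small array. The counter's type and any upper bound on `device_info_dc->num_sids` are declared outside this hunk, so this may already be guaranteed elsewhere. If it is not, a guard before the realloc such as `if (num_device_sids + 2 < num_device_sids) { TALLOC_FREE(tmp_ctx); return NT_STATUS_INVALID_PARAMETER; }` would close the gap, assuming an unsigned counter at least as wide as `int`. The removed TODO was the only statement of intent here, so a replacement comment above the flag test would help, e.g. `/* Append the default World and Network SIDs to the device SIDs, as for the client SIDs. */`, ideally also saying whether duplicates are acceptable when the device info already lists either SID. The enclosing function starts and ends outside the hunk.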