From: Joseph Sutton
Date: Wed, 27 Sep 2023 02:16:21 +0000 (+1300)
Subject: s4:auth: Add parameters for claims and device info to auth_generate_security_token()
X-Git-Tag: tevent-0.16.0~278
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8a5921d9747929a306b41fbfbe2d860da9d8a164;p=thirdparty%2Fsamba.git

s4:auth: Add parameters for claims and device info to auth_generate_security_token()

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 7d03dc77403..818fdf583df 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -56,6 +56,8 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
 struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
 const struct auth_user_info_dc *user_info_dc,
+ const struct auth_user_info_dc *device_info_dc,
+ const struct auth_claims auth_claims,
 uint32_t session_info_flags,
 struct security_token **_security_token)
 {
@@ -63,8 +65,10 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 NTSTATUS nt_status;
 uint32_t i;
 uint32_t num_sids = 0;
+ uint32_t num_device_sids = 0;
 const char *filter = NULL;
 struct auth_SidAttr *sids = NULL;
+ const struct auth_SidAttr *device_sids = NULL;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
 if (tmp_ctx == NULL) {
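Review bot: The two parameters added to auth_generate_security_token() in the @@ -56 hunk carry no comment, although the neighbouring `lp_ctx` and `sam_ctx` lines document when they may be omitted, and `device_info_dc` is in fact optional (the body tests it against NULL in a later hunk and the updated callers pass NULL). I would annotate it the same way, e.g. `const struct auth_user_info_dc *device_info_dc, /* Optional, NULL if there is no device info */`, and repeat that on the matching declaration in source4/auth/session.h. `const struct auth_claims auth_claims` is passed by value, so the top-level `const` means nothing to callers, and any pointers inside the struct (its definition is not shown here) are only borrowed for the call; a one-line comment stating that the caller keeps ownership would make that explicit.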
@@ -172,13 +176,23 @@ _PUBLIC_ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 }
 }
+ if (device_info_dc != NULL) {
+ device_sids = device_info_dc->sids;
+ num_device_sids = device_info_dc->num_sids;
+ }
+
+ /*
+ * TODO: if we find out that we need to add default SIDs to the device
+ * SIDs, as well as to the client SIDs, we’ll do that here.
+ */
+
 nt_status = security_token_create(mem_ctx,
 lp_ctx,
 num_sids,
 sids,
- 0 /* num_device_sids */,
- NULL /* device_sids */,
- (struct auth_claims) {},
+ num_device_sids,
+ device_sids,
+ auth_claims,
 session_info_flags,
 &security_token);
 if (!NT_STATUS_IS_OK(nt_status)) {
@@ -241,6 +255,8 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 lp_ctx,
 sam_ctx,
 user_info_dc,
+ NULL /*device_info_dc */,
+ (struct auth_claims) {},
 session_info_flags,
 &session_info->security_token);
 if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 813fb2c11a9..391fcc34bf7 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -68,6 +68,8 @@ NTSTATUS auth_generate_security_token(TALLOC_CTX *mem_ctx,
 struct loadparm_context *lp_ctx, /* Optional, if you don't want privileges */
 struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
 const struct auth_user_info_dc *user_info_dc,
+ const struct auth_user_info_dc *device_info_dc,
+ const struct auth_claims auth_claims,
 uint32_t session_info_flags,
 struct security_token **_security_token);
 NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c
index f3e86833058..13d56e2685b 100644
--- a/source4/kdc/authn_policy_util.c
+++ b/source4/kdc/authn_policy_util.c
@@ -621,6 +621,8 @@ static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx,
 lp_ctx,
 samdb,
 client_info,
+ NULL /*device_info_dc */,
+ (struct auth_claims) {},
 session_info_flags,
 &security_token);
 if (!NT_STATUS_IS_OK(status)) {
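Review bot: In the @@ -172 hunk the device SIDs are handed to security_token_create() exactly as the caller supplied them, and the TODO leaves open whether default SIDs belong on the device side as they do on the client side. Because these SIDs end up in a token that access decisions are made from, the current behaviour should be stated as a fact rather than a question, e.g. `/* Device SIDs are passed through unmodified; no default SIDs are added for the device. */` directly above the call. `device_sids` also aliases `device_info_dc->sids` while the token is created on `mem_ctx`; whether security_token_create() copies the array is not visible in this hunk, so that is worth confirming and recording in the same comment. The function body starts and ends outside the hunk.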
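Review bot: The call in auth_generate_session_info() (@@ -241) passes `NULL` and an empty `struct auth_claims`, so every token built through this path has no device SIDs and no claims; the same two lines are added in _authn_policy_access_check() in source4/kdc/authn_policy_util.c and in samba_kdc_check_s4u2proxy_rbcd() in source4/kdc/db-glue.c. For the two KDC callers the token presumably feeds an access check, where a condition that depends on device membership or claims would then be evaluated against empty data, so the gap deserves a marker at each site, e.g. `/* TODO: no device info or claims are passed on this path yet */`. As a style point, `NULL /*device_info_dc */` should be spaced like the `0 /* num_device_sids */` comments this commit removes: `NULL /* device_info_dc */`. All three call sites sit in functions that extend beyond their hunks.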
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index a9d8bc557db..0e984e4bddc 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3471,6 +3471,8 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 kdc_db_ctx->lp_ctx,
 kdc_db_ctx->samdb,
 user_info_dc,
+ NULL /*device_info_dc */,
+ (struct auth_claims) {},
 session_info_flags,
 &security_token);
 if (!NT_STATUS_IS_OK(nt_status)) {