From: Joseph Sutton Date: Thu, 19 Oct 2023 07:02:43 +0000 (+1300) Subject: s4:kdc: Add device to default groups for authentication policy evaluation X-Git-Tag: talloc-2.4.2~1199 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c91d1618e339da1c29b371866d5ab243e3d3fad6;p=thirdparty%2Fsamba.git s4:kdc: Add device to default groups for authentication policy evaluation This means that expressions like ‘Device_Member_of(WD)’ will now work, as they should. It *also* means that expressions like ‘Device_Member_of(NU)’ will work, even though they shouldn’t. This is because we consider SID_NT_NETWORK to be a default group. Our new behaviour may be wrong, but at least it’s now consistent with the behaviour of user‐relative expressions like ‘Member_of(WD)’ and ‘Member_of(NU)’. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 8a35b13062b..dcda95954ba 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -133,4 +133,4 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\) ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$ ^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_authenticated_users\(ad_dc\)$ -^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_world_group\(ad_dc\)$ +^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$ diff --git a/source4/kdc/authn_policy_util.c b/source4/kdc/authn_policy_util.c index a9f793889ef..46d1aa352a4 100644 --- a/source4/kdc/authn_policy_util.c 
+++ b/source4/kdc/authn_policy_util.c @@ -574,6 +574,7 @@ static NTSTATUS _authn_policy_access_check(TALLOC_CTX *mem_ctx, struct security_token *security_token = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS | + AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS | AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; const uint32_t access_desired = SEC_ADS_CONTROL_ACCESS; uint32_t access_granted;
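Review bot: In the selftest/knownfail_heimdal_kdc hunk, the swap from test_device_in_world_group to test_device_in_network_group for TgsReqServicePolicyTests records exactly the trade-off the commit message describes (Device_Member_of(WD) now works, Device_Member_of(NU) now wrongly works), but nothing in the knownfail file says why the NU case is expected to fail; a one-line comment such as `# SID_NT_NETWORK is treated as a default group for the device, see authn_policy_util.c` would stop the next person from "fixing" the entry or the test without understanding the cause. Also worth noting that DeviceRestrictionTests.test_device_in_network_group was already listed in the unchanged context, so after this hunk both device-policy test classes carry the same known failure, which is the expected shape if the over-inclusion is a single shared-code issue rather than two separate ones.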
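Review bot: In the source4/kdc/authn_policy_util.c hunk, ORing AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS into session_info_flags in _authn_policy_access_check is a one-token change with a security-relevant consequence the code itself does not document: the commit message admits the device token now also receives SID_NT_NETWORK, so an authentication policy written as Device_Member_of(NU) will evaluate true for a device that did not authenticate over the network. Please add a comment at the flag site stating that the default-group set for the device is knowingly broader than it should be and is kept that way for consistency with the user-relative Member_of(NU) behaviour, so the over-inclusion reads as deliberate rather than as a latent bug. The hunk also shows only the flag being set, not the code that builds security_token from it; confirm that the device token construction path actually consumes AUTH_SESSION_INFO_DEVICE_DEFAULT_GROUPS, since that is what the knownfail change in selftest/knownfail_heimdal_kdc depends on.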