authorSumit Bose <sbose@redhat.com>2012-11-14 14:22:15 +0100
committerRob Crittenden <rcritten@redhat.com>2012-11-30 16:39:07 -0500
commitc5e055ae00a2f4a41df4bdcbc95e81d771a4f8cf (patch)
treeaf651f50e08f811e7787a193a9c5ef63e1796d08 /daemons/ipa-kdb
parent5269458f552380759c86018cd1f30b64761be92e (diff)
Lookup the user SID in external group as well
Currently only the group SIDs from a PAC are used to find out about the membership in local groups. This patch adds the user SID to the list. Fixes https://fedorahosted.org/freeipa/ticket/3257
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r--daemons/ipa-kdb/ipa_kdb_mspac.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index efb4cb9b6..ed2c7fb8c 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -678,9 +678,9 @@ static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid,
return str;
}
-static int get_group_sids(TALLOC_CTX *memctx,
- struct PAC_LOGON_INFO_CTR *logon_info,
- char ***_group_sids)
+static int get_user_and_group_sids(TALLOC_CTX *memctx,
+ struct PAC_LOGON_INFO_CTR *logon_info,
+ char ***_group_sids)
{
int ret;
size_t c;
@@ -696,7 +696,7 @@ static int get_group_sids(TALLOC_CTX *memctx,
}
group_sids = talloc_array(memctx, char *,
- 2 +
+ 3 +
logon_info->info->info3.base.groups.count +
logon_info->info->info3.sidcount);
if (group_sids == NULL) {
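Review bot: The bare `3 +` in the talloc_array() count has to stay in step with the number of fixed entries the function writes, and nothing in the code says what those three slots are. From the following hunk they appear to be the user SID, the primary group SID and presumably a terminating NULL. A comment above the count, such as `/* user SID + primary group SID + NULL terminator */`, would make the coupling explicit, since under-counting here becomes a write past the end of the array. The two counts are read from the decoded PAC and summed with no visible overflow check, so it is worth confirming that the decoder bounds them. The function body starts and ends outside this hunk.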
@@ -706,6 +706,15 @@ static int get_group_sids(TALLOC_CTX *memctx,
}
group_sids[p] = gen_sid_string(memctx, domain_sid,
+ logon_info->info->info3.base.rid);
+ if (group_sids[p] == NULL) {
+ krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
+ ret = EINVAL;
+ goto done;
+ }
+ p++;
+
+ group_sids[p] = gen_sid_string(memctx, domain_sid,
logon_info->info->info3.base.primary_gid);
if (group_sids[p] == NULL) {
krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
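Review bot: The new failure branch for `info3.base.rid` logs the same `"gen_sid_string failed"` text as the primary-group branch right after it, so a KDC log line cannot tell an operator which SID failed to build. Something like `krb5_klog_syslog(LOG_ERR, "gen_sid_string failed for user RID");` on the added branch would separate the two. The array and the `_group_sids` out-parameter also keep group-only names although the first entry written is now the user's own SID. A short comment at that assignment, `/* user SID first, group SIDs follow */`, would stop later readers from treating every element as a group. The enclosing function continues past the end of this hunk.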
@@ -949,7 +958,7 @@ static krb5_error_code add_local_groups(krb5_context context,
size_t ipa_group_sids_count = 0;
struct dom_sid *ipa_group_sids = NULL;
- ret = get_group_sids(memctx, info, &group_sids);
+ ret = get_user_and_group_sids(memctx, info, &group_sids);
if (ret != 0) {
return KRB5_KDB_INTERNAL_ERROR;
}