[Freeipa-devel] [PATCH] Lookup the user SID in external group as well

Sumit Bose sbose at redhat.com
Wed Nov 14 17:26:16 UTC 2012


Hi,

Jakub found that currently only group SIDs are used to find group
memberships of users from a trusted domain. The attached patch adds the
user SID as well.

Fixes https://fedorahosted.org/freeipa/ticket/3257 .

bye,
Sumit
-------------- next part --------------
From 9525242dc9912a62b89dc65633917ab660df1704 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose at redhat.com>
Date: Wed, 14 Nov 2012 14:22:15 +0100
Subject: [PATCH] Lookup the user SID in external group as well

Currently only the group SIDs from a PAC are used to find out about the
membership in local groups. This patch adds the user SID to the list.

Fixes https://fedorahosted.org/freeipa/ticket/3257
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 19 ++++++++++++++-----
 1 Datei geändert, 14 Zeilen hinzugefügt(+), 5 Zeilen entfernt(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 881a7a7124b3f6651c44bc393b6899d093f8dfc6..072dd0db8ee0a214ad062282e9459941022535e5 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -660,9 +660,9 @@ static char *gen_sid_string(TALLOC_CTX *memctx, struct dom_sid *dom_sid,
     return str;
 }
 
-static int get_group_sids(TALLOC_CTX *memctx,
-                          struct PAC_LOGON_INFO_CTR *logon_info,
-                          char ***_group_sids)
+static int get_user_and_group_sids(TALLOC_CTX *memctx,
+                                   struct PAC_LOGON_INFO_CTR *logon_info,
+                                   char ***_group_sids)
 {
     int ret;
     size_t c;
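Review bot: the function is renamed to get_user_and_group_sids, but its out-parameter is still `_group_sids` and nothing in the hunk says that the first entry of the returned array is now the user's own SID rather than a group SID; any caller that treats every entry as a group SID will silently include the user SID. Consider renaming the parameter (for example `_sids`) or adding a short comment on the array layout above the function so the contract is visible at the declaration.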
@@ -678,7 +678,7 @@ static int get_group_sids(TALLOC_CTX *memctx,
     }
 
     group_sids = talloc_array(memctx, char *,
-                                     2 +
+                                     3 +
                                      logon_info->info->info3.base.groups.count +
                                      logon_info->info->info3.sidcount);
     if (group_sids == NULL) {
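Review bot: the bare constant bumped from 2 to 3 in the talloc_array size is an unexplained magic number; two of the fixed slots are the user SID and the primary group SID filled in by the next hunk, and what the third slot is for is not visible in this diff. A comment next to the call, such as `/* user SID + primary group SID + ... */`, would keep the allocation and the fill code in sync the next time an entry is added to the array.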
@@ -688,6 +688,15 @@ static int get_group_sids(TALLOC_CTX *memctx,
     }
 
     group_sids[p] = gen_sid_string(memctx, domain_sid,
+                                  logon_info->info->info3.base.rid);
+    if (group_sids[p] == NULL) {
+        krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
+        ret = EINVAL;
+        goto done;
+    }
+    p++;
+
+    group_sids[p] = gen_sid_string(memctx, domain_sid,
                                   logon_info->info->info3.base.primary_gid);
     if (group_sids[p] == NULL) {
         krb5_klog_syslog(LOG_ERR, "gen_sid_string failed");
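Review bot: the syslog message in the new block is the same string as the one for the primary group SID directly below it ("gen_sid_string failed"), so an operator reading the KDC log cannot tell whether the user SID (base.rid) or the primary group SID (base.primary_gid) failed to convert; consider naming the SID in each message, for example "gen_sid_string failed for user SID". Otherwise the new entry follows the existing pattern (NULL check, ret = EINVAL, goto done) and correctly increments p before the primary group SID is stored.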
@@ -931,7 +940,7 @@ static krb5_error_code add_local_groups(krb5_context context,
     size_t ipa_group_sids_count = 0;
     struct dom_sid *ipa_group_sids = NULL;
 
-    ret = get_group_sids(memctx, info, &group_sids);
+    ret = get_user_and_group_sids(memctx, info, &group_sids);
     if (ret != 0) {
         return KRB5_KDB_INTERNAL_ERROR;
     }
-- 
1.7.11.4
