auth: remember the origin of sids from the PAC

metze-samba · metze-samba · commit 4a5f0f25772c · 2025-02-14T14:21:33.000Z
So far the conversion from TGT PAC to
struct auth_user_info_dc back to TGS PAC
looses the information in what part of
the PAC_LOGON_INFO a sid was stored.

With this change we let
make_user_info_dc_{netlogon_validation,pac}()
remember this, so that
auth_convert_user_info_dc_sam{baseinfo,info6}()
can rebuild the information into the desired
parts of the PAC_LOGON_INFO.

This was found and fixed for sid filter related
tests, but it turns out that it already
fixes a few tests from samba.tests.krb5.device_tests.

All other places get an implicit AUTH_SID_ORIGIN_UNKNOWN (=0),
which means we use the same logic as before.

Signed-off-by: Stefan Metzmacher &lt;metze@samba.org&gt;
Reviewed-by: Jennifer Sutton &lt;jennifersutton@catalyst.net.nz&gt;
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
@@ -29,6 +29,14 @@
 static bool is_base_sid(const struct auth_SidAttr *sid,
 			const struct dom_sid *domain_sid)
 {
+	if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+		goto check_domain;
+	}
+
+	if (sid->origin != AUTH_SID_ORIGIN_UNKNOWN) {
+		return false;
+	}
+
 	if (sid->attrs & SE_GROUP_RESOURCE) {
 		/*
 		 * Resource groups don't belong in the base
@@ -37,6 +45,7 @@ static bool is_base_sid(const struct auth_SidAttr *sid,
 		return false;
 	}
 
+check_domain:
 	/*
 	 * This SID belongs in the base structure only if it's in the account's
 	 * domain.
@@ -145,6 +154,13 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
 			  const uint32_t allocated_resource_groups,
 			  const enum auth_group_inclusion group_inclusion)
 {
+	if (sid->origin == AUTH_SID_ORIGIN_BASE) {
+		return NT_STATUS_OK;
+	}
+	if (sid->origin == AUTH_SID_ORIGIN_EXTRA) {
+		goto store_in_extra;
+	}
+
 	/* See if it's a resource SID. */
 	if (sid->attrs & SE_GROUP_RESOURCE) {
 		/*
@@ -176,7 +192,7 @@ static NTSTATUS store_sid(struct netr_SidAttr *sids,
 			return NT_STATUS_INVALID_PARAMETER;
 		}
 	}
-
+store_in_extra:
 	/* Just store the SID in Extra SIDs. */
 	return store_extra_sid(sids,
 			       sidcount,
@@ -734,6 +750,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 	user_info_dc->sids[PRIMARY_USER_SID_INDEX] = (struct auth_SidAttr) {
 		.sid = tmpsid,
 		.attrs = SE_GROUP_DEFAULT_FLAGS,
+		.origin = AUTH_SID_ORIGIN_BASE,
 	};
 
 	tmpsid = *base->domain_sid;
@@ -750,6 +767,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 	user_info_dc->sids[PRIMARY_GROUP_SID_INDEX] = (struct auth_SidAttr) {
 		.sid = tmpsid,
 		.attrs = SE_GROUP_DEFAULT_FLAGS,
+		.origin = AUTH_SID_ORIGIN_BASE,
 	};
 
 	user_info_dc->num_sids = PRIMARY_SIDS_COUNT;
@@ -765,6 +783,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 		bgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 			.sid = tmpsid,
 			.attrs = base->groups.rids[i].attributes,
+			.origin = AUTH_SID_ORIGIN_BASE,
 		};
 		user_info_dc->num_sids++;
 	}
@@ -779,6 +798,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 		dgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 			.sid = *sids[i].sid,
 			.attrs = sids[i].attributes,
+			.origin = AUTH_SID_ORIGIN_EXTRA,
 		};
 		user_info_dc->num_sids++;
 	}
@@ -921,6 +941,7 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx,
 			rgrps[user_info_dc->num_sids] = (struct auth_SidAttr) {
 				.sid = tmpsid,
 				.attrs = rg->groups.rids[i].attributes,
+				.origin = AUTH_SID_ORIGIN_RESOURCE,
 			};
 			user_info_dc->num_sids++;
 		}
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
@@ -116,9 +116,17 @@ interface auth
 		AUTH_EXCLUDE_RESOURCE_GROUPS = 4
 	} auth_group_inclusion;
 
+	typedef [nopush,nopull] enum {
+		AUTH_SID_ORIGIN_UNKNOWN = 0,
+		AUTH_SID_ORIGIN_BASE = 1,
+		AUTH_SID_ORIGIN_EXTRA = 2,
+		AUTH_SID_ORIGIN_RESOURCE = 3
+	} auth_sid_origin;
+
 	typedef [nopush,nopull] struct {
 		dom_sid sid;
 		security_GroupAttrs attrs;
+		auth_sid_origin origin;
 	} auth_SidAttr;
 
 	/* This is the interim product of the auth subsystem, before
diff --git a/selftest/knownfail_heimdal_kdc.d/device-info b/selftest/knownfail_heimdal_kdc.d/device-info
@@ -3,7 +3,3 @@
 #
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_compressed.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_uncompressed.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,3 @@`
`3`	`3`	`#`
`4`	`4`	`^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_compressed.ad_dc`
`5`	`5`	`^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_add_transitive_domain_local_groups_to_service_uncompressed.ad_dc`
`6`		`-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_krbtgt.ad_dc`
`7`		`-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc`
`8`		`-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc`
`9`		`-^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc`