samba.git/libcli/security/util_sid.c, branch master Unnamed repository; edit this file 'description' to name the repository. libcli/security: simplify logic in add_sid_to_array_attrs() 2025-02-14T14:21:33+00:00 Stefan Metzmacher metze@samba.org 2025-01-29T08:43:44+00:00 bd7b769c20a116b5b0f168c2e668d02568d023ac (struct auth_SidAttr) {} makes sure we don't leave uninitialized memory in case struct auth_SidAttr will change (which will happen in the next commits). Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
(struct auth_SidAttr) {} makes sure we don't leave uninitialized
memory in case struct auth_SidAttr will change (which will happen in
the next commits).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
libcli/security: add some more global_sid_ values required for SID filtering 2025-02-14T14:21:32+00:00 Stefan Metzmacher metze@samba.org 2018-02-01T15:23:02+00:00 2921f025ec60687c2a6438d8442fb981a9e4f257 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz> 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
libcli/security: let dom_sid_lookup_predefined_sid() behave like Windows 2008R2 2025-01-29T01:14:40+00:00 Stefan Metzmacher metze@samba.org 2020-08-12T15:08:14+00:00 9f369c62317d74615834f99a088caababef685fc Windows 2008R2 (172.31.9.133) returns the following: #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' S-1-22-1 *unknown*\*unknown* (8) S-1-22-1-0 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID While the current Samba (172.31.9.163) returns the following: #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' result was NT_STATUS_INVALID_SID result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) S-1-3 *unknown*\*unknown* (8) With this change also return the same as Windows 2008R2: #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3' S-1-22-1 *unknown*\*unknown* (8) S-1-22-1-0 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID S-1-3-0 \CREATOR OWNER (5) S-1-3-99 *unknown*\*unknown* (8) result was NT_STATUS_INVALID_SID This is a minimal fix in order to avoid crashes in the Windows Explorer. The real fix needs more work and additional tests, as the behavior seems to be different in newer Windows releases. The following patch will let us behave like Windows 2022/2025... BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Windows 2008R2 (172.31.9.133) returns the following:

 #> rpcclient 172.31.9.133 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

While the current Samba (172.31.9.163) returns the following:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 result was NT_STATUS_INVALID_SID
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 S-1-3 *unknown*\*unknown* (8)

With this change also return the same as Windows 2008R2:

 #> rpcclient 172.31.9.163 -Uadministrator%A1b2C3d4 -c 'lookupsids S-1-22-1 S-1-22-1-0;lookupsids S-1-22;lookupsids S-1-3-0 S-1-3-99;lookupsids S-1-3'
 S-1-22-1 *unknown*\*unknown* (8)
 S-1-22-1-0 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID
 S-1-3-0 \CREATOR OWNER (5)
 S-1-3-99 *unknown*\*unknown* (8)
 result was NT_STATUS_INVALID_SID

This is a minimal fix in order to avoid crashes in the Windows Explorer.
The real fix needs more work and additional tests, as the behavior seems
to be different in newer Windows releases.

The following patch will let us behave like Windows 2022/2025...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14213

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
lib: Fix Coverity ID 1636566 Untrusted loop bound 2024-12-17T12:30:31+00:00 Volker Lendecke vl@samba.org 2024-12-04T13:03:12+00:00 253e5f4a68939516d249e4f9e33c931226b828cf Sanitize num_auths to [0,15] in sid_copy() Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 
Sanitize num_auths to [0,15] in sid_copy()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli/security: Add SID_FRESH_PUBLIC_KEY_IDENTITY 2024-02-28T03:44:37+00:00 Andrew Bartlett abartlet@samba.org 2024-02-26T22:09:38+00:00 724f403d8863bf3f29bff35bff0f274183621bb3 This allows an ACL level check (rather than only an all-or-nothing KDC configuration) that PKINIT freshness was used during the AS-REQ. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Jo Sutton <josutton@catalyst.net.nz> 
This allows an ACL level check (rather than only an all-or-nothing KDC configuration)
that PKINIT freshness was used during the AS-REQ.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
libcli/security: Add sid_attrs_contains_sid() 2023-11-01T20:10:45+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-30T02:03:04+00:00 76e27c3ab1349fb4b7a71d7420a4616275befa37 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Make use of sids_contains_sid() 2023-11-01T20:10:45+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-30T01:52:42+00:00 69edfd7b11ab01ca321eaa85a80e5e44e4b2ff02 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Add sids_contains_sid() 2023-11-01T20:10:45+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-30T01:51:17+00:00 04611d9ebc1c54c6ec6ee3a6a365035dd477283c Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Make use of sids_contains_sid_attrs() 2023-11-01T20:10:45+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-30T01:35:12+00:00 ce3f04dca9a673517879998af60fd7b346201de3 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
libcli/security: Rename sids_contains_sid() to sids_contains_sid_attrs() 2023-11-01T20:10:45+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-30T01:48:23+00:00 5ff72d0e04e6c8d55c32ad9a73c9b79c4893f83a Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>