authorGoldberg, Neil R <ngoldber@mitre.org>2012-08-17 13:52:07 -0700
committerKarolin Seeger <kseeger@samba.org>2012-08-23 20:26:01 +0200
commit38444389c39d5c5adca1c9f300bded47407fd0b5 (patch)
treed111b55a09e116b3dc1f7b4e1c8cb933ba84a961
parent51c5f84d2496b5117a2fe6afc061594cf33b5fc1 (diff)
downloadsamba-38444389c39d5c5adca1c9f300bded47407fd0b5.tar.gz
Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain.
Back-port of fix for 3.6.x from bug #9052.
-rw-r--r--source3/auth/auth_util.c2
-rw-r--r--source3/include/proto.h3
-rw-r--r--source3/lib/util_sid.c20
-rw-r--r--source3/winbindd/winbindd_pam.c2
-rw-r--r--source3/winbindd/winbindd_util.c12
5 files changed, 19 insertions, 20 deletions
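--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 nt_status = sid_array_from_info3(result, info3,
 &result->sids,
 &result->num_sids,
- false, false);
+ false);
 if (!NT_STATUS_IS_OK(nt_status)) {
 TALLOC_FREE(result);
 return nt_status;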
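--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const struct netr_SamInfo3 *info3,
 DOM_SID **user_sids,
 size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups);
+ bool include_user_group_rid);
 /* The following definitions come from lib/util_sock.c */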
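--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const struct netr_SamInfo3 *info3,
 DOM_SID **user_sids,
 size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups)
+ bool include_user_group_rid)
 {
 NTSTATUS status;
 DOM_SID sid;
@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 }
 }
- /* Copy 'other' sids. We need to do sid filtering here to
- prevent possible elevation of privileges. See:
-
- http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
- */
+ /* SID filtering should only be handled by the domain controller on a
+ trust by trust basis, and is counter-indicated for forests. Since
+ native AD return all Domain Local groups as other SIDs, then this
+ must not filter them when parsing INFO3 responses such that the
+ list is identical to the tokenGroups LDAP query.
+ */
 for (i = 0; i < info3->sidcount; i++) {
-
- if (skip_ressource_groups &&
- (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
- continue;
- }
-
 status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
 &sid_array, &num_sids);
 if (!NT_STATUS_IS_OK(status)) {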
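Review bot: The new comment above the copy loop explains where SID filtering belongs but leaves unstated what this function now guarantees: every entry in `info3->sids` is appended as-is, with no check on its `attributes` or on which domain the SID belongs to, so any trust-boundary validation of the INFO3 has to have happened before it reaches this function. A sentence making that explicit would help callers that previously relied on the skip_ressource_groups flag, e.g. `/* No filtering is done here: every SID in info3->sids, resource groups included, is copied verbatim; the caller is responsible for any trust-boundary validation of info3. */`. The wording of the new comment also needs a small touch: `native AD return` should read `native AD returns`, and `counter-indicated` should read `contraindicated`. sid_array_from_info3 starts before and continues past this hunk.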
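--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
 status = sid_array_from_info3(talloc_tos(), info3,
 &token->user_sids,
 &token->num_sids,
- true, false);
+ true);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;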
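--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
 return NT_STATUS_UNSUCCESSFUL;
 }
- /* Skip Domain local groups outside our domain.
- We'll get these from the getsidaliases() RPC call. */
+ /*
+ * Before bug #7843 the "Domain Local" groups were added with a
+ * lookupuseraliases call, but this isn't done anymore for our domain
+ * so we need to resolve resource groups here.
+ *
+ * When to use Resource Groups:
+ * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+ */
 status = sid_array_from_info3(mem_ctx, info3,
 user_sids,
 &num_groups,
- false, true);
+ false);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(info3);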
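Review bot: The new comment says `we need to resolve resource groups here`, but the code below does not resolve anything; it only stops passing the skip flag to sid_array_from_info3, so the resource-group SIDs now come straight from the INFO3 reply into `user_sids`. Suggest rewording the last clause to `so the resource-group SIDs carried in info3 must be kept here rather than skipped`, which matches what the call actually does. The removed comment named the getsidaliases() RPC as the previous source of these groups; if that path is still used for other domains, a short note saying so would stop the next reader from looking for a resolution step that is not there. lookup_usergroups_cached starts before and continues past this hunk.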