author | Goldberg, Neil R <ngoldber@mitre.org> | 2012-08-17 13:52:07 -0700 |
committer | Karolin Seeger <kseeger@samba.org> | 2012-08-23 20:26:01 +0200 |
commit | 38444389c39d5c5adca1c9f300bded47407fd0b5 (patch) | |
tree | d111b55a09e116b3dc1f7b4e1c8cb933ba84a961 | |
parent | 51c5f84d2496b5117a2fe6afc061594cf33b5fc1 (diff) | |
download | samba-38444389c39d5c5adca1c9f300bded47407fd0b5.tar.gz |
Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain.
Back-port to 3.6.x of the fix from bug #9052.
-rw-r--r-- | source3/auth/auth_util.c | 2 | ||||
-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/lib/util_sid.c | 20 | ||||
-rw-r--r-- | source3/winbindd/winbindd_pam.c | 2 | ||||
-rw-r--r-- | source3/winbindd/winbindd_util.c | 12 |
5 files changed, 19 insertions, 20 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 69d5c652948..42e27478d46 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 nt_status = sid_array_from_info3(result, info3,
 &result->sids,
 &result->num_sids,
- false, false);
+ false);
 if (!NT_STATUS_IS_OK(nt_status)) {
 TALLOC_FREE(result);
 return nt_status;
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 559a34ebb57..785cc303877 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const struct netr_SamInfo3 *info3,
 DOM_SID **user_sids,
 size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups);
+ bool include_user_group_rid);
 /* The following definitions come from lib/util_sock.c */
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index bea04d8c6ee..f918eba7deb 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 const struct netr_SamInfo3 *info3,
 DOM_SID **user_sids,
 size_t *num_user_sids,
- bool include_user_group_rid,
- bool skip_ressource_groups)
+ bool include_user_group_rid)
 {
 NTSTATUS status;
 DOM_SID sid;
@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
 }
 }
- /* Copy 'other' sids. We need to do sid filtering here to prevent possible elevation of privileges. See:
-
- http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
- */
+ /* SID filtering should only be handled by the domain controller on a
+ trust by trust basis, and is counter-indicated for forests. Since
+ native AD return all Domain Local groups as other SIDs, then this
+ must not filter them when parsing INFO3 responses such that the
+ list is identical to the tokenGroups LDAP query.
+ */
 for (i = 0; i < info3->sidcount; i++) {
-
- if (skip_ressource_groups &&
- (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
- continue;
- }
-
 status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids);
 if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4cc181a7eaf..59a95b02f10 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
 status = sid_array_from_info3(talloc_tos(), info3,
 &token->user_sids,
 &token->num_sids,
- true, false);
+ true);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(frame);
 return status;
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 15a357519a2..f4e2f5668a1 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
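Review bot: The new comment in the util_sid.c hunk says where SID filtering should happen but not the precondition this now places on callers: with the SE_GROUP_RESOURCE skip gone, the loop copies every "other" SID in info3 into the token unconditionally, and the attributes field is no longer consulted at all (add_sid_to_array receives only the sid). That is only sound when the caller has already established that the info3 came across a trust boundary where the DC applied its filtering, which is exactly what the removed privilege-elevation warning was about, so I would close the new comment with: `Callers must therefore only pass an info3 whose origin they already trust (e.g. received over the authenticated netlogon channel); nothing is filtered here.` Two wording nits in the same comment: `native AD return` should read `native AD returns`, and `counter-indicated` is better as `contraindicated`. sid_array_from_info3 begins before this hunk and continues past it.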
@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
 return NT_STATUS_UNSUCCESSFUL;
 }
- /* Skip Domain local groups outside our domain. We'll get these from the getsidaliases() RPC call. */
+ /*
+ * Before bug #7843 the "Domain Local" groups were added with a
+ * lookupuseraliases call, but this isn't done anymore for our domain
+ * so we need to resolve resource groups here.
+ *
+ * When to use Resource Groups:
+ * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+ */
 status = sid_array_from_info3(mem_ctx, info3, user_sids, &num_groups,
- false, true);
+ false);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(info3); |
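Review bot: The replacement comment drops the statement about where Domain Local groups from other domains are obtained: the old text said getsidaliases(), the new text only explains our own domain, so a reader cannot tell whether foreign-domain resource groups carried in info3 are now meant to land in user_sids or are still expected from another call. If the intent is that they are all included now, add one sentence after `so we need to resolve resource groups here.`: `* No SID in info3 is filtered by domain any more; every resource group the DC returned ends up in user_sids.` Note also that sid_array_from_info3 uses add_sid_to_array rather than a uniqueness-preserving variant (visible in the util_sid.c hunk), so if a getsidaliases() merge still follows this call, which is not visible here, user_sids may contain duplicates; worth confirming the consumer tolerates that. lookup_usergroups_cached starts before this hunk and continues after it.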