authorUri Simchoni <uri@samba.org>2015-11-17 23:05:10 +0200
committerJeremy Allison <jra@samba.org>2015-11-19 20:17:23 +0100
commitd8717a038ef82caf05fff611c7cf92aecc436563 (patch)
tree1a991ce3313ece9c56423772f27ca7a4d21a5ca4 /source3/auth
parent42b7d48f76189b1e138f5cac6489a4d018598c87 (diff)
downloadsamba-d8717a038ef82caf05fff611c7cf92aecc436563.tar.gz
auth: consistent handling of well-known alias as primary gid
When a local user has its primary group id mapped to a well-known alias or a builtin group, smbd accepts logins of such a user, but fails tree-connects to shares with a "force user" set to this user with an error of NT_STATUS_INVALID_SID. This fix causes the connect to succeed and the NT token to resemble the token that would have been created in a login. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608 Signed-off-by: Uri Simchoni <uri@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/server_info.c23
1 files changed, 17 insertions, 6 deletions
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c
index 4d046bbf17d..9194cbd534f 100644
--- a/source3/auth/server_info.c
+++ b/source3/auth/server_info.c
@@ -599,16 +599,27 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx,
* will be rejected by other Samba code.
*/
gid_to_sid(&group_sid, pwd->pw_gid);
+ }
- /*
- * If we are a unix group, set the group_sid to the
- * 'Domain Users' RID of 513 which will always resolve to a
- * name.
- */
- if (sid_check_is_in_unix_groups(&group_sid)) {
+ /*
+ * If we are a unix group, or a wellknown/builtin alias,
+ * set the group_sid to the
+ * 'Domain Users' RID of 513 which will always resolve to a
+ * name.
+ */
+ if (sid_check_is_in_unix_groups(&group_sid) ||
+ sid_check_is_in_builtin(&group_sid) ||
+ sid_check_is_in_wellknown_domain(&group_sid)) {
+ if (sid_check_is_in_unix_users(&user_sid)) {
sid_compose(&group_sid,
get_global_sam_sid(),
DOMAIN_RID_USERS);
+ } else {
+ sid_copy(&domain_sid, &user_sid);
+ sid_split_rid(&domain_sid, NULL);
+ sid_compose(&group_sid,
+ &domain_sid,
+ DOMAIN_RID_USERS);
}
}
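Review bot: In the new `else` branch the return value of `sid_split_rid(&domain_sid, NULL)` is discarded, so a `user_sid` with no sub-authorities (the case in which the split reports failure, as far as I know) would leave `domain_sid` equal to `user_sid`, and `sid_compose()` would then append RID 513 to something that is not a domain SID. The resulting `group_sid` becomes the primary group of the NT token that later access checks rely on, so this path should fail closed rather than continue with a malformed SID: `if (!sid_split_rid(&domain_sid, NULL)) { return NT_STATUS_INVALID_SID; }`, routed through whatever cleanup path `passwd_to_SamInfo3` already uses. The return values of both `sid_compose()` calls are likewise unchecked. The branch would also benefit from a short comment such as `/* Non-unix user: fall back to Domain Users of the user's own domain. */`, since the block comment above only describes the substitution in general terms. The declaration of `domain_sid`, the origin of `user_sid` and the function's exit path are outside this hunk, so whether an earlier check already rules the case out cannot be confirmed from here.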