author | Uri Simchoni <uri@samba.org> | 2015-11-17 23:05:10 +0200 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2015-11-19 20:17:23 +0100 |
commit | d8717a038ef82caf05fff611c7cf92aecc436563 (patch) | |
tree | 1a991ce3313ece9c56423772f27ca7a4d21a5ca4 /source3/auth | |
parent | 42b7d48f76189b1e138f5cac6489a4d018598c87 (diff) | |
download | samba-d8717a038ef82caf05fff611c7cf92aecc436563.tar.gz |
auth: consistent handling of well-known alias as primary gid
When a local user has its primary group id mapped to a well-known
alias or a builtin group, smbd accepts logins of such a user, but
fails tree-connects to shares with a "force user" set to this user
with an error of NT_STATUS_INVALID_SID.
This fix causes the connect to succeed and the NT token to resemble
the token that would have been created in a login.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11608
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/server_info.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/source3/auth/server_info.c b/source3/auth/server_info.c index 4d046bbf17d..9194cbd534f 100644 --- a/source3/auth/server_info.c +++ b/source3/auth/server_info.c @@ -599,16 +599,27 @@ NTSTATUS passwd_to_SamInfo3(TALLOC_CTX *mem_ctx, * will be rejected by other Samba code. */ gid_to_sid(&group_sid, pwd->pw_gid); + } - /* - * If we are a unix group, set the group_sid to the - * 'Domain Users' RID of 513 which will always resolve to a - * name. - */ - if (sid_check_is_in_unix_groups(&group_sid)) { + /* + * If we are a unix group, or a wellknown/builtin alias, + * set the group_sid to the + * 'Domain Users' RID of 513 which will always resolve to a + * name. + */ + if (sid_check_is_in_unix_groups(&group_sid) || + sid_check_is_in_builtin(&group_sid) || + sid_check_is_in_wellknown_domain(&group_sid)) { + if (sid_check_is_in_unix_users(&user_sid)) { sid_compose(&group_sid, get_global_sam_sid(), DOMAIN_RID_USERS); + } else { + sid_copy(&domain_sid, &user_sid); + sid_split_rid(&domain_sid, NULL); + sid_compose(&group_sid, + &domain_sid, + DOMAIN_RID_USERS); } } |
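Review bot: in the new else branch the result of `sid_split_rid(&domain_sid, NULL);` is discarded, so if the split does not succeed for this user_sid, the following sid_compose() builds group_sid from an unsplit SID and the function continues as if nothing went wrong. Consider checking the call and returning an error status on failure instead of composing the group SID. The rewritten comment also still reads as if there were a single outcome ("set the group_sid to the 'Domain Users' RID of 513"), while the code now picks the domain two ways: get_global_sam_sid() when user_sid is in unix users, and the domain taken from user_sid otherwise. A sentence in the comment naming both cases would help. Finally, the added `}` moves this check out of the block that ends with gid_to_sid(), so it now applies to group_sid however it was obtained. The commit message describes the builtin and well-known alias case but not that widening, so it is worth stating in the comment or the message that this is intended.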