s3:auth: ignore create_builtin_guests() failing without a valid idmap configuration

This happens on standalone servers, where winbindd is automatically
started by init scripts if it's installed. But it's not really
used and may not have a valid idmap configuration (
"idmap config * : range" has no default!)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13697

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>

1 files changed, 17 insertions, 1 deletions

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index c95d54db671..21ccb0d1fe7 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -743,7 +743,23 @@ NTSTATUS finalize_local_nt_token(struct security_token *result,
 		status = create_builtin_guests(domain_sid);
 		unbecome_root();
 
-		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE)) {
+		/*
+		 * NT_STATUS_PROTOCOL_UNREACHABLE:
+		 * => winbindd is not running.
+		 *
+		 * NT_STATUS_ACCESS_DENIED:
+		 * => no idmap config at all
+		 * and wbint_AllocateGid()/winbind_allocate_gid()
+		 * failed.
+		 *
+		 * NT_STATUS_NO_SUCH_GROUP:
+		 * => no idmap config at all and
+		 * "tdbsam:map builtin = no" means
+		 * wbint_Sids2UnixIDs() fails.
+		 */
+		if (NT_STATUS_EQUAL(status, NT_STATUS_PROTOCOL_UNREACHABLE) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) ||
+		    NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_GROUP)) {
 			/*
 			 * Add BUILTIN\Guests directly to token.
 			 * But only if the token already indicates