summaryrefslogtreecommitdiff
path: root/auth/auth_sam_reply.c
diff options
context:
space:
mode:
Diffstat (limited to 'auth/auth_sam_reply.c')
-rw-r--r--auth/auth_sam_reply.c31
1 files changed, 28 insertions, 3 deletions
diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 552834a1bb0..8a68f045547 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -99,6 +99,13 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
for (i=PRIMARY_GROUP_SID_INDEX; i<user_info_dc->num_sids; i++) {
struct auth_SidAttr *group_sid = &user_info_dc->sids[i];
+ if (group_sid->attrs & SE_GROUP_RESOURCE) {
+ /*
+ * Resource groups don't belong in the base
+ * RIDs, they're handled elsewhere.
+ */
+ continue;
+ }
if (!dom_sid_in_domain(sam->domain_sid, &group_sid->sid)) {
/* We handle this elsewhere */
continue;
@@ -140,6 +147,7 @@ static NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo6 **_sam6)
{
NTSTATUS status;
@@ -168,7 +176,20 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
/* We don't put the user and group SIDs in there */
for (i=2; i<user_info_dc->num_sids; i++) {
- if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
+ if (user_info_dc->sids[i].attrs & SE_GROUP_RESOURCE) {
+ /*
+ * If it's a resource group, check whether it should be
+ * included or filtered out.
+ */
+ switch (group_inclusion) {
+ case AUTH_INCLUDE_RESOURCE_GROUPS:
+ /* Include it. */
+ break;
+ case AUTH_EXCLUDE_RESOURCE_GROUPS:
+ /* Ignore it. */
+ continue;
+ }
+ } else if (dom_sid_in_domain(sam6->base.domain_sid, &user_info_dc->sids[i].sid)) {
continue;
}
sam6->sids[sam6->sidcount].sid = dom_sid_dup(sam6->sids, &user_info_dc->sids[i].sid);
@@ -211,6 +232,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo2 **_sam2)
{
NTSTATUS status;
@@ -222,7 +244,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam2, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam2);
return status;
@@ -237,6 +260,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo2(TALLOC_CTX *mem_ctx,
* the user_info_dc it was generated from */
NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
const struct auth_user_info_dc *user_info_dc,
+ enum auth_group_inclusion group_inclusion,
struct netr_SamInfo3 **_sam3)
{
NTSTATUS status;
@@ -248,7 +272,8 @@ NTSTATUS auth_convert_user_info_dc_saminfo3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc, &sam6);
+ status = auth_convert_user_info_dc_saminfo6(sam3, user_info_dc,
+ group_inclusion, &sam6);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(sam3);
return status;
View Lorry Controller Status