From 140eede4287b7bdcae6a2b3e9e5e035bf13983de Mon Sep 17 00:00:00 2001
From: Felix Botner
Date: Thu, 25 Jun 2015 12:45:20 +0200
Subject: [PATCH] add primary group to groups in kerberos pac

GPO security filtering is based on the groups in the kerberos pac. So the primary group should better be in this group list.

Signed-off-by: Felix Botner
---
 auth/auth_sam_reply.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 4ede02c..69ef627 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -78,7 +78,7 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 sam->groups.count = 0;
 sam->groups.rids = NULL;
- if (user_info_dc->num_sids > 2) {
+ if (user_info_dc->num_sids > 1) {
 size_t i;
 sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute, user_info_dc->num_sids);
@@ -86,12 +86,22 @@ NTSTATUS auth_convert_user_info_dc_sambaseinfo(TALLOC_CTX *mem_ctx,
 if (sam->groups.rids == NULL) return NT_STATUS_NO_MEMORY;
+ /* Add the primary group here too, at least Windows 2012 PAC adds it here */
+ sam->groups.rids[sam->groups.count].rid = sam->primary_gid;
+ sam->groups.rids[sam->groups.count].attributes =
+ SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED;
+ sam->groups.count += 1;
+
 for (i=2; inum_sids; i++) {
 struct dom_sid *group_sid = &user_info_dc->sids[i];
 if (!dom_sid_in_domain(sam->domain_sid, group_sid)) {
 /* We handle this elsewhere */
 continue;
 }
+ /* ignore primary gid, already added above */
+ if (group_sid->sub_auths[group_sid->num_auths-1] == sam->primary_gid) {
+ continue;
+ }
 sam->groups.rids[sam->groups.count].rid = group_sid->sub_auths[group_sid->num_auths-1];
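Review bot: The primary-group entry is written into `sam->groups.rids` before the loop, so the array sized with `user_info_dc->num_sids` now has to hold one extra entry; it still fits (one entry plus at most `num_sids - 2` from the loop that starts at `i=2`), but that sizing invariant is no longer obvious and deserves a comment on the `talloc_array` line, e.g. `/* capacity num_sids: one slot for the primary group, at most num_sids-2 from sids[2..] */`. The attribute triple `SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED` is hard-coded for the primary group while the attributes the loop assigns to the other groups are outside the hunk, so it cannot be confirmed here that both entries are built the same way; if they are, pulling the expression into one shared constant would keep them from drifting. The RID-only comparison in the added skip is sound only because it runs after `dom_sid_in_domain()`, which is worth stating in the comment (`/* same domain already checked above, so comparing the RID is enough */`). The enclosing function auth_convert_user_info_dc_sambaseinfo() starts and ends outside the hunk.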
@@ -326,6 +336,14 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx,
 }
 for (i = 0; i < base->groups.count; i++) {
+
+ /* We added the primary_gid in auth_convert_user_info_dc_sambaseinfo()
+ * and base->groups may contain the primary_gid, so check and ignore
+ the primary_gid here */
+ if (base->groups.rids[i].rid == base->primary_gid) {
+ continue;
+ }
+
 user_info_dc->sids[user_info_dc->num_sids] = *base->domain_sid;
 if (!sid_append_rid(&user_info_dc->sids[user_info_dc->num_sids], base->groups.rids[i].rid)) {
 return NT_STATUS_INVALID_PARAMETER;
-- 
1.7.9.5
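Review bot: The added skip silently drops a group entry from the validation data, which is only lossless if the primary group SID has already been placed into `user_info_dc->sids` earlier in this function — that happens outside the hunk, so the comment should name the dependency rather than only the sender, e.g. `/* the primary group SID was already appended from base->primary_gid above; skip the duplicate */`. The skip also discards `base->groups.rids[i].attributes` for that entry; if the attributes of the primary-group membership matter to any consumer this is a behaviour change worth a sentence in the commit message, though whether they are read anywhere cannot be confirmed from this hunk. As a style point, the third line of the new comment block lacks the leading `*` of the other continuation lines; `+ * the primary_gid here */` keeps the block consistent. The enclosing function make_user_info_dc_netlogon_validation() starts and ends outside the hunk.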