diff -c -r samba-3.5.17/source3/auth/auth_util.c samba-3.5.17-patch/source3/auth/auth_util.c *** samba-3.5.17/source3/auth/auth_util.c 2012-08-02 13:27:59.000000000 -0400 --- samba-3.5.17-patch/source3/auth/auth_util.c 2012-08-16 22:45:20.000000000 -0400 *************** *** 1826,1832 **** nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, ! false, false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; --- 1826,1832 ---- nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, ! false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; diff -c -r samba-3.5.17/source3/include/proto.h samba-3.5.17-patch/source3/include/proto.h *** samba-3.5.17/source3/include/proto.h 2012-08-02 13:27:59.000000000 -0400 --- samba-3.5.17-patch/source3/include/proto.h 2012-08-16 22:45:20.000000000 -0400 *************** *** 1361,1368 **** const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, ! bool include_user_group_rid, ! bool skip_ressource_groups); /* The following definitions come from lib/util_sock.c */ --- 1361,1367 ---- const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, ! bool include_user_group_rid); /* The following definitions come from lib/util_sock.c */ diff -c -r samba-3.5.17/source3/lib/util_sid.c samba-3.5.17-patch/source3/lib/util_sid.c *** samba-3.5.17/source3/lib/util_sid.c 2012-08-02 13:27:59.000000000 -0400 --- samba-3.5.17-patch/source3/lib/util_sid.c 2012-08-16 22:45:20.000000000 -0400 *************** *** 684,691 **** const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, ! bool include_user_group_rid, ! bool skip_ressource_groups) { NTSTATUS status; DOM_SID sid; --- 684,690 ---- const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, ! bool include_user_group_rid) { NTSTATUS status; DOM_SID sid; *************** *** 738,756 **** } } ! /* Copy 'other' sids. We need to do sid filtering here to ! prevent possible elevation of privileges. See: ! ! http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp ! */ ! for (i = 0; i < info3->sidcount; i++) { - - if (skip_ressource_groups && - (info3->sids[i].attributes & SE_GROUP_RESOURCE)) { - continue; - } - status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { --- 737,750 ---- } } ! /* SID filtering should only be handled by the domain controller on a ! trust by trust basis, and is counter-indicated for forests. Since ! native AD return all Domain Local groups as other SIDs, then this ! must not filter them when parsing INFO3 responses such that the ! list is identical to the tokenGroups LDAP query. ! */ ! for (i = 0; i < info3->sidcount; i++) { status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { diff -c -r samba-3.5.17/source3/winbindd/winbindd_pam.c samba-3.5.17-patch/source3/winbindd/winbindd_pam.c *** samba-3.5.17/source3/winbindd/winbindd_pam.c 2012-08-02 13:27:59.000000000 -0400 --- samba-3.5.17-patch/source3/winbindd/winbindd_pam.c 2012-08-16 22:45:20.000000000 -0400 *************** *** 298,304 **** status = sid_array_from_info3(talloc_tos(), info3, &token->user_sids, &token->num_sids, ! true, false); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; --- 298,304 ---- status = sid_array_from_info3(talloc_tos(), info3, &token->user_sids, &token->num_sids, ! true); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status;