From c3d52477b77d2c80b22d26ae8964fc70468a9728 Mon Sep 17 00:00:00 2001 From: "Goldberg, Neil R" Date: Fri, 17 Aug 2012 13:52:07 -0700 Subject: [PATCH] Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain. Back-port of fix for 3.6.x from bug #9052. --- source3/auth/auth_util.c | 2 +- source3/include/proto.h | 3 +-- source3/lib/util_sid.c | 22 ++++++++-------------- source3/winbindd/winbindd_pam.c | 2 +- source3/winbindd/winbindd_util.c | 12 +++++++++--- 5 files changed, 20 insertions(+), 21 deletions(-) diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 69d5c65..42e2747 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, nt_status = sid_array_from_info3(result, info3, &result->sids, &result->num_sids, - false, false); + false); if (!NT_STATUS_IS_OK(nt_status)) { TALLOC_FREE(result); return nt_status; diff --git a/source3/include/proto.h b/source3/include/proto.h index 559a34e..785cc30 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, - bool include_user_group_rid, - bool skip_ressource_groups); + bool include_user_group_rid); /* The following definitions come from lib/util_sock.c */ diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c index bea04d8..50bc4d7 100644 --- a/source3/lib/util_sid.c +++ b/source3/lib/util_sid.c @@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, const struct netr_SamInfo3 *info3, DOM_SID **user_sids, size_t *num_user_sids, - bool include_user_group_rid, - bool skip_ressource_groups) + bool include_user_group_rid) { NTSTATUS status; DOM_SID sid; @@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, } } - /* Copy 'other' sids. We need to do sid filtering here to - prevent possible elevation of privileges. See: - - http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp - */ - + /* SID filtering should only be handled by the domain controller on a + trust by trust basis, and is counter-indicated for forests. Since + native AD return all Domain Local groups as other SIDs, then this + must not filter them when parsing INFO3 responses such that the + list is identical to the tokenGroups LDAP query. + */ + for (i = 0; i < info3->sidcount; i++) { - - if (skip_ressource_groups && - (info3->sids[i].attributes & SE_GROUP_RESOURCE)) { - continue; - } - status = add_sid_to_array(mem_ctx, info3->sids[i].sid, &sid_array, &num_sids); if (!NT_STATUS_IS_OK(status)) { diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c index c8910d6..50b6541 100644 --- a/source3/winbindd/winbindd_pam.c +++ b/source3/winbindd/winbindd_pam.c @@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3, status = sid_array_from_info3(talloc_tos(), info3, &token->user_sids, &token->num_sids, - true, false); + true); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(frame); return status; diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c index 15a3575..f4e2f56 100644 --- a/source3/winbindd/winbindd_util.c +++ b/source3/winbindd/winbindd_util.c @@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, return NT_STATUS_UNSUCCESSFUL; } - /* Skip Domain local groups outside our domain. - We'll get these from the getsidaliases() RPC call. */ + /* + * Before bug #7843 the "Domain Local" groups were added with a + * lookupuseraliases call, but this isn't done anymore for our domain + * so we need to resolve resource groups here. + * + * When to use Resource Groups: + * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx + */ status = sid_array_from_info3(mem_ctx, info3, user_sids, &num_groups, - false, true); + false); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(info3); -- 1.7.7.3