[SCM] Samba Shared Repository - branch v3-5-test updated

Karolin Seeger Thu, 23 Aug 2012 11:26:13 -0700

The branch, v3-5-test has been updated
       via  3844438 Fix bug #9100 - winbind doesn't return "Domain Local" 
groups from own domain.
      from  51c5f84 Fix bug #9098 - winbind does not refresh kerberos tickets.


http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit 38444389c39d5c5adca1c9f300bded47407fd0b5
Author: Goldberg, Neil R <ngold...@mitre.org>
Date:   Fri Aug 17 13:52:07 2012 -0700

    Fix bug #9100 - winbind doesn't return "Domain Local" groups from own 
domain.
    
    Back-port of fix for 3.6.x from bug #9052.

-----------------------------------------------------------------------

Summary of changes:
 source3/auth/auth_util.c         |    2 +-
 source3/include/proto.h          |    3 +--
 source3/lib/util_sid.c           |   20 +++++++-------------
 source3/winbindd/winbindd_pam.c  |    2 +-
 source3/winbindd/winbindd_util.c |   12 +++++++++---
 5 files changed, 19 insertions(+), 20 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 69d5c65..42e2747 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        nt_status = sid_array_from_info3(result, info3,
                                         &result->sids,
                                         &result->num_sids,
-                                        false, false);
+                                        false);
        if (!NT_STATUS_IS_OK(nt_status)) {
                TALLOC_FREE(result);
                return nt_status;
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 559a34e..785cc30 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                              const struct netr_SamInfo3 *info3,
                              DOM_SID **user_sids,
                              size_t *num_user_sids,
-                             bool include_user_group_rid,
-                             bool skip_ressource_groups);
+                             bool include_user_group_rid);
 
 /* The following definitions come from lib/util_sock.c  */
 
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index bea04d8..f918eba 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                              const struct netr_SamInfo3 *info3,
                              DOM_SID **user_sids,
                              size_t *num_user_sids,
-                             bool include_user_group_rid,
-                             bool skip_ressource_groups)
+                             bool include_user_group_rid)
 {
        NTSTATUS status;
        DOM_SID sid;
@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                }
        }
 
-       /* Copy 'other' sids.  We need to do sid filtering here to
-          prevent possible elevation of privileges.  See:
-
-           
http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
-         */
+       /* SID filtering should only be handled by the domain controller on a
+          trust by trust basis, and is counter-indicated for forests. Since
+          native AD return all Domain Local groups as other SIDs, then this
+          must not filter them when parsing INFO3 responses such that the
+          list is identical to the tokenGroups LDAP query.
+        */
 
        for (i = 0; i < info3->sidcount; i++) {
-
-               if (skip_ressource_groups &&
-                   (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
-                       continue;
-               }
-
                status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
                                      &sid_array, &num_sids);
                if (!NT_STATUS_IS_OK(status)) {
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 4cc181a..59a95b0 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
        status = sid_array_from_info3(talloc_tos(), info3,
                                      &token->user_sids,
                                      &token->num_sids,
-                                     true, false);
+                                     true);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frame);
                return status;
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 15a3575..f4e2f56 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct 
winbindd_domain *domain,
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       /* Skip Domain local groups outside our domain.
-          We'll get these from the getsidaliases() RPC call. */
+       /*
+        * Before bug #7843 the "Domain Local" groups were added with a
+        * lookupuseraliases call, but this isn't done anymore for our domain
+        * so we need to resolve resource groups here.
+        *
+        * When to use Resource Groups:
+        * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+       */
        status = sid_array_from_info3(mem_ctx, info3,
                                      user_sids,
                                      &num_groups,
-                                     false, true);
+                                     false);
 
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(info3);


-- 
Samba Shared Repository

[SCM] Samba Shared Repository - branch v3-5-test updated

Reply via email to