summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorVolker Lendecke <vlendec@samba.org>2006-04-30 14:34:30 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:16:37 -0500
commitbe8e338ef7d1bbcb33f9be449b8deb86fe23df1b (patch)
treef3a904d5bcf156b6656346856db8eaca7b745669
parent23b2f27a5448d74e456b9bb53f4d487f35d0d210 (diff)
downloadsamba-be8e338ef7d1bbcb33f9be449b8deb86fe23df1b.tar.gz
samba-be8e338ef7d1bbcb33f9be449b8deb86fe23df1b.tar.bz2
samba-be8e338ef7d1bbcb33f9be449b8deb86fe23df1b.zip
r15360: Fix bug # 3741. One more place where the algorithmic mapping needs to stay.
Volker (This used to be commit 898948d65409e5b63937fbd8050be04ac81df05d)
-rw-r--r--source3/passdb/lookup_sid.c29
1 files changed, 24 insertions, 5 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 942d277178..751fa597c0 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -128,11 +128,30 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx,
* the expansion of group names coming in from smb.conf
*/
- if ((flags & LOOKUP_NAME_GROUP) &&
- (lookup_unix_group_name(name, &sid))) {
- domain = talloc_strdup(tmp_ctx, unix_groups_domain_name());
- type = SID_NAME_DOM_GRP;
- goto ok;
+ if (flags & LOOKUP_NAME_GROUP) {
+ struct group *grp;
+
+ /* If we are using the smbpasswd backend, we need to use the
+ * algorithmic mapping for the unix group we find. This is
+ * necessary because when creating the NT token from the unix
+ * gid list we got from initgroups() we use gid_to_sid() that
+ * uses algorithmic mapping if pdb_rid_algorithm() is true. */
+
+ if (pdb_rid_algorithm() && ((grp = getgrnam(name)) != NULL) &&
+ (grp->gr_gid < max_algorithmic_gid())) {
+ domain = talloc_strdup(tmp_ctx, get_global_sam_name());
+ sid_compose(&sid, get_global_sam_sid(),
+ pdb_gid_to_group_rid(grp->gr_gid));
+ type = SID_NAME_DOM_GRP;
+ goto ok;
+ }
+
+ if (lookup_unix_group_name(name, &sid)) {
+ domain = talloc_strdup(tmp_ctx,
+ unix_groups_domain_name());
+ type = SID_NAME_DOM_GRP;
+ goto ok;
+ }
}
/* Now the guesswork begins, we haven't been given an explicit