r12174: Simple patch to work around the current lack of BUILTIN

nested group support.  Always add the BUILTIN\Administrators
SID to a Domain Admins token.

This solves the extra steps of establishing a group map for
the local Administrators SID in order to control services.
Windows also tends to expect the Administrators group to be
usable when setting up security permissions on shares.

Volker's work will probably fix this long term, but this
gets us past some of the setup hurdles for 3.0.21.
(This used to be commit 170b6a68bcbd66bae322c5b1b8c8501ca96acab2)

1 files changed, 53 insertions, 3 deletions

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index ce1ce31d08..497f16adf2 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -471,9 +471,12 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 	NT_USER_TOKEN *ptoken;
 	int i;
 	int sid_ndx;
+	DOM_SID domadm;
+	BOOL is_domain_admin = False;
+	BOOL domain_mode = False;
 	
 	if ((ptoken = SMB_MALLOC_P(NT_USER_TOKEN)) == NULL) {
-		DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
+		DEBUG(0, ("create_nt_user_token: Out of memory allocating token\n"));
 		nt_status = NT_STATUS_NO_MEMORY;
 		return nt_status;
 	}
@@ -483,7 +486,7 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 	ptoken->num_sids = n_groupSIDs + 5;
 
 	if ((ptoken->user_sids = SMB_MALLOC_ARRAY( DOM_SID, ptoken->num_sids )) == NULL) {
-		DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
+		DEBUG(0, ("create_nt_user_token: Out of memory allocating SIDs\n"));
 		nt_status = NT_STATUS_NO_MEMORY;
 		return nt_status;
 	}
@@ -517,6 +520,27 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 	
 	sid_ndx = 5; /* next available spot */
 
+	/* this is where we construct the domain admins SID if we can
+	   so that we can add the BUILTIN\Administrators SID to the token */
+
+	ZERO_STRUCT( domadm );
+	if ( IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER ) {
+		domain_mode = True;
+
+		if ( IS_DC ) 
+			sid_copy( &domadm, get_global_sam_sid() );
+		else {
+			/* if we a re a member server and cannot find
+			   out domain SID then reset the domain_mode flag */
+			if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
+				domain_mode = False;
+		}
+
+		sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+	}
+	
+	/* add the group SIDs to teh token */
+	
 	for (i = 0; i < n_groupSIDs; i++) {
 		size_t check_sid_idx;
 		for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
@@ -531,6 +555,30 @@ static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *gro
 		} else {
 			ptoken->num_sids--;
 		}
+		
+		/* here we check if the user is a domain admin and add the
+		   BUILTIN\Administrators SID to the token the group membership
+		   check succeeds. */
+
+		if ( domain_mode ) {
+			if ( sid_equal( &domadm, &groupSIDs[i] ) )
+				is_domain_admin = True;
+		}
+		
+	}
+
+	/* finally realloc the SID array and add the BUILTIN\Administrators 
+	   SID if necessary */
+
+	if ( is_domain_admin ) {
+		DOM_SID *sids;
+
+		if ( !(sids = SMB_REALLOC_ARRAY( ptoken->user_sids, DOM_SID, ptoken->num_sids+1 )) ) 
+			DEBUG(0,("create_nt_user_token: Failed to realloc SID arry of size %d\n", ptoken->num_sids+1));
+		else  {
+			ptoken->user_sids = sids;
+			sid_copy( &(ptoken->user_sids)[ptoken->num_sids++], &global_sid_Builtin_Administrators );
+		}
 	}
 
 	/* add privileges assigned to this user */
@@ -602,6 +650,8 @@ NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups,
 		return NULL;
 	}
 
+	/* convert the Unix group ids to SIDS */
+
 	for (i = 0; i < ngroups; i++) {
 		if (!NT_STATUS_IS_OK(gid_to_sid(&(group_sids)[i], (groups)[i]))) {
 			DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
@@ -640,7 +690,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
 		return token;
 		
 	if ( !(pw = getpwnam( "root" )) ) {
-		DEBUG(0,("create_root_nt_token: getpwnam\"root\") failed!\n"));
+		DEBUG(0,("get_root_nt_token: getpwnam\"root\") failed!\n"));
 		return NULL;
 	}