more access fixes for group enumeration in LDAP; bug 281

(This used to be commit c4ce92e80688fe7fd4b2fde2c31e94baf3e4dca0)

3 files changed, 24 insertions, 8 deletions

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index db5c8c83b0..8785cce789 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -845,6 +845,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 	int num_entries=0;
 	LSA_SID_ENUM *sids=&r_u->sids;
 	int i=0,j=0;
+	BOOL ret;
 
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&handle))
 		return NT_STATUS_INVALID_HANDLE;
@@ -858,8 +859,14 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* get the list of mapped groups (domain, local, builtin) */
-	if(!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
+	become_root();
+	ret = pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED);
+	unbecome_root();
+	if( !ret ) {
+		DEBUG(3,("_lsa_enum_accounts: enumeration of groups failed!\n"));
 		return NT_STATUS_OK;
+	}
+	
 
 	if (q_u->enum_context >= num_entries)
 		return NT_STATUS_NO_MORE_ENTRIES;
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 6cd5da4892..d3da830991 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -292,6 +292,7 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
 	uint32 group_entries = 0;
 	uint32 i;
 	TALLOC_CTX *mem_ctx = info->mem_ctx;
+	BOOL ret;
 
 	DEBUG(10,("load_group_domain_entries\n"));
 
@@ -303,13 +304,14 @@ static NTSTATUS load_group_domain_entries(struct samr_info *info, DOM_SID *sid)
 	
 
 	become_root();
-
-	if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED)) {
+	ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, (int *)&group_entries, ENUM_ONLY_MAPPED); 
+	unbecome_root();
+	
+	if ( !ret ) {
 		DEBUG(1, ("load_group_domain_entries: pdb_enum_group_mapping() failed!\n"));
 		return NT_STATUS_NO_MEMORY;
 	}
 	
-	unbecome_root();
 
 	info->disp_info.num_group_account=group_entries;
 
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 632d381503..d5b87b7c10 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -281,6 +281,7 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
 	fstring user_name;
 	uint32 grid;
 	uint32 tmp_rid;
+	BOOL ret;
 
 	*numgroups= 0;
 
@@ -290,15 +291,21 @@ BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SA
 	DEBUG(10,("get_domain_user_groups: searching domain groups [%s] is a member of\n", user_name));
 
 	/* we must wrap this is become/unbecome root for ldap backends */
+	
 	become_root();
-
 	/* first get the list of the domain groups */
-	if (!pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED))
+	ret = pdb_enum_group_mapping(SID_NAME_DOM_GRP, &map, &num_entries, ENUM_ONLY_MAPPED);
+	
+	unbecome_root();
+
+	/* end wrapper for group enumeration */
+
+	
+	if ( !ret )
 		return False;
+		
 	DEBUG(10,("get_domain_user_groups: there are %d mapped groups\n", num_entries));
 
-	unbecome_root();
-	/* end wrapper for group enumeration */
 
 	/* 
 	 * alloc memory. In the worse case, we alloc memory for nothing.