find_forced_group can directly change the token in server_info

Now that we have a token that is correctly set up with gids already, this saves
manual translation of the SIDs to GIDs.
(This used to be commit 6136a6d9d7301c65f37e2bf485681138cddd8bd2)

1 files changed, 16 insertions, 72 deletions

diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 30e48018e9..267ca3c29f 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -743,7 +743,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 		conn->force_user = true;
 	}
 
-
 	add_session_user(conn->server_info->unix_name);
 
 	safe_strcpy(conn->client_address,
@@ -780,13 +779,13 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 	conn->read_only = lp_readonly(SNUM(conn));
 	conn->admin_user = False;
 
-	/*
-	 * If force user is true, then store the given userid and the gid of
-	 * the user we're forcing.
-	 * For auxiliary groups see below.
-	 */
-	
 	if (*lp_force_user(snum)) {
+
+		/*
+		 * Replace conn->server_info with a completely faked up one
+		 * from the username we are forced into :-)
+		 */
+
 		char *fuser;
 		struct auth_serversupplied_info *forced_serverinfo;
 
@@ -814,85 +813,30 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 		DEBUG(3,("Forced user %s\n", fuser));
 	}
 
-	conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
-
-	conn->uid = conn->server_info->uid;
-	conn->gid = conn->server_info->gid;
-	string_set(&conn->user, conn->server_info->unix_name);
-
 	/*
 	 * If force group is true, then override
 	 * any groupid stored for the connecting user.
 	 */
-	
+
 	if (*lp_force_group(snum)) {
-		DOM_SID group_sid;
 
-		status = find_forced_group(conn->force_user, snum,
-					   conn->user,
-					   &group_sid, &conn->gid);
+		status = find_forced_group(
+			conn->force_user, snum, conn->user,
+			&conn->server_info->ptok->user_sids[1],
+			&conn->server_info->gid);
+
 		if (!NT_STATUS_IS_OK(status)) {
 			conn_free(conn);
 			*pstatus = status;
 			return NULL;
 		}
-
-		if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
-
-			/* Not force user and not security=share, but force
-			 * group. vuser has a token to copy */
-			
-			conn->nt_user_token = dup_nt_token(
-				NULL, vuser->server_info->ptok);
-			if (conn->nt_user_token == NULL) {
-				DEBUG(0, ("dup_nt_token failed\n"));
-				conn_free(conn);
-				*pstatus = NT_STATUS_NO_MEMORY;
-				return NULL;
-			}
-		}
-
-		/* If conn->nt_user_token is still NULL, we have
-		 * security=share. This means ignore the SID, as we had no
-		 * vuser to copy from */
-
-		if (conn->nt_user_token != NULL) {
-			/* Overwrite the primary group sid */
-			sid_copy(&conn->nt_user_token->user_sids[1],
-				 &group_sid);
-
-		}
 	}
 
-	if (conn->nt_user_token != NULL) {
-		size_t i;
-
-		/* We have a share-specific token from force [user|group].
-		 * This means we have to create the list of unix groups from
-		 * the list of sids. */
-
-		conn->ngroups = 0;
-		conn->groups = NULL;
-
-		for (i=0; i<conn->nt_user_token->num_sids; i++) {
-			gid_t gid;
-			DOM_SID *sid = &conn->nt_user_token->user_sids[i];
+	conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
 
-			if (!sid_to_gid(sid, &gid)) {
-				DEBUG(10, ("Could not convert SID %s to gid, "
-					   "ignoring it\n",
-					   sid_string_dbg(sid)));
-				continue;
-			}
-			if (!add_gid_to_array_unique(conn, gid, &conn->groups,
-						&conn->ngroups)) {
-				DEBUG(0, ("add_gid_to_array_unique failed\n"));
-				conn_free(conn);
-				*pstatus = NT_STATUS_NO_MEMORY;
-				return NULL;
-			}
-		}
-	}
+	conn->uid = conn->server_info->uid;
+	conn->gid = conn->server_info->gid;
+	string_set(&conn->user, conn->server_info->unix_name);
 
 	{
 		char *s = talloc_sub_advanced(talloc_tos(),