Fix up a security issue with the way we handle domain groups retuned on the

info3.  These are RIDs, and it only makes sense to combine them with the domain
SID returned with them.  This is important for trusted domains, where that sid
might be other than the one we currently reterive from the secrets.tdb.

Also remove the become_root()/unbecome_root() wrapper from around both
remaining TDB users:  Both are now initialised at smbd startup.

Andrew Bartlett
(This used to be commit 554842e0a55155193f25aefca6480b89d5c512ca)

3 files changed, 20 insertions, 25 deletions

diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index e84d4e4724..704f600c66 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -324,7 +324,6 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 	/* Store the user group information in the server_info returned to the caller. */
 	
 	if (NT_STATUS_IS_OK(nt_status) && (info3.num_groups2 != 0)) {
-		DOM_SID domain_sid;
 		int i;
 		NT_USER_TOKEN *ptok;
 		auth_serversupplied_info *pserver_info = *server_info;
@@ -346,21 +345,12 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 			goto done;
 		}
  
-		if (!secrets_fetch_domain_sid(lp_workgroup(), &domain_sid)) {
-			DEBUG(0, ("domain_client_validate: unable to fetch domain sid.\n"));
-			nt_status = NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
-			free_server_info(server_info);
-			goto done;
-		}
- 
 		for (i = 0; i < ptok->num_sids; i++) {
-			sid_copy(&ptok->user_sids[i], &domain_sid);
+			sid_copy(&ptok->user_sids[i], &info3.dom_sid.sid);
 			sid_append_rid(&ptok->user_sids[i], info3.gids[i].g_rid);
 		}
 		
-		become_root();
 		uni_group_cache_store_netlogon(mem_ctx, &info3);
-		unbecome_root();
 	}
 
 #if 0
@@ -423,10 +413,9 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	become_root();
-
 	/*
 	 * Get the machine account password for our primary domain
+	 * No need to become_root() as secrets_init() is done at startup.
 	 */
 
 	if (!secrets_fetch_trust_account_password(domain, trust_passwd, &last_change_time))
@@ -436,8 +425,6 @@ static NTSTATUS check_ntdomain_security(const struct auth_context *auth_context,
 		return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
 	}
 
-	unbecome_root();
-
 	/* Test if machine password is expired and need to be changed */
 	if (time(NULL) > last_change_time + lp_machine_password_timeout())
 	{
@@ -470,4 +457,3 @@ BOOL auth_init_ntdomain(struct auth_context *auth_context, auth_methods **auth_m
 	(*auth_method)->auth = check_ntdomain_security;
 	return True;
 }
-
diff --git a/source3/libsmb/netlogon_unigrp.c b/source3/libsmb/netlogon_unigrp.c
index 317a5bc3d0..d4063242f6 100644
--- a/source3/libsmb/netlogon_unigrp.c
+++ b/source3/libsmb/netlogon_unigrp.c
@@ -37,18 +37,24 @@ static TDB_CONTEXT *netlogon_unigrp_tdb = NULL;
     array of uint32 where array[0] is number of elements
     and elements are array[1] ... array[array[0]]
 */
+
+BOOL uni_group_cache_init(void)
+{
+	if (!netlogon_unigrp_tdb) {
+		netlogon_unigrp_tdb = tdb_open_log(lock_path("netlogon_unigrp.tdb"), 0,
+						   TDB_NOLOCK, O_RDWR | O_CREAT, 0644);
+	}
+
+	return (netlogon_unigrp_tdb != NULL);
+}
+
 void uni_group_cache_store_netlogon(TALLOC_CTX *mem_ctx, NET_USER_INFO_3 *user)
 {
 	TDB_DATA key,data;
         fstring keystr;
         int i;
-	
-	if (!netlogon_unigrp_tdb) {
-		netlogon_unigrp_tdb = tdb_open_log(lock_path("netlogon_unigrp.tdb"), 0,
-                				    TDB_NOLOCK, O_RDWR | O_CREAT, 0644);
-	}
 
-	if (!netlogon_unigrp_tdb) {
+	if (!uni_group_cache_init()) {
 		DEBUG(0,("uni_group_cache_store_netlogon: cannot open netlogon_unigrp.tdb for write!\n"));
 		return;
 	}
@@ -145,8 +151,8 @@ uint32* uni_group_cache_fetch(DOM_SID *domain, uint32 user_rid,
 /* Shutdown netlogon_unigrp database */
 void uni_group_cache_shutdown(void)
 {
-    if(netlogon_unigrp_tdb) {
-	tdb_close(netlogon_unigrp_tdb);
-    }
+	if(netlogon_unigrp_tdb) {
+		tdb_close(netlogon_unigrp_tdb);
+	}
 }
 
diff --git a/source3/smbd/server.c b/source3/smbd/server.c
index 492632e7ac..44002bfc94 100644
--- a/source3/smbd/server.c
+++ b/source3/smbd/server.c
@@ -556,6 +556,7 @@ static void init_structs(void )
 	init_dptrs();
 
 	secrets_init();
+
 }
 
 /****************************************************************************
@@ -841,6 +842,8 @@ static void usage(char *pname)
 	if(!initialize_password_db(False))
 		exit(1);
 
+	uni_group_cache_init(); /* Non-critical */
+	
 	/* possibly reload the services file. */
 	reload_services(True);