s4-auth: fixed the SID list for DCs in the PAC

the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104

1 files changed, 16 insertions, 0 deletions

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f9e3..bdbf6906a3 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 						  server_info);
 	}
 
+	if (server_info->acct_flags & ACB_SVRTRUST) {
+		/* the SID_NT_ENTERPRISE_DCS SID gets added into the
+		   PAC */
+		server_info->domain_groups = talloc_realloc(server_info,
+							    server_info->domain_groups,
+							    struct dom_sid *,
+							    server_info->n_domain_groups+1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+		server_info->domain_groups[server_info->n_domain_groups] =
+			dom_sid_parse_talloc(server_info->domain_groups,
+					     SID_NT_ENTERPRISE_DCS);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+						  server_info);
+		server_info->n_domain_groups++;
+	}
+
 	server_info->authenticated = true;
 
 	talloc_free(tmp_ctx);