s4-auth: fixed the SID list for DCs in the PAC

the S-1-5-9 SID is added in the PAC by the KDC, not on the server that
receives the PAC

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Sun Sep 26 07:09:08 UTC 2010 on sn-devel-104

3 files changed, 16 insertions, 19 deletions

diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index ce583c871c..2f0af027bc 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -46,7 +46,6 @@ struct loadparm_context;
 
 #define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
 #define AUTH_SESSION_INFO_AUTHENTICATED  0x02 /* Add the user to the 'authenticated users' group */
-#define AUTH_SESSION_INFO_ENTERPRISE_DC  0x04 /* Add the user to the 'enterprise DC' group */
 
 struct auth_serversupplied_info
 {
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 6bf1d5f9e3..bdbf6906a3 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -558,6 +558,22 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx,
 						  server_info);
 	}
 
+	if (server_info->acct_flags & ACB_SVRTRUST) {
+		/* the SID_NT_ENTERPRISE_DCS SID gets added into the
+		   PAC */
+		server_info->domain_groups = talloc_realloc(server_info,
+							    server_info->domain_groups,
+							    struct dom_sid *,
+							    server_info->n_domain_groups+1);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups, server_info);
+		server_info->domain_groups[server_info->n_domain_groups] =
+			dom_sid_parse_talloc(server_info->domain_groups,
+					     SID_NT_ENTERPRISE_DCS);
+		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(server_info->domain_groups[server_info->n_domain_groups],
+						  server_info);
+		server_info->n_domain_groups++;
+	}
+
 	server_info->authenticated = true;
 
 	talloc_free(tmp_ctx);
diff --git a/source4/auth/session.c b/source4/auth/session.c
index bd1be8eebb..68d03aeeec 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -91,24 +91,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
 	} else if (dom_sid_equal(system_sid, server_info->account_sid)) {
 		/* Don't expand nested groups of system, anonymous etc*/
 	} else if (auth_context) {
-		if (server_info->acct_flags & ACB_SVRTRUST) {
-			dom_sid = samdb_domain_sid(auth_context->sam_ctx);
-			if (dom_sid) {
-				if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
-				session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
-				} else {
-					DEBUG(2, ("DC %s is not in our domain.  "
-						  "It will not have Enterprise Domain Controllers membership on this server",
-						  server_info->account_name));
-				}
-			} else {
-				DEBUG(2, ("Could not obtain local domain SID, "
-					  "so can not determine if DC %s is a DC of this domain.  "
-					  "It will not have Enterprise Domain Controllers membership",
-					  server_info->account_name));
-			}
-		}
-		
 		groupSIDs = talloc_array(tmp_ctx, struct dom_sid *, server_info->n_domain_groups);
 		NT_STATUS_HAVE_NO_MEMORY_AND_FREE(groupSIDs, tmp_ctx);
 		if (!groupSIDs) {