diff options
-rw-r--r-- | source3/auth/auth_util.c | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 892e5c4ab7..05ab45da49 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -736,6 +736,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) { NTSTATUS status; size_t i; + struct dom_sid tmp_sid; /* * If winbind is not around, we can not make much use of the SIDs the @@ -788,7 +789,44 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info) &server_info->utok.ngroups); } + /* + * Add the "Unix Group" SID for each gid to catch mapped groups + * and their Unix equivalent. This is to solve the backwards + * compatibility problem of 'valid users = +ntadmin' where + * ntadmin has been paired with "Domain Admins" in the group + * mapping table. Otherwise smb.conf would need to be changed + * to 'valid user = "Domain Admins"'. --jerry + * + * For consistency we also add the "Unix User" SID, + * so that the complete unix token is represented within + * the nt token. + */ + + if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) { + DEBUG(1,("create_local_token: Failed to create SID " + "for uid %d!\n", server_info->utok.uid)); + } + add_sid_to_array_unique(server_info->ptok, &tmp_sid, + &server_info->ptok->user_sids, + &server_info->ptok->num_sids); + + for ( i=0; i<server_info->utok.ngroups; i++ ) { + if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) { + DEBUG(1,("create_local_token: Failed to create SID " + "for gid %d!\n", server_info->utok.groups[i])); + continue; + } + add_sid_to_array_unique(server_info->ptok, &tmp_sid, + &server_info->ptok->user_sids, + &server_info->ptok->num_sids); + } + debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok); + debug_unix_user_token(DBGC_AUTH, 10, + server_info->utok.uid, + server_info->utok.gid, + server_info->utok.ngroups, + server_info->utok.groups); status = log_nt_token(server_info->ptok); return status; |