diff options
| -rw-r--r-- | source3/passdb/lookup_sid.c | 29 |
1 files changed, 24 insertions, 5 deletions
diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index 942d277178..751fa597c0 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -128,11 +128,30 @@ BOOL lookup_name(TALLOC_CTX *mem_ctx, * the expansion of group names coming in from smb.conf */ - if ((flags & LOOKUP_NAME_GROUP) && - (lookup_unix_group_name(name, &sid))) { - domain = talloc_strdup(tmp_ctx, unix_groups_domain_name()); - type = SID_NAME_DOM_GRP; - goto ok; + if (flags & LOOKUP_NAME_GROUP) { + struct group *grp; + + /* If we are using the smbpasswd backend, we need to use the + * algorithmic mapping for the unix group we find. This is + * necessary because when creating the NT token from the unix + * gid list we got from initgroups() we use gid_to_sid() that + * uses algorithmic mapping if pdb_rid_algorithm() is true. */ + + if (pdb_rid_algorithm() && ((grp = getgrnam(name)) != NULL) && + (grp->gr_gid < max_algorithmic_gid())) { + domain = talloc_strdup(tmp_ctx, get_global_sam_name()); + sid_compose(&sid, get_global_sam_sid(), + pdb_gid_to_group_rid(grp->gr_gid)); + type = SID_NAME_DOM_GRP; + goto ok; + } + + if (lookup_unix_group_name(name, &sid)) { + domain = talloc_strdup(tmp_ctx, + unix_groups_domain_name()); + type = SID_NAME_DOM_GRP; + goto ok; + } } /* Now the guesswork begins, we haven't been given an explicit |