-rw-r--r-- | source3/auth/auth_util.c | 43 |
1 files changed, 30 insertions, 13 deletions
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index cb9c4b22fc..a93d44fe91 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1047,11 +1047,11 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	char *found_username = NULL;
 	const char *nt_domain;
 	const char *nt_username;
-	struct dom_sid user_sid;
-	struct dom_sid group_sid;
 	bool username_was_mapped;
 	struct passwd *pwd;
 	struct auth_serversupplied_info *result;
+	struct dom_sid *group_sid;
+	struct netr_SamInfo3 *i3;
 	/* Here is where we should check the list of
@@ -1059,15 +1059,6 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	   matches. */
-	if (!sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid)) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
-	if (!sid_compose(&group_sid, info3->base.domain_sid,
-			 info3->base.primary_gid)) {
-		return NT_STATUS_INVALID_PARAMETER;
-	}
-
 	nt_username = talloc_strdup(mem_ctx, info3->base.account_name.string);
 	if (!nt_username) {
 		/* If the server didn't give us one, just use the one we sent 
@@ -1119,13 +1110,39 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 	}
 	/* copy in the info3 */
-	result->info3 = copy_netr_SamInfo3(result, info3);
+	result->info3 = i3 = copy_netr_SamInfo3(result, info3);
 	/* Fill in the unix info we found on the way */
-
 	result->utok.uid = pwd->pw_uid;
 	result->utok.gid = pwd->pw_gid;
+	/* We can't just trust that the primary group sid sent us is something
+	 * we can really use. Obtain the useable sid, and store the original
+	 * one as an additional group if it had to be replaced */
+	nt_status = get_primary_group_sid(mem_ctx, found_username,
+					  &pwd, &group_sid);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		TALLOC_FREE(result);
+		return nt_status;
+	}
+
+	/* store and check if it is the same we got originally */
+	sid_peek_rid(group_sid, &i3->base.primary_gid);
+	if (i3->base.primary_gid != info3->base.primary_gid) {
+		uint32_t n = i3->base.groups.count;
+		/* not the same, store the original as an additional group */
+		i3->base.groups.rids =
+			talloc_realloc(i3, i3->base.groups.rids,
+				       struct samr_RidWithAttribute, n + 1);
+		if (i3->base.groups.rids == NULL) {
+			TALLOC_FREE(result);
+			return NT_STATUS_NO_MEMORY;
+		}
+		i3->base.groups.rids[n].rid = info3->base.primary_gid;
+		i3->base.groups.rids[n].attributes = SE_GROUP_ENABLED;
+		i3->base.groups.count = n + 1;
+	}
+
 	/* ensure we are never given NULL session keys */
 	if (memcmp(info3->base.key.key, zeros, sizeof(zeros)) == 0) {
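Review bot: `i3` is dereferenced by `sid_peek_rid(group_sid, &i3->base.primary_gid)` and the `i3->base.groups` updates without checking that `copy_netr_SamInfo3(result, info3)` returned non-NULL; the old code stored that result unchecked but never dereferenced it, so a failed copy now becomes a NULL dereference instead of an error. Add `if (i3 == NULL) { TALLOC_FREE(result); return NT_STATUS_NO_MEMORY; }` directly after the assignment, matching the error path used for the `talloc_realloc` failure below it. The return value of `sid_peek_rid()` is also discarded, and `primary_gid` is only meaningful relative to `info3->base.domain_sid`, so if `get_primary_group_sid()` can hand back a SID from a different domain the stored RID would be attributed to the wrong domain; either check the SID's domain here or document in a comment that the helper guarantees it. The enclosing function begins and ends outside this hunk, so `nt_status` and the later use of `result->info3` are not visible here.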