8 files changed, 70 insertions, 8 deletions

diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index e76324213e..4bdbdf5555 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	auth_serversupplied_info server_info;
 	AUTH_STR ourdomain, theirdomain, unix_username, smb_username, 
                 wksta_name;
+        NTSTATUS result;
 		
 	ZERO_STRUCT(user_info);
 	ZERO_STRUCT(ourdomain);
@@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 
 	}
 
-	return check_password(&user_info, &server_info);
+	result = check_password(&user_info, &server_info);
+
+        free_serversupplied_info(&server_info); /* No info needed */
+
+        return result;
 }
 
 NTSTATUS pass_check_smb(char *smb_user, char *unix_user, 
@@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
 
 	return False;
 }
+
+/* Free a auth_serversupplied_info structure */
+
+void free_serversupplied_info(auth_serversupplied_info *server_info)
+{
+        SAFE_FREE(server_info->group_rids);
+}
diff --git a/source3/include/auth.h b/source3/include/auth.h
index 91230e4b6e..9e99600e98 100644
--- a/source3/include/auth.h
+++ b/source3/include/auth.h
@@ -90,6 +90,11 @@ typedef struct serversupplied_info
 	/* This groups info is needed for when we become_user() for this uid */
 	int n_groups;
 	gid_t *groups;
+
+        /* NT group information taken from the info3 structure */
+
+        int n_rids;
+        uint32 *group_rids;
 	
 	uchar session_key[16];
 	
diff --git a/source3/libsmb/domain_client_validate.c b/source3/libsmb/domain_client_validate.c
index 26f53f0297..26a727b1f1 100644
--- a/source3/libsmb/domain_client_validate.c
+++ b/source3/libsmb/domain_client_validate.c
@@ -326,6 +326,7 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 
 	status = cli_nt_login_network(&cli, user_info, smb_uid_low, 
 				      &ctr, &info3);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("domain_client_validate: unable to validate password "
                          "for user %s in domain %s to Domain controller %s. "
@@ -335,8 +336,28 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 	}
 
 	/*
-	 * Here, if we really want it, we have lots of info about the user in info3.
-	 */
+	 * Here, if we really want it, we have lots of info about the user
+	 * in info3.  
+         */
+
+        /* Store the user group information in the server_info returned to
+           the caller. */
+
+        if ((server_info->group_rids = malloc(info3.num_groups2 *
+                                        sizeof(uint32))) == NULL) {
+                DEBUG(1, ("out of memory allocating rid group membership\n"));
+                status = NT_STATUS_NO_MEMORY;
+        } else {
+                int i;
+
+                server_info->n_rids = info3.num_groups2;
+                
+                for (i = 0; i < server_info->n_rids; i++) {
+                        server_info->group_rids[i] = info3.gids[i].g_rid;
+                        DEBUG(5, ("** adding group rid 0x%x\n",
+                                  info3.gids[i].g_rid));
+                }
+        }
 
 #if 0
 	/* 
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 092651c9a7..e1e4443442 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -107,7 +107,9 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
 		DEBUG(10, ("fill_grent_mem(): processing name %s\n", 
                            the_name));
 
-		/* Only add domain users */
+		/* FIXME: need to cope with groups within groups.  These
+                   occur in Universal groups on a Windows 2000 native mode
+                   server. */
 
 		if (name_types[i] != SID_NAME_USER) {
 			DEBUG(3, ("fill_grent_mem(): name %s isn't a domain "
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 406b12c9f6..5cf819a19d 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -141,6 +141,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
                                         auth_dc, trust_passwd, 
                                         last_change_time);
 
+        free_serversupplied_info(&server_info); /* No info needed */
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
 
@@ -218,6 +220,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
                                         auth_dc, trust_passwd,
                                         last_change_time);
 
+        free_serversupplied_info(&server_info); /* No info needed */        
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
 
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 614198673b..6a0a5389ef 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -344,6 +344,9 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
         uint32 i, total_names = 0;
 
+        /* Step #1: Get a list of user rids that are the members of the
+           group. */
+
         if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid,
                                                   group_rid)))
                 goto done;
@@ -357,9 +360,10 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
         if (!NT_STATUS_IS_OK(result))
                 goto done;
 
-        /* Convert list of rids into list of names.  Do this in bunches of
-           ~1000 to avoid crashing NT4.  It looks like there is a buffer
-           overflow or something like that lurking around somewhere. */
+        /* Step #2: Convert list of rids into list of usernames.  Do this
+           in bunches of ~1000 to avoid crashing NT4.  It looks like there
+           is a buffer overflow or something like that lurking around
+           somewhere. */
 
         if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid)))
                 goto done;
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index cb54d726b3..0f2b672d38 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -595,6 +595,8 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
 	DEBUG(5, ("_net_logon_any: exited with status %s\n", 
 		  get_nt_error_msg(nt_status)));
 
+        free_serversupplied_info(&server_info); /* No info needed */
+
 	return nt_status;
 }
 
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c
index e76324213e..4bdbdf5555 100644
--- a/source3/smbd/auth.c
+++ b/source3/smbd/auth.c
@@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	auth_serversupplied_info server_info;
 	AUTH_STR ourdomain, theirdomain, unix_username, smb_username, 
                 wksta_name;
+        NTSTATUS result;
 		
 	ZERO_STRUCT(user_info);
 	ZERO_STRUCT(ourdomain);
@@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 
 	}
 
-	return check_password(&user_info, &server_info);
+	result = check_password(&user_info, &server_info);
+
+        free_serversupplied_info(&server_info); /* No info needed */
+
+        return result;
 }
 
 NTSTATUS pass_check_smb(char *smb_user, char *unix_user, 
@@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
 
 	return False;
 }
+
+/* Free a auth_serversupplied_info structure */
+
+void free_serversupplied_info(auth_serversupplied_info *server_info)
+{
+        SAFE_FREE(server_info->group_rids);
+}