Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth.h5
-rw-r--r--source4/auth/gensec/gensec.c8
-rw-r--r--source4/auth/ntlm/auth_simple.c8
-rw-r--r--source4/auth/session.c7
-rw-r--r--source4/auth/session.h1
-rw-r--r--source4/auth/system_session.c12
6 files changed, 29 insertions, 12 deletions
diff --git a/source4/auth/auth.h b/source4/auth/auth.h
index 0e32c504dd..9ce338c8ae 100644
--- a/source4/auth/auth.h
+++ b/source4/auth/auth.h
@@ -48,6 +48,10 @@ struct loadparm_context;
#define USER_INFO_DONT_CHECK_UNIX_ACCOUNT 0x04 /* don't check unix account status */
#define USER_INFO_INTERACTIVE_LOGON 0x08 /* don't check unix account status */
+#define AUTH_SESSION_INFO_DEFAULT_GROUPS 0x01 /* Add the user to the default world and network groups */
+#define AUTH_SESSION_INFO_AUTHENTICATED 0x02 /* Add the user to the 'authenticated users' group */
+#define AUTH_SESSION_INFO_ENTERPRISE_DC 0x04 /* Add the user to the 'enterprise DC' group */
+
enum auth_password_state {
AUTH_PASSWORD_RESPONSE,
AUTH_PASSWORD_HASH,
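Review bot: The new AUTH_SESSION_INFO_* flags sit directly under the USER_INFO_* flags and reuse overlapping values (0x04 is both USER_INFO_DONT_CHECK_UNIX_ACCOUNT and AUTH_SESSION_INFO_ENTERPRISE_DC). Both sets travel as plain uint32_t, so passing one where the other is expected compiles silently. Since these bits decide which group SIDs end up in a security token, a short header comment naming their consumer would help, for example `/* Flags for the session_info_flags argument of generate_session_info(); they select the group memberships added to the token */`.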
@@ -211,6 +215,7 @@ struct auth_context {
NTSTATUS (*generate_session_info)(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **session_info);
};
diff --git a/source4/auth/gensec/gensec.c b/source4/auth/gensec/gensec.c
index c19d5ff5d5..b166d238de 100644
--- a/source4/auth/gensec/gensec.c
+++ b/source4/auth/gensec/gensec.c
@@ -1327,8 +1327,14 @@ NTSTATUS gensec_generate_session_info(TALLOC_CTX *mem_ctx,
{
NTSTATUS nt_status;
if (gensec_security->auth_context) {
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
nt_status = gensec_security->auth_context->generate_session_info(mem_ctx, gensec_security->auth_context,
- server_info, session_info);
+ server_info,
+ flags,
+ session_info);
} else {
nt_status = auth_generate_simple_session_info(mem_ctx,
server_info, session_info);
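Review bot: The flag derivation added here (`AUTH_SESSION_INFO_DEFAULT_GROUPS`, plus `AUTH_SESSION_INFO_AUTHENTICATED` when `server_info->authenticated` is set) is repeated verbatim in authenticate_username_pw() in auth_simple.c. After this commit auth_generate_session_info() no longer passes `server_info->authenticated` to the token-creation call itself, so every caller of the generate_session_info hook has to reproduce this mapping correctly for the token to get the right 'authenticated users' membership. A small shared helper that takes `server_info` and returns the flags would keep that policy in one place. The else branch still calls auth_generate_simple_session_info() without flags; presumably it decides the groups on its own, which is worth confirming. The function body continues outside the hunk.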
diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
index 7f972ac296..9c8f7f64ac 100644
--- a/source4/auth/ntlm/auth_simple.c
+++ b/source4/auth/ntlm/auth_simple.c
@@ -87,8 +87,14 @@ _PUBLIC_ NTSTATUS authenticate_username_pw(TALLOC_CTX *mem_ctx,
}
if (session_info) {
+ uint32_t flags = AUTH_SESSION_INFO_DEFAULT_GROUPS;
+ if (server_info->authenticated) {
+ flags |= AUTH_SESSION_INFO_AUTHENTICATED;
+ }
nt_status = auth_context->generate_session_info(tmp_ctx, auth_context,
- server_info, session_info);
+ server_info,
+ flags,
+ session_info);
if (NT_STATUS_IS_OK(nt_status)) {
talloc_steal(mem_ctx, *session_info);
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 7817195727..a21fbcf451 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -45,6 +45,7 @@ _PUBLIC_ struct auth_session_info *anonymous_session(TALLOC_CTX *mem_ctx,
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **_session_info)
{
struct auth_session_info *session_info;
@@ -61,7 +62,6 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct dom_sid **groupSIDs = NULL;
const struct dom_sid *dom_sid;
- bool is_enterprise_dc = false;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -82,7 +82,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
dom_sid = samdb_domain_sid(auth_context->sam_ctx);
if (dom_sid) {
if (dom_sid_in_domain(dom_sid, server_info->account_sid)) {
- is_enterprise_dc = true;
+ session_info_flags |= AUTH_SESSION_INFO_ENTERPRISE_DC;
} else {
DEBUG(2, ("DC %s is not in our domain. "
"It will not have Enterprise Domain Controllers membership on this server",
@@ -201,8 +201,7 @@ _PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
server_info->primary_group_sid,
num_groupSIDs,
groupSIDs,
- server_info->authenticated,
- is_enterprise_dc,
+ session_info_flags,
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
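Review bot: `session_info_flags` reaches the token-creation call as received from the caller, and the in-domain check earlier in this function only ever sets `AUTH_SESSION_INFO_ENTERPRISE_DC`, never clears it. As far as the visible hunks show, a caller that supplies that bit would get Enterprise Domain Controllers membership without `dom_sid_in_domain()` having been consulted. If only this function is meant to decide that membership, clear the bit on entry with `session_info_flags &= ~AUTH_SESSION_INFO_ENTERPRISE_DC;`; otherwise document that callers may assert it. Most of the function lies outside these hunks, so the bit may already be handled there.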
diff --git a/source4/auth/session.h b/source4/auth/session.h
index 574b76946e..8e22cc0576 100644
--- a/source4/auth/session.h
+++ b/source4/auth/session.h
@@ -50,6 +50,7 @@ NTSTATUS auth_anonymous_server_info(TALLOC_CTX *mem_ctx,
NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct auth_context *auth_context,
struct auth_serversupplied_info *server_info,
+ uint32_t session_info_flags,
struct auth_session_info **_session_info);
NTSTATUS auth_anonymous_session_info(TALLOC_CTX *parent_ctx,
diff --git a/source4/auth/system_session.c b/source4/auth/system_session.c
index c6df082f69..2835a20e34 100644
--- a/source4/auth/system_session.c
+++ b/source4/auth/system_session.c
@@ -36,12 +36,12 @@
* @note Specialised version for system sessions that doesn't use the SAM.
*/
static NTSTATUS create_token(TALLOC_CTX *mem_ctx,
- struct dom_sid *user_sid,
- struct dom_sid *group_sid,
- unsigned int n_groupSIDs,
- struct dom_sid **groupSIDs,
- bool is_authenticated,
- struct security_token **token)
+ struct dom_sid *user_sid,
+ struct dom_sid *group_sid,
+ unsigned int n_groupSIDs,
+ struct dom_sid **groupSIDs,
+ bool is_authenticated,
+ struct security_token **token)
{
struct security_token *ptoken;
unsigned int i;