Diffstat (limited to 'source4/dsdb')
-rw-r--r-- | source4/dsdb/common/util_groups.c | 25 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 31 |
2 files changed, 25 insertions, 31 deletions
diff --git a/source4/dsdb/common/util_groups.c b/source4/dsdb/common/util_groups.c
index b5aecbafe9..6a96ce89d1 100644
--- a/source4/dsdb/common/util_groups.c
+++ b/source4/dsdb/common/util_groups.c
@@ -126,6 +126,31 @@ NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
 filter);
 }
 
+ /*
+ * We have the problem with the caller creating a <SID=S-....>
+ * DN for ForeignSecurityPrincipals as they also have
+ * duplicate objects with the SAME SID under CN=Configuration.
+ * This causes a SID= DN to fail with NO_SUCH_OBJECT on Samba
+ * and on Windows. So, we allow this to fail, and
+ * double-check if we can find it with a search in the main
+ * domain partition.
+ */
+ if (ret == LDB_ERR_NO_SUCH_OBJECT && only_childs) {
+ char *sid_string = dom_sid_string(tmp_ctx,
+ &sid);
+ if (!sid_string) {
+ talloc_free(tmp_ctx);
+ return NT_STATUS_OK;
+ }
+
+ ret = dsdb_search(sam_ctx, tmp_ctx, &res,
+ ldb_get_default_basedn(sam_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs, DSDB_SEARCH_SHOW_EXTENDED_DN,
+ "(&(objectClass=foreignSecurityPrincipal)(objectSID=%s))",
+ sid_string);
+ }
+
 if (ret == LDB_ERR_NO_SUCH_OBJECT) {
 talloc_free(tmp_ctx);
 return NT_STATUS_OK;
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 713448c4e8..361ece79f0 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
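Review bot: In the util_groups.c fallback, a NULL return from `dom_sid_string()` (an allocation failure) is answered with `return NT_STATUS_OK;`, so an out-of-memory condition is reported to the caller exactly like "object not found" and this group's membership is silently dropped from the expansion instead of failing the token build. That branch should read `if (!sid_string) { talloc_free(tmp_ctx); return NT_STATUS_NO_MEMORY; }`, matching how the surrounding code presumably treats other allocation failures. The retried lookup is a SUBTREE search over the default partition keyed on objectSID alone, and the comment itself says duplicate objects with the same SID exist; whether the code after the hunk rejects a result count other than one is not visible here and is worth confirming. The `%s` substitution into the LDAP filter is fine as written since `dom_sid_string()` emits only the `S-` prefix, digits and dashes. dsdb_expand_nested_groups continues outside the hunk.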
@@ -143,37 +143,6 @@ NTSTATUS security_token_create(TALLOC_CTX *mem_ctx,
 }
 }
 
- /*
- * Finally add the "standard" sids.
- * The only difference between guest and "anonymous"
- * is the addition of Authenticated_Users.
- */
-
- if (session_info_flags & AUTH_SESSION_INFO_DEFAULT_GROUPS) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 2);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- if (!dom_sid_parse(SID_WORLD, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
-
- if (!dom_sid_parse(SID_NT_NETWORK, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
- if (session_info_flags & AUTH_SESSION_INFO_AUTHENTICATED) {
- ptoken->sids = talloc_realloc(ptoken, ptoken->sids, struct dom_sid, ptoken->num_sids + 1);
- NT_STATUS_HAVE_NO_MEMORY(ptoken->sids);
-
- if (!dom_sid_parse(SID_NT_AUTHENTICATED_USERS, &ptoken->sids[ptoken->num_sids])) {
- return NT_STATUS_INTERNAL_ERROR;
- }
- ptoken->num_sids++;
- }
-
 /* The caller may have requested simple privilages, for example if there isn't a local DB */
 if (session_info_flags & AUTH_SESSION_INFO_SIMPLE_PRIVILEGES) {
 /* Shortcuts to prevent recursion and avoid lookups */ |