From 87b2b16cbf211675a23c4f4282f026098d7334ed Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 4 Aug 2006 00:00:15 +0000
Subject: r17392: Commit Volker's fix for the valid users problem. Let's look
 at the build farm now... :-). Jeremy. (This used to be commit
 6d822b85676f033a1a2e422e2d5ac92aaf566aef)

---
 source3/auth/auth_util.c | 52 ++++++++++++++++++++----------------------------
 1 file changed, 22 insertions(+), 30 deletions(-)

(limited to 'source3/auth')

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d59c6b40cc..89792bca94 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -29,7 +29,6 @@
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids);
@@ -509,7 +508,7 @@ NT_USER_TOKEN *get_root_nt_token( void )
 	uid_to_sid(&u_sid, pw->pw_uid);
 	gid_to_sid(&g_sid, pw->pw_gid);
 
-	token = create_local_nt_token(NULL, &u_sid, &g_sid, False,
+	token = create_local_nt_token(NULL, &u_sid, False,
 				      1, &global_sid_Builtin_Administrators);
 	return token;
 }
@@ -811,7 +810,6 @@ static NTSTATUS create_builtin_administrators( void )
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
-						   const DOM_SID *group_sid,
 						   BOOL is_guest,
 						   int num_groupsids,
 						   const DOM_SID *groupsids)
@@ -830,7 +828,9 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 
 	add_sid_to_array(result, user_sid,
 			 &result->user_sids, &result->num_sids);
-	add_sid_to_array(result, group_sid,
+
+	SMB_ASSERT(num_groupsids > 0);
+	add_sid_to_array(result, &groupsids[0],
 			 &result->user_sids, &result->num_sids);
 			 
 	/* Add in BUILTIN sids */
@@ -850,9 +850,11 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	
 	/* Now the SIDs we got from authentication. These are the ones from
 	 * the info3 struct or from the pdb_enum_group_memberships, depending
-	 * on who authenticated the user. */
+	 * on who authenticated the user.
+	 * Note that we start the for loop at "1" here, we already added the
+	 * first group sid as primary above. */
 
-	for (i=0; i<num_groupsids; i++) {
+	for (i=1; i<num_groupsids; i++) {
 		add_sid_to_array_unique(result, &groupsids[i],
 					&result->user_sids, &result->num_sids);
 	}
@@ -956,8 +958,8 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 	 * mapped to some local unix user.
 	 */
 
-	if ((lp_server_role() == ROLE_DOMAIN_MEMBER) && 
-			(server_info->was_mapped || !winbind_ping())) {
+	if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+	    (server_info->was_mapped)) {
 		status = create_token_from_username(server_info,
 						    server_info->unix_name,
 						    server_info->guest,
@@ -970,7 +972,6 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 		server_info->ptok = create_local_nt_token(
 			server_info,
 			pdb_get_user_sid(server_info->sam_account),
-			pdb_get_group_sid(server_info->sam_account),
 			server_info->guest,
 			server_info->num_sids, server_info->sids);
 		status = server_info->ptok ?
@@ -1073,7 +1074,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		/* This is a passdb user, so ask passdb */
 
 		struct samu *sam_acct = NULL;
-		const DOM_SID *gr_sid = NULL;
 
 		if ( !(sam_acct = samu_new( tmp_ctx )) ) {
 			result = NT_STATUS_NO_MEMORY;
@@ -1087,20 +1087,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 			goto unix_user;
 		}
 
-		gr_sid = pdb_get_group_sid(sam_acct);
-		if (!gr_sid) {
-			goto unix_user;
-		}
-
-		sid_copy(&primary_group_sid, gr_sid);
-
-		if (!sid_to_gid(&primary_group_sid, gid)) {
-			DEBUG(1, ("sid_to_gid(%s) failed\n",
-				  sid_string_static(&primary_group_sid)));
-			DEBUGADD(1, ("Fall back to unix user %s\n", username));
-			goto unix_user;
-		}
-
 		result = pdb_enum_group_memberships(tmp_ctx, sam_acct,
 						    &group_sids, &gids,
 						    &num_group_sids);
@@ -1111,6 +1097,10 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 			goto unix_user;
 		}
 
+		/* see the smb_panic() in pdb_default_enum_group_memberships */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx,
 						pdb_get_username(sam_acct));
 
@@ -1139,9 +1129,6 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 			goto done;
 		}
 
-		*gid = pass->pw_gid;
-		gid_to_sid(&primary_group_sid, pass->pw_gid);
-
 		if (!getgroups_unix_user(tmp_ctx, username, pass->pw_gid,
 					 &gids, &num_group_sids)) {
 			DEBUG(1, ("getgroups_unix_user for user %s failed\n",
@@ -1159,6 +1146,11 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 		for (i=0; i<num_group_sids; i++) {
 			gid_to_sid(&group_sids[i], gids[i]);
 		}
+
+		/* In getgroups_unix_user we always set the primary gid */
+		SMB_ASSERT(num_group_sids > 0); 
+
+		*gid = gids[0];
 		*found_username = talloc_strdup(mem_ctx, pass->pw_name);
 
 	} else {
@@ -1182,13 +1174,13 @@ NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
 			goto done;
 		}
 
-		num_group_sids = 0;
-		group_sids = NULL;
+		num_group_sids = 1;
+		group_sids = &primary_group_sid;
 
 		*found_username = talloc_strdup(mem_ctx, username);
 	}
 
-	*token = create_local_nt_token(mem_ctx, &user_sid, &primary_group_sid,
+	*token = create_local_nt_token(mem_ctx, &user_sid,
 				       is_guest, num_group_sids, group_sids);
 
 	if ((*token == NULL) || (*found_username == NULL)) {
-- 
cgit