From f14e4d4e54f424c05147cb0e635c9b8930270262 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 11 Feb 2009 11:46:18 +0100
Subject: s3:auth: add S-1-22-X-Y sids to the local token

metze
---
 source3/auth/auth_util.c | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

(limited to 'source3/auth')

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 892e5c4ab7..05ab45da49 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -736,6 +736,7 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 {
 	NTSTATUS status;
 	size_t i;
+	struct dom_sid tmp_sid;
 
 	/*
 	 * If winbind is not around, we can not make much use of the SIDs the
@@ -788,7 +789,44 @@ NTSTATUS create_local_token(auth_serversupplied_info *server_info)
 					&server_info->utok.ngroups);
 	}
 
+	/*
+	 * Add the "Unix Group" SID for each gid to catch mapped groups
+	 * and their Unix equivalent.  This is to solve the backwards
+	 * compatibility problem of 'valid users = +ntadmin' where
+	 * ntadmin has been paired with "Domain Admins" in the group
+	 * mapping table.  Otherwise smb.conf would need to be changed
+	 * to 'valid user = "Domain Admins"'.  --jerry
+	 *
+	 * For consistency we also add the "Unix User" SID,
+	 * so that the complete unix token is represented within
+	 * the nt token.
+	 */
+
+	if (!uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid)) {
+		DEBUG(1,("create_local_token: Failed to create SID "
+			"for uid %d!\n", server_info->utok.uid));
+	}
+	add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+				&server_info->ptok->user_sids,
+				&server_info->ptok->num_sids);
+
+	for ( i=0; i<server_info->utok.ngroups; i++ ) {
+		if (!gid_to_unix_groups_sid( server_info->utok.groups[i], &tmp_sid ) ) {
+			DEBUG(1,("create_local_token: Failed to create SID "
+				"for gid %d!\n", server_info->utok.groups[i]));
+			continue;
+		}
+		add_sid_to_array_unique(server_info->ptok, &tmp_sid,
+					&server_info->ptok->user_sids,
+					&server_info->ptok->num_sids);
+	}
+
 	debug_nt_user_token(DBGC_AUTH, 10, server_info->ptok);
+	debug_unix_user_token(DBGC_AUTH, 10,
+			      server_info->utok.uid,
+			      server_info->utok.gid,
+			      server_info->utok.ngroups,
+			      server_info->utok.groups);
 
 	status = log_nt_token(server_info->ptok);
 	return status;
-- 
cgit