From a256d61c505ab10710c7d7152bab4f018cfdcd74 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 20 Jul 2012 17:12:09 -0700
Subject: s3-winbind: Fix bug #9052 resolving our own "Domain Local" groups.

We don't resolve our own "Domain Local" groups since bug #7843 has been
fixed. So we need to add the add resource groups to the sid list too.

Before bug #7843 the "Domain Local" groups were added with a
lookupuseraliases call, but this isn't done anymore for our domain
so we need to resolve resource groups here.

When to use Resource Groups:
http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx

Signed-off-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Jul 23 22:12:30 CEST 2012 on sn-devel-104
---
 source3/winbindd/winbindd_pam.c  |  2 +-
 source3/winbindd/winbindd_util.c | 12 +++++++++---
 2 files changed, 10 insertions(+), 4 deletions(-)

(limited to 'source3/winbindd')

diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 96956d071e..a64cc5692c 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -308,7 +308,7 @@ static NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
 	status = sid_array_from_info3(talloc_tos(), info3,
 				      &token->sids,
 				      &token->num_sids,
-				      true, false);
+				      true);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(frame);
 		return status;
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 162cdf22e1..52ce1e3056 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1033,12 +1033,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	/* Skip Domain local groups outside our domain.
-	   We'll get these from the getsidaliases() RPC call. */
+	/*
+	 * Before bug #7843 the "Domain Local" groups were added with a
+	 * lookupuseraliases call, but this isn't done anymore for our domain
+	 * so we need to resolve resource groups here.
+	 *
+	 * When to use Resource Groups:
+	 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+	 */
 	status = sid_array_from_info3(mem_ctx, info3,
 				      user_sids,
 				      &num_groups,
-				      false, true);
+				      false);
 
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(info3);
-- 
cgit