From aa7d44c0d998e642d7b5b001834797d38faebfde Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 3 Aug 2005 23:14:38 +0000 Subject: r9022: One more step in the game of whack-a-mole with the PAC. This makes the PAC we generate match (closely) the PAC generated by my test win2k3 DC. Andrew Bartlett (This used to be commit 6172b1868020ac8e828c375f17f4c33fc40eaca4) --- source4/auth/auth_sam_reply.c | 34 +++++++++++++++++++++++++++------- 1 file changed, 27 insertions(+), 7 deletions(-) (limited to 'source4/auth') diff --git a/source4/auth/auth_sam_reply.c b/source4/auth/auth_sam_reply.c index 6b16d3e610..85a54979ce 100644 --- a/source4/auth/auth_sam_reply.c +++ b/source4/auth/auth_sam_reply.c @@ -117,6 +117,10 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam = &sam3->base; + sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); + NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); + sam->domain_sid->num_auths--; + sam->last_logon = server_info->last_logon; sam->last_logoff = server_info->last_logoff; sam->acct_expiry = server_info->acct_expiry; @@ -139,6 +143,26 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam->groups.count = 0; sam->groups.rids = NULL; + if (server_info->n_domain_groups > 0) { + int i; + sam->groups.rids = talloc_array(sam, struct samr_RidWithAttribute, + server_info->n_domain_groups); + NT_STATUS_HAVE_NO_MEMORY(sam->groups.rids); + + for (i=0; in_domain_groups; i++) { + struct dom_sid *group_sid = server_info->domain_groups[i]; + + if (!dom_sid_in_domain(sam->domain_sid, group_sid)) { + continue; + } + + sam->groups.rids[sam->groups.count].rid = group_sid->sub_auths[group_sid->num_auths-1]; + sam->groups.rids[sam->groups.count].attributes = + SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED; + sam->groups.count += 1; + } + } + sam->user_flags = 0x20; /* TODO: w2k3 uses 0x120. We know 0x20 * as extra sids (PAC doc) but what is * 0x100? */ 
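Review bot: `sam->domain_sid->num_auths--` is applied to the duplicated account SID without checking that it has at least one sub-authority. If server_info->account_sid ever arrives with num_auths of 0, the count goes below zero (or wraps, depending on the field's type, which is not visible here). That value now feeds the dom_sid_in_domain() filter added later in this commit, as well as the domain SID placed in the reply. A guard before the decrement, such as `if (sam->domain_sid->num_auths < 1) return NT_STATUS_INVALID_PARAMETER;`, keeps a malformed SID out of the PAC. The function body starts and ends outside this hunk.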
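Review bot: The RID written to `sam->groups.rids[...]` is read from `group_sid->sub_auths[group_sid->num_auths-1]`, which is only safe if dom_sid_in_domain() returns true solely for SIDs with exactly one more sub-authority than sam->domain_sid; that helper is not shown on this page. If it also accepts a deeper SID, or one with num_auths of 0, the index is either out of bounds or yields a value that is not a RID of this domain, and the PAC would then assert membership in an unrelated group. Making the precondition local with `if (group_sid->num_auths != sam->domain_sid->num_auths + 1) continue;` ahead of the index, or at least a comment stating what the helper guarantees, would remove the dependency. The added `for` header looks truncated in this rendering, and the enclosing function extends beyond the hunk.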
@@ -146,10 +170,6 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam->logon_server.string = lp_netbios_name(); sam->domain.string = server_info->domain_name; - sam->domain_sid = dom_sid_dup(mem_ctx, server_info->account_sid); - NT_STATUS_HAVE_NO_MEMORY(sam->domain_sid); - sam->domain_sid->num_auths--; - ZERO_STRUCT(sam->unknown); ZERO_STRUCT(sam->key); @@ -165,7 +185,7 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam3->sidcount = 0; sam3->sids = NULL; - +#if 0 if (server_info->n_domain_groups > 0) { int i; sam3->sids = talloc_array(sam, struct netr_SidAttr, @@ -173,7 +193,7 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, NT_STATUS_HAVE_NO_MEMORY(sam3->sids); for (i=0; in_domain_groups; i++) { - if (!dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) { + if (dom_sid_in_domain(sam->domain_sid, server_info->domain_groups[i])) { continue; } sam3->sids[sam3->sidcount].sid = talloc_reference(sam3->sids,server_info->domain_groups[i]); @@ -182,7 +202,7 @@ NTSTATUS auth_convert_server_info_saminfo3(TALLOC_CTX *mem_ctx, sam3->sidcount += 1; } } - +#endif *_sam3 = sam3; return NT_STATUS_OK; -- cgit
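Review bot: Wrapping the extra-SIDs block in `#if 0` (this hunk and the closing `#endif` in the last hunk) leaves groups that fail dom_sid_in_domain() recorded nowhere: the loop added earlier in the commit skips them and `sam3->sidcount` stays 0. Anything that builds an access token from this SamInfo3 would then miss those memberships, which matters for deny entries as much as for grants. Meanwhile `sam->user_flags = 0x20` still signals extra SIDs according to its own comment, so it is worth confirming that 0x20 with a zero sidcount is what the reference DC actually emits. The inverted test in the hunk between the two guards is compiled out, so nothing exercises it yet. If the block has to stay disabled, say why at the guard, e.g. `#if 0 /* TODO: out-of-domain groups are not yet emitted as extra SIDs */`.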