From 31d644c7f9a8ac5c142aa08e2338e6b7fa23a54e Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 14 Jan 2011 10:41:47 +1100
Subject: s4-dsdb: fixed filtering of tokengroups

builtin groups are shown in user tokenGroups searches

Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
---
 source4/dsdb/samdb/ldb_modules/operational.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

(limited to 'source4/dsdb/samdb')

diff --git a/source4/dsdb/samdb/ldb_modules/operational.c b/source4/dsdb/samdb/ldb_modules/operational.c
index 8604a27b9f..a1b5a2e94b 100644
--- a/source4/dsdb/samdb/ldb_modules/operational.c
+++ b/source4/dsdb/samdb/ldb_modules/operational.c
@@ -186,11 +186,9 @@ static int construct_token_groups(struct ldb_module *module,
 		return ldb_oom(ldb);
 	}
 
-	/* Filter out builtin groups from this token.  We will search
-	 * for builtin groups later, and not include them in the
-	 * tokenGroups (and therefore the PAC or SamLogon validation
-	 * info) */
-	filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
+	/* only return security groups */
+	filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
+				 GROUP_TYPE_SECURITY_ENABLED);
 	if (!filter) {
 		talloc_free(tmp_ctx);
 		return ldb_oom(ldb);
-- 
cgit