The Samba-Bugzilla – Attachment 7787 Details for
Bug 9100
winbind doesn't return "Domain Local" groups from own domain
[patch]
Removes the SID filtering behavior
samba-3.5.17-remove_sid_filtering.patch (text/plain), 4.03 KB, created by
pr0ntab
on 2012-08-17 02:50:56 UTC
Description:
Removes the SID filtering behavior
Creator:
pr0ntab
Created:
2012-08-17 02:50:56 UTC
Size:
4.03 KB
>diff -c -r samba-3.5.17/source3/auth/auth_util.c samba-3.5.17-patch/source3/auth/auth_util.c
>*** samba-3.5.17/source3/auth/auth_util.c 2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/auth/auth_util.c 2012-08-16 22:45:20.000000000 -0400
>***************
>*** 1826,1832 ****
> nt_status = sid_array_from_info3(result, info3,
> &result->sids,
> &result->num_sids,
>! false, false);
> if (!NT_STATUS_IS_OK(nt_status)) {
> TALLOC_FREE(result);
> return nt_status;
>--- 1826,1832 ----
> nt_status = sid_array_from_info3(result, info3,
> &result->sids,
> &result->num_sids,
>! false);
> if (!NT_STATUS_IS_OK(nt_status)) {
> TALLOC_FREE(result);
> return nt_status;
>diff -c -r samba-3.5.17/source3/include/proto.h samba-3.5.17-patch/source3/include/proto.h
>*** samba-3.5.17/source3/include/proto.h 2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/include/proto.h 2012-08-16 22:45:20.000000000 -0400
>***************
>*** 1361,1368 ****
> const struct netr_SamInfo3 *info3,
> DOM_SID **user_sids,
> size_t *num_user_sids,
>! bool include_user_group_rid,
>! bool skip_ressource_groups);
>
> /* The following definitions come from lib/util_sock.c */
>
>--- 1361,1367 ----
> const struct netr_SamInfo3 *info3,
> DOM_SID **user_sids,
> size_t *num_user_sids,
>! bool include_user_group_rid);
>
> /* The following definitions come from lib/util_sock.c */
>
>diff -c -r samba-3.5.17/source3/lib/util_sid.c samba-3.5.17-patch/source3/lib/util_sid.c
>*** samba-3.5.17/source3/lib/util_sid.c 2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/lib/util_sid.c 2012-08-16 22:45:20.000000000 -0400
>***************
>*** 684,691 ****
> const struct netr_SamInfo3 *info3,
> DOM_SID **user_sids,
> size_t *num_user_sids,
>! bool include_user_group_rid,
>! bool skip_ressource_groups)
> {
> NTSTATUS status;
> DOM_SID sid;
>--- 684,690 ----
> const struct netr_SamInfo3 *info3,
> DOM_SID **user_sids,
> size_t *num_user_sids,
>!
bool include_user_group_rid)
> {
> NTSTATUS status;
> DOM_SID sid;
>***************
>*** 738,756 ****
> }
> }
>
>! /* Copy 'other' sids. We need to do sid filtering here to
>! prevent possible elevation of privileges. See:
>!
>! http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
>! */
>!
> for (i = 0; i < info3->sidcount; i++) {
>-
>- if (skip_ressource_groups &&
>- (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
>- continue;
>- }
>-
> status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
> &sid_array, &num_sids);
> if (!NT_STATUS_IS_OK(status)) {
>--- 737,750 ----
> }
> }
>
>! /* SID filtering should only be handled by the domain controller on a
>! trust by trust basis, and is counter-indicated for forests. Since
>! native AD return all Domain Local groups as other SIDs, then this
>! must not filter them when parsing INFO3 responses such that the
>! list is identical to the tokenGroups LDAP query.
>! */
>!
> for (i = 0; i < info3->sidcount; i++) {
> status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
> &sid_array, &num_sids);
> if (!NT_STATUS_IS_OK(status)) {
>diff -c -r samba-3.5.17/source3/winbindd/winbindd_pam.c samba-3.5.17-patch/source3/winbindd/winbindd_pam.c
>*** samba-3.5.17/source3/winbindd/winbindd_pam.c 2012-08-02 13:27:59.000000000 -0400
>--- samba-3.5.17-patch/source3/winbindd/winbindd_pam.c 2012-08-16 22:45:20.000000000 -0400
>***************
>*** 298,304 ****
> status = sid_array_from_info3(talloc_tos(), info3,
> &token->user_sids,
> &token->num_sids,
>! true, false);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> return status;
>--- 298,304 ----
> status = sid_array_from_info3(talloc_tos(), info3,
> &token->user_sids,
> &token->num_sids,
>! true);
> if (!NT_STATUS_IS_OK(status)) {
> TALLOC_FREE(frame);
> return status;
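Review bot: The rewritten comment above the `info3->sids[]` loop in util_sid.c (new lines 737-750) drops the old pointer to the privilege-elevation concern. With the parameter gone, the function has no way left to skip `SE_GROUP_RESOURCE` entries, so every extra SID in the INFO3 reply is appended to the array as received. Both call sites in this patch (auth_util.c and winbindd_pam.c) already passed `false` for `skip_ressource_groups`, so their behaviour should not change; callers outside the patch are not visible here. The comment should state that trust boundary outright, for example `/* No filtering here: every info3->sids[] entry is copied as received, so SID filtering must already have been enforced by the DC on the trust. */`. The loop body and the rest of sid_array_from_info3 continue outside the hunk.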