Attachment 7793 Details for Bug 9100 – git-am fix for 3.5.next

[patch] git-am fix for 3.5.next

0001-Fix-bug-9100-winbind-doesn-t-return-Domain-Local-gro.patch (text/plain), 4.34 KB, created by Jeremy Allison on 2012-08-17 20:52:57 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2012-08-17 20:52:57 UTC

Size: 4.34 KB

patch

obsolete

>From c3d52477b77d2c80b22d26ae8964fc70468a9728 Mon Sep 17 00:00:00 2001
>From: "Goldberg, Neil R" <ngoldber@mitre.org>
>Date: Fri, 17 Aug 2012 13:52:07 -0700
>Subject: [PATCH] Fix bug #9100 - winbind doesn't return "Domain Local" groups
> from own domain.
>
>Back-port of fix for 3.6.x from bug #9052.
>---
> source3/auth/auth_util.c         |    2 +-
> source3/include/proto.h          |    3 +--
> source3/lib/util_sid.c           |   22 ++++++++--------------
> source3/winbindd/winbindd_pam.c  |    2 +-
> source3/winbindd/winbindd_util.c |   12 +++++++++---
> 5 files changed, 20 insertions(+), 21 deletions(-)
>
>diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
>index 69d5c65..42e2747 100644
>--- a/source3/auth/auth_util.c
>+++ b/source3/auth/auth_util.c
>@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
> 	nt_status = sid_array_from_info3(result, info3,
> 					 &result->sids,
> 					 &result->num_sids,
>-					 false, false);
>+					 false);
> 	if (!NT_STATUS_IS_OK(nt_status)) {
> 		TALLOC_FREE(result);
> 		return nt_status;
>diff --git a/source3/include/proto.h b/source3/include/proto.h
>index 559a34e..785cc30 100644
>--- a/source3/include/proto.h
>+++ b/source3/include/proto.h
>@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
> 			      const struct netr_SamInfo3 *info3,
> 			      DOM_SID **user_sids,
> 			      size_t *num_user_sids,
>-			      bool include_user_group_rid,
>-			      bool skip_ressource_groups);
>+			      bool include_user_group_rid);
> 
> /* The following definitions come from lib/util_sock.c  */
> 
>diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
>index bea04d8..50bc4d7 100644
>--- a/source3/lib/util_sid.c
>+++ b/source3/lib/util_sid.c
>@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
> 			      const struct netr_SamInfo3 *info3,
> 			      DOM_SID **user_sids,
> 			      size_t *num_user_sids,
>-			      bool include_user_group_rid,
>-			      bool skip_ressource_groups)
>+			      bool include_user_group_rid)
> {
> 	NTSTATUS status;
> 	DOM_SID sid;
>@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
> 		}
> 	}
> 
>-	/* Copy 'other' sids.  We need to do sid filtering here to
>- 	   prevent possible elevation of privileges.  See:
>-
>-           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
>-         */
>-
>+	/* SID filtering should only be handled by the domain controller on a
>+	   trust by trust basis, and is counter-indicated for forests. Since
>+	   native AD return all Domain Local groups as other SIDs, then this
>+	   must not filter them when parsing INFO3 responses such that the
>+	   list is identical to the tokenGroups LDAP query. 
>+	 */	   
>+	   
> 	for (i = 0; i < info3->sidcount; i++) {
>-
>-		if (skip_ressource_groups &&
>-		    (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
>-			continue;
>-		}
>-
> 		status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
> 				      &sid_array, &num_sids);
> 		if (!NT_STATUS_IS_OK(status)) {
>diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
>index c8910d6..50b6541 100644
>--- a/source3/winbindd/winbindd_pam.c
>+++ b/source3/winbindd/winbindd_pam.c
>@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
> 	status = sid_array_from_info3(talloc_tos(), info3,
> 				      &token->user_sids,
> 				      &token->num_sids,
>-				      true, false);
>+				      true);
> 	if (!NT_STATUS_IS_OK(status)) {
> 		TALLOC_FREE(frame);
> 		return status;
>diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
>index 15a3575..f4e2f56 100644
>--- a/source3/winbindd/winbindd_util.c
>+++ b/source3/winbindd/winbindd_util.c
>@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
> 		return NT_STATUS_UNSUCCESSFUL;
> 	}
> 
>-	/* Skip Domain local groups outside our domain.
>-	   We'll get these from the getsidaliases() RPC call. */
>+	/*
>+	 * Before bug #7843 the "Domain Local" groups were added with a
>+	 * lookupuseraliases call, but this isn't done anymore for our domain
>+	 * so we need to resolve resource groups here.
>+	 *
>+	 * When to use Resource Groups:
>+	 * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
>+	*/
> 	status = sid_array_from_info3(mem_ctx, info3,
> 				      user_sids,
> 				      &num_groups,
>-				      false, true);
>+				      false);
> 
> 	if (!NT_STATUS_IS_OK(status)) {
> 		TALLOC_FREE(info3);
>-- 
>1.7.7.3
>

Flags:

asn: review+

Actions: View

Attachments on bug 9100: 7787 | 7793