The Samba-Bugzilla – Attachment 7793 Details for Bug 9100: winbind doesn't return "Domain Local" groups from own domain
[patch] git-am fix for 3.5.next
0001-Fix-bug-9100-winbind-doesn-t-return-Domain-Local-gro.patch (text/plain), 4.34 KB, created by Jeremy Allison on 2012-08-17 20:52:57 UTC
>From c3d52477b77d2c80b22d26ae8964fc70468a9728 Mon Sep 17 00:00:00 2001 >From: "Goldberg, Neil R" <ngoldber@mitre.org> >Date: Fri, 17 Aug 2012 13:52:07 -0700 >Subject: [PATCH] Fix bug #9100 - winbind doesn't return "Domain Local" groups > from own domain. > >Back-port of fix for 3.6.x from bug #9052. >--- > source3/auth/auth_util.c | 2 +- > source3/include/proto.h | 3 +-- > source3/lib/util_sid.c | 22 ++++++++-------------- > source3/winbindd/winbindd_pam.c | 2 +- > source3/winbindd/winbindd_util.c | 12 +++++++++--- > 5 files changed, 20 insertions(+), 21 deletions(-) > >diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c >index 69d5c65..42e2747 100644 >--- a/source3/auth/auth_util.c >+++ b/source3/auth/auth_util.c >@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx, > nt_status = sid_array_from_info3(result, info3, > &result->sids, > &result->num_sids, >- false, false); >+ false); > if (!NT_STATUS_IS_OK(nt_status)) { > TALLOC_FREE(result); > return nt_status; >diff --git a/source3/include/proto.h b/source3/include/proto.h >index 559a34e..785cc30 100644 >--- a/source3/include/proto.h >+++ b/source3/include/proto.h >@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, > const struct netr_SamInfo3 *info3, > DOM_SID **user_sids, > size_t *num_user_sids, >- bool include_user_group_rid, >- bool skip_ressource_groups); >+ bool include_user_group_rid); > > /* The following definitions come from lib/util_sock.c */ > >diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c >index bea04d8..50bc4d7 100644 >--- a/source3/lib/util_sid.c >+++ b/source3/lib/util_sid.c >@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, > const struct netr_SamInfo3 *info3, > DOM_SID **user_sids, > size_t *num_user_sids, >- bool include_user_group_rid, >- bool skip_ressource_groups) >+ bool include_user_group_rid) > { > NTSTATUS status; > DOM_SID sid; 
>@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx, > } > } > >- /* Copy 'other' sids. We need to do sid filtering here to >- prevent possible elevation of privileges. See: >- >- http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp >- */ >- >+ /* SID filtering should only be handled by the domain controller on a >+ trust by trust basis, and is counter-indicated for forests. Since >+ native AD return all Domain Local groups as other SIDs, then this >+ must not filter them when parsing INFO3 responses such that the >+ list is identical to the tokenGroups LDAP query. >+ */ >+ > for (i = 0; i < info3->sidcount; i++) { >- >- if (skip_ressource_groups && >- (info3->sids[i].attributes & SE_GROUP_RESOURCE)) { >- continue; >- } >- > status = add_sid_to_array(mem_ctx, info3->sids[i].sid, > &sid_array, &num_sids); > if (!NT_STATUS_IS_OK(status)) { >diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c >index c8910d6..50b6541 100644 >--- a/source3/winbindd/winbindd_pam.c >+++ b/source3/winbindd/winbindd_pam.c >@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3, > status = sid_array_from_info3(talloc_tos(), info3, > &token->user_sids, > &token->num_sids, >- true, false); >+ true); > if (!NT_STATUS_IS_OK(status)) { > TALLOC_FREE(frame); > return status; >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index 15a3575..f4e2f56 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c 
>@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain, > return NT_STATUS_UNSUCCESSFUL; > } > >- /* Skip Domain local groups outside our domain. >- We'll get these from the getsidaliases() RPC call. */ >+ /* >+ * Before bug #7843 the "Domain Local" groups were added with a >+ * lookupuseraliases call, but this isn't done anymore for our domain >+ * so we need to resolve resource groups here. >+ * >+ * When to use Resource Groups: >+ * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx >+ */ > status = sid_array_from_info3(mem_ctx, info3, > user_sids, > &num_groups, >- false, true); >+ false); > > if (!NT_STATUS_IS_OK(status)) { > TALLOC_FREE(info3); >-- >1.7.7.3 >
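Review bot: In the source3/lib/util_sid.c hunk at @@ -738, the replacement comment drops the old note that filtering here guarded against elevation of privileges, while the loop now copies every info3->sids[i] into the array for every caller with no way to opt out. Of the three call sites touched by this patch only lookup_usergroups_cached passed skip_ressource_groups as true, so the comment should say that the behaviour change is confined to that caller and spell out the assumption it relies on, namely that the domain controller has already applied SID filtering for the trust the INFO3 response came over. The sentence "Since native AD return all Domain Local groups as other SIDs, then this must not filter them" would also read better as "Native AD returns all Domain Local groups as other SIDs, so they must not be filtered here".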
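Review bot: In the source3/winbindd/winbindd_util.c hunk at @@ -1166, the new comment justifies resolving resource groups "for our domain", but the call to sid_array_from_info3 in lookup_usergroups_cached no longer skips SE_GROUP_RESOURCE entries at all, and nothing in the visible lines checks that the domain or the returned SIDs are our own. The removed comment said Domain Local groups outside our domain were skipped on purpose, so either restrict the added SIDs to our domain at this call site or extend the comment to explain why returning them for other domains is correct. The remaining bare `false` argument would also be easier to audit with a short inline comment naming include_user_group_rid.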
Flags: asn: review+