Commit b24835c1 authored by Volker Lendecke's avatar Volker Lendecke Committed by Gerald (Jerry) Carter

r988: When adding local aliases' gids to the user token, don't do a idmap_sid_to_gid

on the user sid. This might lead to a user SID being entered as a GID in the idmap.

Volker
(This used to be commit 98e10d149710d9b70404e77a4bc0560c2e48aeaf)
parent ac5f0785
+31 −11
@@ -942,16 +942,14 @@ static void add_gid_to_array_unique(gid_t gid, gid_t **gids, int *num)
	*num += 1;
}

static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
{
	gid_t gid;
	DOM_SID *aliases;
	int j, num_aliases;

	DEBUG(10, ("Adding gids from SID: %s\n", sid_string_static(sid)));

	if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
		add_gid_to_array_unique(gid, gids, num);
	DEBUG(10, ("Adding local gids from SID: %s\n",
		   sid_string_static(sid)));

	/* Don't expand aliases if not explicitly activated -- for now
	   -- jerry */
@@ -974,6 +972,27 @@ static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
	SAFE_FREE(aliases);
}

static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num)
{
	DEBUG(10, ("Adding gids from user SID: %s\n",
		   sid_string_static(sid)));

	add_local_gids_from_sid(sid, gids, num);
}

static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num)
{
	gid_t gid;

	DEBUG(10, ("Adding gids from group SID: %s\n",
		   sid_string_static(sid)));

	if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
		add_gid_to_array_unique(gid, gids, num);

	add_local_gids_from_sid(sid, gids, num);
}

/* Get user supplementary groups.  This is much quicker than trying to
   invert the groups database.  We merge the groups from the gids and
   other_sids info3 fields as trusted domain, universal group
@@ -1039,7 +1058,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
		goto done;
	}

	add_gids_from_sid(&user_sid, &gid_list, &num_gids);
	add_gids_from_user_sid(&user_sid, &gid_list, &num_gids);

	/* Treat the info3 cache as authoritative as the
	   lookup_usergroups() function may return cached data. */
@@ -1083,7 +1102,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
				continue;
			}

			add_gids_from_sid(&info3->other_sids[i].sid,
			add_gids_from_group_sid(&info3->other_sids[i].sid,
						&gid_list, &num_gids);

			if (gid_list == NULL)
@@ -1097,7 +1116,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
			sid_copy( &group_sid, &domain->sid );
			sid_append_rid( &group_sid, info3->gids[i].g_rid );

			add_gids_from_sid(&group_sid, &gid_list, &num_gids);
			add_gids_from_group_sid(&group_sid, &gid_list,
						&num_gids);

			if (gid_list == NULL)
				goto done;
@@ -1116,7 +1136,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
			goto done;

		for (i = 0; i < num_groups; i++) {
			add_gids_from_sid(user_grpsids[i],
			add_gids_from_group_sid(user_grpsids[i],
						&gid_list, &num_gids);

			if (gid_list == NULL)
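Review bot: add_gids_from_user_sid() in the second hunk has no comment saying why it deliberately skips idmap_sid_to_gid(). The reason lives only in the commit message, so the asymmetry with add_gids_from_group_sid() can look like an oversight to a later maintainer and be "fixed" back. I would put `/* Never call idmap_sid_to_gid() on a user SID: that could enter the user SID as a GID in the idmap. Only local aliases are expanded here. */` directly above the function. Separately, the add_gids_from_user_sid(&user_sid, ...) call in the third hunk is not followed by the `if (gid_list == NULL)` check that the three group call sites have. That check presumably catches an allocation failure, and winbindd_getgroups continues outside the hunks, so confirm the failure is still caught there.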