s4:auth handle addition of nested aliases of domain groups.
authorAndrew Bartlett <abartlet@samba.org>
Thu, 20 May 2010 06:51:59 +0000 (16:51 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 20 May 2010 07:39:10 +0000 (17:39 +1000)
The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add.  So, we can't short-circuit the operation just because we found
the domain group.

Andrew Bartlett

source4/auth/sam.c

index 244ebc732e94fca50c4fc198b98a67219247717e..d5dc4ded12b264d69663cf885b8b9452b5ee7678 100644 (file)
@@ -332,23 +332,23 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
        }
        v = ldb_dn_get_extended_component(dn, "SID");
 
-       ndr_err = ndr_pull_struct_blob(v, sid, NULL, sid,
+       ndr_err = ndr_pull_struct_blob(v, sid, sid,
                                       (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
        if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
                talloc_free(tmp_ctx);
                return NT_STATUS_INTERNAL_DB_CORRUPTION;
        }
 
-       /* This is an O(n^2) linear search */
-       already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
-                                         *num_res_sids, sid);
-       if (already_there) {
-               return NT_STATUS_OK;
-       }
-
        if (only_childs) {
                ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
        } else {
+               /* This is an O(n^2) linear search */
+               already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+                                                 *num_res_sids, sid);
+               if (already_there) {
+                       return NT_STATUS_OK;
+               }
+
                ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s", filter);
        }
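Review bot: The early return that this change moves into the else branch, `if (already_there) { return NT_STATUS_OK; }`, exits without releasing `tmp_ctx`, whereas the NDR failure path a few lines above calls `talloc_free(tmp_ctx)` before returning. The allocation of `tmp_ctx` is outside the hunk, so this is inferred, but if it hangs off a context that outlives the call, every already-seen SID met during group expansion leaves a temporary context behind until that parent is freed. Since this runs while building the group list for a logon, I would make the success path match the error path: `talloc_free(tmp_ctx);` on the line before `return NT_STATUS_OK;`. The body of authsam_expand_nested_groups starts and ends outside the hunk, so the remaining return paths should be checked for the same pattern.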