From 0f9a09bd3552fe62a98ce40cab6aee2740eb35ce Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 2 Feb 2018 12:37:51 +0100
Subject: [PATCH] s4:auth_winbind: make sure we expand group memberships of the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 selftest/knownfail.d/expand_trust_token | 1 -
 source4/auth/ntlm/auth_winbind.c | 12 ++++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/selftest/knownfail.d/expand_trust_token b/selftest/knownfail.d/expand_trust_token
index 79d844899bd..c0d44d78121 100644
--- a/selftest/knownfail.d/expand_trust_token
+++ b/selftest/knownfail.d/expand_trust_token
@@ -1,2 +1 @@
 ^samba4.blackbox.trust_token.Test.token.with.kerberos
-^samba4.blackbox.trust_token.Test.token.with.NTLMSSP
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index c627df77c7f..a3efde8b99e 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -258,6 +258,18 @@ static void winbind_check_password_done(struct tevent_req *subreq)
 }
 }
+ /*
+ * We need to expand group memberships within our local domain,
+ * as the token might be generated by a trusted domain, unless we're
+ * an RODC.
+ */
+ status = authsam_update_user_info_dc(state->user_info_dc,
+ ctx->auth_ctx->sam_ctx,
+ state->user_info_dc);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
 tevent_req_done(req);
 }
--
2.34.1
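Review bot: The new comment in winbind_check_password_done() says the expansion applies "unless we're an RODC", but the added call to authsam_update_user_info_dc() is unconditional in the lines shown, so a reader cannot tell where that exception is enforced. If the RODC case is handled inside authsam_update_user_info_dc() or earlier in this function (its body starts outside the hunk), the comment should name the place, for example `* (the RODC case is handled in <location, to be confirmed>)`; if it is handled nowhere, the call needs a guard or the clause should be dropped. The comment could also state that the SIDs already in `state->user_info_dc`, presumably taken from the winbind reply for a possibly trusted-domain account, are the input from which local group membership is derived, and are therefore assumed to have been validated before this point. The error path is fail-closed through `tevent_req_nterror()`, which is the right behaviour when the token could not be fully expanded.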