fail authentication for single group name which cannot be converted to sid
author Noel Power <noel.power@suse.com>
Wed, 16 Oct 2013 15:30:55 +0000 (16:30 +0100)
committer David Disseldorp <ddiss@samba.org>
Fri, 29 Nov 2013 14:45:11 +0000 (15:45 +0100)
furthermore if more than one name is supplied and no sid is converted
then also fail.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=8598

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Fri Nov 29 15:45:11 CET 2013 on sn-devel-104

nsswitch/pam_winbind.c

index 9322971bd3fcc6c07a64a733ea90e2d5aeaf89d0..cd5e7ba206ee25c68bcb71fefde5e076da568b29 100644 (file)
@@ -1172,6 +1172,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
                _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
                                "to sid, please contact your administrator to see "
                                "if group %s is valid."), search_location, search_location);
+
+               /* If no valid groups were converted we should fail outright */
+               if (name_list != NULL && strlen(sid_list_buffer) == 0) {
+                       result = false;
+                       goto out;
+               }
                /*
                 * The lookup of the last name failed..
                 * It results in require_member_of_sid ends with ','
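Review bot: the new fail-closed check `strlen(sid_list_buffer) == 0` is only correct if sid_list_buffer is an empty, NUL-terminated string whenever no SID has been appended, and nothing in this hunk shows where that is guaranteed. Please confirm the buffer is initialised that way for every caller, or state the precondition in the function's comment, since a buffer that already holds data on entry would skip this branch and authentication would proceed with a list in which none of the configured groups resolved. The `name_list != NULL` test should also be justified in the comment: if name_list can be NULL on this path, the comment should say what is expected to happen then, and if it cannot, the test can go. Minor points: `sid_list_buffer[0] == '\0'` expresses the emptiness test without walking the string, and a blank line between the closing brace and the following comment block would match the blank line added above the new code.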