I think the problem with these functions is that lookup_usergroups
authorHerb Lewis <hlewis@panasas.com>
Fri, 15 Aug 2008 22:28:23 +0000 (15:28 -0700)
committerJeremy Allison <jra@samba.org>
Fri, 15 Aug 2008 22:28:23 +0000 (15:28 -0700)
should never include the user SID.
The comment for the function in winbindd/winbindd_ads.c says
/* Lookup groups a user is a member of. */
The following patch makes the wbinfo calls return the correct data
before and after a login.
wbinfo --user-domgroups and --user-sids
(This used to be commit 7849938906a9c859805cbaeca66fae9d3c515aad)

source3/lib/util_sid.c
source3/winbindd/winbindd_util.c

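--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -678,9 +678,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
        int i;
 
        if (include_user_group_rid) {
-
-               if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid))
-               {
+               if (!sid_compose(&sid, info3->base.domain_sid, info3->base.rid)) {
                        DEBUG(3, ("could not compose user SID from rid 0x%x\n",
                                  info3->base.rid));
                        return NT_STATUS_INVALID_PARAMETER;
@@ -691,25 +689,27 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                                  info3->base.rid));
                        return status;
                }
+       }
 
-               if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid))
-               {
-                       DEBUG(3, ("could not compose group SID from rid 0x%x\n",
-                                 info3->base.primary_gid));
-                       return NT_STATUS_INVALID_PARAMETER;
-               }
-               status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
-               if (!NT_STATUS_IS_OK(status)) {
-                       DEBUG(3, ("could not append group SID from rid 0x%x\n",
-                                 info3->base.rid));
-                       return status;
-               }
+       if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {
+               DEBUG(3, ("could not compose group SID from rid 0x%x\n",
+                         info3->base.primary_gid));
+               return NT_STATUS_INVALID_PARAMETER;
+       }
+       status = add_sid_to_array(mem_ctx, &sid, &sid_array, &num_sids);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(3, ("could not append group SID from rid 0x%x\n",
+                         info3->base.rid));
+               return status;
        }
 
        for (i = 0; i < info3->base.groups.count; i++) {
+               /* Don't add the primary group sid twice. */
+               if (info3->base.primary_gid == info3->base.groups.rids[i].rid) {
+                       continue;
+               }
                if (!sid_compose(&sid, info3->base.domain_sid,
-                                info3->base.groups.rids[i].rid))
-               {
+                                info3->base.groups.rids[i].rid)) {
                        DEBUG(3, ("could not compose SID from additional group "
                                  "rid 0x%x\n", info3->base.groups.rids[i].rid));
                        return NT_STATUS_INVALID_PARAMETER;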
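Review bot: After this change `include_user_group_rid` gates only the user SID, while the primary group SID is composed and appended unconditionally by the block starting at `if (!sid_compose(&sid, info3->base.domain_sid, info3->base.primary_gid)) {`, so the parameter name no longer matches what it controls. Any other caller that passes false for it will now receive the primary group SID as well; those callers are not visible here and are worth checking one by one, since this array presumably feeds group-membership decisions. A comment above the flag check such as `/* include_user_group_rid controls only the user SID; the primary group SID is always added. */` would document the new contract. Separately, the append-failure message on the new side still logs the user RID; its argument should be `info3->base.primary_gid));` to match the compose-failure message just above it. The body of sid_array_from_info3 starts and ends outside these hunks.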
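--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -1333,7 +1333,7 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
        status = sid_array_from_info3(mem_ctx, info3,
                                      user_sids,
                                      &num_groups,
-                                     true, true);
+                                     false, true);
 
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(info3);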
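Review bot: The call now passes `false, true` as bare positional booleans, and nothing at the call site says that the first one is what keeps the user SID out of the cached result. A short comment before the call, e.g. `/* Groups only: do not include the user SID in the cached result. */`, would keep a later edit from flipping it back and making cached and live lookups disagree again. Callers of lookup_usergroups_cached that assumed the user SID was present in the returned array are outside this hunk and should be checked. The function body starts and ends outside the hunk.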