s4:auth_winbind: make sure we expand group memberships of the local domain

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/selftest/knownfail.d/expand_trust_token b/selftest/knownfail.d/expand_trust_token
index 79d844899bd71f911f83fdd7d79a246966c24953..c0d44d78121bd6bc501f919ecbfbf812a057c3d6 100644 (file)
--- a/selftest/knownfail.d/expand_trust_token
+++ b/selftest/knownfail.d/expand_trust_token
@@ -1,2 +1 @@
 ^samba4.blackbox.trust_token.Test.token.with.kerberos
-^samba4.blackbox.trust_token.Test.token.with.NTLMSSP

diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index c627df77c7f2d6c2cc071ee9f27506e45cbfbfea..a3efde8b99e4f7d40f27db2146ac5feedafdab8d 100644 (file)
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -258,6 +258,18 @@ static void winbind_check_password_done(struct tevent_req *subreq)
                }
        }
 
+       /*
+        * We need to expand group memberships within our local domain,
+        * as the token might be generated by a trusted domain, unless we're
+        * an RODC.
+        */
+       status = authsam_update_user_info_dc(state->user_info_dc,
+                                            ctx->auth_ctx->sam_ctx,
+                                            state->user_info_dc);
+       if (tevent_req_nterror(req, status)) {
+               return;
+       }
+
        tevent_req_done(req);
 }