From: Stefan Metzmacher
Date: Fri, 2 Feb 2018 11:37:51 +0000 (+0100)
Subject: s4:auth_winbind: make sure we expand group memberships of the local domain
X-Git-Tag: talloc-2.1.12~59
X-Git-Url: http://git.samba.org/samba.git/?p=sfrench%2Fsamba-autobuild%2F.git;a=commitdiff_plain;h=0f9a09bd3552fe62a98ce40cab6aee2740eb35ce
s4:auth_winbind: make sure we expand group memberships of the local domain
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13300
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
diff --git a/selftest/knownfail.d/expand_trust_token b/selftest/knownfail.d/expand_trust_token
index 79d844899bd..c0d44d78121 100644
--- a/selftest/knownfail.d/expand_trust_token
+++ b/selftest/knownfail.d/expand_trust_token
@@ -1,2 +1 @@
 ^samba4.blackbox.trust_token.Test.token.with.kerberos
-^samba4.blackbox.trust_token.Test.token.with.NTLMSSP
diff --git a/source4/auth/ntlm/auth_winbind.c b/source4/auth/ntlm/auth_winbind.c
index c627df77c7f..a3efde8b99e 100644
--- a/source4/auth/ntlm/auth_winbind.c
+++ b/source4/auth/ntlm/auth_winbind.c
@@ -258,6 +258,18 @@ static void winbind_check_password_done(struct tevent_req *subreq) } } + /* + * We need to expand group memberships within our local domain, + * as the token might be generated by a trusted domain, unless we're + * an RODC. + */ + status = authsam_update_user_info_dc(state->user_info_dc, + ctx->auth_ctx->sam_ctx, + state->user_info_dc); + if (tevent_req_nterror(req, status)) { + return; + } + tevent_req_done(req); }
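Review bot: The added comment in the `auth_winbind.c` hunk says memberships are expanded "unless we're an RODC", but the call to `authsam_update_user_info_dc()` directly below it is unconditional, so nothing visible here implements that exception. `winbind_check_password_done()` starts outside the hunk, so the RODC case may be handled earlier or inside the helper; if so, the comment should name where, e.g. `* an RODC (skipped in <function that checks it>).`, and if not, the call needs a guard. Since the result feeds the authorization token, I would also add a line to the comment such as `* A failure here fails the request rather than returning an unexpanded token.`, which is what the `tevent_req_nterror()` check does. Separately, the `knownfail.d` hunk keeps the kerberos trust_token test listed, so this fix covers the NTLMSSP path only.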