r988: When adding local aliases' gids to the user token, don't do a idmap_sid_to_gid
authorVolker Lendecke <vlendec@samba.org>
Thu, 3 Jun 2004 08:31:57 +0000 (08:31 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:51:52 +0000 (10:51 -0500)
on the user sid. This might lead to a user SID entered as a GID in the idmap.

Volker

source/nsswitch/winbindd_group.c

index 7b4529144e270172dfa8bb0781a35d6bbaf023f4..0e6c98e5d365b02da1926056221c60b2522d7e30 100644 (file)
@@ -942,16 +942,14 @@ static void add_gid_to_array_unique(gid_t gid, gid_t **gids, int *num)
        *num += 1;
 }
 
-static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
+static void add_local_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
 {
        gid_t gid;
        DOM_SID *aliases;
        int j, num_aliases;
 
-       DEBUG(10, ("Adding gids from SID: %s\n", sid_string_static(sid)));
-
-       if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
-               add_gid_to_array_unique(gid, gids, num);
+       DEBUG(10, ("Adding local gids from SID: %s\n",
+                  sid_string_static(sid)));
 
        /* Don't expand aliases if not explicitly activated -- for now
           -- jerry */
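Review bot: The renamed add_local_gids_from_sid() has no header comment stating its narrowed contract, so the next caller cannot tell from the name alone that the SID itself is never mapped. Suggest adding above the definition: `/* Add the gids of the local aliases this SID belongs to. Never maps sid itself, since it may be a user SID. */`. The `gid_t gid;` declaration is kept although its only visible use was removed; the rest of the body lies outside this hunk, so confirm it is still used there.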
@@ -974,6 +972,27 @@ static void add_gids_from_sid(DOM_SID *sid, gid_t **gids, int *num)
        SAFE_FREE(aliases);
 }
 
+static void add_gids_from_user_sid(DOM_SID *sid, gid_t **gids, int *num)
+{
+       DEBUG(10, ("Adding gids from user SID: %s\n",
+                  sid_string_static(sid)));
+
+       add_local_gids_from_sid(sid, gids, num);
+}
+
+static void add_gids_from_group_sid(DOM_SID *sid, gid_t **gids, int *num)
+{
+       gid_t gid;
+
+       DEBUG(10, ("Adding gids from group SID: %s\n",
+                  sid_string_static(sid)));
+
+       if (NT_STATUS_IS_OK(idmap_sid_to_gid(sid, &gid, 0)))
+               add_gid_to_array_unique(gid, gids, num);
+
+       add_local_gids_from_sid(sid, gids, num);
+}
+
 /* Get user supplementary groups.  This is much quicker than trying to
    invert the groups database.  We merge the groups from the gids and
    other_sids info3 fields as trusted domain, universal group
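Review bot: add_gids_from_group_sid() still passes whatever SID it is given to `idmap_sid_to_gid(sid, &gid, 0)`, so the protection this commit adds rests entirely on every caller supplying a real group SID. The call sites fed from `info3->other_sids` show no SID-type check in the visible lines, and those entries are not necessarily groups, so a wrong-type idmap entry may still be reachable from that path. Consider checking the SID type before mapping, or at least stating the precondition on the function: `/* sid must be a group or alias SID; mapping a user SID here records it as a gid in the idmap */`. A wrong entry matters because later group-membership decisions would be built on it.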
@@ -1039,7 +1058,7 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
                goto done;
        }
 
-       add_gids_from_sid(&user_sid, &gid_list, &num_gids);
+       add_gids_from_user_sid(&user_sid, &gid_list, &num_gids);
 
        /* Treat the info3 cache as authoritative as the
           lookup_usergroups() function may return cached data. */
@@ -1083,8 +1102,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
                                continue;
                        }
 
-                       add_gids_from_sid(&info3->other_sids[i].sid,
-                                         &gid_list, &num_gids);
+                       add_gids_from_group_sid(&info3->other_sids[i].sid,
+                                               &gid_list, &num_gids);
 
                        if (gid_list == NULL)
                                goto done;
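Review bot: The `if (gid_list == NULL) goto done;` check after add_gids_from_group_sid() cannot distinguish an allocation failure from a list that is simply still empty. Before this commit the user-SID call could place a gid in the list first; now add_gids_from_user_sid() contributes only alias gids, so the list may be empty when this loop starts. A first group SID that fails to map and has no aliases would then take the `goto done` path and drop the user's remaining groups. This assumes gid_list starts as NULL, which is outside the hunk. The same check follows the calls in the two later hunks (the `info3->gids` and `user_grpsids` loops); having the add helpers report failure explicitly and testing that instead would remove the ambiguity.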
@@ -1097,7 +1116,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
                        sid_copy( &group_sid, &domain->sid );
                        sid_append_rid( &group_sid, info3->gids[i].g_rid );
 
-                       add_gids_from_sid(&group_sid, &gid_list, &num_gids);
+                       add_gids_from_group_sid(&group_sid, &gid_list,
+                                               &num_gids);
 
                        if (gid_list == NULL)
                                goto done;
@@ -1116,8 +1136,8 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
                        goto done;
 
                for (i = 0; i < num_groups; i++) {
-                       add_gids_from_sid(user_grpsids[i],
-                                         &gid_list, &num_gids);
+                       add_gids_from_group_sid(user_grpsids[i],
+                                               &gid_list, &num_gids);
 
                        if (gid_list == NULL)
                                goto done;