r16471: Bug reported by Vitaly Protsko <villy@sft.ru> in 3.0.23rc1.
authorGerald Carter <jerry@samba.org>
Thu, 22 Jun 2006 19:47:44 +0000 (19:47 +0000)
committerGerald Carter <jerry@samba.org>
Thu, 22 Jun 2006 19:47:44 +0000 (19:47 +0000)
Add missing automatic add of the Administrators SID in the absence
of winbindd and presence of Domain Admins SID in the user's token.

source/auth/auth_util.c

index d721b893c7b49721bac12e4cf03e2213f65a0d1f..3b7d3c9c9d74e78323e797f1ace80aa428a9d3c1 100644 (file)
@@ -688,6 +688,31 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
 
 static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
 {
+       DOM_SID domadm;
+
+       /* nothing to do if we aren't in a domain */
+       
+       if ( !(IS_DC || lp_server_role()==ROLE_DOMAIN_MEMBER) ) {
+               return NT_STATUS_OK;
+       }
+       
+       /* Find the Domain Admins SID */
+       
+       if ( IS_DC ) {
+               sid_copy( &domadm, get_global_sam_sid() );
+       } else {
+               if ( !secrets_fetch_domain_sid( lp_workgroup(), &domadm ) )
+                       return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
+       }
+       sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS );
+       
+       /* Add Administrators if the user beloongs to Domain Admins */
+       
+       if ( nt_token_check_sid( &domadm, token ) ) {
+               add_sid_to_array(token, &global_sid_Builtin_Administrators,
+                                &token->user_sids, &token->num_sids);
+       }
+       
        return NT_STATUS_OK;
 }
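Review bot: The new body of add_builtin_administrators() makes a privilege decision, adding BUILTIN\Administrators to any token that carries the Domain Admins SID, without checking the calls that build and apply it or leaving any trace of it. The result of `sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS )` is ignored; if it reports failure as a boolean (it appears to elsewhere in this tree, to be confirmed), fail closed with `if ( !sid_append_rid( &domadm, DOMAIN_GROUP_RID_ADMINS ) ) return NT_STATUS_UNSUCCESSFUL;` rather than going on to test a SID that was not fully built. A `DEBUG(5, ("add_builtin_administrators: adding BUILTIN\\Administrators to token\n"));` inside the `nt_token_check_sid` branch would give operators an audit trail for the elevation. On a domain member the early `return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;` runs for every user, not just admins, so it is worth confirming in the caller (outside this hunk) that an unreadable domain SID should abort token creation entirely. Separately, the `ctx` parameter is unused in the visible body because the array is allocated on `token`, which deserves a one-line comment if intentional, and the comment above the check should read `/* Add Administrators if the user belongs to Domain Admins */`.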