Fix bug #9100 - winbind doesn't return "Domain Local" groups from own domain.
author Goldberg, Neil R <ngoldber@mitre.org>
Fri, 17 Aug 2012 20:52:07 +0000 (13:52 -0700)
committer Karolin Seeger <kseeger@samba.org>
Thu, 23 Aug 2012 18:26:01 +0000 (20:26 +0200)
Back-port of fix for 3.6.x from bug #9052.

source3/auth/auth_util.c
source3/include/proto.h
source3/lib/util_sid.c
source3/winbindd/winbindd_pam.c
source3/winbindd/winbindd_util.c

index 69d5c652948dbb4d32c9622416177607e11512f8..42e27478d4610383282bce911720cf9861bf3a87 100644 (file)
@@ -1826,7 +1826,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
        nt_status = sid_array_from_info3(result, info3,
                                         &result->sids,
                                         &result->num_sids,
-                                        false, false);
+                                        false);
        if (!NT_STATUS_IS_OK(nt_status)) {
                TALLOC_FREE(result);
                return nt_status;
index 559a34ebb57e4e8733eca9e59f5e904830a8a1b7..785cc30387729dd88c30d55a8abda16a3e6b6284 100644 (file)
@@ -1361,8 +1361,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                              const struct netr_SamInfo3 *info3,
                              DOM_SID **user_sids,
                              size_t *num_user_sids,
-                             bool include_user_group_rid,
-                             bool skip_ressource_groups);
+                             bool include_user_group_rid);
 
 /* The following definitions come from lib/util_sock.c  */
 
index bea04d8c6ee60117d940cb002aa4f2d988764c66..f918eba7deb7fc63b2aa17b8efea1d7423ed3271 100644 (file)
@@ -684,8 +684,7 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                              const struct netr_SamInfo3 *info3,
                              DOM_SID **user_sids,
                              size_t *num_user_sids,
-                             bool include_user_group_rid,
-                             bool skip_ressource_groups)
+                             bool include_user_group_rid)
 {
        NTSTATUS status;
        DOM_SID sid;
@@ -738,19 +737,14 @@ NTSTATUS sid_array_from_info3(TALLOC_CTX *mem_ctx,
                }
        }
 
-       /* Copy 'other' sids.  We need to do sid filtering here to
-          prevent possible elevation of privileges.  See:
-
-           http://www.microsoft.com/windows2000/techinfo/administration/security/sidfilter.asp
-         */
+       /* SID filtering should only be handled by the domain controller on a
+          trust by trust basis, and is counter-indicated for forests. Since
+          native AD return all Domain Local groups as other SIDs, then this
+          must not filter them when parsing INFO3 responses such that the
+          list is identical to the tokenGroups LDAP query.
+        */
 
        for (i = 0; i < info3->sidcount; i++) {
-
-               if (skip_ressource_groups &&
-                   (info3->sids[i].attributes & SE_GROUP_RESOURCE)) {
-                       continue;
-               }
-
                status = add_sid_to_array(mem_ctx, info3->sids[i].sid,
                                      &sid_array, &num_sids);
                if (!NT_STATUS_IS_OK(status)) {
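Review bot: The replacement comment in the second hunk explains why resource groups are no longer skipped, but the function's contract is not stated anywhere near the signature changed in the first hunk: every caller of `sid_array_from_info3` now receives each entry of `info3->sids` verbatim, Domain Local (SE_GROUP_RESOURCE) groups included, with nothing in this function deciding which of them are trustworthy. A short comment above the signature would make that explicit, for example `/* Appends every SID in info3->sids unfiltered; callers must not rely on this function to drop resource groups or foreign-domain SIDs. */`. The loop appends with `add_sid_to_array` rather than a de-duplicating variant, so callers that later merge alias lookups may want that noted too, though whether any do is not visible here. Minor wording in the new comment: `native AD return all Domain Local groups` should read `native AD returns all Domain Local groups`. The body of sid_array_from_info3 continues outside the hunk.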
index 4cc181a7eaf56b2a2a590c56de2d8eda37d3df7b..59a95b02f108ef012e0a9f09523b8b90510622a8 100644 (file)
@@ -298,7 +298,7 @@ NTSTATUS check_info3_in_group(struct netr_SamInfo3 *info3,
        status = sid_array_from_info3(talloc_tos(), info3,
                                      &token->user_sids,
                                      &token->num_sids,
-                                     true, false);
+                                     true);
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(frame);
                return status;
index 15a357519a2930db6fee1508b7c54d5ba78fef3b..f4e2f5668a1d0d92aca3a1a5ff5a26e1badb613c 100644 (file)
@@ -1166,12 +1166,18 @@ NTSTATUS lookup_usergroups_cached(struct winbindd_domain *domain,
                return NT_STATUS_UNSUCCESSFUL;
        }
 
-       /* Skip Domain local groups outside our domain.
-          We'll get these from the getsidaliases() RPC call. */
+       /*
+        * Before bug #7843 the "Domain Local" groups were added with a
+        * lookupuseraliases call, but this isn't done anymore for our domain
+        * so we need to resolve resource groups here.
+        *
+        * When to use Resource Groups:
+        * http://technet.microsoft.com/en-us/library/cc753670%28v=WS.10%29.aspx
+       */
        status = sid_array_from_info3(mem_ctx, info3,
                                      user_sids,
                                      &num_groups,
-                                     false, true);
+                                     false);
 
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(info3);
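Review bot: The old comment documented that Domain Local groups from other domains were deliberately excluded here and obtained via getsidaliases(), while the new comment only says the alias lookup is no longer done "for our domain"; if that lookup still runs for foreign domains, `user_sids` could now carry a foreign resource-group SID twice, since the call site now passes `false` and the callee appends with the non-unique `add_sid_to_array` (visible in the util_sid.c hunk). Stating in the comment whether the returned array is expected to be duplicate-free, or why duplicates cannot arise, would close that question; this is inferred from the comments, not from code visible in the hunk. As a point of style, the closing `*/` of the new comment is indented one column short of the `*` lines above it, so `        */` would align it with the block. The body of lookup_usergroups_cached continues outside the hunk.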