s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token
authorAndreas Schneider <asn@samba.org>
Thu, 30 Nov 2023 09:54:07 +0000 (10:54 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 1 Dec 2023 08:06:44 +0000 (08:06 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  1 08:06:44 UTC 2023 on atb-devel-224

selftest/knownfail.d/forceuser_trusteddomains [deleted file]
source3/auth/auth_util.c

diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
deleted file mode 100644 (file)
index b515400..0000000
+++ /dev/null
@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
index c863f34e5b91c043c2f4f6922ed9fa218589eb65..abc5e959aabc41ed5c41b6be42193b01503470a2 100644 (file)
@@ -21,6 +21,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include "dom_sid.h"
 #include "includes.h"
 #include "auth.h"
 #include "lib/util_unixsids.h"
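Review bot: The new `#include "dom_sid.h"` is placed ahead of `includes.h`, whereas every other include in this file follows `includes.h`; in Samba sources `includes.h` is conventionally first because it brings in the generated build configuration, so a header pulled in before it may be compiled with different feature macros than the rest of the translation unit. Moving the new line below `includes.h`, for example right after `#include "lib/util_unixsids.h"`, keeps the order consistent with the existing includes. It is also possible that `dom_sid.h` is already reachable through `auth.h` or `lib/util_unixsids.h` (the `global_sid_Unix_*` symbols were usable elsewhere in this file without it), in which case the extra include may not be needed at all — that cannot be confirmed from the visible lines.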
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
        struct dom_sid tmp_sid;
        struct auth_session_info *session_info = NULL;
        struct unixid *ids;
+       bool is_allowed = false;
 
        /* Ensure we can't possible take a code path leading to a
         * null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
                return NT_STATUS_LOGON_FAILURE;
        }
 
-       if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+       if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+               is_allowed = true;
+       }
+
+       /* Check if we have extra info about the user. */
+       if (dom_sid_in_domain(&global_sid_Unix_Users,
+                             &server_info->extra.user_sid) ||
+           dom_sid_in_domain(&global_sid_Unix_Groups,
+                             &server_info->extra.pgid_sid))
+       {
+               is_allowed = true;
+       }
+
+       if (!is_allowed) {
                DBG_NOTICE("Authentication failed for user [%s] "
                           "from firewalled domain [%s]\n",
                           server_info->info3->base.account_name.string,
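Review bot: The two `dom_sid_in_domain` checks are OR'd, so a primary-group SID under S-1-22-2 on its own is enough to skip the firewalled-domain restriction even when `extra.user_sid` does not belong to "Unix Users"; if `extra.pgid_sid` can ever be populated for an account whose user SID comes from a real (possibly firewalled) domain, that account would pass `is_allowed` on the group half alone. If both halves are meant to describe the same locally-mapped-account case, consider requiring the user-SID condition and treating the group check as supplementary, or document why the OR is intended; I cannot tell from the hunk which of the two the test cases expect. Either way the block deserves a why-comment, since nothing here records why a locally synthesised SID is safe to exempt, e.g. `/* SIDs under S-1-22-x are synthesised locally from a uid/gid and carry no domain, so the allowed-domain restriction does not apply to them. */`. The first test could also be written as `is_allowed = is_allowed_domain(server_info->info3->base.logon_domain.string);` rather than a conditional assignment. create_local_token continues outside the hunk.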