s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID
authorStefan Metzmacher <metze@samba.org>
Thu, 6 Mar 2025 10:08:37 +0000 (11:08 +0100)
committerStefan Metzmacher <metze@samba.org>
Thu, 6 Mar 2025 17:35:50 +0000 (17:35 +0000)
We do that unless the Other Organization SID is already there.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Mar  6 17:35:50 UTC 2025 on atb-devel-224

selftest/knownfail.d/samba4.tokengroups [deleted file]
source4/auth/session.c

diff --git a/selftest/knownfail.d/samba4.tokengroups b/selftest/knownfail.d/samba4.tokengroups
deleted file mode 100644 (file)
index 2aecef2..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.tokengroups.*.test_dn_tokenGroups
index 806f6eab03fc285668f0b3f68c3279133452d67e..987bf4c68dda3f478055f8794b8aab082c7aba5e 100644 (file)
@@ -66,6 +66,8 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
        uint32_t num_sids = 0;
        uint32_t i;
        const char *filter = NULL;
+       bool has_other_organization = false;
+       bool add_this_organization = false;
 
        sids = talloc_array(mem_ctx,
                            struct auth_SidAttr,
@@ -80,6 +82,21 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
 
        for (i=0; i < user_info_dc->num_sids; i++) {
                sids[i] = user_info_dc->sids[i];
+
+               if (!has_other_organization &&
+                   dom_sid_equal(&sids[i].sid, &global_sid_Other_Organization))
+               {
+                       has_other_organization = true;
+                       continue;
+               }
+
+               if (dom_sid_equal(&sids[i].sid, &global_sid_This_Organization)) {
+                       /*
+                        * The caller should not pass this
+                        */
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
        }
 
        /*
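Review bot: The new `return NT_STATUS_INTERNAL_ERROR;` inside the copy loop fails the whole SID expansion without logging anything, so a failed session setup cannot be traced back to a caller that passed This Organization. A log line before `TALLOC_FREE(frame);` would make it diagnosable, e.g. `DBG_ERR("user_info_dc already contains This Organization\n");`. The comment "The caller should not pass this" could also give the reason, which appears to be that this function appends the SID itself further down. The function body starts and ends outside this hunk.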
@@ -126,6 +143,27 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
                        .attrs = SE_GROUP_DEFAULT_FLAGS,
                };
                num_sids++;
+
+               if (!has_other_organization) {
+                       add_this_organization = true;
+               }
+       }
+
+       if (add_this_organization) {
+               sids = talloc_realloc(frame,
+                                     sids,
+                                     struct auth_SidAttr,
+                                     num_sids + 1);
+               if (sids == NULL) {
+                       TALLOC_FREE(frame);
+                       return NT_STATUS_NO_MEMORY;
+               }
+
+               sids[num_sids] = (struct auth_SidAttr) {
+                       .sid = global_sid_This_Organization,
+                       .attrs = SE_GROUP_DEFAULT_FLAGS,
+               };
+               num_sids++;
        }
 
        if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
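Review bot: Nothing at `if (!has_other_organization)` explains why This Organization depends on both the enclosing block and the absence of Other Organization, although this rule decides which SIDs end up in the security token. A short comment would help, e.g. `/* Only add This Organization when the caller did not already pass Other Organization */`. Separately, the new `talloc_realloc()` names `frame`, while the earlier hunk shows the array created with `talloc_array(mem_ctx, ...)`. talloc ignores the context argument when the pointer is non-NULL, so this works, but `mem_ctx` would be more consistent unless the surrounding code outside the hunk already uses `frame`. The enclosing block opens before this hunk, so its condition is not visible here.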