s3: Don't fail authentication when one or some group of require-membership-of is...

Signed-off-by: Bo Yang <boyang@samba.org>
Fix bug #6826.

diff --git a/source/nsswitch/pam_winbind.c b/source/nsswitch/pam_winbind.c
index 0dcd084f33a324883945b877e7def2a498a5bd5e..3d0c5ef90e577f72c612e968b8db1c2e1ce8b427 100644 (file)
--- a/source/nsswitch/pam_winbind.c
+++ b/source/nsswitch/pam_winbind.c
@@ -1053,7 +1053,23 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
                                                current_name,
                                                sid_list_buffer,
                                                sid_list_buffer_size)) {
-                       goto out;
+                       /*
+                        * If one group name failed, we must not fail
+                        * the authentication totally, continue with
+                        * the following group names. If user belongs to
+                        * one of the valid groups, we must allow it
+                        * login. -- BoYang
+                        */
+
+                       _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+                                "check if group %s is valid group.", current_name,
+                                current_name);
+                       _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+                                       "to sid, please contact your administrator to see "
+                                       "if group %s is valid."), current_name, current_name);
+                       SAFE_FREE(current_name);
+                       search_location = comma + 1;
+                       continue;
                }
 
                SAFE_FREE(current_name);
@@ -1069,7 +1085,12 @@ static bool winbind_name_list_to_sid_string_list(struct pwb_context *ctx,
        if (!winbind_name_to_sid_string(ctx, user, search_location,
                                        sid_list_buffer,
                                        sid_list_buffer_size)) {
-               goto out;
+               _pam_log(ctx, LOG_INFO, "cannot convert group %s to sid, "
+                        "check if group %s is valid group.", search_location,
+                        search_location);
+               _make_remark_format(ctx, PAM_TEXT_INFO, _("Cannot convert group %s "
+                               "to sid, please contact your administrator to see "
+                               "if group %s is valid."), search_location, search_location);
        }
 
        result = true;