CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping()
authorStefan Metzmacher <metze@samba.org>
Mon, 4 Oct 2021 16:03:55 +0000 (18:03 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
We always require a running winbindd on a domain member, so
we should rather fail the request than silently alter the
behaviour, which would result in a different unix token just
because winbindd might be restarted.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/auth/auth_util.c

index d81313a0495e1c7f5d5e17f0fc88bef34f4a6afc..065b525500f96168d964b382cd1be42488c3ba2d 100644 (file)
@@ -576,13 +576,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
        }
 
        /*
-        * If winbind is not around, we can not make much use of the SIDs the
-        * domain controller provided us with. Likewise if the user name was
-        * mapped to some local unix user.
+        * If the user name was mapped to some local unix user,
+        * we can not make much use of the SIDs the
+        * domain controller provided us with.
         */
-
-       if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
-           (server_info->nss_token)) {
+       if (server_info->nss_token) {
                char *found_username = NULL;
                status = create_token_from_username(session_info,
                                                    server_info->unix_name,
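Review bot: The rewritten comment at the top of the hunk no longer says why a domain member without a reachable winbindd is not handled here, so a later reader may be tempted to reintroduce the `winbind_ping()` fallback this commit removes. I would extend the comment with a line such as `A domain member always requires a running winbindd; if it is unreachable the request is expected to fail further down rather than fall back to a token built from the local unix user.` — on the assumption, which this hunk does not show, that the non-nss_token path does surface that failure. The body of create_local_token begins before this hunk and continues past its last line.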