From: Stefan Metzmacher
Date: Thu, 6 Mar 2025 10:08:37 +0000 (+0100)
Subject: s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID
X-Git-Tag: tevent-0.17.0~585
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d7ea9cfb609bf9fe358279736b6a8d4d616218f;p=thirdparty%2Fsamba.git

s4:auth: let auth_user_info_dc_expand_sids() add This Organization SID

We do that unless the Other Organization SID is already there.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Ralph Boehme

Autobuild-User(master): Stefan Metzmacher
Autobuild-Date(master): Thu Mar 6 17:35:50 UTC 2025 on atb-devel-224
---
diff --git a/selftest/knownfail.d/samba4.tokengroups b/selftest/knownfail.d/samba4.tokengroups
deleted file mode 100644
index 2aecef243e3..00000000000
--- a/selftest/knownfail.d/samba4.tokengroups
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.tokengroups.*.test_dn_tokenGroups
diff --git a/source4/auth/session.c b/source4/auth/session.c
index 806f6eab03f..987bf4c68dd 100644
--- a/source4/auth/session.c
+++ b/source4/auth/session.c
@@ -66,6 +66,8 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
 uint32_t num_sids = 0;
 uint32_t i;
 const char *filter = NULL;
+ bool has_other_organization = false;
+ bool add_this_organization = false;
 
 sids = talloc_array(mem_ctx,
 struct auth_SidAttr,
@@ -80,6 +82,21 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
 for (i=0; i < user_info_dc->num_sids; i++) {
 sids[i] = user_info_dc->sids[i];
+
+ if (!has_other_organization &&
+ dom_sid_equal(&sids[i].sid, &global_sid_Other_Organization))
+ {
+ has_other_organization = true;
+ continue;
+ }
+
+ if (dom_sid_equal(&sids[i].sid, &global_sid_This_Organization)) {
+ /*
+ * The caller should not pass this
+ */
+ TALLOC_FREE(frame);
+ return NT_STATUS_INTERNAL_ERROR;
+ }
 }
 
 /*
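Review bot: The `/* The caller should not pass this */` comment in the @@ -80 hunk does not say why a This Organization SID in `user_info_dc->sids` is an internal error rather than a caller-supplied condition, and the fact that the function now owns that SID is the whole reason for the check; I would expand it to `/* S-1-5-15 (This Organization) is computed below from the presence or absence of Other Organization, so a caller that already supplies it has built an inconsistent token. */`. Whether every caller guarantees that depends on where `user_info_dc->sids` comes from: if any path feeds SIDs from a PAC issued by a trusted domain into this function without first filtering S-1-5-15, a remote-supplied SID would turn into an `NT_STATUS_INTERNAL_ERROR` authentication failure, which is worth confirming against the callers since none of them is in this hunk. Note also that the loop stops scanning for Other Organization after the first match because of the `!has_other_organization &&` short-circuit, so a duplicate Other Organization entry is simply copied through, which looks intentional. The enclosing function continues beyond this hunk.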
@@ -126,6 +143,27 @@ static NTSTATUS auth_user_info_dc_expand_sids(TALLOC_CTX *mem_ctx,
 .attrs = SE_GROUP_DEFAULT_FLAGS,
 };
 num_sids++;
+
+ if (!has_other_organization) {
+ add_this_organization = true;
+ }
+ }
+
+ if (add_this_organization) {
+ sids = talloc_realloc(frame,
+ sids,
+ struct auth_SidAttr,
+ num_sids + 1);
+ if (sids == NULL) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ sids[num_sids] = (struct auth_SidAttr) {
+ .sid = global_sid_This_Organization,
+ .attrs = SE_GROUP_DEFAULT_FLAGS,
+ };
+ num_sids++;
 }
 
 if (session_info_flags & AUTH_SESSION_INFO_NTLM) {
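Review bot: `talloc_realloc(frame, sids, struct auth_SidAttr, num_sids + 1)` names `frame` as the context although the earlier hunk shows `sids` being allocated on `mem_ctx`; as far as I recall talloc's contract the context argument is only consulted when the pointer is NULL, so the array stays parented to `mem_ctx` and behaviour is fine, but the call reads as if the result lived on the stackframe and were freed by the `TALLOC_FREE(frame)` error paths. Passing `mem_ctx` here, or a one-line comment such as `/* ctx is ignored for a non-NULL ptr; sids stays on mem_ctx */`, would keep a later reader from "fixing" the ownership the wrong way; if the surrounding code already uses `frame` in the same pattern, matching it with that comment is enough. On the failure path `sids` has been overwritten with NULL, so the original array is only reclaimed when `mem_ctx` goes away, which is presumably acceptable for an out-of-memory exit. The `if` block in which `add_this_organization` is set starts outside this hunk, so the condition that gates adding This Organization (and that it only applies to the token variant being built there) cannot be checked from the hunk alone.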