From 00034d022896f879bf91bb78eb9e2972162c99ce Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Thu, 30 Nov 2023 10:54:07 +0100
Subject: [PATCH] s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469

Signed-off-by: Andreas Schneider
Reviewed-by: Ralph Boehme

Autobuild-User(master): Andreas Schneider
Autobuild-Date(master): Fri Dec 1 08:06:44 UTC 2023 on atb-devel-224
---
 selftest/knownfail.d/forceuser_trusteddomains | 2 --
 source3/auth/auth_util.c | 17 ++++++++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
 delete mode 100644 selftest/knownfail.d/forceuser_trusteddomains

diff --git a/selftest/knownfail.d/forceuser_trusteddomains b/selftest/knownfail.d/forceuser_trusteddomains
deleted file mode 100644
index b515400cd90..00000000000
--- a/selftest/knownfail.d/forceuser_trusteddomains
+++ /dev/null
@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index c863f34e5b9..abc5e959aab 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -21,6 +21,7 @@
 along with this program. If not, see .
 */
+#include "dom_sid.h"
 #include "includes.h"
 #include "auth.h"
 #include "lib/util_unixsids.h"
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 struct dom_sid tmp_sid;
 struct auth_session_info *session_info = NULL;
 struct unixid *ids;
+ bool is_allowed = false;
 /* Ensure we can't possible take a code path leading to a
 * null deref. */
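Review bot: The new `#include "dom_sid.h"` is placed above `#include "includes.h"`, but in source3 files `includes.h` is conventionally the first include because it brings in the build configuration and replace headers that later system headers depend on; if dom_sid.h pulls in system headers itself, feature macros may be defined too late for them. I would move the new line below `#include "auth.h"` so the preamble keeps `includes.h` first, or drop it if `includes.h` already provides `dom_sid_in_domain()` and the `global_sid_Unix_*` constants used in the next hunk (presumably declared in the dom_sid header; worth confirming). This hunk is the file's include preamble, not part of a function.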
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 return NT_STATUS_LOGON_FAILURE;
 }
- if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+ is_allowed = true;
+ }
+
+ /* Check if we have extra info about the user. */
+ if (dom_sid_in_domain(&global_sid_Unix_Users,
+ &server_info->extra.user_sid) ||
+ dom_sid_in_domain(&global_sid_Unix_Groups,
+ &server_info->extra.pgid_sid))
+ {
+ is_allowed = true;
+ }
+
+ if (!is_allowed) {
 DBG_NOTICE("Authentication failed for user [%s] "
 "from firewalled domain [%s]\n",
 server_info->info3->base.account_name.string,
--
2.47.3
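Review bot: The new bypass joins the two `dom_sid_in_domain()` tests with `||`, so a primary group SID inside Unix Groups (S-1-22-2) on its own is enough to let an account whose user SID is not a Unix user and whose logon domain `is_allowed_domain()` rejects past the domain firewall; if that is the intended policy the comment should say so, otherwise the group test should either be dropped or combined with the user test using `&&`. The added comment `/* Check if we have extra info about the user. */` does not explain why the firewall is skipped; I would write `/* Local Unix users/groups (S-1-22-x SIDs) belong to no trusted domain, so the 'allowed domains' firewall does not apply to them. */`. The new code also relies on `extra.user_sid` and `extra.pgid_sid` being zeroed (and therefore outside both well-known domains) whenever no Unix mapping was attached to server_info — presumably true, but worth confirming, since otherwise a stale SID would widen the bypass. create_local_token() starts before and continues after this hunk.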