>From 1b37299213a518c572df95833befb84f430c1011 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sat, 22 Mar 2014 21:23:48 -0700
Subject: [PATCH] s3: smbd: Factor out code that calls getgroups_unix_user()
 into a separate function.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This code needs to special-case the guest user, as
this token has the token_sid[0] set to the Guest
SID, not the mapping of UNIX uid -> SID.

Other users that may have a well-known SID
set in token_sid[0] (like SYSTEM) are usually
not mappable to UNIX users to can be ignored
when adding local groups from /etc/group.

Found by Günter Kukkukk <linux@kukkukk.com>.

Second part of the bugfix for:

https://bugzilla.samba.org/show_bug.cgi?id=10508

Signed-off-by: Jeremy Allison <jra@samba.org>
---
 source3/auth/token_util.c |  142 +++++++++++++++++++++++++++++----------------
 1 file changed, 91 insertions(+), 51 deletions(-)

diff --git a/source3/auth/token_util.c b/source3/auth/token_util.c
index bccf1db..5c469ae 100644
--- a/source3/auth/token_util.c
+++ b/source3/auth/token_util.c
@@ -389,72 +389,112 @@ struct security_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	return result;
 }
 
-static NTSTATUS finalize_local_nt_token(struct security_token *result,
-					bool is_guest)
+/***************************************************
+ Merge in any groups from /etc/group.
+***************************************************/
+
+static NTSTATUS add_local_groups(struct security_token *result,
+				 bool is_guest)
 {
-	struct dom_sid dom_sid;
-	gid_t gid;
-	uid_t uid;
-	NTSTATUS status;
+	gid_t *gids = NULL;
+	uint32_t getgroups_num_group_sids = 0;
+	struct passwd *pass = NULL;
+	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+	int i;
 
-	/* result->sids[0] is always the user sid. */
-	if (sid_to_uid(&result->sids[0], &uid)) {
+	if (is_guest) {
 		/*
-		 * Now we must get any groups this user has been
-		 * added to in /etc/group and merge them in.
-		 * This has to be done in every code path
-		 * that creates an NT token, as remote users
-		 * may have been added to the local /etc/group
-		 * database. Tokens created merely from the
-		 * info3 structs (via the DC or via the krb5 PAC)
-		 * won't have these local groups. Note the
-		 * groups added here will only be UNIX groups
-		 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
-		 * turns off winbindd before calling getgroups().
-		 *
-		 * NB. This is duplicating work already
-		 * done in the 'unix_user:' case of
-		 * create_token_from_sid() but won't
-		 * do anything other than be inefficient
-		 * in that case.
+		 * Guest is a special case. It's always
+		 * a user that can be looked up, but
+		 * result->sids[0] is set to DOMAIN\Guest.
+		 * Lookup by account name instead.
 		 */
-		struct passwd *pass = NULL;
-		gid_t *gids = NULL;
-		uint32_t getgroups_num_group_sids = 0;
-		int i;
-		TALLOC_CTX *tmp_ctx = talloc_stackframe();
+		pass = Get_Pwnam_alloc(tmp_ctx, lp_guest_account());
+	} else {
+		uid_t uid;
+
+		/* For non-guest result->sids[0] is always the user sid. */
+		if (!sid_to_uid(&result->sids[0], &uid)) {
+			/*
+			 * Non-mappable SID like SYSTEM.
+			 * Can't be in any /etc/group groups.
+			 */
+			TALLOC_FREE(tmp_ctx);
+			return NT_STATUS_UNSUCCESSFUL;
+		}
 
 		pass = getpwuid_alloc(tmp_ctx, uid);
 		if (pass == NULL) {
 			DEBUG(1, ("getpwuid(%u) failed\n",
 				(unsigned int)uid));
-			TALLOC_FREE(tmp_ctx);
-			return NT_STATUS_UNSUCCESSFUL;
 		}
+	}
 
-		if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
-				&gids, &getgroups_num_group_sids)) {
-			DEBUG(1, ("getgroups_unix_user for user %s failed\n",
-				pass->pw_name));
+	if (!pass) {
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	/*
+	 * Now we must get any groups this user has been
+	 * added to in /etc/group and merge them in.
+	 * This has to be done in every code path
+	 * that creates an NT token, as remote users
+	 * may have been added to the local /etc/group
+	 * database. Tokens created merely from the
+	 * info3 structs (via the DC or via the krb5 PAC)
+	 * won't have these local groups. Note the
+	 * groups added here will only be UNIX groups
+	 * (S-1-22-2-XXXX groups) as getgroups_unix_user()
+	 * turns off winbindd before calling getgroups().
+	 *
+	 * NB. This is duplicating work already
+	 * done in the 'unix_user:' case of
+	 * create_token_from_sid() but won't
+	 * do anything other than be inefficient
+	 * in that case.
+	 */
+
+	if (!getgroups_unix_user(tmp_ctx, pass->pw_name, pass->pw_gid,
+			&gids, &getgroups_num_group_sids)) {
+		DEBUG(1, ("getgroups_unix_user for user %s failed\n",
+			pass->pw_name));
+		TALLOC_FREE(tmp_ctx);
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
+	for (i=0; i<getgroups_num_group_sids; i++) {
+		NTSTATUS status;
+		struct dom_sid grp_sid;
+		gid_to_sid(&grp_sid, gids[i]);
+
+		status = add_sid_to_array_unique(result,
+					 &grp_sid,
+					 &result->sids,
+					 &result->num_sids);
+		if (!NT_STATUS_IS_OK(status)) {
+			DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
 			TALLOC_FREE(tmp_ctx);
-			return NT_STATUS_UNSUCCESSFUL;
+			return status;
 		}
+	}
+	TALLOC_FREE(tmp_ctx);
+	return NT_STATUS_OK;
+}
 
-		for (i=0; i<getgroups_num_group_sids; i++) {
-			struct dom_sid grp_sid;
-			gid_to_sid(&grp_sid, gids[i]);
 
-			status = add_sid_to_array_unique(result,
-						 &grp_sid,
-						 &result->sids,
-						 &result->num_sids);
-			if (!NT_STATUS_IS_OK(status)) {
-				DEBUG(3, ("Failed to add UNIX SID to nt token\n"));
-				TALLOC_FREE(tmp_ctx);
-				return status;
-			}
-		}
-		TALLOC_FREE(tmp_ctx);
+static NTSTATUS finalize_local_nt_token(struct security_token *result,
+					bool is_guest)
+{
+	struct dom_sid dom_sid;
+	gid_t gid;
+	NTSTATUS status;
+
+	/* Add any local groups. */
+
+	status = add_local_groups(result, is_guest);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
 	}
 
 	/* Add in BUILTIN sids */
-- 
1.7.9.5