s3:auth: Allow 'Unix Users' and 'Unix Groups' to create a local token

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15469

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Dec  1 08:06:44 UTC 2023 on atb-devel-224

selftest/knownfail.d/forceuser_trusteddomains

@@ -1,2 +0,0 @@
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_unixonly.as.user.simpleserver
-samba3.blackbox.smbclient_auth.plain.local_creds.smbclient...LOCALSHARE4.forceuser_wkngroup.as.user.simpleserver

source3/auth/auth_util.c

@@ -21,6 +21,7 @@
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
+#include "dom_sid.h"
 #include "includes.h"
 #include "auth.h"
 #include "lib/util_unixsids.h"
@@ -478,6 +479,7 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 	struct dom_sid tmp_sid;
 	struct auth_session_info *session_info = NULL;
 	struct unixid *ids;
+	bool is_allowed = false;
 
 	/* Ensure we can't possible take a code path leading to a
 	 * null deref. */
@@ -485,7 +487,20 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_LOGON_FAILURE;
 	}
 
-	if (!is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+	if (is_allowed_domain(server_info->info3->base.logon_domain.string)) {
+		is_allowed = true;
+	}
+
+	/* Check if we have extra info about the user. */
+	if (dom_sid_in_domain(&global_sid_Unix_Users,
+			      &server_info->extra.user_sid) ||
+	    dom_sid_in_domain(&global_sid_Unix_Groups,
+			      &server_info->extra.pgid_sid))
+	{
+		is_allowed = true;
+	}
+
+	if (!is_allowed) {
 		DBG_NOTICE("Authentication failed for user [%s] "
 			   "from firewalled domain [%s]\n",
 			   server_info->info3->base.account_name.string,