From 2cf62e85e5fec7e977779587ab6ae051fad009aa Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 31 Oct 2019 17:56:56 +0100
Subject: [PATCH] smbdotconf: mark "force group" with substitution="1"

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 docs-xml/smbdotconf/security/forcegroup.xml | 1 +
 source3/smbd/service.c                      | 8 ++++++--
 source3/smbd/uid.c                          | 4 +++-
 3 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/docs-xml/smbdotconf/security/forcegroup.xml b/docs-xml/smbdotconf/security/forcegroup.xml
index d101f1c1b86..646f5505981 100644
--- a/docs-xml/smbdotconf/security/forcegroup.xml
+++ b/docs-xml/smbdotconf/security/forcegroup.xml
@@ -1,6 +1,7 @@
 <samba:parameter name="force group"
                  context="S"
                  type="string"
+                 substitution="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <synonym>group</synonym>
 <description>
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 196d757ea71..a75c85fef63 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -270,13 +270,15 @@ static NTSTATUS find_forced_group(bool force_user,
 {
 	NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
 	TALLOC_CTX *frame = talloc_stackframe();
+	const struct loadparm_substitution *lp_sub =
+		loadparm_s3_global_substitution();
 	struct dom_sid group_sid;
 	enum lsa_SidType type;
 	char *groupname;
 	bool user_must_be_member = False;
 	gid_t gid;
 
-	groupname = lp_force_group(talloc_tos(), snum);
+	groupname = lp_force_group(talloc_tos(), lp_sub, snum);
 	if (groupname == NULL) {
 		DEBUG(1, ("talloc_strdup failed\n"));
 		result = NT_STATUS_NO_MEMORY;
@@ -405,6 +407,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
 
 NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 {
+	const struct loadparm_substitution *lp_sub =
+		loadparm_s3_global_substitution();
 	NTSTATUS status;
 
 	if (*lp_force_user(talloc_tos(), snum)) {
@@ -457,7 +461,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 	 * any groupid stored for the connecting user.
 	 */
 
-	if (*lp_force_group(talloc_tos(), snum)) {
+	if (*lp_force_group(talloc_tos(), lp_sub, snum)) {
 
 		status = find_forced_group(
 			conn->force_user, snum, conn->session_info->unix_info->unix_name,
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 304d3f818f7..afe7614096f 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -308,6 +308,8 @@ static bool change_to_user_impersonate(connection_struct *conn,
 				       const struct auth_session_info *session_info,
 				       uint64_t vuid)
 {
+	const struct loadparm_substitution *lp_sub =
+		loadparm_s3_global_substitution();
 	int snum;
 	gid_t gid;
 	uid_t uid;
@@ -350,7 +352,7 @@ static bool change_to_user_impersonate(connection_struct *conn,
 	 * See if we should force group for this service. If so this overrides
 	 * any group set in the force user code.
 	 */
-	force_group_name = lp_force_group(talloc_tos(), snum);
+	force_group_name = lp_force_group(talloc_tos(), lp_sub, snum);
 	group_c = *force_group_name;
 
 	if ((group_c != '\0') && (conn->force_group_gid == (gid_t)-1)) {