Added some extra fields to the auth_serversupplied_info structure.

To obtain the full group membership of a user (i.e nested groups on a
win2k native mode server) it is necessary to merge this list of groups
with the groups returned by winbindd when creating an nt access token.

This breaks winbindd linking while AB and I sync up our changes to the
authentication subsystem.
(This used to be commit 4eeb7bcd78)

source3/auth/auth.c

@@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	auth_serversupplied_info server_info;
 	AUTH_STR ourdomain, theirdomain, unix_username, smb_username, 
                 wksta_name;
+        NTSTATUS result;
 		
 	ZERO_STRUCT(user_info);
 	ZERO_STRUCT(ourdomain);
@@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 
 	}
 
-	return check_password(&user_info, &server_info);
+	result = check_password(&user_info, &server_info);
+
+        free_serversupplied_info(&server_info); /* No info needed */
+
+        return result;
 }
 
 NTSTATUS pass_check_smb(char *smb_user, char *unix_user, 
@@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
 
 	return False;
 }
+
+/* Free a auth_serversupplied_info structure */
+
+void free_serversupplied_info(auth_serversupplied_info *server_info)
+{
+        SAFE_FREE(server_info->group_rids);
+}

source3/include/auth.h

@@ -90,6 +90,11 @@ typedef struct serversupplied_info
 	/* This groups info is needed for when we become_user() for this uid */
 	int n_groups;
 	gid_t *groups;
+
+        /* NT group information taken from the info3 structure */
+
+        int n_rids;
+        uint32 *group_rids;
 	
 	uchar session_key[16];
 	

source3/libsmb/domain_client_validate.c

@@ -326,6 +326,7 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 
 	status = cli_nt_login_network(&cli, user_info, smb_uid_low, 
 				      &ctr, &info3);
+
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(0,("domain_client_validate: unable to validate password "
                          "for user %s in domain %s to Domain controller %s. "
@@ -335,8 +336,28 @@ NTSTATUS domain_client_validate(const auth_usersupplied_info *user_info,
 	}
 
 	/*
-	 * Here, if we really want it, we have lots of info about the user in info3.
-	 */
+	 * Here, if we really want it, we have lots of info about the user
+	 * in info3.  
+         */
+
+        /* Store the user group information in the server_info returned to
+           the caller. */
+
+        if ((server_info->group_rids = malloc(info3.num_groups2 *
+                                        sizeof(uint32))) == NULL) {
+                DEBUG(1, ("out of memory allocating rid group membership\n"));
+                status = NT_STATUS_NO_MEMORY;
+        } else {
+                int i;
+
+                server_info->n_rids = info3.num_groups2;
+                
+                for (i = 0; i < server_info->n_rids; i++) {
+                        server_info->group_rids[i] = info3.gids[i].g_rid;
+                        DEBUG(5, ("** adding group rid 0x%x\n",
+                                  info3.gids[i].g_rid));
+                }
+        }
 
 #if 0
 	/* 

source3/nsswitch/winbindd_group.c

@@ -107,7 +107,9 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
 		DEBUG(10, ("fill_grent_mem(): processing name %s\n", 
                            the_name));
 
-		/* Only add domain users */
+		/* FIXME: need to cope with groups within groups.  These
+                   occur in Universal groups on a Windows 2000 native mode
+                   server. */
 
 		if (name_types[i] != SID_NAME_USER) {
 			DEBUG(3, ("fill_grent_mem(): name %s isn't a domain "

source3/nsswitch/winbindd_pam.c

@@ -141,6 +141,8 @@ enum winbindd_result winbindd_pam_auth(struct winbindd_cli_state *state)
                                         auth_dc, trust_passwd, 
                                         last_change_time);
 
+        free_serversupplied_info(&server_info); /* No info needed */
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
 
@@ -218,6 +220,8 @@ enum winbindd_result winbindd_pam_auth_crap(struct winbindd_cli_state *state)
                                         auth_dc, trust_passwd,
                                         last_change_time);
 
+        free_serversupplied_info(&server_info); /* No info needed */        
+
 	return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
 }
 

source3/nsswitch/winbindd_util.c

@@ -344,6 +344,9 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
         NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
         uint32 i, total_names = 0;
 
+        /* Step #1: Get a list of user rids that are the members of the
+           group. */
+
         if (!(group_hnd = cm_get_sam_group_handle(domain->name, &domain->sid,
                                                   group_rid)))
                 goto done;
@@ -357,9 +360,10 @@ BOOL winbindd_lookup_groupmem(struct winbindd_domain *domain,
         if (!NT_STATUS_IS_OK(result))
                 goto done;
 
-        /* Convert list of rids into list of names.  Do this in bunches of
-           ~1000 to avoid crashing NT4.  It looks like there is a buffer
-           overflow or something like that lurking around somewhere. */
+        /* Step #2: Convert list of rids into list of usernames.  Do this
+           in bunches of ~1000 to avoid crashing NT4.  It looks like there
+           is a buffer overflow or something like that lurking around
+           somewhere. */
 
         if (!(dom_hnd = cm_get_sam_dom_handle(domain->name, &domain->sid)))
                 goto done;

source3/rpc_server/srv_netlog_nt.c

@@ -595,6 +595,8 @@ static NTSTATUS _net_logon_any(NET_ID_INFO_CTR *ctr, char *user, char *domain, c
 	DEBUG(5, ("_net_logon_any: exited with status %s\n", 
 		  get_nt_error_msg(nt_status)));
 
+        free_serversupplied_info(&server_info); /* No info needed */
+
 	return nt_status;
 }
 

source3/smbd/auth.c

@@ -129,6 +129,7 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 	auth_serversupplied_info server_info;
 	AUTH_STR ourdomain, theirdomain, unix_username, smb_username, 
                 wksta_name;
+        NTSTATUS result;
 		
 	ZERO_STRUCT(user_info);
 	ZERO_STRUCT(ourdomain);
@@ -203,7 +204,11 @@ NTSTATUS pass_check_smb_with_chal(char *smb_user, char *unix_user,
 
 	}
 
-	return check_password(&user_info, &server_info);
+	result = check_password(&user_info, &server_info);
+
+        free_serversupplied_info(&server_info); /* No info needed */
+
+        return result;
 }
 
 NTSTATUS pass_check_smb(char *smb_user, char *unix_user, 
@@ -255,3 +260,10 @@ BOOL password_ok(char *user, char *password, int pwlen)
 
 	return False;
 }
+
+/* Free a auth_serversupplied_info structure */
+
+void free_serversupplied_info(auth_serversupplied_info *server_info)
+{
+        SAFE_FREE(server_info->group_rids);
+}