dsdb: Ensure "authenticated users" is processed for group memberships
commit8f078cdf247476fad511bb6d7e00c8654fd26e85
authorAndrew Bartlett <abartlet@samba.org>
Sat, 29 Dec 2012 04:13:54 +0000 (29 15:13 +1100)
committerStefan Metzmacher <metze@samba.org>
Mon, 21 Jan 2013 15:12:45 +0000 (21 16:12 +0100)
tree224841e3e6b0531d20de16e336b84a32cdb085e7
parentd36c03056fb85dfedbafd3a59497e35db63ade17
dsdb: Ensure "authenticated users" is processed for group memberships

This change moves the addition of "Authenticated Users" from the very end of the
token processing to the start.  The reason is that we need to see if
"Authenticated Users" is a member of other builtin groups, just as we
would for any other SID.  This picks up the "Pre-Windows 2000 Compatible Access"
group, which is in turn often used in ACLs on LDAP objects.

Without this change, the eventual token does not contain S-1-5-32-554
and users other than "Administrator" are unable to read uidNumber
(in particular).

Andrew Bartlett

Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/auth/session.c
source4/dsdb/common/util_groups.c
source4/dsdb/samdb/samdb.c