s4:auth handle addition of nested aliases of domain groups.

The challenge here is that we are asked not to add the domain groups
again, but we need to search inside them for any aliases that we need
to add.  So, we can't short-circuit the operation just because we found
the domain group.

Andrew Bartlett

1 files changed, 8 insertions, 8 deletions

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 244ebc732e9..d5dc4ded12b 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -332,23 +332,23 @@ NTSTATUS authsam_expand_nested_groups(struct ldb_context *sam_ctx,
 	}
 	v = ldb_dn_get_extended_component(dn, "SID");
 
-	ndr_err = ndr_pull_struct_blob(v, sid, NULL, sid,
+	ndr_err = ndr_pull_struct_blob(v, sid, sid,
 				       (ndr_pull_flags_fn_t)ndr_pull_dom_sid);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}
 
-	/* This is an O(n^2) linear search */
-	already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
-					  *num_res_sids, sid);
-	if (already_there) {
-		return NT_STATUS_OK;
-	}
-
 	if (only_childs) {
 		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, NULL);
 	} else {
+		/* This is an O(n^2) linear search */
+		already_there = sids_contains_sid((const struct dom_sid**) *res_sids,
+						  *num_res_sids, sid);
+		if (already_there) {
+			return NT_STATUS_OK;
+		}
+
 		ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s", filter);
 	}