idmap_hash: don't return ID_REQUIRE_TYPE if the domain is known in the netsamlogon cache

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15319

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit ee820553fd2c6ada966a0160cbb0240049f9d9f7)

1 files changed, 16 insertions, 0 deletions

diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c
index fb900617ec3..a3430350625 100644
--- a/source3/winbindd/idmap_hash/idmap_hash.c
+++ b/source3/winbindd/idmap_hash/idmap_hash.c
@@ -25,6 +25,7 @@
 #include "ads.h"
 #include "nss_info.h"
 #include "../libcli/security/dom_sid.h"
+#include "libsmb/samlogon_cache.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -287,6 +288,21 @@ static NTSTATUS idmap_hash_sid_to_id(struct sid_hash_table *hashed_domains,
 		goto return_mapping;
 	}
 
+	/*
+	 * Check of last resort: A domain is valid if a user from that
+	 * domain has recently logged in. The samlogon_cache these
+	 * days also stores the domain sid.
+	 */
+	if (netsamlogon_cache_have(&sid)) {
+		/*
+		 * We keep the legacy behavior and
+		 * just return the mapping, but
+		 * the reverse mapping would not
+		 * still not work.
+		 */
+		goto return_mapping;
+	}
+
 	if (id->xid.type == ID_TYPE_NOT_SPECIFIED) {
 		/*
 		 * idmap_hash used to bounce back the requested type,