Merging upstream version 2:4.20.1+dfsg.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/source3/winbindd/winbindd_ads.c b/source3/winbindd/winbindd_ads.c
index 7e572e5..7d63240 100644
--- a/source3/winbindd/winbindd_ads.c
+++ b/source3/winbindd/winbindd_ads.c
@@ -1039,7 +1039,7 @@ static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
 }
 
 static NTSTATUS add_primary_group_members(
-	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid,
+	ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, uint32_t rid, const char *domname,
 	char ***all_members, size_t *num_all_members)
 {
 	char *filter;
@@ -1051,10 +1051,13 @@ static NTSTATUS add_primary_group_members(
 	char **members;
 	size_t num_members;
 	ads_control args;
+	bool all_groupmem = idmap_config_bool(domname, "all_groupmem", false);
 
 	filter = talloc_asprintf(
-		mem_ctx, "(&(objectCategory=user)(primaryGroupID=%u))",
-		(unsigned)rid);
+		mem_ctx,
+		"(&(objectCategory=user)(primaryGroupID=%u)%s)",
+		(unsigned)rid,
+		all_groupmem ? "" : "(uidNumber=*)(!(uidNumber=0))");
 	if (filter == NULL) {
 		goto done;
 	}
@@ -1206,7 +1209,7 @@ static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
 
 	DEBUG(10, ("ads lookup_groupmem: got %d sids via extended dn call\n", (int)num_members));
 
-	status = add_primary_group_members(ads, mem_ctx, rid,
+	status = add_primary_group_members(ads, mem_ctx, rid, domain->name,
 					   &members, &num_members);
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(10, ("%s: add_primary_group_members failed: %s\n",