Ok, getting a bit more ambitious. Stop me, if this is wrong. ;-)

When creating a group you have to take care of the fact that the
underlying unix might not like the group name. This change gets around
that problem by giving the add group script the chance to invent a
group name. It then must only return the newly created numerical gid.

Volker
(This used to be commit b959419ed38e66a12b63cad3e5fbfa849f952acc)

4 files changed, 46 insertions, 10 deletions

diff --git a/docs/manpages/smb.conf.5 b/docs/manpages/smb.conf.5
index 990ba027ab..8967134481 100644
--- a/docs/manpages/smb.conf.5
+++ b/docs/manpages/smb.conf.5
@@ -1616,8 +1616,13 @@ Example: \fBadd user script = /usr/local/samba/bin/add_user
 %u\fR
 .TP
 \fBadd group script (G)\fR
-This is the full pathname to a script that will 
-be run \fBAS ROOT\fR by smbd(8) when a new group is requested. It will expand any \fI%g\fR to the group name passed.  This script is only useful for installations using the Windows NT domain administration tools.
+This is the full pathname to a script that will be run \fBAS ROOT\fR
+by smbd(8) when a new group is requested. It will expand any \fI%g\fR
+to the group name passed.  This script is only useful for
+installations using the Windows NT domain administration tools. The
+script is free to create a group with an arbitrary name to circumvent
+unix group name restrictions. In that case the script must print the
+numeric gid of the created group on stdout.
 .TP
 \fBadmin users (S)\fR
 This is a list of users who will be granted 
diff --git a/source3/groupdb/mapping.c b/source3/groupdb/mapping.c
index 2c9c7f47ea..5641431246 100644
--- a/source3/groupdb/mapping.c
+++ b/source3/groupdb/mapping.c
@@ -1156,16 +1156,42 @@ BOOL get_uid_list_of_group(gid_t gid, uid_t **uid, int *num_uids)
  Create a UNIX group on demand.
 ****************************************************************************/
 
-int smb_create_group(char *unix_group)
+int smb_create_group(char *unix_group, gid_t *new_gid)
 {
 	pstring add_script;
 	int ret;
+	int fd = 0;
 
 	pstrcpy(add_script, lp_addgroup_script());
 	if (! *add_script) return -1;
 	pstring_sub(add_script, "%g", unix_group);
-	ret = smbrun(add_script,NULL);
+	ret = smbrun(add_script, (new_gid!=NULL) ? &fd : NULL);
 	DEBUG(3,("smb_create_group: Running the command `%s' gave %d\n",add_script,ret));
+	if (ret != 0)
+		return ret;
+
+	if (fd != 0) {
+		fstring output;
+
+		*new_gid = 0;
+		if (read(fd, output, sizeof(output)) > 0) {
+			*new_gid = (gid_t)strtoul(output, NULL, 10);
+		}
+		close(fd);
+
+		if (*new_gid == 0) {
+			/* The output was garbage. We assume nobody
+                           will create group 0 via smbd. Now we try to
+                           get the group via getgrnam. */
+
+			struct group *grp = getgrnam(unix_group);
+			if (grp != NULL)
+				*new_gid = grp->gr_gid;
+			else
+				return 1;
+		}
+	}
+
 	return ret;
 }
 
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index fd1111d5dc..ea631838da 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3857,6 +3857,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	struct samr_info *info;
 	PRIVILEGE_SET priv_set;
 	uint32 acc_granted;
+	gid_t gid;
 
 	init_privilege(&priv_set);
 
@@ -3880,10 +3881,11 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 		return NT_STATUS_GROUP_EXISTS;
 
 	/* we can create the UNIX group */
-	smb_create_group(name);
+	if (smb_create_group(name, &gid) != 0)
+		return NT_STATUS_ACCESS_DENIED;
 
 	/* check if the group has been successfully created */
-	if ((grp=getgrnam(name)) == NULL)
+	if ((grp=getgrgid(gid)) == NULL)
 		return NT_STATUS_ACCESS_DENIED;
 
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
@@ -3920,6 +3922,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 	struct samr_info *info;
 	PRIVILEGE_SET priv_set;
 	uint32 acc_granted;
+	gid_t gid;
 
 	init_privilege(&priv_set);
 
@@ -3943,10 +3946,11 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 		return NT_STATUS_GROUP_EXISTS;
 
 	/* we can create the UNIX group */
-	smb_create_group(name);
+	if (smb_create_group(name, &gid) != 0)
+		return NT_STATUS_ACCESS_DENIED;
 
 	/* check if the group has been successfully created */
-	if ((grp=getgrnam(name)) == NULL)
+	if ((grp=getgrgid(gid)) == NULL)
 		return NT_STATUS_ACCESS_DENIED;
 
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index 9d54a771fc..95a813dcfd 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -323,14 +323,15 @@ fetch_group_info(uint32 rid, SAM_GROUP_INFO *delta)
 	fstring sid_string;
 	GROUP_MAP map;
 	int flag = TDB_INSERT;
+	gid_t gid;
 
 	unistr2_to_ascii(name, &delta->uni_grp_name, sizeof(name)-1);
 	unistr2_to_ascii(comment, &delta->uni_grp_desc, sizeof(comment)-1);
 
 	if ((grp = getgrnam(name)) == NULL)
-		smb_create_group(name);
+		smb_create_group(name, &gid);
 
-	if ((grp = getgrnam(name)) == NULL)
+	if ((grp = getgrgid(gid)) == NULL)
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* add the group to the mapping table */