r21881: Make sure we are very specific when testing whether a backand can handle a

particular SID. Make sure that the passdb backend will accept the same set
range of local SIDs that the idmap system sends it.

Simo, Jerry - this is a 3_0_25 candidate. Can you please review?
(This used to be commit 86a70adb6a2d277f235857451bbee7d530d15310)

2 files changed, 9 insertions, 2 deletions

diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 72c85a9c6a..b0529be4fb 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -599,12 +599,18 @@ struct winbindd_domain *find_domain_from_name(const char *domain_name)
 struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
 {
 	struct winbindd_domain *domain;
+	uint32 discard;
 
 	/* Search through list */
 
 	for (domain = domain_list(); domain != NULL; domain = domain->next) {
-		if (sid_compare_domain(sid, &domain->sid) == 0)
+		/* We need to use sid_peek_check_rid, because we want 
+		 * to make sure that the SIDs we send to the backends are
+		 * as specific as possible.
+		 */
+		if (sid_peek_check_rid(&domain->sid, sid, &discard) == 0) {
 			return domain;
+		}
 	}
 
 	/* Not found */
diff --git a/source3/passdb/pdb_interface.c b/source3/passdb/pdb_interface.c
index 976dfc1d08..e0b9086f9c 100644
--- a/source3/passdb/pdb_interface.c
+++ b/source3/passdb/pdb_interface.c
@@ -1305,7 +1305,8 @@ static BOOL pdb_default_sid_to_id(struct pdb_methods *methods,
 		goto done;
 	}
 
-	if (sid_peek_check_rid(&global_sid_Builtin, sid, &rid)) {
+	if (sid_check_is_in_builtin(sid) ||
+	    sid_check_is_in_wellknown_domain(sid)) {
 		/* Here we only have aliases */
 		GROUP_MAP map;
 		if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {