| author | Luke Leighton <lkcl@samba.org> | 1998-11-24 16:47:49 +0000 | 
|---|---|---|
| committer | Luke Leighton <lkcl@samba.org> | 1998-11-24 16:47:49 +0000 | 
| commit | ced486c8415c7ece457edecb3246f7277a57d60b (patch) | |
| tree | 578a345157409d97841c8c2c6fe2539226377c43 | |
| parent | 0c9df3c61007eb170ae17282d7b31bea6899a656 (diff) | |
sorting out difference between aliases and groups in the cases where
unix groups are not explicitly mapped.
i.e. as a PDC or BDC you can have domain groups; as a member of a domain
you cannot.
as a member of a domain, unmapped unix groups are assumed to be aliases,
and as a PDC or BDC, unmapped unix groups are assumed to be unix groups.
there is _one_ other check needed with aliases to be added: unmapped unix
groups that have the same name as an NT group on the PDC (for which i will
need to write an LsaLookupNames call) should be assumed to be domain groups
on the PDC.
(This used to be commit 53b49b44e13a4ca9818ebc947372b1374831b568)
| -rw-r--r-- | source3/groupdb/aliasunix.c | 47 | ||||
| -rw-r--r-- | source3/groupdb/groupunix.c | 24 | ||||
| -rw-r--r-- | source3/lib/util_sid.c | 5 | 
3 files changed, 55 insertions, 21 deletions
diff --git a/source3/groupdb/aliasunix.c b/source3/groupdb/aliasunix.c
index cda53570f5..7d6cafd386 100644
--- a/source3/groupdb/aliasunix.c
+++ b/source3/groupdb/aliasunix.c
@@ -66,7 +66,7 @@ static BOOL setalsunixpwpos(void *vp, SMB_BIG_UINT tok)
 }
 /*************************************************************************
- maps a unix alias to a rid, domain sid and an nt alias name.  
+ maps a unix group to a rid, domain sid and an nt alias name.  
 *************************************************************************/
 static void map_unix_als_to_nt_als(struct group *unix_als, char *nt_name, DOM_SID *sid, uint32 *rid)
 {
@@ -74,7 +74,7 @@ static void map_unix_als_to_nt_als(struct group *unix_als, char *nt_name, DOM_SI
 	{
 		/*
 		 * find the NT name represented by this UNIX gid.
-		 * then, only accept NT aliass that are in our domain
+		 * then, only accept NT aliases that are in our domain
 		 */
 		sid_split_rid(sid, rid);
@@ -150,6 +150,18 @@ BOOL get_unixalias_members(struct group *als,
 /*************************************************************************
  Routine to return the next entry in the domain alias list.
+
+ when we are a PDC or BDC, then unix groups that are explicitly NOT mapped
+ to aliases (map_alias_gid) are treated as DOMAIN groups (see groupunix.c).
+
+ when we are a member of a domain (not a PDC or BDC) then unix groups
+ that are explicitly NOT mapped to aliases (map_alias_gid) are treated
+ as LOCAL groups.
+
+ the reasoning behind this is to make it as simple as possible (not an easy
+ task) for people to set up a domain-aware samba server, in each role that
+ the server can take.
+
 *************************************************************************/
 static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem)
 {
@@ -157,13 +169,11 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 	static LOCAL_GRP gp_buf;
 	struct group *unix_grp;
-	if (lp_server_role() == ROLE_DOMAIN_NONE || 
-	    lp_server_role() == ROLE_DOMAIN_MEMBER)
+	if (lp_server_role() == ROLE_DOMAIN_NONE)
 	{
 		/*
-		 * only PDC and BDC have domain aliass in the SAM.
-		 * (however as member of domain you can have LOCAL aliass,
-		 * but that's dealt with in the aliasdb...)
+		 * no domain role, no domain aliases (or domain groups,
+		 * but that's dealt with by groupdb...).
 		 */
 		return NULL;
@@ -173,7 +183,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 	fstrcpy(gp_buf.comment, "");
-	/* cycle through unix aliass */
+	/* cycle through unix groups */
 	while ((unix_grp = getgrent()) != NULL)
 	{
 		DOM_SID sid;
@@ -181,7 +191,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 		{
 			/*
 			 * find the NT name represented by this UNIX gid.
-			 * then, only accept NT aliass that are in our domain
+			 * then, only accept NT aliases that are in our domain
 			 */
 			sid_split_rid(&sid, &gp_buf.rid);
@@ -190,9 +200,10 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 				break; /* hooray. */
 			}
 		}
-		else
+		else if (lp_server_role() == ROLE_DOMAIN_MEMBER)
 		{
 			/*
+			 * if we are a member of a domain,
 			 * assume that the UNIX alias is an NT alias with
 			 * the same name.  convert gid to a alias rid.
 			 */
@@ -207,7 +218,7 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 		return NULL;
 	}
-	/* get the user's domain aliass.  there are a maximum of 32 */
+	/* get the user's domain aliases.  there are a maximum of 32 */
 	if (mem != NULL && num_mem != NULL)
 	{
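Review bot: The new `else if (lp_server_role() == ROLE_DOMAIN_MEMBER)` in the -190 hunk calls lp_server_role() on every getgrent() iteration, and the same value was already tested once at the top of getalsunixpwent in the -157 hunk; hoisting it into a local before the loop, `int role = lp_server_role();`, puts the role decision in one place and makes the two tests visibly the same. With this change a PDC or BDC now drops every unix group that map_alias_gid does not recognise without a trace; the added header comment documents the policy, but a trailing `else` with a `DEBUG(10,(...))` naming the skipped group would make enumeration problems diagnosable. getalsunixpwent starts and ends outside this hunk.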
@@ -217,13 +228,11 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
 		get_unixalias_members(unix_grp, num_mem, mem);
 	}
-#if 0
 	{
 		pstring linebuf;
 		make_alias_line(linebuf, sizeof(linebuf), &gp_buf, mem, num_mem);
 		DEBUG(10,("line: '%s'\n", linebuf));
 	}
-#endif
 	return &gp_buf;
 }
@@ -232,9 +241,9 @@ static LOCAL_GRP *getalsunixpwent(void *vp, LOCAL_GRP_MEMBER **mem, int *num_mem
  Routine to add an entry to the alspasswd file.
 *************************************************************************/
-static BOOL add_alsunixals_entry(LOCAL_GRP *newals)
+static BOOL add_alsunixgrp_entry(LOCAL_GRP *newals)
 {
-	DEBUG(0, ("add_alsunixals_entry: NOT IMPLEMENTED\n"));
+	DEBUG(0, ("add_alsunixgrp_entry: NOT IMPLEMENTED\n"));
 	return False;
 }
@@ -247,9 +256,9 @@ static BOOL add_alsunixals_entry(LOCAL_GRP *newals)
  override = True, override XXXXXXXX'd out alias or NO PASS
 ************************************************************************/
-static BOOL mod_alsunixals_entry(LOCAL_GRP* als)
+static BOOL mod_alsunixgrp_entry(LOCAL_GRP* als)
 {
-	DEBUG(0, ("mod_alsunixals_entry: NOT IMPLEMENTED\n"));
+	DEBUG(0, ("mod_alsunixgrp_entry: NOT IMPLEMENTED\n"));
 	return False;
 }
@@ -266,8 +275,8 @@ static struct aliasdb_ops unix_ops =
 	iterate_getaliasrid,          /* In aliasdb.c */
 	getalsunixpwent,
-	add_alsunixals_entry,
-	mod_alsunixals_entry,
+	add_alsunixgrp_entry,
+	mod_alsunixgrp_entry,
 	iterate_getuseraliasnam      /* in aliasdb.c */
 };
diff --git a/source3/groupdb/groupunix.c b/source3/groupdb/groupunix.c
index 0f850f347c..89406fe139 100644
--- a/source3/groupdb/groupunix.c
+++ b/source3/groupdb/groupunix.c
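Review bot: Dropping the `#if 0`/`#endif` in the -217 hunk makes `make_alias_line(linebuf, sizeof(linebuf), &gp_buf, mem, num_mem)` run for every returned entry, including calls where mem or num_mem is NULL — the `if (mem != NULL && num_mem != NULL)` guard immediately above shows that is a supported way to call getalsunixpwent, so unless make_alias_line tolerates NULL pointers this is a null dereference for those callers. The line is also formatted whether or not debug level 10 is active, which is wasted work on every enumeration step. Keeping the block under the same `mem != NULL && num_mem != NULL` condition, or under a debug-level test, fixes both. getalsunixpwent begins outside this hunk.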
@@ -154,6 +154,14 @@ BOOL get_unixgroup_members(struct group *grp,
 /*************************************************************************
  Routine to return the next entry in the domain group list.
+
+ if we are not a PDC or BDC, then we do NOT support Domain groups, only
+ aliases.  try running MUSRMGR.EXE or running USRMGR.EXE selected on a
+ workstation, you will find that no Domain groups are listed: only aliases.
+
+ so, as a PDC or BDC, all unix groups not explicitly mapped using
+ map_group_gid() are treated as Domain groups.
+
 *************************************************************************/
 static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_mem)
 {
@@ -182,8 +190,17 @@ static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_m
 	while ((unix_grp = getgrent()) != NULL)
 	{
 		DOM_SID sid;
+		BOOL is_alias;
+
 		DEBUG(10,("getgrpunixpwent: enum unix group entry %s\n",
 		           unix_grp->gr_name));
+		is_alias = map_alias_gid(unix_grp->gr_gid, &sid, NULL, NULL);
+		if (is_alias)
+		{
+			sid_split_rid(&sid, NULL);
+			is_alias = sid_equal(&sid, &global_sam_sid);
+		}
+
 		if (map_group_gid(unix_grp->gr_gid, &sid, gp_buf.name, NULL))
 		{
 			/*
@@ -194,7 +211,12 @@ static DOMAIN_GRP *getgrpunixpwent(void *vp, DOMAIN_GRP_MEMBER **mem, int *num_m
 			sid_split_rid(&sid, &gp_buf.rid);
 			if (sid_equal(&sid, &global_sam_sid))
 			{
-				break; /* hooray. */
+				if (!is_alias)
+				{
+					break; /* hooray. */
+				}
+				DEBUG(0,("configuration mistake: unix group %s is mapped to both an NT alias and an NT group\n",
+				          gp_buf.name));
 			}
 		}
 		else
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index cce360f4c1..a483f85b84 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
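Review bot: In the -182 hunk `map_alias_gid(unix_grp->gr_gid, &sid, NULL, NULL)` uses `sid` as scratch for the alias lookup and then `map_group_gid(unix_grp->gr_gid, &sid, gp_buf.name, NULL)` is handed the same variable, so if map_group_gid does not write sid when it returns False, the else branch (outside this hunk) now sees the alias's domain SID with its rid already split off instead of whatever it saw before this commit. A separate `DOM_SID als_sid;` for the alias lookup keeps the two lookups independent and makes the intent plain. The return value of `sid_split_rid(&sid, NULL)` is also ignored, so a SID with no sub-authorities is compared unchanged against global_sam_sid; that mirrors the existing map_group_gid branch, but a short comment saying the False case is deliberately tolerated would help. getgrpunixpwent continues outside this hunk.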
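Review bot: The `configuration mistake` DEBUG(0) in the -194 hunk reports a group that is then dropped from the enumeration, and nothing in the message identifies the unix entry beyond the NT name map_group_gid filled into gp_buf.name, so the admin has to work backwards to find the offending gid; the same message will also repeat on every enumeration pass that crosses that group. Adding the gid, `DEBUG(0,("configuration mistake: unix group %s (gid %d) is mapped to both an NT alias and an NT group\n", gp_buf.name, (int)unix_grp->gr_gid));`, and a comment stating that the entry is skipped rather than returned would make the behaviour clear to the next reader. getgrpunixpwent continues outside this hunk.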
@@ -134,7 +134,10 @@ BOOL sid_split_rid(DOM_SID *sid, uint32 *rid)
 	if (sid->num_auths > 0)
 	{
 		sid->num_auths--;
-		(*rid) = sid->sub_auths[sid->num_auths];
+		if (rid != NULL)
+		{
+			(*rid) = sid->sub_auths[sid->num_auths];
+		}
 		return True;
 	}
 	return False;
|
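Review bot: Making `rid` optional changes sid_split_rid's contract in a way the prototype does not show, and the new callers in groupunix.c rely on it, so the function's header comment (above this hunk) should say so, e.g. `rid may be NULL when the caller only wants the domain part; sid->num_auths is decremented either way`. Worth noting in the same comment that the split is applied in place even when the function returns True with rid unused, since the groupunix.c caller compares the modified sid afterwards. sid_split_rid's opening lines are outside the hunk.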
