r936: Fix a rather weird error that crippled my site, when we upgraded to

Samba 3.0.4.

If we fail a query for the members of the 'administrators' group (and we may well just have the IDL wrong), this destroys later parts of the domain logon process.

For reasons I can't understand, the client-side 'heck, what happened'
bailout causes the connection to the DC to be dropped, and causes the
mandetory profile not to be loaded.  (This also only occours after a reboot)

Return the members of 'administrators', and it all works fine.

The reason we hit this is because we run winbindd (to support
pam_winbind) on our DC, and the winbindd lookup in sid_to_gid was
messing things up.  As we don't care what type of thing this is,
provided it exists in the group mapping db, we should not bother
winbindd here.

Andrew Bartlett
(This used to be commit d626b5c6d401e72296cf570e50f324c145fd70e0)

1 files changed, 4 insertions, 7 deletions

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 842db8de5d..d536383ef3 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -445,14 +445,11 @@ NTSTATUS sid_to_gid(const DOM_SID *psid, gid_t *pgid)
 	 * Group mapping can deal with foreign SIDs
 	 */
 
+	if ( local_sid_to_gid(pgid, psid, &name_type) )
+		goto success;
+	
 	if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
-		DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed - trying local.\n",
-			sid_to_string(sid_str, psid) ));
-
-		if ( local_sid_to_gid(pgid, psid, &name_type) )
-			goto success;
-			
-		DEBUG(10,("sid_to_gid: no one knows this SID\n"));
+		DEBUG(10,("sid_to_gid: no one knows the SID %s (tried local, then winbind)\n", sid_to_string(sid_str, psid)));
 		
 		return NT_STATUS_UNSUCCESSFUL;
 	}