authorAndrew Bartlett <abartlet@samba.org>2003-05-11 05:59:34 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-05-11 05:59:34 +0000
commit2735fb0119c5c938e236db406c74f914a0360151 (patch)
treea535c610eba7bd5bf78de240196decd8bb6d9309
parent00583954447ec7af9dbbde183bba12a8711e61d0 (diff)
As discussed on samba-technical - move to 'primaryGroupSid' instead of
primaryGroupID (rid). This is consistent with the move from 'rid' to ntSid for the primary user identifier. Also cope with legacy installations where primaryGroupID might have been stored as 0. Andrew Bartlett (This used to be commit 0e432817cb927b41af7b49fb0b5081ffdb46f85e)
-rw-r--r--examples/LDAP/samba.schema12
-rw-r--r--source3/passdb/pdb_ldap.c62
2 files changed, 56 insertions, 18 deletions
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index f9475f07ea..3a620b9a59 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -119,6 +119,16 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'ntSid'
EQUALITY caseIgnoreIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
+##
+## Primary group SID, compatible with ntSid
+##
+
+attributetype ( 1.3.6.1.4.1.7165.2.1.23 NAME 'primaryGroupSID'
+ DESC 'Primary Group Security ID'
+ EQUALITY caseIgnoreIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
+
##
## group mapping attributes
##
@@ -168,7 +178,7 @@ objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaAccount' SUP top AUXILIARY
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
- description $ userWorkstations $ primaryGroupID $ domain ))
+ description $ userWorkstations $ primaryGroupSID $ domain ))
############################################################################
##
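Review bot: The MAY-list change at `description $ userWorkstations $ primaryGroupSID $ domain ))` drops primaryGroupID from sambaAccount, yet source3/passdb/pdb_ldap.c in this same commit still writes "primaryGroupID" when use_ntsid is off (the `make_ldap_mod(..., "primaryGroupID", temp)` call in init_ldap_from_sam), so a directory that enforces schema would presumably reject those modifies once this schema is loaded. If the legacy rid path is meant to keep working, keep both attributes optional, `description $ userWorkstations $ primaryGroupID $ primaryGroupSID $ domain ))`, or state in the schema comment that the updated schema requires use_ntsid. The attribute is also spelled 'primaryGroupSID' here and "primaryGroupSid" in the C code; LDAP attribute names match case-insensitively so this works, but one spelling would make cross-referencing the two files easier.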
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index e9c6093e26..53fefd6336 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -164,7 +164,7 @@ static const char *attr[] = {"uid", "pwdLastSet", "logonTime",
"smbHome", "scriptPath",
"profilePath", "description",
"userWorkstations", "rid", "ntSid",
- "primaryGroupID", "lmPassword",
+ "primaryGroupID", "primaryGroupSid", "lmPassword",
"ntPassword", "acctFlags",
"domain", "objectClass",
"uidNumber", "gidNumber",
@@ -1667,11 +1667,31 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
if (get_single_attribute(ldap_state->ldap_struct, entry, "ntSid", temp)) {
pdb_set_user_sid_from_string(sampass, temp, PDB_SET);
}
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupSid", temp)) {
+ pdb_set_group_sid_from_string(sampass, temp, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
} else {
if (get_single_attribute(ldap_state->ldap_struct, entry, "rid", temp)) {
user_rid = (uint32)atol(temp);
pdb_set_user_sid_from_rid(sampass, user_rid, PDB_SET);
}
+ if (get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
+ uint32 group_rid;
+ group_rid = (uint32)atol(temp);
+
+ if (group_rid > 0) {
+ /* for some reason, we often have 0 as a primary group RID.
+ Make sure that we treat this just as a 'default' value
+ */
+ pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
+ } else {
+ pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
+ }
}
if (pdb_get_init_flags(sampass,PDB_USERSID) == PDB_DEFAULT) {
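Review bot: The return value of `pdb_set_group_sid_from_string(sampass, temp, PDB_SET)` on the new primaryGroupSid branch is discarded, so a malformed stored SID leaves the group SID unset with neither a default nor a log line, whereas the rid branch below falls back to DOMAIN_GROUP_RID_USERS. Assuming it returns BOOL like the other pdb_set_* setters, fail loudly instead, mirroring the user-SID check that follows this hunk: `if (!pdb_set_group_sid_from_string(sampass, temp, PDB_SET)) { DEBUG(1, ("Invalid primaryGroupSid '%s' in LDAP entry\n", temp)); return False; }`. The new `group_rid = (uint32)atol(temp);` also accepts trailing junk and wraps a negative string to a huge RID; `strtoul(temp, &end, 10)` with an `*end == '\0'` check would reject both before the value is used. The DOMAIN_GROUP_RID_USERS default is now assigned at three places in this hunk; setting it once before the if/else and overriding on success would shorten the code. init_sam_from_ldap starts and ends outside the hunk.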
@@ -1679,14 +1699,6 @@ static BOOL init_sam_from_ldap (struct ldapsam_privates *ldap_state,
return False;
}
- if (!get_single_attribute(ldap_state->ldap_struct, entry, "primaryGroupID", temp)) {
- pdb_set_group_sid_from_rid(sampass, DOMAIN_GROUP_RID_USERS, PDB_DEFAULT);
- } else {
- uint32 group_rid;
- group_rid = (uint32)atol(temp);
- pdb_set_group_sid_from_rid(sampass, group_rid, PDB_SET);
- }
-
/*
* If so configured, try and get the values from LDAP
*/
@@ -1952,15 +1964,16 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
if (need_update(sampass, PDB_USERSID)) {
fstring sid_string;
fstring dom_sid_string;
- const DOM_SID *user_sid;
- user_sid = pdb_get_user_sid(sampass);
+ const DOM_SID *user_sid = pdb_get_user_sid(sampass);
if (ldap_state->use_ntsid) {
make_ldap_mod(ldap_state->ldap_struct, existing, mods,
"ntSid", sid_to_string(sid_string, user_sid));
} else {
if (!sid_peek_check_rid(get_global_sam_sid(), user_sid, &rid)) {
- DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n", sid_to_string(sid_string, user_sid), sid_to_string(dom_sid_string, get_global_sam_sid())));
+ DEBUG(1, ("User's SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
+ sid_to_string(sid_string, user_sid),
+ sid_to_string(dom_sid_string, get_global_sam_sid())));
return False;
}
slprintf(temp, sizeof(temp) - 1, "%i", rid);
@@ -1974,10 +1987,24 @@ static BOOL init_ldap_from_sam (struct ldapsam_privates *ldap_state,
'free' to hang off the unix primary group makes life easier */
if (need_update(sampass, PDB_GROUPSID)) {
- rid = pdb_get_group_rid(sampass);
- slprintf(temp, sizeof(temp) - 1, "%i", rid);
- make_ldap_mod(ldap_state->ldap_struct, existing, mods,
- "primaryGroupID", temp);
+ fstring sid_string;
+ fstring dom_sid_string;
+ const DOM_SID *group_sid = pdb_get_group_sid(sampass);
+
+ if (ldap_state->use_ntsid) {
+ make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+ "primaryGroupSid", sid_to_string(sid_string, group_sid));
+ } else {
+ if (!sid_peek_check_rid(get_global_sam_sid(), group_sid, &rid)) {
+ DEBUG(1, ("User's Primary Group SID (%s) is not for this domain (%s), cannot add to LDAP!\n",
+ sid_to_string(sid_string, group_sid),
+ sid_to_string(dom_sid_string, get_global_sam_sid())));
+ return False;
+ }
+ slprintf(temp, sizeof(temp) - 1, "%i", rid);
+ make_ldap_mod(ldap_state->ldap_struct, existing, mods,
+ "primaryGroupID", temp);
+ }
}
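Review bot: The new PDB_GROUPSID block repeats the PDB_USERSID block in the previous hunk almost line for line (sid_string/dom_sid_string, the use_ntsid split, sid_peek_check_rid, the DEBUG and the slprintf), differing only in the getter and the two attribute names; a small static helper taking the SID and the attribute names would remove the duplication and keep the two paths from drifting apart. `slprintf(temp, sizeof(temp) - 1, "%i", rid);` formats rid with a signed conversion; rid is declared outside the hunk, but if it is the uint32 that sid_peek_check_rid fills in, a RID above INT_MAX would be stored as a negative number — `slprintf(temp, sizeof(temp) - 1, "%u", (unsigned int)rid);` matches the type. init_ldap_from_sam starts and ends outside the hunk.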
/* displayName, cn, and gecos should all be the same
@@ -2389,7 +2416,8 @@ static NTSTATUS ldapsam_delete_sam_account(struct pdb_methods *my_methods, SAM_A
{ "lmPassword", "ntPassword", "pwdLastSet", "logonTime", "logoffTime",
"kickoffTime", "pwdCanChange", "pwdMustChange", "acctFlags",
"displayName", "smbHome", "homeDrive", "scriptPath", "profilePath",
- "userWorkstations", "primaryGroupID", "domain", "rid", "ntSid", NULL };
+ "userWorkstations", "primaryGroupID", "primaryGroupSid", "domain",
+ "rid", "ntSid", NULL };
if (!sam_acct) {
DEBUG(0, ("sam_acct was NULL!\n"));