r24696: Fix bug 4918 reported by Matthias Wallnöfer <mwallnoefer@yahoo.de>

with a patch from Andrew Kroeger <andrew@sprocks.gotdns.com>.

The changes to samldb_fill_foreignSecurityPrincipal_object() look much
larger then they are: We just skip all the objectSid generation if the
SID is supplied.

By providing a few more objects, standard dialogs on the clients are
better behaved, for these 'well known' users.

Andrew Bartlett
(This used to be commit 35ee4aee719e69983d650602d1c6422a31600001)

2 files changed, 277 insertions, 37 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index d4dc2b3d2b..d448e30b31 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -576,7 +576,7 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
 	/* build the new msg */
 	msg2 = ldb_msg_copy(mem_ctx, msg);
 	if (!msg2) {
-		ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincpal_object: ldb_msg_copy failed!\n");
+		ldb_debug(module->ldb, LDB_DEBUG_FATAL, "samldb_fill_foreignSecurityPrincipal_object: ldb_msg_copy failed!\n");
 		talloc_free(mem_ctx);
 		return LDB_ERR_OPERATIONS_ERROR;
 	}
@@ -601,47 +601,50 @@ static int samldb_fill_foreignSecurityPrincipal_object(struct ldb_module *module
 		return LDB_ERR_CONSTRAINT_VIOLATION;
 	}
 
-	/* Slightly different for the foreign sids.  We don't want
-	 * domain SIDs ending up there, it would cause all sorts of
-	 * pain */
-
-	sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+	sid = samdb_result_dom_sid(msg2, msg, "objectSid");
 	if (!sid) {
-		ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
-		talloc_free(mem_ctx);
-		return LDB_ERR_CONSTRAINT_VIOLATION;
-	}
+		/* Slightly different for the foreign sids.  We don't want
+		 * domain SIDs ending up there, it would cause all sorts of
+		 * pain */
 
-	if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
-		talloc_free(sid);
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
+		sid = dom_sid_parse_talloc(msg2, (const char *)ldb_dn_get_rdn_val(msg2->dn)->data);
+		if (!sid) {
+			ldb_set_errstring(module->ldb, "No valid found SID in ForeignSecurityPrincipal CN!");
+			talloc_free(mem_ctx);
+			return LDB_ERR_CONSTRAINT_VIOLATION;
+		}
 
-	dom_sid = dom_sid_dup(mem_ctx, sid);
-	if (!dom_sid) {
-		talloc_free(mem_ctx);
-		return LDB_ERR_OPERATIONS_ERROR;
-	}
-	/* get the domain component part of the provided SID */
-	dom_sid->num_auths--;
+		if ( ! samldb_msg_add_sid(module, msg2, "objectSid", sid)) {
+			talloc_free(sid);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
 
-	/* find the domain DN */
+		dom_sid = dom_sid_dup(mem_ctx, sid);
+		if (!dom_sid) {
+			talloc_free(mem_ctx);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
+		/* get the domain component part of the provided SID */
+		dom_sid->num_auths--;
 
-	ret = gendb_search(module->ldb,
-			   mem_ctx, NULL, &dom_msgs, dom_attrs,
-			   "(&(objectSid=%s)(objectclass=domain))",
-			   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
-	if (ret >= 1) {
-		/* We don't really like the idea of foreign sids that are not foreign, but it happens */
-		const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
-		ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database", 
-			  dom_sid_string(mem_ctx, sid), name); 
-	} else if (ret == -1) {
-		ldb_asprintf_errstring(module->ldb,
-					"samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n", 
-					dom_sid_string(mem_ctx, dom_sid));
-		talloc_free(dom_msgs);
-		return LDB_ERR_OPERATIONS_ERROR;
+		/* find the domain DN */
+
+		ret = gendb_search(module->ldb,
+				   mem_ctx, NULL, &dom_msgs, dom_attrs,
+				   "(&(objectSid=%s)(objectclass=domain))",
+				   ldap_encode_ndr_dom_sid(mem_ctx, dom_sid));
+		if (ret >= 1) {
+			/* We don't really like the idea of foreign sids that are not foreign, but it happens */
+			const char *name = samdb_result_string(dom_msgs[0], "name", NULL);
+			ldb_debug(module->ldb, LDB_DEBUG_TRACE, "NOTE (strange but valid): Adding foreign SID record with SID %s, but this domian (%s) is already in the database", 
+				  dom_sid_string(mem_ctx, sid), name); 
+		} else if (ret == -1) {
+			ldb_asprintf_errstring(module->ldb,
+						"samldb_fill_foreignSecurityPrincipal_object: error searching for a domain with this sid: %s\n", 
+						dom_sid_string(mem_ctx, dom_sid));
+			talloc_free(dom_msgs);
+			return LDB_ERR_OPERATIONS_ERROR;
+		}
 	}
 
 	/* This isn't an operation on a domain we know about, so just
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index fa81784f1e..dcb9ef14fa 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -347,3 +347,240 @@ groupType: 2147483653
 isCriticalSystemObject: TRUE
 privilege: SeInteractiveLogonRight
 
+dn: CN=Pre-Windows 2000 Compatible Access,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Pre-Windows 2000 Compatible Access
+description: A backward compatibility group which allows read access on all users and groups in the domain
+objectSid: S-1-5-32-554
+sAMAccountName: Pre-Windows 2000 Compatible Access
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+privilege: SeRemoteInteractiveLogonRight
+privilege: SeChangeNotifyPrivilege
+
+dn: CN=Incoming Forest Trust Builders,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Incoming Forest Trust Builders
+description: Members of this group can create incoming, one-way trusts to this forest
+objectSid: S-1-5-32-557
+sAMAccountName: Incoming Forest Trust Builders
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Windows Authorization Access Group,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Windows Authorization Access Group
+description: Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects
+objectSid: S-1-5-32-560
+sAMAccountName: Windows Authorization Access Group
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Terminal Server License Servers,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Terminal Server License Servers
+description: Terminal Server License Servers
+objectSid: S-1-5-32-561
+sAMAccountName: Terminal Server License Servers
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=Distributed COM Users,CN=Builtin,${DOMAINDN}
+objectClass: top
+objectClass: group
+cn: Distributed COM Users
+description: Members are allowed to launch, activate and use Distributed COM objects on this machine.
+objectSid: S-1-5-32-562
+sAMAccountName: Distributed COM Users
+sAMAccountType: 536870912
+systemFlags: 2348810240
+groupType: 2147483653
+isCriticalSystemObject: TRUE
+
+dn: CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: container
+cn: WellKnown Security Principals
+systemFlags: 2147483648
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Anonymous Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Anonymous Logon
+objectSid: S-1-5-7
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Authenticated Users,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Authenticated Users
+objectSid: S-1-5-11
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Batch,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Batch
+objectSid: S-1-5-3
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Group,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Group
+objectSid: S-1-3-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Creator Owner,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Creator Owner
+objectSid: S-1-3-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Dialup,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Dialup
+objectSid: S-1-5-1
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Digest Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Digest Authentication
+objectSid: S-1-5-64-21
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Enterprise Domain Controllers,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Enterprise Domain Controllers
+objectSid: S-1-5-9
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Everyone,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Everyone
+objectSid: S-1-1-0
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Interactive,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Interactive
+objectSid: S-1-5-4
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Local Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Local Service
+objectSid: S-1-5-19
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network
+objectSid: S-1-5-2
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Network Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Network Service
+objectSid: S-1-5-20
+showInAdvancedViewOnly: TRUE
+
+dn: CN=NTLM Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: NTLM Authentication
+objectSid: S-1-5-64-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Other Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Other Organization
+objectSid: S-1-5-1000
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Proxy,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Proxy
+objectSid: S-1-5-8
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Remote Interactive Logon,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Remote Interactive Logon
+objectSid: S-1-5-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Restricted,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Restricted
+objectSid: S-1-5-12
+showInAdvancedViewOnly: TRUE
+
+dn: CN=SChannel Authentication,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: SChannel Authentication
+objectSid: S-1-5-64-14
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Self,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Self
+objectSid: S-1-5-10
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Service,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Service
+objectSid: S-1-5-6
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Terminal Server User,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Terminal Server User
+objectSid: S-1-5-13
+showInAdvancedViewOnly: TRUE
+
+dn: CN=This Organization,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: This Organization
+objectSid: S-1-5-15
+showInAdvancedViewOnly: TRUE
+
+dn: CN=Well-Known-Security-Id-System,CN=WellKnown Security Principals,${CONFIGDN}
+objectClass: top
+objectClass: foreignSecurityPrincipal
+cn: Well-Known-Security-Id-System
+objectSid: S-1-5-18
+showInAdvancedViewOnly: TRUE
+