authorGerald Carter <jerry@samba.org>2006-03-15 00:10:38 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:15:28 -0500
commit0ce53f8ba5110381ad6f910abe581a69019135b8 (patch)
tree3640e38925aa4cc044092561ab90107a44004e72 /source3/nsswitch
parent568f28284a99fc6f6efb2618ad8d91699cad46b8 (diff)
r14403: * modifies create_local_nt_token() to create a BUILTIN\Administrators
group IFF sid_to_gid(S-1-5-32-544) fails and 'winbind nested groups = yes' * Add a SID domain to the group mapping enumeration passdb call to fix the checks for local and builtin groups. The SID can be NULL if you want the old semantics for internal maintenance. I only updated the tdb group mapping code. * remove any group mapping from the tdb that has a gid of -1 for better consistency with pdb_ldap.c. This fixes the problem with calling add_group_map() in the tdb code for unmapped groups which might have had a record present. * Ensure that we distinguish between groups in the BUILTIN and local machine domains via getgrnam(). Otherwise BUILTIN\Administrators & SERVER\Administrators would resolve to the same gid. * Doesn't strip the global_sam_name() from groups in the local machine's domain (this is required to work with 'winbind default domain' code) Still todo. * Fix fallback Administrators membership for root and domain Admins if nested groups = no or winbindd is not running * issues with "su - user -c 'groups'" command * There are a few outstanding issues with BUILTIN\Users that Windows apparently tends to assume. I worked around this presently with a manual group mapping but I do not think this is a good solution. So I'll probably add something similar as I did for Administrators. (This used to be commit 612979476aef62e8e8eef632fa6be7d30282bb83)
Diffstat (limited to 'source3/nsswitch')
-rw-r--r--source3/nsswitch/winbindd_dual.c1
-rw-r--r--source3/nsswitch/winbindd_group.c27
-rw-r--r--source3/nsswitch/winbindd_pam.c2
-rw-r--r--source3/nsswitch/winbindd_passdb.c7
-rw-r--r--source3/nsswitch/winbindd_user.c6
-rw-r--r--source3/nsswitch/winbindd_util.c4
6 files changed, 29 insertions, 18 deletions
diff --git a/source3/nsswitch/winbindd_dual.c b/source3/nsswitch/winbindd_dual.c
index d1ad3330d4..14e0ef4ce2 100644
--- a/source3/nsswitch/winbindd_dual.c
+++ b/source3/nsswitch/winbindd_dual.c
@@ -559,7 +559,6 @@ static void child_msg_offline(int msg_type, struct process_id src, void *buf, si
static void child_msg_online(int msg_type, struct process_id src, void *buf, size_t len)
{
struct winbindd_domain *domain;
- int ret;
DEBUG(5,("child_msg_online received.\n"));
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 38d47ca3d7..6e7a242379 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -41,8 +41,8 @@ static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name,
const char *gr_name, gid_t unix_gid)
{
fstring full_group_name;
- /* Fill in uid/gid */
- fill_domain_username(full_group_name, dom_name, gr_name);
+
+ fill_domain_username( full_group_name, dom_name, gr_name, False);
gr->gr_gid = unix_gid;
@@ -146,7 +146,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
/* Append domain name */
- fill_domain_username(name, domain->name, the_name);
+ fill_domain_username(name, domain->name, the_name, False);
len = strlen(name);
@@ -201,7 +201,8 @@ done:
void winbindd_getgrnam(struct winbindd_cli_state *state)
{
- DOM_SID group_sid;
+ DOM_SID group_sid, tmp_sid;
+ uint32 grp_rid;
struct winbindd_domain *domain;
enum SID_NAME_USE name_type;
fstring name_domain, name_group;
@@ -270,6 +271,20 @@ void winbindd_getgrnam(struct winbindd_cli_state *state)
return;
}
+ /* Make sure that the group SID is within the domain of the
+ original domain */
+
+ sid_copy( &tmp_sid, &group_sid );
+ sid_split_rid( &tmp_sid, &grp_rid );
+ if ( !sid_equal( &tmp_sid, &domain->sid ) ) {
+ DEBUG(3,("winbindd_getgrnam: group %s resolves to a SID in the wrong domain [%s]\n",
+ state->request.data.groupname, sid_string_static(&group_sid)));
+ request_error(state);
+ return;
+ }
+
+
+
/* Try to get the GID */
status = idmap_sid_to_gid(&group_sid, &gid, 0);
@@ -731,7 +746,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
/* Fill in group entry */
fill_domain_username(domain_group_name, ent->domain_name,
- name_list[ent->sam_entry_index].acct_name);
+ name_list[ent->sam_entry_index].acct_name, False);
result = fill_grent(&group_list[group_list_ndx],
ent->domain_name,
@@ -905,7 +920,7 @@ void winbindd_list_groups(struct winbindd_cli_state *state)
groups.sam_entries)[i].acct_name;
fstring name;
- fill_domain_username(name, domain->name, group_name);
+ fill_domain_username(name, domain->name, group_name, False);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
strlen(name));
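Review bot: The domain check added to winbindd_getgrnam (the `sid_copy` / `sid_split_rid` / `sid_equal` sequence against `domain->sid`) is the guard that keeps a name lookup in one domain from handing back a gid for a group that lives in another, but its comment "within the domain of the original domain" does not say that, and it is followed by three added blank lines. I would collapse the blank lines to one and make the comment state the intent: `/* Reject a group whose SID is not in the domain that was queried; otherwise BUILTIN\Administrators and SERVER\Administrators could resolve to the same gid. */`. The copy/split/compare triple is what `sid_peek_check_rid()` does in a single call, if that helper is present in this tree. The rest of winbindd_getgrnam lies outside the hunk; the other hunks in this file only thread the new `False` argument through the fill_domain_username calls.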
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 3e30d70522..d460c14769 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -1515,7 +1515,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
nt_domain = name_domain;
}
- fill_domain_username(username_out, nt_domain, nt_username);
+ fill_domain_username(username_out, nt_domain, nt_username, True);
DEBUG(5, ("Setting unix username to [%s]\n", username_out));
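Review bot: The bare `True` passed to fill_domain_username here gives a reader no hint that the new fourth parameter decides whether the domain prefix may be dropped, and the same opaque literal appears in the winbindd_passdb.c add_member hunk and the three winbindd_user.c hunks, while the winbindd_group.c hunks pass `False`. A short comment at this call site would carry the asymmetry: `/* can_assume=True: users may lose the domain prefix when assume_domain() applies; group names keep it (see winbindd_group.c) */`. The enclosing winbindd_dual_pam_auth_crap starts and ends outside the hunk.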
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 96a85a4f3a..73020cd6bc 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -33,7 +33,7 @@ static void add_member(const char *domain, const char *user,
{
fstring name;
- fill_domain_username(name, domain, user);
+ fill_domain_username(name, domain, user, True);
safe_strcat(name, ",", sizeof(name)-1);
string_append(pp_members, name);
*p_num_members += 1;
@@ -248,10 +248,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
if (!pdb_find_alias(name, sid))
return NT_STATUS_NONE_MAPPED;
- if (sid_check_is_in_builtin(sid))
- *type = SID_NAME_WKN_GRP;
- else
- *type = SID_NAME_ALIAS;
+ *type = SID_NAME_ALIAS;
return NT_STATUS_OK;
}
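Review bot: Dropping the `sid_check_is_in_builtin` branch in name_to_sid means an alias found by pdb_find_alias is now always reported as SID_NAME_ALIAS, where a BUILTIN alias was previously typed SID_NAME_WKN_GRP; any caller that keyed its handling on SID_NAME_WKN_GRP will now take the alias path, and nothing in the hunk records why that is intended. Presumably this goes with the getgrnam domain check in winbindd_group.c, which now separates BUILTIN and local groups by SID rather than by name type — if so, a one-line comment above the assignment would save the next reader the archaeology: `/* BUILTIN vs. local is decided by the SID's domain, not the name type */`. The start of name_to_sid lies outside the hunk.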
diff --git a/source3/nsswitch/winbindd_user.c b/source3/nsswitch/winbindd_user.c
index b48284a031..9b0796fb67 100644
--- a/source3/nsswitch/winbindd_user.c
+++ b/source3/nsswitch/winbindd_user.c
@@ -97,7 +97,7 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
/* Username */
- fill_domain_username(output_username, dom_name, user_name);
+ fill_domain_username(output_username, dom_name, user_name, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
@@ -289,7 +289,7 @@ static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
pw = &s->state->response.data.pw;
pw->pw_uid = s->uid;
pw->pw_gid = s->gid;
- fill_domain_username(output_username, s->domain->name, s->username);
+ fill_domain_username(output_username, s->domain->name, s->username, True);
safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1);
@@ -781,7 +781,7 @@ void winbindd_list_users(struct winbindd_cli_state *state)
fstrcpy(acct_name, info[i].acct_name);
}
- fill_domain_username(name, domain->name, acct_name);
+ fill_domain_username(name, domain->name, acct_name, True);
/* Append to extra data */
memcpy(&extra_data[extra_data_len], name,
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 0678376e8f..64b4dd27a3 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -877,14 +877,14 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
username is then unqualified in unix
*/
-void fill_domain_username(fstring name, const char *domain, const char *user)
+void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
{
fstring tmp_user;
fstrcpy(tmp_user, user);
strlower_m(tmp_user);
- if (assume_domain(domain)) {
+ if (can_assume && assume_domain(domain)) {
strlcpy(name, user, sizeof(fstring));
} else {
slprintf(name, sizeof(fstring) - 1, "%s%c%s",