r14855: Various fixes:

* depreacte 'acl group control' after discussion with Jeremy
  and implement functionality as part of 'dos filemode'
* fix winbindd on a non-member server to expand local groups
* prevent code previously only used by smbd from blindly
  turning _NO_WINBINDD back on
(This used to be commit 4ab372f4cab22225716b5c9a9a08f0c1dbc9928d)

4 files changed, 45 insertions, 25 deletions

diff --git a/source3/nsswitch/wb_common.c b/source3/nsswitch/wb_common.c
index dfefeb9f75..05f080e73a 100644
--- a/source3/nsswitch/wb_common.c
+++ b/source3/nsswitch/wb_common.c
@@ -618,16 +618,15 @@ NSS_STATUS winbindd_request_response(int req_type,
 /* Use putenv() instead of setenv() in these functions as not all
    environments have the latter. */
 
-BOOL winbind_off( void )
+BOOL winbind_putenv( const char *s )
 {
-	static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=1");
+	fstring env;
 
-	return putenv(s) != -1;
-}
+	if ( !s ) {
+		return False;
+	}
 
-BOOL winbind_on( void )
-{
-	static char *s = CONST_DISCARD(char *, WINBINDD_DONT_ENV "=0");
+	snprintf( env, sizeof(env), "%s=%s", WINBINDD_DONT_ENV, s );
 
-	return putenv(s) != -1;
+	return putenv(env) != -1;
 }
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 72dd39373b..51a7c1f6b0 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -945,7 +945,10 @@ int main(int argc, char **argv)
 	/* Set environment variable so we don't recursively call ourselves.
 	   This may also be useful interactively. */
 
-	setenv(WINBINDD_DONT_ENV, "1", 1);
+	if ( !winbind_putenv("0") ) {
+		DEBUG(0,("Failed to disable recusive winbindd calls.  Exiting.\n"));
+		exit(1);
+	}
 
 	/* Initialise samba/rpc client stuff */
 
diff --git a/source3/nsswitch/winbindd_passdb.c b/source3/nsswitch/winbindd_passdb.c
index 6c8dafa118..64d811464b 100644
--- a/source3/nsswitch/winbindd_passdb.c
+++ b/source3/nsswitch/winbindd_passdb.c
@@ -301,7 +301,28 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 				  const DOM_SID *user_sid,
 				  uint32 *num_groups, DOM_SID **user_gids)
 {
-	return NT_STATUS_NO_SUCH_USER;
+	NTSTATUS result;
+	DOM_SID *groups = NULL;
+	gid_t *gids = NULL;
+	size_t ngroups = 0;
+	struct samu *user;
+
+	if ( (user = samu_new(mem_ctx)) == NULL ) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	if ( !pdb_getsampwsid( user, user_sid ) ) {
+		return NT_STATUS_NO_SUCH_USER;
+	}
+
+	result = pdb_enum_group_memberships( mem_ctx, user, &groups, &gids, &ngroups );
+
+	TALLOC_FREE( user );
+
+	*num_groups = (uint32)ngroups;
+	*user_gids = groups;
+
+	return result;
 }
 
 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
diff --git a/source3/nsswitch/winbindd_util.c b/source3/nsswitch/winbindd_util.c
index 367f319987..16fab6d7e5 100644
--- a/source3/nsswitch/winbindd_util.c
+++ b/source3/nsswitch/winbindd_util.c
@@ -504,18 +504,14 @@ BOOL init_domain_list(void)
 	extern struct winbindd_methods cache_methods;
 	extern struct winbindd_methods passdb_methods;
 	struct winbindd_domain *domain;
+	int role = lp_server_role();
 
 	/* Free existing list */
 	free_domain_list();
 
 	/* Add ourselves as the first entry. */
 
-	if (IS_DC) {
-		domain = add_trusted_domain(get_global_sam_name(), NULL,
-					    &passdb_methods,
-					    get_global_sam_sid());
-	} else {
-
+	if ( role == ROLE_DOMAIN_MEMBER ) {
 		DOM_SID our_sid;
 
 		if (!secrets_fetch_domain_sid(lp_workgroup(), &our_sid)) {
@@ -525,24 +521,25 @@ BOOL init_domain_list(void)
 	
 		domain = add_trusted_domain( lp_workgroup(), lp_realm(),
 					     &cache_methods, &our_sid);
+		domain->primary = True;
+		setup_domain_child(domain, &domain->child, NULL);
 	}
 
-	domain->primary = True;
+	/* Local SAM */
+
+	domain = add_trusted_domain(get_global_sam_name(), NULL,
+				    &passdb_methods, get_global_sam_sid());
+	if ( role != ROLE_DOMAIN_MEMBER ) {
+		domain->primary = True;
+	}
 	setup_domain_child(domain, &domain->child, NULL);
 
-	/* Add our local SAM domains */
+	/* BUILTIN domain */
 
 	domain = add_trusted_domain("BUILTIN", NULL, &passdb_methods,
 				    &global_sid_Builtin);
 	setup_domain_child(domain, &domain->child, NULL);
 
-	if (!IS_DC) {
-		domain = add_trusted_domain(get_global_sam_name(), NULL,
-					    &passdb_methods,
-					    get_global_sam_sid());
-		setup_domain_child(domain, &domain->child, NULL);
-	}
-
 	return True;
 }