r13545: A patch which I think it's time has come. VOlker, we can talk about

this more but it gets around the primary group issue.

* don't map a SID to a name from the group mapping code if
  the map doesn't have a valid gid.  This is only an issue
  in a tdb setup
* Always allow S-1-$DOMAIN-513 to resolve (just like Windows)
* if we cannot resolve a users primary GID to a SID, then set
  it to S-1-$DOMAIN-513
* Ignore the primary group SID inside pdb_enum_group_memberships().
  Only look at the Unix group membersip.

Jeremy, this fixes a fresh install startup for smbd as far as my tests
are concerned.
(This used to be commit f79f4dc4c58a6172bf69d37469fdd8de05a812df)

1 files changed, 11 insertions, 1 deletions

diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 71fb36e0d5..046e658d2b 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -571,10 +571,20 @@ BOOL pdb_set_user_sid_from_string (SAM_ACCOUNT *sampass, fstring u_sid, enum pdb
 
 BOOL pdb_set_group_sid (SAM_ACCOUNT *sampass, const DOM_SID *g_sid, enum pdb_value_state flag)
 {
+	gid_t gid;
+
 	if (!sampass || !g_sid)
 		return False;
 
-	sid_copy(&sampass->private_u.group_sid, g_sid);
+	/* if we cannot resolve the SID to gid, then just ignore it and 
+	   store DOMAIN_USERS as the primary groupSID */
+
+	if ( sid_to_gid( g_sid, &gid ) ) {
+		sid_copy(&sampass->private_u.group_sid, g_sid);
+	} else {
+		sid_copy( &sampass->private_u.group_sid, get_global_sam_sid() );
+		sid_append_rid( &sampass->private_u.group_sid, DOMAIN_GROUP_RID_USERS );
+	}
 
 	DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", 
 		    sid_string_static(&sampass->private_u.group_sid)));