s3-pdb_ipa: Derive domain GUID from SID

Signed-off-by: Günther Deschner <gd@samba.org>

1 files changed, 23 insertions, 2 deletions

diff --git a/source3/passdb/pdb_ipa.c b/source3/passdb/pdb_ipa.c
index 02f7bb6888..bc27520c9d 100644
--- a/source3/passdb/pdb_ipa.c
+++ b/source3/passdb/pdb_ipa.c
@@ -23,6 +23,7 @@
 #include "libcli/security/dom_sid.h"
 #include "../librpc/ndr/libndr.h"
 #include "librpc/gen_ndr/samr.h"
+#include "secrets.h"
 
 #include "smbldap.h"
 
@@ -717,9 +718,11 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
 							  TALLOC_CTX *mem_ctx)
 {
 	struct pdb_domain_info *info;
-	NTSTATUS status;
 	struct ldapsam_privates *ldap_state =
 			(struct ldapsam_privates *)pdb_methods->private_data;
+	char sid_buf[24];
+	DATA_BLOB sid_blob;
+	NTSTATUS status;
 
 	info = talloc(mem_ctx, struct pdb_domain_info);
 	if (info == NULL) {
@@ -738,9 +741,27 @@ static struct pdb_domain_info *pdb_ipasam_get_domain_info(struct pdb_methods *pd
 	}
 	strlower_m(info->dns_domain);
 	info->dns_forest = talloc_strdup(info, info->dns_domain);
+
+	/* we expect a domain SID to have 4 sub IDs */
+	if (ldap_state->domain_sid.num_auths != 4) {
+		goto fail;
+	}
+
 	sid_copy(&info->sid, &ldap_state->domain_sid);
 
-	status = GUID_from_string("testguid", &info->guid);
+	if (!sid_linearize(sid_buf, sizeof(sid_buf), &info->sid)) {
+		goto fail;
+	}
+
+	/* the first 8 bytes of the linearized SID are not random,
+	 * so we skip them */
+	sid_blob.data = (uint8_t *) sid_buf + 8 ;
+	sid_blob.length = 16;
+
+	status = GUID_from_ndr_blob(&sid_blob, &info->guid);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto fail;
+	}
 
 	return info;