and so it begins....

* remove idmap_XX_to_XX calls from smbd.  Move back to the
  the winbind_XXX and local_XXX calls used in 2.2

* all uid/gid allocation must involve winbindd now

* move flags field around in winbindd_request struct

* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
  to prevent automatic allocation for unknown SIDs

* add 'winbind trusted domains only' parameter to force a domain member
  server to use matching users names from /etc/passwd for its domain
  (needed for domain member of a Samba domain)

* rename 'idmap only' to 'enable rid algorithm' for better clarity
  (defaults to "yes")

code has been tested on

  * domain member of native mode 2k domain
  * ads domain member of native mode 2k domain
  * domain member of NT4 domain
  * domain member of Samba domain
  * Samba PDC running winbindd with trusts

Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'

This will be a long week of changes.  The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4aedba12a33289ff32880037ce950a8)

2 files changed, 206 insertions, 6 deletions

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index de919ef6f9..4c50b05107 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -892,10 +892,6 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 
 /*************************************************************
  Change a password entry in the local smbpasswd file.
-
-It is currently being called by SWAT and by smbpasswd.
- 
- --jerry
  *************************************************************/
 
 BOOL local_password_change(const char *user_name, int local_flags,
@@ -1040,3 +1036,201 @@ BOOL local_password_change(const char *user_name, int local_flags,
 	pdb_free_sam(&sam_pass);
 	return True;
 }
+
+/****************************************************************************
+ Convert a uid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
+{
+	SAM_ACCOUNT *sampw = NULL;
+	struct passwd *unix_pw;
+	
+	
+	
+	winbind_off();
+	unix_pw = sys_getpwuid( uid );
+	winbind_on();
+
+	if ( !unix_pw ) {
+		DEBUG(4,("local_uid_to_sid: host has know idea of uid %d\n", uid));
+		return NULL;
+	}
+	
+	if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
+		DEBUG(0,("local_uid_to_sid: failed to allocate SAM_ACCOUTN object\n"));
+		return NULL;
+	}
+	
+	if ( !pdb_getsampwnam( sampw, unix_pw->pw_name ) ) {
+		DEBUG(4,("local_uid_to_sid: User %s [uid == %d] has no samba account\n",
+			unix_pw->pw_name, uid));
+		return NULL;
+	}
+	
+	sid_copy( psid, pdb_get_user_sid(sampw) );
+	
+	DEBUG(10,("local_uid_to_sid:  uid (%d) -> SID %s (%s).\n", 
+		(unsigned int)uid, sid_string_static(psid), unix_pw->pw_name));
+	
+	return psid;
+}
+
+/****************************************************************************
+ Convert a SID to uid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+	DOM_SID dom_sid;
+	uint32 rid;
+	SAM_ACCOUNT *sampw = NULL;	
+	struct passwd *unix_pw;
+	const char *user_name;
+
+	*name_type = SID_NAME_UNKNOWN;
+
+	sid_copy(&dom_sid, psid);
+	sid_split_rid(&dom_sid, &rid);
+
+	/*
+	 * We can only convert to a uid if this is our local
+	 * Domain SID (ie. we are the controling authority).
+	 */
+	if ( !sid_equal(get_global_sam_sid(), &dom_sid) )
+		return False;
+
+
+	/* lookup the user account */
+	
+	if ( !NT_STATUS_IS_OK(pdb_init_sam(&sampw)) ) {
+		DEBUG(0,("local_sid_to_uid: Failed to allocate memory for SAM_ACCOUNT object\n"));
+		return False;
+	}
+		
+	if ( !pdb_getsampwsid(sampw, psid) ) {
+		DEBUG(8,("local_sid_to_uid: Could not find SID %s in passdb\n",
+			sid_string_static(psid)));
+		return False;
+	}
+	
+	user_name = pdb_get_username(sampw);
+
+	winbind_off();
+	unix_pw = sys_getpwnam( user_name );
+	winbind_on();
+
+	if ( !unix_pw ) {
+		DEBUG(0,("local_sid_to_uid: %s found in passdb but getpwnam() return NULL!\n",
+			user_name));
+		pdb_free_sam( &sampw );
+		return False;
+	}
+		
+	*puid = unix_pw->pw_uid;
+	
+	DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_string_static(psid),
+		(unsigned int)*puid, user_name ));
+
+	*name_type = SID_NAME_USER;
+	
+	return True;
+}
+
+/****************************************************************************
+ Convert a gid to SID - locally.
+****************************************************************************/
+
+DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
+{
+	GROUP_MAP group;
+	
+	/* we don't need to disable winbindd since the gid is stored in 
+	   the GROUP_MAP object */
+
+	if ( !pdb_getgrgid( &group, gid ) ) {
+
+		/* fallback to rid mapping if enabled */
+
+		if ( lp_enable_rid_algorithm() ) {
+			sid_copy(psid, get_global_sam_sid());
+			sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+
+			DEBUG(10,("local_gid_to_sid: Fall back to algorithmic mapping: %u -> %s\n", 
+				(unsigned int)gid, sid_string_static(psid)));
+				
+			return psid;
+		}
+		else
+			return NULL;
+	}
+	
+	sid_copy( psid, &group.sid );
+	
+	DEBUG(10,("local_gid_to_sid:  gid (%d) -> SID %s.\n", 
+		(unsigned int)gid, sid_string_static(psid)));	
+	
+	return psid;
+}
+
+/****************************************************************************
+ Convert a SID to gid - locally.
+****************************************************************************/
+
+BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+{
+	DOM_SID dom_sid;
+	uint32 rid;
+	GROUP_MAP group;
+
+	*name_type = SID_NAME_UNKNOWN;
+
+	/* This call can enumerate grou mappings for foreign sids as well.
+	   So don't check for a match against our domain SID */
+
+	/* we don't need to disable winbindd since the gid is stored in 
+	   the GROUP_MAP object */
+
+	if ( !pdb_getgrsid(&group, *psid) ) {
+
+		/* fallback to rid mapping if enabled */
+
+		if ( lp_enable_rid_algorithm() ) {
+			sid_copy(&dom_sid, psid);
+			sid_split_rid(&dom_sid, &rid);
+
+			if (!sid_equal(get_global_sam_sid(), &dom_sid) ) {
+				DEBUG(5,("local_sid_to_gid: RID algorithm only supported for our domain (not %s)\n",
+					sid_string_static(&dom_sid)));
+				return False;
+			}
+
+			if (!sid_peek_rid(psid, &rid)) {
+				DEBUG(10,("local_sid_to_uid: invalid SID!\n"));
+					return False;
+			}
+
+			DEBUG(10,("local_sid_to_gid: Fall back to algorithmic mapping\n"));
+
+			if (fallback_pdb_rid_is_user(rid)) {
+				DEBUG(3, ("local_sid_to_gid: SID %s is *NOT* a group\n", sid_string_static(psid)));
+				return False;
+			} else {
+				*pgid = pdb_group_rid_to_gid(rid);
+				DEBUG(10,("local_sid_to_gid: mapping: %s -> %u\n", sid_string_static(psid), (unsigned int)(*pgid)));
+				return True;
+			}
+		}
+		
+		return False;
+	}
+
+	*pgid = group.gid;
+
+	DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u)\n", sid_string_static(psid),
+		(unsigned int)*pgid));
+
+	return True;
+}
+
+
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 698365f42c..886fd809f3 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -2217,7 +2217,7 @@ static NTSTATUS ldapsam_getgroup(struct pdb_methods *methods,
 	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
 
 	if (count < 1) {
-		DEBUG(4, ("Did not find group for filter %s\n", filter));
+		DEBUG(4, ("Did not find group\n"));
 		return NT_STATUS_NO_SUCH_GROUP;
 	}
 
@@ -2327,6 +2327,7 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
 		(struct ldapsam_privates *)methods->private_data;
 	LDAPMessage *result = NULL;
 	LDAPMod **mods = NULL;
+	int count;
 
 	char *tmp;
 	pstring dn;
@@ -2347,7 +2348,12 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
 		return NT_STATUS_UNSUCCESSFUL;
 	}
 
-	if (ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result) != 1) {
+	count = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
+
+	if ( count == 0 )
+		return NT_STATUS_UNSUCCESSFUL;
+
+	if (count > 1) {
 		DEBUG(2, ("Group %i must exist exactly once in LDAP\n",
 			  map->gid));
 		ldap_msgfree(result);