added mapping of primary gid to rid thru the group mapping code.

and cleanup and comments in passdb/passdb.c


	J.F.
(This used to be commit 6533339887832ca6dd42d99385c615db7bee3d43)

5 files changed, 143 insertions, 29 deletions

diff --git a/source3/passdb/nispass.c b/source3/passdb/nispass.c
index 79465982ec..0f41b47549 100644
--- a/source3/passdb/nispass.c
+++ b/source3/passdb/nispass.c
@@ -302,9 +302,20 @@ static BOOL make_sam_from_nisp_object(struct sam_passwd *pw_buf, nis_object *obj
 	  sam_logon_in_ssb = True;
 	  
 	  get_single_attribute(obj, NPF_GROUP_RID, temp, sizeof(pstring));
-	  pw_buf->group_rid = (strlen(temp) > 0) ?
-	    strtol(temp, NULL, 16) : pdb_gid_to_group_rid (pw_buf->smb_grpid);
 	  
+	  if (strlen(temp) > 0)
+	  	pw_buf->group_rid = strtol(temp, NULL, 16);
+	  else {
+	  	GROUP_MAP map;
+		
+		if (get_group_map_from_gid(pw_buf->smb_grpid, &map)) {
+			free_privileges(&map.priv_set);
+			pw_buf->group_rid = map.rid;
+		}
+		else
+			pw_buf->group_rid = pdb_gid_to_group_rid(pw_buf->smb_grpid);
+	  }
+
 	  get_single_attribute(obj, NPF_FULL_NAME, full_name, sizeof(pstring));
 #if 1
 	  /* It seems correct to use the global values - but in that case why
diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index b07dec7c0d..8555186826 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -119,6 +119,8 @@ BOOL pdb_init_sam(SAM_ACCOUNT **user)
 BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
 {
 	pstring str;
+	GROUP_MAP map;
+	uint32 rid;
 	extern BOOL sam_logon_in_ssb;
 	extern pstring samlogon_user;
 
@@ -139,7 +141,14 @@ BOOL pdb_init_sam_pw(SAM_ACCOUNT **new_sam_acct, const struct passwd *pwd)
 	pdb_set_gid(*new_sam_acct, &pwd->pw_gid);
 
 	pdb_set_user_rid(*new_sam_acct, pdb_uid_to_user_rid(pwd->pw_uid));
-	pdb_set_group_rid(*new_sam_acct, pdb_gid_to_group_rid(pwd->pw_gid));
+
+	/* call the mapping code here */
+	if(get_group_map_from_gid(pwd->pw_gid, &map)) {
+		free_privilege(&map.priv_set);
+		sid_peek_rid(&map.sid, &rid);
+	} else
+		rid=pdb_gid_to_group_rid(pwd->pw_gid);
+	pdb_set_group_rid(*new_sam_acct, rid);
 
 	/* UGLY, UGLY HACK!!! */
 	pstrcpy(samlogon_user, pwd->pw_name);
@@ -379,6 +388,7 @@ BOOL pdb_gethexpwd(const char *p, unsigned char *pwd)
 
 BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
 {
+	GROUP_MAP map;
 	struct passwd *pw = Get_Pwnam(user_name);
 
 	if (u_rid == NULL || g_rid == NULL || user_name == NULL)
@@ -394,7 +404,12 @@ BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
 	*u_rid = pdb_uid_to_user_rid(pw->pw_uid);
 
 	/* absolutely no idea what to do about the unix GID to Domain RID mapping */
-	*g_rid = pdb_gid_to_group_rid(pw->pw_gid);
+	/* map it ! */
+	if (get_group_map_from_gid(pw->pw_gid, &map)) {
+		free_privilege(&map.priv_set);
+		sid_peek_rid(&map.sid, g_rid);
+	} else 
+		*g_rid = pdb_gid_to_group_rid(pw->pw_gid);
 
 	return True;
 }
@@ -408,14 +423,6 @@ uid_t pdb_user_rid_to_uid(uint32 user_rid)
 	return (uid_t)(((user_rid & (~USER_RID_TYPE))- 1000)/RID_MULTIPLIER);
 }
 
-/*******************************************************************
- Converts NT user RID to a UNIX gid.
- ********************************************************************/
-
-gid_t pdb_user_rid_to_gid(uint32 user_rid)
-{
-	return (uid_t)(((user_rid & (~GROUP_RID_TYPE))- 1000)/RID_MULTIPLIER);
-}
 
 /*******************************************************************
  Converts NT group RID to a UNIX gid.
@@ -437,6 +444,10 @@ uint32 pdb_uid_to_user_rid(uid_t uid)
 
 /*******************************************************************
  converts NT Group RID to a UNIX uid.
+ 
+ warning: you must not call that function only
+ you must do a call to the group mapping first.
+ there is not anymore a direct link between the gid and the rid.
  ********************************************************************/
 
 uint32 pdb_gid_to_group_rid(gid_t gid)
@@ -560,7 +571,7 @@ BOOL local_lookup_rid(uint32 rid, char *name, enum SID_NAME_USE *psid_name_use)
 			}
 		}
 		
-		gid = pdb_user_rid_to_gid(rid);
+		gid = pdb_group_rid_to_gid(rid);
 		gr = getgrgid(gid);
 
 		*psid_name_use = SID_NAME_ALIAS;
@@ -643,11 +654,32 @@ BOOL local_lookup_name(const char *c_domain, const char *c_user, DOM_SID *psid,
 				sid_copy(&local_sid, &map.sid);
 				*psid_name_use = map.sid_name_use;
 			}
+			else
+				/* it's a correct name but not mapped so it points to nothing*/
+				return False;
 		} else {
+			/* it's not a mapped group */
 			grp = getgrnam(user);
 			if(!grp)
 				return False;
 
+			/* 
+			 *check if it's mapped, if it is reply it doesn't exist
+			 *
+			 * that's to prevent this case:
+			 *
+			 * unix group ug is mapped to nt group ng
+			 * someone does a lookup on ug
+			 * we must not reply as it doesn't "exist" anymore
+			 * for NT. For NT only ng exists.
+			 * JFM, 30/11/2001
+			 */
+			
+			if(get_group_map_from_gid(grp->gr_gid, &map)){
+				free_privilege(&map.priv_set);
+				return False;
+			}
+
 			sid_append_rid( &local_sid, pdb_gid_to_group_rid(grp->gr_gid));
 			*psid_name_use = SID_NAME_ALIAS;
 		}
@@ -722,10 +754,18 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 
 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
 {
-    extern DOM_SID global_sam_sid;
+	extern DOM_SID global_sam_sid;
+	GROUP_MAP map;
 
 	sid_copy(psid, &global_sam_sid);
-	sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+	
+	if (get_group_map_from_gid(gid, &map)) {
+		free_privilege(&map.priv_set);
+		sid_copy(psid, &map.sid);
+	}
+	else {
+		sid_append_rid(psid, pdb_gid_to_group_rid(gid));
+	}
 
 	return psid;
 }
@@ -736,11 +776,12 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
 
 BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-    extern DOM_SID global_sam_sid;
+	extern DOM_SID global_sam_sid;
 	DOM_SID dom_sid;
 	uint32 rid;
 	fstring str;
 	struct group *grp;
+	GROUP_MAP map;
 
 	*name_type = SID_NAME_UNKNOWN;
 
@@ -750,6 +791,8 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	/*
 	 * We can only convert to a gid if this is our local
 	 * Domain SID (ie. we are the controling authority).
+	 *
+	 * Or in the Builtin SID too. JFM, 11/30/2001
 	 */
 
 	if (!sid_equal(&global_sam_sid, &dom_sid))
@@ -758,7 +801,19 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	if (pdb_rid_is_user(rid))
 		return False;
 
-	*pgid = pdb_user_rid_to_gid(rid);
+	if (get_group_map_from_sid(*psid, &map)) {
+		free_privilege(&map.priv_set);
+
+		/* the SID is in the mapping table but not mapped */
+		if (map.gid==-1)
+			return False;
+
+		sid_peek_rid(&map.sid, pgid);
+		*name_type = map.sid_name_use;
+	} else {
+		*pgid = pdb_group_rid_to_gid(rid);
+		*name_type = SID_NAME_ALIAS;
+	}
 
 	/*
 	 * Ensure this gid really does exist.
@@ -770,8 +825,6 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u) (%s).\n", sid_to_string( str, psid),
 		(unsigned int)*pgid, grp->gr_name ));
 
-	*name_type = SID_NAME_ALIAS;
-
 	return True;
 }
 
@@ -918,7 +971,8 @@ account without a valid local system user.\n", user_name);
 		}
 
 		/* set account flags. Note that the default is non-expiring accounts */
-		if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL|ACB_PWNOEXP) )) {
+		/*if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL|ACB_PWNOEXP) )) {*/
+		if (!pdb_set_acct_ctrl(sam_pass,((local_flags & LOCAL_TRUST_ACCOUNT) ? ACB_WSTRUST : ACB_NORMAL) )) {
 			slprintf(err_str, err_str_len-1, "Failed to set 'trust account' flags for user %s.\n", user_name);
 			pdb_free_sam(&sam_pass);
 			return False;
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index 62c3a1b4a2..d0eebbed89 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -577,13 +577,22 @@ static BOOL init_ldap_from_sam (LDAPMod *** mods, int ldap_state, const SAM_ACCO
 	make_a_mod(mods, ldap_state, "description", pdb_get_acct_desc(sampass));
 	make_a_mod(mods, ldap_state, "userWorkstations", pdb_get_workstations(sampass));
 
-       if ( !sampass->user_rid)
+	if ( !sampass->user_rid)
                sampass->user_rid = pdb_uid_to_user_rid(pdb_get_uid(sampass));
 	slprintf(temp, sizeof(temp) - 1, "%i", sampass->user_rid);
 	make_a_mod(mods, ldap_state, "rid", temp);
 
-       if ( !sampass->group_rid)
-               sampass->group_rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
+	if ( !sampass->group_rid) {
+		GROUP_MAP map;
+	
+		if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) {
+			free_privilege(&map.priv_set);
+			sid_peek_rid(&map.sid, &sampass->group_rid);
+		}
+		else 
+			sampass->group_rid = pdb_gid_to_group_rid(pdb_get_gid(sampass));
+	}
+
 	slprintf(temp, sizeof(temp) - 1, "%i", sampass->group_rid);
 	make_a_mod(mods, ldap_state, "primaryGroupID", temp);
 
diff --git a/source3/passdb/pdb_nisplus.c b/source3/passdb/pdb_nisplus.c
index 6a97bd02b8..aff0870a8d 100644
--- a/source3/passdb/pdb_nisplus.c
+++ b/source3/passdb/pdb_nisplus.c
@@ -493,9 +493,24 @@ static BOOL init_nisp_from_sam(nis_object *obj, const SAM_ACCOUNT *sampass,
 	   pdb_get_user_rid(sampass)? pdb_get_user_rid(sampass):
 	   pdb_uid_to_user_rid(pdb_get_uid(sampass))); 
   slprintf(gid, sizeof(gid)-1, "%u", pdb_get_gid(sampass));
-  slprintf(group_rid, sizeof(group_rid)-1, "%u",
-	   pdb_get_group_rid(sampass)? pdb_get_group_rid(sampass):
-	   pdb_gid_to_group_rid(pdb_get_gid(sampass)));
+
+	{
+		uint32 rid;
+		GROUP_MAP map;
+	
+		rid=pdb_get_group_rid(sampass);
+
+		if (rid==0) {
+			if (get_group_map_from_gid(pdb_get_gid(sampass), &map)) {
+				free_privilege(&map.priv_set);
+				sid_peek_rid(&map.sid, &rid);
+			} else 
+				rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
+		}
+
+  		slprintf(group_rid, sizeof(group_rid)-1, "%u", rid);
+	}
+	 
   acb = pdb_encode_acct_ctrl(pdb_get_acct_ctrl(sampass),
 			     NEW_PW_FORMAT_SPACE_PADDED_LEN);
   pdb_sethexpwd (smb_passwd, pdb_get_lanman_passwd(sampass),
diff --git a/source3/passdb/pdb_smbpasswd.c b/source3/passdb/pdb_smbpasswd.c
index fa2a2a82e7..c189d9a9b7 100644
--- a/source3/passdb/pdb_smbpasswd.c
+++ b/source3/passdb/pdb_smbpasswd.c
@@ -1164,10 +1164,24 @@ static BOOL build_smb_pass (struct smb_passwd *smb_pw, const SAM_ACCOUNT *sampas
 		return False;
 	}
 
+#if 0
+	/*
+	 * ifdef'out by JFM on 11/29/2001.
+	 * this assertion is no longer valid
+	 * and I don't understand the goal 
+	 * and doing the same thing with the group mapping code
+	 * is hairy !
+	 *
+	 * We just have the RID, in which SID is it valid ?
+	 * our domain SID ? well known SID ? local SID ?
+	 */
+
 	if (*gid != pdb_group_rid_to_gid(pdb_get_group_rid(sampass))) {
 		DEBUG(0,("build_sam_pass: Failing attempt to store user with non-gid based primary group RID. \n"));
+		DEBUG(0,("build_sam_pass: %d %d %d. \n", *gid, pdb_group_rid_to_gid(pdb_get_group_rid(sampass)), pdb_get_group_rid(sampass)));
 		return False;
 	}
+#endif
 
 	return True;
 }	
@@ -1207,8 +1221,19 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw
 	
 	pdb_set_user_rid(sam_pass, pdb_uid_to_user_rid (pwfile->pw_uid));
 
-	/* should check the group mapping here instead of static mappig. JFM */
-	pdb_set_group_rid(sam_pass, pdb_gid_to_group_rid(pwfile->pw_gid)); 
+	{
+		uint32 rid;
+		GROUP_MAP map;
+	
+		if (get_group_map_from_gid(pwfile->pw_gid, &map)) {
+			free_privilege(&map.priv_set);
+			sid_peek_rid(&map.sid, &rid);
+		}
+		else 
+			rid=pdb_gid_to_group_rid(pwfile->pw_gid);
+
+		pdb_set_group_rid(sam_pass, rid); 
+	}
 	
 	pdb_set_username (sam_pass, pw_buf->smb_name);
 	pdb_set_nt_passwd (sam_pass, pw_buf->smb_nt_passwd);
@@ -1249,7 +1274,7 @@ static BOOL build_sam_account(SAM_ACCOUNT *sam_pass, const struct smb_passwd *pw
 		
 	} else {
 		/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
-		pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); 
+		/*pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); */
 	}
 
 	sam_logon_in_ssb = False;