added a boolean to the group mapping functions to specify if we need or

not the privileges. Usually we don't need them, so the memory is free
early.

lib/util_sid.c: added some helper functions to check an SID.

passdb/passdb.c: renamed local_lookup_rid() to local_lookup_sid() and pass
an RID all the way. If the group doesn't exist on the domain SID,
don't return a faked one as it can collide with a builtin one. Some rpc
structures have been badly designed, they return only rids and force the
client to do subsequent lsa_lookup_sid() on the domain sid and the builtin
sid !

rpc_server/srv_util.c: wrote a new version of get_domain_user_groups().
Only the samr code uses it atm. It uses the group mapping code instead of
a bloody hard coded crap. The netlogon code will use it too, but I have to
do some test first.

	J.F.
(This used to be commit 6c87e96149101995b7d049657d5c26eefef37d8c)

1 files changed, 8 insertions, 6 deletions

diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index b16e3836f6..da5597132d 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -622,7 +622,7 @@ NTSTATUS _lsa_enum_accounts(pipes_struct *p, LSA_Q_ENUM_ACCOUNTS *q_u, LSA_R_ENU
 		return NT_STATUS_INVALID_HANDLE;
 
 	/* get the list of mapped groups (domain, local, builtin) */
-	if(!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED))
+	if(!enum_group_mapping(SID_NAME_UNKNOWN, &map, &num_entries, ENUM_ONLY_MAPPED, MAPPING_WITHOUT_PRIV))
 		return NT_STATUS_OK;
 
 	if (q_u->enum_context >= num_entries)
@@ -727,7 +727,7 @@ NTSTATUS _lsa_enum_privsaccount(pipes_struct *p, LSA_Q_ENUMPRIVSACCOUNT *q_u, LS
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!get_group_map_from_sid(info->sid, &map))
+	if (!get_group_map_from_sid(info->sid, &map, MAPPING_WITH_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	DEBUG(10,("_lsa_enum_privsaccount: %d privileges\n", map.priv_set.count));
@@ -768,7 +768,7 @@ NTSTATUS _lsa_getsystemaccount(pipes_struct *p, LSA_Q_GETSYSTEMACCOUNT *q_u, LSA
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!get_group_map_from_sid(info->sid, &map))
+	if (!get_group_map_from_sid(info->sid, &map, MAPPING_WITHOUT_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	/*
@@ -799,7 +799,7 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!get_group_map_from_sid(info->sid, &map))
+	if (!get_group_map_from_sid(info->sid, &map, MAPPING_WITH_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	map.systemaccount=q_u->access;
@@ -807,6 +807,8 @@ NTSTATUS _lsa_setsystemaccount(pipes_struct *p, LSA_Q_SETSYSTEMACCOUNT *q_u, LSA
 	if(!add_mapping_entry(&map, TDB_REPLACE))
 		return NT_STATUS_NO_SUCH_GROUP;
 
+	free_privilege(&map.priv_set);
+
 	return r_u->status;
 }
 
@@ -829,7 +831,7 @@ NTSTATUS _lsa_addprivs(pipes_struct *p, LSA_Q_ADDPRIVS *q_u, LSA_R_ADDPRIVS *r_u
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!get_group_map_from_sid(info->sid, &map))
+	if (!get_group_map_from_sid(info->sid, &map, MAPPING_WITH_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	set=&q_u->set;
@@ -873,7 +875,7 @@ NTSTATUS _lsa_removeprivs(pipes_struct *p, LSA_Q_REMOVEPRIVS *q_u, LSA_R_REMOVEP
 	if (!find_policy_by_hnd(p, &q_u->pol, (void **)&info))
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!get_group_map_from_sid(info->sid, &map))
+	if (!get_group_map_from_sid(info->sid, &map, MAPPING_WITH_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	if (q_u->allrights!=0) {