authorVolker Lendecke <vlendec@samba.org>2004-11-12 15:49:47 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:53:15 -0500
commitf9e87b9ba65f37bafa45eacb1a6c9b8c5483d46b (patch)
tree226655c957de8578b3c3e0c854930b03e90d37a1 /source3/rpc_server
parent69ddbbf97b4c37cba879f7dd9ce8cb5f4d336857 (diff)
r3705: Nobody has commented, so I'll take this as an ack...
abartlet, I'd like to ask you to take a severe look at this! We have solved the problem to find the global groups a user is in twice: Once in auth_util.c and another time for the corresponding samr call. The attached patch unifies these and sends them through the passdb backend (new function pdb_enum_group_memberships). Thus it gives pdb_ldap.c the chance to further optimize the corresponding call if the samba and posix accounts are unified by issuing a specialized ldap query. The parameter to activate this ldapsam behaviour is ldapsam:trusted = yes Volker (This used to be commit b94838aff1a009f8d8c2c3efd48756a5b8f3f989)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_samr_nt.c49
-rw-r--r--source3/rpc_server/srv_util.c59
2 files changed, 44 insertions, 64 deletions
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index f4348fc83e..0c52e859ca 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -1943,11 +1943,16 @@ NTSTATUS _samr_query_userinfo(pipes_struct *p, SAMR_Q_QUERY_USERINFO *q_u, SAMR_
NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, SAMR_R_QUERY_USERGROUPS *r_u)
{
SAM_ACCOUNT *sam_pass=NULL;
+ struct passwd *passwd;
DOM_SID sid;
+ DOM_SID *sids;
DOM_GID *gids = NULL;
int num_groups = 0;
+ gid_t *unix_gids;
+ int i, num_gids, num_sids;
uint32 acc_granted;
BOOL ret;
+ NTSTATUS result;
/*
* from the SID in the request:
@@ -1986,19 +1991,53 @@ NTSTATUS _samr_query_usergroups(pipes_struct *p, SAMR_Q_QUERY_USERGROUPS *q_u, S
pdb_free_sam(&sam_pass);
return NT_STATUS_NO_SUCH_USER;
}
-
- if(!get_domain_user_groups(p->mem_ctx, &num_groups, &gids, sam_pass)) {
+
+ passwd = getpwnam_alloc(pdb_get_username(sam_pass));
+ if (passwd == NULL) {
pdb_free_sam(&sam_pass);
- return NT_STATUS_NO_SUCH_GROUP;
+ return NT_STATUS_NO_SUCH_USER;
}
+
+ sids = NULL;
+ num_sids = 0;
+
+ become_root();
+ result = pdb_enum_group_memberships(pdb_get_username(sam_pass),
+ passwd->pw_gid,
+ &sids, &unix_gids, &num_groups);
+ unbecome_root();
+
+ pdb_free_sam(&sam_pass);
+ passwd_free(&passwd);
+
+ if (!NT_STATUS_IS_OK(result))
+ return result;
+
+ SAFE_FREE(unix_gids);
+
+ gids = NULL;
+ num_gids = 0;
+
+ for (i=0; i<num_groups; i++) {
+ uint32 rid;
+
+ if (!sid_peek_check_rid(get_global_sam_sid(),
+ &(sids[i]), &rid))
+ continue;
+
+ gids = talloc_realloc(p->mem_ctx, gids,
+ sizeof(*gids) * (num_gids+1));
+ gids[num_gids].attr=7;
+ gids[num_gids].g_rid = rid;
+ num_gids += 1;
+ }
+ SAFE_FREE(sids);
/* construct the response. lkclXXXX: gids are not copied! */
init_samr_r_query_usergroups(r_u, num_groups, gids, r_u->status);
DEBUG(5,("_samr_query_usergroups: %d\n", __LINE__));
- pdb_free_sam(&sam_pass);
-
return r_u->status;
}
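Review bot: The reply is still built with `num_groups`, the number of SIDs returned by pdb_enum_group_memberships(), while the loop above fills only `num_gids` entries of `gids` because any SID outside the global SAM domain is skipped by the `continue`. If init_samr_r_query_usergroups() marshals that many entries (its body is not in this hunk), a skipped SID would make it read past the end of the talloc'd array and return adjacent heap contents to the RPC client; the call should be `init_samr_r_query_usergroups(r_u, num_gids, gids, r_u->status);`. The result of `talloc_realloc()` is also dereferenced unchecked on the next line, so the loop needs `if (gids == NULL) { SAFE_FREE(sids); return NT_STATUS_NO_MEMORY; }` right after the allocation. `num_sids` is assigned but never read and can be dropped; the function body begins above this hunk.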
diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c
index 215471b444..2689d89972 100644
--- a/source3/rpc_server/srv_util.c
+++ b/source3/rpc_server/srv_util.c
@@ -79,65 +79,6 @@ static const rid_name domain_group_rids[] =
{ 0 , NULL }
};
-/*******************************************************************
- gets a domain user's groups
- ********************************************************************/
-BOOL get_domain_user_groups(TALLOC_CTX *ctx, int *numgroups, DOM_GID **pgids, SAM_ACCOUNT *sam_pass)
-{
-
- const char *username = pdb_get_username(sam_pass);
- int n_unix_groups;
- int i,j;
- gid_t *unix_groups;
-
- *numgroups = 0;
- *pgids = NULL;
-
- if (!getgroups_user(username, &unix_groups, &n_unix_groups)) {
- return False;
- }
-
- /* now setup the space for storing the SIDS */
-
- if (n_unix_groups > 0) {
-
- *pgids = talloc(ctx, sizeof(DOM_GID) * n_unix_groups);
-
- if (!*pgids) {
- DEBUG(0, ("get_user_group: malloc() failed for DOM_GID list!\n"));
- SAFE_FREE(unix_groups);
- return False;
- }
- }
-
- become_root();
- j = 0;
- for (i = 0; i < n_unix_groups; i++) {
- GROUP_MAP map;
- uint32 rid;
-
- if (!pdb_getgrgid(&map, unix_groups[i])) {
- DEBUG(3, ("get_user_groups: failed to convert gid %ld to a domain group!\n",
- (long int)unix_groups[i+1]));
- if (i == 0) {
- DEBUG(1,("get_domain_user_groups: primary gid of user [%s] is not a Domain group !\n", username));
- DEBUGADD(1,("get_domain_user_groups: You should fix it, NT doesn't like that\n"));
- }
- } else if ((map.sid_name_use == SID_NAME_DOM_GRP)
- && sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)) {
- (*pgids)[j].attr=7;
- (*pgids)[j].g_rid=rid;
- j++;
- }
- }
- unbecome_root();
-
- *numgroups = j;
-
- SAFE_FREE(unix_groups);
-
- return True;
-}
/*******************************************************************
gets a domain user's groups from their already-calculated NT_USER_TOKEN