authorAndrew Bartlett <abartlet@samba.org>2002-07-30 09:26:44 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-07-30 09:26:44 +0000
commit02cb8d63bcdf3c55f56d69f17bc905b1047cc573 (patch)
tree2e49e20d7547010b08248c44b8a9de0ea0d2763f /source3/smbd
parent01d9beba6cf2882dc30445b68b3ae54d3bb17679 (diff)
Update a pile of Samba's SID lookup code to ensure:
- That we never call winbind recursively - That we never use an 'algorithmic' RID when we have a fixed uid or gid mapping in either the passdb or the group mapping db. Also, remove restrictions that say 'this domain only'. If we have a mapping configured, allow it to be returned. If we later decide certain mappings are invalid, then we should put that in the code that actually does the map. Allow 'sid->name' translations on the fixed 'well known' groups for NT, even if they are not represented by Unix groups yet. Andrew Bartlett (This used to be commit d5bafb224337e393420c2ce9c0a787405314713c)
Diffstat (limited to 'source3/smbd')
-rw-r--r--source3/smbd/uid.c74
1 files changed, 39 insertions, 35 deletions
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 2dcef54a5b..bf609e62e6 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -440,44 +440,43 @@ BOOL lookup_name(const char *domain, const char *name, DOM_SID *psid, enum SID_N
extern pstring global_myname;
extern fstring global_myworkgroup;
fstring sid;
- BOOL ret = False;
+ BOOL local_lookup = False;
*name_type = SID_NAME_UNKNOWN;
/* If we are looking up a domain user, make sure it is
for the local machine only */
- switch (lp_server_role()) {
- case ROLE_DOMAIN_PDC:
- case ROLE_DOMAIN_BDC:
+ if (strequal(global_myname, domain)) {
+ local_lookup = True;
+ } else if (lp_server_role() == ROLE_DOMAIN_PDC ||
+ lp_server_role() == ROLE_DOMAIN_PDC) {
if (strequal(domain, global_myworkgroup)) {
- ret = local_lookup_name(name, psid, name_type);
- }
- /* No break is deliberate here. JRA. */
- default:
- if (ret) {
- } else if (strequal(global_myname, domain)) {
- ret = local_lookup_name(name, psid, name_type);
- } else {
- DEBUG(5, ("lookup_name: domain %s is not local\n", domain));
+ local_lookup = True;
}
}
-
- if (ret) {
- DEBUG(10,
- ("lookup_name: (local) [%s]\\[%s] -> SID %s (type %s: %u)\n",
- domain, name, sid_to_string(sid,psid),
- sid_type_lookup(*name_type), (unsigned int)*name_type));
- return True;
- } else if (winbind_lookup_name(domain, name, psid, name_type)) {
- DEBUG(10,("lookup_name (winbindd): [%s]\\[%s] -> SID %s (type %u)\n",
- domain, name, sid_to_string(sid, psid),
- (unsigned int)*name_type));
- return True;
+ if (local_lookup) {
+ if (local_lookup_name(name, psid, name_type)) {
+ DEBUG(10,
+ ("lookup_name: (local) [%s]\\[%s] -> SID %s (type %s: %u)\n",
+ domain, name, sid_to_string(sid,psid),
+ sid_type_lookup(*name_type), (unsigned int)*name_type));
+ return True;
+ }
+ } else {
+ /* Remote */
+ if (winbind_lookup_name(domain, name, psid, name_type)) {
+
+ DEBUG(10,("lookup_name (winbindd): [%s]\\[%s] -> SID %s (type %u)\n",
+ domain, name, sid_to_string(sid, psid),
+ (unsigned int)*name_type));
+ return True;
+ }
}
-
- DEBUG(10, ("lookup_name: winbind and local lookups for [%s]\\[%s] failed\n", domain, name));
+
+ DEBUG(10, ("lookup_name: %s lookup for [%s]\\[%s] failed\n",
+ local_lookup ? "local" : "winbind", domain, name));
return False;
}
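Review bot: The new role test `lp_server_role() == ROLE_DOMAIN_PDC || lp_server_role() == ROLE_DOMAIN_PDC` compares against ROLE_DOMAIN_PDC twice, so the ROLE_DOMAIN_BDC case that the removed switch handled is lost. On a BDC, a name in global_myworkgroup would now take the winbind_lookup_name branch instead of local_lookup_name, which looks like the recursion the commit message sets out to avoid (inferred, since winbindd's side is not visible here). The second operand should read `lp_server_role() == ROLE_DOMAIN_BDC) {`. The retained comment "make sure it is for the local machine only" also no longer describes the code, because the flag now only selects between the local and winbind paths with no fallback from one to the other. lookup_name begins outside this hunk.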
@@ -680,16 +679,21 @@ BOOL sid_to_gid(DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
* First we must look up the name and decide if this is a group sid.
*/
+ /* if we know its local then don't try winbindd */
+ if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
+ BOOL result;
+ become_root();
+ result = local_sid_to_gid(pgid, psid, sidtype);
+ unbecome_root();
+ return result;
+ }
+
if (!winbind_lookup_sid(psid, dom_name, name, &name_type)) {
DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed - trying local.\n",
sid_to_string(sid_str, psid) ));
- if (!local_sid_to_gid(pgid, psid, sidtype)) {
- /* this was probably a foreign sid - assume its a group rid
- and continue */
- name_type = SID_NAME_DOM_GRP;
- } else {
- return True;
- }
+ /* this was probably a foreign sid - assume its a group rid
+ and continue */
+ name_type = SID_NAME_DOM_GRP;
}
/*
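Review bot: The winbind-failure branch no longer calls local_sid_to_gid, but its DEBUG text still ends with "failed - trying local.", so the level-10 log describes a fallback that does not happen. The message should say what the code now does, for example `DEBUG(10,("sid_to_gid: winbind lookup for sid %s failed - assuming domain group.\n",`. That branch also sets `name_type = SID_NAME_DOM_GRP` for a SID whose type was never confirmed. The comment there should state that the gid mapping later in the function (outside this hunk) is presumably what rejects a SID that is not really a group. sid_to_gid starts and ends outside the hunk.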
@@ -700,7 +704,7 @@ BOOL sid_to_gid(DOM_SID *psid, gid_t *pgid, enum SID_NAME_USE *sidtype)
DEBUG(10,("sid_to_gid: winbind lookup succeeded but SID is not a known group (%u)\n",
(unsigned int)name_type ));
- return local_sid_to_gid(pgid, psid, sidtype);
+ return False;
}
*sidtype = name_type;
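Review bot: The new `return False;` leaves `*sidtype` unwritten, because `*sidtype = name_type;` only runs after this branch, and the visible lines do not assign `*pgid` on this path either. A short comment at the return would make the contract explicit, for example `/* local SIDs were handled above; a non-group type from winbind is final. *pgid and *sidtype are not set. */`. Without it, a caller that reads either output after a failed call would see whatever it passed in. The enclosing condition and the rest of sid_to_gid are outside this hunk.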