This patch modifies 'net rpc vampire' to add new and existing users to both

the idmap and the SAM.

The basic idea is this:  Lookup the user with GetPwnam(), and if they
exist then use that uid.  This is what people expect.  If the user does
not exist, try and run the right script.

This is also what people expect from previous Samba 3.0 behaviour, where
the Get_Pwnam() was at runtime.

If the idmap entry for this SID isn't valid, or isn't the right value,
modify the idmap to account for this mapping.

Also, the same logic is applied to the primary gid - if it has changed,
update the user's primary unix group.

This patch allows users to be added without a mapping - this is fine for
machine accounts, for example.  I've given it a quick test against my
Win2k DC, and I *think* it's sane.

Andrew Bartlett
(This used to be commit d2a70bfff182352da50cd6c23ddfa80fe1b353c7)

2 files changed, 43 insertions, 20 deletions

diff --git a/source3/utils/net.c b/source3/utils/net.c
index a18d3e4285..d8f3264840 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -710,6 +710,10 @@ static struct functable net_func[] = {
 		exit(1);
 
 	load_interfaces();
+	
+	/* this makes sure that when we do things like call scripts, 
+	   that it won't assert becouse we are not root */
+	sec_init();
 
 	if (opt_machine_pass) {
 		char *user = NULL;
diff --git a/source3/utils/net_rpc_samsync.c b/source3/utils/net_rpc_samsync.c
index ae6f52ebc4..e911fbce55 100644
--- a/source3/utils/net_rpc_samsync.c
+++ b/source3/utils/net_rpc_samsync.c
@@ -410,7 +410,9 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 	GROUP_MAP map;
 	struct group *grp;
 	DOM_SID sid;
-	BOOL try_add = False;
+	struct passwd *passwd;
+	unid_t id;
+	int u_type;
 
 	fstrcpy(account, unistr2_static(&delta->uni_acct_name));
 	d_printf("Creating account: %s\n", account);
@@ -418,7 +420,7 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 	if (!NT_STATUS_IS_OK(nt_ret = pdb_init_sam(&sam_account)))
 		return nt_ret;
 
-	if (!pdb_getsampwnam(sam_account, account)) {
+	if (!(passwd = Get_Pwnam(account))) {
 		/* Create appropriate user */
 		if (delta->acb_info & ACB_NORMAL) {
 			pstrcpy(add_script, lp_adduser_script());
@@ -429,8 +431,6 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 		} else {
 			DEBUG(1, ("Unknown user type: %s\n",
 				  smbpasswd_encode_acb_info(delta->acb_info)));
-			pdb_free_sam(&sam_account);
-			return NT_STATUS_NO_SUCH_USER;
 		}
 		if (*add_script) {
 			int add_ret;
@@ -439,22 +439,22 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 			add_ret = smbrun(add_script,NULL);
 			DEBUG(1,("fetch_account: Running the command `%s' "
 				 "gave %d\n", add_script, add_ret));
-		}
 
-		try_add = True;
+			/* try and find the possible unix account again */
+			passwd = Get_Pwnam(account);
+		}
 	}
 
 	sam_account_from_delta(sam_account, delta);
-
-	if (try_add) { 
-		if (!pdb_add_sam_account(sam_account)) {
-			DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
-				  account));
-		}
-	} else {
+	if (!pdb_add_sam_account(sam_account)) {
+		DEBUG(1, ("SAM Account for %s failed to be added to the passdb!\n",
+			  account));
 		if (!pdb_update_sam_account(sam_account)) {
 			DEBUG(1, ("SAM Account for %s failed to be updated in the passdb!\n",
 				  account));
+			pdb_free_sam(&sam_account);
+			return NT_STATUS_OK;
+/*			return NT_STATUS_ACCESS_DENIED; */
 		}
 	}
 
@@ -466,18 +466,37 @@ fetch_account_info(uint32 rid, SAM_ACCOUNT_INFO *delta)
 		pdb_free_sam(&sam_account);
 		return NT_STATUS_NO_SUCH_GROUP;
 	}
-
-	if (!(grp = getgrgid(map.gid))) {
-		DEBUG(0, ("Could not find unix group %d for user %s (group SID=%s)\n", 
-			  map.gid, pdb_get_username(sam_account), sid_string_static(&sid)));
+	
+	if (!passwd) {
+		/* if no unix user, changing the mapping won't help */
 		pdb_free_sam(&sam_account);
-		return NT_STATUS_NO_SUCH_GROUP;
+		return NT_STATUS_OK;
+	}
+		
+	if (map.gid != passwd->pw_gid) {
+		if (!(grp = getgrgid(map.gid))) {
+			DEBUG(0, ("Could not find unix group %d for user %s (group SID=%s)\n", 
+				  map.gid, pdb_get_username(sam_account), sid_string_static(&sid)));
+			pdb_free_sam(&sam_account);
+			return NT_STATUS_NO_SUCH_GROUP;
+		}
+		
+		smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
+	}
+	
+	nt_ret = idmap_get_id_from_sid(&id, &u_type, pdb_get_user_sid(sam_account));
+	if (!NT_STATUS_IS_OK(nt_ret)) {
+		pdb_free_sam(&sam_account);
+		return nt_ret;
 	}
 
-	smb_set_primary_group(grp->gr_name, pdb_get_username(sam_account));
+	if ((u_type != ID_USERID) || (id.uid != passwd->pw_uid)) {
+		id.uid = passwd->pw_uid;
+		nt_ret = idmap_set_mapping(pdb_get_user_sid(sam_account), id, ID_USERID);
+	}
 
 	pdb_free_sam(&sam_account);
-	return NT_STATUS_OK;
+	return nt_ret;
 }
 
 static NTSTATUS