Fixed LsaQueryInformationPolicy level 3 to return primary domain info.

Domain SID is saved in secrets.tdb upon joining domain.

Added "Authenticated Users" and "SYSTEM" well-known SIDs (under
NT Authority).
(This used to be commit 7710b4f48d3e8532df5e37f99a779758f750efdb)

7 files changed, 103 insertions, 30 deletions

diff --git a/source3/include/proto.h b/source3/include/proto.h
index 7a95dd838e..83efdaf0df 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1576,6 +1576,8 @@ BOOL secrets_init(void);
 void *secrets_fetch(char *key, size_t *size);
 BOOL secrets_store(char *key, void *data, size_t size);
 BOOL secrets_delete(char *key);
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid);
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid);
 
 /*The following definitions come from  passdb/smbpass.c  */
 
@@ -1711,6 +1713,7 @@ BOOL do_lsa_query_info_pol(struct cli_state *cli,
 			POLICY_HND *hnd, uint16 info_class,
 			fstring domain_name, DOM_SID *domain_sid);
 BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd);
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server);
 
 /*The following definitions come from  rpc_client/cli_netlogon.c  */
 
diff --git a/source3/include/secrets.h b/source3/include/secrets.h
index a87bdef56b..c16d5c7b30 100644
--- a/source3/include/secrets.h
+++ b/source3/include/secrets.h
@@ -2,7 +2,8 @@
 
 
 #define SECRETS_MACHINE_ACCT_PASS "SECRETS/$MACHINE.ACC"
-#define SECRETS_SAM_SID       "SAM/SAM_SID"
+#define SECRETS_DOMAIN_SID    "SECRETS/SID"
+#define SECRETS_SAM_SID       "SAM/SID"
 
 struct machine_acct_pass {
 	uint8 hash[16];
diff --git a/source3/lib/util_sid.c b/source3/lib/util_sid.c
index 3605dfbf27..46904162b1 100644
--- a/source3/lib/util_sid.c
+++ b/source3/lib/util_sid.c
@@ -49,15 +49,18 @@ typedef struct _known_sid_users {
 /* static known_sid_users no_users[] = {{0, 0, NULL}}; */
 static known_sid_users everyone_users[] = {{ 0, SID_NAME_WKN_GRP, "Everyone" }, {0, 0, NULL}};
 static known_sid_users creator_owner_users[] = {{ 0, SID_NAME_ALIAS, "Creator Owner" }, {0, 0, NULL}};
-static known_sid_users nt_authority_users[] = {{ 1, SID_NAME_ALIAS, "Dialup" },
-											   { 2, SID_NAME_ALIAS, "Network"},
-											   { 3, SID_NAME_ALIAS, "Batch"},
-											   { 4, SID_NAME_ALIAS, "Interactive"},
-											   { 6, SID_NAME_ALIAS, "Service"},
-											   { 7, SID_NAME_ALIAS, "AnonymousLogon"},
-											   { 8, SID_NAME_ALIAS, "Proxy"},
-											   { 9, SID_NAME_ALIAS, "ServerLogon"},
-											   {0, 0, NULL}};
+static known_sid_users nt_authority_users[] = {
+	{  1, SID_NAME_ALIAS, "Dialup" },
+	{  2, SID_NAME_ALIAS, "Network"},
+	{  3, SID_NAME_ALIAS, "Batch"},
+	{  4, SID_NAME_ALIAS, "Interactive"},
+	{  6, SID_NAME_ALIAS, "Service"},
+	{  7, SID_NAME_ALIAS, "AnonymousLogon"},
+	{  8, SID_NAME_ALIAS, "Proxy"},
+	{  9, SID_NAME_ALIAS, "ServerLogon"},
+	{ 11, SID_NAME_ALIAS, "Authenticated Users"},
+	{ 18, SID_NAME_ALIAS, "SYSTEM"},
+	{  0, 0, NULL}};
 
 static struct sid_name_map_info
 {
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index b0021599cc..459cc6ae36 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -88,3 +88,35 @@ BOOL secrets_delete(char *key)
 	kbuf.dsize = strlen(key);
 	return tdb_delete(tdb, kbuf) == 0;
 }
+
+BOOL secrets_store_domain_sid(char *domain, DOM_SID *sid)
+{
+	fstring key;
+
+	slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+	return secrets_store(key, sid, sizeof(DOM_SID));
+}
+
+BOOL secrets_fetch_domain_sid(char *domain, DOM_SID *sid)
+{
+	DOM_SID *dyn_sid;
+	fstring key;
+	int size;
+
+	slprintf(key, sizeof(key), "%s/%s", SECRETS_DOMAIN_SID, domain);
+	dyn_sid = (DOM_SID *)secrets_fetch(key, &size);
+
+	if (dyn_sid == NULL)
+		return False;
+
+	if (size != sizeof(DOM_SID))
+	{ 
+		free(dyn_sid);
+		return False;
+	}
+
+	*sid = *dyn_sid;
+	free(dyn_sid);
+	return True;
+}
+
diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c
index 34201ebc16..8362c1d172 100644
--- a/source3/rpc_client/cli_lsarpc.c
+++ b/source3/rpc_client/cli_lsarpc.c
@@ -379,3 +379,26 @@ BOOL do_lsa_close(struct cli_state *cli, POLICY_HND *hnd)
 
 	return True;
 }
+
+/****************************************************************************
+obtain a server's SAM SID and save it in the secrets database
+****************************************************************************/
+
+BOOL cli_lsa_get_domain_sid(struct cli_state *cli, char *server)
+{
+	fstring domain, key;
+	POLICY_HND pol;
+	DOM_SID sid;
+	BOOL res, res2, res3;
+
+	res = cli_nt_session_open(cli, PIPE_LSARPC);
+	res2 = res ? do_lsa_open_policy(cli, server, &pol, 0) : False;
+	res3 = res2 ? do_lsa_query_info_pol(cli, &pol, 5, domain, &sid) : False;
+
+	res3 = res3 ? secrets_store_domain_sid(domain, &sid) : False;
+
+	res2 = res2 ? do_lsa_close(cli, &pol) : False;
+	cli_nt_session_close(cli);
+	
+	return res3;
+}
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index ce4468d112..0043a1894e 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -579,7 +579,14 @@ Error was : %s.\n", remote_machine, cli_errstr(&cli) ));
    * Ok - we have an anonymous connection to the IPC$ share.
    * Now start the NT Domain stuff :-).
    */
-    
+
+  if(cli_lsa_get_domain_sid(&cli, remote_machine) == False) {
+    DEBUG(0,("modify_trust_password: unable to obtain domain sid from %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
+    cli_ulogoff(&cli);
+    cli_shutdown(&cli);
+    return False;
+  }
+
   if(cli_nt_session_open(&cli, PIPE_NETLOGON) == False) {
     DEBUG(0,("modify_trust_password: unable to open the domain client session to \
 machine %s. Error was : %s.\n", remote_machine, cli_errstr(&cli)));
diff --git a/source3/rpc_server/srv_lsa.c b/source3/rpc_server/srv_lsa.c
index e7d08ff788..71162ac782 100644
--- a/source3/rpc_server/srv_lsa.c
+++ b/source3/rpc_server/srv_lsa.c
@@ -88,24 +88,18 @@ Init dom_query
 
 static void init_dom_query(DOM_QUERY *d_q, char *dom_name, DOM_SID *dom_sid)
 {
-	fstring sid_str;
-	int domlen = strlen(dom_name);
-
-	*sid_str = '\0';
+	int domlen = (dom_name != NULL) ? strlen(dom_name) : 0;
 
 	d_q->uni_dom_max_len = domlen * 2;
 	d_q->uni_dom_str_len = domlen * 2;
 
-	d_q->buffer_dom_name = domlen  != 0    ? 1 : 0; /* domain buffer pointer */
-	d_q->buffer_dom_sid  = dom_sid != NULL ? 1 : 0; /* domain sid pointer */
+	d_q->buffer_dom_name = (dom_name != 0)   ? 1 : 0;
+	d_q->buffer_dom_sid  = (dom_sid != NULL) ? 1 : 0;
 
 	/* this string is supposed to be character short */
 	init_unistr2(&d_q->uni_domain_name, dom_name, domlen);
-
-	if(dom_sid) {
-		sid_to_string(sid_str, dom_sid);
+	if (dom_sid != NULL)
 		init_dom_sid2(&d_q->dom_sid, dom_sid);
-	}
 }
 
 /***************************************************************************
@@ -506,12 +500,11 @@ api_lsa_query_info
 static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
 {
 	LSA_Q_QUERY_INFO q_i;
-	fstring name;
+	DOM_SID domain_sid;
+	char *name = NULL;
 	DOM_SID *sid = NULL;
 	uint32 status_code = 0;
 
-	memset(name, 0, sizeof(name));
-
 	ZERO_STRUCT(q_i);
 
 	/* grab the info class and policy handle */
@@ -522,15 +515,26 @@ static BOOL api_lsa_query_info(prs_struct *data, prs_struct *rdata)
 
 	switch (q_i.info_class) {
 	case 0x03:
-		if(lp_domain_logons()) {
-			fstrcpy(name, global_myworkgroup);
-			sid = &global_sam_sid;
-		} else {
-			*name = '\0';
+		switch (lp_server_role())
+		{
+			case ROLE_DOMAIN_PDC:
+			case ROLE_DOMAIN_BDC:
+				name = global_myworkgroup;
+				sid = &global_sam_sid;
+				break;
+			case ROLE_DOMAIN_MEMBER:
+				if (secrets_fetch_domain_sid(global_myworkgroup,
+					&domain_sid))
+				{
+					name = global_myworkgroup;
+					sid = &domain_sid;
+				}
+			default:
+				break;
 		}
 		break;
 	case 0x05:
-		fstrcpy(name, global_myname);
+		name = global_myname;
 		sid = &global_sam_sid;
 		break;
 	default: