1 files changed, 220 insertions, 43 deletions
diff --git a/source3/nsswitch/winbindd_group.c b/source3/nsswitch/winbindd_group.c
index 94b6326b90..d67d48d506 100644
--- a/source3/nsswitch/winbindd_group.c
+++ b/source3/nsswitch/winbindd_group.c
@@ -5,6 +5,7 @@
 
    Copyright (C) Tim Potter 2000
    Copyright (C) Jeremy Allison 2001.
+   Copyright (C) Gerald (Jerry) Carter 2003.
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -26,6 +27,34 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_WINBIND
 
+/*********************************************************************
+*********************************************************************/
+
+static int gr_mem_buffer( char **buffer, char **members, int num_members )
+{
+	int i;
+	int len = 0;
+	int idx = 0;
+
+	if ( num_members == 0 ) {
+		*buffer = NULL;
+		return 0;
+	}
+	
+	for ( i=0; i<num_members; i++ )
+		len += strlen(members[i])+1;
+
+	*buffer = (char*)smb_xmalloc(len);
+	for ( i=0; i<num_members; i++ ) {
+		snprintf( &(*buffer)[idx], len-idx, "%s,", members[i]);
+		idx += strlen(members[i])+1;
+	}
+	/* terminate with NULL */
+	(*buffer)[len-1] = '\0';
+	
+	return len;	
+}
+
 /***************************************************************
  Empty static struct for negative caching.
 ****************************************************************/
@@ -75,9 +104,12 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
 
 	*num_gr_mem = 0;
 	
-	if (group_name_type != SID_NAME_DOM_GRP) {
-		DEBUG(1, ("SID %s in domain %s isn't a domain group\n", 
-			  sid_to_string(sid_string, group_sid), domain->name));
+	if ( !((group_name_type==SID_NAME_DOM_GRP) ||
+		((group_name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+	{
+		DEBUG(1, ("SID %s in domain %s isn't a domain group (%d)\n", 
+			  sid_to_string(sid_string, group_sid), domain->name, 
+			  group_name_type));
                 goto done;
 	}
 
@@ -189,6 +221,7 @@ done:
 enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 {
 	DOM_SID group_sid;
+	WINBINDD_GR *grp;
 	struct winbindd_domain *domain;
 	enum SID_NAME_USE name_type;
 	fstring name_domain, name_group;
@@ -207,9 +240,39 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 	memset(name_group, 0, sizeof(fstring));
 
 	tmp = state->request.data.groupname;
-	if (!parse_domain_user(tmp, name_domain, name_group))
+	
+	parse_domain_user(tmp, name_domain, name_group);
+
+	/* if no domain or our local domain, then do a local tdb search */
+	
+	if ( !*name_domain || strequal(name_domain, get_global_sam_name()) ) {
+		char *buffer = NULL;
+		
+		if ( !(grp=wb_getgrnam(name_group)) ) {
+			DEBUG(5,("winbindd_getgrnam: lookup for %s\\%s failed\n",
+				name_domain, name_group));
+			return WINBINDD_ERROR;
+		}
+		memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
+
+		gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
+		
+		state->response.data.gr.gr_mem_ofs = 0;
+		state->response.length += gr_mem_len;
+		state->response.extra_data = buffer;	/* give the memory away */
+		
+		return WINBINDD_OK;
+	}
+
+	/* should we deal with users for our domain? */
+	
+	if ( lp_winbind_trusted_domains_only() && strequal(name_domain, lp_workgroup())) {
+		DEBUG(7,("winbindd_getgrnam: My domain -- rejecting getgrnam() for %s\\%s.\n", 
+			name_domain, name_group));
 		return WINBINDD_ERROR;
+	}	
 
+	
 	/* Get info for the domain */
 
 	if ((domain = find_domain_from_name(name_domain)) == NULL) {
@@ -227,13 +290,15 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 
-	if ((name_type != SID_NAME_ALIAS) && (name_type != SID_NAME_DOM_GRP)) {
+	if ( !((name_type==SID_NAME_DOM_GRP) ||
+		((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+	{
 		DEBUG(1, ("name '%s' is not a local or domain group: %d\n", 
 			  name_group, name_type));
 		return WINBINDD_ERROR;
 	}
 
-	if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &gid))) {
+	if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &gid, 0))) {
 		DEBUG(1, ("error converting unix gid to sid\n"));
 		return WINBINDD_ERROR;
 	}
@@ -261,6 +326,7 @@ enum winbindd_result winbindd_getgrnam(struct winbindd_cli_state *state)
 enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
 {
 	struct winbindd_domain *domain;
+	WINBINDD_GR *grp;
 	DOM_SID group_sid;
 	enum SID_NAME_USE name_type;
 	fstring dom_name;
@@ -277,8 +343,23 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
 	    (state->request.data.gid > server_state.gid_high))
 		return WINBINDD_ERROR;
 
+	/* alway try local tdb lookup first */
+	if ( ( grp=wb_getgrgid(state->request.data.gid)) != NULL ) {
+		char *buffer = NULL;
+		
+		memcpy( &state->response.data.gr, grp, sizeof(WINBINDD_GR) );
+		
+		gr_mem_len = gr_mem_buffer( &buffer, grp->gr_mem, grp->num_gr_mem );
+		
+		state->response.data.gr.gr_mem_ofs = 0;
+		state->response.length += gr_mem_len;
+		state->response.extra_data = buffer;	/* give away the memory */
+		
+		return WINBINDD_OK;
+	}
+
 	/* Get rid from gid */
-	if (NT_STATUS_IS_ERR(uid_to_sid(&group_sid, state->request.data.gid))) {
+	if (!NT_STATUS_IS_OK(idmap_gid_to_sid(&group_sid, state->request.data.gid))) {
 		DEBUG(1, ("could not convert gid %d to rid\n", 
 			  state->request.data.gid));
 		return WINBINDD_ERROR;
@@ -291,13 +372,6 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 
-	if (!((name_type == SID_NAME_ALIAS) || 
-	      (name_type == SID_NAME_DOM_GRP))) {
-		DEBUG(1, ("name '%s' is not a local or domain group: %d\n", 
-			  group_name, name_type));
-		return WINBINDD_ERROR;
-	}
-
 	/* Fill in group structure */
 
 	domain = find_domain_from_sid(&group_sid);
@@ -307,6 +381,14 @@ enum winbindd_result winbindd_getgrgid(struct winbindd_cli_state *state)
 		return WINBINDD_ERROR;
 	}
 
+	if ( !((name_type==SID_NAME_DOM_GRP) ||
+		((name_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+	{
+		DEBUG(1, ("name '%s' is not a local or domain group: %d\n", 
+			  group_name, name_type));
+		return WINBINDD_ERROR;
+	}
+
 	if (!fill_grent(&state->response.data.gr, dom_name, group_name, 
 			state->request.data.gid) ||
 	    !fill_grent_mem(domain, &group_sid, name_type,
@@ -353,6 +435,16 @@ enum winbindd_result winbindd_setgrent(struct winbindd_cli_state *state)
 	for (domain = domain_list(); domain != NULL; domain = domain->next) {
 		struct getent_state *domain_state;
 		
+		
+		/* don't add our domaina if we are a PDC or if we 
+		   are a member of a Samba domain */
+		
+		if ( (IS_DC || lp_winbind_trusted_domains_only())
+			&& strequal(domain->name, lp_workgroup()) )
+		{
+			continue;
+		}
+						
 		/* Create a state record for this domain */
 		
 		if ((domain_state = (struct getent_state *)
@@ -450,10 +542,10 @@ static BOOL get_sam_group_entries(struct getent_state *ent)
 	
 	ent->num_sam_entries = num_entries;
 	
-	/* get the domain local groups if we are a member of a native win2k domain */
+	/* get the domain local groups if we are a member of a native win2k domain
+	   and are not using LDAP to get the groups */
 	   
-	if ( domain->native_mode 
-		&& domain->methods->enum_local_groups 
+	if ( lp_security() != SEC_ADS && domain->native_mode 
 		&& strequal(lp_workgroup(), domain->name) )
 	{
 		DEBUG(4,("get_sam_group_entries: Native Mode 2k domain; enumerating local groups as well\n"));
@@ -590,7 +682,7 @@ enum winbindd_result winbindd_getgrent(struct winbindd_cli_state *state)
 		sid_copy(&group_sid, &domain->sid);
 		sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
 
-		if (NT_STATUS_IS_ERR(sid_to_gid(&group_sid, &group_gid))) {
+		if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &group_gid, 0))) {
 			
 			DEBUG(1, ("could not look up gid for group %s\n", 
 				  name_list[ent->sam_entry_index].acct_name));
@@ -743,7 +835,7 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state)
 		ZERO_STRUCT(groups);
 
 		/* Get list of sam groups */
-		ZERO_STRUCT(groups);
+		
 		fstrcpy(groups.domain_name, domain->name);
 
 		get_sam_group_entries(&groups);
@@ -799,21 +891,26 @@ enum winbindd_result winbindd_list_groups(struct winbindd_cli_state *state)
 }
 
 /* Get user supplementary groups.  This is much quicker than trying to
-   invert the groups database. */
+   invert the groups database.  We merge the groups from the gids and
+   other_sids info3 fields as trusted domain, universal group
+   memberships, and nested groups (win2k native mode only) are not
+   returned by the getgroups RPC call but are present in the info3. */
 
 enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
 {
 	fstring name_domain, name_user;
-	DOM_SID user_sid;
+	DOM_SID user_sid, group_sid;
 	enum SID_NAME_USE name_type;
-	uint32 num_groups, num_gids;
+	uint32 num_groups = 0;
+	uint32 num_gids = 0;
 	NTSTATUS status;
-	DOM_SID **user_gids;
+	DOM_SID **user_grpsids;
 	struct winbindd_domain *domain;
 	enum winbindd_result result = WINBINDD_ERROR;
 	gid_t *gid_list;
 	unsigned int i;
 	TALLOC_CTX *mem_ctx;
+	NET_USER_INFO_3 *info3 = NULL;
 	
 	/* Ensure null termination */
 	state->request.data.username[sizeof(state->request.data.username)-1]='\0';
@@ -827,8 +924,12 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
 
 	/* Parse domain and username */
 
-	if (!parse_domain_user(state->request.data.username, name_domain, 
-			  name_user))
+	parse_domain_user(state->request.data.username, 
+		name_domain, name_user);
+	
+	/* bail if there is no domain */ 
+	
+	if ( !*name_domain )
 		goto done;
 
 	/* Get info for the domain */
@@ -853,33 +954,109 @@ enum winbindd_result winbindd_getgroups(struct winbindd_cli_state *state)
 		goto done;
 	}
 
-	status = domain->methods->lookup_usergroups(domain, mem_ctx, 
-						    &user_sid, &num_groups, 
-						    &user_gids);
-	if (!NT_STATUS_IS_OK(status)) goto done;
+	/* Treat the info3 cache as authoritative as the
+	   lookup_usergroups() function may return cached data. */
 
-	/* Copy data back to client */
+	if ((info3 = netsamlogon_cache_get(mem_ctx, &user_sid))) {
 
-	num_gids = 0;
-	gid_list = malloc(sizeof(gid_t) * num_groups);
+		DEBUG(10, ("winbindd_getgroups: info3 has %d groups, %d other sids\n",
+			   info3->num_groups2, info3->num_other_sids));
 
-	if (state->response.extra_data)
-		goto done;
+		num_groups = info3->num_other_sids + info3->num_groups2;
+		gid_list = calloc(sizeof(gid_t), num_groups);
 
-	for (i = 0; i < num_groups; i++) {
-		gid_t gid;
+		/* Go through each other sid and convert it to a gid */
+
+		for (i = 0; i < info3->num_other_sids; i++) {
+			fstring name;
+			fstring dom_name;
+			enum SID_NAME_USE sid_type;
+
+			/* Is this sid known to us?  It can either be
+                           a trusted domain sid or a foreign sid. */
+
+			if (!winbindd_lookup_name_by_sid( &info3->other_sids[i].sid, 
+				dom_name, name, &sid_type))
+			{
+				DEBUG(10, ("winbindd_getgroups: could not lookup name for %s\n", 
+					   sid_string_static(&info3->other_sids[i].sid)));
+				continue;
+			}
+
+			/* Check it is a domain group or an alias (domain local group) 
+			   in a win2k native mode domain. */
+			
+			if ( !((sid_type==SID_NAME_DOM_GRP) ||
+				((sid_type==SID_NAME_ALIAS) && strequal(lp_workgroup(), domain->name))) )
+			{
+				DEBUG(10, ("winbindd_getgroups: sid type %d "
+					   "for %s is not a domain group\n",
+					   sid_type,
+					   sid_string_static(
+						   &info3->other_sids[i].sid)));
+				continue;
+			}
+
+			/* Map to a gid */
+
+			if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&info3->other_sids[i].sid, &gid_list[num_gids], 0)) )
+			{
+				DEBUG(10, ("winbindd_getgroups: could not map sid %s to gid\n",
+					   sid_string_static(&info3->other_sids[i].sid)));
+				continue;
+			}
+
+			/* We've jumped through a lot of hoops to get here */
+
+			DEBUG(10, ("winbindd_getgroups: mapped other sid %s to "
+				   "gid %d\n", sid_string_static(
+					   &info3->other_sids[i].sid),
+				   gid_list[num_gids]));
+
+			num_gids++;
+		}
+
+		for (i = 0; i < info3->num_groups2; i++) {
 		
-		if (NT_STATUS_IS_ERR(sid_to_gid(user_gids[i], &gid))) {
-			fstring sid_string;
+			/* create the group SID */
+			
+			sid_copy( &group_sid, &domain->sid );
+			sid_append_rid( &group_sid, info3->gids[i].g_rid );
 
-			DEBUG(1, ("unable to convert group sid %s to gid\n", 
-				  sid_to_string(sid_string, user_gids[i])));
-			continue;
+			if (!NT_STATUS_IS_OK(idmap_sid_to_gid(&group_sid, &gid_list[num_gids], 0)) ) {
+				DEBUG(10, ("winbindd_getgroups: could not map sid %s to gid\n",
+					   sid_string_static(&group_sid)));
+			}
+
+			num_gids++;
+		}
+
+		SAFE_FREE(info3);
+
+	} else {
+		status = domain->methods->lookup_usergroups(domain, mem_ctx, 
+						    &user_sid, &num_groups, 
+						    &user_grpsids);
+		if (!NT_STATUS_IS_OK(status)) 
+			goto done;
+
+		gid_list = malloc(sizeof(gid_t) * num_groups);
+
+		if (state->response.extra_data)
+			goto done;
+
+		for (i = 0; i < num_groups; i++) {
+			if (!NT_STATUS_IS_OK(idmap_sid_to_gid(user_grpsids[i], &gid_list[num_gids], 0))) {
+				DEBUG(1, ("unable to convert group sid %s to gid\n", 
+					  sid_string_static(user_grpsids[i])));
+				continue;
+			}
+			num_gids++;
 		}
-		gid_list[num_gids] = gid;
-		num_gids++;
 	}
 
+	/* Send data back to client */
+
 	state->response.data.num_entries = num_gids;
 	state->response.extra_data = gid_list;
 	state->response.length += num_gids * sizeof(gid_t);