From b2edf254eda92f775e7d3d9b6793b4d77f9000b6 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij <jelmer@samba.org>
Date: Sat, 17 Aug 2002 17:00:51 +0000
Subject: sync 3.0 branch with head (This used to be commit
 3928578b52cfc949be5e0ef444fce1558d75f290)

---
 source3/passdb/passdb.c | 158 ++++++++++++++++++++++++++++--------------------
 1 file changed, 93 insertions(+), 65 deletions(-)

(limited to 'source3/passdb/passdb.c')

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index 4e3d558e98..a9c6f0729b 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -157,6 +157,12 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 {
 	GROUP_MAP map;
 
+	const char *guest_account = lp_guestaccount();
+	if (!(guest_account && *guest_account)) {
+		DEBUG(1, ("NULL guest account!?!?\n"));
+		return NT_STATUS_UNSUCCESSFUL;
+	}
+
 	if (!pwd) {
 		return NT_STATUS_UNSUCCESSFUL;
 	}
@@ -183,24 +189,36 @@ NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 	   -- abartlet 11-May-02
 	*/
 
-	if (!pdb_set_user_sid_from_rid(sam_account, 
-				       fallback_pdb_uid_to_user_rid(pwd->pw_uid))) {
-		DEBUG(0,("Can't set User SID from RID!\n"));
-		return NT_STATUS_INVALID_PARAMETER;
-	}
 
-	/* call the mapping code here */
-	if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-		if (!pdb_set_group_sid(sam_account,&map.sid)){
-			DEBUG(0,("Can't set Group SID!\n"));
-			return NT_STATUS_INVALID_PARAMETER;
+	/* Ensure this *must* be set right */
+	if (strcmp(pwd->pw_name, guest_account) == 0) {
+		if (!pdb_set_user_sid_from_rid(sam_account, DOMAIN_USER_RID_GUEST)) {
+			return NT_STATUS_UNSUCCESSFUL;
 		}
-	} 
-	else {
-		if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
-			DEBUG(0,("Can't set Group SID\n"));
+		if (!pdb_set_group_sid_from_rid(sam_account, DOMAIN_GROUP_RID_GUESTS)) {
+			return NT_STATUS_UNSUCCESSFUL;
+		}
+	} else {
+
+		if (!pdb_set_user_sid_from_rid(sam_account, 
+					       fallback_pdb_uid_to_user_rid(pwd->pw_uid))) {
+			DEBUG(0,("Can't set User SID from RID!\n"));
 			return NT_STATUS_INVALID_PARAMETER;
 		}
+		
+		/* call the mapping code here */
+		if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
+			if (!pdb_set_group_sid(sam_account,&map.sid)){
+				DEBUG(0,("Can't set Group SID!\n"));
+				return NT_STATUS_INVALID_PARAMETER;
+			}
+		} 
+		else {
+			if (!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
+				DEBUG(0,("Can't set Group SID\n"));
+				return NT_STATUS_INVALID_PARAMETER;
+			}
+		}
 	}
 
 	/* check if this is a user account or a machine account */
@@ -528,6 +546,9 @@ BOOL pdb_rid_is_user(uint32 rid)
    * such that it can be identified as either a user, group etc
    * type.  there are 5 such categories, and they are documented.
    */
+	/* However, they are not in the RID, just somthing you can query
+	   seperatly.  Sorry luke :-) */
+
    if(pdb_rid_is_well_known(rid)) {
       /*
        * The only well known user RIDs are DOMAIN_USER_RID_ADMIN
@@ -571,14 +592,6 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
 			fstrcpy(name, "Administrator");
 		}
 		return True;
-
-	} else if (rid == DOMAIN_USER_RID_GUEST) {
-		char *p = lp_guestaccount();
-		*psid_name_use = SID_NAME_USER;
-		if(!next_token(&p, name, NULL, sizeof(fstring)))
-			fstrcpy(name, "Guest");
-		return True;
-
 	}
 
 	/*
@@ -594,6 +607,7 @@ BOOL local_lookup_sid(DOM_SID *sid, char *name, enum SID_NAME_USE *psid_name_use
 	}
 		
 	/* This now does the 'generic' mapping in pdb_unix */
+	/* 'guest' is also handled there */
 	if (pdb_getsampwsid(sam_account, sid)) {
 		fstrcpy(name, pdb_get_username(sam_account));
 		*psid_name_use = SID_NAME_USER;
@@ -716,15 +730,9 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 
 	/* check if it's a mapped group */
 	if (get_group_map_from_ntname(user, &map, MAPPING_WITHOUT_PRIV)) {
-		if (map.gid!=-1) {
-			/* yes it's a mapped group to a valid unix group */
-			sid_copy(&local_sid, &map.sid);
-			*psid_name_use = map.sid_name_use;
-		}
-		else {
-       			/* it's a correct name but not mapped so it points to nothing*/
-			return False;
-		}
+		/* yes it's a mapped group */
+		sid_copy(&local_sid, &map.sid);
+		*psid_name_use = map.sid_name_use;
 	} else {
 		/* it's not a mapped group */
 		grp = getgrnam(user);
@@ -777,6 +785,8 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
 		
 		if (pdb_getsampwnam(sam_user, pass->pw_name)) {
 			sid_copy(psid, pdb_get_user_sid(sam_user));
+		} else if (strcmp(pass->pw_name, lp_guestaccount()) == 0) {
+			sid_append_rid(psid, DOMAIN_USER_RID_GUEST);
 		} else {
 			sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
 		}
@@ -802,25 +812,13 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
  Convert a SID to uid - locally.
 ****************************************************************************/
 
-BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+BOOL local_sid_to_uid(uid_t *puid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	DOM_SID dom_sid;
-	uint32 rid;
 	fstring str;
 	SAM_ACCOUNT *sam_user = NULL;
 
 	*name_type = SID_NAME_UNKNOWN;
 
-	sid_copy(&dom_sid, psid);
-	sid_split_rid(&dom_sid, &rid);
-
-	/*
-	 * We can only convert to a uid if this is our local
-	 * Domain SID (ie. we are the controling authority).
-	 */
-	if (!sid_equal(get_global_sam_sid(), &dom_sid))
-		return False;
-
 	if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
 		return False;
 	
@@ -832,12 +830,37 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 		}
 		DEBUG(10,("local_sid_to_uid: SID %s -> uid (%u) (%s).\n", sid_to_string( str, psid),
 			  (unsigned int)*puid, pdb_get_username(sam_user)));
-	} else {
-		DEBUG(5,("local_sid_to_uid: SID %s not mapped becouse RID was not found in passdb.\n", sid_to_string( str, psid)));
 		pdb_free_sam(&sam_user);
-		return False;
+	} else {
+
+		DOM_SID dom_sid;
+		uint32 rid;
+		GROUP_MAP map;
+
+		pdb_free_sam(&sam_user);  
+
+		if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
+			DEBUG(3, ("local_sid_to_uid: SID '%s' is a group, not a user... \n", sid_to_string(str, psid)));
+			/* It's a group, not a user... */
+			return False;
+		}
+
+		sid_copy(&dom_sid, psid);
+		if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+			DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
+			return False;
+		}
+
+		if (!pdb_rid_is_user(rid)) {
+			DEBUG(3, ("local_sid_to_uid: sid '%s' cannot be mapped to a uid algorithmicly becouse it is a group\n", sid_to_string(str, psid)));
+			return False;
+		}
+		
+		*puid = fallback_pdb_user_rid_to_uid(rid);
+		
+		DEBUG(5,("local_sid_to_uid: SID %s algorithmicly mapped to %ld mapped becouse SID was not found in passdb.\n", 
+			 sid_to_string(str, psid), (signed long int)(*puid)));
 	}
-	pdb_free_sam(&sam_user);
 
 	*name_type = SID_NAME_USER;
 
@@ -868,18 +891,13 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
  Convert a SID to gid - locally.
 ****************************************************************************/
 
-BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
+BOOL local_sid_to_gid(gid_t *pgid, const DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	DOM_SID dom_sid;
-	uint32 rid;
 	fstring str;
 	GROUP_MAP map;
 
 	*name_type = SID_NAME_UNKNOWN;
 
-	sid_copy(&dom_sid, psid);
-	sid_split_rid(&dom_sid, &rid);
-
 	/*
 	 * We can only convert to a gid if this is our local
 	 * Domain SID (ie. we are the controling authority).
@@ -887,35 +905,45 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	 * Or in the Builtin SID too. JFM, 11/30/2001
 	 */
 
-	if (!sid_equal(get_global_sam_sid(), &dom_sid))
-		return False;
-
 	if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
 		
 		/* the SID is in the mapping table but not mapped */
 		if (map.gid==-1)
 			return False;
 
-		if (!sid_peek_check_rid(get_global_sam_sid(), &map.sid, &rid)){
-			DEBUG(0,("local_sid_to_gid: sid_peek_check_rid return False! SID: %s\n",
-				sid_string_static(&map.sid)));
-			return False;
-		}
 		*pgid = map.gid;
 		*name_type = map.sid_name_use;
-		DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid),
+		DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", 
+			  sid_to_string( str, psid),
 			  map.nt_name, (unsigned int)*pgid));
 
 	} else {
-		if (pdb_rid_is_user(rid))
+		uint32 rid;
+		SAM_ACCOUNT *sam_user = NULL;
+		if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
+			return False;
+		
+		if (pdb_getsampwsid(sam_user, psid)) {
 			return False;
+			pdb_free_sam(&sam_user);
+		}
+
+		pdb_free_sam(&sam_user);
 
+		if (!sid_peek_check_rid(get_global_sam_sid(), psid, &rid)) {
+			DEBUG(3, ("sid_peek_rid failed - sid '%s' is not in our domain\n", sid_to_string(str, psid)));
+			return False;
+		}
+
+		if (pdb_rid_is_user(rid))
+			return False;
+		
 		*pgid = pdb_group_rid_to_gid(rid);
 		*name_type = SID_NAME_ALIAS;
 		DEBUG(10,("local_sid_to_gid: SID %s -> gid (%u).\n", sid_to_string( str, psid),
 			  (unsigned int)*pgid));
 	}
-
+	
 	return True;
 }
 
-- 
cgit