Fix 'security = domain' without winbind. This stores the sid we got

from the PDC as a mapping to the uid we got from getpwnam in the
local idmap.

This should not be worse than the current state, so I decided to
commit it. It is different from abartlet's preliminary patch, but I
believe this is the better solution. Feel free to comment and/or
revert it.

Volker
(This used to be commit 0c16965e6f49a2c0d73b1392e9f8cfc7449e2e59)

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d57619942c4222311ad5ac5c2aae7f53ac429ab5..ed3ebdbabcf3e20dbdae0be379f759cdff8bfa20 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -842,6 +842,52 @@ NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
        return nt_status;
 }
 
+static NTSTATUS fill_sam_account(const char *domain,
+                                const char *username,
+                                const DOM_SID *user_sid,
+                                const DOM_SID *group_sid,
+                                SAM_ACCOUNT **sam_account)
+{
+       fstring dom_user;
+       struct passwd *passwd;
+       NTSTATUS result;
+       unid_t id;
+
+       fstr_sprintf(dom_user, "%s%s%s",
+                    domain, lp_winbind_separator(), username);
+
+       passwd = Get_Pwnam(dom_user);
+
+       if ( (passwd == NULL) && is_myworkgroup(domain) ) {
+               /* For our own domain also try unqualified */
+               passwd = Get_Pwnam(username);
+       }
+
+       if (passwd == NULL)
+               return NT_STATUS_NO_SUCH_USER;
+
+       result = pdb_init_sam_pw(sam_account, passwd);
+
+       if (!NT_STATUS_IS_OK(result))
+               return result;
+
+       id.uid = passwd->pw_uid;
+       result = idmap_set_mapping(user_sid, id, ID_USERID);
+       if (!NT_STATUS_IS_OK(result))
+               return result;
+
+       /* This is currently broken. We have two different sources of
+          information for the primary group: The info3 and
+          /etc/passwd. To make this work at all, the info3 sid is
+          mapped to the user's primary group from /etc/passwd.
+          This is broken, but it basically works. */
+
+       id.gid = passwd->pw_gid;
+       result = idmap_set_mapping(group_sid, id, ID_GROUPID);
+
+       return result;
+}
+
 /***************************************************************************
  Make a server_info struct from the info3 returned by a domain logon 
 ***************************************************************************/
@@ -910,38 +956,20 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
                nt_status = pdb_init_sam_pw(&sam_account, passwd);
                passwd_free(&passwd);
        } else {
-               int try = 0;
-               while (try < 2) {
-                       char *dom_user;
-                       dom_user = talloc_asprintf(mem_ctx, "%s%s%s", 
-                                                  nt_domain,
-                                                  lp_winbind_separator(),
-                                                  internal_username);
-                       
-                       if (!dom_user) {
-                               DEBUG(0, ("talloc_asprintf failed!\n"));
-                               nt_status = NT_STATUS_NO_MEMORY;
-                       } else { 
-                               
-                               if (!(passwd = Get_Pwnam(dom_user))
-                                   /* Only lookup local for the local
-                                      domain, we don't want this for
-                                      trusted domains */
-                                   && strequal(nt_domain, lp_workgroup())) {
-                                       passwd = Get_Pwnam(internal_username);
-                               }
-                               
-                               if (!passwd) {
-                                       nt_status = NT_STATUS_NO_SUCH_USER;
-                               } else {
-                                       nt_status = pdb_init_sam_pw(&sam_account, passwd);
-                                       break;
-                               }
-                       }
-                       if (try == 0) {
-                               auth_add_user_script(nt_domain, internal_username);
-                       }
-                       try++;
+
+               nt_status = fill_sam_account(nt_domain,
+                                            internal_username,
+                                            &user_sid, &group_sid,
+                                            &sam_account);
+
+               if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {
+                       DEBUG(3,("User %s does not exist, trying to add it\n",
+                                internal_username));
+                       auth_add_user_script(nt_domain, internal_username);
+                       nt_status = fill_sam_account(nt_domain,
+                                                    internal_username,
+                                                    &user_sid, &group_sid,
+                                                    &sam_account);
                }
        }