s3:winbind_group: fix "getent group" to allocate new gids.

"getent group" used to fill the idmap cache with negative
cache entries for unmapped group sids.

Don't pass domain name unconditionally to idmap_sid_to_gid().
idmap_sid_to_gid() only creates new mappings (allocating
idmap backends tdb, tdb2, ldap...) when the domain name passed
in is "".

Note that it is _wrong_ to directly call the idmap_sid_to_gid()
functions here, in the main winbindd. The correct fix would be
to send a sid_to_gid request to winbindd itself, but this needs
more work to prepare the async mechanisms, and we nee a quick
fix for getent passwd now.

Michael

diff --git a/source3/winbindd/winbindd_group.c b/source3/winbindd/winbindd_group.c
index bc532bbce7ca71afb8534a765ac890cf84075122..48e65779022a5c18d20004a277cd119a1fdb961d 100644 (file)
--- a/source3/winbindd/winbindd_group.c
+++ b/source3/winbindd/winbindd_group.c
@@ -1306,6 +1306,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
                char *gr_mem;
                DOM_SID group_sid;
                struct winbindd_domain *domain;
+               char *domain_name_idmap;
 
                /* Do we need to fetch another chunk of groups? */
 
@@ -1353,8 +1354,13 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
                sid_copy(&group_sid, &domain->sid);
                sid_append_rid(&group_sid, name_list[ent->sam_entry_index].rid);
 
-               if (!NT_STATUS_IS_OK(idmap_sid_to_gid(domain->name, &group_sid,
-                                                     &group_gid))) {
+               domain_name_idmap = domain->have_idmap_config
+                                 ? domain->name
+                                 : "";
+
+               if (!NT_STATUS_IS_OK(idmap_sid_to_gid(domain_name_idmap,
+                                                     &group_sid, &group_gid)))
+               {
                        union unid_t id;
                        enum lsa_SidType type;