[SCM] Samba Shared Repository - branch master updated

Michael Adam obnox at samba.org
Mon Dec 3 02:48:03 MST 2012


The branch, master has been updated
       via  99efe84 s3:selftest: extend sids2xids test script to cope with "ID_TYPE_BOTH" mappings
       via  93c0c07 s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
       via  5fbdc5f s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
       via  a0f4129 s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
       via  671f534 s3:passdb: add sid_check_object_is_for_passdb()
       via  d96aede s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
       via  ef0ed56 s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
       via  2d3f7e3 s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()
       via  845a142 build the new sid_check_is_for_passdb() function into passdb
       via  fecdf48 s3:lib: add utility function sid_check_is_for_passdb()
       via  e3ee397 s3:winbindd: remove unused function idmap_backends_sid_to_unixid()
       via  7f2f296 s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with empty cache
       via  25018d8 s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh
       via  a1411a8 s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
       via  55607f0 s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
       via  c408126 s3:winbindd: remove unused idmap_sid_to_gid()
       via  5f7a372 s3:winbindd: remove unused idmap_sid_to_uid()
       via  b47be53 s3:winbindd: remove unused server implementation of wbint_Sid2Gid()
       via  c927ff4 s3:winbindd: remove unused server implementation of wbint_Sid2Uid()
       via  aa77161 s3:winbindd: remove wbint_Sid2Gid from the wbint.idl
       via  8b73556 s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl
       via  de2cf94 s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules
       via  5e74676 s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid
       via  eb0fca9 s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid
       via  55ea921 s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id
       via  46f2dfa selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd
       via  11ca063 selftest:Samba3: add "wbinfo -p" test to wait_for_start()
       via  5b975ce selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()
       via  f7dca55 selftest:Samba3: call wait_for_start() from check_or_start()
       via  4210e08 s3:winbindd: make idmap_find_domain() static.
       via  27f88ba s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()
       via  370d625 s3:winbindd: add idmap_find_domain_with_sid()
       via  150cfb4 s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()
       via  ee17a51 selftest:Samba3: provision the domain administrators group in the s3 environments
       via  28e7d73 s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
       via  da8d026 s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
       via  75a7524 s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
       via  3e7f04b s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid
       via  7637c93 s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
       via  8e5ce1e s3:winbindd: factor winbindd_sids_to_xids into external and internal part
       via  c58c68d s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
       via  349b9ac s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
       via  be033a1 s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()
       via  b435e66 s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
       via  3f0c31f s3:winbindd:util: add a comment explaining the function parse_sidlist()
       via  6f71071 s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
       via  06f0263 s4:python/ntacl: allow string or objects for sd/sid in setntacl()
       via  d48d0c5 s4:samba-tool/gpo: fix the operation order when creating gpos
       via  dde7eb0 s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
       via  a1a525e s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
       via  a42c49c s4:libcli/finddcs_cldap: allow io->in.server_address as hostname
       via  c4d51d8 s4:libcli/finddcs_cldap: try all NBT#1C addresses
       via  0e2e3ff s3:smbcacls: add --query-security-info and --set-security-info options
       via  9afba14 s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags
       via  cf60338 libcli/security: remove duplicate aces in se_create_child_secdesc()
       via  8fbe39d s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group
       via  1392326 s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid
       via  0a3396b s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
       via  8ababf4 s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
      from  057c56a s4:dsdb/tests: add SdAutoInheritTests

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 99efe8480ebb0493be93a6ca5f77a1fe640f3be0
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 02:25:40 2012 +0100

    s3:selftest: extend sids2xids test script to cope with "ID_TYPE_BOTH" mappings
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Michael Adam <obnox at samba.org>
    Autobuild-Date(master): Mon Dec  3 10:47:17 CET 2012 on sn-devel-104

commit 93c0c0749a2c3cbb1bc85e18b7dd77989a3eada8
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 08:34:43 2012 +0100

    s3:passdb: don't look into group mappings in legacy_sid_to_unixid()
    
    The backends (tdbsam and ldapsam) do this.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5fbdc5f35a122ff040c6120e2aa2cf5485e32097
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 01:44:49 2012 +0100

    s3:passdb:pdb_ldap: treat "Unix User" and "Unix Group" in sid_to_id()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a0f41294488fcf4c9dbe5e85be6539394b6d6d1a
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 01:42:38 2012 +0100

    s3:passdb:pdb_ldap: pre-validate sid with sid_check_object_is_for_passdb()
    
    instead of sid_check_sid_is_in_our_sam(). This allows for builtin sids,
    wellknown sids and "Unix User" and "Unix Group" domains.
    
    This broadens up the check moved here in commit
    02e25b2a43ae02205a3412f862a1482d24b70aa4.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 671f534e5e02adafe945a4e77813e80b5adaeb70
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 01:40:37 2012 +0100

    s3:passdb: add sid_check_object_is_for_passdb()
    
    Variant of sid_check_is_for_passdb() that only checks for objects
    in the various domains, not for the domain sids themselves.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d96aeded6193cb6381540c1073182bfb7f079025
Author: Michael Adam <obnox at samba.org>
Date:   Mon Dec 3 01:34:32 2012 +0100

    s3:passdb: factor pdb_sid_to_id_unix_users_and_groups() out of pdb_default_sid_to_id()
    
    The special treatment of the "Unix User" and "Unix Group" pseudo domains
    can be reused.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ef0ed56eb15f24db5934f174f90f65d3f5c3c526
Author: Michael Adam <obnox at samba.org>
Date:   Thu Nov 22 23:12:19 2012 +0100

    s3:passdb: don't bail out in pdb_default_sid_to_id() if sid is not in our sam
    
    This code treats the own sam, builtin, wellknown, and sids from the
    "Unix User" and "Unix Group" pseudo-domains.
    
    This reverts part of commit 02e25b2a43ae02205a3412f862a1482d24b70aa4.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 2d3f7e31411cc63d5c83337f7280fcd6d2330282
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 16:27:59 2012 +0100

    s3:winbindd: use the new sid_check_is_for_passdb() in idmap_find_domain_with_sid()
    
    This is more correct than the original one:
    It also hands the wellknown and "Unix Users" and "Unix Groups" sids to passdb
    for id mapping.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 845a14210729c6a4c39a65be00e2f8b19fc13ec0
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 16:26:28 2012 +0100

    build the new sid_check_is_for_passdb() function into passdb
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fecdf48aaf514e6cda5cd0412d7407319a3ff89f
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 12:27:00 2012 +0100

    s3:lib: add utility function sid_check_is_for_passdb()
    
    This function checks whether the given sid should be treated
    by passdb (e.g. for id mapping).
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e3ee3971403c7dac4e8e3578a60973b97451af68
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 30 15:27:15 2012 +0100

    s3:winbindd: remove unused function idmap_backends_sid_to_unixid()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7f2f29647a5d5906db5a267f614f30607d9162e3
Author: Michael Adam <obnox at samba.org>
Date:   Tue Nov 27 12:08:33 2012 +0100

    s3:test:wbinfo_sids2xids: test the results with singular calls with filled and with empty cache
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 25018d8ae6de32a2a51168a30788545646fddcae
Author: Michael Adam <obnox at samba.org>
Date:   Tue Nov 27 22:43:04 2012 +0100

    s3:test: fix initialization of WBINFO in test_wbinfo_sids2xids.sh
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit a1411a884c5361bb8b090695236724cd25857269
Author: Michael Adam <obnox at samba.org>
Date:   Mon Oct 15 16:34:02 2012 +0200

    s3:idmap_autorid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
    
    This is to remove problems with the same unix-id being used both
    as a uid and a gid.
    
    The autorid backend will map a given number to the same SID, no matter whether this
    is a uid or a gid. This will prime the idmap cache with mappings.
    The sid-to-u/gid mapping, when not going through the cache, instead checks for
    the type of the sid and only allows unix ids of the corresponding type.
    Hence the rid backend will give different results, depending on whether the
    cache is filled or not.
    
    This patch lets the autorid backend always create sid->id mappings of type both.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 55607f0f334ca5d72f35eb6b259db5283b35e86a
Author: Michael Adam <obnox at samba.org>
Date:   Mon Oct 15 16:32:25 2012 +0200

    s3:idmap_rid: force mapping type to ID_TYPE_BOTH for sid->unixid mapping
    
    This is to remove problems with the same unix-id being used both
    as a uid and a gid.
    
    The rid backend will map a given number to the same SID, no matter whether this
    is a uid or a gid. This will prime the idmap cache with mappings.
    The sid-to-u/gid mapping, when not going through the cache, instead checks for
    the type of the sid and only allows unix ids of the corresponding type.
    Hence the rid backend will give different results, depending on whether the
    cache is filled or not.
    
    This patch lets the rid backend always create sid->id mappings of type both.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c408126b47b0ce496a8b2293a8481d439b4234cf
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:53:39 2012 +0100

    s3:winbindd: remove unused idmap_sid_to_gid()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5f7a3720036c422142774ce49147328dc784fec8
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:53:04 2012 +0100

    s3:winbindd: remove unused idmap_sid_to_uid()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b47be53a1f68735b1a95d57781eaf9beea68481b
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:50:50 2012 +0100

    s3:winbindd: remove unused server implementation of wbint_Sid2Gid()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c927ff4b3641e10369f9e17b20d92d3148f55633
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:50:11 2012 +0100

    s3:winbindd: remove unused server implementation of wbint_Sid2Uid()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit aa771618718378bc3449b1caa78d1d942ff937c4
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:49:09 2012 +0100

    s3:winbindd: remove wbint_Sid2Gid from the wbint.idl
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8b73556e3f583af0a073a743f4973967aa5ad004
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:48:36 2012 +0100

    s3:winbindd: remove wbint_Sid2Uid() from the wbint.idl
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit de2cf94719fa07847b9c1b8149144bb1e36ba403
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 17:05:01 2012 +0100

    s3:winbindd: remove now unused wb_sid2uid and wb_sid2gid modules
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5e746768c8adf77551d7904f8534372f88475675
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 16:54:36 2012 +0100

    s3:winbindd: change winbindd_getgroups to use wb_sids2xids instead of wb_sid2gid
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit eb0fca9b7b06a2aebce0da3031b1af313f0c8081
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 16:44:41 2012 +0100

    s3:winbindd: change wb_getgrsid to use wb_sids2xids instead of wb_sid2gid
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 55ea9210e9b9cbb5a8b4633f492920af7eda77ab
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 16:40:48 2012 +0100

    s3:winbindd: change wb_fill_pwent to use wb_sids2xids instead of wb_sid2[ug]id
    
    We can optimize this later and just do one wb_sids2xids_send/recv call.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 46f2dfa7a51487e1b21c329dfb2e4cac3e6ada11
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 01:35:30 2012 +0100

    selftest:Samba3: provision the BUILTIN\Users group if the environment runs winbindd
    
    Note that in order to create a local group (alias), the id-allocator of
    id-mapping is needed, so this can only work if winbindd is running.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 11ca06338670c3aa1ad6928232f2c582116f42e8
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 00:18:44 2012 +0100

    selftest:Samba3: add "wbinfo -p" test to wait_for_start()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5b975ce78cc77bd9ff39e2ec0c2e7d674bf61ebe
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 00:09:43 2012 +0100

    selftest:Samba3: add nmbd, winbindd smbd arguments to wait_for_start()
    
    to make checks conditional
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f7dca55224af2cb2ac172831755246f5c9b04e0f
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 23 00:02:33 2012 +0100

    selftest:Samba3: call wait_for_start() from check_or_start()
    
    ...instead of calling the two one after another each time.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4210e08109d9bc24168740f5a8a52953c532df4a
Author: Michael Adam <obnox at samba.org>
Date:   Tue Nov 27 01:11:16 2012 +0100

    s3:winbindd: make idmap_find_domain() static.
    
    idmap_find_domain_with_sid() should be used instead
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 27f88ba2deeec8b5b0a72ef97ae84c1016532a3c
Author: Michael Adam <obnox at samba.org>
Date:   Sun Nov 25 02:13:15 2012 +0100

    s3:winbindd: also use idmap_passdb for own sam and builtin in wbint_Sids2UnixIDs()
    
    This is the way the singular calls work and how they should (currently) work.
    The two code paths need to give the same results. It is important to use
    the passdb backend, otherwise groups don't work.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 370d62578dd171c6f898f4868f382cdddb908bcf
Author: Michael Adam <obnox at samba.org>
Date:   Thu Nov 22 18:16:31 2012 +0100

    s3:winbindd: add idmap_find_domain_with_sid()
    
    This will return the passdb domain if the given sid is in our sam or builtin
    or is the domain sid of those domains. Otherwise it returns the idmap domain
    that results from the idmap configuration.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 150cfb4b97e2ee67ec1fa8fc379ac03d42002da9
Author: Michael Adam <obnox at samba.org>
Date:   Thu Nov 22 16:21:53 2012 +0100

    s3:winbindd: rename idmap_init_passdb_domain() -> idmap_passdb_domain()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ee17a516c82acbdf347c2a47e7003b6a7fb879de
Author: Michael Adam <obnox at samba.org>
Date:   Tue Nov 20 16:48:23 2012 +0100

    selftest:Samba3: provision the domain administrators group in the s3 environments
    
    I discovered that this sid / mapping is missing by working with the Sids2Uids
    code and test. I do even wonder why this test could succeed prior to my pending
    changes to the winbindd sids-to-xids code, for example against the s3:local
    environment, since the test tries to map the sid <domsid>-512.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 28e7d73bdcdf1a3d588e92eee982ff01db53d65d
Author: Michael Adam <obnox at samba.org>
Date:   Sun Nov 18 13:51:13 2012 +0100

    s3:winbindd: use struct unixid instead of uint64 in Sids2Xids parent<->child
    
    This implicitly also hands the type of the resulting unix-id that the idmap
    backend has created back to the caller. This is important for backends that
    would set a broader type than the requested one, e.g. rid backend returning
    BOTH instead of UID or GID.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit da8d0263806260fdb4973f22fc874710bd490421
Author: Michael Adam <obnox at samba.org>
Date:   Sun Nov 18 19:58:07 2012 +0100

    s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 75a752473f932f84d15ba043c9b9167db10dd572
Author: Michael Adam <obnox at samba.org>
Date:   Sun Nov 18 19:29:37 2012 +0100

    s3:winbindd: add an explanatory comment to _wbint_Sids2UnixIDs()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3e7f04b70f89d528aacfdc420b635d8aff0f4af6
Author: Michael Adam <obnox at samba.org>
Date:   Sat Nov 17 13:10:26 2012 +0100

    s3:winbindd: use wb_sids2xids instead of wb_sid2gid in winbindd_sid_to_gid
    
    The main purpose of the change is to hand the sid into the
    idmap backend and handle responsibility for handling the
    sid-type correctly to the idmap backend instead of failing
    directly when the sid is not of group type.
    
    Hence backends like rid who are sid-type agnostic, can
    return gids also for sids of other types. This is an important
    fix to make sid_to_gid behave consistently with and without
    the presence of cache entries.
    
    We need to additionally filter the result for id type GID
    or more general (BOTH) to keep the behaviour.
    
    This is a step towards using only one codepath to id_mapping.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7637c93472492f1bfd7bf46b8f855ef4818c75a9
Author: Michael Adam <obnox at samba.org>
Date:   Sat Nov 17 13:04:41 2012 +0100

    s3:winbindd: use wb_sids2xids instead of wb_sid2uid in winbindd_sid_to_uid
    
    The main purpose of the change is to hand the sid into the
    idmap backend and handle responsibility for handling the
    sid-type correctly to the idmap backend instead of failing
    directly when the sid is not of type user.
    
    Hence backends like rid who are sid-type agnostic, can
    return uids also for sids of other types. This is an important
    fix to make sid_to_uid behave consistently with and without
    the presence of cache entries.
    
    We need to additionally filter the result for id type UID
    or more general (BOTH) to keep the behaviour.
    
    This is a step towards using only one codepath to id_mapping.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8e5ce1e2d53f36fd35eb8efad7da680dcf0b1ce1
Author: Michael Adam <obnox at samba.org>
Date:   Sat Nov 17 02:30:07 2012 +0100

    s3:winbindd: factor winbindd_sids_to_xids into external and internal part
    
    - external part takes winbindd request/response structs (with sid strings)
    - internal part takes sid lists
    
    The new internal part implements functions wb_sids2xids_* that are
    moved into the new module wb_sids2xids.c.
    
    The purpose of this change is to use wb_sids2xids in winbindd_sid_to_uid
    and winbindd_sid_to_gid instead of the currently used wb_sid2uid and wb_sid2gid.
    We should just have one code path into id mapping and not several that behave
    differently.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c58c68d5ba58855098d24c54db9c0cda19db0f4b
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 16 17:49:25 2012 +0100

    s3:winbindd: convert some spaces to tabs in winbindd_sids_to_xids_send()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 349b9ac05242f87fa5afcc06c72ccc02bdb05d8b
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 9 16:09:59 2012 +0100

    s3:winbindd: add explaining comment winbindd_sids_to_xids_send()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit be033a1d165f815bbddceda46384be1f9c0c2b7f
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 9 14:09:10 2012 +0100

    s3:winbindd: factor lsa_SidType_to_id_type() out of winbindd_sids_to_xids_lookupsids_done()
    
    for readability
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit b435e668aa8b2805cd94bde37b9ddf6a7ad335f8
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 9 13:54:20 2012 +0100

    s3:winbindd: simplify winbindd_sids_to_xids_recv() a bit.
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3f0c31fbd388986d636b5701f66ed7b215a1b903
Author: Michael Adam <obnox at samba.org>
Date:   Fri Nov 9 11:32:47 2012 +0100

    s3:winbindd:util: add a comment explaining the function parse_sidlist()
    
    Signed-off-by: Michael Adam <obnox at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6f71071381ead9976f4a6d296c9a1ade385484e0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 09:57:44 2012 +0100

    s4:python/ntacl: add 'as_sddl' option to dsacl2fsacl()
    
    This allows the caller to ask for a security.descriptor instead of sddl
    by passing 'as_sddl=False'.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 06f026368e5b657394bb9e681c3d0184104bc120
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 09:28:23 2012 +0100

    s4:python/ntacl: allow string or objects for sd/sid in setntacl()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit d48d0c5bbf70394dfc6ab44ef124582fd836695f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 09:31:12 2012 +0100

    s4:samba-tool/gpo: fix the operation order when creating gpos
    
    We should do it like the windows GUI.
    
    1. create the LDAP objects
    2. query the security_descriptor of the groupPolicyContainer
    3. create the gPCFileSysPath via smb
    4. set the security_descriptor of gPCFileSysPath
    5. copy the files and directories into gPCFileSysPath
    6. modify the groupPolicyContainer and link gPCFileSysPath
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit dde7eb0d82e9b980c9b08fb4590b7e77bda0c76b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 09:31:12 2012 +0100

    s4:samba-tool/gpo: use 'gPCFileSysPath' when deleting gpos
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit a1a525e2a9b0bc20e3e06695fbcbdf0d172839a1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 09:31:12 2012 +0100

    s4:samba-tool/gpo: use the dns_domain from the server when creating gpos
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit a42c49c93acb9e480b6e174f56fb75ae0524b984
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 1 09:14:19 2012 +0100

    s4:libcli/finddcs_cldap: allow io->in.server_address as hostname
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit c4d51d8d17f04583868f1fdc82322b26bcb1c7a0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 1 08:56:57 2012 +0100

    s4:libcli/finddcs_cldap: try all NBT#1C addresses
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 0e2e3ff5e864115495be68040959838e2835e260
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 30 14:36:07 2012 +0100

    s3:smbcacls: add --query-security-info and --set-security-info options
    
    This allows the caller to specify the security_information flags.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 9afba14417ebb8e13623b62d3c81492629b92f29
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 30 13:52:53 2012 +0100

    s3:libsmb: add cli_{query,set}_security_descriptor() which take sec_info flags
    
    In order to set and get security_descriptors it's important to specify
    the sec_info flags.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit cf60338ada9b1685aaa49a41cefbe1e14040a283
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 12:33:22 2012 +0100

    libcli/security: remove duplicate aces in se_create_child_secdesc()
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 8fbe39d5134e136101425f9fc8d3d5080cbe25ba
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 30 13:33:59 2012 +0100

    s3:smbd/open: fall back to Builtin_Administrators if SYSTEM doesn't map to a group
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 139232656a5de5f1c4694bbea8554a01c677081a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 30 13:32:04 2012 +0100

    s3:smbd/open: try the primary sid (user) as group_sid if the token has just one sid
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 0a3396b53683f5efe439bfb8395e275f53108255
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 29 10:00:03 2012 +0100

    s3:smbd/open: use Builtin_Administrators as owner of files (if possible)
    
    We do this if the idmap layer resolves Builtin_Administrators
    as ID_TYPE_BOTH and if the current token has the
    Builtin_Administrators SID or it's SYSTEM.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 8ababf4367eb4faaeeda6cf66191aaf66a3a69da
Author: Stefan Metzmacher <metze at samba.org>
Date:   Sat Dec 1 15:10:38 2012 +0100

    s4:dsdb/descriptor: NULL out user_descriptor elements depending on the sd_flags
    
    A client can send a full security_descriptor while just passing
    sd_flags of SECINFO_DACL.
    
    We need to NULL out elements which will be ignored depending on
    the sd_flags and may set the old owner/group sids. Otherwise
    the calculation of the DACL/SACL can replace CREATOR_OWNER with
    the wrong sid.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/security/secdesc.c                          |   34 +++
 selftest/target/Samba3.pm                          |  137 ++++++++-----
 source3/Makefile.in                                |    4 +-
 source3/include/passdb.h                           |    3 +
 source3/lib/util_sid_passdb.c                      |  100 +++++++++
 lib/util/tsort.h => source3/lib/util_sid_passdb.h  |   38 ++--
 source3/librpc/idl/wbint.idl                       |   14 +--
 source3/libsmb/clisecdesc.c                        |   56 ++++--
 source3/libsmb/proto.h                             |    9 +
 source3/passdb/ABI/pdb-0.sigs                      |    2 +
 source3/passdb/lookup_sid.c                        |   29 +---
 source3/passdb/pdb_interface.c                     |   53 +++--
 source3/passdb/pdb_ldap.c                          |   11 +-
 source3/script/tests/test_wbinfo_sids2xids.sh      |    5 +-
 source3/script/tests/test_wbinfo_sids2xids_int.py  |   39 +++-
 source3/smbd/open.c                                |  103 +++++++++-
 source3/utils/smbcacls.c                           |   65 +++++-
 source3/winbindd/idmap.c                           |   61 ++----
 source3/winbindd/idmap_autorid.c                   |    3 +
 source3/winbindd/idmap_proto.h                     |    4 -
 source3/winbindd/idmap_rid.c                       |    2 +
 source3/winbindd/idmap_util.c                      |  148 --------------
 source3/winbindd/wb_fill_pwent.c                   |   36 +++-
 source3/winbindd/wb_getgrsid.c                     |   19 ++-
 source3/winbindd/wb_sid2gid.c                      |  167 ---------------
 source3/winbindd/wb_sid2uid.c                      |  165 ---------------
 .../{winbindd_sids_to_xids.c => wb_sids2xids.c}    |  213 ++++++++------------
 source3/winbindd/winbindd_dual_srv.c               |   47 ++---
 source3/winbindd/winbindd_getgroups.c              |   19 ++-
 source3/winbindd/winbindd_proto.h                  |   19 +-
 source3/winbindd/winbindd_sid_to_gid.c             |   18 ++-
 source3/winbindd/winbindd_sid_to_uid.c             |   18 ++-
 source3/winbindd/winbindd_sids_to_xids.c           |  211 +++-----------------
 source3/winbindd/winbindd_util.c                   |    9 +
 source3/wscript_build                              |    4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c        |   44 ++++
 source4/libcli/finddcs_cldap.c                     |   77 ++++++--
 source4/scripting/python/samba/netcmd/gpo.py       |   55 ++++--
 source4/scripting/python/samba/ntacls.py           |   22 ++-
 39 files changed, 948 insertions(+), 1115 deletions(-)
 create mode 100644 source3/lib/util_sid_passdb.c
 copy lib/util/tsort.h => source3/lib/util_sid_passdb.h (57%)
 delete mode 100644 source3/winbindd/wb_sid2gid.c
 delete mode 100644 source3/winbindd/wb_sid2uid.c
 copy source3/winbindd/{winbindd_sids_to_xids.c => wb_sids2xids.c} (51%)


Changeset truncated at 500 lines:

diff --git a/libcli/security/secdesc.c b/libcli/security/secdesc.c
index a3db1b6..d2c5833 100644
--- a/libcli/security/secdesc.c
+++ b/libcli/security/secdesc.c
@@ -679,6 +679,40 @@ NTSTATUS se_create_child_secdesc(TALLOC_CTX *ctx,
 
 	talloc_free(frame);
 
+	/*
+	 * remove duplicates
+	 */
+	for (i=1; i < new_ace_list_ndx;) {
+		struct security_ace *ai = &new_ace_list[i];
+		unsigned int remaining, j;
+		bool remove = false;
+
+		for (j=0; j < i; j++) {
+			struct security_ace *aj = &new_ace_list[j];
+
+			if (!sec_ace_equal(ai, aj)) {
+				continue;
+			}
+
+			remove = true;
+			break;
+		}
+
+		if (!remove) {
+			i++;
+			continue;
+		}
+
+		new_ace_list_ndx--;
+		remaining = new_ace_list_ndx - i;
+		if (remaining == 0) {
+			ZERO_STRUCT(new_ace_list[i]);
+			continue;
+		}
+		memmove(&new_ace_list[i], &new_ace_list[i+1],
+			sizeof(new_ace_list[i]) * remaining);
+	}
+
 	/* Create child security descriptor to return */
 	if (new_ace_list_ndx) {
 		new_dacl = make_sec_acl(ctx,
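Review bot: The "remove duplicates" comment above the new loop should say which copy survives and why duplicates can show up at this point. The loop keeps the first occurrence and shifts the later entries down with memmove(), so ACE order is preserved; since that order affects how the resulting DACL is evaluated, it is worth stating as an intended property. The local `bool remove` also shadows the C library's remove(), so a name such as `is_dup` would avoid shadow warnings. The inner search would be shorter if it set the flag and broke out directly on a `sec_ace_equal(ai, aj)` match instead of the negated test plus `continue`.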
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 28669aa..ea2e21d 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -201,10 +201,7 @@ sub setup_s3dc($$)
 
 	$vars or return undef;
 
-	$self->check_or_start($vars,
-			       "yes", "yes", "yes");
-
-	if (not $self->wait_for_start($vars)) {
+	if (not $self->check_or_start($vars, "yes", "yes", "yes")) {
 	       return undef;
 	}
 
@@ -247,9 +244,7 @@ sub setup_member($$$)
 	    return undef;
 	}
 
-	$self->check_or_start($ret, "yes", "yes", "yes");
-
-	if (not $self->wait_for_start($ret)) {
+	if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
 	       return undef;
 	}
 
@@ -320,10 +315,9 @@ sub setup_admember($$$$)
 	# access the share for tests.
 	chmod 0777, "$prefix/share";
 
-	$self->check_or_start($ret,
-			      "yes", "yes", "yes");
-
-	$self->wait_for_start($ret);
+	if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
+		return undef;
+	}
 
 	$ret->{DC_SERVER} = $dcvars->{SERVER};
 	$ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
@@ -364,9 +358,7 @@ sub setup_simpleserver($$)
 
 	$vars or return undef;
 
-	$self->check_or_start($vars, "yes", "no", "yes");
-
-	if (not $self->wait_for_start($vars)) {
+	if (not $self->check_or_start($vars, "yes", "no", "yes")) {
 	       return undef;
 	}
 
@@ -462,9 +454,7 @@ $ret->{USERNAME} = KTEST\\Administrator
 	# access the share for tests.
 	chmod 0777, "$prefix/share";
 
-	$self->check_or_start($ret, "yes", "no", "yes");
-
-	if (not $self->wait_for_start($ret)) {
+	if (not $self->check_or_start($ret, "yes", "no", "yes")) {
 	       return undef;
 	}
 	return $ret;
@@ -487,10 +477,7 @@ map to guest = bad user
 
 	$vars or return undef;
 
-	$self->check_or_start($vars,
-			       "yes", "no", "yes");
-
-	if (not $self->wait_for_start($vars)) {
+	if (not $self->check_or_start($vars, "yes", "no", "yes")) {
 	       return undef;
 	}
 
@@ -688,7 +675,7 @@ sub check_or_start($$$$$) {
 
 	close(STDIN_READER);
 
-	return 0;
+	return $self->wait_for_start($env_vars, $nmbd, $winbindd, $smbd);
 }
 
 sub provision($$$$$$)
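Review bot: The return value of check_or_start() changes meaning with the replaced `return 0;` at the end of the sub: it used to return 0 on its normal path, and the callers changed in the earlier hunks now treat a false value as failure. Any other return path inside check_or_start() that still yields 0 or an empty value will now be read as a failed start, so those paths should be checked, and a short comment above the sub should state that a true value means the daemons are up.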
@@ -816,7 +803,7 @@ sub provision($$$$$$)
 
 	my ($max_uid, $max_gid);
 	my ($uid_nobody, $uid_root, $uid_pdbtest);
-	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers);
+	my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
 
 	if ($unix_uid < 0xffff - 2) {
 		$max_uid = 0xffff;
@@ -838,6 +825,7 @@ sub provision($$$$$$)
 	$gid_nogroup = $max_gid - 2;
 	$gid_root = $max_gid - 3;
 	$gid_domusers = $max_gid - 4;
+	$gid_domadmins = $max_gid - 5;
 
 	##
 	## create conffile
@@ -1041,6 +1029,7 @@ pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
 nogroup:x:$gid_nogroup:nobody
 $unix_name-group:x:$unix_gids[0]:
 domusers:X:$gid_domusers:
+domadmins:X:$gid_domadmins:
 ";
 	if ($unix_gids[0] != 0) {
 		print GROUP "root:x:$gid_root:";
@@ -1105,43 +1094,93 @@ domusers:X:$gid_domusers:
 	return \%ret;
 }
 
-sub wait_for_start($$)
+sub wait_for_start($$$$$)
 {
-	my ($self, $envvars) = @_;
+	my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+	my $ret;
 
-	# give time for nbt server to register its names
-	print "delaying for nbt name registration\n";
-	sleep(10);
-	# This will return quickly when things are up, but be slow if we need to wait for (eg) SSL init 
-	my $nmblookup = Samba::bindir_path($self, "nmblookup3");
-	system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} __SAMBA__");
-	system("$nmblookup $envvars->{CONFIGURATION} __SAMBA__");
-	system("$nmblookup $envvars->{CONFIGURATION} -U 127.255.255.255 __SAMBA__");
-	system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} $envvars->{SERVER}");
-	system("$nmblookup $envvars->{CONFIGURATION} $envvars->{SERVER}");
+	if ($nmbd eq "yes") {
+	    # give time for nbt server to register its names
+	    print "delaying for nbt name registration\n";
+	    sleep(10);
+	    # This will return quickly when things are up, but be slow if we need to wait for (eg) SSL init 
+	    my $nmblookup = Samba::bindir_path($self, "nmblookup3");
+	    system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} __SAMBA__");
+	    system("$nmblookup $envvars->{CONFIGURATION} __SAMBA__");
+	    system("$nmblookup $envvars->{CONFIGURATION} -U 127.255.255.255 __SAMBA__");
+	    system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} $envvars->{SERVER}");
+	    system("$nmblookup $envvars->{CONFIGURATION} $envvars->{SERVER}");
+	}
+
+	if ($winbindd eq "yes") {
+	    print "checking for winbindd\n";
+	    my $count = 0;
+	    do {
+		$ret = system("WINBINDD_SOCKET_DIR=" . $envvars->{WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " -p");
+		if ($ret != 0) {
+		    sleep(2);
+		}
+		$count++;
+	    } while ($ret != 0 && $count < 10);
+	    if ($count == 10) {
+		print "WINBINDD not reachable after 20 seconds\n";
+		teardown_env($self, $envvars);
+		return 0;
+	    }
+	}
 
-	# make sure smbd is also up set
-	print "wait for smbd\n";
+	if ($smbd eq "yes") {
+	    # make sure smbd is also up set
+	    print "wait for smbd\n";
 
-	my $count = 0;
-	my $ret;
-	do {
-	    $ret = system(Samba::bindir_path($self, "smbclient3") ." $envvars->{CONFIGURATION} -L $envvars->{SERVER} -U% -p 139");
-	    if ($ret != 0) {
-		sleep(2);
+	    my $count = 0;
+	    do {
+		$ret = system(Samba::bindir_path($self, "smbclient3") ." $envvars->{CONFIGURATION} -L $envvars->{SERVER} -U% -p 139");
+		if ($ret != 0) {
+		    sleep(2);
+		}
+		$count++
+	    } while ($ret != 0 && $count < 10);
+	    if ($count == 10) {
+		print "SMBD failed to start up in a reasonable time (20sec)\n";
+		teardown_env($self, $envvars);
+		return 0;
 	    }
-	    $count++
-	} while ($ret != 0 && $count < 10);
-	if ($count == 10) {
-	    print "SMBD failed to start up in a reasonable time (20sec)\n";
-	    teardown_env($self, $envvars);
-	    return 0;
 	}
+
 	# Ensure we have domain users mapped.
 	$ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
 	if ($ret != 0) {
 	    return 1;
 	}
+	$ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=512 unixgroup=domadmins type=domain");
+	if ($ret != 0) {
+	    return 1;
+	}
+
+	if ($winbindd eq "yes") {
+	    # note: creating builtin groups requires winbindd for the
+	    # unix id allocator
+	    $ret = system("WINBINDD_SOCKET_DIR=" . $envvars->{WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} sam createbuiltingroup Users");
+	    if ($ret != 0) {
+	        print "Failed to create BUILTIN\\Users group\n";
+	        return 0;
+	    }
+	    my $count = 0;
+	    do {
+		system(Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} cache flush");
+		$ret = system("WINBINDD_SOCKET_DIR=" . $envvars->{WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545");
+		if ($ret != 0) {
+		    sleep(2);
+		}
+		$count++;
+	    } while ($ret != 0 && $count < 10);
+	    if ($count == 10) {
+		print "WINBINDD not reachable after 20 seconds\n";
+		teardown_env($self, $envvars);
+		return 0;
+	    }
+	}
 
 	print $self->getlog_env($envvars);
 
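Review bot: The retry loops in wait_for_start() decide failure with `if ($count == 10)`, so a probe that succeeds on the tenth attempt leaves `$ret == 0` and `$count == 10` and is still reported as a failure, followed by teardown_env(). Testing `$ret != 0` after each loop fixes this; it applies to the new `wbinfo -p` and `--sid-to-gid=S-1-5-32-545` loops as well as the re-indented smbd loop. The last loop also reuses the message "WINBINDD not reachable after 20 seconds" although what failed there is the BUILTIN\Users mapping. Both `groupmap add` failure paths `return 1`, which the check_or_start() callers now read as success, and a failure on rid=513 skips the new rid=512 mapping and the builtin group creation entirely. The createbuiltingroup failure path returns 0 without calling teardown_env(), unlike the other failure paths in this sub.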
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 3555687..41e97ef 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -825,6 +825,7 @@ PASSDB_GET_SET_OBJ = passdb/pdb_get_set.o
 
 PASSDB_OBJ = $(PASSDB_GET_SET_OBJ) passdb/passdb.o passdb/pdb_interface.o \
 		lib/util_wellknown.o lib/util_builtin.o passdb/pdb_compat.o \
+		lib/util_sid_passdb.o \
 		lib/util_unixsids.o passdb/lookup_sid.o \
 		passdb/login_cache.o @PDB_STATIC@ \
 		passdb/account_pol.o $(PRIVILEGES_OBJ) \
@@ -1396,10 +1397,9 @@ WINBINDD_OBJ1 = \
 		winbindd/wb_lookupsid.o \
 		winbindd/wb_lookupsids.o \
 		winbindd/wb_lookupname.o \
-		winbindd/wb_sid2uid.o \
-		winbindd/wb_sid2gid.o \
 		winbindd/wb_uid2sid.o \
 		winbindd/wb_gid2sid.o \
+		winbindd/wb_sids2xids.o \
 		winbindd/wb_queryuser.o \
 		winbindd/wb_lookupuseraliases.o \
 		winbindd/wb_lookupusergroups.o \
diff --git a/source3/include/passdb.h b/source3/include/passdb.h
index 5202bd3..908631d 100644
--- a/source3/include/passdb.h
+++ b/source3/include/passdb.h
@@ -908,6 +908,9 @@ NTSTATUS pdb_set_secret(const char *secret_name,
 			DATA_BLOB *secret_old,
 			struct security_descriptor *sd);
 NTSTATUS pdb_delete_secret(const char *secret_name);
+bool pdb_sid_to_id_unix_users_and_groups(const struct dom_sid *sid,
+					 struct unixid *id);
+
 
 /* The following definitions come from passdb/pdb_util.c  */
 
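Review bot: The new prototype pdb_sid_to_id_unix_users_and_groups() is added without a comment saying what a false return means (a SID outside the Unix Users and Unix Groups domains versus a lookup that failed) or whether `*id` is modified on failure; one descriptive line here would help callers. The hunk also adds a blank line after the prototype where one already exists, leaving two consecutive blank lines before the pdb_util.c section comment.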
diff --git a/source3/lib/util_sid_passdb.c b/source3/lib/util_sid_passdb.c
new file mode 100644
index 0000000..33fb542
--- /dev/null
+++ b/source3/lib/util_sid_passdb.c
@@ -0,0 +1,100 @@
+/*
+   Unix SMB/CIFS implementation.
+   sid utility functions
+
+   Copyright (C) Michael Adam 2012
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "lib/util_sid_passdb.h"
+#include "passdb/machine_sid.h"
+
+/**
+ * check whether this is an object-sid that should
+ * be treated by the passdb, e.g. for id-mapping.
+ */
+bool sid_check_object_is_for_passdb(const struct dom_sid *sid)
+{
+	if (sid_check_is_in_our_sam(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_builtin(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_wellknown_domain(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_unix_users(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_unix_groups(sid)) {
+		return true;
+	}
+
+	return false;
+}
+/**
+ * check whether this is an object- or domain-sid that should
+ * be treated by the passdb, e.g. for id-mapping.
+ */
+bool sid_check_is_for_passdb(const struct dom_sid *sid)
+{
+	if (sid_check_is_our_sam(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_our_sam(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_builtin(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_builtin(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_wellknown_domain(sid, NULL)) {
+		return true;
+	}
+
+	if (sid_check_is_in_wellknown_domain(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_unix_users(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_unix_users(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_unix_groups(sid)) {
+		return true;
+	}
+
+	if (sid_check_is_in_unix_groups(sid)) {
+		return true;
+	}
+
+	return false;
+}
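Review bot: sid_check_is_for_passdb() repeats all five `sid_check_is_in_*` tests from sid_check_object_is_for_passdb(), so the two lists can drift apart when a domain is added to one function and not the other. These predicates decide which SIDs are handed to the passdb for id-mapping, so a mismatch would change mapping behaviour silently; have the second function call sid_check_object_is_for_passdb() first and then test only the five domain-SID cases. A blank line is missing between the closing brace of the first function and the doc comment of the second, and neither comment says what is expected for a NULL `sid`.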
diff --git a/lib/util/tsort.h b/source3/lib/util_sid_passdb.h
similarity index 57%
copy from lib/util/tsort.h
copy to source3/lib/util_sid_passdb.h
index 811d6cd..381d63c 100644
--- a/lib/util/tsort.h
+++ b/source3/lib/util_sid_passdb.h
@@ -1,9 +1,8 @@
 /*
    Unix SMB/CIFS implementation.
+   sid utility functions
 
-   typesafe qsort
-
-   Copyright (C) Andrew Tridgell 2010
+   Copyright (C) Michael Adam 2012
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -17,24 +16,21 @@
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
+ */
 
-#ifndef _TSORT_H
-#define _TSORT_H
-#include <assert.h>
+#ifndef __LIB_UTIL_SID_PASSDB_H__
+#define __LIB_UTIL_SID_PASSDB_H__
 
-/*
-  a wrapper around qsort() that ensures the comparison function is
-  type safe.
+/**
+ * check whether this is an object-sid that should
+ * be treated by the passdb, e.g. for id-mapping.
  */
-#ifndef TYPESAFE_QSORT
-#define TYPESAFE_QSORT(base, numel, comparison) \
-do { \
-	if (numel > 1) { \
-		qsort(base, numel, sizeof((base)[0]), (int (*)(const void *, const void *))comparison); \
-		assert(comparison(&((base)[0]), &((base)[1])) <= 0); \
-	} \
-} while (0)
-#endif
-
-#endif
+bool sid_check_object_is_for_passdb(const struct dom_sid *sid);
+
+/**
+ * check whether this is an object- or domain-sid that should
+ * be treated by the passdb, e.g. for id-mapping.
+ */
+bool sid_check_is_for_passdb(const struct dom_sid *sid);
+
+#endif /* __LIB_UTIL_SID_PASSDB_H__ */
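Review bot: The new header declares two functions that take `const struct dom_sid *` and return `bool`, but the visible lines drop the only `#include` and add neither an include nor a forward declaration, so the header compiles only when something else has already provided both. A `struct dom_sid;` forward declaration plus an include that provides `bool` would make it self-contained. The guard name `__LIB_UTIL_SID_PASSDB_H__` begins with a double underscore, which C reserves for the implementation; `_LIB_UTIL_SID_PASSDB_H_`-style names have the same problem, so something like `LIB_UTIL_SID_PASSDB_H` is safer.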
diff --git a/source3/librpc/idl/wbint.idl b/source3/librpc/idl/wbint.idl
index 159af76..f05107a 100644
--- a/source3/librpc/idl/wbint.idl
+++ b/source3/librpc/idl/wbint.idl
@@ -37,23 +37,11 @@ interface wbint
 	[out] dom_sid *sid
 	);
 
-    NTSTATUS wbint_Sid2Uid(
-	[in,unique,string,charset(UTF8)] char *dom_name,
-	[in] dom_sid *sid,
-	[out] hyper *uid
-	);
-
-    NTSTATUS wbint_Sid2Gid(
-	[in,unique,string,charset(UTF8)] char *dom_name,
-	[in] dom_sid *sid,
-	[out] hyper *gid
-	);
-
     typedef struct {
 	id_type type;
 	uint32 domain_index;
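Review bot: wbint_Sid2Uid and wbint_Sid2Gid are deleted from the middle of the interface, which renumbers every operation declared after them. That is safe only when both ends of the wbint pipe are always built from the same tree; the commit message should say so, or the removed slots should be noted so nobody later assumes the operation numbers are stable.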


-- 
Samba Shared Repository

