[PATCH] store SID's in SAM_ACCOUNT

Stefan (metze) Metzmacher metze at metzemix.de
Mon Jun 3 02:15:03 GMT 2002


Hi Andrew and Simo,

Here's a new version of my patch.

I've tested the patch and didn't find a bug.

I fixed a bug from the last patch:
         - Error while setting up the group SID when the unix group is mapped to 
S-1-5-32-xxx (Builtin)

Note: sid-04.diff and sid-04-Make.diff both have to be applied to get things 
to compile... :-)

metze



Code Patch:
------------------------------------------------------------------

diff -Nur HEAD/source/include/sids.h HEAD-fix/source/include/sids.h
--- HEAD/source/include/sids.h  Wed Jan 30 07:08:15 2002
+++ HEAD-fix/source/include/sids.h      Wed May 29 14:27:26 2002
@@ -23,7 +23,7 @@
  #ifndef _SIDS_H
  #define _SIDS_H

-extern DOM_SID global_sam_sid;
+extern DOM_SID *global_sam_sid;
  extern fstring global_sam_name;

  extern DOM_SID global_member_sid;
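Review bot: Changing `global_sam_sid` from an object to a pointer in this header is not checked by the linker, so any file that still carries its own `extern DOM_SID global_sam_sid;` would build cleanly and read the pointer's bytes as a SID. This patch removes such local declarations from passdb.c, nt_printing.c, srv_lsa_nt.c and srv_netlog_nt.c, but files outside the patch cannot be checked from here. Since `get_global_sam_sid()` is added as the accessor, consider dropping this extern and keeping the variable private to the file that fills it, so a stale declaration fails at link time instead of producing wrong SIDs at run time.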
diff -Nur HEAD/source/include/smb.h HEAD-fix/source/include/smb.h
--- HEAD/source/include/smb.h   Mon Jun  3 09:20:20 2002
+++ HEAD-fix/source/include/smb.h       Mon Jun  3 09:20:46 2002
@@ -624,8 +624,8 @@

                 uid_t uid;          /* this is a unix uid_t */
                 gid_t gid;          /* this is a unix gid_t */
-               uint32 user_rid;    /* Primary User ID */
-               uint32 group_rid;   /* Primary Group ID */
+               DOM_SID user_sid;    /* Primary User SID */
+               DOM_SID group_sid;   /* Primary Group SID */

                 DATA_BLOB lm_pw; /* .data is Null if no password */
                 DATA_BLOB nt_pw; /* .data is Null if no password */
diff -Nur HEAD/source/nsswitch/winbindd_ads.c 
HEAD-fix/source/nsswitch/winbindd_ads.c
--- HEAD/source/nsswitch/winbindd_ads.c Mon Jun  3 09:20:24 2002
+++ HEAD-fix/source/nsswitch/winbindd_ads.c     Mon Jun  3 09:20:48 2002
@@ -273,7 +273,7 @@
                         continue;
                 }

-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
                         DEBUG(1,("No rid for %s !?\n", name));
                         continue;
                 }
@@ -356,7 +356,7 @@
                         continue;
                 }

-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
                         DEBUG(1,("No rid for %s !?\n", name));
                         continue;
                 }
@@ -584,7 +584,7 @@
                 goto done;
         }

-       if (!sid_peek_rid(&sid, &info->user_rid)) {
+       if (!sid_peek_rid(&domain->sid,&sid, &info->user_rid)) {
                 DEBUG(1,("No rid for %d !?\n", user_rid));
                 goto done;
         }
@@ -662,7 +662,7 @@

         for (i=1;i<count;i++) {
                 uint32 rid;
-               if (!sid_peek_rid(&sids[i-1], &rid)) continue;
+               if (!sid_peek_rid(&domain->sid,&sids[i-1], &rid)) continue;
                 (*user_gids)[*num_groups] = rid;
                 (*num_groups)++;
         }
@@ -737,7 +737,7 @@
                         DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
                         continue;
                 }
-               if (!sid_peek_rid(&sid, &rid)) {
+               if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
                         DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
                         continue;
                 }
diff -Nur HEAD/source/nsswitch/winbindd_cache.c 
HEAD-fix/source/nsswitch/winbindd_cache.c
--- HEAD/source/nsswitch/winbindd_cache.c       Mon Apr 29 08:26:40 2002
+++ HEAD-fix/source/nsswitch/winbindd_cache.c   Fri May 31 11:56:46 2002
@@ -648,7 +648,8 @@
         NTSTATUS status;
         uint32 rid = 0;

-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(&domain->sid,sid, &rid))
+               return NT_STATUS_NO_SUCH_USER;

         if (!cache->tdb) goto do_query;

diff -Nur HEAD/source/nsswitch/winbindd_group.c 
HEAD-fix/source/nsswitch/winbindd_group.c
--- HEAD/source/nsswitch/winbindd_group.c       Tue Apr  2 07:28:07 2002
+++ HEAD-fix/source/nsswitch/winbindd_group.c   Fri May 31 10:25:23 2002
@@ -228,7 +228,8 @@
         }

         /* Fill in group structure */
-       sid_peek_rid(&group_sid, &group_rid);
+       if(!sid_peek_rid(&domain->sid,&group_sid, &group_rid))
+               return WINBINDD_ERROR;

         if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) {
                 DEBUG(1, ("error converting unix gid to sid\n"));
diff -Nur HEAD/source/passdb/machine_sid.c HEAD-fix/source/passdb/machine_sid.c
--- HEAD/source/passdb/machine_sid.c    Tue May 21 14:07:16 2002
+++ HEAD-fix/source/passdb/machine_sid.c        Fri May 31 10:10:55 2002
@@ -4,6 +4,7 @@
     Copyright (C) Jeremy Allison                1996-2002
     Copyright (C) Andrew Tridgell               2002
     Copyright (C) Gerald (Jerry) Carter         2000
+   Copyright (C) Stefan (metze) Metzmacher     2002

     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -77,6 +78,10 @@
         extern fstring global_myworkgroup;
         BOOL is_dc = False;

+       if(global_sam_sid==NULL)
+               if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
+                       return False;
+
         generate_wellknown_sids();

         switch (lp_server_role()) {
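Review bot: The pointer is published in `global_sam_sid` before the SID behind it is known to be good, and the `malloc` buffer starts out uninitialised. Every later `return False` in pdb_generate_sam_sid() leaves the pointer non-NULL, so the `if(global_sam_sid!=NULL) return global_sam_sid;` shortcut in get_global_sam_sid() keeps handing out a SID that this function reported as failed. One example is a freshly generated random SID that could not be written to secrets.tdb and will differ after the next restart. Fill a local `DOM_SID` and assign the pointer only on the success paths, or call `SAFE_FREE(global_sam_sid);` before each failure return. The nested `if` pair would also read better with braces; the function body continues outside this hunk.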
@@ -89,7 +94,7 @@
                 break;
         }

-       if (secrets_fetch_domain_sid(global_myname, &global_sam_sid)) {
+       if (secrets_fetch_domain_sid(global_myname, global_sam_sid)) {
                 DOM_SID domain_sid;

                 /* We got our sid. If not a pdc/bdc, we're done. */
@@ -100,19 +105,19 @@

                         /* No domain sid and we're a pdc/bdc. Store it */

-                       if (!secrets_store_domain_sid(global_myworkgroup, 
&global_sam_sid)) {
+                       if (!secrets_store_domain_sid(global_myworkgroup, 
global_sam_sid)) {
                                 DEBUG(0,("pdb_generate_sam_sid: Can't 
store domain SID as a pdc/bdc.\n"));
                                 return False;
                         }
                         return True;
                 }

-               if (!sid_equal(&domain_sid, &global_sam_sid)) {
+               if (!sid_equal(&domain_sid, global_sam_sid)) {

                         /* Domain name sid doesn't match global sam sid. 
Re-store global sam sid as domain sid. */

                         DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as 
a pdc/bdc.\n"));
-                       if (!secrets_store_domain_sid(global_myworkgroup, 
&global_sam_sid)) {
+                       if (!secrets_store_domain_sid(global_myworkgroup, 
global_sam_sid)) {
                                 DEBUG(0,("pdb_generate_sam_sid: Can't 
re-store domain SID as a pdc/bdc.\n"));
                                 return False;
                         }
@@ -126,24 +131,23 @@
         /* check for an old MACHINE.SID file for backwards compatibility */
         asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());

-       if (read_sid_from_file(fname, &global_sam_sid)) {
+       if (read_sid_from_file(fname, global_sam_sid)) {
                 /* remember it for future reference and unlink the old 
MACHINE.SID */
-               if (!secrets_store_domain_sid(global_myname, 
&global_sam_sid)) {
+               if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
                         DEBUG(0,("pdb_generate_sam_sid: Failed to store 
SID from file.\n"));
                         SAFE_FREE(fname);
                         return False;
                 }
                 unlink(fname);
                 if (is_dc) {
-                       if (!secrets_store_domain_sid(global_myworkgroup, 
&global_sam_sid)) {
+                       if (!secrets_store_domain_sid(global_myworkgroup, 
global_sam_sid)) {
                                 DEBUG(0,("pdb_generate_sam_sid: Failed to 
store domain SID from file.\n"));
                                 SAFE_FREE(fname);
                                 return False;
                         }
                 }

-               /* Stored the old sid from MACHINE.SID successfully.
-                       Patch from Stefan "metze" Metzmacher 
<metze at metzemix.de>*/
+               /* Stored the old sid from MACHINE.SID successfully.*/
                 SAFE_FREE(fname);
                 return True;
         }
@@ -152,14 +156,14 @@

         /* we don't have the SID in secrets.tdb, we will need to
             generate one and save it */
-       generate_random_sid(&global_sam_sid);
+       generate_random_sid(global_sam_sid);

-       if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
+       if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
                 DEBUG(0,("pdb_generate_sam_sid: Failed to store generated 
machine SID.\n"));
                 return False;
         }
         if (is_dc) {
-               if (!secrets_store_domain_sid(global_myworkgroup, 
&global_sam_sid)) {
+               if (!secrets_store_domain_sid(global_myworkgroup, 
global_sam_sid)) {
                         DEBUG(0,("pdb_generate_sam_sid: Failed to store 
generated domain SID.\n"));
                         return False;
                 }
@@ -167,3 +171,17 @@

         return True;
  }
+
+/* return our global_sam_sid */
+DOM_SID *get_global_sam_sid(void)
+{
+       if(global_sam_sid!=NULL)
+               return global_sam_sid;
+
+       /* memory for global_sam_sid is allocated in
+          pdb_generate_sam_sid() is needed*/
+       if(!pdb_generate_sam_sid())
+               global_sam_sid=NULL;
+
+       return global_sam_sid;
+}
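Review bot: get_global_sam_sid() can return NULL, and none of the call sites converted in this patch test for it: `sid_copy(..., get_global_sam_sid())` in passdb.c, pdb_get_set.c, nt_printing.c and srv_lsa_nt.c, and `info->sid = *(get_global_sam_sid());` in srv_lsa_nt.c, which dereferences the result directly in the LSA server code. Either make failure here fatal, so callers may rely on a non-NULL return, or check the result at each call site. The failure branch also overwrites the pointer allocated by pdb_generate_sam_sid() without freeing it; `SAFE_FREE(global_sam_sid);` would release and clear it in one step. The comment above that branch is garbled and could read `/* pdb_generate_sam_sid() allocates global_sam_sid */`.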
diff -Nur HEAD/source/passdb/passdb.c HEAD-fix/source/passdb/passdb.c
--- HEAD/source/passdb/passdb.c Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/passdb.c     Mon Jun  3 09:16:00 2002
@@ -26,13 +26,6 @@
  #undef DBGC_CLASS
  #define DBGC_CLASS DBGC_PASSDB

-/*
- * This is set on startup - it defines the SID for this
- * machine, and therefore the SAM database for which it is
- * responsible.
- */
-
-extern DOM_SID global_sam_sid;
  extern pstring global_myname;

  /************************************************************
@@ -157,7 +150,6 @@
  NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
  {
         GROUP_MAP map;
-       uint32 rid;

         if (!pwd) {
                 return NT_STATUS_UNSUCCESSFUL;
@@ -185,18 +177,23 @@
            -- abartlet 11-May-02
         */

-       pdb_set_user_rid(sam_account,
+       pdb_set_user_sid_from_rid(sam_account,
                          fallback_pdb_uid_to_user_rid(pwd->pw_uid));

         /* call the mapping code here */
         if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-               sid_peek_rid(&map.sid, &rid);
+               if(!pdb_set_group_sid(sam_account,&map.sid)){
+                       DEBUG(0,("Can't set Group SID\n"));
+                       return NT_STATUS_NO_SUCH_GROUP;
+               }
         }
         else {
-               rid=pdb_gid_to_group_rid(pwd->pw_gid);
+ 
if(!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) 
{
+                       DEBUG(0,("Can't set Group SID\n"));
+                       return NT_STATUS_NO_SUCH_GROUP;
+               }
         }

-       pdb_set_group_rid(sam_account, rid);

         /* check if this is a user account or a machine account */
         if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
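Review bot: The result of `pdb_set_user_sid_from_rid()` at the top of this hunk is ignored, while both group setters below it are checked. The old RID setters could only fail on a NULL account; the new ones also fail when `sid_append_rid()` fails, which leaves `user_sid` unset while the function carries on. Check it the same way, e.g. `if(!pdb_set_user_sid_from_rid(sam_account, fallback_pdb_uid_to_user_rid(pwd->pw_uid))) return NT_STATUS_NO_SUCH_USER;`. The same unchecked pattern appears in the converted calls in the copy routines later in passdb.c and in pdb_ldap.c, pdb_nisplus.c, pdb_smbpasswd.c and pdb_tdb.c. pdb_fill_sam_pw's body continues outside the hunk.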
@@ -456,39 +453,6 @@
         return (True);
  }

-#if 0 /* seem it is not used by anyone */
-/*******************************************************************
- Group and User RID username mapping function
- ********************************************************************/
-
-BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
-{
-       GROUP_MAP map;
-       struct passwd *pw = Get_Pwnam(user_name);
-
-       if (u_rid == NULL || g_rid == NULL || user_name == NULL)
-               return False;
-
-       if (!pw) {
-               DEBUG(1,("Username %s is invalid on this system\n", 
user_name));
-               return False;
-       }
-
-       /* turn the unix UID into a Domain RID.  this is what the posix
-          sub-system does (adds 1000 to the uid) */
-       *u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid);
-
-       /* absolutely no idea what to do about the unix GID to Domain RID 
mapping */
-       /* map it ! */
-       if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-               sid_peek_rid(&map.sid, g_rid);
-       } else
-               *g_rid = pdb_gid_to_group_rid(pw->pw_gid);
-
-       return True;
-}
-#endif /* seem it is not used by anyone */
-
  /*******************************************************************
   Converts NT user RID to a UNIX uid.
   ********************************************************************/
@@ -579,7 +543,11 @@
         SAM_ACCOUNT *sam_account = NULL;
         GROUP_MAP map;

-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid)){
+               DEBUG(0,("local_sid_to_gid: sid_peek_rid return False! SID: 
%s\n",
+                       sid_string_static(&map.sid)));
+               return False;
+       }
         *psid_name_use = SID_NAME_UNKNOWN;

         DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned 
int)rid));
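Review bot: The new failure message prints `sid_string_static(&map.sid)`, but `map` is the local `GROUP_MAP` declared two lines above and not yet filled, so the log line formats uninitialised stack memory. It also names `local_sid_to_gid`, while the next DEBUG in the same function says `local_lookup_sid`; the text looks copied from the later local_sid_to_gid hunk. Log the argument that actually failed instead: `sid_string_static(sid)` with the prefix `local_lookup_sid:`.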
@@ -699,7 +667,7 @@

         fstrcpy(user, c_user);

-       sid_copy(&local_sid, &global_sam_sid);
+       sid_copy(&local_sid, get_global_sam_sid());

         /*
          * Special case for MACHINE\Everyone. Map to the world_sid.
@@ -725,10 +693,9 @@
         }

         if (pdb_getsampwnam(sam_account, user)) {
-               sid_append_rid( &local_sid, pdb_get_user_rid(sam_account));
+               sid_copy(psid,(DOM_SID *)pdb_get_user_sid(sam_account));
                 *psid_name_use = SID_NAME_USER;

-               sid_copy( psid, &local_sid);
                 pdb_free_sam(&sam_account);
                 return True;
         }
@@ -787,12 +754,11 @@

  DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
  {
-       extern DOM_SID global_sam_sid;
         struct passwd *pass;
         SAM_ACCOUNT *sam_user = NULL;
         fstring str; /* sid string buffer */

-       sid_copy(psid, &global_sam_sid);
+       sid_copy(psid, get_global_sam_sid());

         if((pass = getpwuid_alloc(uid))) {

@@ -802,7 +768,7 @@
                 }

                 if (pdb_getsampwnam(sam_user, pass->pw_name)) {
-                       sid_append_rid(psid, pdb_get_user_rid(sam_user));
+                       sid_copy(psid,(DOM_SID *) pdb_get_user_sid(sam_user));
                 } else {
                         sid_append_rid(psid, 
fallback_pdb_uid_to_user_rid(uid));
                 }
@@ -830,7 +796,6 @@

  BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE 
*name_type)
  {
-       extern DOM_SID global_sam_sid;

         DOM_SID dom_sid;
         uint32 rid;
@@ -846,7 +811,7 @@
          * We can only convert to a uid if this is our local
          * Domain SID (ie. we are the controling authority).
          */
-       if (!sid_equal(&global_sam_sid, &dom_sid))
+       if (!sid_equal(get_global_sam_sid(), &dom_sid))
                 return False;

         if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
@@ -878,10 +843,9 @@

  DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
  {
-       extern DOM_SID global_sam_sid;
         GROUP_MAP map;

-       sid_copy(psid, &global_sam_sid);
+       sid_copy(psid, get_global_sam_sid());

         if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
                 sid_copy(psid, &map.sid);
@@ -899,7 +863,6 @@

  BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE 
*name_type)
  {
-       extern DOM_SID global_sam_sid;
         DOM_SID dom_sid;
         uint32 rid;
         fstring str;
@@ -917,7 +880,7 @@
          * Or in the Builtin SID too. JFM, 11/30/2001
          */

-       if (!sid_equal(&global_sam_sid, &dom_sid))
+       if (!sid_equal(get_global_sam_sid(), &dom_sid))
                 return False;

         if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
@@ -926,7 +889,11 @@
                 if (map.gid==-1)
                         return False;

-               sid_peek_rid(&map.sid, &rid);
+               if(!sid_peek_rid(NULL,&map.sid, &rid)){
+                       DEBUG(0,("local_sid_to_gid: sid_peek_rid return 
False! SID: %s\n",
+                               sid_string_static(&map.sid)));
+                       return False;
+               }
                 *pgid = map.gid;
                 *name_type = map.sid_name_use;
                 DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid 
(%u).\n", sid_to_string( str, psid),
@@ -1002,9 +969,9 @@
                 pdb_set_munged_dial(to   , 
pdb_unistr2_convert(&from->uni_munged_dial ));

         if (from->user_rid)
-               pdb_set_user_rid(to, from->user_rid);
+               pdb_set_user_sid_from_rid(to, from->user_rid);
         if (from->group_rid)
-               pdb_set_group_rid(to, from->group_rid);
+               pdb_set_group_sid_from_rid(to, from->group_rid);

         pdb_set_acct_ctrl(to, from->acb_info);
         pdb_set_unknown_3(to, from->unknown_3);
@@ -1057,9 +1024,9 @@
                 pdb_set_munged_dial(to   , 
pdb_unistr2_convert(&from->uni_munged_dial ));

         if (from->user_rid)
-               pdb_set_user_rid(to, from->user_rid);
+               pdb_set_user_sid_from_rid(to, from->user_rid);
         if (from->group_rid)
-               pdb_set_group_rid(to, from->group_rid);
+               pdb_set_group_sid_from_rid(to, from->group_rid);

         /* FIXME!!  Do we need to copy the passwords here as well?
            I don't know.  Need to figure this out   --jerry */
diff -Nur HEAD/source/passdb/pdb_get_set.c HEAD-fix/source/passdb/pdb_get_set.c
--- HEAD/source/passdb/pdb_get_set.c    Tue May 21 14:07:17 2002
+++ HEAD-fix/source/passdb/pdb_get_set.c        Fri May 31 13:12:04 2002
@@ -5,6 +5,7 @@
     Copyright (C) Luke Kenneth Casson Leighton  1996-1998
     Copyright (C) Gerald (Jerry) Carter         2000-2001
     Copyright (C) Andrew Bartlett               2001-2002
+   Copyright (C) Stefan (metze) Metzmacher     2002

     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -155,21 +156,35 @@
         else
                 return (NULL);
  }
+const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
+{
+       return &sampass->private.user_sid;
+}
+
+const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
+{
+       return &sampass->private.group_sid;
+}

  uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
  {
+       uint32 u_rid;
+
         if (sampass)
-               return (sampass->private.user_rid);
-       else
-               return (-1);
+               if(sid_peek_rid(NULL,(DOM_SID 
*)pdb_get_user_sid(sampass),&u_rid))
+                       return u_rid;
+
+       return (-1);
  }

  uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
  {
+       uint32 g_rid;
+
         if (sampass)
-               return (sampass->private.group_rid);
-       else
-               return (-1);
+               if(sid_peek_rid(NULL,(DOM_SID 
*)pdb_get_group_sid(sampass),&g_rid))
+                       return g_rid;
+       return (-1);
  }

  /**
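Review bot: `pdb_get_user_sid()` and `pdb_get_group_sid()` dereference `sampass` without a NULL test, unlike the RID getters directly below them, which still check `if (sampass)`. Add `if (!sampass) return NULL;` to both so a NULL account yields NULL rather than an offset from a null pointer. The `(DOM_SID *)` casts in the RID getters drop the `const` these accessors just added. Const-qualifying the SID parameter of `sid_peek_rid()` would remove the need for them, though its new definition is not part of this patch.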
@@ -487,27 +502,71 @@

  }

-BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
+BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid)
+{
+       if(!sampass||!u_sid)
+               return False;
+
+       sid_copy(&sampass->private.user_sid,u_sid);
+
+       DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n",
+                   sid_string_static(&sampass->private.user_sid)));
+
+       return True;
+}
+
+BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid)
+{
+       if (!sampass||!g_sid)
+               return False;
+
+       sid_copy(&sampass->private.group_sid,g_sid);
+
+       DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n",
+                   sid_string_static(&sampass->private.group_sid)));
+
+       return True;
+}
+
+BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid)
  {
+       DOM_SID u_sid;
+
         if (!sampass)
                 return False;

-       DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n",
-                  rid, sampass->private.user_rid));
-
-       sampass->private.user_rid = rid;
+       sid_copy(&u_sid,get_global_sam_sid());
+
+       if(!sid_append_rid(&u_sid,rid))
+               return False;
+
+       if(!pdb_set_user_sid(sampass,&u_sid))
+               return False;
+
+       DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from 
rid %d\n",
+                   sid_string_static(&u_sid),rid));
+
         return True;
  }

-BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
+BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid)
  {
+       DOM_SID g_sid;
+
         if (!sampass)
                 return False;
+
+       sid_copy(&g_sid,get_global_sam_sid());
+
+       if(!sid_append_rid(&g_sid,grid))
+               return False;
+
+       if(!pdb_set_group_sid(sampass,&g_sid))
+               return False;
+
+       DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s 
from rid %d\n",
+                   sid_string_static(&g_sid),grid));

-       DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n",
-                  grid, sampass->private.group_rid));
-
-       sampass->private.group_rid = grid;
         return True;
  }
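Review bot: Both `*_from_rid` DEBUG lines print the `uint32` RID with `%d`, so RIDs above INT_MAX show up negative in the log; use `%u` with an `(unsigned int)` cast, as the `local_lookup_sid` message in passdb.c does. The new setters would also benefit from a short comment stating that the SID is always built from the local SAM domain SID, e.g. `/* builds <local SAM SID>-<rid>; use pdb_set_user_sid() for a SID from another domain */`. That matters to backends that previously stored only a RID and now get a domain chosen for them.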

diff -Nur HEAD/source/passdb/pdb_ldap.c HEAD-fix/source/passdb/pdb_ldap.c
--- HEAD/source/passdb/pdb_ldap.c       Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/pdb_ldap.c   Fri May 31 10:31:24 2002
@@ -624,7 +624,8 @@
                         GROUP_MAP map;
                         /* call the mapping code here */
                         if(get_group_map_from_gid(gid, &map, 
MAPPING_WITHOUT_PRIV)) {
-                               sid_peek_rid(&map.sid, &group_rid);
+                               if(!sid_peek_rid(NULL,&map.sid, &group_rid))
+                                       return False;
                         }
                         else {
                                 group_rid=pdb_gid_to_group_rid(gid);
@@ -780,8 +781,8 @@
         pdb_set_hours_len(sampass, hours_len);
         pdb_set_logon_divs(sampass, logon_divs);

-       pdb_set_user_rid(sampass, user_rid);
-       pdb_set_group_rid(sampass, group_rid);
+       pdb_set_user_sid_from_rid(sampass, user_rid);
+       pdb_set_group_sid_from_rid(sampass, group_rid);

         pdb_set_username(sampass, username);

@@ -1273,7 +1274,8 @@
  static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, 
SAM_ACCOUNT * user, DOM_SID *sid)
  {
         uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid))
+               return False;
         return ldapsam_getsampwrid(my_methods, user, rid);
  }
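Review bot: Passing `NULL` as the new first argument of `sid_peek_rid()` appears to mean the SID's domain part is not compared with anything before the account is looked up by RID alone. This assumes NULL disables the comparison, as the `&domain->sid` calls in the winbindd hunks suggest; the new sid_peek_rid() itself is not part of this patch. A SID from a foreign domain whose last sub-authority matches a local RID would then resolve to the local account. Consider `sid_peek_rid(get_global_sam_sid(), sid, &rid)` here so only SIDs in the local SAM domain are accepted. The same applies to pdb_getsampwsid in pdb_nisplus.c and to smbpasswd_getsampwsid, tdbsam_getsampwsid and unixsam_getsampwsid.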

diff -Nur HEAD/source/passdb/pdb_nisplus.c HEAD-fix/source/passdb/pdb_nisplus.c
--- HEAD/source/passdb/pdb_nisplus.c    Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/pdb_nisplus.c        Fri May 31 10:32:18 2002
@@ -339,8 +339,8 @@

    pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID)));
    pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID)));
-  pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
-  pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
+  pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
+  pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));

    /* values, must exist for user */
    if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) {
@@ -381,7 +381,7 @@
    else
    {
      /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
-    pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS);
+    pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS);
    }

    /* Check the lanman password column. */
@@ -538,7 +538,8 @@

                 if (rid==0) {
                         if (get_group_map_from_gid(pdb_get_gid(sampass), 
&map, MAPPING_WITHOUT_PRIV)) {
-                               sid_peek_rid(&map.sid, &rid);
+                               if(!sid_peek_rid(NULL,&map.sid, &rid))
+                                       return False;
                         } else
                                 rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
                 }
@@ -1034,7 +1035,8 @@
  BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid)
  {
         uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid))
+               return False;
         return pdb_getsampwrid(user, rid);
  }

diff -Nur HEAD/source/passdb/pdb_smbpasswd.c 
HEAD-fix/source/passdb/pdb_smbpasswd.c
--- HEAD/source/passdb/pdb_smbpasswd.c  Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_smbpasswd.c      Fri May 31 10:32:39 2002
@@ -1242,14 +1242,14 @@
             && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid)
             && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {

-               pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid 
(pw_buf->smb_userid));
+               pdb_set_user_sid_from_rid(sam_pass, 
fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));

                 /* lkclXXXX this is OBSERVED behaviour by NT PDCs, 
enforced here.

                    This was down the bottom for machines, but it looks 
pretty good as
                    a general default for non-unix users. --abartlet 2002-01-08
                 */
-               pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
+               pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS);
                 pdb_set_username (sam_pass, pw_buf->smb_name);
                 pdb_set_domain (sam_pass, lp_workgroup());
         } else {
@@ -1458,7 +1458,8 @@
  static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, 
SAM_ACCOUNT * user, DOM_SID *sid)
  {
         uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid))
+               return False;
         return smbpasswd_getsampwrid(my_methods, user, rid);
  }

diff -Nur HEAD/source/passdb/pdb_tdb.c HEAD-fix/source/passdb/pdb_tdb.c
--- HEAD/source/passdb/pdb_tdb.c        Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_tdb.c    Fri May 31 10:32:55 2002
@@ -246,8 +246,8 @@
                 }
         }

-       pdb_set_user_rid(sampass, user_rid);
-       pdb_set_group_rid(sampass, group_rid);
+       pdb_set_user_sid_from_rid(sampass, user_rid);
+       pdb_set_group_sid_from_rid(sampass, group_rid);
         pdb_set_unknown_3(sampass, unknown_3);
         pdb_set_hours_len(sampass, hours_len);
         pdb_set_unknown_5(sampass, unknown_5);
@@ -671,7 +671,8 @@
  static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, 
SAM_ACCOUNT * user, DOM_SID *sid)
  {
         uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid))
+               return False;
         return tdbsam_getsampwrid(my_methods, user, rid);
  }

@@ -775,7 +776,7 @@
                                                 goto done;
                                         }
                                 }
-                               pdb_set_user_rid(newpwd, user_rid);
+                               pdb_set_user_sid_from_rid(newpwd, user_rid);
                         } else {
                                 user_rid = tdb_state->low_nua_rid;
                                 tdb_ret = 
tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, 
RID_MULTIPLIER);
@@ -788,7 +789,7 @@
                                         ret = False;
                                         goto done;
                                 }
-                               pdb_set_user_rid(newpwd, user_rid);
+                               pdb_set_user_sid_from_rid(newpwd, user_rid);
                         }
                 } else {
                         DEBUG (0,("tdb_update_sam: Failing to store a 
SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
@@ -805,7 +806,7 @@
                                 goto done;
                         } else {
                                 /* This seems like a good default choice 
for non-unix users */
-                               pdb_set_group_rid(newpwd, 
DOMAIN_GROUP_RID_USERS);
+                               pdb_set_group_sid_from_rid(newpwd, 
DOMAIN_GROUP_RID_USERS);
                         }
                 } else {
                         DEBUG (0,("tdb_update_sam: Failing to store a 
SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
diff -Nur HEAD/source/passdb/pdb_unix.c HEAD-fix/source/passdb/pdb_unix.c
--- HEAD/source/passdb/pdb_unix.c       Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_unix.c   Fri May 31 10:33:56 2002
@@ -68,7 +68,8 @@
  static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, 
SAM_ACCOUNT * user, DOM_SID *sid)
  {
         uint32 rid;
-       sid_peek_rid(sid, &rid);
+       if(!sid_peek_rid(NULL,sid, &rid))
+               return False;
         return unixsam_getsampwrid(my_methods, user, rid);
  }

diff -Nur HEAD/source/printing/nt_printing.c 
HEAD-fix/source/printing/nt_printing.c
--- HEAD/source/printing/nt_printing.c  Mon May 13 14:09:47 2002
+++ HEAD-fix/source/printing/nt_printing.c      Wed May 29 15:14:08 2002
@@ -3683,7 +3683,6 @@

  static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
  {
-       extern DOM_SID global_sam_sid;
         SEC_ACE ace[3];
         SEC_ACCESS sa;
         SEC_ACL *psa = NULL;
@@ -3709,7 +3708,7 @@
                    This should emulate a lanman printer as security
                    settings can't be changed. */

-               sid_copy(&owner_sid, &global_sam_sid);
+               sid_copy(&owner_sid, get_global_sam_sid());
                 sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
         }

diff -Nur HEAD/source/rpc_server/srv_lsa_nt.c 
HEAD-fix/source/rpc_server/srv_lsa_nt.c
--- HEAD/source/rpc_server/srv_lsa_nt.c Tue May 21 14:07:20 2002
+++ HEAD-fix/source/rpc_server/srv_lsa_nt.c     Wed May 29 15:22:01 2002
@@ -26,7 +26,6 @@

  #include "includes.h"

-extern DOM_SID global_sam_sid;
  extern fstring global_myworkgroup;
  extern pstring global_myname;
  extern PRIVS privs[];
@@ -320,7 +319,7 @@
         init_sec_access(&mask, POLICY_EXECUTE);
         init_sec_ace(&ace[0], &global_sid_World, 
SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);

-       sid_copy(&adm_sid, &global_sam_sid);
+       sid_copy(&adm_sid, get_global_sam_sid());
         sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
         init_sec_access(&mask, POLICY_ALL_ACCESS);
         init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
@@ -367,7 +366,7 @@
                 return NT_STATUS_NO_MEMORY;

         ZERO_STRUCTP(info);
-       info->sid = global_sam_sid;
+       info->sid = *(get_global_sam_sid());
         info->access = acc_granted;

         /* set up the LSA QUERY INFO response */
@@ -405,7 +404,7 @@
                 return NT_STATUS_NO_MEMORY;

         ZERO_STRUCTP(info);
-       info->sid = global_sam_sid;
+       info->sid = *(get_global_sam_sid());
         info->access = acc_granted;

         /* set up the LSA QUERY INFO response */
@@ -502,7 +501,7 @@
                         case ROLE_DOMAIN_PDC:
                         case ROLE_DOMAIN_BDC:
                                 name = global_myworkgroup;
-                               sid = &global_sam_sid;
+                               sid = get_global_sam_sid();
                                 break;
                         case ROLE_DOMAIN_MEMBER:
                                 name = global_myworkgroup;
@@ -532,15 +531,15 @@
                         case ROLE_DOMAIN_PDC:
                         case ROLE_DOMAIN_BDC:
                                 name = global_myworkgroup;
-                               sid = &global_sam_sid;
+                               sid = get_global_sam_sid();
                                 break;
                         case ROLE_DOMAIN_MEMBER:
                                 name = global_myname;
-                               sid = &global_sam_sid;
+                               sid = get_global_sam_sid();
                                 break;
                         case ROLE_STANDALONE:
                                 name = global_myname;
-                               sid = &global_sam_sid;
+                               sid = get_global_sam_sid();
                                 break;
                         default:
                                 return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
diff -Nur HEAD/source/rpc_server/srv_netlog_nt.c 
HEAD-fix/source/rpc_server/srv_netlog_nt.c
--- HEAD/source/rpc_server/srv_netlog_nt.c      Tue May 21 14:07:20 2002
+++ HEAD-fix/source/rpc_server/srv_netlog_nt.c  Wed May 29 15:18:31 2002
@@ -27,7 +27,6 @@
  #include "includes.h"

  extern pstring global_myname;
-extern DOM_SID global_sam_sid;

  /*************************************************************************
   init_net_r_req_chal:
@@ -705,7 +704,7 @@
                                     NULL, /* uchar sess_key[16] */
                                     my_name     , /* char *logon_srv */
                                     my_workgroup, /* char *logon_dom */
-                                   &global_sam_sid,     /* DOM_SID *dom_sid */
+                                   get_global_sam_sid(),     /* DOM_SID 
*dom_sid */
                                     NULL); /* char *other_sids */
         }
         free_server_info(&server_info);
diff -Nur HEAD/source/rpc_server/srv_samr_nt.c 
HEAD-fix/source/rpc_server/srv_samr_nt.c
--- HEAD/source/rpc_server/srv_samr_nt.c        Mon Jun  3 09:20:28 2002
+++ HEAD-fix/source/rpc_server/srv_samr_nt.c    Mon Jun  3 09:20:55 2002
@@ -31,7 +31,6 @@

  extern fstring global_myworkgroup;
  extern pstring global_myname;
-extern DOM_SID global_sam_sid;
  extern DOM_SID global_sid_Builtin;

  extern rid_name domain_group_rids[];
@@ -654,7 +653,7 @@
                 }
                 SAFE_FREE(map);

-       } else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) {
+       } else if (sid_equal(sid, get_global_sam_sid()) && 
!lp_hide_local_users()) {
                 struct sys_grent *glist;
                 struct sys_grent *grp;
                 struct passwd *pw;
@@ -1356,7 +1355,7 @@
                 group_attrs[i] = SID_NAME_UNKNOWN;
                 *group_names[i] = '\0';

-               if (sid_equal(&pol_sid, &global_sam_sid)) {
+               if (sid_equal(&pol_sid, get_global_sam_sid())) {
                         sid_copy(&sid, &pol_sid);
                         sid_append_rid(&sid, q_u->rid[i]);

@@ -1796,7 +1795,7 @@
                         num_users=info->disp_info.num_user_account;
                         free_samr_db(info);

-                       r_u->status=load_group_domain_entries(info, 
&global_sam_sid);
+                       r_u->status=load_group_domain_entries(info, 
get_global_sam_sid());
                         if (NT_STATUS_IS_ERR(r_u->status)) {
                                 DEBUG(5, ("_samr_query_dispinfo: 
load_group_domain_entries failed\n"));
                                 return r_u->status;
@@ -1982,19 +1981,10 @@
                           account));
                 return NT_STATUS_ACCESS_DENIED;
         }
-
-       /* Get the domain SID stored in the domain policy */
-       if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) {
-               pdb_free_sam(&sam_pass);
-               return NT_STATUS_INVALID_HANDLE;
-       }
-
-       /* append the user's RID to it */
-       if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) {
-               pdb_free_sam(&sam_pass);
-               return NT_STATUS_NO_SUCH_USER;
-       }

+       /* Get the user's SID */
+       sid_copy(&sid,(DOM_SID *)pdb_get_user_sid(sam_pass));
+
         /* associate the user's SID with the new handle. */
         if ((info = get_samr_info_by_sid(&sid)) == NULL) {
                 pdb_free_sam(&sam_pass);
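Review bot: The removed `get_lsa_policy_samr_sid(p, &dom_pol, &sid)` call was also where the client-supplied domain policy handle was rejected with NT_STATUS_INVALID_HANDLE, and after this change nothing in the hunk looks at `dom_pol` any more. Unless the handle is validated earlier in the function (not visible here), a user handle can now be opened against a stale or unrelated domain handle. I would keep the handle lookup and also check that the stored user SID lies in that domain before get_samr_info_by_sid() is called. The result of `pdb_get_user_sid(sam_pass)` is also used without a NULL check, and the `(DOM_SID *)` cast suggests a const qualifier is being dropped. The sketch below assumes two new locals, `dom_sid` and `user_sid`, declared at the top of the function, which starts and ends outside the hunk.

```c
	/* … unchanged: account lookup and access check … */

	/* Still validate the domain policy handle the client passed in */
	if (!get_lsa_policy_samr_sid(p, &dom_pol, &dom_sid)) {
		pdb_free_sam(&sam_pass);
		return NT_STATUS_INVALID_HANDLE;
	}

	/* Get the user's SID and make sure it belongs to that domain */
	user_sid = (DOM_SID *)pdb_get_user_sid(sam_pass);
	if (user_sid == NULL || sid_compare_domain(&dom_sid, user_sid) != 0) {
		pdb_free_sam(&sam_pass);
		return NT_STATUS_NO_SUCH_USER;
	}
	sid_copy(&sid, user_sid);

	/* … unchanged: get_samr_info_by_sid() and handle creation … */
```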
@@ -2725,7 +2715,7 @@
                 if(!get_local_group_from_sid(als_sid, &map, 
MAPPING_WITHOUT_PRIV))
                         return NT_STATUS_NO_SUCH_ALIAS;
         } else {
-               if (sid_equal(&alias_sid, &global_sam_sid)) {
+               if (sid_equal(&alias_sid, get_global_sam_sid())) {
                         DEBUG(10, ("lookup on Server SID\n"));
                         if(!get_local_group_from_sid(als_sid, &map, 
MAPPING_WITHOUT_PRIV))
                                 return NT_STATUS_NO_SUCH_ALIAS;
@@ -2744,7 +2734,7 @@
                 struct passwd *pass;
                 uint32 rid;

-               sid_copy(&temp_sid, &global_sam_sid);
+               sid_copy(&temp_sid, get_global_sam_sid());

                 pass = getpwuid_alloc(uid[i]);
                 if (!pass) continue;
@@ -2818,7 +2808,7 @@
         DEBUG(10, ("sid is %s\n", group_sid_str));

         /* can we get a query for an SID outside our domain ? */
-       if (!sid_equal(&group_sid, &global_sam_sid))
+       if (!sid_equal(&group_sid, get_global_sam_sid()))
                 return NT_STATUS_NO_SUCH_GROUP;

         sid_append_rid(&group_sid, group_rid);
@@ -2901,7 +2891,7 @@
         sid_to_string(alias_sid_str, &alias_sid);
         DEBUG(10, ("sid is %s\n", alias_sid_str));

-       if (sid_compare(&alias_sid, &global_sam_sid)>0) {
+       if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
                 DEBUG(10, ("adding member on Server SID\n"));
                 if(!get_local_group_from_sid(alias_sid, &map, 
MAPPING_WITHOUT_PRIV))
                         return NT_STATUS_NO_SUCH_ALIAS;
@@ -3050,7 +3040,7 @@
         sid_to_string(group_sid_str, &group_sid);
         DEBUG(10, ("sid is %s\n", group_sid_str));

-       if (sid_compare(&group_sid, &global_sam_sid)<=0)
+       if (sid_compare(&group_sid, get_global_sam_sid())<=0)
                 return NT_STATUS_NO_SUCH_GROUP;

         DEBUG(10, ("lookup on Domain SID\n"));
@@ -3058,7 +3048,7 @@
         if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
                 return NT_STATUS_NO_SUCH_GROUP;

-       sid_copy(&user_sid, &global_sam_sid);
+       sid_copy(&user_sid, get_global_sam_sid());
         sid_append_rid(&user_sid, q_u->rid);

         ret = pdb_init_sam(&sam_user);
@@ -3137,7 +3127,7 @@
         if(!sid_check_is_in_our_domain(&group_sid))
                 return NT_STATUS_NO_SUCH_GROUP;

-       sid_copy(&user_sid, &global_sam_sid);
+       sid_copy(&user_sid, get_global_sam_sid());
         sid_append_rid(&user_sid, q_u->rid);

         if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
@@ -3270,7 +3260,7 @@
         DEBUG(10, ("sid is %s\n", group_sid_str));

         /* we check if it's our SID before deleting */
-       if (!sid_equal(&dom_sid, &global_sam_sid))
+       if (!sid_equal(&dom_sid, get_global_sam_sid()))
                 return NT_STATUS_NO_SUCH_GROUP;

         DEBUG(10, ("lookup on Domain SID\n"));
@@ -3327,7 +3317,7 @@
         DEBUG(10, ("sid is %s\n", alias_sid_str));

         /* we check if it's our SID before deleting */
-       if (!sid_equal(&dom_sid, &global_sam_sid))
+       if (!sid_equal(&dom_sid, get_global_sam_sid()))
                 return NT_STATUS_NO_SUCH_ALIAS;

         DEBUG(10, ("lookup on Local SID\n"));
@@ -3377,7 +3367,7 @@
         if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid))
                 return NT_STATUS_INVALID_HANDLE;

-       if (!sid_equal(&dom_sid, &global_sam_sid))
+       if (!sid_equal(&dom_sid, get_global_sam_sid()))
                 return NT_STATUS_ACCESS_DENIED;

         /* TODO: check if allowed to create group and add a 
become_root/unbecome_root pair.*/
@@ -3398,7 +3388,7 @@
         r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);

         /* add the group to the mapping table */
-       sid_copy(&info_sid, &global_sam_sid);
+       sid_copy(&info_sid, get_global_sam_sid());
         sid_append_rid(&info_sid, r_u->rid);
         sid_to_string(sid_string, &info_sid);

@@ -3435,7 +3425,7 @@
         if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid))
                 return NT_STATUS_INVALID_HANDLE;

-       if (!sid_equal(&dom_sid, &global_sam_sid))
+       if (!sid_equal(&dom_sid, get_global_sam_sid()))
                 return NT_STATUS_ACCESS_DENIED;

         /* TODO: check if allowed to create group  and add a 
become_root/unbecome_root pair.*/
@@ -3455,7 +3445,7 @@

         r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);

-       sid_copy(&info_sid, &global_sam_sid);
+       sid_copy(&info_sid, get_global_sam_sid());
         sid_append_rid(&info_sid, r_u->rid);
         sid_to_string(sid_string, &info_sid);

@@ -3641,10 +3631,10 @@
                 return NT_STATUS_INVALID_HANDLE;

         /* this should not be hard-coded like this */
-       if (!sid_equal(&sid, &global_sam_sid))
+       if (!sid_equal(&sid, get_global_sam_sid()))
                 return NT_STATUS_ACCESS_DENIED;

-       sid_copy(&info_sid, &global_sam_sid);
+       sid_copy(&info_sid, get_global_sam_sid());
         sid_append_rid(&info_sid, q_u->rid_group);
         sid_to_string(sid_string, &info_sid);

@@ -3733,7 +3723,7 @@
                         num_users=info->disp_info.num_user_account;
                         free_samr_db(info);

-                       r_u->status=load_group_domain_entries(info, 
&global_sam_sid);
+                       r_u->status=load_group_domain_entries(info, 
get_global_sam_sid());
                         if (NT_STATUS_IS_ERR(r_u->status)) {
                                 DEBUG(5, ("_samr_query_dispinfo: 
load_group_domain_entries failed\n"));
                                 return r_u->status;
diff -Nur HEAD/source/rpc_server/srv_util.c 
HEAD-fix/source/rpc_server/srv_util.c
--- HEAD/source/rpc_server/srv_util.c   Mon May 27 13:11:02 2002
+++ HEAD-fix/source/rpc_server/srv_util.c       Fri May 31 11:55:04 2002
@@ -181,7 +181,8 @@
                                 }
                                 rids=new_rids;

-                               sid_peek_rid(&map.sid, &(rids[cur_rid]));
+                               if(!sid_peek_rid(NULL,&map.sid, 
&(rids[cur_rid])))
+                                       return NT_STATUS_NO_SUCH_USER;
                                 DEBUG(10,("get_alias_user_groups: user 
found in group %s\n", map.nt_name));
                                 cur_rid++;
                                 break;
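Review bot: The added `return NT_STATUS_NO_SUCH_USER;` leaves the function from inside the loop right after `rids=new_rids;`, so the array just assigned is apparently not released on this path. In the next hunk (-243) the same return skips the `done:` label two lines below it. The `return False;` additions in the -298 and -324 hunks exit in the same way while `gids` and `map` are still live. Because `sid_peek_rid(NULL, ...)` now fails for every SID outside the local SAM domain, one group mapped to a foreign or Builtin SID fails the whole membership lookup; skipping that entry, or setting a status and using `goto done` where the label exists, would avoid both problems. The enclosing functions start and end outside these hunks.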
@@ -243,7 +244,8 @@
         }
         rids=new_rids;

-       sid_peek_rid(&map.sid, &(rids[cur_rid]));
+       if(!sid_peek_rid(NULL,&map.sid, &(rids[cur_rid])))
+               return NT_STATUS_NO_SUCH_USER;
         cur_rid++;

  done:
@@ -298,7 +300,8 @@
                 for(num=0; grp->gr_mem[num]!=NULL; num++) {
                         if(strcmp(grp->gr_mem[num], user_name)==0) {
                                 /* we found the user, add the group to the 
list */
-                               sid_peek_rid(&map[i].sid, 
&(gids[cur_gid].g_rid));
+                               if(!sid_peek_rid(NULL,&map[i].sid, 
&(gids[cur_gid].g_rid)))
+                                       return False;
                                 gids[cur_gid].attr=7;
                                 DEBUG(10,("get_domain_user_groups: user 
found in group %s\n", map[i].nt_name));
                                 cur_gid++;
@@ -324,7 +327,8 @@
         }

         for(i=0; i<num_entries; i++) {
-               sid_peek_rid(&map[i].sid, &tmp_rid);
+               if(!sid_peek_rid(NULL,&map[i].sid, &tmp_rid))
+                       return False;
                 if (tmp_rid==grid) {
                         /*
                          * the primary group of the user but be the first 
one in the list
diff -Nur HEAD/source/smbd/groupname.c HEAD-fix/source/smbd/groupname.c
--- HEAD/source/smbd/groupname.c        Wed Jan 30 07:08:38 2002
+++ HEAD-fix/source/smbd/groupname.c    Wed May 29 15:26:38 2002
@@ -21,7 +21,6 @@
  #ifdef USING_GROUPNAME_MAP

  #include "includes.h"
-extern DOM_SID global_sam_sid;

  /**************************************************************************
   Groupname map functionality. The code loads a groupname map file and
@@ -160,7 +159,7 @@
         * It's not a well known name, convert the UNIX gid_t
         * to a rid within this domain SID.
         */
-      tmp_sid = global_sam_sid;
+      tmp_sid = *(get_global_sam_sid());
        tmp_sid.sub_auths[tmp_sid.num_auths++] =
                      pdb_gid_to_group_rid(gid);
      }
@@ -228,7 +227,7 @@
     * If there's no map, convert the UNIX gid_t
     * to a rid within this domain SID.
     */
-  *psid = global_sam_sid;
+  sid_copy(psid,get_global_sam_sid());
    psid->sub_auths[psid->num_auths++] = pdb_gid_to_group_rid(gid);

    return;
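Review bot: The two groupname.c hunks copy the SAM SID in different ways, `tmp_sid = *(get_global_sam_sid());` in -160 and `sid_copy(psid,get_global_sam_sid());` here. Both are followed by a hand-written `sub_auths[num_auths++] = ...` append that does not compare num_auths with the array size. The rest of the patch pairs `sid_copy()` with `sid_append_rid()`, whose result can be tested (the removed srv_samr_nt.c lines do so). I would write both sites as `sid_copy(psid, get_global_sam_sid());` followed by `sid_append_rid(psid, pdb_gid_to_group_rid(gid));`. The enclosing functions start outside the hunks.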
diff -Nur HEAD/source/smbd/uid.c HEAD-fix/source/smbd/uid.c
--- HEAD/source/smbd/uid.c      Mon Apr 15 10:33:07 2002
+++ HEAD-fix/source/smbd/uid.c  Wed May 29 12:09:31 2002
@@ -504,7 +504,7 @@
                 sid_copy(&tmp_sid, sid);
                 sid_split_rid(&tmp_sid, &rid);

-               if (sid_equal(&global_sam_sid, &tmp_sid)) {
+               if (sid_equal(get_global_sam_sid(), &tmp_sid)) {

                         return map_domain_sid_to_name(&tmp_sid, dom_name) &&
                                 local_lookup_sid(sid, name, name_type);
@@ -598,7 +598,7 @@
         fstring sid_str;

         /* if we know its local then don't try winbindd */
-       if (sid_compare_domain(&global_sam_sid, psid) == 0) {
+       if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
                 return local_sid_to_uid(puid, psid, sidtype);
         }

diff -Nur HEAD/source/utils/pdbedit.c HEAD-fix/source/utils/pdbedit.c
--- HEAD/source/utils/pdbedit.c Mon May 27 13:11:03 2002
+++ HEAD-fix/source/utils/pdbedit.c     Wed May 29 13:19:29 2002
@@ -81,10 +81,12 @@
                 if (IS_SAM_UNIX_USER(sam_pwent)) {
                         uid = pdb_get_uid(sam_pwent);
                         gid = pdb_get_gid(sam_pwent);
-                       printf ("user ID/Group:        %d/%d\n", uid, gid);
+                       printf ("User ID/Group ID:     %d/%d\n", uid, gid);
                 }
-               printf ("user RID/GRID:        %u/%u\n", (unsigned 
int)pdb_get_user_rid(sam_pwent),
-                       (unsigned int)pdb_get_group_rid(sam_pwent));
+               printf ("User SID:             %s\n",
+                       sid_string_static((DOM_SID 
*)pdb_get_user_sid(sam_pwent)));
+               printf ("Primary Group SID:    %s\n",
+                       sid_string_static((DOM_SID 
*)pdb_get_group_sid(sam_pwent)));
                 printf ("Full Name:            %s\n", 
pdb_get_fullname(sam_pwent));
                 printf ("Home Directory:       %s\n", 
pdb_get_homedir(sam_pwent));
                 printf ("HomeDir Drive:        %s\n", 
pdb_get_dirdrive(sam_pwent));
@@ -329,7 +331,7 @@

         pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST);

-       pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
+       pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);

         if (in->pdb_add_sam_account (in, sam_pwent)) {
                 print_user_info (in, name, True, False);
diff -Nur HEAD/source/utils/smbgroupedit.c HEAD-fix/source/utils/smbgroupedit.c
--- HEAD/source/utils/smbgroupedit.c    Fri Apr 19 00:56:34 2002
+++ HEAD-fix/source/utils/smbgroupedit.c        Wed May 29 15:27:46 2002
@@ -23,7 +23,6 @@

  extern pstring global_myname;
  extern pstring global_myworkgroup;
-extern DOM_SID global_sam_sid;

  /*
   * Next two lines needed for SunOS and don't
diff -Nur HEAD/source/lib/util_sid.c HEAD-fix/source/lib/util_sid.c
--- HEAD/source/lib/util_sid.c  Mon Apr 15 10:32:58 2002
+++ HEAD-fix/source/lib/util_sid.c      Mon Jun  3 09:54:09 2002
@@ -4,6 +4,7 @@
     Copyright (C) Andrew Tridgell 1992-1998
     Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
     Copyright (C) Jeremy Allison  1999
+   Copyright (C) Stefan (metze) Metzmacher 2002

     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -25,7 +26,7 @@
  /* NOTE! the global_sam_sid is the SID of our local SAM. This is only
     equal to the domain SID when we are a DC, otherwise its our
     workstation SID */
-DOM_SID global_sam_sid;
+DOM_SID *global_sam_sid=NULL;
  extern pstring global_myname;
  extern fstring global_myworkgroup;

@@ -120,17 +121,17 @@


         if ((lp_security() == SEC_USER) && lp_domain_logons()) {
-               sid_name_map[i].sid = &global_sam_sid;
+               sid_name_map[i].sid = get_global_sam_sid();
                 sid_name_map[i].name = global_myworkgroup;
                 sid_name_map[i].known_users = NULL;
                 i++;
-               sid_name_map[i].sid = &global_sam_sid;
+               sid_name_map[i].sid = get_global_sam_sid();
                 sid_name_map[i].name = global_myname;
                 sid_name_map[i].known_users = NULL;
                 i++;
         }
         else {
-               sid_name_map[i].sid = &global_sam_sid;
+               sid_name_map[i].sid = get_global_sam_sid();
                 sid_name_map[i].name = global_myname;
                 sid_name_map[i].known_users = NULL;
                 i++;
@@ -270,14 +271,14 @@

         if (nt_domain == NULL) {
                 DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to 
our SID.\n"));
-               sid_copy(sid, &global_sam_sid);
+               sid_copy(sid, get_global_sam_sid());
                 return True;
         }

         if (nt_domain[0] == 0) {
                 fstrcpy(nt_domain, global_myname);
                 DEBUG(5,("map_domain_name_to_sid: overriding blank name to 
%s\n", nt_domain));
-               sid_copy(sid, &global_sam_sid);
+               sid_copy(sid, get_global_sam_sid());
                 return True;
         }

@@ -473,8 +474,24 @@
   Return the last rid from the end of a sid
  *****************************************************************/

-BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
+BOOL sid_peek_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid)
  {
+       DOM_SID *_exp_dom_sid=exp_dom_sid;
+
+       if(!sid||!rid)
+               return False;
+
+       if(!_exp_dom_sid)
+               if(!(_exp_dom_sid=get_global_sam_sid())){
+                       *rid=(-1);
+                       return False;
+               }
+
+       if(sid_compare_domain(_exp_dom_sid,sid)!=0){
+               *rid=(-1);
+               return False;
+       }
+
         if (sid->num_auths > 0) {
                 *rid = sid->sub_auths[sid->num_auths - 1];
                 return True;
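Review bot: The new domain check in sid_peek_rid() never requires `sid` to be exactly one sub-authority longer than the expected domain SID, and it runs before the existing `sid->num_auths > 0` test. sid_compare_domain() is not part of this patch; if it only compares the common prefix, a SID equal to the domain SID itself passes and its last domain sub-authority is returned as a RID. `*rid` is also set to -1 on only two of the three failure paths, and the unbraced nested `if` with the `_exp_dom_sid` copy can be replaced by assigning to the parameter. The function's tail is outside the hunk.

```c
BOOL sid_peek_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid)
{
	if (!sid || !rid)
		return False;

	/* give *rid a defined value on every failure path */
	*rid = (uint32)-1;

	if (!exp_dom_sid && !(exp_dom_sid = get_global_sam_sid()))
		return False;

	/* a RID is exactly one sub-authority below the domain SID */
	if (sid->num_auths != exp_dom_sid->num_auths + 1)
		return False;

	if (sid_compare_domain(exp_dom_sid, sid) != 0)
		return False;

	/* … unchanged: read the last sub-authority and return True … */
```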
@@ -631,7 +648,7 @@
  *****************************************************************/
  BOOL sid_check_is_domain(const DOM_SID *sid)
  {
-       return sid_equal(sid, &global_sam_sid);
+       return sid_equal(sid, get_global_sam_sid());
  }


@@ -655,7 +672,7 @@
         sid_copy(&dom_sid, sid);
         sid_split_rid(&dom_sid, &rid);

-       return sid_equal(&dom_sid, &global_sam_sid);
+       return sid_equal(&dom_sid, get_global_sam_sid());
  }

  /*****************************************************************
diff -Nur HEAD/source/groupdb/mapping.c HEAD-fix/source/groupdb/mapping.c
--- HEAD/source/groupdb/mapping.c       Mon Apr 29 08:26:39 2002
+++ HEAD-fix/source/groupdb/mapping.c   Mon Jun  3 10:51:15 2002
@@ -21,7 +21,6 @@

  #include "includes.h"

-extern DOM_SID global_sam_sid;

  static TDB_CONTEXT *tdb; /* used for driver files */

@@ -186,17 +185,17 @@

         /* Add the defaults domain groups */

-       sid_copy(&sid_admins, &global_sam_sid);
+       sid_copy(&sid_admins, get_global_sam_sid());
         sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
         sid_to_string(str_admins, &sid_admins);
         add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain 
Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);

-       sid_copy(&sid_users,  &global_sam_sid);
+       sid_copy(&sid_users,  get_global_sam_sid());
         sid_append_rid(&sid_users,  DOMAIN_GROUP_RID_USERS);
         sid_to_string(str_users, &sid_users);
         add_initial_entry(-1, str_users,  SID_NAME_DOM_GRP, "Domain 
Users",  "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);

-       sid_copy(&sid_guests, &global_sam_sid);
+       sid_copy(&sid_guests, get_global_sam_sid());
         sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
         sid_to_string(str_guests, &sid_guests);
         add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain 
Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
@@ -987,7 +986,12 @@
                  * make one based on the unix information */
                 uint32 alias_rid;

-               sid_peek_rid(&sid, &alias_rid);
+               if(!sid_peek_rid(NULL,&sid, &alias_rid)) {
+                       DEBUG(0,("sid_peek_rid return False!\n SID: %s\n",
+                               sid_string_static(&sid)));
+                       return False;
+               }
+
                 map->gid=pdb_group_rid_to_gid(alias_rid);

                 if ((grp=getgrgid(map->gid)) == NULL)
@@ -1070,7 +1074,7 @@

                 /* interim solution until we have a last RID allocated */

-               sid_copy(&map->sid, &global_sam_sid);
+               sid_copy(&map->sid, get_global_sam_sid());
                 sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));

                 fstrcpy(map->nt_name, grp->gr_name);
-------------------------------------------------------



metze
-----------------------------------------------------------------------------
Stefan "metze" Metzmacher <metze at metzemix.de>
-------------- next part --------------
diff -Nur HEAD/source/Makefile.in HEAD-fix/source/Makefile.in
--- HEAD/source/Makefile.in	Mon May 27 13:10:59 2002
+++ HEAD-fix/source/Makefile.in	Fri May 31 12:03:01 2002
@@ -134,7 +134,7 @@
 	  lib/md5.o lib/hmacmd5.o lib/iconv.o lib/smbpasswd.o \
 	  nsswitch/wb_client.o nsswitch/wb_common.o \
 	  lib/pam_errors.o intl/lang_tdb.o lib/account_pol.o \
-	  $(TDB_OBJ) 
+	  $(TDB_OBJ)
 
 READLINE_OBJ = lib/readline.o
 
@@ -264,13 +264,14 @@
             nmbd/nmbd_workgroupdb.o nmbd/nmbd_synclists.o
 
 NMBD_OBJ = $(NMBD_OBJ1) $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) \
-           $(PROFILE_OBJ) $(LIB_OBJ)
+           $(PROFILE_OBJ) $(LIB_OBJ) passdb/machine_sid.o
 
 WREPL_OBJ1 = wrepld/server.o wrepld/process.o wrepld/parser.o wrepld/socket.o \
              wrepld/partners.o
 
 WREPL_OBJ = $(WREPL_OBJ1)  $(PARAM_OBJ) $(UBIQX_OBJ) \
-	    $(PROFILE_OBJ) $(LIB_OBJ)
+	    $(PROFILE_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+            libsmb/smbencrypt.o libsmb/smbdes.o passdb/secrets.o 
 
 SWAT_OBJ = web/cgi.o web/diagnose.o web/startstop.o web/statuspage.o \
            web/swat.o web/neg_lang.o $(PRINTING_OBJ) $(LIBSMB_OBJ) $(LOCKING_OBJ) \
@@ -279,29 +280,41 @@
 	   smbwrapper/shared.o
 
 SMBSH_OBJ = smbwrapper/smbsh.o smbwrapper/shared.o \
-            $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+            $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+	    passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o
+
+
 
 MAKE_PRINTERDEF_OBJ = utils/make_printerdef.o $(PARAM_OBJ) \
                       $(UBIQX_OBJ) $(LIB_OBJ)
 
 STATUS_OBJ = utils/status.o $(LOCKING_OBJ) $(PARAM_OBJ) \
-             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ)
+             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+	     passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o
 
 SMBCONTROL_OBJ = utils/smbcontrol.o $(LOCKING_OBJ) $(PARAM_OBJ) \
-             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ)
+             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+	     passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o
+
+
 
 SMBTREE_OBJ = utils/smbtree.o $(LOCKING_OBJ) $(PARAM_OBJ) \
-             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) $(LIBSMB_OBJ)
+             $(UBIQX_OBJ) $(PROFILE_OBJ) $(LIB_OBJ) $(LIBSMB_OBJ) \
+	     passdb/machine_sid.o 
+
+
 
 TESTPARM_OBJ = utils/testparm.o \
-               $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+               $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+               libsmb/smbencrypt.o libsmb/smbdes.o passdb/secrets.o 
 
 TESTPRNS_OBJ = utils/testprns.o $(PARAM_OBJ) $(PRINTING_OBJ) $(UBIQX_OBJ) \
-               $(LIB_OBJ)
+               $(LIB_OBJ) passdb/machine_sid.o \
+               libsmb/smbencrypt.o libsmb/smbdes.o passdb/secrets.o 
 
 SMBPASSWD_OBJ = utils/smbpasswd.o $(PARAM_OBJ) \
 		$(LIBSMB_OBJ) $(PASSDB_OBJ) $(GROUPDB_OBJ)\
-                $(UBIQX_OBJ) $(LIB_OBJ)
+                $(UBIQX_OBJ) $(LIB_OBJ) 
 
 PDBEDIT_OBJ = utils/pdbedit.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(PASSDB_OBJ) \
 		$(UBIQX_OBJ) $(LIB_OBJ) $(GROUPDB_OBJ)
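Review bot: The list `passdb/machine_sid.o passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o` is pasted by hand into SMBSH_OBJ, STATUS_OBJ, SMBCONTROL_OBJ, TESTPARM_OBJ and TESTPRNS_OBJ in this hunk, in varying order, and again in other hunks of this file. One variable referenced from each target, e.g. `SAM_SID_OBJ = passdb/machine_sid.o passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o`, would keep the lists from drifting. The additions are needed because lib/util_sid.c now calls get_global_sam_sid(), which makes every $(LIB_OBJ) user depend on the secrets store. In the -351 hunk that includes client/smbmnt.o and client/smbumount.o, helpers that are commonly installed setuid, so it is worth confirming that the secrets code is never reached there. The hunk also adds runs of blank lines, and the SMBPASSWD_OBJ change only appends a trailing space.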
@@ -313,7 +326,7 @@
 	         rpcclient/cmd_samr.o rpcclient/cmd_spoolss.o \
 		 rpcclient/cmd_netlogon.o rpcclient/cmd_srvsvc.o \
 		 rpcclient/cmd_dfs.o rpcclient/cmd_reg.o \
-		 rpcclient/display_sec.o
+		 rpcclient/display_sec.o 
 
 RPCCLIENT_OBJ = $(RPCCLIENT_OBJ1) \
              $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
@@ -342,7 +355,7 @@
 
 CLIENT_OBJ = client/client.o client/clitar.o \
              $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) \
-             $(READLINE_OBJ)
+             $(READLINE_OBJ) passdb/machine_sid.o 
 
 NET_OBJ = utils/net.o utils/net_ads.o utils/net_help.o \
           utils/net_rap.o utils/net_rpc.o \
@@ -351,23 +364,26 @@
 	$(GROUPDB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
 
 
-CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o
 
 MOUNT_OBJ = client/smbmount.o \
-             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o 
 
 MNT_OBJ = client/smbmnt.o \
-             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o 
 
 UMOUNT_OBJ = client/smbumount.o \
-             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+             $(PARAM_OBJ) $(LIBSMB_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o 
 
 NMBLOOKUP_OBJ = utils/nmblookup.o $(PARAM_OBJ) $(UBIQX_OBJ) \
-                $(LIBSMB_OBJ) $(LIB_OBJ)
+                $(LIBSMB_OBJ) $(LIB_OBJ) passdb/machine_sid.o 
 
 SMBTORTURE_OBJ = torture/torture.o torture/nbio.o torture/scanner.o torture/utable.o \
 		torture/denytest.o torture/mangle_test.o \
-	$(LIBSMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ)
+	$(LIBSMB_OBJ) $(PARAM_OBJ) $(UBIQX_OBJ) $(LIB_OBJ) passdb/machine_sid.o \
+	     passdb/secrets.o libsmb/smbencrypt.o libsmb/smbdes.o
+
+
 
 MASKTEST_OBJ = torture/masktest.o $(LIBSMB_OBJ) $(PARAM_OBJ) \
                  $(UBIQX_OBJ) $(LIB_OBJ)
@@ -454,7 +470,7 @@
 		$(GROUPDB_OBJ) $(PROFILE_OBJ) $(UNIGRP_OBJ)
 
 WBINFO_OBJ = nsswitch/wbinfo.o libsmb/smbencrypt.o libsmb/smbdes.o \
-	passdb/secrets.o
+	     passdb/secrets.o passdb/machine_sid.o
 
 WINBIND_NSS_OBJ = nsswitch/winbind_nss.o nsswitch/wb_common.o @WINBIND_NSS_EXTRA_OBJS@
 
-------------- next part --------------
diff -Nur HEAD/source/include/sids.h HEAD-fix/source/include/sids.h
--- HEAD/source/include/sids.h	Wed Jan 30 07:08:15 2002
+++ HEAD-fix/source/include/sids.h	Wed May 29 14:27:26 2002
@@ -23,7 +23,7 @@
 #ifndef _SIDS_H
 #define _SIDS_H 
 
-extern DOM_SID global_sam_sid;
+extern DOM_SID *global_sam_sid;
 extern fstring global_sam_name;
 
 extern DOM_SID global_member_sid;
diff -Nur HEAD/source/include/smb.h HEAD-fix/source/include/smb.h
--- HEAD/source/include/smb.h	Mon Jun  3 09:20:20 2002
+++ HEAD-fix/source/include/smb.h	Mon Jun  3 09:20:46 2002
@@ -624,8 +624,8 @@
 		
 		uid_t uid;          /* this is a unix uid_t */
 		gid_t gid;          /* this is a unix gid_t */
-		uint32 user_rid;    /* Primary User ID */
-		uint32 group_rid;   /* Primary Group ID */
+		DOM_SID user_sid;    /* Primary User SID */
+		DOM_SID group_sid;   /* Primary Group SID */
 		
 		DATA_BLOB lm_pw; /* .data is Null if no password */
 		DATA_BLOB nt_pw; /* .data is Null if no password */
diff -Nur HEAD/source/nsswitch/winbindd_ads.c HEAD-fix/source/nsswitch/winbindd_ads.c
--- HEAD/source/nsswitch/winbindd_ads.c	Mon Jun  3 09:20:24 2002
+++ HEAD-fix/source/nsswitch/winbindd_ads.c	Mon Jun  3 09:20:48 2002
@@ -273,7 +273,7 @@
 			continue;
 		}
 
-		if (!sid_peek_rid(&sid, &rid)) {
+		if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
 			DEBUG(1,("No rid for %s !?\n", name));
 			continue;
 		}
@@ -356,7 +356,7 @@
 			continue;
 		}
 
-		if (!sid_peek_rid(&sid, &rid)) {
+		if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
 			DEBUG(1,("No rid for %s !?\n", name));
 			continue;
 		}
@@ -584,7 +584,7 @@
 		goto done;
 	}
 	
-	if (!sid_peek_rid(&sid, &info->user_rid)) {
+	if (!sid_peek_rid(&domain->sid,&sid, &info->user_rid)) {
 		DEBUG(1,("No rid for %d !?\n", user_rid));
 		goto done;
 	}
@@ -662,7 +662,7 @@
 
 	for (i=1;i<count;i++) {
 		uint32 rid;
-		if (!sid_peek_rid(&sids[i-1], &rid)) continue;
+		if (!sid_peek_rid(&domain->sid,&sids[i-1], &rid)) continue;
 		(*user_gids)[*num_groups] = rid;
 		(*num_groups)++;
 	}
@@ -737,7 +737,7 @@
 			DEBUG(1,("No sid for %s !?\n", (*names)[*num_names]));
 			continue;
 		}
-		if (!sid_peek_rid(&sid, &rid)) {
+		if (!sid_peek_rid(&domain->sid,&sid, &rid)) {
 			DEBUG(1,("No rid for %s !?\n", (*names)[*num_names]));
 			continue;
 		}
diff -Nur HEAD/source/nsswitch/winbindd_cache.c HEAD-fix/source/nsswitch/winbindd_cache.c
--- HEAD/source/nsswitch/winbindd_cache.c	Mon Apr 29 08:26:40 2002
+++ HEAD-fix/source/nsswitch/winbindd_cache.c	Fri May 31 11:56:46 2002
@@ -648,7 +648,8 @@
 	NTSTATUS status;
 	uint32 rid = 0;
 
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(&domain->sid,sid, &rid))
+		return NT_STATUS_NO_SUCH_USER;
 
 	if (!cache->tdb) goto do_query;
 
diff -Nur HEAD/source/nsswitch/winbindd_group.c HEAD-fix/source/nsswitch/winbindd_group.c
--- HEAD/source/nsswitch/winbindd_group.c	Tue Apr  2 07:28:07 2002
+++ HEAD-fix/source/nsswitch/winbindd_group.c	Fri May 31 10:25:23 2002
@@ -228,7 +228,8 @@
 	}
 
 	/* Fill in group structure */
-	sid_peek_rid(&group_sid, &group_rid);
+	if(!sid_peek_rid(&domain->sid,&group_sid, &group_rid))
+		return WINBINDD_ERROR;
 
 	if (!winbindd_idmap_get_gid_from_sid(&group_sid, &gid)) {
 		DEBUG(1, ("error converting unix gid to sid\n"));
diff -Nur HEAD/source/passdb/machine_sid.c HEAD-fix/source/passdb/machine_sid.c
--- HEAD/source/passdb/machine_sid.c	Tue May 21 14:07:16 2002
+++ HEAD-fix/source/passdb/machine_sid.c	Fri May 31 10:10:55 2002
@@ -4,6 +4,7 @@
    Copyright (C) Jeremy Allison 		1996-2002
    Copyright (C) Andrew Tridgell		2002
    Copyright (C) Gerald (Jerry) Carter		2000
+   Copyright (C) Stefan (metze) Metzmacher	2002
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -77,6 +78,10 @@
 	extern fstring global_myworkgroup;
 	BOOL is_dc = False;
 
+	if(global_sam_sid==NULL)
+		if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
+			return False;
+			
 	generate_wellknown_sids();
 
 	switch (lp_server_role()) {
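Review bot: The buffer from `malloc(sizeof(DOM_SID))` is published in `global_sam_sid` before anything has been written to it, and the later `return False;` paths in this function leave the pointer non-NULL with unspecified contents. get_global_sam_sid() is not shown in this part of the patch; if it returns the pointer whenever it is non-NULL, callers would then compare against and copy an uninitialised SID after a failed setup. I would add `ZERO_STRUCTP(global_sam_sid);` right after the allocation and `SAFE_FREE(global_sam_sid);` on the failure returns, or fill a local DOM_SID and assign the global only on success. Braces around the nested `if` would also make the allocation check easier to read. The function starts and ends outside the hunk.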
@@ -89,7 +94,7 @@
 		break;
 	}
 
-	if (secrets_fetch_domain_sid(global_myname, &global_sam_sid)) {
+	if (secrets_fetch_domain_sid(global_myname, global_sam_sid)) {
 		DOM_SID domain_sid;
 
 		/* We got our sid. If not a pdc/bdc, we're done. */
@@ -100,19 +105,19 @@
 
 			/* No domain sid and we're a pdc/bdc. Store it */
 
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
 				return False;
 			}
 			return True;
 		}
 
-		if (!sid_equal(&domain_sid, &global_sam_sid)) {
+		if (!sid_equal(&domain_sid, global_sam_sid)) {
 
 			/* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
 
 			DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
 				return False;
 			}
@@ -126,24 +131,23 @@
 	/* check for an old MACHINE.SID file for backwards compatibility */
 	asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());
 
-	if (read_sid_from_file(fname, &global_sam_sid)) {
+	if (read_sid_from_file(fname, global_sam_sid)) {
 		/* remember it for future reference and unlink the old MACHINE.SID */
-		if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
+		if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
 			DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
 			SAFE_FREE(fname);
 			return False;
 		}
 		unlink(fname);
 		if (is_dc) {
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
 				SAFE_FREE(fname);
 				return False;
 			}
 		}
 
-		/* Stored the old sid from MACHINE.SID successfully.
-			Patch from Stefan "metze" Metzmacher <metze at metzemix.de>*/
+		/* Stored the old sid from MACHINE.SID successfully.*/
 		SAFE_FREE(fname);
 		return True;
 	}
@@ -152,14 +156,14 @@
 
 	/* we don't have the SID in secrets.tdb, we will need to
            generate one and save it */
-	generate_random_sid(&global_sam_sid);
+	generate_random_sid(global_sam_sid);
 
-	if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
+	if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
 		DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
 		return False;
 	}
 	if (is_dc) {
-		if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+		if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 			DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
 			return False;
 		}
@@ -167,3 +171,17 @@
 
 	return True;
 }   
+
+/* return our global_sam_sid */
+DOM_SID *get_global_sam_sid(void)
+{
+	if(global_sam_sid!=NULL)
+		return global_sam_sid;
+	
+	/* memory for global_sam_sid is allocated in 
+	   pdb_generate_sam_sid() is needed*/
+	if(!pdb_generate_sam_sid())
+		global_sam_sid=NULL;	
+	
+	return global_sam_sid;
+}
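Review bot: `get_global_sam_sid()` can return NULL, but none of the callers added by this patch checks for it. `info->sid = *(get_global_sam_sid());` in srv_lsa_nt.c and `tmp_sid = *(get_global_sam_sid());` in groupname.c dereference the result directly, and the many `sid_copy(..., get_global_sam_sid())` and `sid_equal(get_global_sam_sid(), ...)` calls pass it straight through (whether those helpers tolerate NULL is not visible here). Several of these sit in RPC handlers that decide whether a SID belongs to the local domain, so the failure should be handled in one place: either this accessor treats a missing SID as fatal, or the NULL return is documented and checked at each call site. The failure branch also drops the buffer that `pdb_generate_sam_sid()` allocated; `SAFE_FREE(global_sam_sid);` in place of `global_sam_sid=NULL;` would release it.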
diff -Nur HEAD/source/passdb/passdb.c HEAD-fix/source/passdb/passdb.c
--- HEAD/source/passdb/passdb.c	Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/passdb.c	Mon Jun  3 09:16:00 2002
@@ -26,13 +26,6 @@
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
 
-/*
- * This is set on startup - it defines the SID for this
- * machine, and therefore the SAM database for which it is
- * responsible.
- */
-
-extern DOM_SID global_sam_sid;
 extern pstring global_myname;
 
 /************************************************************
@@ -157,7 +150,6 @@
 NTSTATUS pdb_fill_sam_pw(SAM_ACCOUNT *sam_account, const struct passwd *pwd)
 {
 	GROUP_MAP map;
-	uint32 rid;
 
 	if (!pwd) {
 		return NT_STATUS_UNSUCCESSFUL;
@@ -185,18 +177,23 @@
 	   -- abartlet 11-May-02
 	*/
 
-	pdb_set_user_rid(sam_account, 
+	pdb_set_user_sid_from_rid(sam_account, 
 			 fallback_pdb_uid_to_user_rid(pwd->pw_uid));
 
 	/* call the mapping code here */
 	if(get_group_map_from_gid(pwd->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-		sid_peek_rid(&map.sid, &rid);
+		if(!pdb_set_group_sid(sam_account,&map.sid)){
+			DEBUG(0,("Can't set Group SID\n"));
+			return NT_STATUS_NO_SUCH_GROUP;
+		}
 	} 
 	else {
-		rid=pdb_gid_to_group_rid(pwd->pw_gid);
+		if(!pdb_set_group_sid_from_rid(sam_account,pdb_gid_to_group_rid(pwd->pw_gid))) {
+			DEBUG(0,("Can't set Group SID\n"));
+			return NT_STATUS_NO_SUCH_GROUP;
+		}
 	}
 		
-	pdb_set_group_rid(sam_account, rid);
 
 	/* check if this is a user account or a machine account */
 	if (pwd->pw_name[strlen(pwd->pw_name)-1] != '$')
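Review bot: The result of `pdb_set_user_sid_from_rid()` is ignored here although both group setters a few lines below are checked, and the new setter can fail (it returns False when `sid_append_rid` does). On failure `sam_account` keeps whatever `user_sid` held before, so the call should read `if (!pdb_set_user_sid_from_rid(sam_account, fallback_pdb_uid_to_user_rid(pwd->pw_uid))) return NT_STATUS_NO_SUCH_USER;`. The same unchecked pattern appears in the two `from->user_rid` hunks later in this file and in the pdb_ldap.c, pdb_nisplus.c, pdb_smbpasswd.c, pdb_tdb.c and pdbedit.c hunks. The two `DEBUG(0,("Can't set Group SID\n"))` messages would be easier to trace with the function name prefixed. `pdb_fill_sam_pw` continues outside the hunk.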
@@ -456,39 +453,6 @@
 	return (True);
 }
 
-#if 0 /* seem it is not used by anyone */
-/*******************************************************************
- Group and User RID username mapping function
- ********************************************************************/
-
-BOOL pdb_name_to_rid(const char *user_name, uint32 *u_rid, uint32 *g_rid)
-{
-	GROUP_MAP map;
-	struct passwd *pw = Get_Pwnam(user_name);
-
-	if (u_rid == NULL || g_rid == NULL || user_name == NULL)
-		return False;
-
-	if (!pw) {
-		DEBUG(1,("Username %s is invalid on this system\n", user_name));
-		return False;
-	}
-
-	/* turn the unix UID into a Domain RID.  this is what the posix
-	   sub-system does (adds 1000 to the uid) */
-	*u_rid = fallback_pdb_uid_to_user_rid(pw->pw_uid);
-
-	/* absolutely no idea what to do about the unix GID to Domain RID mapping */
-	/* map it ! */
-	if (get_group_map_from_gid(pw->pw_gid, &map, MAPPING_WITHOUT_PRIV)) {
-		sid_peek_rid(&map.sid, g_rid);
-	} else 
-		*g_rid = pdb_gid_to_group_rid(pw->pw_gid);
-
-	return True;
-}
-#endif /* seem it is not used by anyone */
-
 /*******************************************************************
  Converts NT user RID to a UNIX uid.
  ********************************************************************/
@@ -579,7 +543,11 @@
 	SAM_ACCOUNT *sam_account = NULL;
 	GROUP_MAP map;
 
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid)){
+		DEBUG(0,("local_sid_to_gid: sid_peek_rid return False! SID: %s\n",
+			sid_string_static(&map.sid)));
+		return False;
+	}	
 	*psid_name_use = SID_NAME_UNKNOWN;
 	
 	DEBUG(5,("local_lookup_sid: looking up RID %u.\n", (unsigned int)rid));
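Review bot: The added `DEBUG` prints `sid_string_static(&map.sid)`, but `map` is the uninitialized local declared two lines above, so the failure path logs stack contents instead of the SID that was rejected. The argument should be the `sid` parameter, and the message names the wrong function (the next `DEBUG` shows this is `local_lookup_sid`): `DEBUG(0,("local_lookup_sid: sid_peek_rid failed for SID %s\n", sid_string_static(sid)));`. The function starts and ends outside this hunk.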
@@ -699,7 +667,7 @@
 
 	fstrcpy(user, c_user);
 
-	sid_copy(&local_sid, &global_sam_sid);
+	sid_copy(&local_sid, get_global_sam_sid());
 
 	/*
 	 * Special case for MACHINE\Everyone. Map to the world_sid.
@@ -725,10 +693,9 @@
 	}
 	
 	if (pdb_getsampwnam(sam_account, user)) {
-		sid_append_rid( &local_sid, pdb_get_user_rid(sam_account));
+		sid_copy(psid,(DOM_SID *)pdb_get_user_sid(sam_account));
 		*psid_name_use = SID_NAME_USER;
 		
-		sid_copy( psid, &local_sid);
 		pdb_free_sam(&sam_account);
 		return True;
 	}
@@ -787,12 +754,11 @@
 
 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
 {
-	extern DOM_SID global_sam_sid;
 	struct passwd *pass;
 	SAM_ACCOUNT *sam_user = NULL;
 	fstring str; /* sid string buffer */
 
-	sid_copy(psid, &global_sam_sid);
+	sid_copy(psid, get_global_sam_sid());
 
 	if((pass = getpwuid_alloc(uid))) {
 
@@ -802,7 +768,7 @@
 		}
 		
 		if (pdb_getsampwnam(sam_user, pass->pw_name)) {
-			sid_append_rid(psid, pdb_get_user_rid(sam_user));
+			sid_copy(psid,(DOM_SID *) pdb_get_user_sid(sam_user));
 		} else {
 			sid_append_rid(psid, fallback_pdb_uid_to_user_rid(uid));
 		}
@@ -830,7 +796,6 @@
 
 BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	extern DOM_SID global_sam_sid;
 
 	DOM_SID dom_sid;
 	uint32 rid;
@@ -846,7 +811,7 @@
 	 * We can only convert to a uid if this is our local
 	 * Domain SID (ie. we are the controling authority).
 	 */
-	if (!sid_equal(&global_sam_sid, &dom_sid))
+	if (!sid_equal(get_global_sam_sid(), &dom_sid))
 		return False;
 
 	if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
@@ -878,10 +843,9 @@
 
 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
 {
-	extern DOM_SID global_sam_sid;
 	GROUP_MAP map;
 
-	sid_copy(psid, &global_sam_sid);
+	sid_copy(psid, get_global_sam_sid());
 	
 	if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
 		sid_copy(psid, &map.sid);
@@ -899,7 +863,6 @@
 
 BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	extern DOM_SID global_sam_sid;
 	DOM_SID dom_sid;
 	uint32 rid;
 	fstring str;
@@ -917,7 +880,7 @@
 	 * Or in the Builtin SID too. JFM, 11/30/2001
 	 */
 
-	if (!sid_equal(&global_sam_sid, &dom_sid))
+	if (!sid_equal(get_global_sam_sid(), &dom_sid))
 		return False;
 
 	if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {
@@ -926,7 +889,11 @@
 		if (map.gid==-1)
 			return False;
 
-		sid_peek_rid(&map.sid, &rid);
+		if(!sid_peek_rid(NULL,&map.sid, &rid)){
+			DEBUG(0,("local_sid_to_gid: sid_peek_rid return False! SID: %s\n",
+				sid_string_static(&map.sid)));
+			return False;
+		}
 		*pgid = map.gid;
 		*name_type = map.sid_name_use;
 		DEBUG(10,("local_sid_to_gid: mapped SID %s (%s) -> gid (%u).\n", sid_to_string( str, psid),
@@ -1002,9 +969,9 @@
 		pdb_set_munged_dial(to   , pdb_unistr2_convert(&from->uni_munged_dial ));
 
 	if (from->user_rid)
-		pdb_set_user_rid(to, from->user_rid);
+		pdb_set_user_sid_from_rid(to, from->user_rid);
 	if (from->group_rid)
-		pdb_set_group_rid(to, from->group_rid);
+		pdb_set_group_sid_from_rid(to, from->group_rid);
 
 	pdb_set_acct_ctrl(to, from->acb_info);
 	pdb_set_unknown_3(to, from->unknown_3);
@@ -1057,9 +1024,9 @@
 		pdb_set_munged_dial(to   , pdb_unistr2_convert(&from->uni_munged_dial ));
 
 	if (from->user_rid)
-		pdb_set_user_rid(to, from->user_rid);
+		pdb_set_user_sid_from_rid(to, from->user_rid);
 	if (from->group_rid)
-		pdb_set_group_rid(to, from->group_rid);
+		pdb_set_group_sid_from_rid(to, from->group_rid);
 
 	/* FIXME!!  Do we need to copy the passwords here as well?
 	   I don't know.  Need to figure this out   --jerry */
diff -Nur HEAD/source/passdb/pdb_get_set.c HEAD-fix/source/passdb/pdb_get_set.c
--- HEAD/source/passdb/pdb_get_set.c	Tue May 21 14:07:17 2002
+++ HEAD-fix/source/passdb/pdb_get_set.c	Fri May 31 13:12:04 2002
@@ -5,6 +5,7 @@
    Copyright (C) Luke Kenneth Casson Leighton 	1996-1998
    Copyright (C) Gerald (Jerry) Carter		2000-2001
    Copyright (C) Andrew Bartlett		2001-2002
+   Copyright (C) Stefan (metze) Metzmacher	2002
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -155,21 +156,35 @@
 	else
 		return (NULL);
 }
+const DOM_SID *pdb_get_user_sid(const SAM_ACCOUNT *sampass)
+{
+	return &sampass->private.user_sid;
+}
+
+const DOM_SID *pdb_get_group_sid(const SAM_ACCOUNT *sampass)
+{
+	return &sampass->private.group_sid;
+}
 
 uint32 pdb_get_user_rid (const SAM_ACCOUNT *sampass)
 {
+	uint32 u_rid;
+
 	if (sampass)
-		return (sampass->private.user_rid);
-	else
-		return (-1);
+		if(sid_peek_rid(NULL,(DOM_SID *)pdb_get_user_sid(sampass),&u_rid))
+			return u_rid;
+	
+	return (-1);
 }
 
 uint32 pdb_get_group_rid (const SAM_ACCOUNT *sampass)
 {
+	uint32 g_rid;
+
 	if (sampass)
-		return (sampass->private.group_rid);
-	else
-		return (-1);
+		if(sid_peek_rid(NULL,(DOM_SID *)pdb_get_group_sid(sampass),&g_rid))
+			return g_rid;
+	return (-1);
 }
 
 /**
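Review bot: `pdb_get_user_sid()` and `pdb_get_group_sid()` take the address of a member of `sampass` without the NULL guard that the getter just above and both RID getters keep, so a NULL account yields a bogus non-NULL pointer rather than NULL. The callers added elsewhere in this patch (passdb.c, srv_samr_nt.c, pdbedit.c) pass their account pointer straight in, so a guard such as `if (!sampass) return NULL;` would keep the accessors consistent. Every caller also casts the `const` away with `(DOM_SID *)`; if `sid_copy` and `sid_peek_rid` only read their source argument, declaring it `const DOM_SID *` there would remove those casts (their prototypes are not visible here). The nested `if (sampass) if (sid_peek_rid(...))` in the RID getters wants braces or a single `&&` condition.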
@@ -487,27 +502,71 @@
 
 }
 
-BOOL pdb_set_user_rid (SAM_ACCOUNT *sampass, uint32 rid)
+BOOL pdb_set_user_sid (SAM_ACCOUNT *sampass, DOM_SID *u_sid)
+{
+	if(!sampass||!u_sid)
+		return False;
+	
+	sid_copy(&sampass->private.user_sid,u_sid);
+
+	DEBUG(10, ("pdb_set_user_sid: setting user sid %s\n", 
+		    sid_string_static(&sampass->private.user_sid)));
+	
+	return True;
+}
+
+BOOL pdb_set_group_sid(SAM_ACCOUNT *sampass, DOM_SID *g_sid)
+{
+	if (!sampass||!g_sid)
+		return False;
+
+	sid_copy(&sampass->private.group_sid,g_sid);
+
+	DEBUG(10, ("pdb_set_group_sid: setting group sid %s\n", 
+		    sid_string_static(&sampass->private.group_sid)));
+
+	return True;
+}
+
+BOOL pdb_set_user_sid_from_rid (SAM_ACCOUNT *sampass, uint32 rid)
 {
+	DOM_SID u_sid;
+
 	if (!sampass)
 		return False;
 
-	DEBUG(10, ("pdb_set_rid: setting user rid %d, was %d\n", 
-		   rid, sampass->private.user_rid));
- 
-	sampass->private.user_rid = rid;
+	sid_copy(&u_sid,get_global_sam_sid());
+
+	if(!sid_append_rid(&u_sid,rid))
+		return False;
+
+	if(!pdb_set_user_sid(sampass,&u_sid))
+		return False;
+
+	DEBUG(10, ("pdb_set_user_sid_from_rid:\n\tsetting user sid %s from rid %d\n", 
+		    sid_string_static(&u_sid),rid));
+
 	return True;
 }
 
-BOOL pdb_set_group_rid (SAM_ACCOUNT *sampass, uint32 grid)
+BOOL pdb_set_group_sid_from_rid (SAM_ACCOUNT *sampass, uint32 grid)
 {
+	DOM_SID g_sid;
+
 	if (!sampass)
 		return False;
+	
+	sid_copy(&g_sid,get_global_sam_sid());
+	
+	if(!sid_append_rid(&g_sid,grid))
+		return False;
+
+	if(!pdb_set_group_sid(sampass,&g_sid))
+		return False;
+
+	DEBUG(10, ("pdb_set_group_sid_from_rid:\n\tsetting group sid %s from rid %d\n", 
+		    sid_string_static(&g_sid),grid));
 
-	DEBUG(10, ("pdb_set_group_rid: setting group rid %d, was %d\n", 
-		   grid, sampass->private.group_rid));
- 
-	sampass->private.group_rid = grid;
 	return True;
 }
 
diff -Nur HEAD/source/passdb/pdb_ldap.c HEAD-fix/source/passdb/pdb_ldap.c
--- HEAD/source/passdb/pdb_ldap.c	Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/pdb_ldap.c	Fri May 31 10:31:24 2002
@@ -624,7 +624,8 @@
 			GROUP_MAP map;
 			/* call the mapping code here */
 			if(get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
-				sid_peek_rid(&map.sid, &group_rid);
+				if(!sid_peek_rid(NULL,&map.sid, &group_rid))
+					return False;
 			} 
 			else {
 				group_rid=pdb_gid_to_group_rid(gid);
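Review bot: Reducing `map.sid` to `group_rid` here discards the group's domain, and the next hunk in this file rebuilds the SID with `pdb_set_group_sid_from_rid(sampass, group_rid)`, which always prefixes the local SAM SID. A unix group mapped to a SID outside the local domain (the Builtin case the cover note mentions) would therefore come back as a different group SID that merely shares the RID. passdb.c in this patch already avoids that by calling `pdb_set_group_sid(sam_account,&map.sid)`; the same could be done here by keeping the mapped SID and passing it to `pdb_set_group_sid`. pdb_nisplus.c has the same SID-to-RID step in its `rid==0` hunk. The enclosing function is only partly visible, so how `group_rid` is used in between should be confirmed.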
@@ -780,8 +781,8 @@
 	pdb_set_hours_len(sampass, hours_len);
 	pdb_set_logon_divs(sampass, logon_divs);
 
-	pdb_set_user_rid(sampass, user_rid);
-	pdb_set_group_rid(sampass, group_rid);
+	pdb_set_user_sid_from_rid(sampass, user_rid);
+	pdb_set_group_sid_from_rid(sampass, group_rid);
 
 	pdb_set_username(sampass, username);
 
@@ -1273,7 +1274,8 @@
 static BOOL ldapsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
 	uint32 rid;
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid))
+		return False;
 	return ldapsam_getsampwrid(my_methods, user, rid);
 }	
 
diff -Nur HEAD/source/passdb/pdb_nisplus.c HEAD-fix/source/passdb/pdb_nisplus.c
--- HEAD/source/passdb/pdb_nisplus.c	Mon May 27 13:11:01 2002
+++ HEAD-fix/source/passdb/pdb_nisplus.c	Fri May 31 10:32:18 2002
@@ -339,8 +339,8 @@
 
   pdb_set_uid(pw_buf, atoi(ENTRY_VAL(obj, NPF_UID)));
   pdb_set_gid(pw_buf, atoi(ENTRY_VAL(obj, NPF_SMB_GRPID)));
-  pdb_set_user_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
-  pdb_set_group_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
+  pdb_set_user_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_USER_RID)));
+  pdb_set_group_sid_from_rid(pw_buf, atoi(ENTRY_VAL(obj, NPF_GROUP_RID)));
 
   /* values, must exist for user */
   if( !(pdb_get_acct_ctrl(pw_buf) & ACB_WSTRUST) ) {
@@ -381,7 +381,7 @@
   else 
   {
     /* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. */
-    pdb_set_group_rid (pw_buf, DOMAIN_GROUP_RID_USERS); 
+    pdb_set_group_sid_from_rid (pw_buf, DOMAIN_GROUP_RID_USERS); 
   }
 
   /* Check the lanman password column. */
@@ -538,7 +538,8 @@
 
 		if (rid==0) {
 			if (get_group_map_from_gid(pdb_get_gid(sampass), &map, MAPPING_WITHOUT_PRIV)) {
-				sid_peek_rid(&map.sid, &rid);
+				if(!sid_peek_rid(NULL,&map.sid, &rid))
+					return False;
 			} else 
 				rid=pdb_gid_to_group_rid(pdb_get_gid(sampass));
 		}
@@ -1034,7 +1035,8 @@
 BOOL pdb_getsampwsid(SAM_ACCOUNT * user, DOM_SID *sid)
 {
 	uint32 rid;
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid))
+		return False;
 	return pdb_getsampwrid(user, rid);
 }
 
diff -Nur HEAD/source/passdb/pdb_smbpasswd.c HEAD-fix/source/passdb/pdb_smbpasswd.c
--- HEAD/source/passdb/pdb_smbpasswd.c	Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_smbpasswd.c	Fri May 31 10:32:39 2002
@@ -1242,14 +1242,14 @@
 	    && (pw_buf->smb_userid >= smbpasswd_state->low_nua_userid) 
 	    && (pw_buf->smb_userid <= smbpasswd_state->high_nua_userid)) {
 
-		pdb_set_user_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
+		pdb_set_user_sid_from_rid(sam_pass, fallback_pdb_uid_to_user_rid (pw_buf->smb_userid));
 
 		/* lkclXXXX this is OBSERVED behaviour by NT PDCs, enforced here. 
 		   
 		   This was down the bottom for machines, but it looks pretty good as
 		   a general default for non-unix users. --abartlet 2002-01-08
 		*/
-		pdb_set_group_rid (sam_pass, DOMAIN_GROUP_RID_USERS); 
+		pdb_set_group_sid_from_rid (sam_pass, DOMAIN_GROUP_RID_USERS); 
 		pdb_set_username (sam_pass, pw_buf->smb_name);
 		pdb_set_domain (sam_pass, lp_workgroup());
 	} else {
@@ -1458,7 +1458,8 @@
 static BOOL smbpasswd_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
 	uint32 rid;
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid))
+		return False;
 	return smbpasswd_getsampwrid(my_methods, user, rid);
 }
 
diff -Nur HEAD/source/passdb/pdb_tdb.c HEAD-fix/source/passdb/pdb_tdb.c
--- HEAD/source/passdb/pdb_tdb.c	Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_tdb.c	Fri May 31 10:32:55 2002
@@ -246,8 +246,8 @@
 		}
 	}
 
-	pdb_set_user_rid(sampass, user_rid);
-	pdb_set_group_rid(sampass, group_rid);
+	pdb_set_user_sid_from_rid(sampass, user_rid);
+	pdb_set_group_sid_from_rid(sampass, group_rid);
 	pdb_set_unknown_3(sampass, unknown_3);
 	pdb_set_hours_len(sampass, hours_len);
 	pdb_set_unknown_5(sampass, unknown_5);
@@ -671,7 +671,8 @@
 static BOOL tdbsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
 	uint32 rid;
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid))
+		return False;
 	return tdbsam_getsampwrid(my_methods, user, rid);
 }
 
@@ -775,7 +776,7 @@
 						goto done;
 					}
 				}
-				pdb_set_user_rid(newpwd, user_rid);
+				pdb_set_user_sid_from_rid(newpwd, user_rid);
 			} else {
 				user_rid = tdb_state->low_nua_rid;
 				tdb_ret = tdb_change_uint32_atomic(pwd_tdb, "NUA_RID_COUNTER", &user_rid, RID_MULTIPLIER);
@@ -788,7 +789,7 @@
 					ret = False;
 					goto done;
 				}
-				pdb_set_user_rid(newpwd, user_rid);
+				pdb_set_user_sid_from_rid(newpwd, user_rid);
 			}
 		} else {
 			DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a RID\n",pdb_get_username(newpwd)));
@@ -805,7 +806,7 @@
 				goto done;
 			} else {
 				/* This seems like a good default choice for non-unix users */
-				pdb_set_group_rid(newpwd, DOMAIN_GROUP_RID_USERS);
+				pdb_set_group_sid_from_rid(newpwd, DOMAIN_GROUP_RID_USERS);
 			}
 		} else {
 			DEBUG (0,("tdb_update_sam: Failing to store a SAM_ACCOUNT for [%s] without a primary group RID\n",pdb_get_username(newpwd)));
diff -Nur HEAD/source/passdb/pdb_unix.c HEAD-fix/source/passdb/pdb_unix.c
--- HEAD/source/passdb/pdb_unix.c	Mon May 27 13:11:02 2002
+++ HEAD-fix/source/passdb/pdb_unix.c	Fri May 31 10:33:56 2002
@@ -68,7 +68,8 @@
 static BOOL unixsam_getsampwsid(struct pdb_methods *my_methods, SAM_ACCOUNT * user, DOM_SID *sid)
 {
 	uint32 rid;
-	sid_peek_rid(sid, &rid);
+	if(!sid_peek_rid(NULL,sid, &rid))
+		return False;
 	return unixsam_getsampwrid(my_methods, user, rid);
 }
 
diff -Nur HEAD/source/printing/nt_printing.c HEAD-fix/source/printing/nt_printing.c
--- HEAD/source/printing/nt_printing.c	Mon May 13 14:09:47 2002
+++ HEAD-fix/source/printing/nt_printing.c	Wed May 29 15:14:08 2002
@@ -3683,7 +3683,6 @@
 
 static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
 {
-	extern DOM_SID global_sam_sid;
 	SEC_ACE ace[3];
 	SEC_ACCESS sa;
 	SEC_ACL *psa = NULL;
@@ -3709,7 +3708,7 @@
  		   This should emulate a lanman printer as security
  		   settings can't be changed. */
 
-		sid_copy(&owner_sid, &global_sam_sid);
+		sid_copy(&owner_sid, get_global_sam_sid());
 		sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
 	}
 
diff -Nur HEAD/source/rpc_server/srv_lsa_nt.c HEAD-fix/source/rpc_server/srv_lsa_nt.c
--- HEAD/source/rpc_server/srv_lsa_nt.c	Tue May 21 14:07:20 2002
+++ HEAD-fix/source/rpc_server/srv_lsa_nt.c	Wed May 29 15:22:01 2002
@@ -26,7 +26,6 @@
 
 #include "includes.h"
 
-extern DOM_SID global_sam_sid;
 extern fstring global_myworkgroup;
 extern pstring global_myname;
 extern PRIVS privs[];
@@ -320,7 +319,7 @@
 	init_sec_access(&mask, POLICY_EXECUTE);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
-	sid_copy(&adm_sid, &global_sam_sid);
+	sid_copy(&adm_sid, get_global_sam_sid());
 	sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
 	init_sec_access(&mask, POLICY_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
@@ -367,7 +366,7 @@
 		return NT_STATUS_NO_MEMORY;
 
 	ZERO_STRUCTP(info);
-	info->sid = global_sam_sid;
+	info->sid = *(get_global_sam_sid());
 	info->access = acc_granted;
 
 	/* set up the LSA QUERY INFO response */
@@ -405,7 +404,7 @@
 		return NT_STATUS_NO_MEMORY;
 
 	ZERO_STRUCTP(info);
-	info->sid = global_sam_sid;
+	info->sid = *(get_global_sam_sid());
 	info->access = acc_granted;
 
 	/* set up the LSA QUERY INFO response */
@@ -502,7 +501,7 @@
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
 				name = global_myworkgroup;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_DOMAIN_MEMBER:
 				name = global_myworkgroup;
@@ -532,15 +531,15 @@
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
 				name = global_myworkgroup;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_DOMAIN_MEMBER:
 				name = global_myname;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_STANDALONE:
 				name = global_myname;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			default:
 				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;
diff -Nur HEAD/source/rpc_server/srv_netlog_nt.c HEAD-fix/source/rpc_server/srv_netlog_nt.c
--- HEAD/source/rpc_server/srv_netlog_nt.c	Tue May 21 14:07:20 2002
+++ HEAD-fix/source/rpc_server/srv_netlog_nt.c	Wed May 29 15:18:31 2002
@@ -27,7 +27,6 @@
 #include "includes.h"
 
 extern pstring global_myname;
-extern DOM_SID global_sam_sid;
 
 /*************************************************************************
  init_net_r_req_chal:
@@ -705,7 +704,7 @@
 				    NULL, /* uchar sess_key[16] */
 				    my_name     , /* char *logon_srv */
 				    my_workgroup, /* char *logon_dom */
-				    &global_sam_sid,     /* DOM_SID *dom_sid */
+				    get_global_sam_sid(),     /* DOM_SID *dom_sid */
 				    NULL); /* char *other_sids */
 	}
 	free_server_info(&server_info);
diff -Nur HEAD/source/rpc_server/srv_samr_nt.c HEAD-fix/source/rpc_server/srv_samr_nt.c
--- HEAD/source/rpc_server/srv_samr_nt.c	Mon Jun  3 09:20:28 2002
+++ HEAD-fix/source/rpc_server/srv_samr_nt.c	Mon Jun  3 09:20:55 2002
@@ -31,7 +31,6 @@
 
 extern fstring global_myworkgroup;
 extern pstring global_myname;
-extern DOM_SID global_sam_sid;
 extern DOM_SID global_sid_Builtin;
 
 extern rid_name domain_group_rids[];
@@ -654,7 +653,7 @@
 		}
 		SAFE_FREE(map);
 		
-	} else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) {
+	} else if (sid_equal(sid, get_global_sam_sid()) && !lp_hide_local_users()) {
 		struct sys_grent *glist;
 		struct sys_grent *grp;
 		struct passwd *pw;
@@ -1356,7 +1355,7 @@
 		group_attrs[i] = SID_NAME_UNKNOWN;
 		*group_names[i] = '\0';
 
-		if (sid_equal(&pol_sid, &global_sam_sid)) {
+		if (sid_equal(&pol_sid, get_global_sam_sid())) {
 			sid_copy(&sid, &pol_sid);
 			sid_append_rid(&sid, q_u->rid[i]);
 
@@ -1796,7 +1795,7 @@
 			num_users=info->disp_info.num_user_account;
 			free_samr_db(info);
 			
-			r_u->status=load_group_domain_entries(info, &global_sam_sid);
+			r_u->status=load_group_domain_entries(info, get_global_sam_sid());
 			if (NT_STATUS_IS_ERR(r_u->status)) {
 				DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
 				return r_u->status;
@@ -1982,19 +1981,10 @@
  			  account));
  		return NT_STATUS_ACCESS_DENIED;		
  	}
- 	
- 	/* Get the domain SID stored in the domain policy */
-  	if(!get_lsa_policy_samr_sid(p, &dom_pol, &sid)) {
-  		pdb_free_sam(&sam_pass);
-		return NT_STATUS_INVALID_HANDLE;
-	}
-
-	/* append the user's RID to it */
-	if(!sid_append_rid(&sid, pdb_get_user_rid(sam_pass) )) {
-		pdb_free_sam(&sam_pass);
-		return NT_STATUS_NO_SUCH_USER;
-	}
 
+	/* Get the user's SID */
+	sid_copy(&sid,(DOM_SID *)pdb_get_user_sid(sam_pass));
+	
 	/* associate the user's SID with the new handle. */
 	if ((info = get_samr_info_by_sid(&sid)) == NULL) {
 		pdb_free_sam(&sam_pass);
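Review bot: Removing the `get_lsa_policy_samr_sid(p, &dom_pol, &sid)` call also removes the only check in this hunk that `dom_pol` is a valid domain handle; before, a bad handle ended in `NT_STATUS_INVALID_HANDLE`. Unless the handle is validated earlier in the function (outside this hunk), the request now proceeds to associate a user handle regardless of what `dom_pol` refers to. I would keep the lookup purely as a validation step into a new local, e.g. `if (!get_lsa_policy_samr_sid(p, &dom_pol, &dom_sid))` with the same `pdb_free_sam(&sam_pass); return NT_STATUS_INVALID_HANDLE;` body, and then take the user SID from `pdb_get_user_sid(sam_pass)` as the new code does.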
@@ -2725,7 +2715,7 @@
 		if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
 			return NT_STATUS_NO_SUCH_ALIAS;
 	} else {
-		if (sid_equal(&alias_sid, &global_sam_sid)) {
+		if (sid_equal(&alias_sid, get_global_sam_sid())) {
 			DEBUG(10, ("lookup on Server SID\n"));
 			if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
 				return NT_STATUS_NO_SUCH_ALIAS;
@@ -2744,7 +2734,7 @@
 		struct passwd *pass;
 		uint32 rid;
 
-		sid_copy(&temp_sid, &global_sam_sid);
+		sid_copy(&temp_sid, get_global_sam_sid());
 
 		pass = getpwuid_alloc(uid[i]);
 		if (!pass) continue;
@@ -2818,7 +2808,7 @@
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
 	/* can we get a query for an SID outside our domain ? */
-	if (!sid_equal(&group_sid, &global_sam_sid))
+	if (!sid_equal(&group_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	sid_append_rid(&group_sid, group_rid);
@@ -2901,7 +2891,7 @@
 	sid_to_string(alias_sid_str, &alias_sid);
 	DEBUG(10, ("sid is %s\n", alias_sid_str));
 
-	if (sid_compare(&alias_sid, &global_sam_sid)>0) {
+	if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
 		DEBUG(10, ("adding member on Server SID\n"));
 		if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
 			return NT_STATUS_NO_SUCH_ALIAS;
@@ -3050,7 +3040,7 @@
 	sid_to_string(group_sid_str, &group_sid);
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
-	if (sid_compare(&group_sid, &global_sam_sid)<=0)
+	if (sid_compare(&group_sid, get_global_sam_sid())<=0)
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	DEBUG(10, ("lookup on Domain SID\n"));
@@ -3058,7 +3048,7 @@
 	if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	sid_copy(&user_sid, &global_sam_sid);
+	sid_copy(&user_sid, get_global_sam_sid());
 	sid_append_rid(&user_sid, q_u->rid);
 
 	ret = pdb_init_sam(&sam_user);
@@ -3137,7 +3127,7 @@
 	if(!sid_check_is_in_our_domain(&group_sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	sid_copy(&user_sid, &global_sam_sid);
+	sid_copy(&user_sid, get_global_sam_sid());
 	sid_append_rid(&user_sid, q_u->rid);
 
 	if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
@@ -3270,7 +3260,7 @@
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
 	/* we check if it's our SID before deleting */
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	DEBUG(10, ("lookup on Domain SID\n"));
@@ -3327,7 +3317,7 @@
 	DEBUG(10, ("sid is %s\n", alias_sid_str));
 
 	/* we check if it's our SID before deleting */
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_ALIAS;
 
 	DEBUG(10, ("lookup on Local SID\n"));
@@ -3377,7 +3367,7 @@
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) 
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
@@ -3398,7 +3388,7 @@
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
 
 	/* add the group to the mapping table */
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, r_u->rid);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3435,7 +3425,7 @@
 	if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) 
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* TODO: check if allowed to create group  and add a become_root/unbecome_root pair.*/
@@ -3455,7 +3445,7 @@
 
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
 
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, r_u->rid);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3641,10 +3631,10 @@
 		return NT_STATUS_INVALID_HANDLE;
 
 	/* this should not be hard-coded like this */
-	if (!sid_equal(&sid, &global_sam_sid))
+	if (!sid_equal(&sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, q_u->rid_group);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3733,7 +3723,7 @@
 			num_users=info->disp_info.num_user_account;
 			free_samr_db(info);
 			
-			r_u->status=load_group_domain_entries(info, &global_sam_sid);
+			r_u->status=load_group_domain_entries(info, get_global_sam_sid());
 			if (NT_STATUS_IS_ERR(r_u->status)) {
 				DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
 				return r_u->status;
diff -Nur HEAD/source/rpc_server/srv_util.c HEAD-fix/source/rpc_server/srv_util.c
--- HEAD/source/rpc_server/srv_util.c	Mon May 27 13:11:02 2002
+++ HEAD-fix/source/rpc_server/srv_util.c	Fri May 31 11:55:04 2002
@@ -181,7 +181,8 @@
 				}
 				rids=new_rids;
 				
-				sid_peek_rid(&map.sid, &(rids[cur_rid]));
+				if(!sid_peek_rid(NULL,&map.sid, &(rids[cur_rid])))
+					return NT_STATUS_NO_SUCH_USER;
 				DEBUG(10,("get_alias_user_groups: user found in group %s\n", map.nt_name));
 				cur_rid++;
 				break;
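Review bot: The added `return NT_STATUS_NO_SUCH_USER;` leaves the function from inside the loop right after `rids=new_rids;`, so the array built up so far is neither freed nor handed to the caller on this path. The second hunk in this file has the same early return immediately before the `done:` label, bypassing whatever that label does, and the two `return False;` additions in the later hunks leave while `gids` and `map` are in use. Whether those buffers are heap-allocated and what `done:` cleans up is outside the visible lines, so please confirm; if they are, release them before returning or route the failure through the existing exit path.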
@@ -243,7 +244,8 @@
 	}
 	rids=new_rids;
 
- 	sid_peek_rid(&map.sid, &(rids[cur_rid]));
+ 	if(!sid_peek_rid(NULL,&map.sid, &(rids[cur_rid])))
+		return NT_STATUS_NO_SUCH_USER;
 	cur_rid++;
 
 done:
@@ -298,7 +300,8 @@
 		for(num=0; grp->gr_mem[num]!=NULL; num++) {
 			if(strcmp(grp->gr_mem[num], user_name)==0) {
 				/* we found the user, add the group to the list */
-				sid_peek_rid(&map[i].sid, &(gids[cur_gid].g_rid));
+				if(!sid_peek_rid(NULL,&map[i].sid, &(gids[cur_gid].g_rid)))
+					return False;
 				gids[cur_gid].attr=7;
 				DEBUG(10,("get_domain_user_groups: user found in group %s\n", map[i].nt_name));
 				cur_gid++;
@@ -324,7 +327,8 @@
 	}
 
 	for(i=0; i<num_entries; i++) {
-		sid_peek_rid(&map[i].sid, &tmp_rid);
+		if(!sid_peek_rid(NULL,&map[i].sid, &tmp_rid))
+			return False;
 		if (tmp_rid==grid) {
 			/* 
 			 * the primary group of the user but be the first one in the list
diff -Nur HEAD/source/smbd/groupname.c HEAD-fix/source/smbd/groupname.c
--- HEAD/source/smbd/groupname.c	Wed Jan 30 07:08:38 2002
+++ HEAD-fix/source/smbd/groupname.c	Wed May 29 15:26:38 2002
@@ -21,7 +21,6 @@
 #ifdef USING_GROUPNAME_MAP
 
 #include "includes.h"
-extern DOM_SID global_sam_sid;
 
 /**************************************************************************
  Groupname map functionality. The code loads a groupname map file and
@@ -160,7 +159,7 @@
        * It's not a well known name, convert the UNIX gid_t
        * to a rid within this domain SID.
        */
-      tmp_sid = global_sam_sid;
+      tmp_sid = *(get_global_sam_sid());
       tmp_sid.sub_auths[tmp_sid.num_auths++] = 
                     pdb_gid_to_group_rid(gid);
     }
@@ -228,7 +227,7 @@
    * If there's no map, convert the UNIX gid_t
    * to a rid within this domain SID.
    */
-  *psid = global_sam_sid;
+  sid_copy(psid,get_global_sam_sid());
   psid->sub_auths[psid->num_auths++] = pdb_gid_to_group_rid(gid);
 
   return;
diff -Nur HEAD/source/smbd/uid.c HEAD-fix/source/smbd/uid.c
--- HEAD/source/smbd/uid.c	Mon Apr 15 10:33:07 2002
+++ HEAD-fix/source/smbd/uid.c	Wed May 29 12:09:31 2002
@@ -504,7 +504,7 @@
 		sid_copy(&tmp_sid, sid);
 		sid_split_rid(&tmp_sid, &rid);
 
-		if (sid_equal(&global_sam_sid, &tmp_sid)) {
+		if (sid_equal(get_global_sam_sid(), &tmp_sid)) {
 
 			return map_domain_sid_to_name(&tmp_sid, dom_name) &&
 				local_lookup_sid(sid, name, name_type);
@@ -598,7 +598,7 @@
 	fstring sid_str;
 
 	/* if we know its local then don't try winbindd */
-	if (sid_compare_domain(&global_sam_sid, psid) == 0) {
+	if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
 		return local_sid_to_uid(puid, psid, sidtype);
 	}
 
diff -Nur HEAD/source/utils/pdbedit.c HEAD-fix/source/utils/pdbedit.c
--- HEAD/source/utils/pdbedit.c	Mon May 27 13:11:03 2002
+++ HEAD-fix/source/utils/pdbedit.c	Wed May 29 13:19:29 2002
@@ -81,10 +81,12 @@
 		if (IS_SAM_UNIX_USER(sam_pwent)) {
 			uid = pdb_get_uid(sam_pwent);
 			gid = pdb_get_gid(sam_pwent);
-			printf ("user ID/Group:        %d/%d\n", uid, gid);
+			printf ("User ID/Group ID:     %d/%d\n", uid, gid);
 		}
-		printf ("user RID/GRID:        %u/%u\n", (unsigned int)pdb_get_user_rid(sam_pwent),
-			(unsigned int)pdb_get_group_rid(sam_pwent));
+		printf ("User SID:             %s\n",
+			sid_string_static((DOM_SID *)pdb_get_user_sid(sam_pwent)));
+		printf ("Primary Group SID:    %s\n",
+			sid_string_static((DOM_SID *)pdb_get_group_sid(sam_pwent)));
 		printf ("Full Name:            %s\n", pdb_get_fullname(sam_pwent));
 		printf ("Home Directory:       %s\n", pdb_get_homedir(sam_pwent));
 		printf ("HomeDir Drive:        %s\n", pdb_get_dirdrive(sam_pwent));
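Review bot: The `(DOM_SID *)` casts in the two new printf calls look like they are there to strip a const qualifier from what `pdb_get_user_sid` and `pdb_get_group_sid` return (their declarations are not in this hunk, so this is inferred). Casting const away hides a later accidental write through the pointer; declaring the parameter of `sid_string_static` as `const DOM_SID *` would remove the need for the cast at every caller. It is also worth confirming that both getters can never return NULL for an account that has no SID set yet, since the result goes straight into the formatter.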
@@ -329,7 +331,7 @@
 	
 	pdb_set_acct_ctrl (sam_pwent, ACB_WSTRUST);
 	
-	pdb_set_group_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
+	pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS);
 	
 	if (in->pdb_add_sam_account (in, sam_pwent)) {
 		print_user_info (in, name, True, False);
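Review bot: The result of `pdb_set_group_sid_from_rid(sam_pwent, DOMAIN_GROUP_RID_COMPUTERS)` is dropped. Unlike the old RID setter, it has to combine the RID with a domain SID, which can presumably fail when the SAM SID is unavailable (its definition is not in this hunk). If it returns a status, check it before `pdb_add_sam_account` so that a machine account is not stored with an unset primary group SID.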
diff -Nur HEAD/source/utils/smbgroupedit.c HEAD-fix/source/utils/smbgroupedit.c
--- HEAD/source/utils/smbgroupedit.c	Fri Apr 19 00:56:34 2002
+++ HEAD-fix/source/utils/smbgroupedit.c	Wed May 29 15:27:46 2002
@@ -23,7 +23,6 @@
 
 extern pstring global_myname;
 extern pstring global_myworkgroup;
-extern DOM_SID global_sam_sid;
 
 /*
  * Next two lines needed for SunOS and don't
diff -Nur HEAD/source/lib/util_sid.c HEAD-fix/source/lib/util_sid.c
--- HEAD/source/lib/util_sid.c	Mon Apr 15 10:32:58 2002
+++ HEAD-fix/source/lib/util_sid.c	Mon Jun  3 09:54:09 2002
@@ -4,6 +4,7 @@
    Copyright (C) Andrew Tridgell 1992-1998
    Copyright (C) Luke Kenneth Caseson Leighton 1998-1999
    Copyright (C) Jeremy Allison  1999
+   Copyright (C) Stefan (metze) Metzmacher 2002
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -25,7 +26,7 @@
 /* NOTE! the global_sam_sid is the SID of our local SAM. This is only
    equal to the domain SID when we are a DC, otherwise its our
    workstation SID */
-DOM_SID global_sam_sid;
+DOM_SID *global_sam_sid=NULL;
 extern pstring global_myname;
 extern fstring global_myworkgroup;
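Review bot: The comment above `DOM_SID *global_sam_sid=NULL;` still describes a SID object, and nothing tells a reader that the variable is now a pointer that stays NULL until something sets it. I would add a line such as `Access only through get_global_sam_sid(); the pointer is NULL until the SAM SID has been set.` to that comment. Since the converted call sites all go through the accessor, making the variable `static` and dropping any remaining `extern` declaration would stop new code from reading the raw pointer, assuming no other file still needs it.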
 
@@ -120,17 +121,17 @@
 	
 
 	if ((lp_security() == SEC_USER) && lp_domain_logons()) {
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myworkgroup;
 		sid_name_map[i].known_users = NULL;
 		i++;
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
 		i++;
 	}
 	else {
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
 		i++;
@@ -270,14 +271,14 @@
 
 	if (nt_domain == NULL) {
 		DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n"));
-		sid_copy(sid, &global_sam_sid);
+		sid_copy(sid, get_global_sam_sid());
 		return True;
 	}
 
 	if (nt_domain[0] == 0) {
 		fstrcpy(nt_domain, global_myname);
 		DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain));
-		sid_copy(sid, &global_sam_sid);
+		sid_copy(sid, get_global_sam_sid());
 		return True;
 	}
 
@@ -473,8 +474,24 @@
  Return the last rid from the end of a sid
 *****************************************************************/  
 
-BOOL sid_peek_rid(DOM_SID *sid, uint32 *rid)
+BOOL sid_peek_rid(DOM_SID *exp_dom_sid,DOM_SID *sid, uint32 *rid)
 {
+	DOM_SID *_exp_dom_sid=exp_dom_sid;
+	
+	if(!sid||!rid)
+		return False;
+			
+	if(!_exp_dom_sid)
+		if(!(_exp_dom_sid=get_global_sam_sid())){
+			*rid=(-1);
+			return False;
+		}
+			
+	if(sid_compare_domain(_exp_dom_sid,sid)!=0){
+		*rid=(-1);
+		return False;
+	}
+	
 	if (sid->num_auths > 0) {
 		*rid = sid->sub_auths[sid->num_auths - 1];
 		return True;
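Review bot: The header comment still reads "Return the last rid from the end of a sid", but the function no longer just does that. It now rejects any SID whose domain differs from `exp_dom_sid`, falls back to get_global_sam_sid() when that argument is NULL, and writes `(-1)` into the unsigned `*rid` on those failures. A comment along the lines of `Return the last rid of sid if sid lies in exp_dom_sid (NULL means our local SAM domain); otherwise set *rid to 0xFFFFFFFF and return False` would make it clear to callers that NULL does not mean "no domain check". The unbraced `if(!_exp_dom_sid)` wrapping a second `if` is easy to misread once an else is added, so I would brace the outer statement. The end of the function is outside this hunk.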
@@ -631,7 +648,7 @@
 *****************************************************************/  
 BOOL sid_check_is_domain(const DOM_SID *sid)
 {
-	return sid_equal(sid, &global_sam_sid);
+	return sid_equal(sid, get_global_sam_sid());
 }
 
 
@@ -655,7 +672,7 @@
 	sid_copy(&dom_sid, sid);
 	sid_split_rid(&dom_sid, &rid);
 	
-	return sid_equal(&dom_sid, &global_sam_sid);
+	return sid_equal(&dom_sid, get_global_sam_sid());
 }
 
 /*****************************************************************
diff -Nur HEAD/source/groupdb/mapping.c HEAD-fix/source/groupdb/mapping.c
--- HEAD/source/groupdb/mapping.c	Mon Apr 29 08:26:39 2002
+++ HEAD-fix/source/groupdb/mapping.c	Mon Jun  3 10:51:15 2002
@@ -21,7 +21,6 @@
 
 #include "includes.h"
 
-extern DOM_SID global_sam_sid;
 
 static TDB_CONTEXT *tdb; /* used for driver files */
 
@@ -186,17 +185,17 @@
 
 	/* Add the defaults domain groups */
 
-	sid_copy(&sid_admins, &global_sam_sid);
+	sid_copy(&sid_admins, get_global_sam_sid());
 	sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
 	sid_to_string(str_admins, &sid_admins);
 	add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
 
-	sid_copy(&sid_users,  &global_sam_sid);
+	sid_copy(&sid_users,  get_global_sam_sid());
 	sid_append_rid(&sid_users,  DOMAIN_GROUP_RID_USERS);
 	sid_to_string(str_users, &sid_users);
 	add_initial_entry(-1, str_users,  SID_NAME_DOM_GRP, "Domain Users",  "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
 
-	sid_copy(&sid_guests, &global_sam_sid);
+	sid_copy(&sid_guests, get_global_sam_sid());
 	sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
 	sid_to_string(str_guests, &sid_guests);
 	add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
@@ -987,7 +986,12 @@
 		 * make one based on the unix information */
 		uint32 alias_rid;
 
-		sid_peek_rid(&sid, &alias_rid);
+		if(!sid_peek_rid(NULL,&sid, &alias_rid)) {
+			DEBUG(0,("sid_peek_rid return False!\n SID: %s\n",
+				sid_string_static(&sid)));
+			return False;
+		}
+			
 		map->gid=pdb_group_rid_to_gid(alias_rid);
 
 		if ((grp=getgrgid(map->gid)) == NULL)
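Review bot: The added `DEBUG(0, ...)` logs at the always-on level for a condition that any SID outside the local SAM domain triggers. If this path is reachable with SIDs chosen by a client (not visible from the hunk), it can be used to fill the log. A lower level and a message that names the function and the reason would serve an operator better, e.g. `DEBUG(3,("<function name>: SID %s is not in the local SAM domain\n", sid_string_static(&sid)));`. The enclosing function starts and ends outside this hunk.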
@@ -1070,7 +1074,7 @@
 
 		/* interim solution until we have a last RID allocated */
 
-		sid_copy(&map->sid, &global_sam_sid);
+		sid_copy(&map->sid, get_global_sam_sid());
 		sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
 
 		fstrcpy(map->nt_name, grp->gr_name);

