Problems with get_group_alias_entries

[Andrew Bartlett]

Kai Krueger wrote:
> I've noticed two problems with enumerating aliases in srv_samr_nt.c.

I was getting similar problems with Samba HEAD when I was messing with 
some stuff.  I probably should have chased this down...

> The first problem is, that local unix groups only appear as aliases in win2k user manager 
> if I have a debug level bigger than 2. I assume this is not a feature ?!? ;-)
> The problem seams to be that the smb.conf parameter "winbind gid" is not properly
> initialised if not specified in smb.conf. Therefore the variables winbind_gid_low and
> winbind_gid_high contain nonsense values that even seam to be dependant on "log level"
> causing "if ((grp->gr_gid >= winbind_gid_low)&&(grp->gr_gid <= winbind_gid_high))"
> not to function correctly. Is it possible to give the parameter default values?

Not really, but you can disable the test when they don't exist.  Fixed 
in current HEAD CVS.

> The second problem is that enumeration of aliases in the builtin domain returns all
> aliases that are in the mapping tdb. So local groups that are explicitly mapped, for
> example to change the comment to something other than "Local unix group", turn up
> in both the builtin domain and the normal domain. This especially causes problems in
> user manager as that enumerates the domain aliases first and then the builtin aliases.
> As both versions of the local group have the same name and rid, user manager
> only displays the one in the builtin domain which shouldn't be there in the first place
> covering up the correct, mapped alias in the normal domain.
> 
> This can be stopped by simply checking the sid instead of just returning the rid, but
> IMHO there are some confusions between, the mapping, well-known aliases in the
> builtin domain and the local groups so some more changes would be sensible. 

We are looking at getting more code to use SIDs rather then just RIDs, 
so this should be a little easier to fix shortly.

> Do all local groups really have to be returned or wouldn't it be enough if only the
> mapped groups are returned? I think that it doesn't make much sense returning all 
> local (system) unix groups as they don't have much to do with NT. Apart from that
> the enumeration code would be simpler if not all local groups would be returned.
> Do other people see this similar, or is this a needed feature?

Thanks for looking at this,

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net