[Patch] Enable domain groups to be added to builtin groups at domain join time
Tim Prouty
tim.prouty at isilon.com
Wed Jul 16 21:53:36 GMT 2008
Hi,

This patch enables domain groups to be added to builtin groups at
domain join time. Previously this was done at token creation time if
the Administrators and Users builtins hadn't been created yet. A
major drawback to this approach is that if a customer is joined to a
domain and decides they want to join a different domain, the domain
groups from this new domain will not be added to the builtins.

It would be ideal if these groups could be added exclusively at domain
join time, but we can't rely solely on that because there are cases
where winbindd must be running to allocate new gids for the builtins.

The patch is against 3-3-test and includes the following changes:

- Refactored code in token_util to make it callable from the
  libnet_join without changing the behavior of create_local_nt_token.
- Tightened up the become_root()/unbecome_root() pairs.
- Reduced the number of times the domain sid is fetched from
  secrets.tdb.
- Added a wrapper in libnet_join to do its best to add the domain
  groups to the builtins during the domain join post processing. If the
  builtins are already mapped to gids, then it should work. Otherwise,
  winbindd must be running to allocate a new gid. The join will not
  fail if the groups could not be added.

-Tim
Tim Prouty | Software Development Engineer
Isilon Systems
www.isilon.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Enable-domain-groups-to-be-added-to-builtin-groups-a.patch
Type: application/octet-stream
Size: 12983 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20080716/c14ea1cb/0001-Enable-domain-groups-to-be-added-to-builtin-groups-a.obj
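
The drawback described in the message (after joining a different domain, the new domain's groups are not in the builtins) can be checked for after a join. The following is an added example, not code from the patch or from Samba. It assumes the groups in question are Domain Admins (RID 512) in BUILTIN\Administrators and Domain Users (RID 513) in BUILTIN\Users, which the message does not name, and that the caller supplies the alias membership; reporting leftover entries from another domain goes beyond what the message states.

```python
# Added example: audit builtin alias membership after a domain (re)join.
# All domain SIDs used with this code in the test are constructed samples.

BUILTIN_ADMINISTRATORS = "S-1-5-32-544"
BUILTIN_USERS = "S-1-5-32-545"

# Assumption: well-known RID of the domain group expected in each builtin.
EXPECTED_RID = {
    BUILTIN_ADMINISTRATORS: 512,  # Domain Admins
    BUILTIN_USERS: 513,           # Domain Users
}


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain, _, rid = sid.rpartition("-")
    if not domain.startswith("S-1-") or not rid.isdigit():
        raise ValueError("malformed SID: %r" % sid)
    return domain, int(rid)


def audit_builtins(current_domain_sid, alias_members):
    """Compare builtin alias membership with the currently joined domain.

    alias_members maps a builtin alias SID to a list of member SIDs.
    Returns (alias_sid, finding, member_sid) tuples where finding is
    'missing' (the joined domain's group is absent) or 'stale' (the same
    well-known group from a different NT domain is still a member).
    """
    findings = []
    for alias, rid in EXPECTED_RID.items():
        members = set(alias_members.get(alias, []))
        wanted = "%s-%d" % (current_domain_sid, rid)
        if wanted not in members:
            findings.append((alias, "missing", wanted))
        for sid in sorted(members):
            domain, member_rid = split_sid(sid)
            other_domain = (domain.startswith("S-1-5-21-")
                            and domain != current_domain_sid)
            if other_domain and member_rid == rid:
                findings.append((alias, "stale", sid))
    return findings
```

A "missing" finding after a successful join matches the case the message describes, where the join does not fail even though the groups could not be added.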