+++ /dev/null
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/auth/auth_util.c samba-3.0.23b-patched/source/auth/auth_util.c
---- samba-3.0.23b/source/auth/auth_util.c 2006-08-07 11:46:33.000000000 -0500
-+++ samba-3.0.23b-patched/source/auth/auth_util.c 2006-08-22 11:09:19.000000000 -0500
-@@ -562,6 +562,10 @@
- struct passwd *pwd;
- gid_t *gids;
- auth_serversupplied_info *result;
-+ int i;
-+ size_t num_gids;
-+ DOM_SID unix_group_sid;
-+
-
- if ( !(pwd = getpwnam_alloc(NULL, pdb_get_username(sampass))) ) {
- DEBUG(1, ("User %s in passdb, but getpwnam() fails!\n",
-@@ -592,10 +596,29 @@
- TALLOC_FREE(result);
- return status;
- }
-+
-+ /* Add the "Unix Group" SID for each gid to catch mapped groups
-+ and their Unix equivalent. This is to solve the backwards
-+ compatibility problem of 'valid users = +ntadmin' where
-+ ntadmin has been paired with "Domain Admins" in the group
-+ mapping table. Otherwise smb.conf would need to be changed
-+ to 'valid user = "Domain Admins"'. --jerry */
-+
-+ num_gids = result->num_sids;
-+ for ( i=0; i<num_gids; i++ ) {
-+ if ( !gid_to_unix_groups_sid( gids[i], &unix_group_sid ) ) {
-+ DEBUG(1,("make_server_info_sam: Failed to create SID "
-+ "for gid %d!\n", gids[i]));
-+ continue;
-+ }
-+ add_sid_to_array_unique( result, &unix_group_sid,
-+ &result->sids, &result->num_sids );
-+ }
-
- /* For now we throw away the gids and convert via sid_to_gid
- * later. This needs fixing, but I'd like to get the code straight and
- * simple first. */
-+
- TALLOC_FREE(gids);
-
- DEBUG(5,("make_server_info_sam: made server info for user %s -> %s\n",
-@@ -873,7 +896,7 @@
- become_root();
- status = create_builtin_administrators( );
- if ( !NT_STATUS_IS_OK(status) ) {
-- DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
-+ DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
- /* don't fail, just log the message */
- }
- unbecome_root();
-@@ -900,7 +923,7 @@
- become_root();
- status = create_builtin_users( );
- if ( !NT_STATUS_IS_OK(status) ) {
-- DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
-+ DEBUG(2,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
- /* don't fail, just log the message */
- }
- unbecome_root();
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/groupdb/mapping.c samba-3.0.23b-patched/source/groupdb/mapping.c
---- samba-3.0.23b/source/groupdb/mapping.c 2006-04-19 21:29:21.000000000 -0500
-+++ samba-3.0.23b-patched/source/groupdb/mapping.c 2006-08-22 11:09:00.000000000 -0500
-@@ -195,7 +195,7 @@
- fstrcpy(map.nt_name, grpname);
-
- if (pdb_rid_algorithm()) {
-- rid = pdb_gid_to_group_rid( grp->gr_gid );
-+ rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
- } else {
- if (!pdb_new_rid(&rid)) {
- DEBUG(3, ("Could not get a new RID for %s\n",
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/include/smb.h samba-3.0.23b-patched/source/include/smb.h
---- samba-3.0.23b/source/include/smb.h 2006-07-10 11:27:52.000000000 -0500
-+++ samba-3.0.23b-patched/source/include/smb.h 2006-08-22 11:09:00.000000000 -0500
-@@ -272,7 +272,7 @@
- #define LOOKUP_NAME_REMOTE 2 /* Ask others */
- #define LOOKUP_NAME_ALL (LOOKUP_NAME_ISOLATED|LOOKUP_NAME_REMOTE)
-
--#define LOOKUP_NAME_GROUP 4 /* This is a NASTY hack for valid users = @foo
-+#define LOOKUP_NAME_GROUP 4 /* (unused) This is a NASTY hack for valid users = @foo
- * where foo also exists in as user. */
-
- /**
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/lookup_sid.c samba-3.0.23b-patched/source/passdb/lookup_sid.c
---- samba-3.0.23b/source/passdb/lookup_sid.c 2006-08-07 11:46:33.000000000 -0500
-+++ samba-3.0.23b-patched/source/passdb/lookup_sid.c 2006-08-22 11:09:14.000000000 -0500
-@@ -43,7 +43,6 @@
- DOM_SID sid;
- enum SID_NAME_USE type;
- TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
-- struct group *grp;
-
- if (tmp_ctx == NULL) {
- DEBUG(0, ("talloc_new failed\n"));
-@@ -120,63 +119,6 @@
- goto failed;
- }
-
-- /*
-- * Nasty hack necessary for too common scenarios:
-- *
-- * For 'valid users = +users' we know "users" is most probably not
-- * BUILTIN\users but the unix group users. This hack requires the
-- * admin to explicitly qualify BUILTIN if BUILTIN\users is meant.
-- *
-- * Please note that LOOKUP_NAME_GROUP can not be requested via for
-- * example lsa_lookupnames, it only comes into this routine via
-- * the expansion of group names coming in from smb.conf
-- */
--
-- if ((flags & LOOKUP_NAME_GROUP) && ((grp = getgrnam(name)) != NULL)) {
--
-- GROUP_MAP map;
--
-- if (pdb_getgrgid(&map, grp->gr_gid)) {
-- /* The hack gets worse. Handle the case where we have
-- * 'force group = +unixgroup' but "unixgroup" has a
-- * group mapping */
--
-- if (sid_check_is_in_builtin(&map.sid)) {
-- domain = talloc_strdup(
-- tmp_ctx, builtin_domain_name());
-- } else {
-- domain = talloc_strdup(
-- tmp_ctx, get_global_sam_name());
-- }
--
-- sid_copy(&sid, &map.sid);
-- type = map.sid_name_use;
-- goto ok;
-- }
--
-- /* If we are using the smbpasswd backend, we need to use the
-- * algorithmic mapping for the unix group we find. This is
-- * necessary because when creating the NT token from the unix
-- * gid list we got from initgroups() we use gid_to_sid() that
-- * uses algorithmic mapping if pdb_rid_algorithm() is true. */
--
-- if (pdb_rid_algorithm() &&
-- (grp->gr_gid < max_algorithmic_gid())) {
-- domain = talloc_strdup(tmp_ctx, get_global_sam_name());
-- sid_compose(&sid, get_global_sam_sid(),
-- pdb_gid_to_group_rid(grp->gr_gid));
-- type = SID_NAME_DOM_GRP;
-- goto ok;
-- }
--
-- if (lookup_unix_group_name(name, &sid)) {
-- domain = talloc_strdup(tmp_ctx,
-- unix_groups_domain_name());
-- type = SID_NAME_DOM_GRP;
-- goto ok;
-- }
-- }
--
- /* Now the guesswork begins, we haven't been given an explicit
- * domain. Try the sequence as documented on
- * http://msdn.microsoft.com/library/en-us/secmgmt/security/lsalookupnames.asp
-@@ -1138,14 +1080,9 @@
- goto done;
- }
-
-- if (pdb_rid_algorithm() && (uid < max_algorithmic_uid())) {
-- sid_copy(psid, get_global_sam_sid());
-- sid_append_rid(psid, algorithmic_pdb_uid_to_user_rid(uid));
-- goto done;
-- } else {
-- uid_to_unix_users_sid(uid, psid);
-- goto done;
-- }
-+ /* This is an unmapped user */
-+
-+ uid_to_unix_users_sid(uid, psid);
-
- done:
- DEBUG(10,("uid_to_sid: local %u -> %s\n", (unsigned int)uid,
-@@ -1180,16 +1117,10 @@
- /* This is a mapped group */
- goto done;
- }
-+
-+ /* This is an unmapped group */
-
-- if (pdb_rid_algorithm() && (gid < max_algorithmic_gid())) {
-- sid_copy(psid, get_global_sam_sid());
-- sid_append_rid(psid, pdb_gid_to_group_rid(gid));
-- goto done;
-- } else {
-- sid_copy(psid, &global_sid_Unix_Groups);
-- sid_append_rid(psid, gid);
-- goto done;
-- }
-+ gid_to_unix_groups_sid(gid, psid);
-
- done:
- DEBUG(10,("gid_to_sid: local %u -> %s\n", (unsigned int)gid,
-@@ -1235,14 +1166,9 @@
- *puid = id.uid;
- goto done;
- }
-- if (pdb_rid_algorithm() &&
-- algorithmic_pdb_rid_is_user(rid)) {
-- *puid = algorithmic_pdb_user_rid_to_uid(rid);
-- goto done;
-- }
-
-- /* This was ours, but it was neither mapped nor
-- * algorithmic. Fail */
-+ /* This was ours, but it was not mapped. Fail */
-+
- return False;
- }
-
-@@ -1323,14 +1249,9 @@
- *pgid = id.gid;
- goto done;
- }
-- if (pdb_rid_algorithm() &&
-- !algorithmic_pdb_rid_is_user(rid)) {
-- /* This must be a group, presented as alias */
-- *pgid = pdb_group_rid_to_gid(rid);
-- goto done;
-- }
-- /* This was ours, but it was neither mapped nor
-- * algorithmic. Fail. */
-+
-+ /* This was ours, but it was not mapped. Fail */
-+
- return False;
- }
-
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/passdb.c samba-3.0.23b-patched/source/passdb/passdb.c
---- samba-3.0.23b/source/passdb/passdb.c 2006-07-10 11:27:52.000000000 -0500
-+++ samba-3.0.23b-patched/source/passdb/passdb.c 2006-08-22 11:09:00.000000000 -0500
-@@ -505,7 +505,7 @@
- there is not anymore a direct link between the gid and the rid.
- ********************************************************************/
-
--uint32 pdb_gid_to_group_rid(gid_t gid)
-+uint32 algorithmic_pdb_gid_to_group_rid(gid_t gid)
- {
- int rid_offset = algorithmic_rid_base();
- return (((((uint32)gid)*RID_MULTIPLIER) + rid_offset) | GROUP_RID_TYPE);
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/pdb_interface.c samba-3.0.23b-patched/source/passdb/pdb_interface.c
---- samba-3.0.23b/source/passdb/pdb_interface.c 2006-07-21 11:22:57.000000000 -0500
-+++ samba-3.0.23b-patched/source/passdb/pdb_interface.c 2006-08-22 11:09:00.000000000 -0500
-@@ -595,7 +595,7 @@
- }
-
- if (pdb_rid_algorithm()) {
-- *rid = pdb_gid_to_group_rid( grp->gr_gid );
-+ *rid = algorithmic_pdb_gid_to_group_rid( grp->gr_gid );
- } else {
- if (!pdb_new_rid(rid)) {
- return NT_STATUS_ACCESS_DENIED;
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/passdb/util_unixsids.c samba-3.0.23b-patched/source/passdb/util_unixsids.c
---- samba-3.0.23b/source/passdb/util_unixsids.c 2006-07-10 11:27:52.000000000 -0500
-+++ samba-3.0.23b-patched/source/passdb/util_unixsids.c 2006-08-22 11:09:14.000000000 -0500
-@@ -42,6 +42,12 @@
- return sid_append_rid(sid, uid);
- }
-
-+BOOL gid_to_unix_groups_sid(gid_t gid, DOM_SID *sid)
-+{
-+ sid_copy(sid, &global_sid_Unix_Groups);
-+ return sid_append_rid(sid, gid);
-+}
-+
- const char *unix_users_domain_name(void)
- {
- return "Unix User";
-diff -urN --exclude-from=/home/drizzt/jerry/tmp/diff.excludes samba-3.0.23b/source/utils/net_groupmap.c samba-3.0.23b-patched/source/utils/net_groupmap.c
---- samba-3.0.23b/source/utils/net_groupmap.c 2006-04-19 21:29:41.000000000 -0500
-+++ samba-3.0.23b-patched/source/utils/net_groupmap.c 2006-08-22 11:09:00.000000000 -0500
-@@ -275,7 +275,7 @@
- if ( (rid == 0) && (string_sid[0] == '\0') ) {
- d_printf("No rid or sid specified, choosing a RID\n");
- if (pdb_rid_algorithm()) {
-- rid = pdb_gid_to_group_rid(gid);
-+ rid = algorithmic_pdb_gid_to_group_rid(gid);
- } else {
- if (!pdb_new_rid(&rid)) {
- d_printf("Could not get new RID\n");
-@@ -555,7 +555,14 @@
- map.gid = grp->gr_gid;
-
- if (opt_rid == 0) {
-- opt_rid = pdb_gid_to_group_rid(map.gid);
-+ if ( pdb_rid_algorithm() )
-+ opt_rid = algorithmic_pdb_gid_to_group_rid(map.gid);
-+ else {
-+ if ( !pdb_new_rid((uint32*)&opt_rid) ) {
-+ d_fprintf( stderr, "Could not allocate new RID\n");
-+ return -1;
-+ }
-+ }
- }
-
- sid_copy(&map.sid, get_global_sam_sid());