idmap-add-apple-wellknown-sid [plain text]
Index: samba/source/passdb/machine_sid.c
===================================================================
--- samba/source/passdb/machine_sid.c.orig
+++ samba/source/passdb/machine_sid.c
@@ -206,7 +206,11 @@ void reset_global_sam_sid(void)
BOOL sid_check_is_domain(const DOM_SID *sid)
{
- return sid_equal(sid, get_global_sam_sid());
+ DOM_SID apple_wellknown =
+ { 1, 1, {0,0,0,0,0,5}, {21,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+ return sid_equal(sid, get_global_sam_sid()) ||
+ sid_equal(sid, &apple_wellknown);
}
/*****************************************************************
@@ -221,5 +225,5 @@ BOOL sid_check_is_in_our_domain(const DO
sid_copy(&dom_sid, sid);
sid_split_rid(&dom_sid, &rid);
- return sid_equal(&dom_sid, get_global_sam_sid());
+ return sid_check_is_domain(&dom_sid);
}
Index: samba/source/passdb/pdb_interface.c
===================================================================
--- samba/source/passdb/pdb_interface.c.orig
+++ samba/source/passdb/pdb_interface.c
@@ -1274,6 +1274,9 @@ static BOOL pdb_default_sid_to_id(struct
const char *name;
uint32 rid;
+ DOM_SID apple_wellknown =
+ { 1, 1, {0,0,0,0,0,5}, {21,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
@@ -1287,6 +1290,12 @@ static BOOL pdb_default_sid_to_id(struct
goto done;
}
+ if (sid_peek_check_rid(&apple_wellknown, sid, &rid)) {
+ /* Here we might have users as well as groups and aliases */
+ ret = lookup_global_sam_rid(mem_ctx, rid, &name, type, id);
+ goto done;
+ }
+
/* check for "Unix User" */
if ( sid_peek_check_rid(&global_sid_Unix_Users, sid, &rid) ) {
@@ -1307,8 +1316,8 @@ static BOOL pdb_default_sid_to_id(struct
/* BUILTIN */
-
- if (sid_peek_check_rid(&global_sid_Builtin, sid, &rid)) {
+ if (sid_check_is_in_builtin(sid) ||
+ sid_check_is_in_wellknown_domain(sid)) {
/* Here we only have aliases */
GROUP_MAP map;
if (!NT_STATUS_IS_OK(methods->getgrsid(methods, &map, *sid))) {
Index: samba/source/nsswitch/winbindd_util.c
===================================================================
--- samba/source/nsswitch/winbindd_util.c.orig
+++ samba/source/nsswitch/winbindd_util.c
@@ -589,12 +589,18 @@ struct winbindd_domain *find_domain_from
struct winbindd_domain *find_domain_from_sid_noinit(const DOM_SID *sid)
{
struct winbindd_domain *domain;
+ uint32_t discard;
/* Search through list */
for (domain = domain_list(); domain != NULL; domain = domain->next) {
- if (sid_compare_domain(sid, &domain->sid) == 0)
+ /* We need to use sid_peek_check_rid, because some systems, eg
+ * Open Directory, have allocated their own builtin SIDs.
+ * These need to get to the default idmap backend.
+ */
+ if (sid_peek_check_rid(&domain->sid, sid, &discard) == 0) {
return domain;
+ }
}
/* Not found */
Index: samba/source/nsswitch/winbindd_passdb.c
===================================================================
--- samba/source/nsswitch/winbindd_passdb.c.orig
+++ samba/source/nsswitch/winbindd_passdb.c
@@ -125,7 +125,8 @@ static NTSTATUS sid_to_name(struct winbi
/* Paranoia check */
if (!sid_check_is_in_builtin(sid) &&
- !sid_check_is_in_our_domain(sid)) {
+ !sid_check_is_in_our_domain(sid) &&
+ !sid_check_is_in_wellknown_domain(sid)) {
DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with "
"passdb backend\n", sid_string_static(sid)));
return NT_STATUS_NONE_MAPPED;
Index: samba/source/passdb/util_wellknown.c
===================================================================
--- samba/source/passdb/util_wellknown.c.orig
+++ samba/source/passdb/util_wellknown.c
@@ -64,10 +64,18 @@ static const struct rid_name_map nt_auth
{ 20, "Network Service"},
{ 0, NULL}};
+static const DOM_SID global_sid_NULL_Authority = /* NULL sid */
+{ 1, 0, {0,0,0,0,0,0}, {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0}};
+
+static const struct rid_name_map null_authority_users[] = {
+ { 0, "Nobody" },
+ { 0, NULL}};
+
static struct sid_name_map_info special_domains[] = {
{ &global_sid_World_Domain, "", everyone_users },
{ &global_sid_Creator_Owner_Domain, "", creator_owner_users },
{ &global_sid_NT_Authority, "NT Authority", nt_authority_users },
+ { &global_sid_NULL_Authority, "NULL Authority", null_authority_users },
{ NULL, NULL, NULL }};
BOOL sid_check_is_wellknown_domain(const DOM_SID *sid, const char **name)