author | Andrew Bartlett <abartlet@samba.org> | 2012-06-10 22:08:20 +1000 |
committer | Andrew Bartlett <abartlet@samba.org> | 2012-06-15 09:18:33 +0200 |
commit | b8815dc23d36468cce9b615335ed62f119eb8f35 (patch) | |
tree | f98b02f81e3fce8fbedadecf7f847e90bf40f4fa /source4 | |
parent | b9a75d8438470065633c1ff69c653eaa799d5718 (diff) | |
download | samba-b8815dc23d36468cce9b615335ed62f119eb8f35.tar.gz |
lib/param: Create a seperate server role for "active directory domain controller"
This will allow us to detect from the smb.conf if this is a Samba4 AD
DC, which will allow smarter handling of (for example) accidentally
starting smbd rather than samba.
To cope with upgrades from existing Samba4 installs, 'domain
controller' is a synonym of 'active directory domain controller' and
new parameters 'classic primary domain controller' and 'classic backup
domain controller' are added.
Andrew Bartlett
Diffstat (limited to 'source4')
23 files changed, 48 insertions, 39 deletions
diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
index 58a12fbc535..d0ff50afc6e 100644
--- a/source4/auth/ntlm/auth.c
+++ b/source4/auth/ntlm/auth.c
@@ -630,6 +630,7 @@ const char **auth_methods_from_lp(TALLOC_CTX *mem_ctx, struct loadparm_context *
 break;
 case ROLE_DOMAIN_BDC:
 case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 auth_methods = str_list_make(mem_ctx, "anonymous sam_ignoredomain winbind", NULL);
 break;
 }
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index 87a7d275596..4a4307c895f 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -341,7 +341,7 @@ static NTSTATUS authsam_want_check(struct auth_method_context *ctx,
 }
 return NT_STATUS_OK;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 if (!is_local_name && !is_my_domain) {
 DEBUG(6,("authsam_check_password: %s is not one of my local names or domain name (DC)\n", user_info->mapped.domain_name));
diff --git a/source4/cldap_server/cldap_server.c b/source4/cldap_server/cldap_server.c
index 78712bfecfd..a6248d44930 100644
--- a/source4/cldap_server/cldap_server.c
+++ b/source4/cldap_server/cldap_server.c
@@ -205,7 +205,7 @@ static void cldapd_task_init(struct task_server *task)
 task_server_terminate(task, "cldap_server: no CLDAP server required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want an CLDAP server */
 break;
 }
diff --git a/source4/dns_server/dns_server.c b/source4/dns_server/dns_server.c
index 34e4fe36ba5..3592258a8b2 100644
--- a/source4/dns_server/dns_server.c
+++ b/source4/dns_server/dns_server.c
@@ -698,7 +698,7 @@ static void dns_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "dns: no DNS required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a DNS */
 break;
 }
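Review bot: In authsam_want_check the renamed `case ROLE_ACTIVE_DIRECTORY_DC:` is now the only DC role visibly handled by this switch, and the hunk does not show what happens to ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC, which this same commit turns into distinct "classic" roles. Elsewhere in the series (kdc.c, wb_server.c, dcesrv_samr.c) the classic roles get an explicit refusal; if this switch has no `default:`, a classic-DC smb.conf would leave the want-check outcome to whatever follows the switch, which I cannot see here. I would add `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC:` with an explicit result such as `return NT_STATUS_NOT_IMPLEMENTED;` and a one-line comment that the AD SAM backend is not used on classic DCs, or confirm the enum is handled exhaustively so -Wswitch catches the gap. authsam_want_check begins before and continues after this hunk.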
diff --git a/source4/dsdb/dns/dns_update.c b/source4/dsdb/dns/dns_update.c
index 9ab56f7d9f0..3e10447f0fc 100644
--- a/source4/dsdb/dns/dns_update.c
+++ b/source4/dsdb/dns/dns_update.c
@@ -594,7 +594,7 @@ static void dnsupdate_task_init(struct task_server *task)
 NTSTATUS status;
 struct dnsupdate_service *service;
- if (lpcfg_server_role(task->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
 /* not useful for non-DC */
 return;
 }
diff --git a/source4/dsdb/kcc/kcc_service.c b/source4/dsdb/kcc/kcc_service.c
index ac195226986..8b35d6f01a5 100644
--- a/source4/dsdb/kcc/kcc_service.c
+++ b/source4/dsdb/kcc/kcc_service.c
@@ -183,7 +183,7 @@ static void kccsrv_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "kccsrv: no KCC required in domain member configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a KCC */
 break;
 }
diff --git a/source4/dsdb/repl/drepl_service.c b/source4/dsdb/repl/drepl_service.c
index e12ff1e8196..3d28676b8f2 100644
--- a/source4/dsdb/repl/drepl_service.c
+++ b/source4/dsdb/repl/drepl_service.c
@@ -434,7 +434,7 @@ static void dreplsrv_task_init(struct task_server *task)
 task_server_terminate(task, "dreplsrv: no DSDB replication required in domain member configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want DSDB replication */
 break;
 }
diff --git a/source4/echo_server/echo_server.c b/source4/echo_server/echo_server.c
index 60729d8535c..3501c8993f4 100644
--- a/source4/echo_server/echo_server.c
+++ b/source4/echo_server/echo_server.c
@@ -303,7 +303,7 @@ static void echo_task_init(struct task_server *task)
 task_server_terminate(task, "echo: Not starting echo server " \ "for domain members", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want to run the echo server */
 break;
 }
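Review bot: kccsrv_task_init now starts the KCC only on `case ROLE_ACTIVE_DIRECTORY_DC:`, but unlike kdc.c in this same commit it adds no handling for ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC, and the hunk shows no `default:` branch. If none exists, the classic DC roles introduced here match no case, control falls out of the switch and the task proceeds as if it were a DC; the cldap, dns, drepl, ldap and echo task_init hunks have the same shape. I would mirror kdc.c in each of them: `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: task_server_terminate(task, "kccsrv: no KCC on a classic Samba DC", true); return;`, or add a terminating `default:` so an unhandled role can never start a DC-only service. The enclosing function starts outside the hunk.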
diff --git a/source4/kdc/kdc.c b/source4/kdc/kdc.c
index 5424d213e89..a8939069aa4 100644
--- a/source4/kdc/kdc.c
+++ b/source4/kdc/kdc.c
@@ -871,7 +871,11 @@ static void kdc_task_init(struct task_server *task)
 case ROLE_DOMAIN_MEMBER:
 task_server_terminate(task, "kdc: no KDC required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start KDC as a 'classic Samba' DC", true);
+ return;
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want a KDC */
 break;
 }
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index b773716bd21..886c684ff33 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -907,7 +907,7 @@ static void ldapsrv_task_init(struct task_server *task)
 task_server_terminate(task, "ldap_server: no LDAP server required in member server configuration", false);
 return;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* Yes, we want an LDAP server */
 break;
 }
diff --git a/source4/nbt_server/dgram/netlogon.c b/source4/nbt_server/dgram/netlogon.c
index f99f195d031..3f0fa542fea 100644
--- a/source4/nbt_server/dgram/netlogon.c
+++ b/source4/nbt_server/dgram/netlogon.c
@@ -54,7 +54,7 @@ static void nbtd_netlogon_getdc(struct dgram_mailslot_handler *dgmslot,
 samctx = iface->nbtsrv->sam_ctx;
- if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_DOMAIN_CONTROLLER
+ if (lpcfg_server_role(iface->nbtsrv->task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC
 || !samdb_is_pdc(samctx)) {
 DEBUG(2, ("Not a PDC, so not processing LOGON_PRIMARY_QUERY\n"));
 return;
diff --git a/source4/nbt_server/register.c b/source4/nbt_server/register.c
index fb2f9913c51..f5517b249a5 100644
--- a/source4/nbt_server/register.c
+++ b/source4/nbt_server/register.c
@@ -289,7 +289,7 @@ void nbtd_register_names(struct nbtd_server *nbtsrv)
 aliases++;
 }
- if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(nbtsrv->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
 bool is_pdc = samdb_is_pdc(nbtsrv->sam_ctx);
 if (is_pdc) {
 nbtd_register_name(nbtsrv, lpcfg_workgroup(nbtsrv->task->lp_ctx),
diff --git a/source4/param/tests/loadparm.c b/source4/param/tests/loadparm.c
index fd4885ef7d8..f375bb42384 100644
--- a/source4/param/tests/loadparm.c
+++ b/source4/param/tests/loadparm.c
@@ -157,7 +157,7 @@ static bool test_server_role_dc_specified(struct torture_context *tctx)
 {
 struct loadparm_context *lp_ctx = loadparm_init(tctx);
 torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=domain controller"), "lpcfg_set_option failed");
- torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_CONTROLLER, "ROLE should be DC");
+ torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_ACTIVE_DIRECTORY_DC, "ROLE should be DC");
 torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_USER, "security should be USER");
 return true;
 }
diff --git a/source4/rpc_server/backupkey/dcesrv_backupkey.c b/source4/rpc_server/backupkey/dcesrv_backupkey.c
index 2aee678bd4b..87799db595e 100644
--- a/source4/rpc_server/backupkey/dcesrv_backupkey.c
+++ b/source4/rpc_server/backupkey/dcesrv_backupkey.c
@@ -1269,7 +1269,7 @@ static WERROR dcesrv_bkrp_BackupKey(struct dcesrv_call_state *dce_call,
 }
 }
- if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(dce_call->conn->dce_ctx->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
 return WERR_NOT_SUPPORTED;
 }
diff --git a/source4/rpc_server/common/server_info.c b/source4/rpc_server/common/server_info.c
index 68985d81aa5..afbbb23e362 100644
--- a/source4/rpc_server/common/server_info.c
+++ b/source4/rpc_server/common/server_info.c
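Review bot: test_server_role_dc_specified now only covers the upgrade synonym — it sets `server role=domain controller` and expects ROLE_ACTIVE_DIRECTORY_DC — so nothing in the visible tests exercises the new canonical spelling or the two classic roles this commit introduces, even though the signing, KDC and winbind start-up decisions in the same commit all hinge on those values parsing correctly. I would add sibling tests for `"server role=active directory domain controller"` (expecting ROLE_ACTIVE_DIRECTORY_DC) and for the classic spellings expecting ROLE_DOMAIN_PDC / ROLE_DOMAIN_BDC, and make the assertion message name the expected constant so a failure shows which role was parsed; the new functions also need registering in the suite, which is outside this hunk. One of them, as I would write it:

```c
static bool test_server_role_classic_pdc(struct torture_context *tctx)
{
	struct loadparm_context *lp_ctx = loadparm_init(tctx);
	torture_assert(tctx, lpcfg_set_option(lp_ctx, "server role=classic primary domain controller"), "lpcfg_set_option failed");
	torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_DOMAIN_PDC, "ROLE should be ROLE_DOMAIN_PDC");
	return true;
}
```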
@@ -75,7 +75,7 @@ uint32_t dcesrv_common_get_server_type(TALLOC_CTX *mem_ctx, struct tevent_contex
 case ROLE_DOMAIN_MEMBER:
 default_server_announce |= SV_TYPE_DOMAIN_MEMBER;
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 {
 struct ldb_context *samctx;
 TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index f1b8740078e..cece2b7523b 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -420,7 +420,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
 case ROLE_DOMAIN_MEMBER:
 role = DS_ROLE_MEMBER_SERVER;
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 if (samdb_is_pdc(state->sam_ldb)) {
 role = DS_ROLE_PRIMARY_DC;
 } else {
@@ -439,7 +439,7 @@ static WERROR dcesrv_dssetup_DsRoleGetPrimaryDomainInformation(struct dcesrv_cal
 W_ERROR_HAVE_NO_MEMORY(domain);
 /* TODO: what is with dns_domain and forest and guid? */
 break;
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 flags = DS_ROLE_PRIMARY_DS_RUNNING;
 if (state->mixed_domain == 1) {
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index cc3b2c8bce6..d987fbaaef7 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -500,7 +500,7 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
 info->sequence_num = ldb_msg_find_attr_as_uint64(dom_msgs[0], "modifiedCount", 0);
 switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=<NETBIOS name of PDC>,.... string */
@@ -511,8 +511,8 @@ static NTSTATUS dcesrv_samr_info_DomGeneralInformation(struct samr_domain_state
 }
 break;
 case ROLE_DOMAIN_PDC:
- info->role = SAMR_ROLE_DOMAIN_PDC;
- break;
+ case ROLE_DOMAIN_BDC:
+ return NT_STATUS_INTERNAL_ERROR;
 case ROLE_DOMAIN_MEMBER:
 info->role = SAMR_ROLE_DOMAIN_MEMBER;
 break;
@@ -606,7 +606,7 @@ static NTSTATUS dcesrv_samr_info_DomInfo7(struct samr_domain_state *state,
 {
 switch (state->role) {
- case ROLE_DOMAIN_CONTROLLER:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 /* This pulls the NetBIOS name from the cn=NTDS Settings,cn=<NETBIOS name of PDC>,.... string */
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index 65835ce00cb..343e33e355c 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -532,7 +532,7 @@ def guess_names(lp=None, hostname=None, domain=None, dnsdomain=None,
 if lp.get("server role").lower() != serverrole:
 raise ProvisioningError("guess_names: 'server role=%s' in %s must match chosen server role '%s'! Please remove the smb.conf file and let provision generate it" % (lp.get("server role"), lp.configfile, serverrole))
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 if domain is None:
 # This will, for better or worse, default to 'WORKGROUP'
 domain = lp.get("workgroup")
@@ -658,7 +658,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 lp.set("xattr_tdb:file", os.path.abspath(os.path.join(statedir, "xattr.tdb")))
 shares = {}
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 shares["sysvol"] = os.path.join(lp.get("state directory"), "sysvol")
 shares["netlogon"] = os.path.join(shares["sysvol"], realm.lower(), "scripts")
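Review bot: In dcesrv_samr_info_DomGeneralInformation the new `case ROLE_DOMAIN_PDC: case ROLE_DOMAIN_BDC: return NT_STATUS_INTERNAL_ERROR;` reports a configuration the AD samr server deliberately does not serve as an internal failure, which clients and Samba's own logs read as a server bug. dcesrv_backupkey.c in this same commit answers the same role mismatch with WERR_NOT_SUPPORTED; I would return `NT_STATUS_NOT_SUPPORTED` here and log it first with `DEBUG(0, ("samr: classic PDC/BDC role is not supported by the AD samr server\n"));`, so the mismatch is diagnosable rather than a bare status code. If this branch is meant to be unreachable because the samba binary now refuses to start on classic roles, a comment saying so would justify the INTERNAL_ERROR choice. The DomInfo7 hunk below only renames its case, so whether it handles the classic roles is not visible; both enclosing functions start outside the hunks.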
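Review bot: guess_names still compares the raw `lp.get("server role").lower()` with the already-sanitized `serverrole`, which is now the long form `"active directory domain controller"`. The commit message keeps `domain controller` as a synonym for upgraded installs, so unless lp.get() hands back the canonical spelling rather than the string as written in smb.conf (not visible here), an existing file with `server role = domain controller` fails this check and raises the ProvisioningError telling the admin to delete their smb.conf. I would normalise the configured value through sanitize_server_role() (treating a ValueError as a mismatch) before the comparison, so the two sides are compared in the same vocabulary. The enclosing function starts outside the hunk.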
@@ -1489,7 +1489,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
 dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc, next_rid=next_rid, dc_rid=dc_rid)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 # Set up group policies (domain policy and domain controller
 # policy)
 create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
@@ -1568,11 +1568,12 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
 _ROLES_MAP = {
 "ROLE_STANDALONE": "standalone",
 "ROLE_DOMAIN_MEMBER": "member server",
- "ROLE_DOMAIN_BDC": "domain controller",
- "ROLE_DOMAIN_PDC": "domain controller",
- "dc": "domain controller",
+ "ROLE_DOMAIN_BDC": "active directory domain controller",
+ "ROLE_DOMAIN_PDC": "active directory domain controller",
+ "dc": "active directory domain controller",
 "member": "member server",
- "domain controller": "domain controller",
+ "domain controller": "active directory domain controller",
+ "active directory domain controller": "active directory domain controller",
 "member server": "member server",
 "standalone": "standalone",
 }
@@ -1584,7 +1585,7 @@ def sanitize_server_role(role):
 :param role: Server role
 :raise ValueError: If the role can not be interpreted
 :return: Sanitized server role (one of "member server",
- "domain controller", "standalone")
+ "active directory domain controller", "standalone")
 """
 try:
 return _ROLES_MAP[role]
@@ -1614,7 +1615,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 try:
 serverrole = sanitize_server_role(serverrole)
 except ValueError:
- raise ProvisioningError('server role (%s) should be one of "domain controller", "member server", "standalone"' % serverrole)
+ raise ProvisioningError('server role (%s) should be one of "active directory domain controller", "member server", "standalone"' % serverrole)
 if ldapadminpass is None:
 # Make a new, random password between Samba and it's LDAP server
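Review bot: _ROLES_MAP now maps the keys `"ROLE_DOMAIN_BDC"` and `"ROLE_DOMAIN_PDC"` to `"active directory domain controller"`, while on the C side this same commit makes those constants the "classic" PDC/BDC roles that are distinct from ROLE_ACTIVE_DIRECTORY_DC (kdc.c and wb_server.c refuse to start on them). A caller passing the name of the C constant therefore gets the opposite of what the constant now means. I would drop those two keys so sanitize_server_role() raises ValueError (and provision() reports it) for a classic role, and add a comment above the dict such as `# Accepted spellings of a provisionable role; classic PDC/BDC are deliberately absent, provision only builds AD DCs.` Whether anything still passes the ROLE_* spellings is not visible here.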
@@ -1735,7 +1736,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 if paths.sysvol and not os.path.exists(paths.sysvol):
 os.makedirs(paths.sysvol, 0775)
- if not use_ntvfs and serverrole == "domain controller":
+ if not use_ntvfs and serverrole == "active directory domain controller":
 if paths.sysvol is None:
 raise MissingShareError("sysvol", paths.smbconf)
@@ -1813,7 +1814,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 serverrole=serverrole, schema=schema, fill=samdb_fill, am_rodc=am_rodc)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 if paths.netlogon is None:
 raise MissingShareError("netlogon", paths.smbconf)
@@ -1848,7 +1849,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 logger.info("A Kerberos configuration suitable for Samba 4 has been " "generated at %s", paths.krb5conf)
- if serverrole == "domain controller":
+ if serverrole == "active directory domain controller":
 create_dns_update_list(lp, logger, paths)
 backend_result = provision_backend.post_setup()
@@ -1913,7 +1914,7 @@ def provision_become_dc(smbconf=None, targetdir=None,
 realm=realm, rootdn=rootdn, domaindn=domaindn, schemadn=schemadn, configdn=configdn, serverdn=serverdn, domain=domain, hostname=hostname, hostip=None, domainsid=domainsid,
- machinepass=machinepass, serverrole="domain controller",
+ machinepass=machinepass, serverrole="active directory domain controller",
 sitename=sitename, dns_backend=dns_backend, dnspass=dnspass)
 res.lp.set("debuglevel", str(debuglevel))
 return res
diff --git a/source4/smb_server/smb/signing.c b/source4/smb_server/smb/signing.c
index ecbb220d8f2..d632e87ea7b 100644
--- a/source4/smb_server/smb/signing.c
+++ b/source4/smb_server/smb/signing.c
@@ -98,7 +98,7 @@ bool smbsrv_init_signing(struct smbsrv_connection *smb_conn)
 * on non-DCs */
- if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(smb_conn->lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
 signing_setting = SMB_SIGNING_REQUIRED;
 } else {
 signing_setting = SMB_SIGNING_OFF;
diff --git a/source4/smb_server/smb2/negprot.c b/source4/smb_server/smb2/negprot.c
index 1a3bc9ce352..83cae18bf31 100644
--- a/source4/smb_server/smb2/negprot.c
+++ b/source4/smb_server/smb2/negprot.c
@@ -136,7 +136,7 @@ static NTSTATUS smb2srv_negprot_backend(struct smb2srv_request *req, struct smb2
 * on non-DCs */
- if (lpcfg_server_role(lp_ctx) >= ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(lp_ctx) >= ROLE_ACTIVE_DIRECTORY_DC) {
 signing_setting = SMB_SIGNING_REQUIRED;
 } else {
 signing_setting = SMB_SIGNING_OFF;
diff --git a/source4/smbd/server.c b/source4/smbd/server.c
index b877e29b98f..21560f981f8 100644
--- a/source4/smbd/server.c
+++ b/source4/smbd/server.c
@@ -392,7 +392,7 @@ static int binary_smbd_main(const char *binary_name, int argc, const char *argv[
 return 1;
 }
- if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_DOMAIN_CONTROLLER) {
+ if (lpcfg_server_role(cmdline_lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC) {
 if (!open_schannel_session_store(talloc_autofree_context(), cmdline_lp_ctx)) {
 DEBUG(0,("ERROR: Samba cannot open schannel store for secured NETLOGON operations.\n"));
 exit(1);
diff --git a/source4/winbind/wb_init_domain.c b/source4/winbind/wb_init_domain.c
index 4d6177bdc76..45a4b98f311 100644
--- a/source4/winbind/wb_init_domain.c
+++ b/source4/winbind/wb_init_domain.c
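Review bot: smbsrv_init_signing decides SMB_SIGNING_REQUIRED with an ordered comparison, `>= ROLE_ACTIVE_DIRECTORY_DC`, so the set of roles that must sign depends on where the new enumerator sits relative to ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC in lib/param, which this diff does not show. If the AD role was appended after the classic ones, a classic PDC/BDC now gets SMB_SIGNING_OFF although the comment ending in `on non-DCs` says the relaxation is only for non-DCs; if it sits before them, the classic roles are swept in by position rather than intent. I would make the set explicit: `int role = lpcfg_server_role(smb_conn->lp_ctx);` followed by `if (role == ROLE_ACTIVE_DIRECTORY_DC || role == ROLE_DOMAIN_PDC || role == ROLE_DOMAIN_BDC) {`, and the same change in smb2srv_negprot_backend, whose hunk has the identical test. Both enclosing functions begin outside their hunks.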
@@ -162,7 +162,7 @@ struct composite_context *wb_init_domain_send(TALLOC_CTX *mem_ctx,
 if ((!cli_credentials_is_anonymous(state->domain->libnet_ctx->cred)) && ((lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_MEMBER) ||
- (lpcfg_server_role(service->task->lp_ctx) == ROLE_DOMAIN_CONTROLLER)) &&
+ (lpcfg_server_role(service->task->lp_ctx) == ROLE_ACTIVE_DIRECTORY_DC)) &&
 (dom_sid_equal(state->domain->info->sid, state->service->primary_sid))) {
 state->domain->netlogon_binding->flags |= DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO;
diff --git a/source4/winbind/wb_server.c b/source4/winbind/wb_server.c
index 7bed235ae6b..a904470e193 100644
--- a/source4/winbind/wb_server.c
+++ b/source4/winbind/wb_server.c
@@ -264,8 +264,7 @@ static void winbind_task_init(struct task_server *task)
 return;
 }
 break;
- case ROLE_DOMAIN_CONTROLLER:
- case ROLE_DOMAIN_PDC:
+ case ROLE_ACTIVE_DIRECTORY_DC:
 primary_sid = secrets_get_domain_sid(service, service->task->lp_ctx, lpcfg_workgroup(service->task->lp_ctx),
@@ -279,6 +278,10 @@ static void winbind_task_init(struct task_server *task)
 return;
 }
 break;
+ case ROLE_DOMAIN_PDC:
+ case ROLE_DOMAIN_BDC:
+ task_server_terminate(task, "Cannot start 'samba' winbindd as a 'classic samba' DC: use winbindd instead", true);
+ return;
 }
 service->primary_sid = primary_sid; |
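Review bot: wb_init_domain_send now enables DCERPC_SCHANNEL | DCERPC_SCHANNEL_AUTO only for ROLE_DOMAIN_MEMBER and ROLE_ACTIVE_DIRECTORY_DC, so a process running as ROLE_DOMAIN_PDC/ROLE_DOMAIN_BDC would talk NETLOGON to its own domain without schannel. That is only harmless because winbind_task_init (the wb_server.c hunk below) terminates for those roles before any domain is initialised — a dependency nothing at this condition records. I would add above the `if`: `/* Classic PDC/BDC roles are deliberately absent: winbind_task_init() refuses to start on them, so they never reach here; revisit if that changes. */`. The condition and its enclosing function continue outside the hunk.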