From efcd16e61221169f41a531e82a42766133ef2fbd Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Mon, 25 Oct 2004 21:00:00 +0000 Subject: r3222: rough draft of commit log -- still more updates for the release notes to come --- WHATSNEW.txt | 238 ++++++++++++++++++++++- source/VERSION | 2 +- source/sam/idmap_rid.c | 518 +++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 747 insertions(+), 11 deletions(-) create mode 100644 source/sam/idmap_rid.c diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 1f3f2d729e4..84394e293a0 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,6 +1,6 @@ ================================= - Release Notes for Samba 3.0.8pre1 - Sept 24, 2004 + Release Notes for Samba 3.0.8pre2 + Oct 25, 2004 ================================= This is a preview release of the Samba 3.0.8 code base. 
@@ -9,6 +9,232 @@ provided to allow people to test the bug fixes and new features in the upcoming 3.0.8 release. Use at your own risk. +Common bugs fixed in 3.0.8pre2 include: + + o + +New features included in the 3.0.8pre1 release are: + + o + + +Change in Username Map +---------------------- + + + + +###################################################################### +Changes +####### + +Changes since 3.0.8pre1 +----------------------- + +smb.conf changes +---------------- + + Parameter Name Action + -------------- ------ + force printername New + +commits +------- + +o Jeremy Allison + * Ensure we set errno = E2BIG when we overflow in the + fast-path character conversion code. + * Fix the roundup problem (returning 1mb roundup) for + non-Windows clients. + * Added 'stat' command to smbclient to exercise the + UNIX_FILE_BASIC info level. + * Fix bug where we could incorrectly set sparse attribute. + * Fix incorrect locks/unlocks in tdb_lockkeys()/tdb_unlockkeys() + (reported by Taj Khattra ). + * Remove locked keys tdb code. + * BUG 1886: Prevent delete on close being set for readonly files + (and return the correct error code). + * Ensure we pass most of the new lock tests except for the cancel + lock which is yet to be addedd (merged from Samba 4 branch). + * BUG 1947: Fix incorrect use of getpwnam() etc. interface. + * BUG 1956: Ensure errno is saved and restored consistently on a normal_close. + + +o Andrew Bartlett + * Fix NTLMv2 for use with pam_winbind. + * Remove conversion to and from UTF8 on the winbind pipe. + * Allow 'require_membership_of' and 'require-membership-of'. + * Fix the error code for 'you didn't specify a domain' in + ntlm_auth. + * Use sys_getgroups() rather than scnanning all groups + when generating SAMR replies. + + +o Gerald Carter + * BUG 1519: Match Windows 2000 behavior when opening a + printer using a servername in the form of an IP address or + DNS name. 
+ * BUG 1907: remove extra slashes from the printer name in + getprinterdriverdir_1(). + * Fix standard_sub_snum() to use the current user's gid. + * Fix background queue update bug (based on Volker's initial work + in 3.1.0). + * Add 'force printername' service parameter for people that want + to enforce printername == sharename for spoolss printing. + * Ensure consistent usage of the username map. Use the fully + qualified DOMAIN\user format for 'security = domain|ads' and + apply after authentication has succeeded. + * Cosmetic fix for getent output -- lowercase the username only + and not the complete domain\username string. + + +o Darren Chew + * Solaris packaging fixes. + + +o Guenther Deschner + * Fix typos in net's usage-output. + * Fix the paranoia-check to ensure the ldap-attribute and the + smb.conf-parameter for samba's "algorithmic rid base" in ldapsam + are identical. + * Fix several bugs in the _samr_query_useraliases() rpc reply. + * Check correct string length when verifying password-policies + and using extended characters (Thanks to Uwe Morgenroth from CC + Compunet and Volker). + * Make 'password history'-behaviour in ldapsam more consistent. + * Adding "Windows x64" as architecture string and driverdir "x64" + for the 64bit AMD platform. + * BUG 1343: Readd WKGUID-binding to match the correct default- + locations of new User-, Group- and Machine-Accounts in Active + Directory (this got lost during the last trunk-merge). + * Fix printer-migration w.r.t. to new naming-convention for + policy-handles. + * Allow to migrate win2k3/xp-drivers as well. + * Add client-side support of triggering ads printer publishing + over msrpc setprinter calls inside the net-tool. + * Add the idmap_rid module (written in conjunction with + Sumit Bose ). + + +o Rob Foehl + + +o Steve French + * Fix ip address override in mount.cifs mount helper and clean + up warning messages from the sparse tool and expand syntax help. 
+ * Strip guest mount option off before sending to kernel mount + routine to avoid logging spurious message. + + +o Satoh Fumiyasu + * BUG 1732: Limit share names returned by RAP based on windows + character width, not unix character width. + + +o Brett Funderburg + * Pass create options parameter to nt_create_andx() function + from the python bindings. + * BUG 1864: Add sd->type field to security descriptor Python + representation. + * Return an error if a Netapp filer returns NT_STATUS_ACCESS_DENIED + when trying to return the security descriptor for a file. + + +o Michael Gravey + * BUG 1776: Fix warnings when building modules caused by + certain versions of GNU ld not using the the default + --allow-shlib-undefined flag. + + +o Chris Hertel + * Fix bug where an invalid MAC address would be printed by + a node status lookup from nmblookup. + + +o Uli Iske + * Update the DNS/eDirectory LDAP schema file. + + +o Björn Jacke + * BUG 1766: Unify charset-handling in Content-Type:-headers to + UTF-8. Reformat msgstr in msg-files to UTF-8. + * Do not use display charset for swat output. + * Convert the share names correctly from unix encoding to web + encoding and vice vera. + * Convert files from statuspage from unix charset to UTF-8. + + +o Tom Lackemann + BUG 1954: Fix memory leak in posix acl code. + + +o Volker Lendecke + * BUG 1545, 1823: Only issue the ldap extended password change + operation if the ldap server supports it. Also ignore object + class violation errors from the extended operation. + * Optimization for 'idmap backend = ldap': When asking sid2id + for the wrong type, don't ask ldap when we have the opposite mapping + in the local tdb. + * Fix ldapsam_compat homeDrive. + * Add usersidlist and allowedusers subcommands to the net tool + in order to support scanning a file server's share and list + all users who have permission to connect there. + * Allow for multiple DC's to be named as #1c names in lmhosts. 
+ + +o Love + * BUG 1955: Inconsistent error return. + + +o Sorin Manolache + * Memory leak fix. + + +o Bill McGonigle + BUG 1926: Type in debug message. + + +o Sean McGrath + * BUG 1822: Add -D_REENTRANT to CPPFLAGS and -lthread to LDFLAGS + for libsmbclient. + + +o Tim Potter + * Fix bug in Python printerdata wrapper. + * BUG 1762: nss_winbind fixes on AIX 5.x (patch from + ). + * Fix parameter confusion in priming of name-to-sid cache + (Found by Qiao Yang). + * BUG 1888: Remove '..' from all pre-processor commands. + * BUG 1903: Change some #if DEBUG_PASSWORD's to #ifdef + DEBUG_PASSWORD. + + +o Richard Sharpe + * Ensure cli_write() can support writes >= 65536 bytes. + + +o Simo Sorce + * Fix memory corruption bug caused in freeing static memory. + + +o Andrew Tridgell + * Reduces the number of tdb locking calls made on file IO. + + +o Jelmer Vernooij + * Complain if 'password chat' doesn't contain the %u variable + (based on a patch by Ronan Waide). + + +Changes for older versions follow below: + + -------------------------------------------------- + ================================= + Release Notes for Samba 3.0.8pre1 + Sept 24, 2004 + ================================= + Common bugs fixed in 3.0.8pre1 include: o Compile fixes for HP-UX @@ -33,12 +259,6 @@ case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`). This may include mail spool files, home directories, valid user lines in smb.conf, etc.... - - -###################################################################### -Changes -####### - Changes since 3.0.7 ------------------- @@ -225,8 +445,6 @@ o Igor Zhbanov option. -Changes for older versions follow below: - -------------------------------------------------- ============================= Release Notes for Samba 3.0.7 diff --git a/source/VERSION b/source/VERSION index 0f2d88c66ff..2a22988fd9d 100644 --- a/source/VERSION +++ b/source/VERSION 
@@ -51,7 +51,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # ######################################################## -SAMBA_VERSION_IS_SVN_SNAPSHOT=yes +SAMBA_VERSION_IS_SVN_SNAPSHOT=no ######################################################## # This can be set by vendors if they want... # diff --git a/source/sam/idmap_rid.c b/source/sam/idmap_rid.c new file mode 100644 index 00000000000..16784da12e5 --- /dev/null +++ b/source/sam/idmap_rid.c 
@@ -0,0 +1,518 @@ +/* + * idmap_rid: static map between Active Directory/NT RIDs and RFC 2307 accounts + * Copyright (C) Guenther Deschner, 2004 + * Copyright (C) Sumit Bose, 2004 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + * + */ + +#include "includes.h" + +#undef DBGC_CLASS +#define DBGC_CLASS DBGC_IDMAP + +#define IDMAP_RID_SUPPORT_TRUSTED_DOMAINS 0 + +NTSTATUS init_module(void); + +struct dom_entry { + fstring name; + fstring sid; + uint32 min_id; + uint32 max_id; +}; + +typedef struct trust_dom_array { + int number; + struct dom_entry *dom; +} trust_dom_array; + +static trust_dom_array trust; + +static NTSTATUS rid_idmap_parse(const char *init_param, + uint32 num_domains, + fstring *domain_names, + DOM_SID *domain_sids, + uid_t u_low, + uid_t u_high) +{ + const char *p; + int i; + trust.number = 0; + fstring sid_str; + BOOL known_domain = False; + p = init_param; + fstring tok; + + /* falling back to automatic mapping when there were no options given */ + if (!*init_param) { + + DEBUG(3,("rid_idmap_parse: no domain list given or trusted domain-support deactivated, falling back to automatic mapping for own domain:\n")); + + sid_to_string(sid_str, &domain_sids[0]); + + fstrcpy(trust.dom[0].name, domain_names[0]); + fstrcpy(trust.dom[0].sid, sid_str); + trust.dom[0].min_id = u_low; + trust.dom[0].max_id = 
u_high; + trust.number = 1; + + DEBUGADD(3,("rid_idmap_parse:\tdomain: [%s], sid: [%s], range=[%d-%d]\n", + trust.dom[0].name, trust.dom[0].sid, trust.dom[0].min_id, trust.dom[0].max_id)); + return NT_STATUS_OK; + } + + /* scan through the init_param-list */ + while (next_token(&init_param, tok, LIST_SEP, sizeof(tok))) { + + p = tok; + DEBUG(3,("rid_idmap_parse: parsing entry: %d\n", trust.number)); + + /* reinit sizes */ + trust.dom = (struct dom_entry *) realloc(trust.dom, sizeof(struct dom_entry)*(trust.number+1)); + + if ( trust.dom == NULL ) { + return NT_STATUS_NO_MEMORY; + } + + if (!next_token(&p, tok, "=", sizeof(tok))) { + DEBUG(0, ("rid_idmap_parse: no '=' sign found in domain list [%s]\n", init_param)); + return NT_STATUS_UNSUCCESSFUL; + } + + /* add the name */ + fstrcpy(trust.dom[trust.number].name, tok); + DEBUGADD(3,("rid_idmap_parse:\tentry %d has name: [%s]\n", trust.number, trust.dom[trust.number].name)); + + /* add the domain-sid */ + for (i=0; i trust.dom[i].max_id) { + DEBUG(0, ("rid_idmap_init: min_id (%d) has to be smaller than max_id (%d) for domain [%s]\n", + trust.dom[i].min_id, trust.dom[i].max_id, trust.dom[i].name)); + goto out; + } + + if (trust.dom[i].min_id < u_low || trust.dom[i].max_id > u_high) { + DEBUG(0, ("rid_idmap_init: mapping of domain [%s] (%d-%d) has to fit into global idmap range (%d-%d).\n", + trust.dom[i].name, trust.dom[i].min_id, trust.dom[i].max_id, u_low, u_high)); + goto out; + } + } + + /* check for overlaps */ + for (i=0; i= unid.uid ) + break; + } + + if (i == trust.number) { + DEBUG(0,("rid_idmap_get_sid_from_id: no suitable range available for id: %d\n", unid.uid)); + return NT_STATUS_INVALID_PARAMETER; + } + + /* use lower-end of idmap-range as offset for users and groups*/ + unid.uid -= trust.dom[i].min_id; + + if (!trust.dom[i].sid) + return NT_STATUS_INVALID_PARAMETER; + + string_to_sid(&sidstr, trust.dom[i].sid); + sid_copy(sid, &sidstr); + if (!sid_append_rid( sid, (unsigned long)unid.uid )) { + 
DEBUG(0,("rid_idmap_get_sid_from_id: could not append rid to domain sid\n")); + return NT_STATUS_NO_MEMORY; + } + + DEBUG(3, ("rid_idmap_get_sid_from_id: mapped POSIX %s %d to SID [%s]\n", + (id_type == ID_GROUPID) ? "GID" : "UID", unid.uid, + sid_to_string(sid_string, sid))); + + return NT_STATUS_OK; +} + +static NTSTATUS rid_idmap_get_id_from_sid(unid_t *unid, int *id_type, const DOM_SID *sid) +{ + fstring sid_string; + int i; + uint32 rid; + DOM_SID sidstr; + + /* check if we have a mapping for the sid */ + for (i=0; iuid = rid + trust.dom[i].min_id; + + if (unid->uid > trust.dom[i].max_id) { + DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d too high for mapping of domain: %s\n", rid, trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + if (unid->uid < trust.dom[i].min_id) { + DEBUG(0,("rid_idmap_get_id_from_sid: rid: %d too low for mapping of domain: %s\n", rid, trust.dom[i].name)); + return NT_STATUS_INVALID_PARAMETER; + } + + DEBUG(3,("rid_idmap_get_id_from_sid: mapped SID [%s] to POSIX %s %d\n", + sid_to_string(sid_string, sid), + (*id_type == ID_GROUPID) ? 
"GID" : "UID", unid->uid)); + + return NT_STATUS_OK; + +} + +static NTSTATUS rid_idmap_set_mapping(const DOM_SID *sid, unid_t id, int id_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS rid_idmap_close(void) +{ + SAFE_FREE(trust.dom); + + return NT_STATUS_OK; +} + +static NTSTATUS rid_idmap_allocate_rid(uint32 *rid, int rid_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static NTSTATUS rid_idmap_allocate_id(unid_t *id, int id_type) +{ + return NT_STATUS_NOT_IMPLEMENTED; +} + +static void rid_idmap_status(void) +{ + DEBUG(0, ("RID IDMAP Status not available\n")); +} + +static struct idmap_methods rid_methods = { + rid_idmap_init, + rid_idmap_allocate_rid, + rid_idmap_allocate_id, + rid_idmap_get_sid_from_id, + rid_idmap_get_id_from_sid, + rid_idmap_set_mapping, + rid_idmap_close, + rid_idmap_status +}; + +NTSTATUS init_module(void) +{ + return smb_register_idmap(SMB_IDMAP_INTERFACE_VERSION, "idmap_rid", &rid_methods); +} + -- cgit v1.2.1
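Review bot: In `rid_idmap_parse`, the fallback branch taken when `init_param` is empty writes `trust.dom[0].name`, `.sid`, `.min_id` and `.max_id` with no visible allocation of `trust.dom`, which is a file-static and so starts as NULL; the only allocation shown is the `realloc` in the token loop, which this branch returns before reaching. Unless the caller allocates it (part of `rid_idmap_init` is missing from this page), the default configuration dereferences a null pointer, so allocate first with `trust.dom = (struct dom_entry *)malloc(sizeof(struct dom_entry));` followed by `if (trust.dom == NULL) return NT_STATUS_NO_MEMORY;`. The loop's `trust.dom = (struct dom_entry *) realloc(trust.dom, ...)` also drops the old array when realloc fails; assign to a temporary and free the old block on the error path. In `rid_idmap_get_sid_from_id`, `if (!trust.dom[i].sid)` tests the address of an `fstring` array member and can never be true, and the return of `string_to_sid` is ignored, so an empty or malformed SID string is not rejected before the SID is built; test `trust.dom[i].sid[0]` and the `string_to_sid` result instead. Because this module decides which Unix id a domain SID resolves to, these paths should return an error rather than continue with a partially initialised entry.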