authorGerald Carter <jerry@samba.org>2006-03-15 16:00:34 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:15:30 -0500
commit5133ab016e8400e815b6dae9947206e57332616b (patch)
tree0a0b4089b9568126e4db601da4a3edec70249820
parent36f622acea8ffa59233bc1b96c6a38f1c29623a8 (diff)
r14451: In order to get pdb_ldap searching for SID_NAME_ALIAS
groups in the ${MACHINESID} and S-1-5-32 domains correctly, I had to add a substr search on sambaSID. * add substr matching rule to OpenLDAP schema (we need to update the other schema as well since this is a pretty important change). Sites will need to - install the new schema - add 'index sambaSID sub' to slapd.conf - run slapindex * remove uses of SID_NAME_WKN_GRP in pdb_ldap.c (This used to be commit 2c0a46d73122e9000a900f7e16f9b010ad4b78e3)
-rw-r--r--examples/LDAP/samba.schema2
-rw-r--r--source3/passdb/pdb_ldap.c58
2 files changed, 17 insertions, 43 deletions
diff --git a/examples/LDAP/samba.schema b/examples/LDAP/samba.schema
index e7ecc9e070..4e1556eba5 100644
--- a/examples/LDAP/samba.schema
+++ b/examples/LDAP/samba.schema
@@ -295,9 +295,9 @@ attributetype ( 1.3.6.1.4.1.7165.2.1.54 NAME 'sambaPasswordHistory'
attributetype ( 1.3.6.1.4.1.7165.2.1.20 NAME 'sambaSID'
DESC 'Security ID'
EQUALITY caseIgnoreIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{64} SINGLE-VALUE )
-
##
## Primary group SID, compatible with ntSid
##
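Review bot: The new SUBSTR rule is case-exact while the existing EQUALITY rule on the same attribute is caseIgnoreIA5Match, so an entry whose sambaSID happens to be stored as "s-1-5-..." would be found by an equality filter but not by the substring filter this commit introduces. Unless case-exact substring matching is deliberate, the consistent choice is `SUBSTR caseIgnoreIA5SubstringsMatch`. Either way a one-line comment above the attribute stating that pdb_ldap now relies on a substring index for sambaSID would help administrators understand why slapindex is required after upgrading.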
diff --git a/source3/passdb/pdb_ldap.c b/source3/passdb/pdb_ldap.c
index b4f7e2b55c..eb5d3c9c31 100644
--- a/source3/passdb/pdb_ldap.c
+++ b/source3/passdb/pdb_ldap.c
@@ -2740,19 +2740,10 @@ static NTSTATUS ldapsam_add_group_mapping_entry(struct pdb_methods *methods,
break;
case SID_NAME_ALIAS:
- if (!sid_check_is_in_our_domain(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in our domain\n",
- sid_string_static(&map->sid)));
- result = NT_STATUS_INVALID_PARAMETER;
- goto done;
- }
- break;
-
- case SID_NAME_WKN_GRP:
- if (!sid_check_is_in_builtin(&map->sid)) {
- DEBUG(3, ("Refusing to map sid %s as an alias, not "
- "in builtin domain\n",
+ if (!sid_check_is_in_our_domain(&map->sid)
+ && !sid_check_is_in_builtin(&map->sid) )
+ {
+ DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain\n",
sid_string_static(&map->sid)));
result = NT_STATUS_INVALID_PARAMETER;
goto done;
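Review bot: The merged check now rejects a SID only when it is in neither the local domain nor BUILTIN, but the DEBUG message still says "not in our domain", which is misleading when the rejected SID was simply foreign to both; suggest `DEBUG(3, ("Refusing to map sid %s as an alias, not in our domain or in BUILTIN\n",`. The opening brace on its own line after the `if` also departs from the K&R style used elsewhere in this file. ldapsam_add_group_mapping_entry starts and ends outside the hunk.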
@@ -3137,7 +3128,7 @@ static NTSTATUS ldapsam_modify_aliasmem(struct pdb_methods *methods,
pstring filter;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
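Review bot: With the builtin branch now assigning SID_NAME_ALIAS, it has the same effect as the domain branch that follows it, assuming that branch (outside the hunk) also assigns SID_NAME_ALIAS; the two could collapse into `if (sid_check_is_in_builtin(alias) || sid_check_is_in_our_domain(alias)) { type = SID_NAME_ALIAS; }` so a reader does not look for a distinction that no longer exists. The same pattern appears in the ldapsam_enum_aliasmem and ldapsam_alias_memberships hunks below. ldapsam_modify_aliasmem starts and ends outside the hunk.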
@@ -3250,7 +3241,7 @@ static NTSTATUS ldapsam_enum_aliasmem(struct pdb_methods *methods,
*p_num_members = 0;
if (sid_check_is_in_builtin(alias)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_in_our_domain(alias)) {
@@ -3346,7 +3337,7 @@ static NTSTATUS ldapsam_alias_memberships(struct pdb_methods *methods,
enum SID_NAME_USE type = SID_NAME_USE_NONE;
if (sid_check_is_builtin(domain_sid)) {
- type = SID_NAME_WKN_GRP;
+ type = SID_NAME_ALIAS;
}
if (sid_check_is_domain(domain_sid)) {
@@ -3775,7 +3766,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods,
type = atol(attr);
/* Consistency checks */
- if ((is_builtin && (type != SID_NAME_WKN_GRP)) ||
+ if ((is_builtin && (type != SID_NAME_ALIAS)) ||
(!is_builtin && ((type != SID_NAME_ALIAS) &&
(type != SID_NAME_DOM_GRP)))) {
DEBUG(2, ("Rejecting invalid group mapping entry %s\n", dn));
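Review bot: The consistency check now compares `type != SID_NAME_ALIAS` in both arms, which reads as if the builtin and non-builtin cases still differ when they do not; the intent is clearer as `if (type != SID_NAME_ALIAS && (is_builtin || type != SID_NAME_DOM_GRP)) {`. Since `type` comes from `atol(attr)` on a directory attribute, an unparsable value becomes 0 and is rejected here, which is the desired outcome. ldapsam_lookup_rids continues outside the hunk.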
@@ -4261,25 +4252,15 @@ static BOOL ldapgroup2displayentry(struct ldap_search_state *state,
case SID_NAME_DOM_GRP:
case SID_NAME_ALIAS:
- if (!sid_peek_check_rid(get_global_sam_sid(), &sid,
- &result->rid)) {
+ if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
+ && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid))
+ {
DEBUG(0, ("%s is not in our domain\n",
sid_string_static(&sid)));
return False;
}
break;
- case SID_NAME_WKN_GRP:
-
- if (!sid_peek_check_rid(&global_sid_Builtin, &sid,
- &result->rid)) {
-
- DEBUG(0, ("%s is not in builtin sid\n",
- sid_string_static(&sid)));
- return False;
- }
- break;
-
default:
DEBUG(0,("unkown group type: %d\n", group_type));
return False;
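Review bot: Because SID_NAME_DOM_GRP falls through into the SID_NAME_ALIAS case, the widened check now also accepts a domain-group entry whose SID is in BUILTIN, which the old code rejected; ldapsam_lookup_rids rejects such entries on another path, but this function reads search results directly, so it is safer to keep the DOM_GRP restriction and only widen the alias case. The message "%s is not in our domain" is also stale for the alias branch, which now accepts BUILTIN too. ldapgroup2displayentry starts and ends outside the hunk.
```c
case SID_NAME_DOM_GRP:
	if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)) {
		DEBUG(0, ("%s is not in our domain\n", sid_string_static(&sid)));
		return False;
	}
	break;
case SID_NAME_ALIAS:
	if (!sid_peek_check_rid(get_global_sam_sid(), &sid, &result->rid)
	    && !sid_peek_check_rid(&global_sid_Builtin, &sid, &result->rid)) {
		DEBUG(0, ("%s is not in our domain or in BUILTIN\n",
			  sid_string_static(&sid)));
		return False;
	}
	break;
/* ... unchanged: default case ... */
```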
@@ -4290,6 +4271,7 @@ static BOOL ldapgroup2displayentry(struct ldap_search_state *state,
static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
struct pdb_search *search,
+ const DOM_SID *sid,
enum SID_NAME_USE type)
{
struct ldapsam_privates *ldap_state = methods->private_data;
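Review bot: The new `sid` parameter is undocumented and, judging from the callers in the last hunk, is the domain SID whose group mappings are being listed rather than a group SID; a comment above the function such as `/* sid: SID of the domain (ours or BUILTIN) whose mappings of the given type are searched; must not be NULL */` would prevent it being misread. The function body continues outside the hunk.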
@@ -4308,7 +4290,8 @@ static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
state->scope = LDAP_SCOPE_SUBTREE;
state->filter = talloc_asprintf(search->mem_ctx,
"(&(objectclass=sambaGroupMapping)"
- "(sambaGroupType=%d))", type);
+ "(sambaGroupType=%d)(sambaSID=%s)",
+ sid_string_static(sid), type);
state->attrs = talloc_attrs(search->mem_ctx, "cn", "sambaSid",
"displayName", "description",
"sambaGroupType", NULL);
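Review bot: The talloc_asprintf arguments are in the wrong order for the format string: `%d` receives the `char *` from sid_string_static and `%s` receives the integer `type`, which is undefined behaviour and will crash or produce garbage. The new format string also drops the closing parenthesis of the `(&` conjunction that the old `"(sambaGroupType=%d))"` had, and it is an equality match on the domain SID even though the commit message describes a substring search, so presumably `%s-*` was intended. Suggested lines: `"(sambaGroupType=%d)(sambaSID=%s-*))",` followed by `type, sid_string_static(sid));`.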
@@ -4333,23 +4316,14 @@ static BOOL ldapsam_search_grouptype(struct pdb_methods *methods,
static BOOL ldapsam_search_groups(struct pdb_methods *methods,
struct pdb_search *search)
{
- return ldapsam_search_grouptype(methods, search, SID_NAME_DOM_GRP);
+ return ldapsam_search_grouptype(methods, search, get_global_sam_sid(), SID_NAME_DOM_GRP);
}
static BOOL ldapsam_search_aliases(struct pdb_methods *methods,
struct pdb_search *search,
const DOM_SID *sid)
{
- if (sid_check_is_domain(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_ALIAS);
-
- if (sid_check_is_builtin(sid))
- return ldapsam_search_grouptype(methods, search,
- SID_NAME_WKN_GRP);
-
- DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid)));
- return False;
+ return ldapsam_search_grouptype(methods, search, sid, SID_NAME_ALIAS);
}
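Review bot: ldapsam_search_aliases no longer checks that `sid` is the local domain or BUILTIN before passing it on, so the "Don't know SID" rejection that used to return False is gone and any SID now reaches the LDAP filter in ldapsam_search_grouptype; keeping a guard such as `if (!sid_check_is_domain(sid) && !sid_check_is_builtin(sid)) { DEBUG(5, ("Don't know SID %s\n", sid_string_static(sid))); return False; }` preserves the old contract for callers that relied on it. The new call in ldapsam_search_groups also runs well past the line width used elsewhere in this file; wrapping the argument list as the original did would keep the style consistent.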
static BOOL ldapsam_rid_algorithm(struct pdb_methods *methods)