14 files changed, 253 insertions, 131 deletions
diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c
index 14aaa4c5ee2..5b889452844 100644
--- a/source/auth/auth_util.c
+++ b/source/auth/auth_util.c
@@ -677,9 +677,68 @@ static NTSTATUS log_nt_token(TALLOC_CTX *tmp_ctx, NT_USER_TOKEN *token)
 	return NT_STATUS_OK;
 }
 
-/*
- * Create a NT token for the user, expanding local aliases
- */
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS add_builtin_administrators( TALLOC_CTX *ctx, struct nt_user_token *token )
+{
+	return NT_STATUS_OK;
+}
+
+/*******************************************************************
+*******************************************************************/
+
+static NTSTATUS create_builtin_administrators( void )
+{
+	NTSTATUS status;
+	DOM_SID dom_admins, root_sid;
+	fstring root_name;
+	enum SID_NAME_USE type;		
+	TALLOC_CTX *ctx;
+	BOOL ret;
+
+	status = pdb_create_builtin_alias( BUILTIN_ALIAS_RID_ADMINS );
+	if ( !NT_STATUS_IS_OK(status) ) {
+		DEBUG(0,("create_builtin_administrators: Failed to create Administrators\n"));
+		return status;
+	}
+	
+	/* add domain admins */
+	if ((IS_DC || (lp_server_role() == ROLE_DOMAIN_MEMBER)) 
+		&& secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))
+	{
+		sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
+		status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &dom_admins );
+		if ( !NT_STATUS_IS_OK(status) ) {
+			DEBUG(0,("create_builtin_administrators: Failed to add Domain Admins"
+				" Administrators\n"));
+			return status;
+		}
+	}
+			
+	/* add root */
+	if ( (ctx = talloc_init(NULL)) == NULL ) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	fstr_sprintf( root_name, "%s\\root", get_global_sam_name() );
+	ret = lookup_name( ctx, root_name, 0, NULL, NULL, &root_sid, &type );
+	TALLOC_FREE( ctx );
+
+	if ( ret ) {
+		status = pdb_add_aliasmem( &global_sid_Builtin_Administrators, &root_sid );
+		if ( !NT_STATUS_IS_OK(status) ) {
+			DEBUG(0,("create_builtin_administrators: Failed to add root"
+				" Administrators\n"));
+			return status;
+		}
+	}
+	
+	return NT_STATUS_OK;
+}		
+
+/*******************************************************************
+ Create a NT token for the user, expanding local aliases
+*******************************************************************/
 
 static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 						   const DOM_SID *user_sid,
@@ -692,6 +751,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 	struct nt_user_token *result = NULL;
 	int i;
 	NTSTATUS status;
+	gid_t gid;
 
 	tmp_ctx = talloc_new(mem_ctx);
 	if (tmp_ctx == NULL) {
@@ -705,12 +765,15 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 		goto done;
 	}
 
-	/* First create the default SIDs */
+	/* Add the user and primary group sid */
 
 	add_sid_to_array(result, user_sid,
 			 &result->user_sids, &result->num_sids);
 	add_sid_to_array(result, group_sid,
 			 &result->user_sids, &result->num_sids);
+			 
+	/* Add in BUILTIN sids */
+	
 	add_sid_to_array(result, &global_sid_World,
 			 &result->user_sids, &result->num_sids);
 	add_sid_to_array(result, &global_sid_Network,
@@ -723,7 +786,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 		add_sid_to_array(result, &global_sid_Authenticated_Users,
 				 &result->user_sids, &result->num_sids);
 	}
-
+	
 	/* Now the SIDs we got from authentication. These are the ones from
 	 * the info3 struct or from the pdb_enum_group_memberships, depending
 	 * on who authenticated the user. */
@@ -732,7 +795,35 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 		add_sid_to_array_unique(result, &groupsids[i],
 					&result->user_sids, &result->num_sids);
 	}
+	
+	/* Deal with the BUILTIN\Administrators group.  If the SID can
+	   be resolved then assume that the add_aliasmem( S-1-5-32 ) 
+	   handled it. */
+
+	if ( !sid_to_gid( &global_sid_Builtin_Administrators, &gid ) ) {
+		/* We can only create a mapping if winbind is running 
+		   and the nested group functionality has been enabled */
+		   
+		if ( lp_winbind_nested_groups() ) {
+			become_root();
+			status = create_builtin_administrators( );
+			if ( !NT_STATUS_IS_OK(status) ) {
+				DEBUG(0,("create_local_nt_token: Failed to create BUILTIN\\Administrators group!\n"));
+				/* don't fail, just log the message */
+			}
+			unbecome_root();
+		}
+		else {
+			status = add_builtin_administrators( tmp_ctx, result );	
+			if ( !NT_STATUS_IS_OK(status) ) {			
+				result = NULL;
+				goto done;
+			}			
+		}		
+	}
 
+	/* Deal with local groups */
+	
 	if (lp_winbind_nested_groups()) {
 
 		/* Now add the aliases. First the one from our local SAM */
@@ -752,40 +843,8 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx,
 			result = NULL;
 			goto done;
 		}
-	} else {
-
-		/* Play jerry's trick to auto-add local admins if we're a
-		 * domain admin. */
-
-		DOM_SID dom_admins;
-		BOOL domain_mode = False;
-
-		if (IS_DC) {
-			sid_compose(&dom_admins, get_global_sam_sid(),
-				    DOMAIN_GROUP_RID_ADMINS);
-			domain_mode = True;
-		}
-		if ((lp_server_role() == ROLE_DOMAIN_MEMBER) &&
-		    (secrets_fetch_domain_sid(lp_workgroup(), &dom_admins))) {
-			sid_append_rid(&dom_admins, DOMAIN_GROUP_RID_ADMINS);
-			domain_mode = True;
-		}
+	} 
 
-		if (domain_mode) {
-			for (i=0; i<result->num_sids; i++) {
-				if (sid_equal(&dom_admins,
-					      &result->user_sids[i])) {
-					add_sid_to_array_unique(
-						result,
-						&global_sid_Builtin_Administrators,
-						&result->user_sids,
-						&result->num_sids);
-					break;
-				}
-			}
-			
-		}
-	}
 
 	get_privileges_for_sids(&result->privileges, result->user_sids,
 				result->num_sids);
diff --git a/source/groupdb/mapping.c b/source/groupdb/mapping.c
index 93e7169204a..04471f9d433 100644
--- a/source/groupdb/mapping.c
+++ b/source/groupdb/mapping.c
@@ -3,6 +3,8 @@
  *  RPC Pipe client / server routines
  *  Copyright (C) Andrew Tridgell              1992-2000,
  *  Copyright (C) Jean Fran�ois Micouleau      1998-2001.
+ *  Copyright (C) Volker Lendecke              2006.
+ *  Copyright (C) Gerald Carter                2006.
  *  
  *  This program is free software; you can redistribute it and/or modify
  *  it under the terms of the GNU General Public License as published by
@@ -35,50 +37,11 @@ static TDB_CONTEXT *tdb; /* used for driver files */
  */
 #define MEMBEROF_PREFIX "MEMBEROF/"
 
-/****************************************************************************
-initialise first time the mapping list - called from init_group_mapping()
-****************************************************************************/
-static BOOL default_group_mapping(void)
-{
-	DOM_SID sid_admins;
-	DOM_SID sid_users;
-	DOM_SID sid_guests;
-	fstring str_admins;
-	fstring str_users;
-	fstring str_guests;
-
-	/* Add the Wellknown groups */
-
-	add_initial_entry(-1, "S-1-5-32-544", SID_NAME_WKN_GRP, "Administrators", "");
-	add_initial_entry(-1, "S-1-5-32-545", SID_NAME_WKN_GRP, "Users", "");
-	add_initial_entry(-1, "S-1-5-32-546", SID_NAME_WKN_GRP, "Guests", "");
-	add_initial_entry(-1, "S-1-5-32-547", SID_NAME_WKN_GRP, "Power Users", "");
-	add_initial_entry(-1, "S-1-5-32-548", SID_NAME_WKN_GRP, "Account Operators", "");
-	add_initial_entry(-1, "S-1-5-32-549", SID_NAME_WKN_GRP, "System Operators", "");
-	add_initial_entry(-1, "S-1-5-32-550", SID_NAME_WKN_GRP, "Print Operators", "");
-	add_initial_entry(-1, "S-1-5-32-551", SID_NAME_WKN_GRP, "Backup Operators", "");
-	add_initial_entry(-1, "S-1-5-32-552", SID_NAME_WKN_GRP, "Replicators", "");
-
-	/* Add the defaults domain groups */
-
-	sid_copy(&sid_admins, get_global_sam_sid());
-	sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
-	sid_to_string(str_admins, &sid_admins);
-	add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "");
-
-	sid_copy(&sid_users,  get_global_sam_sid());
-	sid_append_rid(&sid_users,  DOMAIN_GROUP_RID_USERS);
-	sid_to_string(str_users, &sid_users);
-	add_initial_entry(-1, str_users,  SID_NAME_DOM_GRP, "Domain Users",  "");
-
-	sid_copy(&sid_guests, get_global_sam_sid());
-	sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
-	sid_to_string(str_guests, &sid_guests);
-	add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "");
-
-	return True;
-}
 
+static BOOL enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+                               size_t *p_num_entries, BOOL unix_only);
+static BOOL group_map_remove(const DOM_SID *sid);
+			
 /****************************************************************************
  Open the group mapping tdb.
 ****************************************************************************/
@@ -87,9 +50,12 @@ static BOOL init_group_mapping(void)
 {
 	const char *vstring = "INFO/version";
 	int32 vers_id;
+	GROUP_MAP *map_table = NULL;
+	size_t num_entries = 0;
 	
 	if (tdb)
 		return True;
+		
 	tdb = tdb_open_log(lock_path("group_mapping.tdb"), 0, TDB_DEFAULT, O_RDWR|O_CREAT, 0600);
 	if (!tdb) {
 		DEBUG(0,("Failed to open group mapping database\n"));
@@ -107,6 +73,8 @@ static BOOL init_group_mapping(void)
 		vers_id = DATABASE_VERSION_V2;
 	}
 
+	/* if its an unknown version we remove everthing in the db */
+	
 	if (vers_id != DATABASE_VERSION_V2) {
 		tdb_traverse(tdb, tdb_traverse_delete_fn, NULL);
 		tdb_store_int32(tdb, vstring, DATABASE_VERSION_V2);
@@ -114,9 +82,20 @@ static BOOL init_group_mapping(void)
 
 	tdb_unlock_bystring(tdb, vstring);
 
-	/* write a list of default groups */
-	if(!default_group_mapping())
-		return False;
+	/* cleanup any map entries with a gid == -1 */
+	
+	if ( enum_group_mapping( NULL, SID_NAME_UNKNOWN, &map_table, &num_entries, False ) ) {
+		int i;
+		
+		for ( i=0; i<num_entries; i++ ) {
+			if ( map_table[i].gid == -1 ) {
+				group_map_remove( &map_table[i].sid );
+			}
+		}
+		
+		SAFE_FREE( map_table );
+	}
+
 
 	return True;
 }
@@ -274,7 +253,7 @@ static BOOL get_group_map_from_sid(DOM_SID sid, GROUP_MAP *map)
 		DEBUG(3,("get_group_map_from_sid: tdb_unpack failure\n"));
 		return False;
 	}
-
+	
 	sid_copy(&map->sid, &sid);
 	
 	return True;
@@ -371,7 +350,7 @@ static BOOL get_group_map_from_ntname(const char *name, GROUP_MAP *map)
 			return False;
 		}
 
-		if (StrCaseCmp(name, map->nt_name)==0) {
+		if ( strequal(name, map->nt_name) ) {
 			SAFE_FREE(kbuf.dptr);
 			return True;
 		}
@@ -419,7 +398,7 @@ static BOOL group_map_remove(const DOM_SID *sid)
  Enumerate the group mapping.
 ****************************************************************************/
 
-static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+static BOOL enum_group_mapping(const DOM_SID *domsid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
 			size_t *p_num_entries, BOOL unix_only)
 {
 	TDB_DATA kbuf, dbuf, newkey;
@@ -428,6 +407,8 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm
 	GROUP_MAP *mapt;
 	int ret;
 	size_t entries=0;
+	DOM_SID grpsid;
+	uint32 rid;
 
 	if(!init_group_mapping()) {
 		DEBUG(0,("failed to initialize group mapping\n"));
@@ -471,8 +452,19 @@ static BOOL enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rm
 			continue;
 		}
 
-		string_to_sid(&map.sid, string_sid);
+		string_to_sid(&grpsid, string_sid);
+		sid_copy( &map.sid, &grpsid );
 		
+		sid_split_rid( &grpsid, &rid );
+
+		/* Only check the domain if we were given one */
+
+		if ( domsid && !sid_equal( domsid, &grpsid ) ) {
+			DEBUG(11,("enum_group_mapping: group %s is not in domain %s\n", 
+				string_sid, sid_string_static(domsid)));
+			continue;
+		}
+
 		DEBUG(11,("enum_group_mapping: returning group %s of "
 			  "type %s\n", map.nt_name,
 			  sid_type_lookup(map.sid_name_use)));
@@ -1032,11 +1024,11 @@ NTSTATUS pdb_default_delete_group_mapping_entry(struct pdb_methods *methods,
 }
 
 NTSTATUS pdb_default_enum_group_mapping(struct pdb_methods *methods,
-					   enum SID_NAME_USE sid_name_use,
+					   const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
 					   GROUP_MAP **pp_rmap, size_t *p_num_entries,
 					   BOOL unix_only)
 {
-	return enum_group_mapping(sid_name_use, pp_rmap, p_num_entries, unix_only) ?
+	return enum_group_mapping(sid, sid_name_use, pp_rmap, p_num_entries, unix_only) ?
 		NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
 }
 
@@ -1301,4 +1293,62 @@ BOOL pdb_set_dom_grp_info(const DOM_SID *sid, const struct acct_info *info)
 	return NT_STATUS_IS_OK(pdb_update_group_mapping_entry(&map));
 }
 
+/********************************************************************
+ Really just intended to be called by smbd
+********************************************************************/
+
+NTSTATUS pdb_create_builtin_alias(uint32 rid)
+{
+	DOM_SID sid;
+	enum SID_NAME_USE type;
+	gid_t gid;
+	GROUP_MAP map;
+	TALLOC_CTX *mem_ctx;
+	NTSTATUS status;
+	const char *name = NULL;
+	fstring groupname;
+
+	DEBUG(10, ("Trying to create builtin alias %d\n", rid));
+	
+	if ( !sid_compose( &sid, &global_sid_Builtin, rid ) ) {
+		return NT_STATUS_NO_SUCH_ALIAS;
+	}
+	
+	if ( (mem_ctx = talloc_new(NULL)) == NULL ) {
+		return NT_STATUS_NO_MEMORY;
+	}
+	
+	if ( !lookup_sid(mem_ctx, &sid, NULL, &name, &type) ) {
+		TALLOC_FREE( mem_ctx );
+		return NT_STATUS_NO_SUCH_ALIAS;
+	}
+	
+	/* validate RID so copy the name and move on */
+		
+	fstrcpy( groupname, name );
+	TALLOC_FREE( mem_ctx );
+
+	if (!winbind_allocate_gid(&gid)) {
+		DEBUG(3, ("pdb_create_builtin_alias: Could not get a gid out of winbind\n"));
+		return NT_STATUS_ACCESS_DENIED;
+	}
+
+	DEBUG(10,("Creating alias %s with gid %d\n", name, gid));
+
+	map.gid = gid;
+	sid_copy(&map.sid, &sid);
+	map.sid_name_use = SID_NAME_ALIAS;
+	fstrcpy(map.nt_name, name);
+	fstrcpy(map.comment, "");
+
+	status = pdb_add_group_mapping_entry(&map);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(0, ("pdb_create_builtin_alias: Could not add group mapping entry for alias %d "
+			  "(%s)\n", rid, nt_errstr(status)));
+	}
+
+	return status;
+}
+
 
diff --git a/source/include/passdb.h b/source/include/passdb.h
index a9688c6f818..432976412db 100644
--- a/source/include/passdb.h
+++ b/source/include/passdb.h
@@ -242,7 +242,7 @@ struct pdb_search {
  * the pdb module. Remove the latter, this might happen more often. VL.
  */
 
-#define PASSDB_INTERFACE_VERSION 12
+#define PASSDB_INTERFACE_VERSION 13
 
 struct pdb_methods 
 {
@@ -298,7 +298,7 @@ struct pdb_methods
 					       DOM_SID sid);
 
 	NTSTATUS (*enum_group_mapping)(struct pdb_methods *methods,
-				       enum SID_NAME_USE sid_name_use,
+				       const DOM_SID *sid, enum SID_NAME_USE sid_name_use,
 				       GROUP_MAP **pp_rmap, size_t *p_num_entries,
 				       BOOL unix_only);
 
diff --git a/source/nsswitch/winbindd_dual.c b/source/nsswitch/winbindd_dual.c
index d1ad3330d4c..14e0ef4ce24 100644
--- a/source/nsswitch/winbindd_dual.c
+++ b/source/nsswitch/winbindd_dual.c
@@ -559,7 +559,6 @@ static void child_msg_offline(int msg_type, struct process_id src, void *buf, si
 static void child_msg_online(int msg_type, struct process_id src, void *buf, size_t len)
 {
 	struct winbindd_domain *domain;
-	int ret;
 
 	DEBUG(5,("child_msg_online received.\n"));
 
diff --git a/source/nsswitch/winbindd_group.c b/source/nsswitch/winbindd_group.c
index 38d47ca3d7e..6e7a2423799 100644
--- a/source/nsswitch/winbindd_group.c
+++ b/source/nsswitch/winbindd_group.c
@@ -41,8 +41,8 @@ static BOOL fill_grent(struct winbindd_gr *gr, const char *dom_name,
 		       const char *gr_name, gid_t unix_gid)
 {
 	fstring full_group_name;
-	/* Fill in uid/gid */
-	fill_domain_username(full_group_name, dom_name, gr_name);
+
+	fill_domain_username( full_group_name, dom_name, gr_name, False);
 
 	gr->gr_gid = unix_gid;
     
@@ -146,7 +146,7 @@ static BOOL fill_grent_mem(struct winbindd_domain *domain,
 
 		/* Append domain name */
 
-		fill_domain_username(name, domain->name, the_name);
+		fill_domain_username(name, domain->name, the_name, False);
 
 		len = strlen(name);
 		
@@ -201,7 +201,8 @@ done:
 
 void winbindd_getgrnam(struct winbindd_cli_state *state)
 {
-	DOM_SID group_sid;
+	DOM_SID group_sid, tmp_sid;
+	uint32 grp_rid;
 	struct winbindd_domain *domain;
 	enum SID_NAME_USE name_type;
 	fstring name_domain, name_group;
@@ -270,6 +271,20 @@ void winbindd_getgrnam(struct winbindd_cli_state *state)
 		return;
 	}
 
+	/* Make sure that the group SID is within the domain of the
+	   original domain */
+
+	sid_copy( &tmp_sid, &group_sid );
+	sid_split_rid( &tmp_sid, &grp_rid );
+	if ( !sid_equal( &tmp_sid, &domain->sid ) ) {
+		DEBUG(3,("winbindd_getgrnam: group %s resolves to a SID in the wrong domain [%s]\n", 
+			state->request.data.groupname, sid_string_static(&group_sid)));
+		request_error(state);
+		return;
+	}
+
+	
+
 	/* Try to get the GID */
 
 	status = idmap_sid_to_gid(&group_sid, &gid, 0);
@@ -731,7 +746,7 @@ void winbindd_getgrent(struct winbindd_cli_state *state)
 		/* Fill in group entry */
 
 		fill_domain_username(domain_group_name, ent->domain_name, 
-			 name_list[ent->sam_entry_index].acct_name);
+			 name_list[ent->sam_entry_index].acct_name, False);
 
 		result = fill_grent(&group_list[group_list_ndx], 
 				    ent->domain_name,
@@ -905,7 +920,7 @@ void winbindd_list_groups(struct winbindd_cli_state *state)
 					    groups.sam_entries)[i].acct_name; 
 			fstring name;
 
-			fill_domain_username(name, domain->name, group_name);
+			fill_domain_username(name, domain->name, group_name, False);
 			/* Append to extra data */			
 			memcpy(&extra_data[extra_data_len], name, 
                                strlen(name));
diff --git a/source/nsswitch/winbindd_pam.c b/source/nsswitch/winbindd_pam.c
index 3e30d705225..d460c147699 100644
--- a/source/nsswitch/winbindd_pam.c
+++ b/source/nsswitch/winbindd_pam.c
@@ -1515,7 +1515,7 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 				nt_domain = name_domain;
 			}
 
-			fill_domain_username(username_out, nt_domain, nt_username);
+			fill_domain_username(username_out, nt_domain, nt_username, True);
 
 			DEBUG(5, ("Setting unix username to [%s]\n", username_out));
 
diff --git a/source/nsswitch/winbindd_passdb.c b/source/nsswitch/winbindd_passdb.c
index 96a85a4f3a0..73020cd6bcd 100644
--- a/source/nsswitch/winbindd_passdb.c
+++ b/source/nsswitch/winbindd_passdb.c
@@ -33,7 +33,7 @@ static void add_member(const char *domain, const char *user,
 {
 	fstring name;
 
-	fill_domain_username(name, domain, user);
+	fill_domain_username(name, domain, user, True);
 	safe_strcat(name, ",", sizeof(name)-1);
 	string_append(pp_members, name);
 	*p_num_members += 1;
@@ -248,10 +248,7 @@ static NTSTATUS name_to_sid(struct winbindd_domain *domain,
 	if (!pdb_find_alias(name, sid))
 		return NT_STATUS_NONE_MAPPED;
 
-	if (sid_check_is_in_builtin(sid))
-		*type = SID_NAME_WKN_GRP;
-	else
-		*type = SID_NAME_ALIAS;
+	*type = SID_NAME_ALIAS;
 
 	return NT_STATUS_OK;
 }
diff --git a/source/nsswitch/winbindd_user.c b/source/nsswitch/winbindd_user.c
index b48284a031d..9b0796fb670 100644
--- a/source/nsswitch/winbindd_user.c
+++ b/source/nsswitch/winbindd_user.c
@@ -97,7 +97,7 @@ static BOOL winbindd_fill_pwent(char *dom_name, char *user_name,
 
 	/* Username */
 
-	fill_domain_username(output_username, dom_name, user_name); 
+	fill_domain_username(output_username, dom_name, user_name, True); 
 
 	safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
 	
@@ -289,7 +289,7 @@ static void getpwsid_sid2gid_recv(void *private_data, BOOL success, gid_t gid)
 	pw = &s->state->response.data.pw;
 	pw->pw_uid = s->uid;
 	pw->pw_gid = s->gid;
-	fill_domain_username(output_username, s->domain->name, s->username); 
+	fill_domain_username(output_username, s->domain->name, s->username, True); 
 	safe_strcpy(pw->pw_name, output_username, sizeof(pw->pw_name) - 1);
 	safe_strcpy(pw->pw_gecos, s->fullname, sizeof(pw->pw_gecos) - 1);
 
@@ -781,7 +781,7 @@ void winbindd_list_users(struct winbindd_cli_state *state)
 				fstrcpy(acct_name, info[i].acct_name);
 			}
 			
-			fill_domain_username(name, domain->name, acct_name);
+			fill_domain_username(name, domain->name, acct_name, True);
 			
 				/* Append to extra data */
 			memcpy(&extra_data[extra_data_len], name, 
diff --git a/source/nsswitch/winbindd_util.c b/source/nsswitch/winbindd_util.c
index 0678376e8f5..64b4dd27a39 100644
--- a/source/nsswitch/winbindd_util.c
+++ b/source/nsswitch/winbindd_util.c
@@ -877,14 +877,14 @@ BOOL parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
     username is then unqualified in unix
 	 
 */
-void fill_domain_username(fstring name, const char *domain, const char *user)
+void fill_domain_username(fstring name, const char *domain, const char *user, BOOL can_assume)
 {
 	fstring tmp_user;
 
 	fstrcpy(tmp_user, user);
 	strlower_m(tmp_user);
 
-	if (assume_domain(domain)) {
+	if (can_assume && assume_domain(domain)) {
 		strlcpy(name, user, sizeof(fstring));
 	} else {
 		slprintf(name, sizeof(fstring) - 1, "%s%c%s",
diff --git a/source/passdb/pdb_interface.c b/source/passdb/pdb_interface.c
index 8645c12bcec..4061e7b5db9 100644
--- a/source/passdb/pdb_interface.c
+++ b/source/passdb/pdb_interface.c
@@ -715,7 +715,7 @@ NTSTATUS pdb_delete_group_mapping_entry(DOM_SID sid)
 	return pdb->delete_group_mapping_entry(pdb, sid);
 }
 
-BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
+BOOL pdb_enum_group_mapping(const DOM_SID *sid, enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
 			    size_t *p_num_entries, BOOL unix_only)
 {
 	struct pdb_methods *pdb = pdb_get_methods();
@@ -724,7 +724,7 @@ BOOL pdb_enum_group_mapping(enum SID_NAME_USE sid_name_use, GROUP_MAP **pp_rmap,
 		return False;
 	}
 
-	return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid_name_use,
+	return NT_STATUS_IS_OK(pdb-> enum_group_mapping(pdb, sid, sid_name_use,
 		pp_rmap, p_num_entries, unix_only));
 }
 
@@ -1631,7 +1631,7 @@ static BOOL lookup_global_sam_rid(TALLOC_CTX *mem_ctx, uint32 rid,
 	
 	if ( rid == DOMAIN_GROUP_RID_USERS ) {
 		*name = talloc_strdup(mem_ctx, "None" );
-		*psid_name_use = IS_DC ? SID_NAME_DOM_GRP : SID_NAME_ALIAS;
+		*psid_name_use = SID_NAME_DOM_GRP;
 		
 		return True;
 	}
@@ -1919,7 +1919,7 @@ static void search_end_groups(struct pdb_search *search)
 }
 
 static BOOL pdb_search_grouptype(struct pdb_search *search,
-				 enum SID_NAME_USE type)
+				 const DOM_SID *sid, enum SID_NAME_USE type)
 {
 	struct group_search *state;
 
@@ -1929,7 +1929,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search,
 		return False;
 	}
 
-	if (!pdb_enum_group_mapping(type, &state->groups, &state->num_groups,
+	if (!pdb_enum_group_mapping(sid, type, &state->groups, &state->num_groups,
 				    True)) {
 		DEBUG(0, ("Could not enum groups\n"));
 		return False;
@@ -1945,7 +1945,7 @@ static BOOL pdb_search_grouptype(struct pdb_search *search,
 static BOOL pdb_default_search_groups(struct pdb_methods *methods,
 				      struct pdb_search *search)
 {
-	return pdb_search_grouptype(search, SID_NAME_DOM_GRP);
+	return pdb_search_grouptype(search, get_global_sam_sid(), SID_NAME_DOM_GRP);
 }
 
 static BOOL pdb_default_search_aliases(struct pdb_methods *methods,
@@ -1953,14 +1953,7 @@ static BOOL pdb_default_search_aliases(struct pdb_methods *methods,
 				       const DOM_SID *sid)
 {
 
-	if (sid_equal(sid, get_global_sam_sid()))
-		return pdb_search_grouptype(search, SID_NAME_ALIAS);
-
-	if (sid_equal(sid, &global_sid_Builtin))
-		return pdb_search_grouptype(search, SID_NAME_WKN_GRP);
-
-	DEBUG(3, ("unknown domain sid: %s\n", sid_string_static(sid)));
-	return False;
+	return pdb_search_grouptype(search, sid, SID_NAME_ALIAS);
 }
 
 static struct samr_displayentry *pdb_search_getentry(struct pdb_search *search,
diff --git a/source/passdb/pdb_ldap.c b/source/passdb/pdb_ldap.c
index 72ec883aca6..b4f7e2b55cd 100644
--- a/source/passdb/pdb_ldap.c
+++ b/source/passdb/pdb_ldap.c
@@ -3070,7 +3070,7 @@ static NTSTATUS ldapsam_getsamgrent(struct pdb_methods *my_methods,
  *********************************************************************/
 
 static NTSTATUS ldapsam_enum_group_mapping(struct pdb_methods *methods,
-					   enum SID_NAME_USE sid_name_use,
+					   const DOM_SID *domsid, enum SID_NAME_USE sid_name_use,
 					   GROUP_MAP **pp_rmap,
 					   size_t *p_num_entries,
 					   BOOL unix_only)
diff --git a/source/rpc_server/srv_lsa_nt.c b/source/rpc_server/srv_lsa_nt.c
index 80c86a30798..7fe42efefb2 100644
--- a/source/rpc_server/srv_lsa_nt.c
+++ b/source/rpc_server/srv_lsa_nt.c
@@ -1071,7 +1071,7 @@ NTSTATUS _lsa_lookup_names(pipes_struct *p,LSA_Q_LOOKUP_NAMES *q_u, LSA_R_LOOKUP
 
 done:
 
-	if (NT_STATUS_IS_OK(r_u->status)) {
+	if (NT_STATUS_IS_OK(r_u->status) && (num_entries != 0) ) {
 		if (mapped_count == 0)
 			r_u->status = NT_STATUS_NONE_MAPPED;
 		else if (mapped_count != num_entries)
diff --git a/source/rpc_server/srv_samr_nt.c b/source/rpc_server/srv_samr_nt.c
index e4dc92c08d4..6a4c9f7133a 100644
--- a/source/rpc_server/srv_samr_nt.c
+++ b/source/rpc_server/srv_samr_nt.c
@@ -1650,6 +1650,10 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK
 				      names, attrs);
 	unbecome_root();
 
+	if ( NT_STATUS_EQUAL(r_u->status, NT_STATUS_NONE_MAPPED) && (num_rids == 0) ) {
+		r_u->status = NT_STATUS_OK;
+	}
+
 	if(!make_samr_lookup_rids(p->mem_ctx, num_rids, names,
 				  &hdr_name, &uni_name))
 		return NT_STATUS_NO_MEMORY;
@@ -2914,6 +2918,7 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A
 		/* Check we actually have the requested alias */
 		enum SID_NAME_USE type;
 		BOOL result;
+		gid_t gid;
 
 		become_root();
 		result = lookup_sid(NULL, &sid, NULL, NULL, &type);
@@ -2922,6 +2927,13 @@ NTSTATUS _samr_open_alias(pipes_struct *p, SAMR_Q_OPEN_ALIAS *q_u, SAMR_R_OPEN_A
 		if (!result || (type != SID_NAME_ALIAS)) {
 			return NT_STATUS_NO_SUCH_ALIAS;
 		}
+
+		/* make sure there is a mapping */
+		
+		if ( !sid_to_gid( &sid, &gid ) ) {
+			return NT_STATUS_NO_SUCH_ALIAS;
+		}
+
 	}
 
 	/* associate the alias SID with the new handle. */
diff --git a/source/utils/net_groupmap.c b/source/utils/net_groupmap.c
index fa60fcbd083..a96ac526bfc 100644
--- a/source/utils/net_groupmap.c
+++ b/source/utils/net_groupmap.c
@@ -163,7 +163,7 @@ static int net_groupmap_list(int argc, const char **argv)
 	else {
 		GROUP_MAP *map=NULL;
 		/* enumerate all group mappings */
-		if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
+		if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries, ENUM_ALL_MAPPED))
 			return -1;
 	
 		for (i=0; i<entries; i++) {
@@ -612,7 +612,7 @@ static int net_groupmap_cleanup(int argc, const char **argv)
 	GROUP_MAP *map = NULL;
 	size_t i, entries;
 
-	if (!pdb_enum_group_mapping(SID_NAME_UNKNOWN, &map, &entries,
+	if (!pdb_enum_group_mapping(NULL, SID_NAME_UNKNOWN, &map, &entries,
 				    ENUM_ALL_MAPPED)) {
 		d_fprintf(stderr, "Could not list group mappings\n");
 		return -1;
@@ -620,9 +620,6 @@ static int net_groupmap_cleanup(int argc, const char **argv)
 
 	for (i=0; i<entries; i++) {
 
-		if (map[i].sid_name_use == SID_NAME_WKN_GRP)
-			continue;
-
 		if (map[i].gid == -1)
 			printf("Group %s is not mapped\n", map[i].nt_name);