authorDavy Defaud <davy.defaud@free.fr>2014-01-30 14:48:24 +0100
committerArthur de Jong <arthur@arthurdejong.org>2014-01-31 21:27:07 +0100
commit4211961e35501ef89b2897dd1e633f2a983447a7 (patch)
treef1ce38beb11bc2e57376630dc7f807d32c1ec8b4
parentf6a067594d2527f0ce950c3117138df09413c007 (diff)
Support builtin Windows groups
This maps the gid (gidNumber) to an AD SID for builtin groups when searching a group by gid (RID) between 544 and 552. In that case the SID prefix is not the domain's prefix (S-1-5-21-dddddd-dddddd-dddddd) but the BUILTIN SID prefix (1-5-32). For example, if you add a user to the Administrators builtin group (S-1-5-32-544), now you should be able to get this group through nslcd, instead of receiving an error message.
-rw-r--r--nslcd/group.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/nslcd/group.c b/nslcd/group.c
index ffaeb80..390e398 100644
--- a/nslcd/group.c
+++ b/nslcd/group.c
@@ -72,6 +72,11 @@ const char *attmap_group_member = "member";
(these are already LDAP-escaped strings) */
static char *gidSid = NULL;
+/* BUILTIN SID definitions */
+static char *builtinSid = NULL;
+const gid_t min_builtin_rid = 544;
+const gid_t max_builtin_rid = 552;
+
/* default values for attributes */
static const char *default_group_userPassword = "*"; /* unmatchable */
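Review bot: `min_builtin_rid` and `max_builtin_rid` are defined without `static`, so they get external linkage although they are only used as file-local bounds next to the `static` `gidSid` and `builtinSid`. Declare them `static const gid_t min_builtin_rid = 544;` and `static const gid_t max_builtin_rid = 552;`. The comment should also state exactly what the range covers, e.g. `/* RIDs of the BUILTIN aliases handled here: S-1-5-32-544 .. S-1-5-32-552 */`, because well-known BUILTIN aliases with higher RIDs exist and are not matched by this check.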
@@ -99,8 +104,15 @@ static int mkfilter_group_byname(const char *name,
by gid, return -1 on errors */
static int mkfilter_group_bygid(gid_t gid, char *buffer, size_t buflen)
{
+ /* if searching for a Windows domain SID */
if (gidSid != NULL)
{
+ /* the given gid is a BUILTIN gid, the SID prefix is not the domain SID */
+ if ((gid >= min_builtin_rid) && (gid <= max_builtin_rid))
+ return mysnprintf(buffer, buflen, "(&%s(%s=%s\\%02x\\%02x\\%02x\\%02x))",
+ group_filter, attmap_group_gidNumber, builtinSid,
+ (int)(gid & 0xff), (int)((gid >> 8) & 0xff),
+ (int)((gid >> 16) & 0xff), (int)((gid >> 24) & 0xff));
return mysnprintf(buffer, buflen, "(&%s(%s=%s\\%02x\\%02x\\%02x\\%02x))",
group_filter, attmap_group_gidNumber, gidSid,
(int)(gid & 0xff), (int)((gid >> 8) & 0xff),
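Review bot: The BUILTIN branch repeats the whole `mysnprintf` call of the domain case with only the prefix argument changed, so the two filter formats can drift apart on a later edit. Select the prefix once, `const char *sid = ((gid >= min_builtin_rid) && (gid <= max_builtin_rid)) ? builtinSid : gidSid;`, and keep a single `mysnprintf(...)` call that passes `sid`. The body of `mkfilter_group_bygid` continues past the end of this hunk.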
@@ -168,6 +180,7 @@ void group_init(void)
if (strncasecmp(attmap_group_gidNumber, "objectSid:", 10) == 0)
{
gidSid = sid2search(attmap_group_gidNumber + 10);
+ builtinSid = sid2search("S-1-5-32");
attmap_group_gidNumber = strndup(attmap_group_gidNumber, 9);
}
/* set up attribute list */
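Review bot: The BUILTIN mapping is switched on unconditionally for every configuration that maps gidNumber to `objectSid:`, so numeric gids 544–552 now resolve to directory-controlled groups such as Administrators (S-1-5-32-544, per the commit message) with no opt-out. Hosts that already use those gid numbers locally, or that key file ownership or access rules on them, may start matching the AD group, depending on lookup order. That deserves a comment at the assignment, e.g. `/* gids 544-552 are answered from the BUILTIN domain (S-1-5-32), not the configured domain SID */`, and a matching line in the configuration documentation. The result of `sid2search("S-1-5-32")` is also stored unchecked and later passed to `%s` in `mkfilter_group_bygid`; whether `sid2search` can return NULL is not visible in this diff.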