Globally replace 'global_sam_sid' with get_global_sam_sid(), a self

initialising function.  This patch thanks to the work of
"Stefan (metze) Metzmacher" <metze@metzemix.de>

This is partly to enable the transition to SIDs in the the passdb.

Andrew Bartlett

source/groupdb/mapping.c

@@ -21,8 +21,6 @@
 
 #include "includes.h"
 
-extern DOM_SID global_sam_sid;
-
 static TDB_CONTEXT *tdb; /* used for driver files */
 
 #define DATABASE_VERSION_V1 1 /* native byte format. */
@@ -186,17 +184,17 @@ static BOOL default_group_mapping(void)
 
 	/* Add the defaults domain groups */
 
-	sid_copy(&sid_admins, &global_sam_sid);
+	sid_copy(&sid_admins, get_global_sam_sid());
 	sid_append_rid(&sid_admins, DOMAIN_GROUP_RID_ADMINS);
 	sid_to_string(str_admins, &sid_admins);
 	add_initial_entry(-1, str_admins, SID_NAME_DOM_GRP, "Domain Admins", "", privilege_all, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
 
-	sid_copy(&sid_users,  &global_sam_sid);
+	sid_copy(&sid_users,  get_global_sam_sid());
 	sid_append_rid(&sid_users,  DOMAIN_GROUP_RID_USERS);
 	sid_to_string(str_users, &sid_users);
 	add_initial_entry(-1, str_users,  SID_NAME_DOM_GRP, "Domain Users",  "", privilege_none, PR_ACCESS_FROM_NETWORK|PR_LOG_ON_LOCALLY);
 
-	sid_copy(&sid_guests, &global_sam_sid);
+	sid_copy(&sid_guests, get_global_sam_sid());
 	sid_append_rid(&sid_guests, DOMAIN_GROUP_RID_GUESTS);
 	sid_to_string(str_guests, &sid_guests);
 	add_initial_entry(-1, str_guests, SID_NAME_DOM_GRP, "Domain Guests", "", privilege_none, PR_ACCESS_FROM_NETWORK);
@@ -1070,7 +1068,7 @@ BOOL get_group_from_gid(gid_t gid, GROUP_MAP *map, BOOL with_priv)
 
 		/* interim solution until we have a last RID allocated */
 
-		sid_copy(&map->sid, &global_sam_sid);
+		sid_copy(&map->sid, get_global_sam_sid());
 		sid_append_rid(&map->sid, pdb_gid_to_group_rid(gid));
 
 		fstrcpy(map->nt_name, grp->gr_name);

source/include/sids.h

@@ -23,7 +23,7 @@
 #ifndef _SIDS_H
 #define _SIDS_H 
 
-extern DOM_SID global_sam_sid;
+extern DOM_SID *global_sam_sid;
 extern fstring global_sam_name;
 
 extern DOM_SID global_member_sid;

source/lib/util_sid.c

@@ -22,10 +22,6 @@
 
 #include "includes.h"
 
-/* NOTE! the global_sam_sid is the SID of our local SAM. This is only
-   equal to the domain SID when we are a DC, otherwise its our
-   workstation SID */
-extern DOM_SID global_sam_sid;
 extern pstring global_myname;
 extern fstring global_myworkgroup;
 

source/passdb/machine_sid.c

@@ -4,6 +4,7 @@
    Copyright (C) Jeremy Allison 		1996-2002
    Copyright (C) Andrew Tridgell		2002
    Copyright (C) Gerald (Jerry) Carter		2000
+   Copyright (C) Stefan (metze) Metzmacher	2002
       
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -22,6 +23,11 @@
 
 #include "includes.h"
 
+/* NOTE! the global_sam_sid is the SID of our local SAM. This is only
+   equal to the domain SID when we are a DC, otherwise its our
+   workstation SID */
+static DOM_SID *global_sam_sid=NULL;
+
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_PASSDB
 
@@ -70,13 +76,17 @@ static void generate_random_sid(DOM_SID *sid)
  Generate the global machine sid.
 ****************************************************************************/
 
-BOOL pdb_generate_sam_sid(void)
+static BOOL pdb_generate_sam_sid(void)
 {
 	char *fname = NULL;
 	extern pstring global_myname;
 	extern fstring global_myworkgroup;
 	BOOL is_dc = False;
 
+	if(global_sam_sid==NULL)
+		if(!(global_sam_sid=(DOM_SID *)malloc(sizeof(DOM_SID))))
+			return False;
+			
 	generate_wellknown_sids();
 
 	switch (lp_server_role()) {
@@ -89,7 +99,7 @@ BOOL pdb_generate_sam_sid(void)
 		break;
 	}
 
-	if (secrets_fetch_domain_sid(global_myname, &global_sam_sid)) {
+	if (secrets_fetch_domain_sid(global_myname, global_sam_sid)) {
 		DOM_SID domain_sid;
 
 		/* We got our sid. If not a pdc/bdc, we're done. */
@@ -100,19 +110,19 @@ BOOL pdb_generate_sam_sid(void)
 
 			/* No domain sid and we're a pdc/bdc. Store it */
 
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Can't store domain SID as a pdc/bdc.\n"));
 				return False;
 			}
 			return True;
 		}
 
-		if (!sid_equal(&domain_sid, &global_sam_sid)) {
+		if (!sid_equal(&domain_sid, global_sam_sid)) {
 
 			/* Domain name sid doesn't match global sam sid. Re-store global sam sid as domain sid. */
 
 			DEBUG(0,("pdb_generate_sam_sid: Mismatched SIDs as a pdc/bdc.\n"));
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Can't re-store domain SID as a pdc/bdc.\n"));
 				return False;
 			}
@@ -126,24 +136,23 @@ BOOL pdb_generate_sam_sid(void)
 	/* check for an old MACHINE.SID file for backwards compatibility */
 	asprintf(&fname, "%s/MACHINE.SID", lp_private_dir());
 
-	if (read_sid_from_file(fname, &global_sam_sid)) {
+	if (read_sid_from_file(fname, global_sam_sid)) {
 		/* remember it for future reference and unlink the old MACHINE.SID */
-		if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
+		if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
 			DEBUG(0,("pdb_generate_sam_sid: Failed to store SID from file.\n"));
 			SAFE_FREE(fname);
 			return False;
 		}
 		unlink(fname);
 		if (is_dc) {
-			if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+			if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 				DEBUG(0,("pdb_generate_sam_sid: Failed to store domain SID from file.\n"));
 				SAFE_FREE(fname);
 				return False;
 			}
 		}
 
-		/* Stored the old sid from MACHINE.SID successfully.
+		/* Stored the old sid from MACHINE.SID successfully.*/
-			Patch from Stefan "metze" Metzmacher <metze@metzemix.de>*/
 		SAFE_FREE(fname);
 		return True;
 	}
@@ -152,14 +161,14 @@ BOOL pdb_generate_sam_sid(void)
 
 	/* we don't have the SID in secrets.tdb, we will need to
            generate one and save it */
-	generate_random_sid(&global_sam_sid);
+	generate_random_sid(global_sam_sid);
 
-	if (!secrets_store_domain_sid(global_myname, &global_sam_sid)) {
+	if (!secrets_store_domain_sid(global_myname, global_sam_sid)) {
 		DEBUG(0,("pdb_generate_sam_sid: Failed to store generated machine SID.\n"));
 		return False;
 	}
 	if (is_dc) {
-		if (!secrets_store_domain_sid(global_myworkgroup, &global_sam_sid)) {
+		if (!secrets_store_domain_sid(global_myworkgroup, global_sam_sid)) {
 			DEBUG(0,("pdb_generate_sam_sid: Failed to store generated domain SID.\n"));
 			return False;
 		}
@@ -167,3 +176,19 @@ BOOL pdb_generate_sam_sid(void)
 
 	return True;
 }   
+
+/* return our global_sam_sid */
+DOM_SID *get_global_sam_sid(void)
+{
+	if (global_sam_sid != NULL)
+		return global_sam_sid;
+	
+	/* memory for global_sam_sid is allocated in 
+	   pdb_generate_sam_sid() is needed*/
+
+	if (!pdb_generate_sam_sid())
+		global_sam_sid=NULL;	
+	
+	return global_sam_sid;
+}
+

source/passdb/passdb.c

@@ -32,7 +32,6 @@
  * responsible.
  */
 
-extern DOM_SID global_sam_sid;
 extern pstring global_myname;
 
 /************************************************************
@@ -699,7 +698,7 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 
 	fstrcpy(user, c_user);
 
-	sid_copy(&local_sid, &global_sam_sid);
+	sid_copy(&local_sid, get_global_sam_sid());
 
 	/*
 	 * Special case for MACHINE\Everyone. Map to the world_sid.
@@ -787,12 +786,11 @@ BOOL local_lookup_name(const char *c_user, DOM_SID *psid, enum SID_NAME_USE *psi
 
 DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
 {
-	extern DOM_SID global_sam_sid;
 	struct passwd *pass;
 	SAM_ACCOUNT *sam_user = NULL;
 	fstring str; /* sid string buffer */
 
-	sid_copy(psid, &global_sam_sid);
+	sid_copy(psid, get_global_sam_sid());
 
 	if((pass = getpwuid_alloc(uid))) {
 
@@ -830,8 +828,6 @@ DOM_SID *local_uid_to_sid(DOM_SID *psid, uid_t uid)
 
 BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	extern DOM_SID global_sam_sid;
-
 	DOM_SID dom_sid;
 	uint32 rid;
 	fstring str;
@@ -846,7 +842,7 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	 * We can only convert to a uid if this is our local
 	 * Domain SID (ie. we are the controling authority).
 	 */
-	if (!sid_equal(&global_sam_sid, &dom_sid))
+	if (!sid_equal(get_global_sam_sid(), &dom_sid))
 		return False;
 
 	if (NT_STATUS_IS_ERR(pdb_init_sam(&sam_user)))
@@ -878,10 +874,9 @@ BOOL local_sid_to_uid(uid_t *puid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 
 DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
 {
-	extern DOM_SID global_sam_sid;
 	GROUP_MAP map;
 
-	sid_copy(psid, &global_sam_sid);
+	sid_copy(psid, get_global_sam_sid());
 	
 	if (get_group_map_from_gid(gid, &map, MAPPING_WITHOUT_PRIV)) {
 		sid_copy(psid, &map.sid);
@@ -899,7 +894,6 @@ DOM_SID *local_gid_to_sid(DOM_SID *psid, gid_t gid)
 
 BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 {
-	extern DOM_SID global_sam_sid;
 	DOM_SID dom_sid;
 	uint32 rid;
 	fstring str;
@@ -917,7 +911,7 @@ BOOL local_sid_to_gid(gid_t *pgid, DOM_SID *psid, enum SID_NAME_USE *name_type)
 	 * Or in the Builtin SID too. JFM, 11/30/2001
 	 */
 
-	if (!sid_equal(&global_sam_sid, &dom_sid))
+	if (!sid_equal(get_global_sam_sid(), &dom_sid))
 		return False;
 
 	if (get_group_map_from_sid(*psid, &map, MAPPING_WITHOUT_PRIV)) {

source/passdb/util_sam_sid.c

@@ -22,14 +22,9 @@
 
 #include "includes.h"
 
-DOM_SID global_sam_sid;
 extern pstring global_myname;
 extern fstring global_myworkgroup;
 
-/* NOTE! the global_sam_sid is the SID of our local SAM. This is only
-   equal to the domain SID when we are a DC, otherwise its our
-   workstation SID */
-
 #define MAX_SID_NAMES	7
 
 typedef struct _known_sid_users {
@@ -99,17 +94,17 @@ static void init_sid_name_map (void)
 	generate_wellknown_sids();
 
 	if ((lp_security() == SEC_USER) && lp_domain_logons()) {
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myworkgroup;
 		sid_name_map[i].known_users = NULL;
 		i++;
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
 		i++;
 	}
 	else {
-		sid_name_map[i].sid = &global_sam_sid;
+		sid_name_map[i].sid = get_global_sam_sid();
 		sid_name_map[i].name = global_myname;
 		sid_name_map[i].known_users = NULL;
 		i++;
@@ -224,14 +219,14 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
 
 	if (nt_domain == NULL) {
 		DEBUG(5,("map_domain_name_to_sid: mapping NULL domain to our SID.\n"));
-		sid_copy(sid, &global_sam_sid);
+		sid_copy(sid, get_global_sam_sid());
 		return True;
 	}
 
 	if (nt_domain[0] == 0) {
 		fstrcpy(nt_domain, global_myname);
 		DEBUG(5,("map_domain_name_to_sid: overriding blank name to %s\n", nt_domain));
-		sid_copy(sid, &global_sam_sid);
+		sid_copy(sid, get_global_sam_sid());
 		return True;
 	}
 
@@ -261,7 +256,7 @@ BOOL map_domain_name_to_sid(DOM_SID *sid, char *nt_domain)
 *****************************************************************/  
 BOOL sid_check_is_domain(const DOM_SID *sid)
 {
-	return sid_equal(sid, &global_sam_sid);
+	return sid_equal(sid, get_global_sam_sid());
 }
 
 /*****************************************************************
@@ -275,6 +270,6 @@ BOOL sid_check_is_in_our_domain(const DOM_SID *sid)
 	sid_copy(&dom_sid, sid);
 	sid_split_rid(&dom_sid, &rid);
 	
-	return sid_equal(&dom_sid, &global_sam_sid);
+	return sid_equal(&dom_sid, get_global_sam_sid());
 }
 

source/printing/nt_printing.c

@@ -3683,7 +3683,6 @@ WERROR nt_printing_setsec(char *printername, SEC_DESC_BUF *secdesc_ctr)
 
 static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
 {
-	extern DOM_SID global_sam_sid;
 	SEC_ACE ace[3];
 	SEC_ACCESS sa;
 	SEC_ACL *psa = NULL;
@@ -3709,7 +3708,7 @@ static SEC_DESC_BUF *construct_default_printer_sdb(TALLOC_CTX *ctx)
  		   This should emulate a lanman printer as security
  		   settings can't be changed. */
 
-		sid_copy(&owner_sid, &global_sam_sid);
+		sid_copy(&owner_sid, get_global_sam_sid());
 		sid_append_rid(&owner_sid, DOMAIN_USER_RID_ADMIN);
 	}
 

source/rpc_server/srv_lsa_nt.c

@@ -26,7 +26,6 @@
 
 #include "includes.h"
 
-extern DOM_SID global_sam_sid;
 extern fstring global_myworkgroup;
 extern pstring global_myname;
 extern PRIVS privs[];
@@ -320,7 +319,7 @@ static NTSTATUS lsa_get_generic_sd(TALLOC_CTX *mem_ctx, SEC_DESC **sd, size_t *s
 	init_sec_access(&mask, POLICY_EXECUTE);
 	init_sec_ace(&ace[0], &global_sid_World, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
 
-	sid_copy(&adm_sid, &global_sam_sid);
+	sid_copy(&adm_sid, get_global_sam_sid());
 	sid_append_rid(&adm_sid, DOMAIN_GROUP_RID_ADMINS);
 	init_sec_access(&mask, POLICY_ALL_ACCESS);
 	init_sec_ace(&ace[1], &adm_sid, SEC_ACE_TYPE_ACCESS_ALLOWED, mask, 0);
@@ -367,7 +366,7 @@ NTSTATUS _lsa_open_policy2(pipes_struct *p, LSA_Q_OPEN_POL2 *q_u, LSA_R_OPEN_POL
 		return NT_STATUS_NO_MEMORY;
 
 	ZERO_STRUCTP(info);
-	info->sid = global_sam_sid;
+	sid_copy(&info->sid,get_global_sam_sid());
 	info->access = acc_granted;
 
 	/* set up the LSA QUERY INFO response */
@@ -405,7 +404,7 @@ NTSTATUS _lsa_open_policy(pipes_struct *p, LSA_Q_OPEN_POL *q_u, LSA_R_OPEN_POL *
 		return NT_STATUS_NO_MEMORY;
 
 	ZERO_STRUCTP(info);
-	info->sid = global_sam_sid;
+	sid_copy(&info->sid,get_global_sam_sid());
 	info->access = acc_granted;
 
 	/* set up the LSA QUERY INFO response */
@@ -502,7 +501,7 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
 				name = global_myworkgroup;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_DOMAIN_MEMBER:
 				name = global_myworkgroup;
@@ -532,15 +531,15 @@ NTSTATUS _lsa_query_info(pipes_struct *p, LSA_Q_QUERY_INFO *q_u, LSA_R_QUERY_INF
 			case ROLE_DOMAIN_PDC:
 			case ROLE_DOMAIN_BDC:
 				name = global_myworkgroup;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_DOMAIN_MEMBER:
 				name = global_myname;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			case ROLE_STANDALONE:
 				name = global_myname;
-				sid = &global_sam_sid;
+				sid = get_global_sam_sid();
 				break;
 			default:
 				return NT_STATUS_CANT_ACCESS_DOMAIN_INFO;

source/rpc_server/srv_netlog_nt.c

@@ -27,7 +27,6 @@
 #include "includes.h"
 
 extern pstring global_myname;
-extern DOM_SID global_sam_sid;
 
 /*************************************************************************
  init_net_r_req_chal:
@@ -705,7 +704,9 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
 				    NULL, /* uchar sess_key[16] */
 				    my_name     , /* char *logon_srv */
 				    my_workgroup, /* char *logon_dom */
-				    &global_sam_sid,     /* DOM_SID *dom_sid */
+				    get_global_sam_sid(),     /* DOM_SID *dom_sid */  
+				    /* Should be users domain sid, not servers - for trusted domains */
+				  
 				    NULL); /* char *other_sids */
 	}
 	free_server_info(&server_info);

source/rpc_server/srv_samr_nt.c

@@ -31,7 +31,6 @@
 
 extern fstring global_myworkgroup;
 extern pstring global_myname;
-extern DOM_SID global_sam_sid;
 extern DOM_SID global_sid_Builtin;
 
 extern rid_name domain_group_rids[];
@@ -684,7 +683,7 @@ static NTSTATUS get_group_alias_entries(TALLOC_CTX *ctx, DOMAIN_GRP **d_grp, DOM
 		}
 		SAFE_FREE(map);
 		
-	} else if (sid_equal(sid, &global_sam_sid) && !lp_hide_local_users()) {
+	} else if (sid_equal(sid, get_global_sam_sid()) && !lp_hide_local_users()) {
 		struct sys_grent *glist;
 		struct sys_grent *grp;
 		struct passwd *pw;
@@ -1386,7 +1385,7 @@ NTSTATUS _samr_lookup_rids(pipes_struct *p, SAMR_Q_LOOKUP_RIDS *q_u, SAMR_R_LOOK
 		group_attrs[i] = SID_NAME_UNKNOWN;
 		*group_names[i] = '\0';
 
-		if (sid_equal(&pol_sid, &global_sam_sid)) {
+		if (sid_equal(&pol_sid, get_global_sam_sid())) {
 			sid_copy(&sid, &pol_sid);
 			sid_append_rid(&sid, q_u->rid[i]);
 
@@ -1841,7 +1840,7 @@ NTSTATUS _samr_query_dom_info(pipes_struct *p, SAMR_Q_QUERY_DOMAIN_INFO *q_u, SA
 			num_users=info->disp_info.num_user_account;
 			free_samr_db(info);
 			
-			r_u->status=load_group_domain_entries(info, &global_sam_sid);
+			r_u->status=load_group_domain_entries(info, get_global_sam_sid());
 			if (!NT_STATUS_IS_OK(r_u->status)) {
 				DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
 				return r_u->status;
@@ -2770,7 +2769,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_
 		if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
 			return NT_STATUS_NO_SUCH_ALIAS;
 	} else {
-		if (sid_equal(&alias_sid, &global_sam_sid)) {
+		if (sid_equal(&alias_sid, get_global_sam_sid())) {
 			DEBUG(10, ("lookup on Server SID\n"));
 			if(!get_local_group_from_sid(als_sid, &map, MAPPING_WITHOUT_PRIV))
 				return NT_STATUS_NO_SUCH_ALIAS;
@@ -2789,7 +2788,7 @@ NTSTATUS _samr_query_aliasmem(pipes_struct *p, SAMR_Q_QUERY_ALIASMEM *q_u, SAMR_
 		struct passwd *pass;
 		uint32 rid;
 
-		sid_copy(&temp_sid, &global_sam_sid);
+		sid_copy(&temp_sid, get_global_sam_sid());
 
 		pass = getpwuid_alloc(uid[i]);
 		if (!pass) continue;
@@ -2863,7 +2862,7 @@ NTSTATUS _samr_query_groupmem(pipes_struct *p, SAMR_Q_QUERY_GROUPMEM *q_u, SAMR_
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
 	/* can we get a query for an SID outside our domain ? */
-	if (!sid_equal(&group_sid, &global_sam_sid))
+	if (!sid_equal(&group_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	sid_append_rid(&group_sid, group_rid);
@@ -2946,7 +2945,7 @@ NTSTATUS _samr_add_aliasmem(pipes_struct *p, SAMR_Q_ADD_ALIASMEM *q_u, SAMR_R_AD
 	sid_to_string(alias_sid_str, &alias_sid);
 	DEBUG(10, ("sid is %s\n", alias_sid_str));
 
-	if (sid_compare(&alias_sid, &global_sam_sid)>0) {
+	if (sid_compare(&alias_sid, get_global_sam_sid())>0) {
 		DEBUG(10, ("adding member on Server SID\n"));
 		if(!get_local_group_from_sid(alias_sid, &map, MAPPING_WITHOUT_PRIV))
 			return NT_STATUS_NO_SUCH_ALIAS;
@@ -3095,7 +3094,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
 	sid_to_string(group_sid_str, &group_sid);
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
-	if (sid_compare(&group_sid, &global_sam_sid)<=0)
+	if (sid_compare(&group_sid, get_global_sam_sid())<=0)
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	DEBUG(10, ("lookup on Domain SID\n"));
@@ -3103,7 +3102,7 @@ NTSTATUS _samr_add_groupmem(pipes_struct *p, SAMR_Q_ADD_GROUPMEM *q_u, SAMR_R_AD
 	if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	sid_copy(&user_sid, &global_sam_sid);
+	sid_copy(&user_sid, get_global_sam_sid());
 	sid_append_rid(&user_sid, q_u->rid);
 
 	ret = pdb_init_sam(&sam_user);
@@ -3182,7 +3181,7 @@ NTSTATUS _samr_del_groupmem(pipes_struct *p, SAMR_Q_DEL_GROUPMEM *q_u, SAMR_R_DE
 	if(!sid_check_is_in_our_domain(&group_sid))
 		return NT_STATUS_NO_SUCH_GROUP;
 
-	sid_copy(&user_sid, &global_sam_sid);
+	sid_copy(&user_sid, get_global_sam_sid());
 	sid_append_rid(&user_sid, q_u->rid);
 
 	if(!get_domain_group_from_sid(group_sid, &map, MAPPING_WITHOUT_PRIV))
@@ -3315,7 +3314,7 @@ NTSTATUS _samr_delete_dom_group(pipes_struct *p, SAMR_Q_DELETE_DOM_GROUP *q_u, S
 	DEBUG(10, ("sid is %s\n", group_sid_str));
 
 	/* we check if it's our SID before deleting */
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_GROUP;
 
 	DEBUG(10, ("lookup on Domain SID\n"));
@@ -3372,7 +3371,7 @@ NTSTATUS _samr_delete_dom_alias(pipes_struct *p, SAMR_Q_DELETE_DOM_ALIAS *q_u, S
 	DEBUG(10, ("sid is %s\n", alias_sid_str));
 
 	/* we check if it's our SID before deleting */
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_NO_SUCH_ALIAS;
 
 	DEBUG(10, ("lookup on Local SID\n"));
@@ -3422,7 +3421,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->pol, &dom_sid)) 
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* TODO: check if allowed to create group and add a become_root/unbecome_root pair.*/
@@ -3443,7 +3442,7 @@ NTSTATUS _samr_create_dom_group(pipes_struct *p, SAMR_Q_CREATE_DOM_GROUP *q_u, S
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
 
 	/* add the group to the mapping table */
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, r_u->rid);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3480,7 +3479,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 	if (!get_lsa_policy_samr_sid(p, &q_u->dom_pol, &dom_sid)) 
 		return NT_STATUS_INVALID_HANDLE;
 
-	if (!sid_equal(&dom_sid, &global_sam_sid))
+	if (!sid_equal(&dom_sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
 	/* TODO: check if allowed to create group  and add a become_root/unbecome_root pair.*/
@@ -3500,7 +3499,7 @@ NTSTATUS _samr_create_dom_alias(pipes_struct *p, SAMR_Q_CREATE_DOM_ALIAS *q_u, S
 
 	r_u->rid=pdb_gid_to_group_rid(grp->gr_gid);
 
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, r_u->rid);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3686,10 +3685,10 @@ NTSTATUS _samr_open_group(pipes_struct *p, SAMR_Q_OPEN_GROUP *q_u, SAMR_R_OPEN_G
 		return NT_STATUS_INVALID_HANDLE;
 
 	/* this should not be hard-coded like this */
-	if (!sid_equal(&sid, &global_sam_sid))
+	if (!sid_equal(&sid, get_global_sam_sid()))
 		return NT_STATUS_ACCESS_DENIED;
 
-	sid_copy(&info_sid, &global_sam_sid);
+	sid_copy(&info_sid, get_global_sam_sid());
 	sid_append_rid(&info_sid, q_u->rid_group);
 	sid_to_string(sid_string, &info_sid);
 
@@ -3778,7 +3777,7 @@ NTSTATUS _samr_unknown_2e(pipes_struct *p, SAMR_Q_UNKNOWN_2E *q_u, SAMR_R_UNKNOW
 			num_users=info->disp_info.num_user_account;
 			free_samr_db(info);
 			
-			r_u->status=load_group_domain_entries(info, &global_sam_sid);
+			r_u->status=load_group_domain_entries(info, get_global_sam_sid());
 			if (NT_STATUS_IS_ERR(r_u->status)) {
 				DEBUG(5, ("_samr_query_dispinfo: load_group_domain_entries failed\n"));
 				return r_u->status;

source/smbd/groupname.c

@@ -21,7 +21,6 @@
 #ifdef USING_GROUPNAME_MAP
 
 #include "includes.h"
-extern DOM_SID global_sam_sid;
 
 /**************************************************************************
  Groupname map functionality. The code loads a groupname map file and
@@ -160,7 +159,7 @@ Error was %s.\n", unixname, strerror(errno) ));
        * It's not a well known name, convert the UNIX gid_t
        * to a rid within this domain SID.
        */
-      tmp_sid = global_sam_sid;
+      sid_copy(&tmp_sid,get_global_sam_sid());
       tmp_sid.sub_auths[tmp_sid.num_auths++] = 
                     pdb_gid_to_group_rid(gid);
     }
@@ -228,7 +227,7 @@ void map_gid_to_sid( gid_t gid, DOM_SID *psid)
    * If there's no map, convert the UNIX gid_t
    * to a rid within this domain SID.
    */
-  *psid = global_sam_sid;
+  sid_copy(psid,get_global_sam_sid());
   psid->sub_auths[psid->num_auths++] = pdb_gid_to_group_rid(gid);
 
   return;

source/smbd/server.c

@@ -860,7 +860,7 @@ static void usage(char *pname)
 	/* possibly reload the services file. */
 	reload_services(True);
 
-	if(!pdb_generate_sam_sid()) {
+	if(!get_global_sam_sid()) {
 		DEBUG(0,("ERROR: Samba cannot create a SAM SID.\n"));
 		exit(1);
 	}

source/smbd/uid.c

@@ -504,7 +504,7 @@ BOOL lookup_sid(DOM_SID *sid, fstring dom_name, fstring name, enum SID_NAME_USE
 		sid_copy(&tmp_sid, sid);
 		sid_split_rid(&tmp_sid, &rid);
 
-		if (sid_equal(&global_sam_sid, &tmp_sid)) {
+		if (sid_equal(get_global_sam_sid(), &tmp_sid)) {
 
 			return map_domain_sid_to_name(&tmp_sid, dom_name) &&
 				local_lookup_sid(sid, name, name_type);
@@ -598,7 +598,7 @@ BOOL sid_to_uid(DOM_SID *psid, uid_t *puid, enum SID_NAME_USE *sidtype)
 	fstring sid_str;
 
 	/* if we know its local then don't try winbindd */
-	if (sid_compare_domain(&global_sam_sid, psid) == 0) {
+	if (sid_compare_domain(get_global_sam_sid(), psid) == 0) {
 		return local_sid_to_uid(puid, psid, sidtype);
 	}
 

source/utils/smbgroupedit.c

@@ -23,7 +23,6 @@
 
 extern pstring global_myname;
 extern pstring global_myworkgroup;
-extern DOM_SID global_sam_sid;
 
 /*
  * Next two lines needed for SunOS and don't
@@ -306,7 +305,7 @@ int main (int argc, char **argv)
 		exit(1);
 	}
 	
-	if(pdb_generate_sam_sid()==False) {
+	if(get_global_sam_sid()==False) {
 		fprintf(stderr, "Can not read machine SID\n");
 		return 0;
 	}