s4:dsdb - Store SID as string in FDS.

source4/dsdb/samdb/ldb_modules/extended_dn_out.c

@@ -35,7 +35,9 @@
 #include "ldb/include/ldb.h"
 #include "ldb/include/ldb_errors.h"
 #include "ldb/include/ldb_module.h"
+#include "libcli/security/dom_sid.h"
 #include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_security.h"
 #include "librpc/ndr/libndr.h"
 #include "dsdb/samdb/samdb.h"
 
@@ -278,9 +280,27 @@ static int handle_dereference_fds(struct ldb_dn *dn,
 	
 	/* Look for the objectSID */
 
-	sidBlob = ldb_msg_find_ldb_val(&fake_msg, "objectSID");
+	sidBlob = ldb_msg_find_ldb_val(&fake_msg, "sambaSID");
 	if (sidBlob) {
-		ldb_dn_set_extended_component(dn, "SID", sidBlob);
+		enum ndr_err_code ndr_err;
+
+		struct ldb_val sid_blob;
+        	struct dom_sid *sid;
+
+        	sid = dom_sid_parse_length(NULL, sidBlob);
+
+        	if (sid == NULL) {
+			return LDB_ERR_INVALID_DN_SYNTAX;
+        	}
+
+        	ndr_err = ndr_push_struct_blob(&sid_blob, NULL, NULL, sid,
+						(ndr_push_flags_fn_t)ndr_push_dom_sid);
+        	talloc_free(sid);
+        	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			return LDB_ERR_INVALID_DN_SYNTAX;
+        	}
+
+		ldb_dn_set_extended_component(dn, "SID", &sid_blob);
 	}
 	return LDB_SUCCESS;
 }

source4/dsdb/samdb/ldb_modules/simple_ldap_map.c

@@ -33,6 +33,7 @@
 #include "librpc/gen_ndr/ndr_misc.h"
 #include "librpc/ndr/libndr.h"
 #include "dsdb/samdb/samdb.h"
+#include "../../../lib/ldb/include/ldb_handlers.h"
 
 struct entryuuid_private {
 	struct ldb_context *ldb;
@@ -122,6 +123,25 @@ static struct ldb_val sid_always_binary(struct ldb_module *module, TALLOC_CTX *c
 	return out;
 }
 
+/* Ensure we always convert sids into string, so the backend doesn't have to know about both forms */
+static struct ldb_val sid_always_string(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
+{
+	struct ldb_context *ldb = ldb_module_get_ctx(module);
+	struct ldb_val out = data_blob(NULL, 0);
+
+	if (ldif_comparision_objectSid_isString(val)) {
+		if (ldb_handler_copy(ldb, ctx, val, &out) != LDB_SUCCESS) {
+			return data_blob(NULL, 0);
+		}
+
+	} else {
+		if (ldif_write_objectSid(ldb, ctx, val, &out) != LDB_SUCCESS) {
+			return data_blob(NULL, 0);
+		}
+	}
+	return out;
+}
+
 /* Ensure we always convert objectCategory into a DN */
 static struct ldb_val objectCategory_always_dn(struct ldb_module *module, TALLOC_CTX *ctx, const struct ldb_val *val)
 {
@@ -470,9 +490,9 @@ static const struct ldb_map_attribute nsuniqueid_attributes[] =
 		.type = LDB_MAP_CONVERT,
 		.u = {
 			.convert = {
-				.remote_name = "objectSid", 
-				.convert_local = sid_always_binary,
-				.convert_remote = val_copy,
+				.remote_name = "sambaSID", 
+				.convert_local = sid_always_string,
+				.convert_remote = sid_always_binary,
 			}
 		}
 	},

source4/lib/ldb-samba/ldif_handlers.c

@@ -92,7 +92,7 @@ static int ldif_read_objectSid(struct ldb_context *ldb, void *mem_ctx,
 /*
   convert a NDR formatted blob to a ldif formatted objectSid
 */
-static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
+int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
 				const struct ldb_val *in, struct ldb_val *out)
 {
 	struct dom_sid *sid;
@@ -116,7 +116,7 @@ static int ldif_write_objectSid(struct ldb_context *ldb, void *mem_ctx,
 	return 0;
 }
 
-static bool ldif_comparision_objectSid_isString(const struct ldb_val *v)
+bool ldif_comparision_objectSid_isString(const struct ldb_val *v)
 {
 	if (v->length < 3) {
 		return false;

source4/setup/schema-map-fedora-ds-1.0

@@ -75,6 +75,8 @@ nextRid
 nextRid:sambaNextRid
 privilegeDisplayName
 privilegeDisplayName:sambaPrivName
+objectSid
+objectSid:sambaSID
 
 #Resolve conflicting attributes
 1.2.840.113556.1.4.484:fRSDirectoryFilter-oid