The Samba-Bugzilla – Attachment 10321 Details for
Bug 10838
Invalid id mappings for users/groups migrated from another domain
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Backport of patches to 4.1 branch
4-1-patches (text/plain), 10.41 KB, created by
Christof Schmitt
on 2014-09-29 23:10:10 UTC
(
hide
)
Description:
Backport of patches to 4.1 branch
Filename:
MIME Type:
Creator:
Christof Schmitt
Created:
2014-09-29 23:10:10 UTC
Size:
10.41 KB
patch
obsolete
>From cdd913ed6c34cabac045e01bb44d03e674ca7fc6 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Thu, 11 Sep 2014 16:11:06 -0700 >Subject: [PATCH 1/2] s3: Move init_lsa_ref_domain_list to lib > >This will be used in the next patch in winbind. > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >(cherry picked from commit 16594e7fc0a46249a48d0d0635de0c1050ecd340) >--- > source3/include/lsa.h | 25 +++++++++++++ > source3/lib/lsa.c | 67 +++++++++++++++++++++++++++++++++++ > source3/rpc_server/lsa/srv_lsa_nt.c | 48 +------------------------ > source3/rpc_server/wscript_build | 2 +- > source3/wscript_build | 4 ++ > 5 files changed, 98 insertions(+), 48 deletions(-) > create mode 100644 source3/include/lsa.h > create mode 100644 source3/lib/lsa.c > >diff --git a/source3/include/lsa.h b/source3/include/lsa.h >new file mode 100644 >index 0000000..7681aed >--- /dev/null >+++ b/source3/include/lsa.h >@@ -0,0 +1,25 @@ >+/* >+ * Helper functions related to the LSA server >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program; if not, see <http://www.gnu.org/licenses/>. >+ */ >+#ifndef LSA_H >+#define LSA_H >+ >+int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, >+ struct lsa_RefDomainList *ref, >+ const char *dom_name, >+ struct dom_sid *dom_sid); >+ >+#endif >diff --git a/source3/lib/lsa.c b/source3/lib/lsa.c >new file mode 100644 >index 0000000..0046fda >--- /dev/null >+++ b/source3/lib/lsa.c >@@ -0,0 +1,67 @@ >+/* >+ * Helper functions related to the LSA server >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program; if not, see <http://www.gnu.org/licenses/>. >+ */ >+ >+/*************************************************************************** >+ init_lsa_ref_domain_list - adds a domain if it's not already in, returns index. >+***************************************************************************/ >+ >+#include "includes.h" >+#include "libcli/security/dom_sid.h" >+#include "librpc/gen_ndr/lsa.h" >+#include "lsa.h" >+ >+int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, >+ struct lsa_RefDomainList *ref, >+ const char *dom_name, >+ struct dom_sid *dom_sid) >+{ >+ int num = 0; >+ >+ if (dom_name != NULL) { >+ for (num = 0; num < ref->count; num++) { >+ if (dom_sid_equal(dom_sid, ref->domains[num].sid)) { >+ return num; >+ } >+ } >+ } else { >+ num = ref->count; >+ } >+ >+ if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) { >+ /* index not found, already at maximum domain limit */ >+ return -1; >+ } >+ >+ ref->count = num + 1; >+ ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER; >+ >+ ref->domains = talloc_realloc(mem_ctx, ref->domains, >+ struct lsa_DomainInfo, ref->count); >+ if (!ref->domains) { >+ return -1; >+ } >+ >+ ZERO_STRUCT(ref->domains[num]); >+ >+ ref->domains[num].name.string = dom_name; >+ ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid); >+ if (!ref->domains[num].sid) { >+ return -1; >+ } >+ >+ return num; >+} >diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c >index f4dc4af..46f42d5 100644 >--- a/source3/rpc_server/lsa/srv_lsa_nt.c >+++ b/source3/rpc_server/lsa/srv_lsa_nt.c >@@ -49,6 +49,7 @@ > #include "../librpc/gen_ndr/ndr_wkssvc.h" > #include "../libcli/auth/libcli_auth.h" > #include "../libcli/lsarpc/util_lsarpc.h" >+#include "lsa.h" > > #undef DBGC_CLASS > #define DBGC_CLASS DBGC_RPC_SRV >@@ -98,53 +99,6 @@ const struct generic_mapping lsa_trusted_domain_mapping = { > }; > > /*************************************************************************** >- init_lsa_ref_domain_list - adds a domain if it's not already in, returns the index. >-***************************************************************************/ >- >-static int init_lsa_ref_domain_list(TALLOC_CTX *mem_ctx, >- struct lsa_RefDomainList *ref, >- const char *dom_name, >- struct dom_sid *dom_sid) >-{ >- int num = 0; >- >- if (dom_name != NULL) { >- for (num = 0; num < ref->count; num++) { >- if (dom_sid_equal(dom_sid, ref->domains[num].sid)) { >- return num; >- } >- } >- } else { >- num = ref->count; >- } >- >- if (num >= LSA_REF_DOMAIN_LIST_MULTIPLIER) { >- /* index not found, already at maximum domain limit */ >- return -1; >- } >- >- ref->count = num + 1; >- ref->max_size = LSA_REF_DOMAIN_LIST_MULTIPLIER; >- >- ref->domains = talloc_realloc(mem_ctx, ref->domains, >- struct lsa_DomainInfo, ref->count); >- if (!ref->domains) { >- return -1; >- } >- >- ZERO_STRUCT(ref->domains[num]); >- >- init_lsa_StringLarge(&ref->domains[num].name, dom_name); >- ref->domains[num].sid = dom_sid_dup(mem_ctx, dom_sid); >- if (!ref->domains[num].sid) { >- return -1; >- } >- >- return num; >-} >- >- >-/*************************************************************************** > initialize a lsa_DomainInfo structure. > ***************************************************************************/ > >diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build >index bd96b92..65daec4 100755 >--- a/source3/rpc_server/wscript_build >+++ b/source3/rpc_server/wscript_build >@@ -68,7 +68,7 @@ bld.SAMBA3_SUBSYSTEM('RPC_SAMR', > > bld.SAMBA3_SUBSYSTEM('RPC_LSARPC', > source=RPC_LSARPC_SRC, >- deps='SRV_ACCESS_CHECK', >+ deps='SRV_ACCESS_CHECK LIBLSA', > vars=locals()) > > bld.SAMBA3_SUBSYSTEM('RPC_WINREG', >diff --git a/source3/wscript_build b/source3/wscript_build >index 9461b05..c849604 100755 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -1171,6 +1171,9 @@ bld.SAMBA3_SUBSYSTEM('INIT_SAMR', > source='rpc_client/init_samr.c', > deps='samba-util') > >+bld.SAMBA3_SUBSYSTEM('LIBLSA', >+ source='lib/lsa.c') >+ > ########################## BINARIES ################################# > > bld.SAMBA3_BINARY('smbd/smbd', >@@ -1214,6 +1217,7 @@ bld.SAMBA3_BINARY('winbindd/winbindd', > RPC_NCACN_NP > RPC_PIPE_REGISTER > WB_REQTRANS >+ LIBLSA > ''', > enabled=bld.env.build_winbind, > install_path='${SBINDIR}', >-- >1.7.1 > > >From 67dd524782d8d215d62c09697fe8381682b874d9 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Thu, 11 Sep 2014 16:39:21 -0700 >Subject: [PATCH 2/2] s3-winbindd: Do not use domain SID from LookupSids for Sids2UnixIDs call > >Create a new lsa_RefDomainList and populate it with the domain SID from >the original query. That avoids the problem that for migrated objects, >LookupSids returns the SID of the new domain, and combining that with >the RID from the input results in an invalid SID. > >A better fix would be querying the RID of the user in the new domain, >but the approach here at least avoids id mappings entries for invalid >SIDs. > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Volker Lendecke <vl@samba.org> > >Autobuild-User(master): Volker Lendecke <vl@samba.org> >Autobuild-Date(master): Mon Sep 29 13:15:18 CEST 2014 on sn-devel-104 > >(cherry picked from commit 9c9216410faf707edc4ba05f2b715d45f7f51ca4) >--- > source3/winbindd/wb_sids2xids.c | 33 ++++++++++++++++++++++++++++++--- > 1 files changed, 30 insertions(+), 3 deletions(-) > >diff --git a/source3/winbindd/wb_sids2xids.c b/source3/winbindd/wb_sids2xids.c >index cbd4444..5b0dbbb 100644 >--- a/source3/winbindd/wb_sids2xids.c >+++ b/source3/winbindd/wb_sids2xids.c >@@ -23,6 +23,7 @@ > #include "../libcli/security/security.h" > #include "idmap_cache.h" > #include "librpc/gen_ndr/ndr_wbint_c.h" >+#include "lsa.h" > > struct wb_sids2xids_state { > struct tevent_context *ev; >@@ -38,6 +39,19 @@ struct wb_sids2xids_state { > struct lsa_RefDomainList *domains; > struct lsa_TransNameArray *names; > >+ /* >+ * Domain array to use for the idmap call. The output from >+ * lookupsids cannot be used directly since for migrated >+ * objects the returned domain SID can be different that the >+ * original one. The new domain SID cannot be combined with >+ * the RID from the previous domain. >+ * >+ * The proper way would be asking for the correct RID in the >+ * new domain, but this approach avoids id mappings for >+ * invalid SIDs. >+ */ >+ struct lsa_RefDomainList *idmap_doms; >+ > struct wbint_TransIDArray ids; > }; > >@@ -162,13 +176,26 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq) > return; > } > >+ state->idmap_doms = talloc_zero(state, struct lsa_RefDomainList); >+ if (tevent_req_nomem(state->idmap_doms, req)) { >+ return; >+ } >+ > for (i=0; i<state->num_non_cached; i++) { >+ struct dom_sid dom_sid; >+ struct lsa_DomainInfo *info; > struct lsa_TranslatedName *n = &state->names->names[i]; > struct wbint_TransID *t = &state->ids.ids[i]; > >+ sid_copy(&dom_sid, &state->non_cached[i]); >+ sid_split_rid(&dom_sid, &t->rid); >+ >+ info = &state->domains->domains[n->sid_index]; > t->type = lsa_SidType_to_id_type(n->sid_type); >- t->domain_index = n->sid_index; >- sid_peek_rid(&state->non_cached[i], &t->rid); >+ t->domain_index = init_lsa_ref_domain_list(state, >+ state->idmap_doms, >+ info->name.string, >+ &dom_sid); > t->xid.id = UINT32_MAX; > t->xid.type = t->type; > } >@@ -176,7 +203,7 @@ static void wb_sids2xids_lookupsids_done(struct tevent_req *subreq) > child = idmap_child(); > > subreq = dcerpc_wbint_Sids2UnixIDs_send( >- state, state->ev, child->binding_handle, state->domains, >+ state, state->ev, child->binding_handle, state->idmap_doms, > &state->ids); > if (tevent_req_nomem(subreq, req)) { > return; >-- >1.7.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
cs
:
review+
vl
:
review+
Actions:
View
Attachments on
bug 10838
:
10320
| 10321