From ec5b18f9a30cae9b2fa9050361221fd0479591eb Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Thu, 4 Jun 2015 12:11:27 -0700
Subject: [PATCH 1/2] idmap_rfc2307: Fix wbinfo --gid-to-sid query

Fix syntax error in LDAP query for gidNumber.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11313

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 835c278e43b9dec98834de0fb12445720e9df2e5)
---
 source3/winbindd/idmap_rfc2307.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index db8bab6..f2fcd98 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -374,7 +374,7 @@ again:
 			break;
 		case ID_TYPE_GID:
 			fltr_grp = talloc_asprintf_append_buffer(fltr_grp,
-					"(gidNumber=%d))", ids[idx]->xid.id);
+					"(gidNumber=%d)", ids[idx]->xid.id);
 			cnt_grp++;
 			break;
 		default:
-- 
1.7.1


From a6de25dd46c0e59796c596c673db324bea592579 Mon Sep 17 00:00:00 2001
From: Christof Schmitt <cs@samba.org>
Date: Fri, 5 Jun 2015 08:26:43 -0700
Subject: [PATCH 2/2] nsswitch: Extend idmap_rfc2307 testcase for reverse lookup

Also test the codepaths to map UID and GID back to SID and names.  Use
different user and group to avoid returning results cached from the
previous lookups.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11313

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jun  5 01:24:32 CEST 2015 on sn-devel-104
(cherry picked from commit c1c07b462058f863e706127203e6f30dba89a2a9)
---
 nsswitch/tests/test_idmap_rfc2307.sh |   72 +++++++++++++++++++++++++++++----
 source3/selftest/tests.py            |    2 +-
 2 files changed, 64 insertions(+), 10 deletions(-)

diff --git a/nsswitch/tests/test_idmap_rfc2307.sh b/nsswitch/tests/test_idmap_rfc2307.sh
index b9efd34..fc4c383 100755
--- a/nsswitch/tests/test_idmap_rfc2307.sh
+++ b/nsswitch/tests/test_idmap_rfc2307.sh
@@ -1,21 +1,24 @@
 #!/bin/sh
 # Test id mapping through idmap_rfc2307 module
 if [ $# -lt 9 ]; then
-	echo Usage: $0 DOMAIN USERNAME UID GROUPNAME GID LDAPPREFIX DC_SERVER DC_USERNAME DC_PASSWORD
+	echo Usage: $0 DOMAIN USERNAME UID USERNAME2 UID2 GROUPNAME GID GROUPNAME2 GID2 LDAPPREFIX DC_SERVER DC_USERNAME DC_PASSWORD
 	exit 1
 fi
 
 DOMAIN="$1"
 USERNAME="$2"
 USERUID="$3"
-GROUPNAME="$4"
-GROUPGID="$5"
-LDAPPREFIX="$6"
-DC_SERVER="$7"
-DC_USERNAME="$8"
-DC_PASSWORD="$9"
-
-echo called with: $1 $2 $3 $4 $5 $6 $7 $8 $9
+USERNAME2="$4"
+USERUID2="$5"
+GROUPNAME="$6"
+GROUPGID="$7"
+GROUPNAME2="$8"
+GROUPGID2="$9"
+shift 9
+LDAPPREFIX="$1"
+DC_SERVER="$2"
+DC_USERNAME="$3"
+DC_PASSWORD="$4"
 
 wbinfo="$VALGRIND $BINDIR/wbinfo"
 ldbadd="$BINDIR/ldbadd"
@@ -26,7 +29,9 @@ failed=0
 
 # Delete LDAP records
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$USERNAME,$LDAPPREFIX"
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$USERNAME2,$LDAPPREFIX"
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$GROUPNAME,$LDAPPREFIX"
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$GROUPNAME2,$LDAPPREFIX"
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX"
 
 # Add id mapping information to LDAP
@@ -53,6 +58,20 @@ EOF
 testit "add ldap user mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD $PREFIX/tmpldb
 
 cat > $PREFIX/tmpldb <<EOF
+dn: cn=$USERNAME2,$LDAPPREFIX
+objectClass: organizationalPerson
+objectClass: posixAccount
+ou: People
+cn: $USERNAME2
+uid: $USERNAME2
+uidNumber: $USERUID2
+gidNumber: 2
+homeDirectory: /home/admin
+EOF
+
+testit "add second ldap user mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD $PREFIX/tmpldb
+
+cat > $PREFIX/tmpldb <<EOF
 dn: cn=$GROUPNAME,$LDAPPREFIX
 objectClass: posixGroup
 objectClass: groupOfNames
@@ -63,6 +82,17 @@ EOF
 
 testit "add ldap group mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD $PREFIX/tmpldb
 
+cat > $PREFIX/tmpldb <<EOF
+dn: cn=$GROUPNAME2,$LDAPPREFIX
+objectClass: posixGroup
+objectClass: groupOfNames
+cn: $GROUPNAME2
+gidNumber: $GROUPGID2
+member: cn=$USERNAME,$LDAPPREFIX
+EOF
+
+testit "add second ldap group mapping record" $VALGRIND $ldbadd -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD $PREFIX/tmpldb
+
 rm -f $PREFIX/tmpldbmodify
 
 testit "wbinfo --name-to-sid" $wbinfo --name-to-sid "$DOMAIN\\$USERNAME" || failed=$(expr $failed + 1)
@@ -86,9 +116,33 @@ echo "$DOMAIN\\$GROUPNAME resolved to $group_gid"
 
 testit "test $group_gid -eq $GROUPGID" test $group_gid -eq $GROUPGID || failed=$(expr $failed + 1)
 
+# Use different user and group for reverse lookup to not read from cache
+
+testit "$wbinfo --uid-to-sid=$USERUID2" $wbinfo --uid-to-sid=$USERUID2 || failed=$(expr $failed + 1)
+user_sid2=$($wbinfo --uid-to-sid=$USERUID2 | cut -d " " -f1)
+echo "UID $USERUID2 resolved to SID $user_sid2"
+
+testit "$wbinfo --sid-to-name=$user_sid2" $wbinfo --sid-to-name=$user_sid2 || failed=$(expr $failed + 1)
+user_name2=$($wbinfo --sid-to-name=$user_sid2 | cut -d " " -f1)
+echo "SID $user_sid2 resolved to $user_name2"
+
+testit "test $user_name2 = $DOMAIN\\$USERNAME2" test "$(echo $user_name2 | tr A-Z a-z)" = "$(echo $DOMAIN\\$USERNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
+testit "$wbinfo --gid-to-sid=$GROUPGID2" $wbinfo --gid-to-sid=$GROUPGID2 || failed=$(expr $failed + 1)
+group_sid2=$($wbinfo --gid-to-sid=$GROUPGID2 | cut -d " " -f1)
+echo "GID $GROUPGID2 resolved to SID $group_sid2"
+
+testit "$wbinfo --sid-to-name=$group_sid2" $wbinfo --sid-to-name=$group_sid2 || failed=$(expr $failed + 1)
+group_name2=$($wbinfo --sid-to-name=$group_sid2 | cut -d " " -f1)
+echo "SID $group_sid2 resolved to $group_name2"
+
+testit "test $group_name2 = $DOMAIN\\$GROUPNAME2" test "$(echo $group_name2 | tr A-Z a-z)" = "$(echo $DOMAIN\\$GROUPNAME2 | tr A-Z a-z)" || failed=$(expr $failed + 1)
+
 # Delete LDAP records
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$USERNAME,$LDAPPREFIX"
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$USERNAME2,$LDAPPREFIX"
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$GROUPNAME,$LDAPPREFIX"
+$VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "cn=$GROUPNAME2,$LDAPPREFIX"
 $VALGRIND $ldbdel -H ldap://$DC_SERVER -U$DOMAIN/$DC_USERNAME%$DC_PASSWORD "$LDAPPREFIX"
 
 exit $failed
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 85d67d6..a926e1e 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -343,7 +343,7 @@ for t in tests:
         plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/write-list-tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "plugin_s4_dc", '//$SERVER/tmp -U$USERNAME%$PASSWORD')
     elif t == "idmap.rfc2307":
-        plantestsuite(t, "s3member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rfc2307.sh"), '$DOMAIN', 'Administrator', '2000000', '"Domain Users"', '2000001', 'ou=idmap,dc=samba,dc=example,dc=com', '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD'])
+        plantestsuite(t, "s3member_rfc2307", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rfc2307.sh"), '$DOMAIN', 'Administrator', '2000000', 'Guest', '2000001', '"Domain Users"', '2000002', 'DnsAdmins', '2000003', 'ou=idmap,dc=samba,dc=example,dc=com', '$DC_SERVER', '$DC_USERNAME', '$DC_PASSWORD'])
     elif t == "raw.acls":
         plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
         plansmbtorture4testsuite(t, "s3dc", '//$SERVER_IP/nfs4acl_simple -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple')
-- 
1.7.1