From fb80e1158bb1a14f2602e65464909a213296cde1 Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Thu, 10 Mar 2016 10:38:29 +0100 Subject: [PATCH 1/5] s3:winbindd:idmap: add domain_has_idmap_config() helper function. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 Pair-Programmed-With: Guenther Deschner Signed-off-by: Michael Adam Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison --- source3/winbindd/idmap.c | 15 +++++++++++++++ source3/winbindd/winbindd_proto.h | 1 + 2 files changed, 16 insertions(+) diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c index 4012e70..39ee230 100644 --- a/source3/winbindd/idmap.c +++ b/source3/winbindd/idmap.c @@ -120,6 +120,21 @@ static bool idmap_init(void) return true; } +bool domain_has_idmap_config(const char *domname) +{ + int i; + + idmap_init(); + + for (i=0; iname, domname)) { + return true; + } + } + + return false; +} + static bool idmap_found_domain_backend( const char *string, regmatch_t matches[], void *private_data) { diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index dd389c2..12629ff 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -330,6 +330,7 @@ void init_idmap_child(void); struct winbindd_child *idmap_child(void); struct idmap_domain *idmap_find_domain_with_sid(const char *domname, const struct dom_sid *sid); +bool domain_has_idmap_config(const char *domname); /* The following definitions come from winbindd/winbindd_locator.c */ -- 2.5.5 From 55be1ee69743c94d33f4244ade848517fc98e264 Mon Sep 17 00:00:00 2001 
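Review bot: domain_has_idmap_config() is introduced as a non-static helper (and exported through winbindd_proto.h in the same patch) without a comment stating what "has idmap config" means, even though the answer is meant to decide whether a catch-all backend may claim a domain. A short header comment above the definition would pin that contract, e.g. `/* Return true when an explicit idmap configuration exists for domname; backends that would otherwise claim every domain must skip it in that case. */`. The loop header as rendered here, `for (i=0; iname, domname)) {`, is truncated — presumably text between angle brackets was dropped during extraction — so the comparison against the idmap_domains list cannot be checked from this view.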
From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Mar 2016 10:39:15 +0100 Subject: [PATCH 2/5] s3:winbindd:idmap_hash: skip domains that already have their own idmap configuration. Check if the domain from the list is not already configured to use another idmap backend. Not checking this makes the idmap_hash module map IDs for *all* domains implicitly. This is quite dangeorous in multi-idmap-config setups. Guenther BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 Pair-Programmed-With: Michael Adam Signed-off-by: Guenther Deschner Signed-off-by: Michael Adam Reviewed-by: Jeremy Allison --- source3/winbindd/idmap_hash/idmap_hash.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c index 51bbf5b..818d102 100644 --- a/source3/winbindd/idmap_hash/idmap_hash.c +++ b/source3/winbindd/idmap_hash/idmap_hash.c @@ -137,6 +137,19 @@ static NTSTATUS be_init(struct idmap_domain *dom) if (is_null_sid(&dom_list[i].sid)) continue; + + /* + * Check if the domain from the list is not already configured + * to use another idmap backend. Not checking this makes the + * idmap_hash module map IDs for *all* domains implicitly. This + * is quite dangerous in setups that use multiple idmap + * configurations. + */ + + if (domain_has_idmap_config(dom_list[i].domain_name)) { + continue; + } + if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) continue; -- 2.5.5 From 4632ad98c4af5a4e0a2723c0cf716439e376e61f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 10 Mar 2016 12:21:52 +0100 Subject: [PATCH 3/5] s3:winbindd:idmap: check loadparm in domain_has_idmap_config() helper as well. Guenther BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 Pair-Programmed-With: Michael Adam Signed-off-by: Guenther Deschner Signed-off-by: Michael Adam Reviewed-by: Jeremy Allison --- source3/winbindd/idmap.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) 
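Review bot: A domain skipped by the new domain_has_idmap_config() check leaves no trace in the log, so an administrator wondering why the hash backend does not map IDs for a particular domain has nothing to go on; the neighbouring null-SID skip is equally silent, but this one depends on configuration that is easy to get wrong. Logging before the `continue` would make the decision visible, e.g. `DEBUG(5, ("hash: skipping domain %s, it has its own idmap config\n", dom_list[i].domain_name));`. The blank line between the explanatory comment and the `if` it describes separates the two; dropping it keeps the comment attached to its statement. be_init() starts and ends outside the hunk.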
diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c index 39ee230..faf0df2 100644 --- a/source3/winbindd/idmap.c +++ b/source3/winbindd/idmap.c @@ -123,6 +123,9 @@ static bool idmap_init(void) bool domain_has_idmap_config(const char *domname) { int i; + char *config_option; + const char *range = NULL; + const char *backend = NULL; idmap_init(); @@ -132,6 +135,25 @@ bool domain_has_idmap_config(const char *domname) } } + /* fallback: also check loadparm */ + + config_option = talloc_asprintf(talloc_tos(), "idmap config %s", + domname); + if (config_option == NULL) { + DEBUG(0, ("out of memory\n")); + return false; + } + + range = lp_parm_const_string(-1, config_option, "range", NULL); + backend = lp_parm_const_string(-1, config_option, "backend", NULL); + if (range != NULL && backend != NULL) { + DEBUG(5, ("idmap configuration specified for domain '%s'\n", + domname)); + TALLOC_FREE(config_option); + return true; + } + + TALLOC_FREE(config_option); return false; } -- 2.5.5 From 4172491cbe7bb8ad2a7089efe15fbe46fcc123fb Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Mon, 14 Mar 2016 17:06:34 +0100 Subject: [PATCH 4/5] idmap_hash: rename be_init() --> idmap_hash_initialize() BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 Pair-Programmed-With: Guenther Deschner Signed-off-by: Michael Adam Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison --- source3/winbindd/idmap_hash/idmap_hash.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c index 818d102..ed9cc20 100644 --- a/source3/winbindd/idmap_hash/idmap_hash.c +++ b/source3/winbindd/idmap_hash/idmap_hash.c 
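Review bot: In the second hunk the loadparm fallback reports a domain as configured only when both `range` and `backend` are set, so a domain with just one of them is silently treated as having no configuration — and with the check added to idmap_hash earlier in this series, such a half-configured domain would then be handed to the hash backend. A log line on that path would make the misconfiguration visible, e.g. `} else if (range != NULL || backend != NULL) { DEBUG(1, ("incomplete idmap config for domain '%s': need both range and backend\n", domname)); }`; whether the idmap core rejects such a partial config elsewhere I cannot tell from this hunk. As a point of style, the two TALLOC_FREE(config_option) exits could be folded into one by computing a bool result and freeing once before the return. The start of domain_has_idmap_config() lies outside this hunk.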
@@ -104,7 +104,7 @@ static void separate_hashes(uint32_t id, /********************************************************************* ********************************************************************/ -static NTSTATUS be_init(struct idmap_domain *dom) +static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) { struct sid_hash_table *hashed_domains; NTSTATUS nt_status = NT_STATUS_UNSUCCESSFUL; @@ -153,10 +153,10 @@ static NTSTATUS be_init(struct idmap_domain *dom) if ((hash = hash_domain_sid(&dom_list[i].sid)) == 0) continue; - DEBUG(5,("hash:be_init() Adding %s (%s) -> %d\n", + DBG_INFO("Adding %s (%s) -> %d\n", dom_list[i].domain_name, sid_string_dbg(&dom_list[i].sid), - hash)); + hash); hashed_domains[hash].sid = talloc(hashed_domains, struct dom_sid); sid_copy(hashed_domains[hash].sid, &dom_list[i].sid); @@ -189,7 +189,7 @@ static NTSTATUS unixids_to_sids(struct idmap_domain *dom, ids[i]->status = ID_UNKNOWN; } - nt_status = be_init(dom); + nt_status = idmap_hash_initialize(dom); BAIL_ON_NTSTATUS_ERROR(nt_status); for (i=0; ids[i]; i++) { @@ -239,7 +239,7 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, ids[i]->status = ID_UNKNOWN; } - nt_status = be_init(dom); + nt_status = idmap_hash_initialize(dom); BAIL_ON_NTSTATUS_ERROR(nt_status); for (i=0; ids[i]; i++) { @@ -360,7 +360,7 @@ static NTSTATUS nss_hash_close(void) ********************************************************************/ static struct idmap_methods hash_idmap_methods = { - .init = be_init, + .init = idmap_hash_initialize, .unixids_to_sids = unixids_to_sids, .sids_to_unixids = sids_to_unixids, }; -- 2.5.5 From a16379c585a6f6e9470a8745b6043be8171eb615 Mon Sep 17 00:00:00 2001 
From: Michael Adam Date: Mon, 14 Mar 2016 17:07:34 +0100 Subject: [PATCH 5/5] idmap_hash: only allow the hash module for default idmap config. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11786 This module only makes sense as the default idmap config ("idmap config * : backend = hash" ...) Pair-Programmed-With: Guenther Deschner Signed-off-by: Michael Adam Signed-off-by: Guenther Deschner Reviewed-by: Jeremy Allison --- source3/winbindd/idmap_hash/idmap_hash.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c index ed9cc20..0aba36c 100644 --- a/source3/winbindd/idmap_hash/idmap_hash.c +++ b/source3/winbindd/idmap_hash/idmap_hash.c @@ -112,6 +112,13 @@ static NTSTATUS idmap_hash_initialize(struct idmap_domain *dom) size_t num_domains = 0; int i; + if (!strequal(dom->name, "*")) { + DBG_ERR("Error: idmap_hash configured for domain '%s'. " + "But the hash module can only be used for the default " + "idmap configuration.\n", dom->name); + return NT_STATUS_INVALID_PARAMETER; + } + /* If the domain SID hash table has been initialized, assume that we completed this function previously */ -- 2.5.5 From 5291462bd8a683b2d21b5f21ad73f84939aa2d67 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Tue, 22 Mar 2016 11:24:23 +0100 Subject: [PATCH] winbind: Fix CID 1357100 Unchecked return value MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Volker Lendecke Reviewed-by: Ralph Boehme Autobuild-User(master): Ralph Böhme Autobuild-Date(master): Tue Mar 22 15:49:14 CET 2016 on sn-devel-144 --- source3/winbindd/idmap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/source3/winbindd/idmap.c b/source3/winbindd/idmap.c index faf0df2..7eb7e58 100644 --- a/source3/winbindd/idmap.c +++ b/source3/winbindd/idmap.c 
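Review bot: The new domain-name guard sits before the "already initialized" shortcut, and idmap_hash_initialize() is invoked from unixids_to_sids() and sids_to_unixids() according to the preceding patch, so a misconfigured non-default domain will log this DBG_ERR message and fail on every mapping request rather than once. Failing closed is the right outcome, but the repeated error may flood the log; if that matters, a one-shot flag or a lower level on repeats would help — I cannot tell from the hunk whether the init method is also called once at load time. The "Error: " prefix duplicates what the DBG_ERR level already conveys; `DBG_ERR("idmap_hash configured for domain '%s', but the hash module can only be used for the default idmap configuration\n", dom->name);` reads cleaner. The rest of idmap_hash_initialize() is outside the hunk.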
@@ -126,8 +126,12 @@ bool domain_has_idmap_config(const char *domname) char *config_option; const char *range = NULL; const char *backend = NULL; + bool ok; - idmap_init(); + ok = idmap_init(); + if (!ok) { + return false; + } for (i=0; iname, domname)) { -- 2.5.5
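Review bot: Returning false when idmap_init() fails makes domain_has_idmap_config() answer "no configuration" on an initialization error, which is the permissive answer — callers such as idmap_hash treat false as permission to claim the domain. The loadparm fallback later in this function reads the configuration directly and does not appear to depend on idmap_init() having succeeded, so guarding only the idmap_domains loop with `if (ok) {` instead of returning early would keep the answer accurate; at minimum, logging the failure, `DBG_ERR("idmap_init() failed\n");`, before the return would make the silent fallback visible. Whether anything else relies on the early return I cannot tell from the hunk, and the function ends outside it.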