From 061fd03b04dbb433df87ce1514d172fbc05dca85 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 10 Jun 2016 15:07:43 +0200 Subject: [PATCH] winbindd: pass info about unknows SIDs to the idmap child When doing a SID to id mapping for a SID that is unkown in the SID's domain, the idmap child currrently doesn't know that it's processing an unknown SID. All it gets passed is a a lsa_RefDomainList with a NULL domain name. Thus the mapping requests ends up in the default idmap domain. Example request: wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs in: struct wbint_Sids2UnixIDs domains : * domains: struct lsa_RefDomainList count : 0x00000001 (1) domains : * domains: ARRAY(1) domains: struct lsa_DomainInfo name: struct lsa_StringLarge length : 0x0000 (0) size : 0x0002 (2) string : * string : '' sid : * sid : S-1-5-21-3152989960-574718769-2188965058 max_size : 0x00000020 (32) ids : * ids: struct wbint_TransIDArray num_ids : 0x00000001 (1) ids: ARRAY(1) ids: struct wbint_TransID type : ID_TYPE_NOT_SPECIFIED (0) domain_index : 0x00000000 (0) rid : 0x000029aa (66666) xid: struct unixid id : 0xffffffff (4294967295) type : ID_TYPE_NOT_SPECIFIED (0) The only indication that LsaLookupNames() for the SID returned "ENOENT" is in.domains[0].name.string = "". wbint_TransIDArray has no indication of this as well. Then in _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with a domain name "", this triggers use of the default idmap domain which in case of idmap_autorid will allocate an id from a idmap_autorid range. To fix this, add a checks whether domain name is "". Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961 Signed-off-by: Ralph Boehme --- source3/winbindd/winbindd_dual_srv.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c index fb65e9d..eee688a 100644 --- a/source3/winbindd/winbindd_dual_srv.c +++ b/source3/winbindd/winbindd_dual_srv.c @@ -128,7 +128,7 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, uint32_t num_ids; struct id_map **id_map_ptrs = NULL; - struct idmap_domain *dom; + struct idmap_domain *dom = NULL; NTSTATUS status = NT_STATUS_NO_MEMORY; if (r->in.domains->count != 1) { @@ -139,7 +139,19 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, ids = r->in.ids->ids; num_ids = r->in.ids->num_ids; - dom = idmap_find_domain_with_sid(d->name.string, d->sid); + if (d->name.string[0] != '\0') { + /* + * LsaLookupNames for a SID qfailed, so we have the + * domain SID but not the name. This is currently the + * only clue we get from our caller for mapping + * requests for unknown SIDs. + * + * It would be possible to filter unknown SIDs early + * in the caller, but that would severely complicate + * the logic, so we do it here. + */ + dom = idmap_find_domain_with_sid(d->name.string, d->sid); + } if (dom == NULL) { DEBUG(10, ("idmap domain %s:%s not found\n", d->name.string, sid_string_dbg(d->sid))); -- 1.9.1