The Samba-Bugzilla – Attachment 12175 Details for
Bug 11961
idmap_autorid allocates ids for unknown SIDs from other backends
[patch]
Patch for master
master-idmap.patch (text/plain), 3.90 KB, created by
Ralph Böhme
on 2016-06-10 16:15:53 UTC
>From 061fd03b04dbb433df87ce1514d172fbc05dca85 Mon Sep 17 00:00:00 2001
>From: Ralph Boehme <slow@samba.org>
>Date: Fri, 10 Jun 2016 15:07:43 +0200
>Subject: [PATCH] winbindd: pass info about unknown SIDs to the idmap child
>
>When doing a SID to id mapping for a SID that is unknown in the SID's
>domain, the idmap child currently doesn't know that it's processing an
>unknown SID. All it gets passed is a lsa_RefDomainList with a NULL
>domain name. Thus the mapping request ends up in the default idmap
>domain.
>
>Example request:
>
> wbint_Sids2UnixIDs: struct wbint_Sids2UnixIDs
> in: struct wbint_Sids2UnixIDs
> domains : *
> domains: struct lsa_RefDomainList
> count : 0x00000001 (1)
> domains : *
> domains: ARRAY(1)
> domains: struct lsa_DomainInfo
> name: struct lsa_StringLarge
> length : 0x0000 (0)
> size : 0x0002 (2)
> string : *
> string : ''
> sid : *
> sid : S-1-5-21-3152989960-574718769-2188965058
> max_size : 0x00000020 (32)
> ids : *
> ids: struct wbint_TransIDArray
> num_ids : 0x00000001 (1)
> ids: ARRAY(1)
> ids: struct wbint_TransID
> type : ID_TYPE_NOT_SPECIFIED (0)
> domain_index : 0x00000000 (0)
> rid : 0x000029aa (66666)
> xid: struct unixid
> id : 0xffffffff (4294967295)
> type : ID_TYPE_NOT_SPECIFIED (0)
>
>The only indication that LsaLookupNames() for the SID returned "ENOENT"
>is in.domains[0].name.string = "". wbint_TransIDArray has no indication
>of this as well.
>
>Then in _wbint_Sids2UnixIDs() we call idmap_find_domain_with_sid() with
>a domain name "", this triggers use of the default idmap domain which in
>case of idmap_autorid will allocate an id from an idmap_autorid range.
>
>To fix this, add a check whether domain name is "".
>
>Bug: https://bugzilla.samba.org/show_bug.cgi?id=11961
>
>Signed-off-by: Ralph Boehme <slow@samba.org>
>---
> source3/winbindd/winbindd_dual_srv.c | 16 ++++++++++++++--
> 1 file changed, 14 insertions(+), 2 deletions(-)
> >diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c >index fb65e9d..eee688a 100644 >--- a/source3/winbindd/winbindd_dual_srv.c >+++ b/source3/winbindd/winbindd_dual_srv.c >@@ -128,7 +128,7 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, > uint32_t num_ids; > > struct id_map **id_map_ptrs = NULL; >- struct idmap_domain *dom; >+ struct idmap_domain *dom = NULL; > NTSTATUS status = NT_STATUS_NO_MEMORY; > > if (r->in.domains->count != 1) { >@@ -139,7 +139,19 @@ NTSTATUS _wbint_Sids2UnixIDs(struct pipes_struct *p, > ids = r->in.ids->ids; > num_ids = r->in.ids->num_ids; > >- dom = idmap_find_domain_with_sid(d->name.string, d->sid); >+ if (d->name.string[0] != '\0') { >+ /* >+ * LsaLookupNames for a SID qfailed, so we have the >+ * domain SID but not the name. This is currently the >+ * only clue we get from our caller for mapping >+ * requests for unknown SIDs. >+ * >+ * It would be possible to filter unknown SIDs early >+ * in the caller, but that would severely complicate >+ * the logic, so we do it here. >+ */ >+ dom = idmap_find_domain_with_sid(d->name.string, d->sid); >+ } > if (dom == NULL) { > DEBUG(10, ("idmap domain %s:%s not found\n", > d->name.string, sid_string_dbg(d->sid))); >-- >1.9.1 >
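Review bot: In the second hunk the new test `d->name.string[0] != '\0'` dereferences `d->name.string` without checking the pointer, although the commit message describes the unknown-SID case as a "NULL domain name"; testing `d->name.string != NULL && d->name.string[0] != '\0'` would cover both a missing and an empty name. The block comment also sits inside the branch that runs when the name is present, yet it describes the case where the lookup failed and only the domain SID is known, so it reads as the opposite of the code it annotates; moving it above the `if` and fixing the "qfailed" typo would make the intent clear. With the lookup skipped, the existing `dom == NULL` path now logs "idmap domain %s:%s not found" with an empty name at debug level 10, so a separate message for the unknown-SID case would make these requests easier to tell apart from a genuinely missing idmap domain in the logs.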