The Samba-Bugzilla – Attachment 13144 Details for Bug 12727: Lookup-domain for well-known SIDs on a DC
[patch] Patch for 4.5 and 4.6 cherry-picked from master
bug12727-v45,v46.patch (text/plain), 9.33 KB, created by Ralph Böhme on 2017-04-07 09:18:06 UTC
>From e7ebd291a81f2b0bd12cac1221e379c49406a858 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Thu, 30 Mar 2017 23:41:59 +0200 >Subject: [PATCH 1/5] winbindd: use passdb backend for well-known SIDs > >On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the >local domain, otherwise something simple like this fails with >WBC_ERR_DOMAIN_NOT_FOUND: > >$ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1 > >localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0 >failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND >Could not lookup sid S-1-1-0 > >On a member server asking our DC works and is what we're currently >doing, but changing it to ask passdb avoids the overhead. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 6b7a14b4b9c3411bd2e05383917e8fdedae51c90) >--- > selftest/knownfail | 2 -- > source3/winbindd/winbindd_util.c | 13 +++++++++---- > 2 files changed, 9 insertions(+), 6 deletions(-) > >diff --git a/selftest/knownfail b/selftest/knownfail >index 6ca0244..d16d723 100644 >--- a/selftest/knownfail >+++ b/selftest/knownfail 
>@@ -22,14 +22,12 @@ > ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled > ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled > ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet. >-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\) >-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\) > ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\) >diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c >index d9a0d51..8a97e80 100644 >--- a/source3/winbindd/winbindd_util.c >+++ b/source3/winbindd/winbindd_util.c 
>@@ -1030,12 +1030,19 @@ struct winbindd_domain *find_root_domain(void) > > struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) > { >- /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */ >+ DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid)); >+ >+ /* >+ * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled >+ * by our passdb. >+ */ > > if ( sid_check_is_in_unix_groups(sid) || > sid_check_is_unix_groups(sid) || > sid_check_is_in_unix_users(sid) || >- sid_check_is_unix_users(sid) ) >+ sid_check_is_unix_users(sid) || >+ sid_check_is_wellknown_domain(sid, NULL) || >+ sid_check_is_in_wellknown_domain(sid) ) > { > return find_domain_from_sid(get_global_sam_sid()); > } >@@ -1044,8 +1051,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid) > * one to contact the external DC's. On member servers the internal > * domains are different: These are part of the local SAM. */ > >- DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid))); >- > if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) { > DEBUG(10, ("calling find_domain_from_sid\n")); > return find_domain_from_sid(sid); >-- >2.9.3 > > >From 005cd2d88c8e48638313d5e52f41c3e2314fbe00 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 31 Mar 2017 16:06:18 +0200 >Subject: [PATCH 2/5] selftest: wbinfo -s tests for wellknown SIDs > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 2150de3a73527850547263e853faf4f3fedca6e6) >--- > nsswitch/tests/test_wbinfo.sh | 20 ++++++++++++++++++++ > 1 file changed, 20 insertions(+) > >diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh >index cfe582d..819bc98 100755 >--- a/nsswitch/tests/test_wbinfo.sh >+++ b/nsswitch/tests/test_wbinfo.sh 
>@@ -88,6 +88,26 @@ else > echo "success: wbinfo -s check for sane mapping" > fi > >+WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5" >+ >+printf "$WELL_KNOWN_SIDS" | while read SID ; do >+ read NAME >+ >+ testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1` >+ >+ RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z` >+ echo "$SID resolved to $RESOLVED_NAME" >+ >+ echo "test: wbinfo -s $SID against $TARGET" >+ if test x"$RESOLVED_NAME" != x"$NAME" ; then >+ echo "$RESOLVED_NAME does not match $NAME" >+ echo "failure: wbinfo -s $SID against $TARGET" >+ failed=`expr $failed + 1` >+ else >+ echo "success: wbinfo -s $SID against $TARGET" >+ fi >+done >+ > testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1` > test_sid=`$wbinfo -n $tested_name | cut -d " " -f1` > >-- >2.9.3 > > >From d9e150efd9254d21d17a50a2934a22d7b3390012 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 31 Mar 2017 16:24:05 +0200 >Subject: [PATCH 3/5] selftest: wbinfo --sids-to-unix-ids tests for wellknown > SIDs > >This test passes even without the fix, as in sids2xids we use the >lookupnames just to determine the mapping domain, using the default >idmap domain as fallback if that fails. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 8bd5f774fdc1f4ea012885262eb0f40640504de8) >--- > source3/script/tests/test_wbinfo_sids2xids_int.py | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/script/tests/test_wbinfo_sids2xids_int.py b/source3/script/tests/test_wbinfo_sids2xids_int.py >index f3dbed8..3ad3156 100755 >--- a/source3/script/tests/test_wbinfo_sids2xids_int.py >+++ b/source3/script/tests/test_wbinfo_sids2xids_int.py 
>@@ -29,7 +29,7 @@ domsid = domsid.split(' ')[0] > #print domain > #print domsid > >-sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513' ] >+sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513', 'S-1-1-0', 'S-1-3-1', 'S-1-5-1' ] > > flush_cache() > >-- >2.9.3 > > >From 39768bef2146f817a268b164c6d58b38600da4c6 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Sun, 2 Apr 2017 13:42:45 +0200 >Subject: [PATCH 4/5] winbindd: explicit check for well-known SIDs in > wb_lookupsids_bulk() > >Those are implicitly already catched by the > > if (sid->num_auths != 5) > >check, but I'd like to make the desired behaviour more obvious. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 167bb5ead8c7193d173fdba8a453279d422fa7ea) >--- > source3/winbindd/wb_lookupsids.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > >diff --git a/source3/winbindd/wb_lookupsids.c b/source3/winbindd/wb_lookupsids.c >index c395f54..1cbc4f7 100644 >--- a/source3/winbindd/wb_lookupsids.c >+++ b/source3/winbindd/wb_lookupsids.c >@@ -292,7 +292,10 @@ static bool wb_lookupsids_bulk(const struct dom_sid *sid) > sid_check_is_in_unix_users(sid) || > sid_check_is_unix_users(sid) || > sid_check_is_in_builtin(sid) || >- sid_check_is_builtin(sid)) { >+ sid_check_is_builtin(sid) || >+ sid_check_is_wellknown_domain(sid, NULL) || >+ sid_check_is_in_wellknown_domain(sid)) >+ { > /* > * These are locally done piece by piece anyway, no > * need for bulk optimizations. >-- >2.9.3 > > >From f5954691adc3909f382b0e172b9cc681fac30c1c Mon Sep 17 00:00:00 2001 
>From: Ralph Boehme <slow@samba.org> >Date: Fri, 31 Mar 2017 16:06:18 +0200 >Subject: [PATCH 5/5] selftest: fix for wbinfo -s tests for wellknown SIDs > >Rework while loop to not use a pipe as that uses a subshell for the loop >which means assigning to the variable failed is not visible in the >main script. > >Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit d8fd56a8244a3010469c27eaa3b73a2c5fbbc41f) >--- > nsswitch/tests/test_wbinfo.sh | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > >diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh >index 819bc98..ff99a96 100755 >--- a/nsswitch/tests/test_wbinfo.sh >+++ b/nsswitch/tests/test_wbinfo.sh >@@ -88,9 +88,7 @@ else > echo "success: wbinfo -s check for sane mapping" > fi > >-WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5" >- >-printf "$WELL_KNOWN_SIDS" | while read SID ; do >+while read SID ; do > read NAME > > testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1` >@@ -106,7 +104,14 @@ printf "$WELL_KNOWN_SIDS" | while read SID ; do > else > echo "success: wbinfo -s $SID against $TARGET" > fi >-done >+done <<EOF >+S-1-1-0 >+/EVERYONE 5 >+S-1-3-1 >+/CREATOR GROUP 5 >+S-1-5-1 >+NT AUTHORITY/DIALUP 5 >+EOF > > testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1` > test_sid=`$wbinfo -n $tested_name | cut -d " " -f1` >-- >2.9.3 >
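Review bot: In 1/5, the selftest/knownfail hunk drops the entries "samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)" and "samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)", but the commit message only describes the failing "wbinfo --sid-to-name S-1-1-0" lookup. Please add a sentence saying why these two ACL tests start passing with the winbindd change, so the link between the knownfail removal and the well-known SID lookup is on record.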
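Review bot: In 1/5, find_lookup_domain_from_sid(), the new sid_check_is_wellknown_domain(sid, NULL) and sid_check_is_in_wellknown_domain(sid) tests sit before the "if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid))" branch, so they take effect on member servers as well as on DCs. The commit message says so, the new code comment does not. Suggest extending the comment to state that well-known SIDs go to passdb regardless of server role, so the check is not later moved under IS_DC by mistake.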
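Review bot: In 2/5, nsswitch/tests/test_wbinfo.sh, the loop is fed through a pipe (printf "$WELL_KNOWN_SIDS" | while read SID ; do), so its body runs in a subshell and both failed=`expr $failed + 1` assignments are lost when the loop ends. A wrong name is printed as a failure line but never counted in the script's own total. 5/5 reworks this with a here-document; taken alone, this commit can leave failed at zero with a failing SID. WELL_KNOWN_SIDS is also passed as the printf format string, which the here-document form avoids as well.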
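Review bot: In 3/5, the extended sids list in test_wbinfo_sids2xids_int.py does not guard the fix: per the commit message the test passes without it, because sids2xids falls back to the default idmap domain when the lookup fails. Suggest a short comment above the list saying that 'S-1-1-0', 'S-1-3-1' and 'S-1-5-1' are there to cover the mapping path only, and that the lookup regression itself is covered by the wbinfo -s test added in 2/5.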
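Review bot: In 4/5, wb_lookupsids_bulk() now repeats the pair of checks added to find_lookup_domain_from_sid() in 1/5 (sid_check_is_wellknown_domain(sid, NULL) || sid_check_is_in_wellknown_domain(sid)), next to the same unix users/groups checks. Two hand-maintained lists of locally handled SID classes can drift apart; consider one shared helper used by both functions. The comment under the condition ("These are locally done piece by piece anyway") could also name the well-known SIDs, since the commit message says the aim is to make the desired behaviour obvious.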
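Review bot: In 5/5, the reworked loop in nsswitch/tests/test_wbinfo.sh still passes "wbinfo -s $SID against $TARGET" to testit and reuses the identical string in the hand-written success:/failure: lines, so the exit-status check and the name comparison are reported under one name and cannot be told apart in the results. Suggest a distinct name for the comparison, for example "wbinfo -s $SID name check against $TARGET". The loop also runs $wbinfo -s $SID twice per SID; capturing the output once and testing both exit status and name from that would halve the calls.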
Flags: metze: review+