The Samba-Bugzilla – Attachment 14904 Details for
Bug 13813
idmap cache pollution with S-1-22- IDs on winbind hickup
[patch]
Patch v3 for 4.10.rcNext
bug-13813-v3-4.10.x.patch (text/plain), 53.60 KB, created by
Jeremy Allison
on 2019-03-06 20:07:13 UTC
>From 9789ca6359c85489a524c2affd3a9790ff028000 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 25 Feb 2019 14:38:50 +0100 >Subject: [PATCH 01/13] lib: Make idmap_cache return negative mappings > >Without this we'd query non-existent mappings over and over >again. > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit d9303e8eb90d48f09f2e2e8bdf01f4a7c3c21d11) >--- > source3/lib/idmap_cache.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > >diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c >index 77618dd5aa1..244a727e01b 100644 >--- a/source3/lib/idmap_cache.c >+++ b/source3/lib/idmap_cache.c >@@ -215,7 +215,12 @@ static void idmap_cache_xid2sid_parser(const struct gencache_timeout *timeout, > > value = (char *)blob.data; > >- if (value[0] != '-') { >+ if ((value[0] == '-') && (value[1] == '\0')) { >+ /* >+ * Return NULL SID, see comment to uid2sid >+ */ >+ state->ret = true; >+ } else { > state->ret = string_to_sid(state->sid, value); > } > if (state->ret) { >-- >2.21.0.352.gf09ad66450-goog > > >From 40320cc7c6d3ed7a5c208945e76404b54e795dbe Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 12:46:39 +0100 >Subject: [PATCH 02/13] idmap_cache: Only touch "sid" on success in > find_xid_to_sid > >Why? This makes the negative mapping condition (is_null_sid) more >explicit in the code. > >The callers in lookup_sid initialized "psid" anyway before, and the ones >in wb_xids2sids now do as well. This is more in line with other APIs we >have: Only touch output parameters if you have something to say. 
> >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit 4faf3e9f6da7515fc263d79f77226d105c2f8524) >--- > source3/lib/idmap_cache.c | 5 ++--- > source3/winbindd/wb_xids2sids.c | 2 +- > 2 files changed, 3 insertions(+), 4 deletions(-) > >diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c >index 244a727e01b..10c1e8b1e7a 100644 >--- a/source3/lib/idmap_cache.c >+++ b/source3/lib/idmap_cache.c >@@ -203,13 +203,11 @@ static void idmap_cache_xid2sid_parser(const struct gencache_timeout *timeout, > (struct idmap_cache_xid2sid_state *)private_data; > char *value; > >- ZERO_STRUCTP(state->sid); >- state->ret = false; >- > if ((blob.length == 0) || (blob.data[blob.length-1] != 0)) { > /* > * Not a string, can't be a valid mapping > */ >+ state->ret = false; > return; > } > >@@ -219,6 +217,7 @@ static void idmap_cache_xid2sid_parser(const struct gencache_timeout *timeout, > /* > * Return NULL SID, see comment to uid2sid > */ >+ *state->sid = (struct dom_sid) {0}; > state->ret = true; > } else { > state->ret = string_to_sid(state->sid, value); >diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c >index fdd98a3d9bf..4aaabc1c15b 100644 >--- a/source3/winbindd/wb_xids2sids.c >+++ b/source3/winbindd/wb_xids2sids.c >@@ -465,7 +465,7 @@ struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx, > uint32_t i; > > for (i=0; i<num_xids; i++) { >- struct dom_sid sid; >+ struct dom_sid sid = {0}; > bool ok, expired; > > switch (xids[i].type) { >-- >2.21.0.352.gf09ad66450-goog > > >From 28980d1eaabc42171fd19d5b72ec31257e92fcf0 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 12:52:28 +0100 >Subject: [PATCH 03/13] winbind: Initialize "expired" parameter to > idmap_cache_xid2sid > >The code in idmap_cache only touches its output parameters upon success 
> >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit 8c28c12702c0935a852c7fed6565987623f09fee) >--- > source3/winbindd/wb_xids2sids.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c >index 4aaabc1c15b..3267dfa0e81 100644 >--- a/source3/winbindd/wb_xids2sids.c >+++ b/source3/winbindd/wb_xids2sids.c >@@ -466,7 +466,7 @@ struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx, > > for (i=0; i<num_xids; i++) { > struct dom_sid sid = {0}; >- bool ok, expired; >+ bool ok, expired = true; > > switch (xids[i].type) { > case ID_TYPE_UID: >-- >2.21.0.352.gf09ad66450-goog > > >From 4170e7656f2d50d73cdbdf909a9b9b6664307b87 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Mon, 25 Feb 2019 14:55:00 +0100 >Subject: [PATCH 04/13] winbind: Now we explicitly track if we got ids from > cache > >This now properly makes us use negative cache entries > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit 95d33ca79cc315f1a2e41cd60859ef01d6548c77) >--- > source3/winbindd/wb_xids2sids.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) > >diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c >index 3267dfa0e81..2ba574664bf 100644 >--- a/source3/winbindd/wb_xids2sids.c >+++ b/source3/winbindd/wb_xids2sids.c >@@ -246,6 +246,7 @@ static NTSTATUS wb_xids2sids_init_dom_maps_recv(struct tevent_req *req) > struct wb_xids2sids_dom_state { > struct tevent_context *ev; > struct unixid *all_xids; >+ const bool *cached; > size_t num_all_xids; > struct dom_sid *all_sids; > struct wb_xids2sids_dom_map *dom_map; 
>@@ -262,7 +263,10 @@ static void wb_xids2sids_dom_gotdc(struct tevent_req *subreq); > static struct tevent_req *wb_xids2sids_dom_send( > TALLOC_CTX *mem_ctx, struct tevent_context *ev, > struct wb_xids2sids_dom_map *dom_map, >- struct unixid *xids, size_t num_xids, struct dom_sid *sids) >+ struct unixid *xids, >+ const bool *cached, >+ size_t num_xids, >+ struct dom_sid *sids) > { > struct tevent_req *req, *subreq; > struct wb_xids2sids_dom_state *state; >@@ -276,6 +280,7 @@ static struct tevent_req *wb_xids2sids_dom_send( > } > state->ev = ev; > state->all_xids = xids; >+ state->cached = cached; > state->num_all_xids = num_xids; > state->all_sids = sids; > state->dom_map = dom_map; >@@ -296,7 +301,7 @@ static struct tevent_req *wb_xids2sids_dom_send( > /* out of range */ > continue; > } >- if (!is_null_sid(&state->all_sids[i])) { >+ if (state->cached[i]) { > /* already mapped */ > continue; > } >@@ -363,7 +368,7 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq) > /* out of range */ > continue; > } >- if (!is_null_sid(&state->all_sids[i])) { >+ if (state->cached[i]) { > /* already mapped */ > continue; > } >@@ -520,7 +525,7 @@ static void wb_xids2sids_init_dom_maps_done(struct tevent_req *subreq) > > subreq = wb_xids2sids_dom_send( > state, state->ev, &dom_maps[state->dom_idx], >- state->xids, state->num_xids, state->sids); >+ state->xids, state->cached, state->num_xids, state->sids); > if (tevent_req_nomem(subreq, req)) { > return; > } >@@ -551,6 +556,7 @@ static void wb_xids2sids_done(struct tevent_req *subreq) > state->ev, > &dom_maps[state->dom_idx], > state->xids, >+ state->cached, > state->num_xids, > state->sids); > if (tevent_req_nomem(subreq, req)) { >-- >2.21.0.352.gf09ad66450-goog > > >From fbcb6cd1dabaac887b31e6d4c604e7e9c63b9a7a Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 14:32:52 +0100 >Subject: [PATCH 05/13] idmap_cache: Introduce idmap_cache_find_xid2sid 
> >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit bb8122dd8c53bb307819a79b7888cc0940a7c13b) >--- > source3/lib/idmap_cache.c | 36 ++++++++++++++++++++++++++++++++++++ > source3/lib/idmap_cache.h | 2 ++ > 2 files changed, 38 insertions(+) > >diff --git a/source3/lib/idmap_cache.c b/source3/lib/idmap_cache.c >index 10c1e8b1e7a..9d2149844ed 100644 >--- a/source3/lib/idmap_cache.c >+++ b/source3/lib/idmap_cache.c >@@ -277,6 +277,42 @@ bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired) > return state.ret; > } > >+/** >+ * Find a xid2sid mapping >+ * @param[in] id the unix id to map >+ * @param[out] sid where to put the result >+ * @param[out] expired is the cache entry expired? >+ * @retval Was anything in the cache at all? >+ * >+ * If "is_null_sid(sid)", this was a negative mapping. >+ */ >+bool idmap_cache_find_xid2sid( >+ const struct unixid *id, struct dom_sid *sid, bool *expired) >+{ >+ struct idmap_cache_xid2sid_state state = { >+ .sid = sid, .expired = expired >+ }; >+ fstring key; >+ char c; >+ >+ switch (id->type) { >+ case ID_TYPE_UID: >+ c = 'U'; >+ break; >+ case ID_TYPE_GID: >+ c = 'G'; >+ break; >+ default: >+ return false; >+ } >+ >+ fstr_sprintf(key, "IDMAP/%cID2SID/%d", c, (int)id->id); >+ >+ gencache_parse(key, idmap_cache_xid2sid_parser, &state); >+ return state.ret; >+} >+ >+ > /** > * Store a mapping in the idmap cache > * @param[in] sid the sid to map >diff --git a/source3/lib/idmap_cache.h b/source3/lib/idmap_cache.h >index dc497022e3b..d5afa170e1a 100644 >--- a/source3/lib/idmap_cache.h >+++ b/source3/lib/idmap_cache.h 
>@@ -31,6 +31,8 @@ bool idmap_cache_find_sid2gid(const struct dom_sid *sid, gid_t *pgid, > bool *expired); > bool idmap_cache_find_uid2sid(uid_t uid, struct dom_sid *sid, bool *expired); > bool idmap_cache_find_gid2sid(gid_t gid, struct dom_sid *sid, bool *expired); >+bool idmap_cache_find_xid2sid( >+ const struct unixid *id, struct dom_sid *sid, bool *expired); > void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); > > bool idmap_cache_del_uid(uid_t uid); >-- >2.21.0.352.gf09ad66450-goog > > >From 364b3cb00c22596b2c848e0f1f3cb68204c4d8df Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Wed, 27 Feb 2019 14:54:12 +0100 >Subject: [PATCH 06/13] torture: Add tests for idmap cache > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit e5a903bab6eda8f7ff2a7c8149d51022d9d8aede) >--- > source3/selftest/tests.py | 1 + > source3/torture/proto.h | 1 + > source3/torture/test_idmap_cache.c | 122 +++++++++++++++++++++++++++++ > source3/torture/torture.c | 1 + > source3/wscript_build | 1 + > 5 files changed, 126 insertions(+) > create mode 100644 source3/torture/test_idmap_cache.c > >diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py >index 5d7e4969e59..e8d516573dd 100755 >--- a/source3/selftest/tests.py >+++ b/source3/selftest/tests.py >@@ -200,6 +200,7 @@ local_tests = [ > "LOCAL-G-LOCK5", > "LOCAL-G-LOCK6", > "LOCAL-NAMEMAP-CACHE1", >+ "LOCAL-IDMAP-CACHE1", > "LOCAL-hex_encode_buf", > "LOCAL-remove_duplicate_addrs2"] > >diff --git a/source3/torture/proto.h b/source3/torture/proto.h >index 669e077051e..b4a2007fa77 100644 >--- a/source3/torture/proto.h >+++ b/source3/torture/proto.h 
>@@ -137,6 +137,7 @@ bool run_g_lock5(int dummy); > bool run_g_lock6(int dummy); > bool run_g_lock_ping_pong(int dummy); > bool run_local_namemap_cache1(int dummy); >+bool run_local_idmap_cache1(int dummy); > bool run_hidenewfiles(int dummy); > > #endif /* __TORTURE_H__ */ >diff --git a/source3/torture/test_idmap_cache.c b/source3/torture/test_idmap_cache.c >new file mode 100644 >index 00000000000..b9cba3b4a53 >--- /dev/null >+++ b/source3/torture/test_idmap_cache.c 
>@@ -0,0 +1,122 @@ >+/* >+ * Unix SMB/CIFS implementation. >+ * Test dbwrap_watch API >+ * Copyright (C) Volker Lendecke 2017 >+ * >+ * This program is free software; you can redistribute it and/or modify >+ * it under the terms of the GNU General Public License as published by >+ * the Free Software Foundation; either version 3 of the License, or >+ * (at your option) any later version. >+ * >+ * This program is distributed in the hope that it will be useful, >+ * but WITHOUT ANY WARRANTY; without even the implied warranty of >+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the >+ * GNU General Public License for more details. >+ * >+ * You should have received a copy of the GNU General Public License >+ * along with this program. If not, see <http://www.gnu.org/licenses/>. >+ */ >+ >+#include "includes.h" >+#include "torture/proto.h" >+#include "lib/idmap_cache.h" >+#include "librpc/gen_ndr/idmap.h" >+#include "libcli/security/dom_sid.h" >+ >+bool run_local_idmap_cache1(int dummy) >+{ >+ struct dom_sid sid, found_sid; >+ struct unixid xid, found_xid; >+ bool ret = false; >+ bool expired = false; >+ >+ xid = (struct unixid) { .id = 1234, .type = ID_TYPE_UID }; >+ dom_sid_parse("S-1-5-21-2864185242-3846410404-2398417794-1235", &sid); >+ idmap_cache_set_sid2unixid(&sid, &xid); >+ >+ ret = idmap_cache_find_sid2unixid(&sid, &found_xid, &expired); >+ if (!ret) { >+ fprintf(stderr, "idmap_cache_find_sid2unixid failed\n"); >+ goto done; >+ } >+ if (expired) { >+ fprintf(stderr, >+ "idmap_cache_find_sid2unixid returned an expired " >+ "value\n"); >+ goto done; >+ } >+ if ((xid.type != found_xid.type) || (xid.id != found_xid.id)) { >+ fprintf(stderr, >+ "idmap_cache_find_sid2unixid returned wrong " >+ "values\n"); >+ goto done; >+ } >+ >+ ret = idmap_cache_find_xid2sid(&xid, &found_sid, &expired); >+ if (!ret) { >+ fprintf(stderr, "idmap_cache_find_xid2sid failed\n"); >+ goto done; >+ } >+ if (expired) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid returned 
an expired " >+ "value\n"); >+ goto done; >+ } >+ if (!dom_sid_equal(&sid, &found_sid)) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid returned wrong sid\n"); >+ goto done; >+ } >+ >+ xid.type = ID_TYPE_GID; >+ >+ ret = idmap_cache_find_xid2sid(&xid, &found_sid, &expired); >+ if (ret) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid found a GID where it " >+ "should not\n"); >+ goto done; >+ } >+ >+ idmap_cache_del_sid(&sid); >+ >+ xid.type = ID_TYPE_UID; >+ ret = idmap_cache_find_xid2sid(&xid, &found_sid, &expired); >+ if (ret) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid found a UID where it " >+ "should not\n"); >+ goto done; >+ } >+ >+ /* >+ * Test that negative mappings can also be cached >+ */ >+ sid = (struct dom_sid) {0}; >+ xid = (struct unixid) { .id = 1234, .type = ID_TYPE_UID }; >+ idmap_cache_set_sid2unixid(&sid, &xid); >+ >+ ret = idmap_cache_find_xid2sid(&xid, &found_sid, &expired); >+ if (!ret) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid failed to find " >+ "negative mapping\n"); >+ goto done; >+ } >+ if (expired) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid returned an expired " >+ "value\n"); >+ goto done; >+ } >+ if (!dom_sid_equal(&sid, &found_sid)) { >+ fprintf(stderr, >+ "idmap_cache_find_xid2sid returned wrong sid\n"); >+ goto done; >+ } >+ >+ ret = true; >+done: >+ return ret; >+} >diff --git a/source3/torture/torture.c b/source3/torture/torture.c >index 0d00f1f84d2..018ebba6c52 100644 >--- a/source3/torture/torture.c >+++ b/source3/torture/torture.c >@@ -12081,6 +12081,7 @@ static struct { > { "LOCAL-G-LOCK-PING-PONG", run_g_lock_ping_pong, 0 }, > { "LOCAL-CANONICALIZE-PATH", run_local_canonicalize_path, 0 }, > { "LOCAL-NAMEMAP-CACHE1", run_local_namemap_cache1, 0 }, >+ { "LOCAL-IDMAP-CACHE1", run_local_idmap_cache1, 0 }, > { "qpathinfo-bufsize", run_qpathinfo_bufsize, 0 }, > { "hide-new-files-timeout", run_hidenewfiles, 0 }, > {NULL, NULL, 0}}; 
>diff --git a/source3/wscript_build b/source3/wscript_build >index 1ae91057f24..8d29db51f77 100644 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -1198,6 +1198,7 @@ bld.SAMBA3_BINARY('smbtorture' + bld.env.suffix3, > torture/wbc_async.c > torture/test_g_lock.c > torture/test_namemap_cache.c >+ torture/test_idmap_cache.c > torture/test_hidenewfiles.c > ''', > deps=''' >-- >2.21.0.352.gf09ad66450-goog > > >From f692ff098e5d12b843cd5e2f552e70c2bbb596f6 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 14:34:56 +0100 >Subject: [PATCH 07/13] winbind: Use idmap_cache_find_xid2sid > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit bc9824bd42d9370279819ea0d927e236f6041324) >--- > source3/winbindd/wb_xids2sids.c | 15 ++------------- > 1 file changed, 2 insertions(+), 13 deletions(-) > >diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c >index 2ba574664bf..c5a35275d53 100644 >--- a/source3/winbindd/wb_xids2sids.c >+++ b/source3/winbindd/wb_xids2sids.c >@@ -473,19 +473,8 @@ struct tevent_req *wb_xids2sids_send(TALLOC_CTX *mem_ctx, > struct dom_sid sid = {0}; > bool ok, expired = true; > >- switch (xids[i].type) { >- case ID_TYPE_UID: >- ok = idmap_cache_find_uid2sid( >- xids[i].id, &sid, &expired); >- break; >- case ID_TYPE_GID: >- ok = idmap_cache_find_gid2sid( >- xids[i].id, &sid, &expired); >- break; >- default: >- ok = false; >- } >- >+ ok = idmap_cache_find_xid2sid( >+ &xids[i], &sid, &expired); > if (ok && !expired) { > sid_copy(&state->sids[i], &sid); > state->cached[i] = true; >-- >2.21.0.352.gf09ad66450-goog > > >From 68f0a667f53f423d5588415836dff337af5d5ec2 Mon Sep 17 00:00:00 2001 
>From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 14:45:32 +0100 >Subject: [PATCH 08/13] lib: Introduce winbind_xid_to_sid > >This does not merge a winbind communication error into >"global_sid_NULL" (S-1-0-0), which by the way non-intuitively does not >go along with is_null_sid(). Instead, this just touches the output sid >when winbind returned success. This success might well be a negative >mapping indicated by S-0-0, which *is* is_null_sid()... > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit ef706a3e63b3e25edd27e0f99c3e2d8ff7209cb6) >--- > source3/lib/winbind_util.c | 30 ++++++++++++++++++++++++++++++ > source3/lib/winbind_util.h | 2 ++ > 2 files changed, 32 insertions(+) > >diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c >index a072166ce18..46c95ca3a28 100644 >--- a/source3/lib/winbind_util.c >+++ b/source3/lib/winbind_util.c >@@ -198,6 +198,36 @@ bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid) > return (result == WBC_ERR_SUCCESS); > } > >+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid) >+{ >+ struct wbcUnixId wbc_xid; >+ struct wbcDomainSid dom_sid; >+ wbcErr result; >+ >+ switch (xid->type) { >+ case ID_TYPE_UID: >+ wbc_xid = (struct wbcUnixId) { >+ .type = WBC_ID_TYPE_UID, .id.uid = xid->id >+ }; >+ break; >+ case ID_TYPE_GID: >+ wbc_xid = (struct wbcUnixId) { >+ .type = WBC_ID_TYPE_GID, .id.gid = xid->id >+ }; >+ break; >+ default: >+ return false; >+ } >+ >+ result = wbcUnixIdsToSids(&wbc_xid, 1, &dom_sid); >+ if (result != WBC_ERR_SUCCESS) { >+ return false; >+ } >+ >+ memcpy(sid, &dom_sid, sizeof(struct dom_sid)); >+ return true; >+} >+ > /* Check for a trusted domain */ > > wbcErr wb_is_trusted_domain(const char *domain) >diff --git a/source3/lib/winbind_util.h b/source3/lib/winbind_util.h >index c2bf0e02d76..5ecda5a7b09 100644 >--- a/source3/lib/winbind_util.h 
>+++ b/source3/lib/winbind_util.h >@@ -22,6 +22,7 @@ > #define __LIB__WINBIND_UTIL_H__ > > #include "../librpc/gen_ndr/lsa.h" >+#include "librpc/gen_ndr/idmap.h" > > /* needed for wbcErr below */ > #include "nsswitch/libwbclient/wbclient.h" >@@ -38,6 +39,7 @@ bool winbind_sid_to_uid(uid_t *puid, const struct dom_sid *sid); > bool winbind_uid_to_sid(struct dom_sid *sid, uid_t uid); > bool winbind_sid_to_gid(gid_t *pgid, const struct dom_sid *sid); > bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid); >+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid); > struct passwd * winbind_getpwnam(const char * sname); > struct passwd * winbind_getpwsid(const struct dom_sid *sid); > wbcErr wb_is_trusted_domain(const char *domain); >-- >2.21.0.352.gf09ad66450-goog > > >From 681c613c5f88403ccc476c8cd9ebfeaa7252439b Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 15:10:21 +0100 >Subject: [PATCH 09/13] passdb: Introduce xid_to_sid > >This explicitly avoids the legacy_[ug]id_to_sid calls, which create >long-term cache entries to S-1-22-x-y if anthing fails. We can't do >this, because this will turn temporary winbind communication failures >into long-term problems: A short hickup in winbind_uid_to_sid will >create a mapping to S-1-22-1-uid for a week. It should be up to the >lower layers to do the caching. > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit 92f27ebb14c0c18b1d0fd49544ad851aeb14781c) >--- > source3/passdb/lookup_sid.c | 74 +++++++++++++++++++++++++++++++++++++ > source3/passdb/lookup_sid.h | 1 + > 2 files changed, 75 insertions(+) > >diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c >index 6bda783fa03..fe0ba51b413 100644 >--- a/source3/passdb/lookup_sid.c >+++ b/source3/passdb/lookup_sid.c 
>@@ -1349,6 +1349,80 @@ void gid_to_sid(struct dom_sid *psid, gid_t gid) > return; > } > >+void xid_to_sid(struct dom_sid *psid, const struct unixid *xid) >+{ >+ bool expired = true; >+ bool ret; >+ struct dom_sid_buf buf; >+ >+ SMB_ASSERT(xid->type == ID_TYPE_UID || xid->type == ID_TYPE_GID); >+ >+ *psid = (struct dom_sid) {0}; >+ >+ ret = idmap_cache_find_xid2sid(xid, psid, &expired); >+ if (ret && !expired) { >+ DBG_DEBUG("%cID %"PRIu32" -> %s from cache\n", >+ xid->type == ID_TYPE_UID ? 'U' : 'G', >+ xid->id, >+ dom_sid_str_buf(psid, &buf)); >+ goto done; >+ } >+ >+ ret = winbind_xid_to_sid(psid, xid); >+ if (ret) { >+ /* >+ * winbind can return an explicit negative mapping >+ * here. It's up to winbind to prime the cache either >+ * positively or negatively, don't mess with the cache >+ * here. >+ */ >+ DBG_DEBUG("%cID %"PRIu32" -> %s from cache\n", >+ xid->type == ID_TYPE_UID ? 'U' : 'G', >+ xid->id, >+ dom_sid_str_buf(psid, &buf)); >+ goto done; >+ } >+ >+ { >+ /* >+ * Make a copy, pdb_id_to_sid might want to turn >+ * xid->type into ID_TYPE_BOTH, which we ignore here. >+ */ >+ struct unixid rw_xid = *xid; >+ >+ become_root(); >+ ret = pdb_id_to_sid(&rw_xid, psid); >+ unbecome_root(); >+ } >+ >+ if (ret) { >+ DBG_DEBUG("%cID %"PRIu32" -> %s from passdb\n", >+ xid->type == ID_TYPE_UID ? 'U' : 'G', >+ xid->id, >+ dom_sid_str_buf(psid, &buf)); >+ goto done; >+ } >+ >+done: >+ if (is_null_sid(psid)) { >+ /* >+ * Nobody found anything: Return S-1-22-xx-yy. Don't >+ * store that in caches, this is up to the layers >+ * beneath us. >+ */ >+ if (xid->type == ID_TYPE_UID) { >+ uid_to_unix_users_sid(xid->id, psid); >+ } else { >+ gid_to_unix_groups_sid(xid->id, psid); >+ } >+ >+ DBG_DEBUG("%cID %"PRIu32" -> %s fallback\n", >+ xid->type == ID_TYPE_UID ? 'U' : 'G', >+ xid->id, >+ dom_sid_str_buf(psid, &buf)); >+ } >+} >+ > bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > struct unixid *ids) > { 
>diff --git a/source3/passdb/lookup_sid.h b/source3/passdb/lookup_sid.h >index 8b5edf6bcb8..8a21cca2a4d 100644 >--- a/source3/passdb/lookup_sid.h >+++ b/source3/passdb/lookup_sid.h >@@ -83,6 +83,7 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, > enum lsa_SidType *ret_type); > void uid_to_sid(struct dom_sid *psid, uid_t uid); > void gid_to_sid(struct dom_sid *psid, gid_t gid); >+void xid_to_sid(struct dom_sid *psid, const struct unixid *xid); > bool sid_to_uid(const struct dom_sid *psid, uid_t *puid); > bool sid_to_gid(const struct dom_sid *psid, gid_t *pgid); > bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, >-- >2.21.0.352.gf09ad66450-goog > > >From 156985696064b2b317d5932414e380d26c640b0a Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Tue, 26 Feb 2019 15:17:36 +0100 >Subject: [PATCH 10/13] passdb: Make [ug]id_to_sid use xid_to_sid > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Christof Schmitt <cs@samba.org> >Bug: https://bugzilla.samba.org/show_bug.cgi?id=13813 >(cherry picked from commit 40de67f1fcc46b7a64a7364c91dcedb474826d51) >--- > source3/passdb/lookup_sid.c | 205 +++--------------------------------- > 1 file changed, 12 insertions(+), 193 deletions(-) > >diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c >index fe0ba51b413..2281bd0b64d 100644 >--- a/source3/passdb/lookup_sid.c >+++ b/source3/passdb/lookup_sid.c 
>@@ -1108,99 +1108,6 @@ bool lookup_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid, > return ret; > } > >-/***************************************************************** >- Id mapping cache. This is to avoid Winbind mappings already >- seen by smbd to be queried too frequently, keeping winbindd >- busy, and blocking smbd while winbindd is busy with other >- stuff. Written by Michael Steffens <michael.steffens@hp.com>, >- modified to use linked lists by jra. >-*****************************************************************/ >- >- >-/***************************************************************** >- *THE LEGACY* convert uid_t to SID function. >-*****************************************************************/ >- >-static void legacy_uid_to_sid(struct dom_sid *psid, uid_t uid) >-{ >- bool ret; >- struct unixid id; >- struct dom_sid_buf buf; >- >- ZERO_STRUCTP(psid); >- >- id.id = uid; >- id.type = ID_TYPE_UID; >- >- become_root(); >- ret = pdb_id_to_sid(&id, psid); >- unbecome_root(); >- >- if (ret) { >- /* This is a mapped user */ >- goto done; >- } >- >- /* This is an unmapped user */ >- >- uid_to_unix_users_sid(uid, psid); >- >- { >- struct unixid xid = { >- .id = uid, .type = ID_TYPE_UID >- }; >- idmap_cache_set_sid2unixid(psid, &xid); >- } >- >- done: >- DEBUG(10,("LEGACY: uid %u -> sid %s\n", (unsigned int)uid, >- dom_sid_str_buf(psid, &buf))); >- >- return; >-} >- >-/***************************************************************** >- *THE LEGACY* convert gid_t to SID function. 
>-*****************************************************************/ >- >-static void legacy_gid_to_sid(struct dom_sid *psid, gid_t gid) >-{ >- bool ret; >- struct unixid id; >- struct dom_sid_buf buf; >- >- ZERO_STRUCTP(psid); >- >- id.id = gid; >- id.type = ID_TYPE_GID; >- >- become_root(); >- ret = pdb_id_to_sid(&id, psid); >- unbecome_root(); >- >- if (ret) { >- /* This is a mapped group */ >- goto done; >- } >- >- /* This is an unmapped group */ >- >- gid_to_unix_groups_sid(gid, psid); >- >- { >- struct unixid xid = { >- .id = gid, .type = ID_TYPE_GID >- }; >- idmap_cache_set_sid2unixid(psid, &xid); >- } >- >- done: >- DEBUG(10,("LEGACY: gid %u -> sid %s\n", (unsigned int)gid, >- dom_sid_str_buf(psid, &buf))); >- >- return; >-} >- > /***************************************************************** > *THE LEGACY* convert SID to id function. > *****************************************************************/ 
>@@ -1249,106 +1156,6 @@ static bool legacy_sid_to_uid(const struct dom_sid *psid, uid_t *puid) > return false; > } > >-/***************************************************************** >- *THE CANONICAL* convert uid_t to SID function. >-*****************************************************************/ >- >-void uid_to_sid(struct dom_sid *psid, uid_t uid) >-{ >- bool expired = true; >- bool ret; >- struct dom_sid_buf buf; >- ZERO_STRUCTP(psid); >- >- /* Check the winbindd cache directly. */ >- ret = idmap_cache_find_uid2sid(uid, psid, &expired); >- >- if (ret && !expired && is_null_sid(psid)) { >- /* >- * Negative cache entry, we already asked. >- * do legacy. >- */ >- legacy_uid_to_sid(psid, uid); >- return; >- } >- >- if (!ret || expired) { >- /* Not in cache. Ask winbindd. */ >- if (!winbind_uid_to_sid(psid, uid)) { >- /* >- * We shouldn't return the NULL SID >- * here if winbind was running and >- * couldn't map, as winbind will have >- * added a negative entry that will >- * cause us to go though the >- * legacy_uid_to_sid() >- * function anyway in the case above >- * the next time we ask. >- */ >- DEBUG(5, ("uid_to_sid: winbind failed to find a sid " >- "for uid %u\n", (unsigned int)uid)); >- >- legacy_uid_to_sid(psid, uid); >- return; >- } >- } >- >- DEBUG(10,("uid %u -> sid %s\n", (unsigned int)uid, >- dom_sid_str_buf(psid, &buf))); >- >- return; >-} >- >-/***************************************************************** >- *THE CANONICAL* convert gid_t to SID function. >-*****************************************************************/ >- >-void gid_to_sid(struct dom_sid *psid, gid_t gid) >-{ >- bool expired = true; >- bool ret; >- struct dom_sid_buf buf; >- ZERO_STRUCTP(psid); >- >- /* Check the winbindd cache directly. */ >- ret = idmap_cache_find_gid2sid(gid, psid, &expired); >- >- if (ret && !expired && is_null_sid(psid)) { >- /* >- * Negative cache entry, we already asked. >- * do legacy. 
>- */ >- legacy_gid_to_sid(psid, gid); >- return; >- } >- >- if (!ret || expired) { >- /* Not in cache. Ask winbindd. */ >- if (!winbind_gid_to_sid(psid, gid)) { >- /* >- * We shouldn't return the NULL SID >- * here if winbind was running and >- * couldn't map, as winbind will have >- * added a negative entry that will >- * cause us to go though the >- * legacy_gid_to_sid() >- * function anyway in the case above >- * the next time we ask. >- */ >- DEBUG(5, ("gid_to_sid: winbind failed to find a sid " >- "for gid %u\n", (unsigned int)gid)); >- >- legacy_gid_to_sid(psid, gid); >- return; >- } >- } >- >- DEBUG(10,("gid %u -> sid %s\n", (unsigned int)gid, >- dom_sid_str_buf(psid, &buf))); >- >- return; >-} >- > void xid_to_sid(struct dom_sid *psid, const struct unixid *xid) > { > bool expired = true; >@@ -1423,6 +1230,18 @@ done: > } > } > >+void uid_to_sid(struct dom_sid *psid, uid_t uid) >+{ >+ struct unixid xid = { .type = ID_TYPE_UID, .id = uid}; >+ xid_to_sid(psid, &xid); >+} >+ >+void gid_to_sid(struct dom_sid *psid, gid_t gid) >+{ >+ struct unixid xid = { .type = ID_TYPE_GID, .id = gid}; >+ xid_to_sid(psid, &xid); >+} >+ > bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, > struct unixid *ids) > { >-- >2.21.0.352.gf09ad66450-goog > > >From bf5db4bebfa9e58673b4f53a80d3098ddf1a3f74 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Wed, 6 Mar 2019 11:55:32 -0800 >Subject: [PATCH 11/13] passdb: Update ABI to 0.27.2 > >This change is for the backport only. The change in master increased the >ABI version to 0.28.0 and removed some functions; this should not happen >in a backport. > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source3/passdb/ABI/samba-passdb-0.27.2.sigs | 311 ++++++++++++++++++++ > source3/wscript_build | 2 +- > 2 files changed, 312 insertions(+), 1 deletion(-) > create mode 100644 source3/passdb/ABI/samba-passdb-0.27.2.sigs 
> >diff --git a/source3/passdb/ABI/samba-passdb-0.27.2.sigs b/source3/passdb/ABI/samba-passdb-0.27.2.sigs >new file mode 100644 >index 00000000000..17876abac16 >--- /dev/null >+++ b/source3/passdb/ABI/samba-passdb-0.27.2.sigs 
>@@ -0,0 +1,311 @@ >+PDB_secrets_clear_domain_protection: bool (const char *) >+PDB_secrets_fetch_domain_guid: bool (const char *, struct GUID *) >+PDB_secrets_fetch_domain_sid: bool (const char *, struct dom_sid *) >+PDB_secrets_mark_domain_protected: bool (const char *) >+PDB_secrets_store_domain_guid: bool (const char *, struct GUID *) >+PDB_secrets_store_domain_sid: bool (const char *, const struct dom_sid *) >+account_policy_get: bool (enum pdb_policy_type, uint32_t *) >+account_policy_get_default: bool (enum pdb_policy_type, uint32_t *) >+account_policy_get_desc: const char *(enum pdb_policy_type) >+account_policy_name_to_typenum: enum pdb_policy_type (const char *) >+account_policy_names_list: void (TALLOC_CTX *, const char ***, int *) >+account_policy_set: bool (enum pdb_policy_type, uint32_t) >+add_initial_entry: NTSTATUS (gid_t, const char *, enum lsa_SidType, const char *, const char *) >+algorithmic_pdb_gid_to_group_rid: uint32_t (gid_t) >+algorithmic_pdb_rid_is_user: bool (uint32_t) >+algorithmic_pdb_uid_to_user_rid: uint32_t (uid_t) >+algorithmic_pdb_user_rid_to_uid: uid_t (uint32_t) >+algorithmic_rid_base: int (void) >+builtin_domain_name: const char *(void) >+cache_account_policy_get: bool (enum pdb_policy_type, uint32_t *) >+cache_account_policy_set: bool (enum pdb_policy_type, uint32_t) >+create_builtin_administrators: NTSTATUS (const struct dom_sid *) >+create_builtin_guests: NTSTATUS (const struct dom_sid *) >+create_builtin_users: NTSTATUS (const struct dom_sid *) >+decode_account_policy_name: const char *(enum pdb_policy_type) >+get_account_pol_db: struct db_context *(void) >+get_account_policy_attr: const char *(enum pdb_policy_type) >+get_domain_group_from_sid: bool (struct dom_sid, GROUP_MAP *) >+get_primary_group_sid: NTSTATUS (TALLOC_CTX *, const char *, struct passwd **, struct dom_sid **) >+get_privileges_for_sid_as_set: NTSTATUS (TALLOC_CTX *, PRIVILEGE_SET **, struct dom_sid *) >+get_privileges_for_sids: bool (uint64_t *, struct 
dom_sid *, int) >+get_trust_pw_clear: bool (const char *, char **, const char **, enum netr_SchannelType *) >+get_trust_pw_hash: bool (const char *, uint8_t *, const char **, enum netr_SchannelType *) >+gid_to_sid: void (struct dom_sid *, gid_t) >+gid_to_unix_groups_sid: void (gid_t, struct dom_sid *) >+grab_named_mutex: struct named_mutex *(TALLOC_CTX *, const char *, int) >+grant_all_privileges: bool (const struct dom_sid *) >+grant_privilege_by_name: bool (const struct dom_sid *, const char *) >+grant_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) >+groupdb_tdb_init: const struct mapping_backend *(void) >+init_account_policy: bool (void) >+init_buffer_from_samu: uint32_t (uint8_t **, struct samu *, bool) >+init_samu_from_buffer: bool (struct samu *, uint32_t, uint8_t *, uint32_t) >+initialize_password_db: bool (bool, struct tevent_context *) >+is_dc_trusted_domain_situation: bool (const char *) >+is_privileged_sid: bool (const struct dom_sid *) >+local_password_change: NTSTATUS (const char *, int, const char *, char **, char **) >+login_cache_delentry: bool (const struct samu *) >+login_cache_init: bool (void) >+login_cache_read: bool (struct samu *, struct login_cache *) >+login_cache_shutdown: bool (void) >+login_cache_write: bool (const struct samu *, const struct login_cache *) >+lookup_builtin_name: bool (const char *, uint32_t *) >+lookup_builtin_rid: bool (TALLOC_CTX *, uint32_t, const char **) >+lookup_global_sam_name: bool (const char *, int, uint32_t *, enum lsa_SidType *) >+lookup_name: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) >+lookup_name_smbconf: bool (TALLOC_CTX *, const char *, int, const char **, const char **, struct dom_sid *, enum lsa_SidType *) >+lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) >+lookup_sids: NTSTATUS (TALLOC_CTX *, int, const struct dom_sid **, int, struct lsa_dom_info **, 
struct lsa_name_info **) >+lookup_wellknown_name: bool (TALLOC_CTX *, const char *, struct dom_sid *, const char **) >+lookup_wellknown_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **) >+make_pdb_method: NTSTATUS (struct pdb_methods **) >+make_pdb_method_name: NTSTATUS (struct pdb_methods **, const char *) >+max_algorithmic_gid: gid_t (void) >+max_algorithmic_uid: uid_t (void) >+pdb_add_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) >+pdb_add_group_mapping_entry: NTSTATUS (GROUP_MAP *) >+pdb_add_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) >+pdb_add_sam_account: NTSTATUS (struct samu *) >+pdb_build_fields_present: uint32_t (struct samu *) >+pdb_capabilities: uint32_t (void) >+pdb_copy_sam_account: bool (struct samu *, struct samu *) >+pdb_create_alias: NTSTATUS (const char *, uint32_t *) >+pdb_create_builtin: NTSTATUS (uint32_t) >+pdb_create_builtin_alias: NTSTATUS (uint32_t, gid_t) >+pdb_create_dom_group: NTSTATUS (TALLOC_CTX *, const char *, uint32_t *) >+pdb_create_user: NTSTATUS (TALLOC_CTX *, const char *, uint32_t, uint32_t *) >+pdb_decode_acct_ctrl: uint32_t (const char *) >+pdb_default_add_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) >+pdb_default_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_default_alias_memberships: NTSTATUS (struct pdb_methods *, TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) >+pdb_default_create_alias: NTSTATUS (struct pdb_methods *, const char *, uint32_t *) >+pdb_default_del_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, const struct dom_sid *) >+pdb_default_delete_alias: NTSTATUS (struct pdb_methods *, const struct dom_sid *) >+pdb_default_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) >+pdb_default_enum_aliasmem: NTSTATUS (struct pdb_methods *, const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t 
*) >+pdb_default_enum_group_mapping: NTSTATUS (struct pdb_methods *, const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) >+pdb_default_get_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) >+pdb_default_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) >+pdb_default_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) >+pdb_default_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) >+pdb_default_set_aliasinfo: NTSTATUS (struct pdb_methods *, const struct dom_sid *, struct acct_info *) >+pdb_default_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_del_aliasmem: NTSTATUS (const struct dom_sid *, const struct dom_sid *) >+pdb_del_groupmem: NTSTATUS (TALLOC_CTX *, uint32_t, uint32_t) >+pdb_del_trusted_domain: NTSTATUS (const char *) >+pdb_del_trusteddom_pw: bool (const char *) >+pdb_delete_alias: NTSTATUS (const struct dom_sid *) >+pdb_delete_dom_group: NTSTATUS (TALLOC_CTX *, uint32_t) >+pdb_delete_group_mapping_entry: NTSTATUS (struct dom_sid) >+pdb_delete_sam_account: NTSTATUS (struct samu *) >+pdb_delete_secret: NTSTATUS (const char *) >+pdb_delete_user: NTSTATUS (TALLOC_CTX *, struct samu *) >+pdb_element_is_changed: bool (const struct samu *, enum pdb_elements) >+pdb_element_is_set_or_changed: bool (const struct samu *, enum pdb_elements) >+pdb_encode_acct_ctrl: char *(uint32_t, size_t) >+pdb_enum_alias_memberships: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, const struct dom_sid *, size_t, uint32_t **, size_t *) >+pdb_enum_aliasmem: NTSTATUS (const struct dom_sid *, TALLOC_CTX *, struct dom_sid **, size_t *) >+pdb_enum_group_mapping: bool (const struct dom_sid *, enum lsa_SidType, GROUP_MAP ***, size_t *, bool) >+pdb_enum_group_members: NTSTATUS (TALLOC_CTX *, const struct dom_sid *, uint32_t **, size_t *) >+pdb_enum_group_memberships: NTSTATUS (TALLOC_CTX *, struct samu *, struct dom_sid **, gid_t **, uint32_t *) 
>+pdb_enum_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct pdb_trusted_domain ***) >+pdb_enum_trusteddoms: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) >+pdb_enum_upn_suffixes: NTSTATUS (TALLOC_CTX *, uint32_t *, char ***) >+pdb_find_backend_entry: struct pdb_init_function_entry *(const char *) >+pdb_get_account_policy: bool (enum pdb_policy_type, uint32_t *) >+pdb_get_acct_ctrl: uint32_t (const struct samu *) >+pdb_get_acct_desc: const char *(const struct samu *) >+pdb_get_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) >+pdb_get_backend_private_data: void *(const struct samu *, const struct pdb_methods *) >+pdb_get_backends: const struct pdb_init_function_entry *(void) >+pdb_get_bad_password_count: uint16_t (const struct samu *) >+pdb_get_bad_password_time: time_t (const struct samu *) >+pdb_get_code_page: uint16_t (const struct samu *) >+pdb_get_comment: const char *(const struct samu *) >+pdb_get_country_code: uint16_t (const struct samu *) >+pdb_get_dir_drive: const char *(const struct samu *) >+pdb_get_domain: const char *(const struct samu *) >+pdb_get_domain_info: struct pdb_domain_info *(TALLOC_CTX *) >+pdb_get_fullname: const char *(const struct samu *) >+pdb_get_group_rid: uint32_t (struct samu *) >+pdb_get_group_sid: const struct dom_sid *(struct samu *) >+pdb_get_homedir: const char *(const struct samu *) >+pdb_get_hours: const uint8_t *(const struct samu *) >+pdb_get_hours_len: uint32_t (const struct samu *) >+pdb_get_init_flags: enum pdb_value_state (const struct samu *, enum pdb_elements) >+pdb_get_kickoff_time: time_t (const struct samu *) >+pdb_get_lanman_passwd: const uint8_t *(const struct samu *) >+pdb_get_logoff_time: time_t (const struct samu *) >+pdb_get_logon_count: uint16_t (const struct samu *) >+pdb_get_logon_divs: uint16_t (const struct samu *) >+pdb_get_logon_script: const char *(const struct samu *) >+pdb_get_logon_time: time_t (const struct samu *) >+pdb_get_munged_dial: const char 
*(const struct samu *) >+pdb_get_nt_passwd: const uint8_t *(const struct samu *) >+pdb_get_nt_username: const char *(const struct samu *) >+pdb_get_pass_can_change: bool (const struct samu *) >+pdb_get_pass_can_change_time: time_t (const struct samu *) >+pdb_get_pass_can_change_time_noncalc: time_t (const struct samu *) >+pdb_get_pass_last_set_time: time_t (const struct samu *) >+pdb_get_pass_must_change_time: time_t (const struct samu *) >+pdb_get_plaintext_passwd: const char *(const struct samu *) >+pdb_get_profile_path: const char *(const struct samu *) >+pdb_get_pw_history: const uint8_t *(const struct samu *, uint32_t *) >+pdb_get_secret: NTSTATUS (TALLOC_CTX *, const char *, DATA_BLOB *, NTTIME *, DATA_BLOB *, NTTIME *, struct security_descriptor **) >+pdb_get_seq_num: bool (time_t *) >+pdb_get_tevent_context: struct tevent_context *(void) >+pdb_get_trust_credentials: NTSTATUS (const char *, const char *, TALLOC_CTX *, struct cli_credentials **) >+pdb_get_trusted_domain: NTSTATUS (TALLOC_CTX *, const char *, struct pdb_trusted_domain **) >+pdb_get_trusted_domain_by_sid: NTSTATUS (TALLOC_CTX *, struct dom_sid *, struct pdb_trusted_domain **) >+pdb_get_trusteddom_creds: NTSTATUS (const char *, TALLOC_CTX *, struct cli_credentials **) >+pdb_get_trusteddom_pw: bool (const char *, char **, struct dom_sid *, time_t *) >+pdb_get_unknown_6: uint32_t (const struct samu *) >+pdb_get_user_rid: uint32_t (const struct samu *) >+pdb_get_user_sid: const struct dom_sid *(const struct samu *) >+pdb_get_username: const char *(const struct samu *) >+pdb_get_workstations: const char *(const struct samu *) >+pdb_getgrgid: bool (GROUP_MAP *, gid_t) >+pdb_getgrnam: bool (GROUP_MAP *, const char *) >+pdb_getgrsid: bool (GROUP_MAP *, struct dom_sid) >+pdb_gethexhours: bool (const char *, unsigned char *) >+pdb_gethexpwd: bool (const char *, unsigned char *) >+pdb_getsampwnam: bool (struct samu *, const char *) >+pdb_getsampwsid: bool (struct samu *, const struct dom_sid *) 
>+pdb_group_rid_to_gid: gid_t (uint32_t) >+pdb_id_to_sid: bool (struct unixid *, struct dom_sid *) >+pdb_increment_bad_password_count: bool (struct samu *) >+pdb_is_password_change_time_max: bool (time_t) >+pdb_is_responsible_for_builtin: bool (void) >+pdb_is_responsible_for_everything_else: bool (void) >+pdb_is_responsible_for_our_sam: bool (void) >+pdb_is_responsible_for_unix_groups: bool (void) >+pdb_is_responsible_for_unix_users: bool (void) >+pdb_is_responsible_for_wellknown: bool (void) >+pdb_lookup_rids: NTSTATUS (const struct dom_sid *, int, uint32_t *, const char **, enum lsa_SidType *) >+pdb_new_rid: bool (uint32_t *) >+pdb_nop_add_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_nop_delete_group_mapping_entry: NTSTATUS (struct pdb_methods *, struct dom_sid) >+pdb_nop_enum_group_mapping: NTSTATUS (struct pdb_methods *, enum lsa_SidType, GROUP_MAP **, size_t *, bool) >+pdb_nop_getgrgid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, gid_t) >+pdb_nop_getgrnam: NTSTATUS (struct pdb_methods *, GROUP_MAP *, const char *) >+pdb_nop_getgrsid: NTSTATUS (struct pdb_methods *, GROUP_MAP *, struct dom_sid) >+pdb_nop_update_group_mapping_entry: NTSTATUS (struct pdb_methods *, GROUP_MAP *) >+pdb_rename_sam_account: NTSTATUS (struct samu *, const char *) >+pdb_search_aliases: struct pdb_search *(TALLOC_CTX *, const struct dom_sid *) >+pdb_search_entries: uint32_t (struct pdb_search *, uint32_t, uint32_t, struct samr_displayentry **) >+pdb_search_groups: struct pdb_search *(TALLOC_CTX *) >+pdb_search_users: struct pdb_search *(TALLOC_CTX *, uint32_t) >+pdb_set_account_policy: bool (enum pdb_policy_type, uint32_t) >+pdb_set_acct_ctrl: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_acct_desc: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_aliasinfo: NTSTATUS (const struct dom_sid *, struct acct_info *) >+pdb_set_backend_private_data: bool (struct samu *, void *, void (*)(void **), const struct pdb_methods *, enum 
pdb_value_state) >+pdb_set_bad_password_count: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_bad_password_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_code_page: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_comment: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_country_code: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_dir_drive: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_domain: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_fullname: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_group_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) >+pdb_set_group_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_homedir: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_hours: bool (struct samu *, const uint8_t *, int, enum pdb_value_state) >+pdb_set_hours_len: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_init_flags: bool (struct samu *, enum pdb_elements, enum pdb_value_state) >+pdb_set_kickoff_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_lanman_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) >+pdb_set_logoff_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_logon_count: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_logon_divs: bool (struct samu *, uint16_t, enum pdb_value_state) >+pdb_set_logon_script: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_logon_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_munged_dial: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_nt_passwd: bool (struct samu *, const uint8_t *, enum pdb_value_state) >+pdb_set_nt_username: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_pass_can_change: bool (struct samu *, bool) >+pdb_set_pass_can_change_time: bool 
(struct samu *, time_t, enum pdb_value_state) >+pdb_set_pass_last_set_time: bool (struct samu *, time_t, enum pdb_value_state) >+pdb_set_plaintext_passwd: bool (struct samu *, const char *) >+pdb_set_plaintext_pw_only: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_profile_path: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_pw_history: bool (struct samu *, const uint8_t *, uint32_t, enum pdb_value_state) >+pdb_set_secret: NTSTATUS (const char *, DATA_BLOB *, DATA_BLOB *, struct security_descriptor *) >+pdb_set_trusted_domain: NTSTATUS (const char *, const struct pdb_trusted_domain *) >+pdb_set_trusteddom_pw: bool (const char *, const char *, const struct dom_sid *) >+pdb_set_unix_primary_group: NTSTATUS (TALLOC_CTX *, struct samu *) >+pdb_set_unknown_6: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_upn_suffixes: NTSTATUS (uint32_t, const char **) >+pdb_set_user_sid: bool (struct samu *, const struct dom_sid *, enum pdb_value_state) >+pdb_set_user_sid_from_rid: bool (struct samu *, uint32_t, enum pdb_value_state) >+pdb_set_user_sid_from_string: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_username: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_set_workstations: bool (struct samu *, const char *, enum pdb_value_state) >+pdb_sethexhours: void (char *, const unsigned char *) >+pdb_sethexpwd: void (char *, const unsigned char *, uint32_t) >+pdb_sid_to_id: bool (const struct dom_sid *, struct unixid *) >+pdb_sid_to_id_unix_users_and_groups: bool (const struct dom_sid *, struct unixid *) >+pdb_update_autolock_flag: bool (struct samu *, bool *) >+pdb_update_bad_password_count: bool (struct samu *, bool *) >+pdb_update_group_mapping_entry: NTSTATUS (GROUP_MAP *) >+pdb_update_history: bool (struct samu *, const uint8_t *) >+pdb_update_login_attempts: NTSTATUS (struct samu *, bool) >+pdb_update_sam_account: NTSTATUS (struct samu *) >+privilege_create_account: NTSTATUS (const 
struct dom_sid *) >+privilege_delete_account: NTSTATUS (const struct dom_sid *) >+privilege_enum_sids: NTSTATUS (enum sec_privilege, TALLOC_CTX *, struct dom_sid **, int *) >+privilege_enumerate_accounts: NTSTATUS (struct dom_sid **, int *) >+revoke_all_privileges: bool (const struct dom_sid *) >+revoke_privilege_by_name: bool (const struct dom_sid *, const char *) >+revoke_privilege_set: bool (const struct dom_sid *, struct lsa_PrivilegeSet *) >+samu_alloc_rid_unix: NTSTATUS (struct pdb_methods *, struct samu *, const struct passwd *) >+samu_new: struct samu *(TALLOC_CTX *) >+samu_set_unix: NTSTATUS (struct samu *, const struct passwd *) >+secrets_trusted_domains: NTSTATUS (TALLOC_CTX *, uint32_t *, struct trustdom_info ***) >+sid_check_is_builtin: bool (const struct dom_sid *) >+sid_check_is_for_passdb: bool (const struct dom_sid *) >+sid_check_is_in_builtin: bool (const struct dom_sid *) >+sid_check_is_in_unix_groups: bool (const struct dom_sid *) >+sid_check_is_in_unix_users: bool (const struct dom_sid *) >+sid_check_is_in_wellknown_domain: bool (const struct dom_sid *) >+sid_check_is_unix_groups: bool (const struct dom_sid *) >+sid_check_is_unix_users: bool (const struct dom_sid *) >+sid_check_is_wellknown_builtin: bool (const struct dom_sid *) >+sid_check_is_wellknown_domain: bool (const struct dom_sid *, const char **) >+sid_check_object_is_for_passdb: bool (const struct dom_sid *) >+sid_to_gid: bool (const struct dom_sid *, gid_t *) >+sid_to_uid: bool (const struct dom_sid *, uid_t *) >+sids_to_unixids: bool (const struct dom_sid *, uint32_t, struct unixid *) >+smb_add_user_group: int (const char *, const char *) >+smb_create_group: int (const char *, gid_t *) >+smb_delete_group: int (const char *) >+smb_delete_user_group: int (const char *, const char *) >+smb_nscd_flush_group_cache: void (void) >+smb_nscd_flush_user_cache: void (void) >+smb_register_passdb: NTSTATUS (int, const char *, pdb_init_function) >+smb_set_primary_group: int (const char *, const 
char *) >+uid_to_sid: void (struct dom_sid *, uid_t) >+uid_to_unix_users_sid: void (uid_t, struct dom_sid *) >+unix_groups_domain_name: const char *(void) >+unix_users_domain_name: const char *(void) >+unixid_from_both: void (struct unixid *, uint32_t) >+unixid_from_gid: void (struct unixid *, uint32_t) >+unixid_from_uid: void (struct unixid *, uint32_t) >+wb_is_trusted_domain: wbcErr (const char *) >+winbind_allocate_gid: bool (gid_t *) >+winbind_allocate_uid: bool (uid_t *) >+winbind_getpwnam: struct passwd *(const char *) >+winbind_getpwsid: struct passwd *(const struct dom_sid *) >+winbind_gid_to_sid: bool (struct dom_sid *, gid_t) >+winbind_lookup_name: bool (const char *, const char *, struct dom_sid *, enum lsa_SidType *) >+winbind_lookup_rids: bool (TALLOC_CTX *, const struct dom_sid *, int, uint32_t *, const char **, const char ***, enum lsa_SidType **) >+winbind_lookup_sid: bool (TALLOC_CTX *, const struct dom_sid *, const char **, const char **, enum lsa_SidType *) >+winbind_lookup_usersids: bool (TALLOC_CTX *, const struct dom_sid *, uint32_t *, struct dom_sid **) >+winbind_ping: bool (void) >+winbind_sid_to_gid: bool (gid_t *, const struct dom_sid *) >+winbind_sid_to_uid: bool (uid_t *, const struct dom_sid *) >+winbind_uid_to_sid: bool (struct dom_sid *, uid_t) >+winbind_xid_to_sid: bool (struct dom_sid *, const struct unixid *) >+xid_to_sid: void (struct dom_sid *, const struct unixid *) >diff --git a/source3/wscript_build b/source3/wscript_build >index 8d29db51f77..f0d85969692 100644 >--- a/source3/wscript_build >+++ b/source3/wscript_build >@@ -149,7 +149,7 @@ bld.SAMBA3_LIBRARY('samba-passdb', > ''', > abi_match=private_pdb_match, > abi_directory='passdb/ABI', >- vnum='0.27.1') >+ vnum='0.27.2') > > bld.SAMBA3_SUBSYSTEM('pdb', > source=''' >-- >2.21.0.352.gf09ad66450-goog > > >From cbd91b9a82674bf807b338d24551991ebf0269c4 Mon Sep 17 00:00:00 2001 
>From: Christof Schmitt <cs@samba.org> >Date: Tue, 5 Mar 2019 11:50:48 -0700 >Subject: [PATCH 12/13] lib/winbind_util: Move include out of ifdef > >This fixes compile errors about missing prototypes with >--picky-developer and --without-winbind > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> >(cherry picked from commit 4b1e4c22128bdefe549a58b181e9b755854f4c3e) >--- > source3/lib/winbind_util.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c >index 46c95ca3a28..de72042cfa4 100644 >--- a/source3/lib/winbind_util.c >+++ b/source3/lib/winbind_util.c >@@ -23,10 +23,10 @@ > #include "../lib/util/util_pw.h" > #include "nsswitch/libwbclient/wbclient.h" > >-#if defined(WITH_WINBIND) >- > #include "lib/winbind_util.h" > >+#if defined(WITH_WINBIND) >+ > struct passwd * winbind_getpwnam(const char * name) > { > wbcErr result; >-- >2.21.0.352.gf09ad66450-goog > > >From e99b7f0d8d14f2981335c05916841ae6e88493f9 Mon Sep 17 00:00:00 2001 >From: Christof Schmitt <cs@samba.org> >Date: Tue, 5 Mar 2019 11:56:49 -0700 >Subject: [PATCH 13/13] lib/winbind_util: Add winbind_xid_to_sid for > --without-winbind > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13813 > >Signed-off-by: Christof Schmitt <cs@samba.org> >Reviewed-by: Jeremy Allison <jra@samba.org> > >Autobuild-User(master): Jeremy Allison <jra@samba.org> >Autobuild-Date(master): Wed Mar 6 01:53:16 UTC 2019 on sn-devel-144 > >(cherry picked from commit 4125ff89e44a3e98882cfc38c06e559a6e1e56a5) >--- > source3/lib/winbind_util.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/lib/winbind_util.c b/source3/lib/winbind_util.c >index de72042cfa4..0c1f2c2552a 100644 >--- a/source3/lib/winbind_util.c >+++ b/source3/lib/winbind_util.c 
>@@ -401,6 +401,13 @@ bool winbind_gid_to_sid(struct dom_sid *sid, gid_t gid) > return false; > } > >+/* Call winbindd to convert uid or gid to SID */ >+ >+bool winbind_xid_to_sid(struct dom_sid *sid, const struct unixid *xid) >+{ >+ return false; >+} >+ > /* Check for a trusted domain */ > > wbcErr wb_is_trusted_domain(const char *domain) >-- >2.21.0.352.gf09ad66450-goog >
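Review bot: The vnum change from '0.27.1' to '0.27.2' in source3/wscript_build cannot be checked from this diff alone, because samba-passdb-0.27.2.sigs arrives as a whole new file (@@ -0,0 +1,311 @@) rather than as a delta against the 0.27.1 list. Comparing the two .sigs files should show additions only; winbind_xid_to_sid, which patch 13/13 stubs out for --without-winbind, is one entry to look for. If any existing signature changed or disappeared, that is an ABI break and needs more than this version step.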
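Review bot: In the @@ -401,6 +401,13 @@ hunk of source3/lib/winbind_util.c, the comment "Call winbindd to convert uid or gid to SID" describes a call this stub never makes, since its body is only "return false;". The subject line says this variant is for --without-winbind, so a comment along the lines of "winbind not built in: always fails, *sid is left untouched" would tell callers what to expect. That also fits the rule stated in patch 02/13 that output parameters are only touched on success, so callers must check the return value before reading sid.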
Flags: cs: review+, ab: review+