The Samba-Bugzilla – Attachment 15090 Details for
Bug 13903
Overlapping idmap ranges with idmap_ad no longer work
[patch]
patches for 4.10
patches-4.10 (text/plain), 14.76 KB, created by
Christof Schmitt
on 2019-04-24 16:44:11 UTC
Description:
patches for 4.10
Filename:
MIME Type:
Creator:
Christof Schmitt
Created:
2019-04-24 16:44:11 UTC
Size:
14.76 KB
>From 34d7bfe8dc6f61b767b311f6c9d6728fcc76503b Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Mon, 22 Apr 2019 16:15:20 -0700
>Subject: [PATCH 1/7] selftest: Add gid-to-sid lookup to idmap_ad test
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit d7b5ad5e6159c224f70bea782bbdc46059e67978)
>---
> nsswitch/tests/test_idmap_ad.sh | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
>
>diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
>index 7450ae06059..3e36498efcb 100755
>--- a/nsswitch/tests/test_idmap_ad.sh
>+++ b/nsswitch/tests/test_idmap_ad.sh
>@@ -49,6 +49,13 @@ add: gidNumber
> gidNumber: 2000001
> EOF
>
>+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$BASE_DN
>+changetype: modify
>+add: gidNumber
>+gidNumber: 2000002
>+EOF
>+
> #
> # Test 1: Test uid of Administrator, should be 2000000
> #
>@@ -79,6 +86,16 @@ test "$out" = "$DOMAIN/administrator:*:2000000:2000001::/home/$DOMAIN/administra
> ret=$?
> testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
>
>+#
>+# Test 4: Test lookup from gid to sid
>+#
>+
>+out="$($wbinfo -G 2000002)"
>+echo "wbinfo returned: \"$out\", expecting \"$DOMAIN_SID-512\""
>+test "$out" = "$DOMAIN_SID-512"
>+ret=$?
>+testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
>+
> #
> # Remove POSIX ids from AD
> #
>@@ -96,4 +113,11 @@ delete: gidNumber
> gidNumber: 2000001
> EOF
>
>+cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$BASE_DN
>+changetype: modify
>+delete: gidNumber
>+gidNumber: 2000002
>+EOF
>+
> exit $failed
>--
>2.17.0
>
>
>From d7881063f197206d27ebfe1ff93979c7629e377e Mon Sep 17 00:00:00 2001
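Review bot: The exit status of the new `$ldbmodify` call that adds `gidNumber: 2000002` to Domain Admins (first hunk of PATCH 1/7) is never checked, so a failed modify only shows up later as an unexplained `wbinfo -G 2000002` mismatch. The matching delete in the last hunk of this patch and the trusted-domain add and delete blocks in PATCH 6/7 have the same gap. Counting the failure on the command line would make it visible, e.g. `cat <<EOF | $ldbmodify -H ldap://$DC_SERVER -U "$DOMAIN\Administrator%$DC_PASSWORD" || failed=$(expr $failed + 1)`. The script's setup section lies outside these hunks, so whether `failed` is already initialised at the point of the first add cannot be confirmed from here.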
>From: Christof Schmitt <cs@samba.org>
>Date: Wed, 17 Apr 2019 16:12:27 -0700
>Subject: [PATCH 2/7] selftest: Use fl2008r2dc for ad_member_idmap_ad
>
>fl2008r2dc already has a trusted domain. That will be used to use
>idmap_ad for querying idmap attributes from the trusted domain.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 8266bd1f45d1b5b2a61d84006ab8e8e1ed0e52a9)
>---
> selftest/target/Samba3.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index f11bb9312df..aef179e17ed 100755
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -184,7 +184,7 @@ sub check_env($$)
> ad_member => ["ad_dc"],
> ad_member_rfc2307 => ["ad_dc_ntvfs"],
> ad_member_idmap_rid => ["ad_dc"],
>- ad_member_idmap_ad => ["ad_dc"],
>+ ad_member_idmap_ad => ["fl2008r2dc"],
> );
>
> sub setup_nt4_dc
>--
>2.17.0
>
>
>From 419bdbc034e2bdedf2219be731098e691dff225a Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Thu, 18 Apr 2019 13:04:09 -0700
>Subject: [PATCH 3/7] selftest: Make trusted domain information available for
> idmap_ad environment
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 281fb81ab1c72831c752be44fd1bfdcfd10bd798)
>---
> selftest/target/Samba3.pm | 7 +++++++
> 1 file changed, 7 insertions(+)
>
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index aef179e17ed..cdaf9e5080b 100755
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -764,6 +764,13 @@ sub setup_ad_member_idmap_ad
> $ret->{DC_USERNAME} = $dcvars->{USERNAME};
> $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
>
>+ $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
>+ $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
>+ $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD};
>+ $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN};
>+ $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM};
>+ $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID};
>+
> return $ret;
> }
>
>--
>2.17.0
>
>
>From bca71b12b8aa9707775cd39a9089bfdb12e49b49 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Mon, 22 Apr 2019 16:07:02 -0700
>Subject: [PATCH 4/7] selftest: Add idmap configuration for trusted domain for
> idmap_ad
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 65e1d783cb17904cd117d896569e7cbe79a3131b)
>---
> selftest/target/Samba3.pm | 2 ++
> 1 file changed, 2 insertions(+)
>
>diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
>index cdaf9e5080b..892a6a15e2d 100755
>--- a/selftest/target/Samba3.pm
>+++ b/selftest/target/Samba3.pm
>@@ -698,6 +698,8 @@ sub setup_ad_member_idmap_ad
> idmap config * : range = 1000000-1999999
> idmap config $dcvars->{DOMAIN} : backend = ad
> idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
>+ idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
>+ idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
> ";
>
> my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
>--
>2.17.0
>
>
>From 62afe2a252a99f72abb491e31446819d32abfe95 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Mon, 22 Apr 2019 16:38:11 -0700
>Subject: [PATCH 5/7] selftest: Pass trusted domain information to idmap_ad
> test
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
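Review bot: In PATCH 4/7 the two added `idmap config $dcvars->{TRUST_DOMAIN}` lines give the trusted domain exactly the same range (2000000-2999999) as the primary domain, and nothing near the hunk says the overlap is deliberate. Overlapping ranges map correctly only while the uidNumber/gidNumber values stored in AD are unique across both domains, which the test script appears to arrange by using 2000000-2000002 for one domain and 2500000-2500002 for the other. A Perl comment above the option string would stop a later reader from "correcting" it, for example `# Both domains deliberately share one range: regression test for bug 13903 (overlapping idmap_ad ranges).` The option string and setup_ad_member_idmap_ad both begin outside the hunk.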
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit ac0f8656eed39a4527a5336cf93aa1508666f79b)
>---
> nsswitch/tests/test_idmap_ad.sh | 7 +++++--
> source3/selftest/tests.py | 2 +-
> 2 files changed, 6 insertions(+), 3 deletions(-)
>
>diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
>index 3e36498efcb..d89ed20a799 100755
>--- a/nsswitch/tests/test_idmap_ad.sh
>+++ b/nsswitch/tests/test_idmap_ad.sh
>@@ -3,14 +3,17 @@
> # Basic testing of id mapping with idmap_ad
> #
>
>-if [ $# -ne 3 ]; then
>- echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD
>+if [ $# -ne 6 ]; then
>+ echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD TRUST_DOMAIN TRUST_SERVER TRUST_PASSWORD
> exit 1
> fi
>
> DOMAIN="$1"
> DC_SERVER="$2"
> DC_PASSWORD="$3"
>+TRUST_DOMAIN="$4"
>+TRUST_SERVER="$5"
>+TRUST_PASSWORD="$6"
>
> wbinfo="$VALGRIND $BINDIR/wbinfo"
> ldbmodify="$VALGRIND $BINDIR/ldbmodify"
>diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
>index 1eb220ddcce..7067abc5fb4 100755
>--- a/source3/selftest/tests.py
>+++ b/source3/selftest/tests.py
>@@ -564,7 +564,7 @@ for t in tests:
> elif t == "idmap.rid":
> plantestsuite(t, "ad_member_idmap_rid", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rid.sh"), '$DOMAIN', '2000000'])
> elif t == "idmap.ad":
>- plantestsuite(t, "ad_member_idmap_ad", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_ad.sh"), '$DOMAIN', '$DC_SERVER', '$DC_PASSWORD'])
>+ plantestsuite(t, "ad_member_idmap_ad", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_ad.sh"), '$DOMAIN', '$DC_SERVER', '$DC_PASSWORD', '$TRUST_DOMAIN', '$TRUST_SERVER', '$TRUST_PASSWORD'])
> elif t == "raw.acls":
> plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
> plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/nfs4acl_simple_40 -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple-40')
>--
>2.17.0
>
>
>From bdbd39b6ab7f84b98527c7e3f599a8de1f563b01 Mon Sep 17 00:00:00 2001
>From: Christof Schmitt <cs@samba.org>
>Date: Mon, 22 Apr 2019 16:41:42 -0700
>Subject: [PATCH 6/7] selftest: Add trusted domain tests for idmap_ad
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>(cherry picked from commit 2577f43a133f8b8eb997b9529a38e21c77b5da22)
>---
> nsswitch/tests/test_idmap_ad.sh | 106 ++++++++++++++++++++++++++++++++
> selftest/knownfail | 1 +
> 2 files changed, 107 insertions(+)
>
>diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
>index d89ed20a799..d919dcd09e2 100755
>--- a/nsswitch/tests/test_idmap_ad.sh
>+++ b/nsswitch/tests/test_idmap_ad.sh
>@@ -29,12 +29,24 @@ if [ $? -ne 0 ] ; then
> exit 1
> fi
>
>+TRUST_DOMAIN_SID=$($wbinfo -n "$TRUST_DOMAIN/" | cut -f 1 -d " ")
>+if [ $? -ne 0 ] ; then
>+ echo "Could not find trusted domain SID" | subunit_fail_test "test_idmap_ad"
>+ exit 1
>+fi
>+
> BASE_DN=$($ldbsearch -H ldap://$DC_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
> if [ $? -ne 0 ] ; then
> echo "Could not find base DB" | subunit_fail_test "test_idmap_ad"
> exit 1
> fi
>
>+TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}')
>+if [ $? -ne 0 ] ; then
>+ echo "Could not find trusted base DB" | subunit_fail_test "test_idmap_ad"
>+ exit 1
>+fi
>+
> #
> # Add POSIX ids to AD
> #
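Review bot: The `if [ $? -ne 0 ]` guards after the new `TRUST_DOMAIN_SID=$(... | cut ...)` and `TRUST_BASE_DN=$(... | awk ...)` assignments test the exit status of `cut` and `awk`, the last command of each pipeline, so a failing `wbinfo -n` or `ldbsearch` is not caught. The script would then continue with an empty SID or base DN and issue `ldbmodify` requests against a malformed `dn:` on the trusted DC. Testing the captured value is more reliable: `if [ -z "$TRUST_DOMAIN_SID" ] ; then` and `if [ -z "$TRUST_BASE_DN" ] ; then`. The context lines show the existing `BASE_DN` lookup following the same pattern, so it would benefit from the same change.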
>@@ -59,6 +71,33 @@ add: gidNumber
> gidNumber: 2000002
> EOF
>
>+#
>+# Add POSIX ids to trusted domain
>+#
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: uidNumber
>+uidNumber: 2500000
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: gidNumber
>+gidNumber: 2500001
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+add: gidNumber
>+gidNumber: 2500002
>+EOF
>+
> #
> # Test 1: Test uid of Administrator, should be 2000000
> #
>@@ -99,6 +138,46 @@ test "$out" = "$DOMAIN_SID-512"
> ret=$?
> testit "Test gid lookup of Domain Admins" test $ret -eq 0 || failed=$(expr $failed + 1)
>
>+#
>+# Trusted domain test 1: Test uid of Administrator, should be 2500000
>+#
>+
>+out="$($wbinfo -S $TRUST_DOMAIN_SID-500)"
>+echo "wbinfo returned: \"$out\", expecting \"2500000\""
>+test "$out" = "2500000"
>+ret=$?
>+testit "Test uid of Administrator in trusted domain is 2500000" test $ret -eq 0 || failed=$(expr $failed + 1)
>+
>+#
>+# Trusted domain test 2: Test gid of Domain Users, should be 2500001
>+#
>+
>+out="$($wbinfo -Y $TRUST_DOMAIN_SID-513)"
>+echo "wbinfo returned: \"$out\", expecting \"2500001\""
>+test "$out" = "2500001"
>+ret=$?
>+testit "Test uid of Domain Users in trusted domain is 2500001" test $ret -eq 0 || failed=$(expr $failed + 1)
>+
>+#
>+# Trusted domain test 3: Test get userinfo for Administrator works
>+#
>+
>+out="$($wbinfo -i $TRUST_DOMAIN/Administrator)"
>+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false\""
>+test "$out" = "$TRUST_DOMAIN/administrator:*:2500000:2500001::/home/$TRUST_DOMAIN/administrator:/bin/false"
>+ret=$?
>+testit "Test get userinfo for Administrator works" test $ret -eq 0 || failed=$(expr $failed + 1)
>+
>+#
>+# Trusted domain test 4: Test lookup from gid to sid
>+#
>+
>+out="$($wbinfo -G 2500002)"
>+echo "wbinfo returned: \"$out\", expecting \"$TRUST_DOMAIN_SID-512\""
>+test "$out" = "$TRUST_DOMAIN_SID-512"
>+ret=$?
>+testit "Test gid lookup of Domain Admins in trusted domain." test $ret -eq 0 || failed=$(expr $failed + 1)
>+
> #
> # Remove POSIX ids from AD
> #
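Review bot: Two of the new `testit` names are misleading. Trusted domain test 2 is a gid lookup (`wbinfo -Y`) but is labelled "Test uid of Domain Users in trusted domain is 2500001", and trusted domain test 3 reuses the exact name "Test get userinfo for Administrator works" that the primary-domain test already carries (visible as context in PATCH 1/7). The knownfail entry added in this patch matches on the test name, so a duplicated name cannot be listed or triaged separately for the two domains. Suggested names are `testit "Test gid of Domain Users in trusted domain is 2500001" ...` and `testit "Test get userinfo for Administrator in trusted domain works" ...`.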
>@@ -123,4 +202,31 @@ delete: gidNumber
> gidNumber: 2000002
> EOF
>
>+#
>+# Remove POSIX ids from trusted domain
>+#
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Administrator,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: uidNumber
>+uidNumber: 2500000
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Users,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: gidNumber
>+gidNumber: 2500001
>+EOF
>+
>+cat <<EOF | $ldbmodify -H ldap://$TRUST_SERVER \
>+ -U "$TRUST_DOMAIN\Administrator%$TRUST_PASSWORD"
>+dn: CN=Domain Admins,CN=Users,$TRUST_BASE_DN
>+changetype: modify
>+delete: gidNumber
>+gidNumber: 2500002
>+EOF
>+
> exit $failed
>diff --git a/selftest/knownfail b/selftest/knownfail
>index 7176e097eb2..80f99540755 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -360,3 +360,4 @@
> ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
> ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
> ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
>+^idmap.ad.Test gid lookup of Domain Admins in trusted domain.\(ad_member_idmap_ad\)
>--
>2.17.0
>
>
>From 3193f6c163f09ed43d5c21bb914ba46b4d8889c1 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Fri, 12 Apr 2019 16:56:45 +0200
>Subject: [PATCH 7/7] winbind: Fix overlapping id ranges
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Christof Schmitt <cs@samba.org>
>Reviewed-by: Jeremy Allison <jra@samba.org>
>
>Autobuild-User(master): Jeremy Allison <jra@samba.org>
>Autobuild-Date(master): Wed Apr 24 02:25:56 UTC 2019 on sn-devel-184
>
>(cherry picked from commit 3020050bdf9df077ec9a0e962a689557187174ac)
>---
> selftest/knownfail | 1 -
> source3/winbindd/wb_xids2sids.c | 12 ++++++++++--
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
>diff --git a/selftest/knownfail b/selftest/knownfail
>index 80f99540755..7176e097eb2 100644
>--- a/selftest/knownfail
>+++ b/selftest/knownfail
>@@ -360,4 +360,3 @@
> ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\)
> ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
> ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\)
>-^idmap.ad.Test gid lookup of Domain Admins in trusted domain.\(ad_member_idmap_ad\)
>diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
>index c5a35275d53..9ddc71f3796 100644
>--- a/source3/winbindd/wb_xids2sids.c
>+++ b/source3/winbindd/wb_xids2sids.c
>@@ -302,7 +302,11 @@ static struct tevent_req *wb_xids2sids_dom_send(
> continue;
> }
> if (state->cached[i]) {
>- /* already mapped */
>+ /* already found in cache */
>+ continue;
>+ }
>+ if (!is_null_sid(&state->all_sids[i])) {
>+ /* already mapped in a previously asked domain */
> continue;
> }
> state->dom_xids[state->num_dom_xids++] = id;
>@@ -369,7 +373,11 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq)
> continue;
> }
> if (state->cached[i]) {
>- /* already mapped */
>+ /* already found in cache */
>+ continue;
>+ }
>+ if (!is_null_sid(&state->all_sids[i])) {
>+ /* already mapped in a previously asked domain */
> continue;
> }
>
>--
>2.17.0
>
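Review bot: The new `is_null_sid(&state->all_sids[i])` skip is hand-copied into the filter loops of both wb_xids2sids_dom_send and wb_xids2sids_dom_done. Those two loops apparently must select the same indices in the same order for each domain's results to land in the right `all_sids` slot, so one copy drifting from the other would silently attach a SID to the wrong id. A small static helper holding the whole skip predicate, called from both loops, would remove that risk. The new branch could also state the resulting policy for overlapping ranges, e.g. `/* first domain that returns a mapping wins; later domains are not asked for this id */`. Both function bodies start and end outside the hunks, so the first condition of each loop is not visible here.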
Flags:
jra
:
review+