From fe42792bc1f5126f1345d0f094026b64091504f1 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Mon, 22 Apr 2019 16:15:20 -0700 Subject: [PATCH 1/7] selftest: Add gid-to-sid lookup to idmap_ad test BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit d7b5ad5e6159c224f70bea782bbdc46059e67978) --- nsswitch/tests/test_idmap_ad.sh | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh index 7450ae06059..3e36498efcb 100755 --- a/nsswitch/tests/test_idmap_ad.sh +++ b/nsswitch/tests/test_idmap_ad.sh @@ -49,6 +49,13 @@ add: gidNumber gidNumber: 2000001 EOF +cat < Date: Wed, 17 Apr 2019 16:12:27 -0700 Subject: [PATCH 2/7] selftest: Use fl2008r2dc for ad_member_idmap_ad fl2008r2dc already has a trusted domain. That will be used to use idmap_ad for querying idmap attributes from the trusted domain. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903 Signed-off-by: Christof Schmitt Reviewed-by: Jeremy Allison (cherry picked from commit 8266bd1f45d1b5b2a61d84006ab8e8e1ed0e52a9) --- selftest/target/Samba3.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 47b9c8cbc48..9d64c5fc677 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -181,7 +181,7 @@ sub check_env($$) ad_member => ["ad_dc"], ad_member_rfc2307 => ["ad_dc_ntvfs"], ad_member_idmap_rid => ["ad_dc"], - ad_member_idmap_ad => ["ad_dc"], + ad_member_idmap_ad => ["fl2008r2dc"], ); sub setup_nt4_dc -- 2.17.0 From a5cd28b9df69b2dfff5a3e2816a6029d24998c55 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Thu, 18 Apr 2019 13:04:09 -0700 Subject: [PATCH 3/7] selftest: Make trusted domain information available for idmap_ad environment BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903 
Signed-off-by: Christof Schmitt
Reviewed-by: Jeremy Allison
(cherry picked from commit 281fb81ab1c72831c752be44fd1bfdcfd10bd798)
---
 selftest/target/Samba3.pm | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 9d64c5fc677..7b6ea7dbaef 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -748,6 +748,13 @@ sub setup_ad_member_idmap_ad
 $ret->{DC_USERNAME} = $dcvars->{USERNAME};
 $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
 
+ $ret->{TRUST_SERVER} = $dcvars->{TRUST_SERVER};
+ $ret->{TRUST_USERNAME} = $dcvars->{TRUST_USERNAME};
+ $ret->{TRUST_PASSWORD} = $dcvars->{TRUST_PASSWORD};
+ $ret->{TRUST_DOMAIN} = $dcvars->{TRUST_DOMAIN};
+ $ret->{TRUST_REALM} = $dcvars->{TRUST_REALM};
+ $ret->{TRUST_DOMSID} = $dcvars->{TRUST_DOMSID};
+
 return $ret;
 }
 
-- 
2.17.0

From 7e1fba821da95875c2801fce53a43b0c9f2ff221 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 22 Apr 2019 16:07:02 -0700
Subject: [PATCH 4/7] selftest: Add idmap configuration for trusted domain for idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt
Reviewed-by: Jeremy Allison
(cherry picked from commit 65e1d783cb17904cd117d896569e7cbe79a3131b)
---
 selftest/target/Samba3.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 7b6ea7dbaef..75e4585ce67 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -684,6 +684,8 @@ sub setup_ad_member_idmap_ad
 idmap config * : range = 1000000-1999999
 idmap config $dcvars->{DOMAIN} : backend = ad
 idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+ idmap config $dcvars->{TRUST_DOMAIN} : backend = ad
+ idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999
 ";
 
 my $ret = $self->provision($prefix, $dcvars->{DOMAIN},
-- 
2.17.0

From 28a7ee1bf7618cd14e75bf2b7d2097cec8b22543 Mon Sep 17 00:00:00 2001
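Review bot: In the `@@ -684,6 +684,8 @@` hunk of setup_ad_member_idmap_ad, the added `idmap config $dcvars->{TRUST_DOMAIN} : range = 2000000-2999999` uses exactly the range already assigned to `$dcvars->{DOMAIN}`, and nothing in the code says this is on purpose. Judging by the series title ("winbind: Fix overlapping id ranges") the overlap is presumably the condition under test, but in a real deployment two domains sharing a range let one Unix id resolve to SIDs in either domain, so the fixture should not read like a template. A Perl comment above the options string would cover it, for example `# TRUST_DOMAIN deliberately shares DOMAIN's id range to exercise bug 13903; do not copy into a real smb.conf`. The options string and the function both start outside the hunk.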
From: Christof Schmitt
Date: Mon, 22 Apr 2019 16:38:11 -0700
Subject: [PATCH 5/7] selftest: Pass trusted domain information to idmap_ad test

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt
Reviewed-by: Jeremy Allison
(cherry picked from commit ac0f8656eed39a4527a5336cf93aa1508666f79b)
---
 nsswitch/tests/test_idmap_ad.sh | 7 +++++--
 source3/selftest/tests.py | 2 +-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index 3e36498efcb..d89ed20a799 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -3,14 +3,17 @@
 # Basic testing of id mapping with idmap_ad
 #
 
-if [ $# -ne 3 ]; then
- echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD
+if [ $# -ne 6 ]; then
+ echo Usage: $0 DOMAIN DC_SERVER DC_PASSWORD TRUST_DOMAIN TRUST_SERVER TRUST_PASSWORD
 exit 1
 fi
 
 DOMAIN="$1"
 DC_SERVER="$2"
 DC_PASSWORD="$3"
+TRUST_DOMAIN="$4"
+TRUST_SERVER="$5"
+TRUST_PASSWORD="$6"
 
 wbinfo="$VALGRIND $BINDIR/wbinfo"
 ldbmodify="$VALGRIND $BINDIR/ldbmodify"
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 8b99407ba8a..f7abda05dea 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -507,7 +507,7 @@ for t in tests:
 elif t == "idmap.rid":
 plantestsuite(t, "ad_member_idmap_rid", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_rid.sh"), '$DOMAIN', '2000000'])
 elif t == "idmap.ad":
- plantestsuite(t, "ad_member_idmap_ad", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_ad.sh"), '$DOMAIN', '$DC_SERVER', '$DC_PASSWORD'])
+ plantestsuite(t, "ad_member_idmap_ad", [os.path.join(samba3srcdir, "../nsswitch/tests/test_idmap_ad.sh"), '$DOMAIN', '$DC_SERVER', '$DC_PASSWORD', '$TRUST_DOMAIN', '$TRUST_SERVER', '$TRUST_PASSWORD'])
 elif t == "raw.acls":
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD')
 plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/nfs4acl_simple_40 -U$USERNAME%$PASSWORD', description='nfs4acl_xattr-simple-40')
-- 
2.17.0

From 78f32ac9cabe9a8b7f143ac26c6e03472555f1fe Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Mon, 22 Apr 2019 16:41:42 -0700
Subject: [PATCH 6/7] selftest: Add trusted domain tests for idmap_ad

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903

Signed-off-by: Christof Schmitt
Reviewed-by: Jeremy Allison
(cherry picked from commit 2577f43a133f8b8eb997b9529a38e21c77b5da22)
---
 nsswitch/tests/test_idmap_ad.sh | 106 ++++++++++++++++++++++++++++++++
 selftest/knownfail | 1 +
 2 files changed, 107 insertions(+)

diff --git a/nsswitch/tests/test_idmap_ad.sh b/nsswitch/tests/test_idmap_ad.sh
index d89ed20a799..d919dcd09e2 100755
--- a/nsswitch/tests/test_idmap_ad.sh
+++ b/nsswitch/tests/test_idmap_ad.sh
@@ -29,12 +29,24 @@ if [ $? -ne 0 ] ; then exit 1 fi +TRUST_DOMAIN_SID=$($wbinfo -n "$TRUST_DOMAIN/" | cut -f 1 -d " ") +if [ $? -ne 0 ] ; then + echo "Could not find trusted domain SID" | subunit_fail_test "test_idmap_ad" + exit 1 +fi + BASE_DN=$($ldbsearch -H ldap://$DC_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}') if [ $? -ne 0 ] ; then echo "Could not find base DB" | subunit_fail_test "test_idmap_ad" exit 1 fi +TRUST_BASE_DN=$($ldbsearch -H ldap://$TRUST_SERVER -b "" -s base defaultNamingContext | awk '/^defaultNamingContext/ {print $2}') +if [ $? -ne 0 ] ; then + echo "Could not find trusted base DB" | subunit_fail_test "test_idmap_ad" + exit 1 +fi + # # Add POSIX ids to AD # @@ -59,6 +71,33 @@ add: gidNumber gidNumber: 2000002 EOF +# +# Add POSIX ids to trusted domain +# +cat < Date: Fri, 12 Apr 2019 16:56:45 +0200 Subject: [PATCH 7/7] winbind: Fix overlapping id ranges BUG: https://bugzilla.samba.org/show_bug.cgi?id=13903 Signed-off-by: Volker Lendecke Reviewed-by: Christof Schmitt Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Apr 24 02:25:56 UTC 2019 on sn-devel-184 (cherry picked from commit 3020050bdf9df077ec9a0e962a689557187174ac) --- selftest/knownfail | 1 - source3/winbindd/wb_xids2sids.c | 12 ++++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/selftest/knownfail b/selftest/knownfail index b990dd90e15..baf3d57a31a 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -349,4 +349,3 @@ # Disabling NTLM means you can't use samr to change the password ^samba.tests.ntlmdisabled.python\(ktest\).ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) -^idmap.ad.Test gid lookup of Domain Admins in trusted domain.\(ad_member_idmap_ad\) 
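Review bot: In the `@@ -29,12 +29,24 @@` hunk, the `[ $? -ne 0 ]` that follows `TRUST_DOMAIN_SID=$($wbinfo -n "$TRUST_DOMAIN/" | cut -f 1 -d " ")` tests the exit status of `cut`, the last command in the pipeline, so a failing wbinfo never reaches the `subunit_fail_test` branch. The same applies to `TRUST_BASE_DN`, where the status seen is that of `awk` rather than ldbsearch. Checking the captured value is reliable in plain sh: `if [ -z "$TRUST_DOMAIN_SID" ] ; then` and `if [ -z "$TRUST_BASE_DN" ] ; then`. Without that, an empty SID or base DN would be carried into the later steps of the test, which are presumably the ones that write POSIX ids into the trusted domain. The existing `BASE_DN` context lines in this hunk follow the same pattern and could be changed along with them.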
diff --git a/source3/winbindd/wb_xids2sids.c b/source3/winbindd/wb_xids2sids.c
index 03690278856..3cccbcb2e56 100644
--- a/source3/winbindd/wb_xids2sids.c
+++ b/source3/winbindd/wb_xids2sids.c
@@ -299,7 +299,11 @@ static struct tevent_req *wb_xids2sids_dom_send(
 continue;
 }
 if (state->cached[i]) {
- /* already mapped */
+ /* already found in cache */
+ continue;
+ }
+ if (!is_null_sid(&state->all_sids[i])) {
+ /* already mapped in a previously asked domain */
 continue;
 }
 state->dom_xids[state->num_dom_xids++] = id;
@@ -366,7 +370,11 @@ static void wb_xids2sids_dom_done(struct tevent_req *subreq)
 continue;
 }
 if (state->cached[i]) {
- /* already found in cache */
+ /* already found in cache */
+ continue;
+ }
+ if (!is_null_sid(&state->all_sids[i])) {
+ /* already mapped in a previously asked domain */
 continue;
 }
 
-- 
2.17.0
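Review bot: The new `if (!is_null_sid(&state->all_sids[i]))` skip is written out twice, in wb_xids2sids_dom_send (first hunk) and in wb_xids2sids_dom_done (second hunk). The two loops appear to need exactly the same skip conditions so that the replies line up with the entries placed in `state->dom_xids`, and nothing states that coupling. A comment at both sites would make the dependency explicit, for example `/* skip conditions must match wb_xids2sids_dom_send()/_dom_done() */`. It is also worth documenting that when configured ranges overlap, the first domain that returns a mapping wins, since the order in which domains are asked then decides which SID a shared xid resolves to. The check presumably relies on `all_sids` starting out as null SIDs; that initialisation lies outside both hunks, as do the start and end of both functions.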