From 5964266fbde53fd2b1b0674085c97ffdfe49d4e4 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Wed, 25 Sep 2019 17:19:27 -0700 Subject: [PATCH 1/2] selftest: Test ID_TYPE_BOTH with idmap_rid module ID_TYPE_BOTH means that each user and group has two mappings, a uid and gid. In addition the calls to getpwent, getpwuid, getgrent and getgrgid always return some information, so that uid and gid can be mapped to a name. Establish a test to verify that the expected information is returned. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141 Signed-off-by: Christof Schmitt Reviewed-by: Stefan Metzmacher (cherry picked from commit 485874d6bb328c50c9a98785e85270f28ade7497)
---
nsswitch/tests/test_idmap_rid.sh | 132 +++++++++++++++++++++++ selftest/knownfail.d/passwd-id-type-both | 4 + 2 files changed, 136 insertions(+) create mode 100644 selftest/knownfail.d/passwd-id-type-both
diff --git a/nsswitch/tests/test_idmap_rid.sh b/nsswitch/tests/test_idmap_rid.sh
index 8209a50a4fc..4e6477f666e 100755
--- a/nsswitch/tests/test_idmap_rid.sh
+++ b/nsswitch/tests/test_idmap_rid.sh
@@ -63,4 +63,136 @@ test "$out" = "$SID -> unmapped" ret=$? testit "Bogus SID returns unmapped" test $ret -eq 0 || failed=$(expr $failed + 1) +# +# Test 3: ID_TYPE_BOTH mappings for group +# + +GROUP="$DOMAIN/Domain Users" +GROUP_SID=$($wbinfo --name-to-sid="$GROUP" | sed -e 's/ .*//') + +uid=$($wbinfo --sid-to-uid=$GROUP_SID) +ret=$? +testit "ID_TYPE_BOTH group map to uid succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +testit "ID_TYPE_BOTH group map to uid has result" test -n $uid ||\ + failed=$(expr $failed + 1) + +gid=$($wbinfo --sid-to-gid=$GROUP_SID) +ret=$? +testit "ID_TYPE_BOTH group map to gid succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +testit "ID_TYPE_BOTH group map to gid has result" test -n $gid ||\ + failed=$(expr $failed + 1) + +testit "ID_TYPE_BOTH group uid equals gid" test $uid -eq $gid ||\ + failed=$(expr $failed + 1) + +group_pw="$DOMAIN/domain users:*:$uid:$gid::/home/$DOMAIN/domain users:/bin/false" + +out=$(getent passwd "$GROUP") +ret=$? +testit "getpwnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +test "$out" = "$group_pw" +ret=$? +testit "getpwnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +out=$(getent passwd $uid) +ret=$? +testit "getpwuid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$group_pw" +ret=$? +testit "getpwuid for ID_TYPE_BOTH group output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +group_gr="$DOMAIN/domain users:x:$gid:" + +out=$(getent group "$GROUP") +ret=$? +testit "getgrnam for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$group_gr" +ret=$? +testit "getgrnam for ID_TYPE_BOTH group output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +out=$(getent group "$gid") +ret=$? +testit "getgrgid for ID_TYPE_BOTH group succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$group_gr" +ret=$? 
+testit "getgrgid for ID_TYPE_BOTH group output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +# +# Test 4: ID_TYPE_BOTH mappings for user +# + +dom_users_gid=$gid + +USER="$DOMAIN/Administrator" +USER_SID=$($wbinfo --name-to-sid="$USER" | sed -e 's/ .*//') + +uid=$($wbinfo --sid-to-uid=$USER_SID) +ret=$? +testit "ID_TYPE_BOTH user map to uid succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +testit "ID_TYPE_BOTH user map to uid has result" test -n $uid ||\ + failed=$(expr $failed + 1) + +gid=$($wbinfo --sid-to-gid=$USER_SID) +ret=$? +testit "ID_TYPE_BOTH user map to gid succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +testit "ID_TYPE_BOTH user map to gid has result" test -n $gid ||\ + failed=$(expr $failed + 1) + +testit "ID_TYPE_BOTH user uid equals gid" test $uid -eq $gid ||\ + failed=$(expr $failed + 1) + +user_pw="$DOMAIN/administrator:*:$uid:$dom_users_gid::/home/$DOMAIN/administrator:/bin/false" + +out=$(getent passwd "$USER") +ret=$? +testit "getpwnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +test "$out" = "$user_pw" +ret=$? +testit "getpwnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +out=$(getent passwd $uid) +ret=$? +testit "getpwuid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$user_pw" +ret=$? +testit "getpwuid for ID_TYPE_BOTH user output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +user_gr="$DOMAIN/administrator:x:$gid:$DOMAIN/administrator" + +out=$(getent group "$USER") +ret=$? +testit "getgrnam for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$user_gr" +ret=$? +testit "getgrnam for ID_TYPE_BOTH user output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + +out=$(getent group "$gid") +ret=$? +testit "getgrgid for ID_TYPE_BOTH user succeeds" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) +test "$out" = "$user_gr" +ret=$? 
+testit "getgrgid for ID_TYPE_BOTH user output" test $ret -eq 0 ||\ + failed=$(expr $failed + 1) + exit $failed diff --git a/selftest/knownfail.d/passwd-id-type-both b/selftest/knownfail.d/passwd-id-type-both new file mode 100644 index 00000000000..e969ef8d165 --- /dev/null +++ b/selftest/knownfail.d/passwd-id-type-both @@ -0,0 +1,4 @@ +idmap\.rid.getpwnam for ID_TYPE_BOTH group succeeds\(ad_member_idmap_rid\) +idmap\.rid.getpwnam for ID_TYPE_BOTH group output\(ad_member_idmap_rid\) +idmap\.rid.getpwuid for ID_TYPE_BOTH group succeeds\(ad_member_idmap_rid\) +idmap\.rid.getpwuid for ID_TYPE_BOTH group output\(ad_member_idmap_rid\) -- 2.17.0 From bd7248aa7bb0ca08c19396f5bc15c397de04347d Mon Sep 17 00:00:00 2001 From: Michael Adam Date: Fri, 11 Jan 2019 10:44:30 +0100 Subject: [PATCH 2/2] winbind: provide passwd struct for group sid with ID_TYPE_BOTH mapping (again) https://git.samba.org/?p=samba.git;a=commitdiff;h=394622ef8c916cf361f8596dba4664dc8d6bfc9e originally introduced the above feature. This functionality was undone as part of "winbind: Restructure get_pwsid" https://git.samba.org/?p=samba.git;a=commitdiff;h=bce19a6efe11980933531f0349c8f5212419366a I think that this semantic change was accidential. This patch undoes the semantic change and re-establishes the functionality. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14141 Signed-off-by: Michael Adam Reviewed-by: Christof Schmitt Reviewed-by: Stefan Metzmacher Autobuild-User(master): Christof Schmitt Autobuild-Date(master): Fri Sep 27 17:25:29 UTC 2019 on sn-devel-184 (cherry picked from commit 63c9147f8631d73b52bdd36ff407e0361dcf5178) --- selftest/knownfail.d/passwd-id-type-both | 4 ---- source3/winbindd/wb_queryuser.c | 18 ++++++++++++++++-- 2 files changed, 16 insertions(+), 6 deletions(-) delete mode 100644 selftest/knownfail.d/passwd-id-type-both diff --git a/selftest/knownfail.d/passwd-id-type-both b/selftest/knownfail.d/passwd-id-type-both deleted file mode 100644 index e969ef8d165..00000000000 
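Review bot: The four "has result" checks in Test 3 and Test 4 (`test -n $uid` and `test -n $gid`) expand the variable unquoted, so an empty wbinfo result turns the command into `test -n`, which evaluates true, and the check passes on a missing mapping (assuming testit runs its arguments as the command). Quoting makes the check do what its name says: `test -n "$uid"` and `test -n "$gid"`. The same quoting would be worth applying to `--sid-to-uid=$GROUP_SID`, `--sid-to-gid=$USER_SID` and `getent passwd $uid`, where an empty value silently changes which lookup is performed. As written, only the later `test $uid -eq $gid` would notice an empty id, and only because test errors out on the malformed expression.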
--- a/selftest/knownfail.d/passwd-id-type-both +++ /dev/null @@ -1,4 +0,0 @@ -idmap\.rid.getpwnam for ID_TYPE_BOTH group succeeds\(ad_member_idmap_rid\) -idmap\.rid.getpwnam for ID_TYPE_BOTH group output\(ad_member_idmap_rid\) -idmap\.rid.getpwuid for ID_TYPE_BOTH group succeeds\(ad_member_idmap_rid\) -idmap\.rid.getpwuid for ID_TYPE_BOTH group output\(ad_member_idmap_rid\) diff --git a/source3/winbindd/wb_queryuser.c b/source3/winbindd/wb_queryuser.c index 17170c3352a..2eb61406fc5 100644 --- a/source3/winbindd/wb_queryuser.c +++ b/source3/winbindd/wb_queryuser.c @@ -166,8 +166,22 @@ static void wb_queryuser_got_domain(struct tevent_req *subreq) return; } - if (type != SID_NAME_USER) { - /* allow SID_NAME_COMPUTER? */ + switch (type) { + case SID_NAME_USER: + case SID_NAME_COMPUTER: + /* + * user case: we only need the account name from lookup_sids + */ + break; + case SID_NAME_DOM_GRP: + case SID_NAME_ALIAS: + case SID_NAME_WKN_GRP: + /* + * also treat group-type SIDs (they might map to ID_TYPE_BOTH) + */ + sid_copy(&info->group_sid, &info->user_sid); + break; + default: tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); return; } -- 2.17.0
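Review bot: The new group branch in wb_queryuser_got_domain accepts SID_NAME_DOM_GRP, SID_NAME_ALIAS and SID_NAME_WKN_GRP unconditionally, and the comment "they might map to ID_TYPE_BOTH" does not say where a group that maps only to a gid gets rejected. If that rejection happens in the later xid lookup, which is outside this hunk, the comment should state it, for example `/* group SID doubles as its own primary group; a passwd entry results only if the later id lookup yields a uid (ID_TYPE_BOTH) */`, because otherwise NSS consumers could start seeing group names as passwd entries. The switch also admits SID_NAME_COMPUTER, which the removed code rejected with an open "allow SID_NAME_COMPUTER?" question, and the commit description mentions only group SIDs, so that widening deserves a sentence of its own. The accompanying selftest covers only "Domain Users" and Administrator, so the alias, well-known-group and computer cases introduced here appear to be untested.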