The Samba-Bugzilla – Attachment 16409 Details for
Bug 14539
winbindd should avoid lookupsids for idmapping if not required
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Additional patch for v4-14-test
tmp414.diff.txt (text/plain), 3.45 KB, created by
Stefan Metzmacher
on 2021-01-27 10:29:50 UTC
(
hide
)
Description:
Additional patch for v4-14-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2021-01-27 10:29:50 UTC
Size:
3.45 KB
patch
obsolete
>From 68f72f3dc25427cb1abe0875ec62ee7c05294f3a Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 23 Oct 2020 12:21:57 +0200 >Subject: [PATCH] s3:idmap_hash: reliable return ID_TYPE_BOTH > >idmap_hash used to bounce back the requested type, >which was ID_TYPE_UID, ID_TYPE_GID or ID_TYPE_NOT_SPECIFIED >before as the winbindd parent always used a lookupsids. >When the lookupsids failed because of an unknown domain, >the idmap child weren't requested at all and the caller >sees ID_TYPE_NOT_SPECIFIED. > >This module should have supported ID_TYPE_BOTH since >samba-4.1.0, similar to idmap_rid and idmap_autorid. > >Now that the winbindd parent will pass ID_TYPE_BOTH in order to >indicate that the domain exists, it's better to always return >ID_TYPE_BOTH instead of a random mix of ID_TYPE_UID, ID_TYPE_GID >or ID_TYPE_BOTH. In order to request a type_hint it will return >ID_REQUIRE_TYPE for ID_TYPE_NOT_SPECIFIED, which means that >the parent at least assures that the domain sid exists. >And the caller still gets ID_TYPE_NOT_SPECIFIED if the >domain doesn't exist. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14539 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> > >Autobuild-User(master): Stefan Metzmacher <metze@samba.org> >Autobuild-Date(master): Fri Jan 22 11:32:46 UTC 2021 on sn-devel-184 > >(cherry picked from commit d8339056eef2845805f573bd8b0f3323370ecc8f) >Reviewed-by: Ralph Boehme <slow@samba.org> >--- > source3/winbindd/idmap_hash/idmap_hash.c | 35 ++++++++++++++++++++++++ > 1 file changed, 35 insertions(+) > >diff --git a/source3/winbindd/idmap_hash/idmap_hash.c b/source3/winbindd/idmap_hash/idmap_hash.c >index be0ba45a0443..d0bed7631a61 100644 >--- a/source3/winbindd/idmap_hash/idmap_hash.c >+++ b/source3/winbindd/idmap_hash/idmap_hash.c >@@ -261,6 +261,25 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, > > ids[i]->status = ID_UNMAPPED; > >+ if (ids[i]->xid.type == ID_TYPE_NOT_SPECIFIED) { >+ /* >+ * idmap_hash used to bounce back the requested type, >+ * which was ID_TYPE_UID, ID_TYPE_GID or >+ * ID_TYPE_NOT_SPECIFIED before as the winbindd parent >+ * always used a lookupsids. When the lookupsids >+ * failed because of an unknown domain, the idmap child >+ * weren't requested at all and the caller sees >+ * ID_TYPE_NOT_SPECIFIED. >+ * >+ * Now that the winbindd parent will pass ID_TYPE_BOTH >+ * in order to indicate that the domain exists. >+ * We should ask the parent to fallback to lookupsids >+ * if the domain is not known yet. >+ */ >+ ids[i]->status = ID_REQUIRE_TYPE; >+ continue; >+ } >+ > sid_copy(&sid, ids[i]->sid); > sid_split_rid(&sid, &rid); > >@@ -270,6 +289,22 @@ static NTSTATUS sids_to_unixids(struct idmap_domain *dom, > /* Check that both hashes are non-zero*/ > > if (h_domain && h_rid) { >+ /* >+ * idmap_hash used to bounce back the requested type, >+ * which was ID_TYPE_UID, ID_TYPE_GID or >+ * ID_TYPE_NOT_SPECIFIED before as the winbindd parent >+ * always used a lookupsids. >+ * >+ * This module should have supported ID_TYPE_BOTH since >+ * samba-4.1.0, similar to idmap_rid and idmap_autorid. >+ * >+ * Now that the winbindd parent will pass ID_TYPE_BOTH >+ * in order to indicate that the domain exists, it's >+ * better to always return ID_TYPE_BOTH instead of a >+ * random mix of ID_TYPE_UID, ID_TYPE_GID or >+ * ID_TYPE_BOTH. >+ */ >+ ids[i]->xid.type = ID_TYPE_BOTH; > ids[i]->xid.id = combine_hashes(h_domain, h_rid); > ids[i]->status = ID_MAPPED; > } >-- >2.25.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
Actions:
View
Attachments on
bug 14539
:
16402
| 16409