From b9fb01b714d531729b8c7d9df46bdd869bb6dede Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Fri, 5 Mar 2021 15:48:29 -0700
Subject: [PATCH 1/3] winbind: Only use unixid2sid mapping when module reports ID_MAPPED
Only consider a mapping to be valid when the idmap module reports ID_MAPPED. Otherwise return the null SID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
(cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23)
---
 source3/winbindd/winbindd_dual_srv.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index b8694db3db9..22315ab8c91 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -276,8 +276,10 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
 }
 for (i=0; iin.num_ids; i++) {
- r->out.xids[i] = maps[i]->xid;
- sid_copy(&r->out.sids[i], maps[i]->sid);
+ if (maps[i]->status == ID_MAPPED) {
+ r->out.xids[i] = maps[i]->xid;
+ sid_copy(&r->out.sids[i], maps[i]->sid);
+ }
 }
 TALLOC_FREE(maps);
--
2.27.0
From c225850a1ebd1309deb2c4a365d592049a43968a Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Fri, 5 Mar 2021 16:01:13 -0700
Subject: [PATCH 2/3] idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map array. The later check for the type detected a mismatch, but that did not remove the SID from the result struct. Change this by first assigning the SID to a temporary variable and only write it to the id_map array after the type checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
Signed-off-by: Christof Schmitt
(cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc)
---
 source3/winbindd/idmap_rfc2307.c | 4 +++-
 source3/winbindd/winbindd_dual_srv.c | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
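Review bot: Entries whose status is not ID_MAPPED are now skipped without writing `r->out.sids[i]`, so the null SID promised in the commit message is only produced if the sids array was zero-filled before the loop, which happens outside this hunk and cannot be confirmed here. Making it explicit keeps the contract independent of how the output array was allocated: `} else { r->out.sids[i] = (struct dom_sid) { 0 }; }` (PATCH 2/3 in this series adds exactly that; folding it into this patch would keep each commit self-contained for backports). `r->out.xids[i]` is likewise left untouched for unmapped entries, presumably because the xids array carries the caller-supplied input, but a short comment on the if stating that unmapped ids keep their input xid and get the null SID would spare the next reader the same question. The body of _wbint_UnixIDs2Sids continues outside the hunk.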
diff --git a/source3/winbindd/idmap_rfc2307.c b/source3/winbindd/idmap_rfc2307.c
index e3bf58d8165..2fffaec6cca 100644
--- a/source3/winbindd/idmap_rfc2307.c
+++ b/source3/winbindd/idmap_rfc2307.c
@@ -228,6 +228,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
 for (i = 0; i < count; i++) {
 char *name;
+ struct dom_sid sid;
 enum lsa_SidType lsa_type;
 struct id_map *map;
 uint32_t id;
@@ -276,7 +277,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
 the following call will not recurse so this is safe */
 (void)winbind_on();
 /* Lookup name from PDC using lsa_lookup_names() */
- b = winbind_lookup_name(dom_name, name, map->sid, &lsa_type);
+ b = winbind_lookup_name(dom_name, name, &sid, &lsa_type);
 (void)winbind_off();
 if (!b) {
@@ -300,6 +301,7 @@ static void idmap_rfc2307_map_sid_results(struct idmap_rfc2307_context *ctx,
 }
 map->status = ID_MAPPED;
+ sid_copy(map->sid, &sid);
 }
 }
diff --git a/source3/winbindd/winbindd_dual_srv.c b/source3/winbindd/winbindd_dual_srv.c
index 22315ab8c91..610195d9fb4 100644
--- a/source3/winbindd/winbindd_dual_srv.c
+++ b/source3/winbindd/winbindd_dual_srv.c
@@ -279,6 +279,8 @@ NTSTATUS _wbint_UnixIDs2Sids(struct pipes_struct *p,
 if (maps[i]->status == ID_MAPPED) {
 r->out.xids[i] = maps[i]->xid;
 sid_copy(&r->out.sids[i], maps[i]->sid);
+ } else {
+ r->out.sids[i] = (struct dom_sid) { 0 };
 }
 }
--
2.27.0
From 1b4943e7343f3ef403f55585da02b35678522a17 Mon Sep 17 00:00:00 2001
From: Christof Schmitt
Date: Fri, 5 Mar 2021 16:07:54 -0700
Subject: [PATCH 3/3] idmap_nss: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map array. The later check for the type detected a mismatch, but that did not remove the SID from the result struct. Change this by first assigning the SID to a temporary variable and only write it to the id_map array after the type checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663
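Review bot: In the third idmap_rfc2307.c hunk the entry is flagged with `map->status = ID_MAPPED;` one statement before `sid_copy(map->sid, &sid);` fills in the SID, the reverse of the order used in idmap_nss.c in PATCH 3/3, where the copy precedes the status assignment. Nothing visible between the two statements can observe the intermediate state, so this is a style point, but keeping both modules consistent — copy first, then mark mapped — makes "status == ID_MAPPED implies sid is valid" hold at every statement boundary and stops a later refactor from slipping code between the two lines. Suggested order: `sid_copy(map->sid, &sid);` followed by `map->status = ID_MAPPED;`. The enclosing function idmap_rfc2307_map_sid_results starts and ends outside the hunk.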
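Review bot: The new else branch in winbindd_dual_srv.c writes an all-zero `struct dom_sid` as the "not mapped" marker, but nothing at the site records that this is the value the RPC's consumer tests for, nor that `r->out.xids[i]` is deliberately left as it was. A one-line comment above the assignment, such as `/* not ID_MAPPED: return the null SID so the caller can tell this id was not resolved; xids[i] keeps its input value */`, would capture both decisions. Whether the consumer checks for the zero-filled struct (as is_null_sid() does, if memory serves) or compares against global_sid_NULL (S-1-0-0) is worth confirming against the caller, since those are different byte patterns. The enclosing function _wbint_UnixIDs2Sids continues outside the hunk.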
Signed-off-by: Christof Schmitt
Reviewed-by: Volker Lendecke
Autobuild-User(master): Volker Lendecke
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184
(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)
---
 source3/winbindd/idmap_nss.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
index 3fe98cbc729..16f5a74bc0f 100644
--- a/source3/winbindd/idmap_nss.c
+++ b/source3/winbindd/idmap_nss.c
@@ -25,6 +25,7 @@
 #include "nsswitch/winbind_client.h"
 #include "idmap.h"
 #include "lib/winbind_util.h"
+#include "libcli/security/dom_sid.h"
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_IDMAP
@@ -55,6 +56,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 struct passwd *pw;
 struct group *gr;
 const char *name;
+ struct dom_sid sid;
 enum lsa_SidType type;
 bool ret;
@@ -86,7 +88,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 the following call will not recurse so this is safe */
 (void)winbind_on();
 /* Lookup name from PDC using lsa_lookup_names() */
- ret = winbind_lookup_name(dom->name, name, ids[i]->sid, &type);
+ ret = winbind_lookup_name(dom->name, name, &sid, &type);
 (void)winbind_off();
 if (!ret) {
@@ -99,6 +101,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 switch (type) {
 case SID_NAME_USER:
 if (ids[i]->xid.type == ID_TYPE_UID) {
+ sid_copy(ids[i]->sid, &sid);
 ids[i]->status = ID_MAPPED;
 }
 break;
@@ -107,6 +110,7 @@ static NTSTATUS idmap_nss_unixids_to_sids(struct idmap_domain *dom, struct id_ma
 case SID_NAME_ALIAS:
 case SID_NAME_WKN_GRP:
 if (ids[i]->xid.type == ID_TYPE_GID) {
+ sid_copy(ids[i]->sid, &sid);
 ids[i]->status = ID_MAPPED;
 }
 break;
--
2.27.0
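Review bot: The `sid_copy(ids[i]->sid, &sid);` added in the SID_NAME_USER case of the @@ -99 hunk is repeated verbatim in the group cases of the @@ -107 hunk, so the copy is now tied to every branch that sets ID_MAPPED and any case added later has to remember both statements. A single copy after the switch, guarded by the status the cases set — `if (ids[i]->status == ID_MAPPED) { sid_copy(ids[i]->sid, &sid); }` — keeps one place where the SID becomes visible to the caller, provided the rest of the switch (outside the hunk) does not read the SID and the entry does not already carry ID_MAPPED on loop entry, which cannot be checked from here. If the per-case form is kept, the order used here — copy first, then mark mapped — is the one to keep, and idmap_rfc2307.c in PATCH 2/3 does it the other way round. The enclosing function idmap_nss_unixids_to_sids starts before and ends after these hunks.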