From 27ad4bf6f1b04897afc0e6e6448e1cfcd6320c4d Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 21 Jun 2011 15:59:40 -0700
Subject: [PATCH] Try and fix bug #7841 - WINBINDD_LOOKUPRIDS asks the wrong domain When looking up a domain for a RID query, we must always contact the relevent DC that is authoritative for the SID containing the RID. We can't just fallback to our primary DC as it only gets the RID on the query. Thanks to Volodymyr_Khomenko@dell.com for finding this.
---
 source3/winbindd/winbindd_lookuprids.c | 2 +-
 source3/winbindd/winbindd_proto.h | 1 +
 source3/winbindd/winbindd_util.c | 27 ++++++++++++++++++++++++++-
 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/source3/winbindd/winbindd_lookuprids.c b/source3/winbindd/winbindd_lookuprids.c
index e1ac26c..c93eb43 100644
--- a/source3/winbindd/winbindd_lookuprids.c
+++ b/source3/winbindd/winbindd_lookuprids.c
@@ -61,7 +61,7 @@ struct tevent_req *winbindd_lookuprids_send(TALLOC_CTX *mem_ctx,
 return tevent_req_post(req, ev);
 }
 
- domain = find_lookup_domain_from_sid(&sid);
+ domain = find_lookup_domain_from_rid(&sid);
 if (domain == NULL) {
 DEBUG(5, ("Domain for sid %s not found\n",
 sid_string_dbg(&sid)));
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 62fbc8e..10ec13c 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
@@ -430,6 +430,7 @@ struct winbindd_domain *find_our_domain(void);
 struct winbindd_domain *find_root_domain(void);
 struct winbindd_domain *find_builtin_domain(void);
 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid);
+struct winbindd_domain *find_lookup_domain_from_rid(const struct dom_sid *sid);
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name);
 bool parse_domain_user(const char *domuser, fstring domain, fstring user);
 bool parse_domain_user_talloc(TALLOC_CTX *mem_ctx, const char *domuser,
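Review bot: The new prototype in winbindd_proto.h spells its parameter `const struct dom_sid *sid`, while the sibling directly above it, `find_lookup_domain_from_sid(const DOM_SID *sid)`, uses the `DOM_SID` name. If the two names denote the same type (the header lines visible here do not show the typedef), use the spelling this branch already uses so the pair reads consistently, e.g. `struct winbindd_domain *find_lookup_domain_from_rid(const DOM_SID *sid);`. The same applies to the definition added in the last hunk of winbindd_util.c.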
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 15a3575..8acb26b 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -822,7 +822,7 @@ struct winbindd_domain *find_builtin_domain(void)
 return domain;
 }
 
-/* Find the appropriate domain to lookup a name or SID */
+/* Find the appropriate domain to lookup a name given a SID */
 
 struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
 {
@@ -854,6 +854,31 @@ struct winbindd_domain *find_lookup_domain_from_sid(const DOM_SID *sid)
 return find_our_domain();
 }
 
+/* Find the appropriate domain to lookup a RID given a SID. */
+
+struct winbindd_domain *find_lookup_domain_from_rid(const struct dom_sid *sid)
+{
+ /* RIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+
+ if ( sid_check_is_in_unix_groups(sid) ||
+ sid_check_is_unix_groups(sid) ||
+ sid_check_is_in_unix_users(sid) ||
+ sid_check_is_unix_users(sid) )
+ {
+ return find_domain_from_sid(get_global_sam_sid());
+ }
+
+ /* When looking up a domain for a RID query, we must always
+ contact the relevent DC that is authoritative for the
+ SID containing the RID. We can't just fallback to our
+ primary DC as it only gets the RID on the query. */
+
+ DEBUG(10, ("calling find_our_domain_from_sid\n"));
+ return find_domain_from_sid(sid);
+}
+
+/* Find the appropriate domain to lookup a SID given a name */
+
 struct winbindd_domain *find_lookup_domain_from_name(const char *domain_name)
 {
 if ( strequal(domain_name, unix_users_domain_name() ) ||
--
1.7.1
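Review bot: The debug line in the new find_lookup_domain_from_rid() logs `calling find_our_domain_from_sid`, but the call that follows is `find_domain_from_sid(sid)` and no function of the logged name appears anywhere in the patch, so the level-10 trace points a reader at the wrong code path. Suggest `DEBUG(10, ("calling find_domain_from_sid for %s\n", sid_string_dbg(sid)));`, which also records which SID the lookup was routed on. Unlike find_lookup_domain_from_sid(), whose visible tail is `return find_our_domain();`, the new function has no fallback and presumably returns NULL when no locally known domain matches the SID. The header comment should say so, e.g. `/* Find the appropriate domain to lookup a RID given a SID. Returns NULL if no known domain matches; callers must check. */`. The added comment block also misspells "relevant" as "relevent".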