From 9c6226e60a32ab707da7d32690d12b63023ed6c2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 2 Mar 2012 05:08:17 +0100
Subject: [PATCH 1/4] s3:winbindd: discard the expired gid cache if we're online (bug #9002)

This matches the uid case...

metze
---
 source3/winbindd/winbindd_sids_to_xids.c | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c
index 9c38b5a..b3699d0 100644
--- a/source3/winbindd/winbindd_sids_to_xids.c
+++ b/source3/winbindd/winbindd_sids_to_xids.c
@@ -135,7 +135,7 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid,
 * sids. So we check groups before users.
 */
 if (idmap_cache_find_sid2gid(sid, &gid, &expired)) {
- if (expired && is_domain_offline(find_our_domain())) {
+ if (expired && is_domain_online(find_our_domain())) {
 return false;
 }
 map->sid = sid;
-- 
1.7.4.1

From 20d2576d6e39cc75f2b1ced90616b43730e5bd40 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 24 May 2012 09:08:21 +0200
Subject: [PATCH 2/4] s3:winbindd: do not expose negative cache idmap entries as valid mappings (bug #9002)

metze
---
 source3/winbindd/winbindd_sids_to_xids.c | 22 +++++++++++-----------
 1 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c
index b3699d0..5b0f0ac 100644
--- a/source3/winbindd/winbindd_sids_to_xids.c
+++ b/source3/winbindd/winbindd_sids_to_xids.c
@@ -255,11 +255,13 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
 num_non_cached = 0;
 for (i=0; inum_sids; i++) {
- char type;
+ char type = 'x';
 uint64_t unix_id = (uint64_t)-1;
 bool found = true;
+ struct dom_sid *sid;
 if (state->cached[i].sid != NULL) {
+ sid = state->cached[i].sid;
 unix_id = state->cached[i].xid.id;
 if (state->cached[i].xid.type == ID_TYPE_UID) {
 type = 'U';
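Review bot: The new `is_domain_online()` condition in winbindd_sids_to_xids_in_cache encodes a non-obvious policy — an expired gid entry is still handed back as `ID_MAPPED` while the domain is offline — and nothing at the site says so, so a reader who sees the inverted test next to a stale-cache return will suspect a typo rather than a decision. Suggest a comment above the check: `/* An expired entry is only discarded when we can re-resolve it; while offline a stale mapping beats no mapping. */`. The same comment should say what that path does with a negative (gid -1) entry, since it is served unchanged as well. The enclosing function starts before and continues after the hunk.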
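Review bot: `char type = 'x';` is a placeholder that silences a maybe-uninitialized warning, but nothing in the hunk records that it must never reach the output string, so a later edit could emit it. A short comment would pin that contract: `char type = 'x'; /* never emitted: unix_id stays -1 when no type is resolved, so found is cleared below */`. `struct dom_sid *sid;` is likewise left uninitialized and relies on both arms of the following if/else assigning it, which they do (the else arm in the second hunk of this patch); a one-word comment `/* set in both branches below */` keeps that from being broken silently. The loop body continues past the hunk.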
@@ -267,28 +269,26 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
 type = 'G';
 }
 } else {
+ sid = &state->non_cached[num_non_cached];
 unix_id = state->ids.ids[num_non_cached].unix_id;
- if (unix_id == -1) {
- found = false;
- }
 switch(state->ids.ids[num_non_cached].type) {
 case WBC_ID_TYPE_UID:
 type = 'U';
- idmap_cache_set_sid2uid(
- &state->non_cached[num_non_cached],
- unix_id);
+ idmap_cache_set_sid2uid(sid, unix_id);
 break;
 case WBC_ID_TYPE_GID:
 type = 'G';
- idmap_cache_set_sid2gid(
- &state->non_cached[num_non_cached],
- unix_id);
+ idmap_cache_set_sid2gid(sid, unix_id);
 break;
 default:
- found = false;
+ unix_id = (uint64_t)-1;
+ break;
 }
 num_non_cached += 1;
 }
+ if (unix_id == -1) {
+ found = false;
+ }
 if (found) {
 result = talloc_asprintf_append_buffer(
-- 
1.7.4.1

From bff771210a0fe86e139e9d9a0c12d48cc1e28d14 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 19 Jun 2012 17:57:19 +0200
Subject: [PATCH 3/4] s3:passdb: don't turn negative cache entries into valid idmappings (bug #9002)

It's typical that some file operations set a NTACL, which tries sid2uid() before sid2gid(), this will create a negative cache entry. Negative SID2UID entries cause that a valid SID2GID mapping is ignored and the group is ignored in the UNIX Token.

metze
---
 source3/passdb/lookup_sid.c | 4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 2afa86e..64a181e 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1437,13 +1437,13 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
 }
 if (idmap_cache_find_sid2uid(&sids[i], &ids[i].id.uid, &expired)
- && !expired) {
+ && !expired && ids[i].id.uid != (uid_t)-1) {
 ids[i].type = WBC_ID_TYPE_UID;
 continue;
 }
 if (idmap_cache_find_sid2gid(&sids[i], &ids[i].id.gid, &expired)
- && !expired) {
+ && !expired && ids[i].id.gid != (gid_t)-1) {
 ids[i].type = WBC_ID_TYPE_GID;
 continue;
 }
-- 
1.7.4.1
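Review bot: The consolidated `if (unix_id == -1)` compares a `uint64_t` against a signed literal; it works because `-1` converts to `UINT64_MAX`, but it reads as a signed test and `-Wsign-compare` flags it, while the declaration a few lines above the hunk spells the same sentinel as `(uint64_t)-1`. Suggest `if (unix_id == (uint64_t)-1) {`, matching that initializer and the new `unix_id = (uint64_t)-1;` in the default case. The two `idmap_cache_set_sid2*(sid, unix_id)` calls still run when the backend returned -1, i.e. they store a negative entry; a comment such as `/* unix_id may be -1: storing it records a negative entry on purpose */` would tell the next reader this is intended rather than an unchecked store. The loop body continues outside the hunk.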
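Review bot: With the added `!= (uid_t)-1` and `!= (gid_t)-1` tests a fresh negative entry in both caches no longer short-circuits sids_to_unix_ids; control falls past the hunk, presumably to the winbindd round-trip the negative cache was meant to avoid, so an unmappable SID that is referenced repeatedly (an ACL full of foreign SIDs, say) is re-queried on every call. If that is acceptable because winbindd keeps its own cache (patch 4/4), the code should say so, e.g. above the first `if`: `/* Negative (-1) entries are not trusted here: a SID may be cached as "no uid" yet have a valid gid, or vice versa; let winbindd decide. */`. The function body continues after the hunk.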
From 13baee251f77ca6f72d1c36b7f41f725c2663dc5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Tue, 19 Jun 2012 17:57:19 +0200
Subject: [PATCH 4/4] s3:winbindd: don't turn negative cache entries into valid idmappings (bug #9002)

It's typical that some file operations set a NTACL, which tries sid2uid() before sid2gid(), this will create a negative cache entry. Negative SID2UID entries cause that a valid SID2GID mapping is ignored and the group is ignored in the UNIX Token.

metze
---
 source3/winbindd/winbindd_sids_to_xids.c | 12 ++++++++++--
 1 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c
index 5b0f0ac..55880b0 100644
--- a/source3/winbindd/winbindd_sids_to_xids.c
+++ b/source3/winbindd/winbindd_sids_to_xids.c
@@ -140,7 +140,11 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid,
 }
 map->sid = sid;
 map->xid.id = gid;
- map->xid.type = ID_TYPE_GID;
+ if (gid == -1) {
+ map->xid.type = ID_TYPE_NOT_SPECIFIED;
+ } else {
+ map->xid.type = ID_TYPE_GID;
+ }
 map->status = ID_MAPPED;
 return true;
 }
@@ -150,7 +154,11 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid,
 }
 map->sid = sid;
 map->xid.id = uid;
- map->xid.type = ID_TYPE_UID;
+ if (uid == -1) {
+ map->xid.type = ID_TYPE_NOT_SPECIFIED;
+ } else {
+ map->xid.type = ID_TYPE_UID;
+ }
 map->status = ID_MAPPED;
 return true;
 }
-- 
1.7.4.1
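Review bot: In the first hunk a negative gid entry still ends in `return true;`, so winbindd_sids_to_xids_in_cache reports the SID as resolved (`ID_MAPPED`, `ID_TYPE_NOT_SPECIFIED`, id -1) without ever consulting the uid cache, which the second hunk only reaches when no gid entry exists at all. If a negative gid entry can sit next to a valid uid entry for the same SID — the commit message's NTACL scenario, mirrored for a user SID, suggests it can — that user is reported unmapped, the very effect patch 3/4 avoids on the passdb side by falling through to the next check. Suggest returning early only for a real gid, remembering the negative hit, and letting the uid block run; when both caches are negative the NOT_SPECIFIED map is still returned so the backend is not re-queried. Along the way `gid == -1` / `uid == -1` read better as `(gid_t)-1` / `(uid_t)-1`, matching patch 3/4. This needs a `bool negative_hit = false;` at the top of the function and turns the final `return false;` after the uid block into `return negative_hit;` — both lines are outside the hunk.
```c
	/* … unchanged: sid2gid lookup and the expired/online check … */
		map->sid = sid;
		map->xid.id = gid;
		map->status = ID_MAPPED;
		if (gid != (gid_t)-1) {
			map->xid.type = ID_TYPE_GID;
			return true;
		}
		/* negative gid entry: keep it as the answer of last resort,
		 * but still consult the uid cache before giving up */
		map->xid.type = ID_TYPE_NOT_SPECIFIED;
		negative_hit = true;
	}
	/* … unchanged: sid2uid lookup and the expired/online check … */
		map->sid = sid;
		map->xid.id = uid;
		map->status = ID_MAPPED;
		if (uid != (uid_t)-1) {
			map->xid.type = ID_TYPE_UID;
			return true;
		}
		map->xid.type = ID_TYPE_NOT_SPECIFIED;
		negative_hit = true;
	}
	return negative_hit;
```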