The Samba-Bugzilla – Attachment 7661 Details for Bug 9002: don't turn negative cache entries into valid idmappings
[patch] Patch for v3-6-test
tmp36.diff (text/plain), 5.62 KB, created by Stefan Metzmacher on 2012-06-19 17:09:25 UTC
>From 9c6226e60a32ab707da7d32690d12b63023ed6c2 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Mar 2012 05:08:17 +0100 >Subject: [PATCH 1/4] s3:winbindd: discard the expired gid cache if we're online (bug #9002) > >This matches the uid case... > >metze >--- > source3/winbindd/winbindd_sids_to_xids.c | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > >diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c >index 9c38b5a..b3699d0 100644 >--- a/source3/winbindd/winbindd_sids_to_xids.c >+++ b/source3/winbindd/winbindd_sids_to_xids.c >@@ -135,7 +135,7 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid, > * sids. So we check groups before users. > */ > if (idmap_cache_find_sid2gid(sid, &gid, &expired)) { >- if (expired && is_domain_offline(find_our_domain())) { >+ if (expired && is_domain_online(find_our_domain())) { > return false; > } > map->sid = sid; >-- >1.7.4.1 > > >From 20d2576d6e39cc75f2b1ced90616b43730e5bd40 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 24 May 2012 09:08:21 +0200 >Subject: [PATCH 2/4] s3:winbindd: do not expose negative cache idmap entries as valid mappings (bug #9002) > >metze >--- > source3/winbindd/winbindd_sids_to_xids.c | 22 +++++++++++----------- > 1 files changed, 11 insertions(+), 11 deletions(-) > >diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c >index b3699d0..5b0f0ac 100644 >--- a/source3/winbindd/winbindd_sids_to_xids.c >+++ b/source3/winbindd/winbindd_sids_to_xids.c 
>@@ -255,11 +255,13 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req, > num_non_cached = 0; > > for (i=0; i<state->num_sids; i++) { >- char type; >+ char type = 'x'; > uint64_t unix_id = (uint64_t)-1; > bool found = true; >+ struct dom_sid *sid; > > if (state->cached[i].sid != NULL) { >+ sid = state->cached[i].sid; > unix_id = state->cached[i].xid.id; > if (state->cached[i].xid.type == ID_TYPE_UID) { > type = 'U'; >@@ -267,28 +269,26 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req, > type = 'G'; > } > } else { >+ sid = &state->non_cached[num_non_cached]; > unix_id = state->ids.ids[num_non_cached].unix_id; >- if (unix_id == -1) { >- found = false; >- } > switch(state->ids.ids[num_non_cached].type) { > case WBC_ID_TYPE_UID: > type = 'U'; >- idmap_cache_set_sid2uid( >- &state->non_cached[num_non_cached], >- unix_id); >+ idmap_cache_set_sid2uid(sid, unix_id); > break; > case WBC_ID_TYPE_GID: > type = 'G'; >- idmap_cache_set_sid2gid( >- &state->non_cached[num_non_cached], >- unix_id); >+ idmap_cache_set_sid2gid(sid, unix_id); > break; > default: >- found = false; >+ unix_id = (uint64_t)-1; >+ break; > } > num_non_cached += 1; > } >+ if (unix_id == -1) { >+ found = false; >+ } > > if (found) { > result = talloc_asprintf_append_buffer( >-- >1.7.4.1 > > >From bff771210a0fe86e139e9d9a0c12d48cc1e28d14 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 19 Jun 2012 17:57:19 +0200 >Subject: [PATCH 3/4] s3:passdb: don't turn negative cache entries into valid idmappings (bug #9002) > >It's typical that some file operations set a NTACL, which tries >sid2uid() before sid2gid(), this will create a negative cache entry. > >Negative SID2UID entries cause that a valid SID2GID mapping is ignored >and the group is ignored in the UNIX Token. > >metze >--- > source3/passdb/lookup_sid.c | 4 ++-- > 1 files changed, 2 insertions(+), 2 deletions(-) 
> >diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c >index 2afa86e..64a181e 100644 >--- a/source3/passdb/lookup_sid.c >+++ b/source3/passdb/lookup_sid.c >@@ -1437,13 +1437,13 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids, > } > if (idmap_cache_find_sid2uid(&sids[i], &ids[i].id.uid, > &expired) >- && !expired) { >+ && !expired && ids[i].id.uid != (uid_t)-1) { > ids[i].type = WBC_ID_TYPE_UID; > continue; > } > if (idmap_cache_find_sid2gid(&sids[i], &ids[i].id.gid, > &expired) >- && !expired) { >+ && !expired && ids[i].id.gid != (gid_t)-1) { > ids[i].type = WBC_ID_TYPE_GID; > continue; > } >-- >1.7.4.1 > > >From 13baee251f77ca6f72d1c36b7f41f725c2663dc5 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 19 Jun 2012 17:57:19 +0200 >Subject: [PATCH 4/4] s3:winbindd: don't turn negative cache entries into valid idmappings (bug #9002) > >It's typical that some file operations set a NTACL, which tries >sid2uid() before sid2gid(), this will create a negative cache entry. > >Negative SID2UID entries cause that a valid SID2GID mapping is ignored >and the group is ignored in the UNIX Token. > >metze >--- > source3/winbindd/winbindd_sids_to_xids.c | 12 ++++++++++-- > 1 files changed, 10 insertions(+), 2 deletions(-) > >diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c >index 5b0f0ac..55880b0 100644 >--- a/source3/winbindd/winbindd_sids_to_xids.c >+++ b/source3/winbindd/winbindd_sids_to_xids.c >@@ -140,7 +140,11 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid, > } > map->sid = sid; > map->xid.id = gid; >- map->xid.type = ID_TYPE_GID; >+ if (gid == -1) { >+ map->xid.type = ID_TYPE_NOT_SPECIFIED; >+ } else { >+ map->xid.type = ID_TYPE_GID; >+ } > map->status = ID_MAPPED; > return true; > } 
>@@ -150,7 +154,11 @@ static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid, > } > map->sid = sid; > map->xid.id = uid; >- map->xid.type = ID_TYPE_UID; >+ if (uid == -1) { >+ map->xid.type = ID_TYPE_NOT_SPECIFIED; >+ } else { >+ map->xid.type = ID_TYPE_UID; >+ } > map->status = ID_MAPPED; > return true; > } >-- >1.7.4.1 >
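Review bot: in patch 1/4 (gid branch of winbindd_sids_to_xids_in_cache) the flipped condition `expired && is_domain_online(find_our_domain())` has no comment saying why an expired entry is still accepted when the domain is not online. A one-line comment stating that stale entries are served only while offline would keep a later reader from flipping it back; since the commit message says this matches the uid case, the same comment belongs on both branches.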
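Review bot: in patch 2/4 the relocated check `if (unix_id == -1)` at the end of the loop body now also covers the cached branch, but `unix_id` is a `uint64_t` filled from `state->cached[i].xid.id`. If that field is narrower than 64 bits, a cached negative entry widens to a value that does not equal `(uint64_t)-1` and `found` stays true. Please test the sentinel at the field's own width in the cached branch (or set `unix_id = (uint64_t)-1` there explicitly) and write the final check as `unix_id == (uint64_t)-1` to match the initializer. The new `char type = 'x'` default also wants a comment saying what 'x' stands for.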
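Review bot: in patch 3/4 (sids_to_unix_ids) both lookups write their out-parameter straight into `ids[i].id` before the new `!= (uid_t)-1` and `!= (gid_t)-1` tests reject the hit, so after two negative hits `ids[i].id` is left holding the sentinel. Please confirm the code following these two checks overwrites `ids[i]` before it is read, or read into a local and assign only on acceptance. A short comment that -1 marks a negative cache entry would also help, since the same test now appears here and in winbindd.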
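Review bot: in the first hunk of patch 4/4 (gid branch) a negative gid entry still ends in `return true`, so the uid cache lookup that follows is never reached for that SID. Because this function checks groups before users, a negative SID2GID entry can hide a valid SID2UID entry, which is the mirror image of the case described in the commit message. Consider falling through to the uid lookup when `gid == -1` and returning the not-specified result only if both entries are negative.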
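Review bot: in the second hunk of patch 4/4 (uid branch) the negative entry gets `ID_TYPE_NOT_SPECIFIED` but `map->status = ID_MAPPED` is left unchanged, so a caller that tests only the status still sees a mapping. Either set a non-mapped status for the -1 case or document that callers must check `xid.type`. The bare `uid == -1` also differs from the `(uid_t)-1` form used in patch 3/4; using the cast in both places keeps the sentinel test consistent.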
Flags: obnox: review-