The Samba-Bugzilla – Bug 11961
idmap_autorid allocates ids for unknown SIDs from other backends
Last modified: 2016-08-05 07:37:47 UTC
Given a config of
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 100000
idmap config HILLHOUSE : backend = ad
idmap config HILLHOUSE : schema_mode = rfc2307
idmap config HILLHOUSE : range = 100000-200000
$ ./bin/wbinfo -D HILLHOUSE | grep SID
Running wbinfo -S with a SID from the HILLHOUSE domain that doesn't exist...
$ ./bin/wbinfo -s S-1-5-21-3152989960-574718769-2188965058-66666
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-5-21-3152989960-574718769-2188965058-66666
...ends up in idmap_autorid, allocating a uid from the default autorid range:
$ ./bin/wbinfo -S S-1-5-21-3152989960-574718769-2188965058-66666
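The following audit check is an added example, not code from Samba or from this report: it parses the idmap config quoted above and flags a uid that was handed out for a HILLHOUSE SID but lies in the default autorid range instead of the HILLHOUSE range. The HILLHOUSE domain SID prefix is the one shown in the wbinfo calls above; the uids checked are constructed.

```python
import re

# idmap config lines as quoted in the bug report
SMB_CONF = """
idmap config * : backend = autorid
idmap config * : range = 1000000-19999999
idmap config * : rangesize = 100000
idmap config HILLHOUSE : backend = ad
idmap config HILLHOUSE : schema_mode = rfc2307
idmap config HILLHOUSE : range = 100000-200000
"""

# Domain SID prefix -> domain name; the HILLHOUSE prefix is taken from the report.
DOMAIN_SIDS = {"S-1-5-21-3152989960-574718769-2188965058": "HILLHOUSE"}

IDMAP_RE = re.compile(r"^\s*idmap config\s+(\S+)\s*:\s*(\w+)\s*=\s*(.+?)\s*$")


def parse_idmap_config(text):
    """Return {domain: {option: value}} for every 'idmap config' line."""
    cfg = {}
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            cfg.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return cfg


def parse_range(value):
    """'100000-200000' -> (100000, 200000)."""
    lo, hi = value.split("-")
    return int(lo), int(hi)


def domain_of(sid):
    """Drop the RID and map the domain SID prefix to a configured domain, else '*'."""
    return DOMAIN_SIDS.get(sid.rsplit("-", 1)[0], "*")


def check_mapping(cfg, sid, uid):
    """Return (domain, expected_backend, ok); ok is False when the uid lies
    outside the range of the domain that should have served this SID,
    which is exactly the symptom described in the report."""
    domain = domain_of(sid)
    section = cfg.get(domain, cfg["*"])
    lo, hi = parse_range(section["range"])
    return domain, section["backend"], lo <= uid <= hi


CFG = parse_idmap_config(SMB_CONF)
```

Run check_mapping over each (SID, uid) pair from `wbinfo -S` to spot HILLHOUSE SIDs that ended up in the autorid range.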
Have patch, need bugnumber. :)
Hold on, this was found in 4.3, still need to check whether the problem is still there in 4.4 and/or master.
Created attachment 12175 [details]
Patch for master
Created attachment 12176 [details]
Patch for master
Took me some time, but I think this patch uses a better approach: instead of trying to fix the damage done, just filter out unknown SIDs.
I guess it would be nice to have a test for this, so I'm going to take a stab at it.
(In reply to Ralph Böhme from comment #3)
I'm not sure relying on LsaLookupNames() is a good thing.
I wouldn't be surprised that we get SID_TYPE_UNKNOWN from our DC if it is (temporarily) unable to contact a DC of a trusted domain.
We depend on the correct results of LsaLookupSids to determine the right winbind domain. If it fails, like in this case for an unknown SID in an existing domain, we use the default domain which can have unexpected results like in the config described above.
Created attachment 12228 [details]
Patch for 4.4 cherry-picked from master
Created attachment 12229 [details]
Patch for 4.3 cherry-picked from master
Pushed to autobuild-v4-[3|4]-test.
(In reply to Karolin Seeger from comment #8)
Pushed to both branches.
Closing out bug report.