Bug 12597 - rid idmap backend maps junk sids to ids (possible regression in 4.4.6)
Summary: rid idmap backend maps junk sids to ids (possible regression in 4.4.6)
Status: RESOLVED DUPLICATE of bug 11961
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.4.7
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-22 16:26 UTC by John Mulligan (dead mail address)
Modified: 2017-04-05 08:31 UTC

See Also:


Description John Mulligan (dead mail address) 2017-02-22 16:26:00 UTC
Samba bug 11961 fixes an issue with idmap backend autorid but I think it may trigger an issue with the rid backend. To reproduce I have my domains configured as follows:

        realm = ENGWIN2K8.EXAMPLE.NET

        idmap config *: backend = tdb
        idmap config *: read only = yes
        idmap config *: range = 200000-210000

        idmap config engwin2k8: read only = no
        idmap config engwin2k8: backend = rid
        idmap config engwin2k8: range = 400000-8000000
With this configuration running Samba 4.4.7 I then run the following commands.

(good - proper domain sid)
# wbinfo --sid-to-gid S-1-5-21-2711066360-1593264842-223442985-513
400513

(bad - made up domain sid)
# wbinfo --sid-to-gid S-1-5-21-1999999999-1993264842-923442985-786
400786

I expected something like what I got on older versions of Samba:
# wbinfo --sid-to-gid S-1-5-21-1999999999-1993264842-923442985-786
failed to call wbcSidToGid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1999999999-1993264842-923442985-786 to gid

And indeed when I build a custom version of Samba with the patch from that bug reverted (git change d5af3f3b6565da624fe6f6e4cbea818392c0c68f) I get the desired behavior.

This is an issue on systems that have migrated data, especially those preserving old NT ACLs, across systems and domains. It appears that the cache gets "polluted" with some of these entries and may be causing file access issues.

Please let me know if there is any additional information I can provide. Thank you.
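The mapping behaviour described in the report, modelled as an added example (not Samba code): idmap_rid is assumed to compute id = range low + RID, which matches the 400513 and 400786 values above. `rid_to_id` refuses SIDs whose domain prefix is not the configured domain (the expected behaviour), or maps anything well-formed when `check_domain=False` (the 4.4.7 behaviour reported); `audit_mappings` flags cached entries whose SID belongs to no known domain. The domain SID and range are the report's; the "bad" SID is the made-up one from the report.

```python
"""Model of idmap_rid SID-to-ID mapping plus an audit helper for foreign SIDs.

Added example, not Samba code. Domain SID, range and sample SIDs come from the
bug report above; the mapping formula (low + RID) is an assumption that fits
the numbers shown.
"""
import re

# Domain SIDs: S-1-5-21-<sub1>-<sub2>-<sub3>-<RID>
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


def split_sid(sid):
    """Return (domain_prefix, rid) for an NT domain SID; raise on junk input."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    return sid[: sid.rfind("-")], int(m.group(1))


def rid_to_id(sid, domain_sid, low, high, check_domain=True):
    """Map a SID to a unix id as idmap_rid would: id = low + RID.

    With check_domain=True a SID from another domain yields None (what wbinfo
    reports as WBC_ERR_DOMAIN_NOT_FOUND). check_domain=False reproduces the
    reported 4.4.7 behaviour, where any well-formed SID lands in the range.
    """
    prefix, rid = split_sid(sid)
    if check_domain and prefix != domain_sid:
        return None
    unix_id = low + rid
    if unix_id > high:
        return None  # RID would fall outside the configured range
    return unix_id


def audit_mappings(mappings, domain_sid):
    """Return cached SIDs (from a {sid: id} dump) not owned by domain_sid."""
    return sorted(s for s in mappings if split_sid(s)[0] != domain_sid)


DOMAIN_SID = "S-1-5-21-2711066360-1593264842-223442985"
LOW, HIGH = 400000, 8000000
GOOD = DOMAIN_SID + "-513"                              # Domain Users
BAD = "S-1-5-21-1999999999-1993264842-923442985-786"   # made-up domain

if __name__ == "__main__":
    print(rid_to_id(GOOD, DOMAIN_SID, LOW, HIGH))                      # 400513
    print(rid_to_id(BAD, DOMAIN_SID, LOW, HIGH))                       # None
    print(rid_to_id(BAD, DOMAIN_SID, LOW, HIGH, check_domain=False))   # 400786
    print(audit_mappings({GOOD: 400513, BAD: 400786}, DOMAIN_SID))     # [BAD]
```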
Comment 1 Ralph Böhme 2017-04-05 08:31:29 UTC

*** This bug has been marked as a duplicate of bug 11961 ***