Bug 13052 - idmap_rid dependency on trusted domain list
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware/OS: All / All
Importance: P5 normal
Target Milestone: ---
Assigned To: Ralph Böhme
QA Contact: Samba QA Contact
Reported: 2017-09-26 04:01 UTC by Ralph Böhme
Modified: 2017-10-11 07:04 UTC (History)
Attachments:
Patch for 4.6 and 4.7 cherry-picked from master (15.25 KB, patch), 2017-10-11 07:04 UTC, Ralph Böhme, flags: slow: review? (vl)
Description Ralph Böhme 2017-09-26 04:01:41 UTC
In the xid to SID mapping function, idmap_rid uses the trusted domain list to get the SID for the mapping domain.

But the idmap child may lack trusted domains in the case where a winbindd idmapping request came in before trusted domain enumeration finished and triggered the idmap child fork.

When it forks, the idmap child inherits the trusted domain list of the parent, which is not yet complete. Even after the parent finishes trusted domain enumeration, xid2sid idmapping requests will continue to fail, so a transient error becomes a permanent one.

A successful authentication, on the other hand, will prime the idmap caches, so xid2sid will work as long as the cache remains valid. But obviously after flushing the cache, or just cache expiration, the idmapping will fail again.

The fix is to pass the domain sid as an additional argument to the idmap xid2sid mapping functions. To get the sid, we call lsalookupnames on the domain name of all domains in the mapping request.

Have patch, need bugnumber.
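The race described in the report, modelled in a small Python simulation. This is an added illustration, not Samba's code or the attached patch: the winbindd parent is reduced to a dictionary of trusted domains that fills in one entry at a time, fork() is modelled as a deep copy of that dictionary at the moment the idmap child is created, and the idmap_rid arithmetic is reduced to the common range/base-RID form. All class and function names, domain names, SIDs and the id range are constructed for the example; the parent-side lookup standing in for lsalookupnames simply reads the parent's completed list.

```python
"""Model of the winbindd idmap-child race: an early fork inherits an
incomplete trusted-domain list, and that snapshot never catches up.

Added example, not Samba's code. Names, SIDs and ranges are constructed.
"""
import copy
from typing import Dict, Optional, Tuple

# Constructed idmap_rid-style configuration: xid range and base RID.
LOW_ID = 10000
HIGH_ID = 19999
BASE_RID = 0


def rid_map(domain_sid: str, xid: int) -> Optional[str]:
    """Simplified idmap_rid arithmetic: rid = xid - low_id + base_rid."""
    if not LOW_ID <= xid <= HIGH_ID:
        return None
    rid = xid - LOW_ID + BASE_RID
    return f"{domain_sid}-{rid}"


class WinbindParent:
    """Long-lived winbindd parent; enumerates trusted domains incrementally."""

    def __init__(self, domains: Dict[str, str]):
        self._pending = list(domains.items())
        self.trusted_domains: Dict[str, str] = {}  # domain name -> domain SID

    def enumerate_one_trusted_domain(self) -> bool:
        """Add the next trusted domain to the list; returns False when done."""
        if not self._pending:
            return False
        name, sid = self._pending.pop(0)
        self.trusted_domains[name] = sid
        return True

    def fork_idmap_child(self) -> "IdmapChild":
        """Model fork(): the child gets a snapshot of the list as it is now."""
        return IdmapChild(copy.deepcopy(self.trusted_domains))

    def lookup_domain_sid(self, domain: str) -> Optional[str]:
        """Stand-in for the parent-side lsalookupnames call the fix performs."""
        return self.trusted_domains.get(domain)


class IdmapChild:
    """Forked idmap child; only ever sees the inherited snapshot."""

    def __init__(self, inherited: Dict[str, str]):
        self.trusted_domains = inherited

    def xid2sid_old(self, domain: str, xid: int) -> Optional[str]:
        """Buggy path: derives the domain SID from the inherited list."""
        domain_sid = self.trusted_domains.get(domain)
        if domain_sid is None:
            return None  # permanent failure for domains enumerated after fork
        return rid_map(domain_sid, xid)

    def xid2sid_fixed(self, domain_sid: str, xid: int) -> Optional[str]:
        """Fixed path: the request carries the domain SID, no list needed."""
        return rid_map(domain_sid, xid)


def demo(xid: int = 10005) -> Tuple[Optional[str], Optional[str]]:
    """Reproduce the race and return (old-path result, fixed-path result)."""
    parent = WinbindParent({"CORP": "S-1-5-21-1-1-1",
                            "PARTNER": "S-1-5-21-2-2-2"})
    parent.enumerate_one_trusted_domain()   # only CORP enumerated so far
    child = parent.fork_idmap_child()       # early request forces the fork
    while parent.enumerate_one_trusted_domain():
        pass                                # parent completes; child unchanged
    old = child.xid2sid_old("PARTNER", xid)
    sid = parent.lookup_domain_sid("PARTNER")
    fixed = child.xid2sid_fixed(sid, xid) if sid else None
    return old, fixed


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `(None, 'S-1-5-21-2-2-2-5')`: the old path fails for PARTNER forever because the child's copy of the list was frozen at fork time, while the fixed path succeeds because the SID is resolved by the parent and handed over with each request.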
Comment 1 Ralph Böhme 2017-10-11 07:04:13 UTC
Created attachment 13679 [details]
Patch for 4.6 and 4.7 cherry-picked from master