Bug 13052 - idmap_rid dependency on trusted domain list
Summary: idmap_rid dependency on trusted domain list
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-26 04:01 UTC by Ralph Böhme
Modified: 2020-12-11 08:13 UTC

Attachments
Patch for 4.6 and 4.7 cherry-picked from master (15.25 KB, patch)
2017-10-11 07:04 UTC, Ralph Böhme
slow: review? (jra)
slow: review? (metze)
asn: review+
slow: review? (gd)
Description Ralph Böhme 2017-09-26 04:01:41 UTC
In the xid to SID mapping function idmap_rid uses the trusted domain list to get the SID for the mapping domain.

But the idmap child may lack trusted domains in the case when before trusted domains enumeration finished a winbindd idmapping request came in that triggered the idmap child fork.

When it forks, the idmap child inherits the trusted domain list of the parent which is not yet complete. Even after the parent finishes trusted domain enumeration, xid2sid idmapping requests will continue to fail, so a transient error becomes a permanent one.

A successful authentication otoh will prime the idmap caches, so xid2sid will work as long as the cache remains valid. But obviously after flushing the cache or just cache expiration the idmapping will fail again.

The fix is to pass the domain sid as an additional argument to the idmap xid2sid mapping functions. To get the sid, we call lsalookupnames on the domain name of all domains in the mapping request.

Have patch, need bugnumber.
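
The failure mode described in this report, and the effect of carrying the domain SID in the request, reproduced as an added example that is not taken from the Samba patch. The structures, domain names, SIDs and range start are constructed stand-ins, and the parent's own list lookup stands in for the lsalookupnames call.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Hypothetical stand-ins, not Samba's structures; names, SIDs and range are constructed. */
struct dom { const char *name, *sid; };
struct req { char domain[16], sid[48]; unsigned xid; };
static struct dom list[4]; static int nlist;
#define RANGE_LOW 100000u
static const char *list_sid(const char *name) {
    for (int i = 0; i < nlist; i++) if (strcmp(list[i].name, name) == 0) return list[i].sid;
    return NULL;
}
/* Child side of xid2sid: old code reads the inherited list, fixed code uses the request's SID. */
static int child_xid2sid(const struct req *r, int fixed, char *out, size_t n) {
    const char *sid = fixed ? r->sid : list_sid(r->domain);
    if (sid == NULL) return -1;
    snprintf(out, n, "%s-%u", sid, r->xid - RANGE_LOW);
    return 0;
}
/* Fork the child before enumeration finishes, then send one request; 0 = mapped, -1 = failed. */
static int run(int fixed, char *out, size_t n) {
    int to[2], from[2], rc = -1;
    char buf[64] = "";
    struct req r = { "TRUSTED", "", RANGE_LOW + 1105 };
    nlist = 0; list[nlist++] = (struct dom){ "PRIMARY", "S-1-5-21-1-2-3" };
    if (pipe(to) != 0 || pipe(from) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: its copy of the list holds PRIMARY only, and stays that way */
        if (read(to[0], &r, sizeof r) == (ssize_t)sizeof r &&
            child_xid2sid(&r, fixed, buf, sizeof buf) == 0 &&
            write(from[1], buf, sizeof buf) < 0) _exit(1);
        _exit(0);
    }
    close(to[0]); close(from[1]);
    list[nlist++] = (struct dom){ "TRUSTED", "S-1-5-21-4-5-6" }; /* parent finishes enumeration */
    snprintf(r.sid, sizeof r.sid, "%s", list_sid("TRUSTED")); /* stand-in for lsalookupnames */
    if (write(to[1], &r, sizeof r) == (ssize_t)sizeof r &&
        read(from[0], buf, sizeof buf) == (ssize_t)sizeof buf) { snprintf(out, n, "%s", buf); rc = 0; }
    close(to[1]); close(from[0]);
    waitpid(pid, NULL, 0);
    return rc;
}
int main(void) {
    char s[64] = "";
    printf("old: %d\n", run(0, s, sizeof s)); printf("fixed: %d %s\n", run(1, s, sizeof s), s);
    return 0;
}
```
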
Comment 1 Ralph Böhme 2017-10-11 07:04:13 UTC
Created attachment 13679 [details]
Patch for 4.6 and 4.7 cherry-picked from master
Comment 2 Ralph Böhme 2017-12-04 14:22:26 UTC
Comment on attachment 13679 [details]
Patch for 4.6 and 4.7 cherry-picked from master

Can someone please review the backports? Thanks!
Comment 3 Andreas Schneider 2017-12-13 13:38:01 UTC
Karolin, please add the patchset to 4.6 and 4.7. Thanks!
Comment 4 Karolin Seeger 2017-12-14 11:21:25 UTC
(In reply to Andreas Schneider from comment #3)
Pushed to autobuild-v4-{7,6}-test.
Comment 5 Karolin Seeger 2017-12-15 10:13:27 UTC
Pushed to both branches.
Closing out bug report.

Thanks!