Bug 13914 - winbindd_rpc.c aborting on NULL SIDs received by winbindd
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind
Version: 4.6.15
Hardware: All Linux
Importance: P5 major
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2019-04-25 22:38 UTC by vishwanath.eswarakrishnan
Modified: 2019-06-19 06:17 UTC

patch for winbind handling NULL sids (2.71 KB, patch)
2019-05-27 09:15 UTC, Amit Kumar

Description vishwanath.eswarakrishnan 2019-04-25 22:38:12 UTC

We are using Samba as a client and running winbindd for authenticating logins to Linux systems.
As per https://lists.samba.org/archive/samba-technical/2014-August/101931.html, the change to winbindd_rpc.c states that if the trusted domain has no SID, winbindd just aborts the session. We have seen this happening with an MIT Kerberos realm added as a trust to AD, and winbindd just returns without processing further, as there is no SID returned for the Linux system having Kerberos support.
The request is to handle this.

Comment 1 Amit Kumar 2019-04-30 07:17:27 UTC
Hello vishwanath,
Winbind is basically a service for connecting Linux, Mac, Solaris and other OSes to Windows.
Now in an Active Directory environment, when a new account (user, group, computer) is created, the domain controller which holds the RID Master (relative identifier) role generates a SID for the new account and writes it to the Active Directory database.
I believe the SID is allocated during domain creation.

What's your requirement when handling a domain without a SID? Do you want winbind not to abort and to perform normal lookups with the joined domain, or something specific?
Comment 2 vishwanath.eswarakrishnan 2019-05-01 22:38:13 UTC
Hi Amit,

As you stated, that is the requirement. Instead of aborting the request, can winbindd process the remaining trusted domain SIDs that it got? Leave out the one not received.
Comment 3 Amit Kumar 2019-05-27 09:15:44 UTC
Created attachment 15193
patch for winbind handling NULL sids
Comment 4 Andrew Bartlett 2019-05-28 03:48:42 UTC
Comment on attachment 15193
patch for winbind handling NULL sids

Can you please propose this patch as a merge request, so we can see the CI results and potentially merge it?

It would be great if we could have a test - presumably we can set up an MIT trust without the other realm actually existing because it doesn't speak any protocols winbindd knows anyway. 

That would be the best way to prevent a regression.

Comment 5 vishwanath.eswarakrishnan 2019-06-18 20:45:50 UTC
@Andrew Bartlett, you had commented before as follows:
winbindd: Do not segfault if the trusted domain has no SID

Currently we abort, as skipping the domain would make the loop much more complex for a situation not yet seen in the real world.


Just wanted to make sure this patch won't be missing anything needed.
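
An added illustration, not part of the bug thread, the attached patch or Samba's source: a minimal C sketch of the "skip instead of abort" behaviour requested in Comment 2, showing why the loop needs a separate write index once entries can be left out. The types `struct sid`, `struct trust_in`, `struct trust_out`, the function `filter_trusts` and the sample trust names are all hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types; these are not Samba's structures. */
struct sid { unsigned char bytes[28]; };
struct trust_in  { const char *name; const struct sid *sid; }; /* as received */
struct trust_out { const char *name; struct sid sid; };        /* as stored */

/*
 * Copy every trust that carries a SID into out[] and skip the ones that
 * do not. The read index i and the write index n are kept separate so
 * that out[] stays dense and no slot is left uninitialised.
 * Returns the number of entries written; *skipped counts the rest.
 */
size_t filter_trusts(const struct trust_in *in, size_t count,
                     struct trust_out *out, size_t *skipped)
{
    size_t n = 0;

    *skipped = 0;
    for (size_t i = 0; i < count; i++) {
        if (in[i].sid == NULL) {
            /* For example a realm trust that has no SID: log and move on. */
            fprintf(stderr, "trusted domain %s has no SID, skipping\n",
                    in[i].name ? in[i].name : "(unnamed)");
            (*skipped)++;
            continue;
        }
        out[n].name = in[i].name;
        out[n].sid = *in[i].sid; /* dereferenced only after the NULL check */
        n++;
    }
    return n;
}

/* Constructed sample input: the middle entry arrives without a SID. */
static const struct sid SID_A = {{1}}, SID_B = {{2}};
static const struct trust_in SAMPLE[] = {
    {"CORP", &SID_A}, {"MIT.EXAMPLE", NULL}, {"CHILD", &SID_B},
};

int main(void)
{
    struct trust_out out[3];
    size_t skipped;
    size_t n = filter_trusts(SAMPLE, 3, out, &skipped);

    printf("%zu kept, %zu skipped\n", n, skipped);
    return 0;
}
```

Callers must use the returned count, not the input count, when they walk the output array.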