Given an Active Directory domain that has a user "abc" and an LDAP server that has two records: one for a user "abc" with the uid 12345 and one for the group "abc" with the gid 12345. In this scenario, asking idmap_rfc2307 to map the gid 12345 to a SID unexpectedly returns the SID for the user "abc".

This is caused by idmap_rfc2307 calling winbind_lookup_name() with the SID pointer pointing to the result array. The later check for the correct type of the SID never removes the SID from the result array and it is passed back. wbint_UnixIDs2Sids does not check for the ID_MAPPED status and just passes the SID back to the main process. idmap_nss has the same problem.

Patches to follow.

For documentation, this is the wrong mapping. The error "Wrong type 2 for group name abc" still results in a SID being passed back:

[2021/03/06 03:35:00.904162, 1, pid=28443, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
    in: struct wbint_UnixIDs2Sids
      domain_name : *
        domain_name : 'win2019ipv6'
      domain_sid : S-1-5-21-3353793537-1545656638-3177689948
      num_ids : 0x00000001 (1)
      xids: ARRAY(1)
        xids: struct unixid
          id : 0x00007ddc (12345)
          type : ID_TYPE_GID (2)
[2021/03/06 03:35:00.904280, 10, pid=28443, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:520(idmap_find_domain)
  idmap_find_domain called for domain 'win2019ipv6'
[2021/03/06 03:35:00.904320, 5, pid=28443, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [ou=Group,dc=ldap,dc=ds,dc=local,dc=net], filter => [(&(objectClass=posixGroup)(|(gidNumber=12345)))], scope => [2]
[2021/03/06 03:35:00.905768, 1, pid=28443, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/idmap_rfc2307.c:298(idmap_rfc2307_map_sid_results)
  Wrong type 2 for group name abc
[2021/03/06 03:35:00.905846, 10, pid=28443, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:629(idmap_backend_unixids_to_sids)
  idmap_backend_unixids_to_sids: unixid_to_sids for domain win2019ipv6 returned NT_STATUS_OK
[2021/03/06 03:35:00.905905, 1, pid=28443, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
    out: struct wbint_UnixIDs2Sids
      xids: ARRAY(1)
        xids: struct unixid
          id : 0x00007ddc (12345)
          type : ID_TYPE_GID (2)
      sids: ARRAY(1)
        sids : S-1-5-21-3353793537-1545656638-3177689948-1130
      result : NT_STATUS_OK
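The following is an added model of the mapping path the report describes; it is constructed for illustration and is not Samba's code. The LDAP and AD tables are assumed (the user SID value is the one from the log above). It contrasts the buggy behaviour (lookup result stored before the type check, status never consulted) with both places a fix can close the hole.

```python
from dataclasses import dataclass

ID_TYPE_UID, ID_TYPE_GID = 1, 2          # unixid types, as in the log
SID_TYPE_USER, SID_TYPE_GROUP = 1, 2
NULL_SID = "S-0-0"

# Constructed LDAP content: uid 12345 and gid 12345 are both named "abc".
LDAP = {(ID_TYPE_UID, 12345): "abc", (ID_TYPE_GID, 12345): "abc"}
# Constructed AD view: the domain only has a user "abc", so a name lookup
# returns a user SID (value taken from the report's log).
AD = {"abc": ("S-1-5-21-3353793537-1545656638-3177689948-1130", SID_TYPE_USER)}


@dataclass
class Mapping:
    id: int
    type: int
    sid: str = NULL_SID
    status: str = "ID_UNMAPPED"


def winbind_lookup_name(name: str) -> tuple:
    """Name -> (SID, SID type); in winbind the SID is written through a pointer."""
    return AD[name]


def rfc2307_map(m: Mapping, fixed: bool) -> None:
    """Backend: number -> LDAP name -> SID, then check the SID type matches."""
    name = LDAP[(m.type, m.id)]
    want = SID_TYPE_GROUP if m.type == ID_TYPE_GID else SID_TYPE_USER
    sid, got = winbind_lookup_name(name)
    if not fixed:
        m.sid = sid         # bug: the lookup already wrote into the result slot
    if got != want:
        # "Wrong type 2 for group name abc": status stays ID_UNMAPPED, but in
        # the buggy path m.sid still holds the user SID.
        return
    m.sid = sid             # fix: copy the SID only after the type check passed
    m.status = "ID_MAPPED"


def unixids_to_sids(ids: list, fixed_backend: bool, fixed_frontend: bool) -> list:
    """Front end: run the backend, then hand SIDs back to the main process."""
    out = []
    for m in ids:
        rfc2307_map(m, fixed_backend)
        if fixed_frontend and m.status != "ID_MAPPED":
            out.append(NULL_SID)  # fix: unmapped ids never carry a SID back
        else:
            out.append(m.sid)     # bug: status is not consulted
    return out
```

With both flags False the gid lookup returns the user SID, exactly the wrong mapping in the log; fixing either side yields S-0-0.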
https://gitlab.com/samba-team/samba/-/merge_requests/1831 has a fix.
With the fix, the gid is no longer mapped to the (user) SID:

[2021/03/10 08:05:10.355979, 1, pid=15862, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
    in: struct wbint_UnixIDs2Sids
      domain_name : *
        domain_name : 'win2019ipv6'
      domain_sid : S-1-5-21-3353793537-1545656638-3177689948
      num_ids : 0x00000001 (1)
      xids: ARRAY(1)
        xids: struct unixid
          id : 0x00007ddc (12345)
          type : ID_TYPE_GID (2)
[2021/03/10 08:05:10.356020, 10, pid=15862, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:520(idmap_find_domain)
  idmap_find_domain called for domain 'win2019ipv6'
[2021/03/10 08:05:10.356035, 5, pid=15862, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [ou=Group,dc=ldap,dc=ds,dc=local,dc=net], filter => [(&(objectClass=posixGroup)(|(gidNumber=12345)))], scope => [2]
[2021/03/10 08:05:10.361499, 1, pid=15862, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/idmap_rfc2307.c:299(idmap_rfc2307_map_sid_results)
  Wrong type 2 for group name abc
[2021/03/10 08:05:10.361514, 10, pid=15862, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:629(idmap_backend_unixids_to_sids)
  idmap_backend_unixids_to_sids: unixid_to_sids for domain win2019ipv6 returned NT_STATUS_OK
[2021/03/10 08:05:10.361530, 1, pid=15862, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
  wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
    out: struct wbint_UnixIDs2Sids
      xids: ARRAY(1)
        xids: struct unixid
          id : 0x00007ddc (12345)
          type : ID_TYPE_GID (2)
      sids: ARRAY(1)
        sids : S-0-0
      result : NT_STATUS_OK
This bug was referenced in samba master: db2afa57e4aa926b478db1be4d693edbdf4d2a23 79dd4b133c37451c98fe7f7c45da881e89e91ffc 0e789ba1802ca22e5a01abd6e93ef66cd45566a7
Created attachment 16523: patches for 4.14
Created attachment 16524: patches for 4.13
Pushed to autobuild-v4-{14,13}-test.
This bug was referenced in samba v4-13-test: 3aa06edf38bc4002f031476baa50712fd1a67f4d af37d5abae924d095e7b35620d850cf1f19021c4 3f366878d33cf977230137021f6376936b2a1862
This bug was referenced in samba v4-14-test: e7b1ee061eaa335d70dc354dfb3700f8344274c9 7628a27a96bf817dd1707b123b792e7e1689edd2 231342faf2f5f6ab2287967f317cb1a862083a7f
Pushed to both branches. Closing out bug report. Thanks!
This bug was referenced in samba v4-14-stable (Release samba-4.14.3): e7b1ee061eaa335d70dc354dfb3700f8344274c9 7628a27a96bf817dd1707b123b792e7e1689edd2 231342faf2f5f6ab2287967f317cb1a862083a7f
This bug was referenced in samba v4-13-stable: 3aa06edf38bc4002f031476baa50712fd1a67f4d af37d5abae924d095e7b35620d850cf1f19021c4 3f366878d33cf977230137021f6376936b2a1862