Bug 14663 - idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.
Summary: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid conflict.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 4.14.0
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-03-10 16:12 UTC by Christof Schmitt
Modified: 2021-04-20 10:10 UTC (History)
1 user (show)

See Also:


Attachments
patches for 4.14 (6.00 KB, patch)
2021-03-11 16:06 UTC, Christof Schmitt
vl: review+
Details
patches for 4.13 (6.00 KB, patch)
2021-03-11 16:07 UTC, Christof Schmitt
vl: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Christof Schmitt 2021-03-10 16:12:19 UTC
Given an Active Directory domain that has a user "abc" and a LDAP
server that has two records: One for a user "abc" with the uid 12345
and one for the group "abc" with the gid 12345. In this scenario,
asking idmap_rfc2307 to map the gid 12345 to a SID returns
unexpectedly the SID for the user "abc".

This is caused by idmap_rfc2307 calling winbind_lookup_name() with the
SID pointer pointing to the result array. The later check for the
correct type of the SID never removes the SID from the result array
and it is passed back. wbint_UnixIDs2Sids does not check for the
ID_MAPPED status and just passes the SID back to the main process.

idmap_nss has the same problem. Patches to follow.

For documentation, this is the wrong mapping. The error "Wrong type 2
for group name abc" still results in a SID being passed back:

[2021/03/06 03:35:00.904162,  1, pid=28443, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
          in: struct wbint_UnixIDs2Sids
              domain_name              : *
                  domain_name              : 'win2019ipv6'
              domain_sid               : S-1-5-21-3353793537-1545656638-3177689948
              num_ids                  : 0x00000001 (1)
              xids: ARRAY(1)
                  xids: struct unixid
                      id                       : 0x00007ddc (12345)
                      type                     : ID_TYPE_GID (2)
[2021/03/06 03:35:00.904280, 10, pid=28443, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:520(idmap_find_domain)
  idmap_find_domain called for domain 'win2019ipv6'
[2021/03/06 03:35:00.904320,  5, pid=28443, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [ou=Group,dc=ldap,dc=ds,dc=local,dc=net], filter => [(&(objectClass=posixGroup)(|(gidNumber=12345)))], scope => [2]
[2021/03/06 03:35:00.905768,  1, pid=28443, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/idmap_rfc2307.c:298(idmap_rfc2307_map_sid_results)
  Wrong type 2 for group name abc
[2021/03/06 03:35:00.905846, 10, pid=28443, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:629(idmap_backend_unixids_to_sids)
  idmap_backend_unixids_to_sids: unixid_to_sids for domain win2019ipv6 returned NT_STATUS_OK
[2021/03/06 03:35:00.905905,  1, pid=28443, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
          out: struct wbint_UnixIDs2Sids
              xids: ARRAY(1)
                  xids: struct unixid
                      id                       : 0x00007ddc (12345)
                      type                     : ID_TYPE_GID (2)
              sids: ARRAY(1)
                  sids                     : S-1-5-21-3353793537-1545656638-3177689948-1130
              result                   : NT_STATUS_OK
Comment 1 Christof Schmitt 2021-03-10 18:04:20 UTC
https://gitlab.com/samba-team/samba/-/merge_requests/1831
has a fix.
Comment 2 Christof Schmitt 2021-03-10 18:05:44 UTC
With the fix, the gid is no longer mapped to the (user) SID:

[2021/03/10 08:05:10.355979,  1, pid=15862, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
          in: struct wbint_UnixIDs2Sids
              domain_name              : *
                  domain_name              : 'win2019ipv6'
              domain_sid               : S-1-5-21-3353793537-1545656638-3177689948
              num_ids                  : 0x00000001 (1)
              xids: ARRAY(1)
                  xids: struct unixid
                      id                       : 0x00007ddc (12345)
                      type                     : ID_TYPE_GID (2)
[2021/03/10 08:05:10.356020, 10, pid=15862, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:520(idmap_find_domain)
  idmap_find_domain called for domain 'win2019ipv6'
[2021/03/10 08:05:10.356035,  5, pid=15862, effective(0, 0), real(0, 0)] ../../source3/lib/smbldap.c:1308(smbldap_search_ext)
  smbldap_search_ext: base => [ou=Group,dc=ldap,dc=ds,dc=local,dc=net], filter => [(&(objectClass=posixGroup)(|(gidNumber=12345)))], scope => [2]
[2021/03/10 08:05:10.361499,  1, pid=15862, effective(0, 0), real(0, 0), class=winbind] ../../source3/winbindd/idmap_rfc2307.c:299(idmap_rfc2307_map_sid_results)
  Wrong type 2 for group name abc
[2021/03/10 08:05:10.361514, 10, pid=15862, effective(0, 0), real(0, 0), class=idmap] ../../source3/winbindd/idmap.c:629(idmap_backend_unixids_to_sids)
  idmap_backend_unixids_to_sids: unixid_to_sids for domain win2019ipv6 returned NT_STATUS_OK
[2021/03/10 08:05:10.361530,  1, pid=15862, effective(0, 0), real(0, 0), class=rpc_parse] ../../librpc/ndr/ndr.c:471(ndr_print_function_debug)
       wbint_UnixIDs2Sids: struct wbint_UnixIDs2Sids
          out: struct wbint_UnixIDs2Sids
              xids: ARRAY(1)
                  xids: struct unixid
                      id                       : 0x00007ddc (12345)
                      type                     : ID_TYPE_GID (2)
              sids: ARRAY(1)
                  sids                     : S-0-0
              result                   : NT_STATUS_OK
Comment 3 Samba QA Contact 2021-03-11 08:39:03 UTC
This bug was referenced in samba master:

db2afa57e4aa926b478db1be4d693edbdf4d2a23
79dd4b133c37451c98fe7f7c45da881e89e91ffc
0e789ba1802ca22e5a01abd6e93ef66cd45566a7
Comment 4 Christof Schmitt 2021-03-11 16:06:47 UTC
Created attachment 16523 [details]
patches for 4.14
Comment 5 Christof Schmitt 2021-03-11 16:07:18 UTC
Created attachment 16524 [details]
patches for 4.13
Comment 6 Karolin Seeger 2021-03-31 09:06:49 UTC
Pushed to autobuild-v4-{14,13}-test.
Comment 7 Samba QA Contact 2021-03-31 10:14:29 UTC
This bug was referenced in samba v4-13-test:

3aa06edf38bc4002f031476baa50712fd1a67f4d
af37d5abae924d095e7b35620d850cf1f19021c4
3f366878d33cf977230137021f6376936b2a1862
Comment 8 Samba QA Contact 2021-03-31 11:11:36 UTC
This bug was referenced in samba v4-14-test:

e7b1ee061eaa335d70dc354dfb3700f8344274c9
7628a27a96bf817dd1707b123b792e7e1689edd2
231342faf2f5f6ab2287967f317cb1a862083a7f
Comment 9 Karolin Seeger 2021-04-01 10:28:06 UTC
Pushed to both branches.
Closing out bug report.

Thanks!
Comment 10 Samba QA Contact 2021-04-20 10:10:32 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.3):

e7b1ee061eaa335d70dc354dfb3700f8344274c9
7628a27a96bf817dd1707b123b792e7e1689edd2
231342faf2f5f6ab2287967f317cb1a862083a7f