Bug 3056 - wbinfo -Y doesn't work for BUILTIN group with idmap_rid on Domain
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.14a
Hardware: All Windows XP
Importance: P3 normal
Target Milestone: none
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2005-09-01 09:32 UTC by Ying Li
Modified: 2005-09-12 05:00 UTC

Attachments
fix to always allow to add id-range for builtin (1.06 KB, patch)
2005-09-12 04:58 UTC, Guenther Deschner

Description Ying Li 2005-09-01 09:32:30 UTC
Samba-3.0.14a:

wbinfo -Y builtingroup_sid works with or without idmap_rid on ADS, but it
does not work with idmap_rid on DOMAIN. Checking the code, the function
rid_idmap_get_id_from_sid() only checks whether the incoming SID is the same as
the workgroup domain SID, using the following comparison:

    if ( sid_compare_domain(sid, &sidstr) == 0 )

This lets the first "for" loop run to the end, making the loop variable i
equal to trust.number (=1). The code after the loop looks like this:

    if (i == trust.number) {
            DEBUG(0,("rid_idmap_get_id_from_sid: no suitable range available for sid: %s\n",
                    sid_string_static(sid)));
            return NT_STATUS_INVALID_PARAMETER;
    }

This generates an error with "no suitable range available for sid:",
even if both idmap uid range and idmap gid range are exactly equal to
the idmap_rid range in smb.conf. Obviously, the error message is not improper.

When winbind nested groups is enabled, it works for ADS and Domain level with 
idmap_rid. Without idmap_rid, BUILTIN group's gid can also be displayed 
when 'winbind nested groups = No'.

smb.conf
[global]
   workgroup = MYDOMAIN
   security = ads or domain
   allow trust domains = no
   idmap backend = idmap_rid:"MYDOMAIN=50000-60000"
   idmap uid = 50000-60000
   idmap gid = 50000-60000
   ......
Comment 1 Gerald (Jerry) Carter (dead mail address) 2005-09-01 10:15:37 UTC
Guenther, can you take a look at this one?  It's the bug we
discussed on #samba-technical yesterday.  Thanks.
Comment 2 Guenther Deschner 2005-09-05 14:25:13 UTC
I'm not sure if I fully understand your problem, but please try adding a range
for BUILTIN as well:

[global]
   workgroup = MYDOMAIN
   security = ads or domain
   allow trust domains = no
   idmap backend = idmap_rid:"MYDOMAIN=50000-59999,BUILTIN=60000-69999"
   idmap uid = 50000-70000
   idmap gid = 50000-70000

Does your problem still persist then?
Comment 3 Ying Li 2005-09-06 10:11:51 UTC
When padding idmap mapping range of BUILTIN domain to idmap backend, as you
suggested, the problem still persists for me. Also, wbinfo -Y doesn't work
for MYDOMAIN's SID. I got the following errors for the BUILTIN domain and the
MYDOMAIN domain:
#>wbinfo -Y "S-1-5-32-549"
Could not convert sid S-1-5-32-549 to gid

#>wbinfo -Y "S-1-5-21-1078081533-1580818891-725345543-512"
Could not convert sid S-1-5-21-1078081533-1580818891-725345543-512 to gid

(In reply to comment #2)
> I'm not sure if I fully understand your problem but please try adding a range
> for BUILTIN as well
> [global]
>    workgroup = MYDOMAIN
>    security = ads or domain
>    allow trust domains = no
>    idmap backend = idmap_rid:"MYDOMAIN=50000-59999,BUILTIN=60000-69999"
>    idmap uid = 50000-70000
>    idmap gid = 50000-70000
> Does your problem still persist then ?

Comment 4 Guenther Deschner 2005-09-12 04:57:41 UTC
My fault, either set "allow trust domains = no" to "yes". It won't allow you to
map any other trusted domains (because that is hard-disabled in the code) but
allows you to use builtin.

In future releases (attached diff) it will always be possible to assign an
id-range for "Builtin".

Thanks.
Comment 5 Guenther Deschner 2005-09-12 04:58:16 UTC
Created attachment 1438
fix to always allow to add id-range for builtin
Comment 6 Guenther Deschner 2005-09-12 05:00:27 UTC
Fixed in Subversion.
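
The range lookup discussed in this report, as an added C sketch (not Samba's code and not the attached patch): it shows why a BUILTIN SID falls through to "no suitable range" when only the workgroup domain has a range, and how it resolves once a BUILTIN range is honoured. The struct, function and table names are hypothetical, the tables are constructed from the values quoted above, and the mapping "gid = range start + RID" is an assumption of the sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One idmap_rid range: domain SID (without RID) and its Unix id window. */
struct rid_range { const char *name, *domain_sid; unsigned long low, high; };

/* Constructed tables built from the SIDs and ranges quoted in this report. */
#define DOM_SID "S-1-5-21-1078081533-1580818891-725345543"
const struct rid_range only_domain[] = { { "MYDOMAIN", DOM_SID, 50000, 60000 } };
const struct rid_range with_builtin[] = {
    { "MYDOMAIN", DOM_SID, 50000, 59999 },
    { "BUILTIN", "S-1-5-32", 60000, 69999 },
};

/* 0: *gid set; -1: no range for the SID's domain (the "no suitable range
 * available" case); -2: RID does not fit the range; -3: malformed SID. */
int sid_to_gid(const struct rid_range *r, size_t n, const char *sid,
               unsigned long *gid)
{
    const char *dash = strrchr(sid, '-');
    char *end;
    unsigned long rid;
    size_t i, dom_len;
    if (dash == NULL || dash == sid || dash[1] == '\0')
        return -3;
    rid = strtoul(dash + 1, &end, 10);
    if (*end != '\0')
        return -3;
    dom_len = (size_t)(dash - sid);
    for (i = 0; i < n; i++)      /* compare only the domain part of the SID */
        if (strlen(r[i].domain_sid) == dom_len &&
            strncmp(r[i].domain_sid, sid, dom_len) == 0)
            break;
    if (i == n)
        return -1;
    if (rid > r[i].high - r[i].low)
        return -2;
    *gid = r[i].low + rid;       /* assumed mapping: range start + RID */
    return 0;
}

int main(void)
{
    unsigned long gid = 0;
    int before = sid_to_gid(only_domain, 1, "S-1-5-32-549", &gid);
    int after = sid_to_gid(with_builtin, 2, "S-1-5-32-549", &gid);
    printf("domain only: %d, with BUILTIN: %d gid=%lu\n", before, after, gid);
    return 0;
}
```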