Bug 6416 - "idmap backend = tdb2" does not filter out of range id mappings
Summary: "idmap backend = tdb2" does not filter out of range id mappings
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Winbind (show other bugs)
Version: 3.3.4
Hardware: Other Linux
: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-05-27 12:20 UTC by Michael Adam
Modified: 2009-07-29 07:46 UTC (History)
2 users (show)

See Also:
vl: review+


Attachments
fix for v3-3-test (2.89 KB, patch)
2009-05-27 18:34 UTC, Michael Adam
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Michael Adam 2009-05-27 12:20:21 UTC
The ranges set by idmap uid and idmap gid are used as the allocation range for
the unixid-allocator, but for the default idmap config, they are not used as a
mapping filter.

This has the effect that mappings that are present in the idmap2.tdb
database but are not within the configured range, are returned by the
sids_to_unixids call.

an example how to reproduce:
(this uses registry config but this is just for convenience, irrelevant for the
bug)

$ net conf getparm global "idmap gid"
20000-30000
$ winbindd
$ wbinfo -Y S-1-5-21-198380148-81607542-3125035400-1102
20014
$ killall winbindd
$ net cache flush
$ net conf setparm global "idmap gid" 20000-20010
$ winbindd
$ wbinfo -Y S-1-5-21-198380148-81607542-3125035400-1102
20014
$ 

This bug was introduced in 3.3.0.
Idmap config of catchall default domains was different before 3.3

Michael
Comment 1 Michael Adam 2009-05-27 12:51:53 UTC
fix pushed to master
Comment 2 Michael Adam 2009-05-27 17:56:46 UTC
pushed to v3-4-test
Comment 3 Michael Adam 2009-05-27 18:34:25 UTC
Created attachment 4216 [details]
fix for v3-3-test

please review
Comment 4 Volker Lendecke 2009-05-28 08:51:52 UTC
I'm not 100% certain I would call this a bug. Changing a configuration and leaving the idmap database unchanged is really begging for trouble. Yes, it might be a change in behavior between 3.2 and 3.3, but I'm not certain which of both is buggier than the other.

Volker
Comment 5 Volker Lendecke 2009-05-28 09:01:32 UTC
Ok, I got convinced this is a bug that needs fixing. Karolin, please put this into 3.3.

Thanks,

Volker
Comment 6 Karolin Seeger 2009-05-28 09:06:51 UTC
Pushed. Will be in 3.3.5.

Thanks!