[PATCH] Patch for bug 13052

[PATCH] Patch for bug 13052

Samba - samba-technical mailing list
Howdy!

In the xid to SID mapping function, idmap_rid uses the trusted domain list to get
the SID for the mapping domain.

But the idmap child may lack trusted domains in the case when before trusted
domains enumeration finished a winbindd idmapping request came in that triggered
the idmap child fork.

When it forks, the idmap child inherits the trusted domain list of the parent
which is not yet complete. Even after the parent finishes trusted domain
enumeration, xid2sid idmapping requests will continue to fail, so a transient
error becomes a permanent one.

The fix is to pass the domain sid as an additional argument to the idmap xid2sid
mapping functions. To get the sid, we call lsalookupnames on the domain name of
all idmap mapping domains.

Please review&push if happy. The patchset just survived a private autobuild and
was reported by a customer to fix the problem.

Thanks!
-slow

bug13052-master.patch (15K) Download Attachment
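
The failure mode described in the message above, as an added illustration that is not code from the patch or from Samba: a child forked before enumeration finishes keeps its stale copy of the list, while a request that carries the domain SID still maps. The names `trusted_name`, `xid2sid` and `run_scenario`, the domain "EXAMPLE", the SID and the range are all constructed for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed stand-in for the trusted domain list (one slot is enough). */
static char trusted_name[32], trusted_sid[64];

/* dom_sid == NULL: pre-fix behaviour, look in this process's own list. */
static int xid2sid(const char *dom, const char *dom_sid, unsigned xid,
                   unsigned low, char *out, size_t len)
{
    if (dom_sid == NULL && strcmp(trusted_name, dom) == 0)
        dom_sid = trusted_sid;
    if (dom_sid == NULL) return -1;   /* domain unknown to this process */
    snprintf(out, len, "%s-%u", dom_sid, xid - low);  /* rid-style mapping */
    return 0;
}

/* Fork the child before enumeration completes, then send it one request.
 * Returns 0 if the child mapped the xid, 1 if it could not, -1 on error. */
static int run_scenario(int pass_sid)
{
    const char *sid = "S-1-5-21-1111-2222-3333";   /* constructed */
    char req[64] = "", out[96];
    int fds[2], status;

    trusted_name[0] = '\0';              /* enumeration not finished yet */
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                      /* child keeps the empty snapshot */
        if (read(fds[0], req, sizeof(req)) < 0) _exit(2);
        _exit(xid2sid("EXAMPLE", req[0] ? req : NULL, 400500, 400000,
                      out, sizeof(out)) == 0 ? 0 : 1);
    }
    strcpy(trusted_name, "EXAMPLE");     /* parent finishes enumeration late */
    strcpy(trusted_sid, sid);
    if (pass_sid) strcpy(req, sid);      /* the fix: SID travels with request */
    if (write(fds[1], req, sizeof(req)) < 0) return -1;
    close(fds[0]); close(fds[1]);
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("pre-fix: %d  with SID passed: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The parent updates its list before it sends the request, so the pre-fix failure comes only from the child's inherited copy.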

Re: [PATCH] Patch for bug 13052

Samba - samba-technical mailing list
Hi,

On Mon, Oct 09, 2017 at 04:24:33PM +0000, Ralph Böhme via samba-technical wrote:
> Please review&push if happy. The patchset just survived a private autobuild and
> was reported by a customer to fix the problem.

Volker suggested an additional check for the sid type returned from lookupnames,
updated patchset attached. With this we catch misconfigurations like:

        idmap config Administrator : backend = rid
        idmap config Administrator : range = 400000 - 499999

and log:

  wb_xids2sids_init_dom_maps_lookupname_done: SID
  S-1-5-21-1302242140-3407493554-1668119891-500 for idmap domain name
  'administrator' not a domain SID

While at it I factored out wb_xids2sids_init_dom_maps_lookupname_next() (smaller
diff!) in the first commit. Can you please re-review the first commit. The other
patches are unmodified besides the minor changes for the long line and the
missing space.

Thanks!
-slow

bug13052-master.patch (15K) Download Attachment

Re: [PATCH] Patch for bug 13052

Samba - samba-technical mailing list
On Tue, Oct 10, 2017 at 12:45:47PM +0200, Ralph Böhme wrote:

> Hi,
>
> On Mon, Oct 09, 2017 at 04:24:33PM +0000, Ralph Böhme via samba-technical wrote:
> > Please review&push if happy. The patchset just survived a private autobuild and
> > was reported by a customer to fix the problem.
>
> Volker suggested an additional check for the sid type returned from lookupnames,
> updated patchset attached. With this we catch misconfigurations like:
>
>         idmap config Administrator : backend = rid
>         idmap config Administrator : range = 400000 - 499999
>
> and log:
>
>   wb_xids2sids_init_dom_maps_lookupname_done: SID
>   S-1-5-21-1302242140-3407493554-1668119891-500 for idmap domain name
>   'administrator' not a domain SID
>
> While at it I factored out wb_xids2sids_init_dom_maps_lookupname_next() (smaller
> diff!) in the first commit. Can you please re-review the first commit. The other
> patches are unmodified besides the minor changes for the long line and the
> missing space.

RB+. Can you push? Thanks!

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]


Re: [PATCH] Patch for bug 13052

Samba - samba-technical mailing list
On Tue, Oct 10, 2017 at 12:44:56PM +0000, Volker Lendecke wrote:

> On Tue, Oct 10, 2017 at 12:45:47PM +0200, Ralph Böhme wrote:
> > Hi,
> >
> > On Mon, Oct 09, 2017 at 04:24:33PM +0000, Ralph Böhme via samba-technical wrote:
> > > Please review&push if happy. The patchset just survived a private autobuild and
> > > was reported by a customer to fix the problem.
> >
> > Volker suggested an additional check for the sid type returned from lookupnames,
> > updated patchset attached. With this we catch misconfigurations like:
> >
> >         idmap config Administrator : backend = rid
> >         idmap config Administrator : range = 400000 - 499999
> >
> > and log:
> >
> >   wb_xids2sids_init_dom_maps_lookupname_done: SID
> >   S-1-5-21-1302242140-3407493554-1668119891-500 for idmap domain name
> >   'administrator' not a domain SID
> >
> > While at it I factored out wb_xids2sids_init_dom_maps_lookupname_next() (smaller
> > diff!) in the first commit. Can you please re-review the first commit. The other
> > patches are unmodified besides the minor changes for the long line and the
> > missing space.
>
> RB+. Can you push? Thanks!

pushed.

Thanks!
-slow