[PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

[PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
Hello,

please see attached patch to address the following winbind error message:

Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886,
0, pid=24983, effective(0, 0), real(0, 0), class=winbind]
../source3/winbindd/winbindd_group.c:45(fill_grent)
Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
Group'. Check connection to trusted domains!

--
Regards

    Ralph Wuerthner

0001-s3-winbind-gid-0-in-getgrgid-must-be-resolved-locall.patch (1024 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
Hi,

any feedback?

On 13.09.2017 12:19, Ralph Wuerthner via samba-technical wrote:

> Hello,
>
> please see attached patch to address the following winbind error message:
>
> Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886,
> 0, pid=24983, effective(0, 0), real(0, 0), class=winbind]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
> Group'. Check connection to trusted domains!
>

--
Regards

    Ralph Wuerthner


Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Wed, Sep 13, 2017 at 12:19:28PM +0200, Ralph Wuerthner via samba-technical wrote:
> please see attached patch to address the following winbind error message:
>
> Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886, 0,
> pid=24983, effective(0, 0), real(0, 0), class=winbind]
> ../source3/winbindd/winbindd_group.c:45(fill_grent)
> Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
> Group'. Check connection to trusted domains!

What about filtering S-1-2-22 in wb_getgrsid_send already?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
On Mon, Sep 25, 2017 at 05:14:32PM +0200, Volker Lendecke via samba-technical wrote:

> On Wed, Sep 13, 2017 at 12:19:28PM +0200, Ralph Wuerthner via samba-technical wrote:
> > please see attached patch to address the following winbind error message:
> >
> > Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886, 0,
> > pid=24983, effective(0, 0), real(0, 0), class=winbind]
> > ../source3/winbindd/winbindd_group.c:45(fill_grent)
> > Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
> > Group'. Check connection to trusted domains!
>
> What about filtering S-1-2-22 in wb_getgrsid_send already?

Something like dom_sid_in_domain(global_sid_Unix_Group, group_sid)?

b_getpwsid_send should also get a similar check for local users:
dom_sid_in_domain(global_sid_Unix_Users, user_sid)

Christof

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
On Mon, Sep 25, 2017 at 12:30:12PM -0700, Christof Schmitt via samba-technical wrote:
> Something like dom_sid_in_domain(global_sid_Unix_Group, group_sid)?
>
> b_getpwsid_send should also get a similar check for local users:
> dom_sid_in_domain(global_sid_Unix_Users, user_sid)

Yep.

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
Hi!

On 25.09.2017 21:30, Christof Schmitt wrote:

> On Mon, Sep 25, 2017 at 05:14:32PM +0200, Volker Lendecke via samba-technical wrote:
>> On Wed, Sep 13, 2017 at 12:19:28PM +0200, Ralph Wuerthner via samba-technical wrote:
>>> please see attached patch to address the following winbind error message:
>>>
>>> Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886, 0,
>>> pid=24983, effective(0, 0), real(0, 0), class=winbind]
>>> ../source3/winbindd/winbindd_group.c:45(fill_grent)
>>> Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
>>> Group'. Check connection to trusted domains!
>>
>> What about filtering S-1-2-22 in wb_getgrsid_send already?
>
> Something like dom_sid_in_domain(global_sid_Unix_Group, group_sid)?
>
> b_getpwsid_send should also get a similar check for local users:
> dom_sid_in_domain(global_sid_Unix_Users, user_sid)
>
> Christof
Please see attached patchset were I moved the check to wb_getgrsid_send
and wb_getpwsid respectively.

--
Regards

    Ralph Wuerthner

unmapped-unix-users-and-groups.patch (2K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
On Wed, Sep 27, 2017 at 04:32:41PM +0200, Ralph Wuerthner wrote:

> Hi!
>
> On 25.09.2017 21:30, Christof Schmitt wrote:
> >On Mon, Sep 25, 2017 at 05:14:32PM +0200, Volker Lendecke via samba-technical wrote:
> >>On Wed, Sep 13, 2017 at 12:19:28PM +0200, Ralph Wuerthner via samba-technical wrote:
> >>>please see attached patch to address the following winbind error message:
> >>>
> >>>Jul 26 14:37:43 sambatest winbindd[24983]: [2017/07/26 14:37:43.057886, 0,
> >>>pid=24983, effective(0, 0), real(0, 0), class=winbind]
> >>>../source3/winbindd/winbindd_group.c:45(fill_grent)
> >>>Jul 26 14:37:43 sambatest winbindd[24983]: Failed to find domain 'Unix
> >>>Group'. Check connection to trusted domains!
> >>
> >>What about filtering S-1-2-22 in wb_getgrsid_send already?
> >
> >Something like dom_sid_in_domain(global_sid_Unix_Group, group_sid)?
> >
> >b_getpwsid_send should also get a similar check for local users:
> >dom_sid_in_domain(global_sid_Unix_Users, user_sid)
> >
> >Christof
>
> Please see attached patchset were I moved the check to
> wb_getgrsid_send and wb_getpwsid respectively.

Looks good to me.

Reviewed-by: Christof Schmitt <[hidden email]>

Volker, do you agree?

Christof

>
> --
> Regards
>
>    Ralph Wuerthner

> From b381ed5dccebcf10ac2e33ffddbb8d7e53adf074 Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <[hidden email]>
> Date: Tue, 26 Sep 2017 15:56:56 +0200
> Subject: [PATCH 1/2] s3:winbind: unmapped Unix groups in getgrgid must be
>  resolved locally
>
> Signed-off-by: Ralph Wuerthner <[hidden email]>
> ---
>  source3/winbindd/wb_getgrsid.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/source3/winbindd/wb_getgrsid.c b/source3/winbindd/wb_getgrsid.c
> index acfedf6..8e0eac7 100644
> --- a/source3/winbindd/wb_getgrsid.c
> +++ b/source3/winbindd/wb_getgrsid.c
> @@ -53,6 +53,12 @@ struct tevent_req *wb_getgrsid_send(TALLOC_CTX *mem_ctx,
>   state->ev = ev;
>   state->max_nesting = max_nesting;
>  
> + if (dom_sid_in_domain(&global_sid_Unix_Groups, group_sid)) {
> + /* unmapped Unix groups must be resolved locally */
> + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> + return tevent_req_post(req, ev);
> + }
> +
>   if (lp_winbind_trusted_domains_only()) {
>   struct winbindd_domain *our_domain = find_our_domain();
>  
> --
> 2.7.4
>
>
> From bbd9b0420b691caf9dcb452bc7abe4add1370953 Mon Sep 17 00:00:00 2001
> From: Ralph Wuerthner <[hidden email]>
> Date: Tue, 26 Sep 2017 15:57:53 +0200
> Subject: [PATCH 2/2] s3:winbind: unmapped Unix users must be resolved locally
>
> Signed-off-by: Ralph Wuerthner <[hidden email]>
> ---
>  source3/winbindd/wb_getpwsid.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/source3/winbindd/wb_getpwsid.c b/source3/winbindd/wb_getpwsid.c
> index 8c764f7..9b3f12e 100644
> --- a/source3/winbindd/wb_getpwsid.c
> +++ b/source3/winbindd/wb_getpwsid.c
> @@ -47,6 +47,12 @@ struct tevent_req *wb_getpwsid_send(TALLOC_CTX *mem_ctx,
>   state->ev = ev;
>   state->pw = pw;
>  
> + if (dom_sid_in_domain(&global_sid_Unix_Users, user_sid)) {
> + /* unmapped Unix users must be resolved locally */
> + tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
> + return tevent_req_post(req, ev);
> + }
> +
>   subreq = wb_queryuser_send(state, ev, &state->sid);
>   if (tevent_req_nomem(subreq, req)) {
>   return tevent_req_post(req, ev);
> --
> 2.7.4
>


Reply | Threaded
Open this post in threaded view
|

Re: [PATCH] s3:winbind: gid 0 in getgrgid must be resolved locally

Samba - samba-technical mailing list
On Wed, Sep 27, 2017 at 12:00:42PM -0700, Christof Schmitt via samba-technical wrote:
> > Please see attached patchset were I moved the check to
> > wb_getgrsid_send and wb_getpwsid respectively.
>
> Looks good to me.
>
> Reviewed-by: Christof Schmitt <[hidden email]>
>
> Volker, do you agree?

Yes. Pushed, thanks!

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:[hidden email]