Author: jerry Date: 2007-05-21 20:36:22 +0000 (Mon, 21 May 2007) New Revision: 23048
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23048 Log: Simo is correct in that winbind_lookup{sid,name}_async() needs to be able to handle SIDs in the S-1-22-{1,2} domain in order for winbindd_sid_to_uid(), et. al. to succeed. For 3.0.25a, we will short circuit in the sid_to_uid() family of functions so that smbd is ok. For 3.0.26, we need to allow winbindd to handle all types of SIDs. Modified: branches/SAMBA_3_0/source/nsswitch/idmap.c branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c branches/SAMBA_3_0/source/nsswitch/winbindd_util.c branches/SAMBA_3_0_26/source/nsswitch/idmap.c branches/SAMBA_3_0_26/source/nsswitch/winbindd_passdb.c branches/SAMBA_3_0_26/source/nsswitch/winbindd_util.c Changeset: Modified: branches/SAMBA_3_0/source/nsswitch/idmap.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/idmap.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0/source/nsswitch/idmap.c 2007-05-21 20:36:22 UTC (rev 23048) @@ -821,7 +821,10 @@ /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */ if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) || sid_check_is_in_builtin(map->sid) || - sid_check_is_in_wellknown_domain(map->sid)) { + sid_check_is_in_wellknown_domain(map->sid) || + sid_check_is_in_unix_users(map->sid) || + sid_check_is_in_unix_groups(map->sid) ) + { DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n")); return NT_STATUS_UNSUCCESSFUL; } Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_passdb.c 2007-05-21 20:36:22 UTC (rev 23048) 
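Review bot: The widened guard in idmap.c tests only `sid_check_is_in_unix_users()` and `sid_check_is_in_unix_groups()`, so the bare S-1-22-1 and S-1-22-2 domain SIDs are not rejected here, whereas the winbindd_passdb.c and winbindd_util.c hunks of this commit also test `sid_check_is_unix_users()` and `sid_check_is_unix_groups()`. If that difference is not deliberate, append `|| sid_check_is_unix_users(map->sid) || sid_check_is_unix_groups(map->sid)` so that no stored idmap entry can be created for anything in the Unix Users/Groups namespace. The comment above the condition still names only local, BUILTIN and special SIDs; I would extend it to `/* ... our own local domain, BUILTIN, special SIDs, or Unix Users/Groups (S-1-22-{1,2}) */`. The same applies to the identical hunk for branches/SAMBA_3_0_26/source/nsswitch/idmap.c, and the enclosing function starts and ends outside the hunk.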
@@ -125,7 +125,12 @@ /* Paranoia check */ if (!sid_check_is_in_builtin(sid) && - !sid_check_is_in_our_domain(sid)) { + !sid_check_is_in_our_domain(sid) && + !sid_check_is_in_unix_users(sid) && + !sid_check_is_unix_users(sid) && + !sid_check_is_in_unix_groups(sid) && + !sid_check_is_unix_groups(sid) ) + { DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with " "passdb backend\n", sid_string_static(sid))); return NT_STATUS_NONE_MAPPED; Modified: branches/SAMBA_3_0/source/nsswitch/winbindd_util.c =================================================================== --- branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0/source/nsswitch/winbindd_util.c 2007-05-21 20:36:22 UTC (rev 23048) @@ -914,6 +914,17 @@ return find_domain_from_sid(sid); } + /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */ + + if ( sid_check_is_in_unix_groups(sid) || + sid_check_is_unix_groups(sid) || + sid_check_is_in_unix_users(sid) || + sid_check_is_unix_users(sid) ) + { + return find_domain_from_sid(get_global_sam_sid()); + } + + /* On a member server a query for SID or name can always go to our * primary DC. */ @@ -927,6 +938,14 @@ strequal(domain_name, get_global_sam_name())) return find_domain_from_name_noinit(domain_name); + /* The "Unix User" and "Unix Group" domain our handled by passdb */ + + if ( strequal(domain_name, unix_users_domain_name() ) || + strequal(domain_name, unix_groups_domain_name() ) ) + { + return find_domain_from_name_noinit( get_global_sam_name() ); + } + return find_our_domain(); } Modified: branches/SAMBA_3_0_26/source/nsswitch/idmap.c =================================================================== --- branches/SAMBA_3_0_26/source/nsswitch/idmap.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0_26/source/nsswitch/idmap.c 2007-05-21 20:36:22 UTC (rev 23048) 
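Review bot: The paranoia check in winbindd_passdb.c exists to stop lookups that could deadlock, and the four new `!sid_check_is_*` terms let S-1-22-{1,2} SIDs through without saying why that is safe. Whether resolving such a SID through passdb can call back into winbindd (for example via an NSS lookup) is not visible in this hunk, so it should be confirmed. Once confirmed, record the guarantee next to the condition, e.g. `/* Unix Users/Groups SIDs are resolved locally by passdb; this path must never re-enter winbindd */`. The same applies to the identical hunk for branches/SAMBA_3_0_26/source/nsswitch/winbindd_passdb.c, and the enclosing function starts and ends outside the hunk.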
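Review bot: The four-call S-1-22 test added to winbindd_util.c at -914 repeats the condition added to winbindd_passdb.c, and idmap.c already carries a narrower two-call variant, so the three sites can drift apart. A single shared predicate (hypothetical name, not an existing function: `sid_check_is_unix_sid(sid)`) would keep them in step. Separately, `find_domain_from_sid(get_global_sam_sid())` presumably returns NULL when the local SAM domain is not in winbindd's domain list; the callers are outside the hunk, so it is worth confirming they handle NULL on this new path. The same applies to the SAMBA_3_0_26 hunk at -923.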
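Review bot: The comment added at -927 in winbindd_util.c has a typo that obscures its meaning ("domain our handled"); it should read `/* The "Unix User" and "Unix Group" domains are handled by passdb */`. It would also help to say in that comment that this is the name-based counterpart of the S-1-22-{1,2} SID check added in the previous hunk, so the two are updated together when winbindd later handles these SIDs itself, as the log message plans for 3.0.26. The same applies to the SAMBA_3_0_26 hunk at -936, and the enclosing function starts outside the hunk.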
@@ -821,7 +821,10 @@ /* Check we do not create mappings for our own local domain, or BUILTIN or special SIDs */ if ((sid_compare_domain(map->sid, get_global_sam_sid()) == 0) || sid_check_is_in_builtin(map->sid) || - sid_check_is_in_wellknown_domain(map->sid)) { + sid_check_is_in_wellknown_domain(map->sid) || + sid_check_is_in_unix_users(map->sid) || + sid_check_is_in_unix_groups(map->sid) ) + { DEBUG(10, ("We are not supposed to create mappings for our own domains (local, builtin, specials)\n")); return NT_STATUS_UNSUCCESSFUL; } Modified: branches/SAMBA_3_0_26/source/nsswitch/winbindd_passdb.c =================================================================== --- branches/SAMBA_3_0_26/source/nsswitch/winbindd_passdb.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0_26/source/nsswitch/winbindd_passdb.c 2007-05-21 20:36:22 UTC (rev 23048) @@ -125,7 +125,12 @@ /* Paranoia check */ if (!sid_check_is_in_builtin(sid) && - !sid_check_is_in_our_domain(sid)) { + !sid_check_is_in_our_domain(sid) && + !sid_check_is_in_unix_users(sid) && + !sid_check_is_unix_users(sid) && + !sid_check_is_in_unix_groups(sid) && + !sid_check_is_unix_groups(sid) ) + { DEBUG(0, ("Possible deadlock: Trying to lookup SID %s with " "passdb backend\n", sid_string_static(sid))); return NT_STATUS_NONE_MAPPED; Modified: branches/SAMBA_3_0_26/source/nsswitch/winbindd_util.c =================================================================== --- branches/SAMBA_3_0_26/source/nsswitch/winbindd_util.c 2007-05-21 19:53:57 UTC (rev 23047) +++ branches/SAMBA_3_0_26/source/nsswitch/winbindd_util.c 2007-05-21 20:36:22 UTC (rev 23048) 
@@ -923,6 +923,17 @@ return find_domain_from_sid(sid); } + /* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */ + + if ( sid_check_is_in_unix_groups(sid) || + sid_check_is_unix_groups(sid) || + sid_check_is_in_unix_users(sid) || + sid_check_is_unix_users(sid) ) + { + return find_domain_from_sid(get_global_sam_sid()); + } + + /* On a member server a query for SID or name can always go to our * primary DC. */ @@ -936,6 +947,14 @@ strequal(domain_name, get_global_sam_name())) return find_domain_from_name_noinit(domain_name); + /* The "Unix User" and "Unix Group" domain our handled by passdb */ + + if ( strequal(domain_name, unix_users_domain_name() ) || + strequal(domain_name, unix_groups_domain_name() ) ) + { + return find_domain_from_name_noinit( get_global_sam_name() ); + } + return find_our_domain(); }