svn commit: samba r20216 - in branches/SAMBA_3_0/source/nsswitch: .

idra at samba.org idra at samba.org
Sat Dec 16 18:13:13 GMT 2006


Author: idra
Date: 2006-12-16 18:13:12 +0000 (Sat, 16 Dec 2006)
New Revision: 20216

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=20216

Log:

Fix fallback code.
A reversed check made it impossible to fallback to the Unix Domain mapping code.
Also fix a potential use of a freed array.



Jerry,
my tests show that this code now correctly handles the fallback to Unix Domain
when our Domain member is asked for a mapped group that has a unix name different
from the Windows name against a Samba DC and we do not use winbindd but share
users/groups by other means (ldap / sync of passwd and group files)

Immediate Fix would be to discuss if we should answer back when DOMAIN\unixgroup -> SID
is asked for, in the case the unixgroup name is mapped to a different name.
IE: DOMAIN\Domain Admins -> ntadmins

Currently if we are asked for "DOMAIN\Domain Admins" we return the dom admins SID.
If we are asked for "DOMAIN\ntadmins" we return "not found", but we may consider to
return the Domain admins SID in this case too.

Comments are welcome on this point!


Long term fix I think is the unixinfo pipe and of course an idmap_unixinfo module.

Simo.


Modified:
   branches/SAMBA_3_0/source/nsswitch/idmap.c


Changeset:
Modified: branches/SAMBA_3_0/source/nsswitch/idmap.c
===================================================================
--- branches/SAMBA_3_0/source/nsswitch/idmap.c	2006-12-16 17:54:16 UTC (rev 20215)
+++ branches/SAMBA_3_0/source/nsswitch/idmap.c	2006-12-16 18:13:12 UTC (rev 20216)
@@ -791,6 +791,7 @@
 static NTSTATUS idmap_backends_unixids_to_sids(struct id_map **ids)
 {
 	struct idmap_domain *dom;
+	struct id_map **unmapped;
 	struct id_map **_ids;
 	TALLOC_CTX *ctx;
 	NTSTATUS ret;
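Review bot: The new function-scope unmapped pointer is declared without an initialiser and only receives a value at the unmapped = NULL assignment in the next hunk, with lines in between that this diff does not show. Initialising it at the declaration (struct id_map **unmapped = NULL;) would keep any early exit or later edit in that gap from reading an indeterminate pointer, and would make the separate assignment before the loop unnecessary.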
@@ -819,8 +820,8 @@
 		_ids[i]->mapped = False;
 	}
 
+	unmapped = NULL;
 	for (n = num_domains-1; n >= 0; n--) { /* cycle backwards */
-		struct id_map **unmapped = NULL;
 
 		dom = idmap_domains[n];
 
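Review bot: With unmapped set to NULL once before the loop, a call where the loop body never runs (num_domains of 0, so n starts at -1) reaches the later if (unmapped) test with NULL and skips the Unix fallback, even though every entry was just marked mapped = False. If that case can occur, the fallback should be driven by whether unmapped entries remain rather than by this pointer alone. Removing the loop-local declaration also leaves an empty line as the first line of the loop body, which can go.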
@@ -829,7 +830,7 @@
 		ret = dom->methods->unixids_to_sids(dom, _ids);
 		IDMAP_CHECK_RET(ret);
 
-		TALLOC_FREE(unmapped);
+		unmapped = NULL;
 
 		for (i = 0, u = 0; _ids[i]; i++) {
 			if (_ids[i]->mapped == False) {
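Review bot: Replacing TALLOC_FREE(unmapped) with unmapped = NULL drops the previous pass's array without releasing it, and nothing in the visible lines says who frees it. Not freeing here is right, because _ids was pointed at that same array by _ids = unmapped at the end of the previous pass and is walked by the loop just below, which is the use of a freed array the log message mentions. A one-line comment stating that the array stays alive because _ids aliases it, and that it is released with the function's talloc context (the allocation site is not shown in this diff), would stop someone from reinstating the free.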
@@ -842,27 +843,28 @@
 		if (unmapped) {
 			/* terminate the unmapped list */
 			unmapped[u] = NULL;
-		} else { /* no more unmapped entries, get out */
+		} else { /* no more entries, get out */
 			break;
 		}
 
 		_ids = unmapped;
+		
 	}
 
-	if (!_ids) {
+	if (unmapped) {
 		/* there are still unmapped ids, map them to the unix users/groups domains */
-		for (i = 0; _ids[i]; i++) {
-			switch (_ids[i]->xid.type) {
+		for (i = 0; unmapped[i]; i++) {
+			switch (unmapped[i]->xid.type) {
 			case ID_TYPE_UID:
-				uid_to_unix_users_sid((uid_t)_ids[i]->xid.id, _ids[i]->sid);
-				_ids[i]->mapped = True;
+				uid_to_unix_users_sid((uid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+				unmapped[i]->mapped = True;
 				break;
 			case ID_TYPE_GID:
-				gid_to_unix_groups_sid((gid_t)_ids[i]->xid.id, _ids[i]->sid);
-				_ids[i]->mapped = True;
+				gid_to_unix_groups_sid((gid_t)unmapped[i]->xid.id, unmapped[i]->sid);
+				unmapped[i]->mapped = True;
 				break;
 			default: /* what?! */
-				_ids[i]->mapped = False;
+				unmapped[i]->mapped = False;
 				break;
 			}
 		}
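Review bot: In the default: branch of the fallback switch, an entry with an unexpected xid.type is left with mapped = False and nothing visible here logs it or alters the return status, so the caller cannot distinguish it from an id that was never processed; a DEBUG line reporting the type would make this diagnosable. Two smaller points: the line added after _ids = unmapped; contains only whitespace, and the reworded comment "no more entries, get out" is less precise than the "no more unmapped entries" it replaces.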


