[SCM] Samba Shared Repository - branch v3-6-test updated

Karolin Seeger kseeger at samba.org
Sat Jun 30 05:14:56 MDT 2012


The branch, v3-6-test has been updated
       via  65cc848 s3:winbindd: don't turn negative cache entries into valid idmappings (bug #9002)
       via  e19d064 s3:passdb: don't turn negative cache entries into valid idmappings (bug #9002)
       via  a1a0bab s3:winbindd: do not expose negative cache idmap entries as valid mappings (bug #9002)
       via  19b0db8 s3:winbindd: discard the expired gid cache if we're online (bug #9002)
      from  9aa0c85 s3: fix build without ads support

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit 65cc848fde9e383afa0c9eff78e66d6cd57aea18
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 19 17:57:19 2012 +0200

    s3:winbindd: don't turn negative cache entries into valid idmappings (bug #9002)
    
    It's typical that some file operations set a NTACL, which tries
    sid2uid() before sid2gid(), this will create a negative cache entry.
    
    Negative SID2UID entries cause that a valid SID2GID mapping is ignored
    and the group is ignored in the UNIX Token.
    
    metze

commit e19d064b2a23ec083da06fa56af47be694152442
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Jun 19 17:57:19 2012 +0200

    s3:passdb: don't turn negative cache entries into valid idmappings (bug #9002)
    
    It's typical that some file operations set a NTACL, which tries
    sid2uid() before sid2gid(), this will create a negative cache entry.
    
    Negative SID2UID entries cause that a valid SID2GID mapping is ignored
    and the group is ignored in the UNIX Token.
    
    metze

commit a1a0babdbd89b229a9d539993c2ad3791b654952
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu May 24 09:08:21 2012 +0200

    s3:winbindd: do not expose negative cache idmap entries as valid mappings (bug #9002)
    
    metze

commit 19b0db85cde6fc4affa1dec19bd39adf862dbf8c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Mar 2 05:08:17 2012 +0100

    s3:winbindd: discard the expired gid cache if we're online (bug #9002)
    
    This matches the uid case...
    
    metze

-----------------------------------------------------------------------

Summary of changes:
 source3/passdb/lookup_sid.c              |    4 +-
 source3/winbindd/winbindd_sids_to_xids.c |   94 ++++++++++++++++++++++++------
 2 files changed, 77 insertions(+), 21 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c
index 2afa86e..64a181e 100644
--- a/source3/passdb/lookup_sid.c
+++ b/source3/passdb/lookup_sid.c
@@ -1437,13 +1437,13 @@ bool sids_to_unix_ids(const struct dom_sid *sids, uint32_t num_sids,
 		}
 		if (idmap_cache_find_sid2uid(&sids[i], &ids[i].id.uid,
 					     &expired)
-		    && !expired) {
+		    && !expired && ids[i].id.uid != (uid_t)-1) {
 			ids[i].type = WBC_ID_TYPE_UID;
 			continue;
 		}
 		if (idmap_cache_find_sid2gid(&sids[i], &ids[i].id.gid,
 					     &expired)
-		    && !expired) {
+		    && !expired && ids[i].id.gid != (gid_t)-1) {
 			ids[i].type = WBC_ID_TYPE_GID;
 			continue;
 		}
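Review bot: The two added sentinel comparisons after `idmap_cache_find_sid2uid()` and `idmap_cache_find_sid2gid()` carry the whole fix, but nothing on those lines says why `-1` is special. I would add a comment above the first test, such as `/* (uid_t)-1 / (gid_t)-1 is a negative cache entry: never hand it out as a mapping */`, so a later cleanup does not drop the check and bring back cached misses being returned as real ids. A skipped negative hit has still written `-1` into `ids[i].id`, so whatever runs next must set both the id and `ids[i].type` itself. That code and the enclosing loop start and end outside this hunk.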
diff --git a/source3/winbindd/winbindd_sids_to_xids.c b/source3/winbindd/winbindd_sids_to_xids.c
index 9c38b5a..7487f8f 100644
--- a/source3/winbindd/winbindd_sids_to_xids.c
+++ b/source3/winbindd/winbindd_sids_to_xids.c
@@ -123,41 +123,87 @@ struct tevent_req *winbindd_sids_to_xids_send(TALLOC_CTX *mem_ctx,
 static bool winbindd_sids_to_xids_in_cache(struct dom_sid *sid,
 					   struct id_map *map)
 {
-	uid_t uid;
-	gid_t gid;
-	bool expired;
+	bool is_online = is_domain_online(find_our_domain());
+	gid_t gid = (gid_t)-1;
+	bool gid_expired = false;
+	bool gid_cached = false;
+	bool gid_negative = false;
+	uid_t uid = (uid_t)-1;
+	bool uid_expired = false;
+	bool uid_cached = false;
+	bool uid_negative = false;
 
 	if (!winbindd_use_idmap_cache()) {
 		return false;
 	}
+
 	/*
 	 * SIDS_TO_XIDS is primarily used to resolve the user's group
 	 * sids. So we check groups before users.
 	 */
-	if (idmap_cache_find_sid2gid(sid, &gid, &expired)) {
-		if (expired && is_domain_offline(find_our_domain())) {
-			return false;
+	gid_cached = idmap_cache_find_sid2gid(sid, &gid, &gid_expired);
+	if (!is_online) {
+		gid_expired = false;
+	}
+	if (gid_cached && !gid_expired) {
+		if (gid != (gid_t)-1) {
+			map->sid = sid;
+			map->xid.id = gid;
+			map->xid.type = ID_TYPE_GID;
+			map->status = ID_MAPPED;
+			return true;
+		}
+		gid_negative = true;
+	}
+	uid_cached = idmap_cache_find_sid2uid(sid, &uid, &uid_expired);
+	if (!is_online) {
+		uid_expired = false;
+	}
+	if (uid_cached && !uid_expired) {
+		if (uid != (uid_t)-1) {
+			map->sid = sid;
+			map->xid.id = uid;
+			map->xid.type = ID_TYPE_UID;
+			map->status = ID_MAPPED;
+			return true;
 		}
+		uid_negative = true;
+	}
+
+	/*
+	 * Here we know that we only have negative
+	 * or no entries.
+	 *
+	 * All valid cases already returned to the caller.
+	 */
+
+	if (gid_negative && uid_negative) {
+		map->sid = sid;
+		map->xid.id = UINT32_MAX;
+		map->xid.type = ID_TYPE_NOT_SPECIFIED;
+		map->status = ID_MAPPED;
+		return true;
+	}
+
+	if (gid_negative) {
 		map->sid = sid;
-		map->xid.id = gid;
+		map->xid.id = gid; /* this is (gid_t)-1 */
 		map->xid.type = ID_TYPE_GID;
 		map->status = ID_MAPPED;
 		return true;
 	}
-	if (idmap_cache_find_sid2uid(sid, &uid, &expired)) {
-		if (expired && is_domain_online(find_our_domain())) {
-			return false;
-		}
+
+	if (uid_negative) {
 		map->sid = sid;
-		map->xid.id = uid;
+		map->xid.id = uid; /* this is (uid_t)-1 */
 		map->xid.type = ID_TYPE_UID;
 		map->status = ID_MAPPED;
 		return true;
 	}
+
 	return false;
 }
 
-
 static void winbindd_sids_to_xids_lookupsids_done(struct tevent_req *subreq)
 {
 	struct tevent_req *req = tevent_req_callback_data(
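Review bot: The one-sided branches `if (gid_negative)` and `if (uid_negative)` in `winbindd_sids_to_xids_in_cache()` return true even when the other lookup gave no usable answer (not cached, or expired while online). A SID with only a negative GID entry is therefore reported as cached, and the caller presumably never asks the idmap backend whether it maps to a UID. This mirrors the case in the commit message; it fails towards "unmapped" rather than a wrong id, but it can still leave a valid id out of the result until the negative entry expires. If this is intended negative caching, say so in the comment above these branches; otherwise consider `return false;` unless both sides are negative. All three negative returns also keep `map->status = ID_MAPPED`, so a comment such as `/* negative hit: xid.id is the -1 sentinel; consumers must check the id, not the status */` would help anyone consuming the map.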
@@ -256,21 +302,26 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
 
 	for (i=0; i<state->num_sids; i++) {
 		char type;
-		uint64_t unix_id = (uint64_t)-1;
+		uint32_t unix_id = UINT32_MAX;
 		bool found = true;
 
 		if (state->cached[i].sid != NULL) {
 			unix_id = state->cached[i].xid.id;
-			if (state->cached[i].xid.type == ID_TYPE_UID) {
+
+			switch (state->cached[i].xid.type) {
+			case ID_TYPE_UID:
 				type = 'U';
-			} else {
+				break;
+			case ID_TYPE_GID:
 				type = 'G';
+				break;
+			default:
+				found = false;
+				break;
 			}
 		} else {
 			unix_id = state->ids.ids[num_non_cached].unix_id;
-			if (unix_id == -1) {
-				found = false;
-			}
+
 			switch(state->ids.ids[num_non_cached].type) {
 			case WBC_ID_TYPE_UID:
 				type = 'U';
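Review bot: Narrowing `unix_id` to `uint32_t` makes `unix_id = state->ids.ids[num_non_cached].unix_id;` in the non-cached branch an implicit truncation if that field is wider than 32 bits. Its declaration is not in this hunk, but the removed `uint64_t` local suggests it may be. A backend value whose low 32 bits are all ones would then be taken for the not-found sentinel, and any other wide value would be reported as a different id. If the field is 64-bit, I would test it before narrowing, e.g. `if (state->ids.ids[num_non_cached].unix_id > UINT32_MAX) { found = false; }`, or keep the wide local. The loop body continues outside this hunk.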
@@ -286,10 +337,15 @@ NTSTATUS winbindd_sids_to_xids_recv(struct tevent_req *req,
 				break;
 			default:
 				found = false;
+				break;
 			}
 			num_non_cached += 1;
 		}
 
+		if (unix_id == UINT32_MAX) {
+			found = false;
+		}
+
 		if (found) {
 			result = talloc_asprintf_append_buffer(
 				result, "%c%lu\n", type,
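Review bot: The new `unix_id == UINT32_MAX` test is the only thing that stops a negative cache hit (which the cache helper returns with `ID_MAPPED` and an id of -1) from being printed as a real mapping, and it has no comment. I would add `/* UINT32_MAX == (uid_t)-1 / (gid_t)-1: negative or failed mapping, never report it */` above it. Because `unix_id` is now a `uint32_t` (changed earlier in this function), the `%lu` conversion in the `talloc_asprintf_append_buffer()` call needs an `(unsigned long)` cast on its argument. That argument line is past the end of this hunk, so please confirm the cast is there.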


-- 
Samba Shared Repository

