[SCM] Samba Shared Repository - branch master updated

Jeremy Allison jra at samba.org
Sat Apr 1 19:19:03 UTC 2017


The branch, master has been updated
       via  8b32fc4 winbindd: trigger possible passdb_dsdb initialisation
       via  8bd5f77 selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
       via  2150de3 selftest: wbinfo -s tests for wellknown SIDs
       via  6b7a14b winbindd: use passdb backend for well-known SIDs
      from  3a9ea18 s4: messaging. Add imessaging_reinit_all() function.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 8b32fc4006ae338ddee7c0e5991958ec3463da0d
Author: Ralph Boehme <slow at samba.org>
Date:   Wed Mar 29 11:13:46 2017 +0200

    winbindd: trigger possible passdb_dsdb initialisation
    
    If the passdb backend is passdb_dsdb the domain SID comes from dsdb, not
    from secrets.tdb. As we use the domain SID in various places, we must
    ensure the domain SID is migrated from dsdb to secrets.tdb before
    get_global_sam_sid() is called the first time.
    
    The migration is done as part of the passdb_dsdb initialisation, calling
    pdb_get_domain_info() triggers it.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12729
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Sat Apr  1 21:18:59 CEST 2017 on sn-devel-144

commit 8bd5f774fdc1f4ea012885262eb0f40640504de8
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Mar 31 16:24:05 2017 +0200

    selftest: wbinfo --sids-to-unix-ids tests for wellknown SIDs
    
    This test passes even without the fix, as in sids2xids we use the
    lookupnames just to determine the mapping domain, using the default
    idmap domain as fallback if that fails.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 2150de3a73527850547263e853faf4f3fedca6e6
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Mar 31 16:06:18 2017 +0200

    selftest: wbinfo -s tests for wellknown SIDs
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 6b7a14b4b9c3411bd2e05383917e8fdedae51c90
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Mar 30 23:41:59 2017 +0200

    winbindd: use passdb backend for well-known SIDs
    
    On a DC well-known SIDs like S-1-1-0 (everyone) *must* be handled by the
    local domain, otherwise something simple like this fails with
    WBC_ERR_DOMAIN_NOT_FOUND:
    
    $ make testenv SELFTEST_TESTENV=nt4_dc SCREEN=1
    
    localnt4dc2$ ./bin/wbinfo --sid-to-name S-1-1-0
    failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
    Could not lookup sid S-1-1-0
    
    On a member server asking our DC works and is what we're currently
    doing, but changing it to ask passdb avoids the overhead.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=12727
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 nsswitch/tests/test_wbinfo.sh                     | 20 +++++++++++++++++
 selftest/knownfail                                |  6 -----
 source3/script/tests/test_wbinfo_sids2xids_int.py |  2 +-
 source3/winbindd/winbindd_util.c                  | 27 ++++++++++++++++++-----
 4 files changed, 42 insertions(+), 13 deletions(-)


Changeset truncated at 500 lines:

diff --git a/nsswitch/tests/test_wbinfo.sh b/nsswitch/tests/test_wbinfo.sh
index f9c040e..d298ddb 100755
--- a/nsswitch/tests/test_wbinfo.sh
+++ b/nsswitch/tests/test_wbinfo.sh
@@ -88,6 +88,26 @@ else
 	echo "success: wbinfo -s check for sane mapping"
 fi
 
+WELL_KNOWN_SIDS="S-1-1-0\n /EVERYONE 5\n S-1-3-1\n /CREATOR GROUP 5\n S-1-5-1\n NT AUTHORITY/DIALUP 5"
+
+printf "$WELL_KNOWN_SIDS" | while read SID ; do
+    read NAME
+
+    testit "wbinfo -s $SID against $TARGET" $wbinfo -s $SID || failed=`expr $failed + 1`
+
+    RESOLVED_NAME=`$wbinfo -s $SID | tr a-z A-Z`
+    echo "$SID resolved to $RESOLVED_NAME"
+
+    echo "test: wbinfo -s $SID against $TARGET"
+    if test x"$RESOLVED_NAME" != x"$NAME" ; then
+        echo "$RESOLVED_NAME does not match $NAME"
+	echo "failure: wbinfo -s $SID against $TARGET"
+	failed=`expr $failed + 1`
+    else
+        echo "success: wbinfo -s $SID against $TARGET"
+    fi
+done
+
 testit "wbinfo -n on the returned name against $TARGET" $wbinfo -n $admin_name || failed=`expr $failed + 1`
 test_sid=`$wbinfo -n $tested_name | cut -d " " -f1`
 
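Review bot: The `failed` increments inside the new loop are probably lost, because the loop is the right-hand side of `printf "$WELL_KNOWN_SIDS" | while read SID ; do` and most sh implementations run that side of a pipe in a subshell. A name mismatch is then visible only through the `failure:` line and never reaches the `failed` count that the rest of the script (outside this hunk) works with. Feeding the loop by redirection keeps it in the current shell: open it with `while read -r SID ; do` and close it with a here-document on `done` whose body is `$(printf "$WELL_KNOWN_SIDS")`. Separately, `$wbinfo -s $SID` runs twice per SID, so capturing its output once and comparing that would make the check test the same answer it prints.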
diff --git a/selftest/knownfail b/selftest/knownfail
index 432908b..07b4cdb 100644
--- a/selftest/knownfail
+++ b/selftest/knownfail
@@ -22,14 +22,12 @@
 ^samba3.raw.samba3hide.samba3hide\((nt4_dc|ad_dc)\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.samba3closeerr.samba3closeerr\(nt4_dc\) # This test fails against an smbd environment with NT ACLs enabled
 ^samba3.raw.acls nfs4acl_xattr-simple.INHERITFLAGS\(nt4_dc\) # This (and the follow nfs4acl_xattr tests fail because our NFSv4 backend isn't a complete mapping yet.
-^samba3.raw.acls nfs4acl_xattr-simple.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.nulldacl\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.generic\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-simple.inheritance\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.INHERITFLAGS\(nt4_dc\)
-^samba3.raw.acls nfs4acl_xattr-special.sd\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_file\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.create_dir\(nt4_dc\)
 ^samba3.raw.acls nfs4acl_xattr-special.nulldacl\(nt4_dc\)
@@ -224,10 +222,6 @@
 #
 ^samba4.winbind.struct.domain_info\(s4member:local\)
 ^samba4.winbind.struct.getdcname\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo -r against s4member\(s4member:local\)
-^samba.blackbox.wbinfo\(s4member:local\).wbinfo --user-sids against s4member\(s4member:local\)
-^samba.wbinfo_simple.\(s4member:local\).--user-groups
-^samba.nss.test using winbind\(s4member:local\)
 #
 # These fail since ad_dc_ntvfs assigns the local user's uid to SAMBADOMAIN/Administrator
 # hence we have a duplicate UID in nsswitch.
diff --git a/source3/script/tests/test_wbinfo_sids2xids_int.py b/source3/script/tests/test_wbinfo_sids2xids_int.py
index f3dbed8..3ad3156 100755
--- a/source3/script/tests/test_wbinfo_sids2xids_int.py
+++ b/source3/script/tests/test_wbinfo_sids2xids_int.py
@@ -29,7 +29,7 @@ domsid = domsid.split(' ')[0]
 #print domain
 #print domsid
 
-sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513' ]
+sids=[ domsid + '-512', 'S-1-5-32-545', domsid + '-513', 'S-1-1-0', 'S-1-3-1', 'S-1-5-1' ]
 
 flush_cache()
 
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 1a38dde..8f16da7 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -795,6 +795,7 @@ static bool migrate_secrets_tdb_to_ldb(struct winbindd_domain *domain)
 bool init_domain_list(void)
 {
 	int role = lp_server_role();
+	struct pdb_domain_info *pdb_domain_info = NULL;
 	NTSTATUS status;
 
 	/* Free existing list */
@@ -806,15 +807,24 @@ bool init_domain_list(void)
 
 	/* Local SAM */
 
+	/*
+	 * In case the passdb backend is passdb_dsdb the domain SID comes from
+	 * dsdb, not from secrets.tdb. As we use the domain SID in various
+	 * places, we must ensure the domain SID is migrated from dsdb to
+	 * secrets.tdb before get_global_sam_sid() is called the first time.
+	 *
+	 * The migration is done as part of the passdb_dsdb initialisation,
+	 * calling pdb_get_domain_info() triggers it.
+	 */
+	pdb_domain_info = pdb_get_domain_info(talloc_tos());
+
 	if ( role == ROLE_ACTIVE_DIRECTORY_DC ) {
 		struct winbindd_domain *domain;
 		enum netr_SchannelType sec_chan_type;
 		const char *account_name;
 		struct samr_Password current_nt_hash;
-		struct pdb_domain_info *pdb_domain_info;
 		bool ok;
 
-		pdb_domain_info = pdb_get_domain_info(talloc_tos());
 		if (pdb_domain_info == NULL) {
 			DEBUG(0, ("Failed to fetch our own, local AD "
 				"domain info from sam.ldb\n"));
@@ -1009,12 +1019,19 @@ struct winbindd_domain *find_our_domain(void)
 
 struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 {
-	/* SIDs in the S-1-22-{1,2} domain should be handled by our passdb */
+	DBG_DEBUG("SID [%s]\n", sid_string_dbg(sid));
+
+	/*
+	 * SIDs in the S-1-22-{1,2} domain and well-known SIDs should be handled
+	 * by our passdb.
+	 */
 
 	if ( sid_check_is_in_unix_groups(sid) ||
 	     sid_check_is_unix_groups(sid) ||
 	     sid_check_is_in_unix_users(sid) ||
-	     sid_check_is_unix_users(sid) )
+	     sid_check_is_unix_users(sid) ||
+	     sid_check_is_wellknown_domain(sid, NULL) ||
+	     sid_check_is_in_wellknown_domain(sid) )
 	{
 		return find_domain_from_sid(get_global_sam_sid());
 	}
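Review bot: The rewritten comment says well-known SIDs "should be handled by our passdb" but drops the reason given in the commit message, which is what a later reader needs before touching this condition. I would extend it with `* On a DC no other domain answers for them (lookups fail with WBC_ERR_DOMAIN_NOT_FOUND); on a member server this avoids asking the DC.` The branch now returns `find_domain_from_sid(get_global_sam_sid())` for a larger set of SIDs than before, so it is worth confirming that callers handle a NULL result if the local SAM domain is missing from the list. Those callers and the rest of the function are outside the hunk.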
@@ -1023,8 +1040,6 @@ struct winbindd_domain *find_lookup_domain_from_sid(const struct dom_sid *sid)
 	 * one to contact the external DC's. On member servers the internal
 	 * domains are different: These are part of the local SAM. */
 
-	DEBUG(10, ("find_lookup_domain_from_sid(%s)\n", sid_string_dbg(sid)));
-
 	if (IS_DC || is_internal_domain(sid) || is_in_internal_domain(sid)) {
 		DEBUG(10, ("calling find_domain_from_sid\n"));
 		return find_domain_from_sid(sid);


-- 
Samba Shared Repository


